Include users' last logon time
Last Logon is missing from the user objects in Azure! I'd like to be able to read the Last Logon information through the Graph API, to tell which users are actually logging in. But very surprisingly I can't find any such attribute!
Can we please please add this attribute to the user object?
Just to update. We ran into a few problems here, and this has been delayed. Revised timeline is Q1 2020 (hopefully nearer the beginning of the quarter). Sorry for the delay.
Smith, Chris commented
Thanks for the update Dan - glad to see an updated response and ETA. Happy Thanksgiving. :)
Ronald Foppen commented
How are we doing on this one?
Ronald Foppen commented
Would there be any further updates to this? Is this still scheduled for preview this month?
Ivan Fioravanti commented
Any news on this one? You started 10 months ago. Thanks
Why do Office365 accounts keep getting compromised? Because IT admins can no longer efficiently audit account inactivity. This is absolutely REQUIRED.
Ken C commented
We are using AzureAD for many SaaS applications, and need to know when an account has been inactive for a number of days. AD does not get updated by such an event, so without this we have no visibility of inactive users.
There are internal processes to process "leavers", however as a distribution organisation with warehouse staff in particular who don't need to logon to IT systems regularly, we are flying blind. Help please.
This is critical for our business as well. Is there any other attribute that replicates we could use for a query?
We're in desperate need of this. Our cloud users are getting disabled because they only use email and don't authenticate to on-premises AD.
We desperately need this functionality.
@Azure AD Team, this will be good to have. There are plenty of customers asking for this.
Mike Wood commented
When will Azure AD be able to show a users' last sign-in date?
Stop talking about "cloud first" when you can't even get a basic user management feature available to administrators via Graph API or PowerShell.
LastLogon timestamp needed urgently for the same reasons stated below. We can't compare the logons with our local AD to prevent locking out accounts that actually are logging into the mail portal only.
Any update on this? Also users may not care about what their last logon time was, as much as IT admins and compliance stakeholders would. That's the feature you need to be delivering here.
This is critical with respect to Azure B2B guests in tenants who may never log in.
Eric Kool-Brown commented
I asked for this feature maybe 4 years ago on an NDA Yammer group along with several other AD attributes that are not surfaced in AAD. AAD is after all built on AD but it still has a long way to go to be at feature parity to AD. I am presuming that MS wants IT to treat AAD as a black box. That is both naive and insulting. We need to have visibility into many details of how the identity system is being used, both for security and manageability.
As has been pointed out, last-logon time is ambiguous WRT long lived PRTs. We are generally interested in activity, so last-PRT-refresh would also be a useful metric to have as a user attribute.
I spent some time with an MS PSS engineer investigating an AAD issue. He was able to use a tool that showed him many AAD attributes that are not exposed by the Graph API. Someone within MS has made a decision to not show all AAD attributes. The rationale could be API performance, needing to create more search indexes, security through obscurity, whatever. It is our data, let us see it in an efficient and transparent manner! I have a hard time recommending MS cloud products when clearly manageability is such an afterthought.
Prasanna B J commented
Hi Azure AD Team,
As there is no PowerShell available for this activity and the Graph API auditLogs/signIns is also in beta state, how could we use it in production? We do not find any other alternative option for prod use.
Could you help at least publish the beta signIn API as a release version (v1.0)?
Brian Arkills commented
The Jun 29, 2018 response seems to indicate an intended delivery of the wrong solution.
What is desired by most of the comments on this thread is an attribute on the user object with a timestamp of the last logon.
What is indicated by that response seems to be a new feature in each user's Access Panel ("My Apps") which searches against the AAD Sign-In records for that user's logons.
I'll note that my organization wants a user attribute that my organization can query across all our users and analyze ourselves.
I recognize that one challenge with this request is the different types of Azure AD logons and whether for example issuance of an OAuth token should count as a logon or not.
If someone would like to hear more about our needs, I'd be happy to talk with the Identity team further.
I also don't want to be told to use Splunk or something else and rig some type of solution myself. If you want AzureAD to be taken seriously as an enterprise directory, this functionality is a must natively.
Azure AD is a joke at this point. I don't know how Microsoft is pushing for it so much when it still feels like a really ****** alpha
YOSHIFUMI HASHIMOTO commented
This is absolutely necessary for security.
It leads to early detection of unused accounts.
+1, looking for Azure AD last logon stamp as well.