How can we improve Azure Active Directory?

Include users' last logon time

Last Logon is missing from the user objects in Azure! I'd like to be able to read the Last Logon information through the Graph API, to tell which users are actually logging in. But very surprisingly I can't find any such attribute!
Can we please please add this attribute to the user object?

442 votes

Pietro shared this idea

34 comments

  • Andrew commented

    Why do Office365 accounts keep getting compromised? Because IT admins can no longer efficiently audit account inactivity. This is absolutely REQUIRED.

  • Ken C commented

    We are using AzureAD for many SaaS applications, and need to know when an account has been inactive for a number of days. AD does not get updated by such an event, so without this we have no visibility of inactive users.

    There are internal processes to process "leavers"; however, as a distribution organisation with warehouse staff in particular who don't need to log on to IT systems regularly, we are flying blind. Help please.

  • M.O. commented

    This is critical for our business as well. Is there any other attribute that replicates that we could use for a query?

  • T.A. commented

    We're in desperate need of this. Our cloud users are getting disabled because they only use email and don't authenticate to on-premises AD.

  • Anonymous commented

    @Azure AD Team, this will be good to have. There are plenty of customers asking for this.

  • Mike Wood commented

    When will Azure AD be able to show a user's last sign-in date?

    Stop talking about "cloud first" when you can't even make a basic user management feature available to administrators via the Graph API or PowerShell.

  • Anonymous commented

    LastLogon timestamp needed urgently for the same reasons stated below. We can't compare the logons with our local AD to prevent locking out accounts that actually are logging into the mail portal only.
    Please help.

  • Nitin commented

    Any update on this? Also users may not care about what their last logon time was, as much as IT admins and compliance stakeholders would. That's the feature you need to be delivering here.

    This is critical with respect to Azure B2B guests in tenants who may never log in.

  • Eric Kool-Brown commented

    I asked for this feature maybe 4 years ago on an NDA Yammer group along with several other AD attributes that are not surfaced in AAD. AAD is after all built on AD but it still has a long way to go to be at feature parity to AD. I am presuming that MS wants IT to treat AAD as a black box. That is both naive and insulting. We need to have visibility into many details of how the identity system is being used, both for security and manageability.

    As has been pointed out, last-logon time is ambiguous WRT long lived PRTs. We are generally interested in activity, so last-PRT-refresh would also be a useful metric to have as a user attribute.

    I spent some time with an MS PSS engineer investigating an AAD issue. He was able to use a tool that showed him many AAD attributes that are not exposed by the Graph API. Someone within MS has made a decision to not show all AAD attributes. The rationale could be API performance, needing to create more search indexes, security through obscurity, whatever. It is our data, let us see it in an efficient and transparent manner! I have a hard time recommending MS cloud products when clearly manageability is such an afterthought.

  • Prasanna B J commented

    Hi Azure AD Team,

    As there is no PowerShell cmdlet available for this activity and the Graph API auditLogs/signIns is also in beta, how could we use it in production? We do not find any other alternative option for prod use.

    Could you help at least publish the beta signIn API as a release version (v1.0)?

    Thanks.

  • Brian Arkills commented

    The Jun 29, 2018 response seems to indicate an intended delivery of the wrong solution.

    What is desired by most of the comments on this thread is an attribute on the user object with a timestamp of the last logon.

    What is indicated by that response seems to be a new feature in each user's Access Panel ("My Apps") which searches against the AAD Sign-In records for that user's logons.

    I'll note that my organization wants a user attribute that my organization can query across all our users and analyze ourselves.

    I recognize that one challenge with this request is the different types of Azure AD logons and whether for example issuance of an OAuth token should count as a logon or not.

    If someone would like to hear more about our needs, I'd be happy to talk with the Identity team further.

  • Anonymous commented

    I also don't want to be told to use Splunk or something else and rig some type of solution myself. If you want AzureAD to be taken seriously as an enterprise directory, this functionality is a must natively.

  • Anonymous commented

    Azure AD is a joke at this point. I don't know how Microsoft is pushing for it so much when it still feels like a really ****** alpha

  • Rohitesh commented

    Is this being worked on? This is definitely a "MUST" have. Also, the API suggested above doesn't even return data more than 15 days old :(

  • ScH commented

    There has been a major design flaw with Hybrid Azure-AD systems. The Azure directory schema is missing the last logon date attribute.

    Many users on the internet believe they can obtain this information from the mailbox usage "Last logon" Exchange user field. Recently, the cloud Exchange services have actively triggered this date to be written to and rendered this field unusable for determining actual user logon times. We have created a ticket and it was confirmed this field is no longer reliable in terms of the last time a user logged in.

    Technical support has directed us to the last 30 day rolling authentication log on the Azure management website. Although this information is helpful for a recent logon for an incident, it does not properly represent the full logon history.

    It is part of solid security account management processes to know and audit if your accounts are being accessed. Azure does not currently provide data with regards to:
    • Has the account EVER been logged onto by the actual user?
    • WHEN was the last time the account was logged onto (not just in the last 30 days)?

    This is a basic field that has been recorded in Active Directory for many years through the “lastLogon” and ”lastLogonTimestamp” (as well as the ability to audit authentication of Credential/Kerberos/Kerberos Service Ticket/Other). Now that Exchange no longer allows administrators to accurately determine the last mailbox logon time, it is not possible to fully audit account access of cloud resources. It is not recorded as part of the Azure Directory user Graph/Schema https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#user-entity

    I would like to propose the Azure Directory schema be extended to include a "UserLastAuthenticationDate" type field property for user accounts that can be accessed through BOTH the admin portal and programmatically via PowerShell. This new property should be kept SOLELY to record actual user authentication, and non-user/non-service account processes should not be allowed to write to this field. If there is a need for a secondary automation process's authentication to be recorded, a second "LastAccessedByAProcessDate" type field property could also be added to the user account schema.
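The thread repeatedly hits the same three practical problems: the only source of sign-in data is the (beta) `auditLogs/signIns` log, that log only covers a rolling window of a few weeks, and not every sign-in event represents a user actually authenticating (token refreshes, failed attempts). The following script is an added example, not code from this thread or from Microsoft. It works offline over a constructed sample whose field names mirror the beta `auditLogs/signIns` resource (`userPrincipalName`, `createdDateTime`, `isInteractive`, `status.errorCode`); the user list, the 30-day retention figure and the "now" timestamp are assumptions. It derives a per-user last interactive sign-in, and, for the reason the comments give, reports users with no records in the window as "no-data" rather than "never logged in", and refuses to run an inactivity check that the log window cannot support.

```python
"""Derive a per-user last-sign-in view from Azure AD sign-in log records.

Added example (not from the thread or from Microsoft). SAMPLE_SIGNINS is
CONSTRUCTED data in the shape of beta `auditLogs/signIns` entries; the
directory list, RETENTION_DAYS and SAMPLE_NOW are assumptions for the demo.
"""
import json
from datetime import datetime, timedelta, timezone

# Assumption: the tenant's sign-in log only covers this many days, so a user
# with no record is "unknown within the window", not "never signed in".
RETENTION_DAYS = 30

# Assumed "now" for the constructed sample.
SAMPLE_NOW = datetime(2019, 3, 30, tzinfo=timezone.utc)

# Constructed sample export (not real data). carol only has a non-interactive
# token refresh and dave only a failed attempt; neither should count as a logon.
SAMPLE_SIGNINS = json.loads("""
[
  {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2019-03-10T08:15:00Z",
   "isInteractive": true, "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
  {"userPrincipalName": "alice@contoso.example", "createdDateTime": "2019-03-28T17:02:11Z",
   "isInteractive": true, "status": {"errorCode": 0}, "appDisplayName": "Azure Portal"},
  {"userPrincipalName": "bob@contoso.example", "createdDateTime": "2019-03-02T09:00:00Z",
   "isInteractive": true, "status": {"errorCode": 0}, "appDisplayName": "Office 365 Exchange Online"},
  {"userPrincipalName": "carol@contoso.example", "createdDateTime": "2019-03-29T03:00:00Z",
   "isInteractive": false, "status": {"errorCode": 0}, "appDisplayName": "Microsoft Office"},
  {"userPrincipalName": "dave@contoso.example", "createdDateTime": "2019-03-27T12:00:00Z",
   "isInteractive": true, "status": {"errorCode": 50126}, "appDisplayName": "Azure Portal"}
]
""")

# Constructed list of the directory users being audited (e.g. from /users).
DIRECTORY_USERS = ["alice@contoso.example", "bob@contoso.example",
                   "carol@contoso.example", "dave@contoso.example",
                   "erin@contoso.example"]


def parse_ts(s):
    """Parse the UTC 'Z' timestamps the sign-in log uses into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_user_sign_in(signins):
    """Map UPN -> most recent successful *interactive* sign-in.

    Non-interactive entries (PRT / refresh-token traffic) and failed attempts
    are skipped, so the result approximates "the user actually authenticated",
    which is the attribute the thread is asking for.
    """
    latest = {}
    for rec in signins:
        if not rec.get("isInteractive", False):
            continue
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        upn = rec["userPrincipalName"].lower()
        ts = parse_ts(rec["createdDateTime"])
        if upn not in latest or ts > latest[upn]:
            latest[upn] = ts
    return latest


def classify_users(users, signins, now, inactive_days=14,
                   retention_days=RETENTION_DAYS):
    """Return {upn: (status, last_seen_iso_or_None)}.

    status is "active" (interactive sign-in within inactive_days), "inactive"
    (older than inactive_days but inside the log window) or "no-data" (nothing
    in the window: unknown, NOT proof the account was never used).
    An inactivity threshold longer than the log retention cannot be supported
    by this data, so that is rejected instead of silently mis-reported.
    """
    if inactive_days > retention_days:
        raise ValueError("inactivity threshold exceeds sign-in log retention; "
                         "absence of records cannot prove inactivity")
    latest = last_user_sign_in(signins)
    cutoff = now - timedelta(days=inactive_days)
    out = {}
    for upn in users:
        upn = upn.lower()
        ts = latest.get(upn)
        if ts is None:
            out[upn] = ("no-data", None)
        elif ts >= cutoff:
            out[upn] = ("active", ts.isoformat())
        else:
            out[upn] = ("inactive", ts.isoformat())
    return out


if __name__ == "__main__":
    report = classify_users(DIRECTORY_USERS, SAMPLE_SIGNINS, SAMPLE_NOW)
    for upn, (status, seen) in sorted(report.items()):
        print(f"{upn:28} {status:9} {seen or '-'}")
```

In a real tenant the `SAMPLE_SIGNINS` list would be replaced by paged results from the sign-in log and `DIRECTORY_USERS` by the user listing; the important part is the "no-data" verdict, which is what distinguishes "not seen in the retention window" from the "never logged in" answer the thread wants and that this data source cannot give.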
