For our Active Directory and Azure AD, we’d like to institute some sanity on our large set of currently active user accounts by disabling them and, after some additional period of inactivity, deleting a disabled user.
Unlike most everywhere else, we have a very large and fluid set of relationships for any given user with a large number of different user populations that permit a given individual to have a UW identity, so it is not just a disable when an employee or student leaves. Employees and students are maybe 10% of our total user population. We tend to instead heavily emphasize access controls. Our technical architecture is also very much a hybrid that spans a diverse set of technologies, mostly hiding from users the fact that any given UW identity actually has many different user accounts and possible authentication technologies being leveraged.

In terms of the most relevant bits for this email, our Azure AD federates authentication to ADFS, which federates authentication to our Shibboleth IdP (which leverages a MIT Kerberos realm). Along that path, you can get an ADFS logon token with an AD logon token, if you have one, but otherwise you end up authenticating elsewhere. If we had a purely AD based authentication architecture, we could simply look at lastLogonTimestamp data to figure out which AD users (and by extension AAD users) we could inactivate. However, we don’t have that simple architecture. And likewise, it’s not viable to use Shibboleth or MIT Kerberos logs for this purpose because they aren’t a direct indicator of whether the associated AD and AAD user account is active or not. This seems to leave ADFS and Azure AD log data (in conjunction with AD lastLogonTimestamp) to determine which AD and AAD users are inactive and good candidates for disabling.

This brings me to my question. Does anyone have any good general purpose solution for determining which user accounts have logged in via either ADFS or Azure AD?
I’d love to see Microsoft add a lastLogonTimestamp attribute to Azure AD user objects, but I don’t think that will happen any time soon, so I’m looking for other solutions. Ideally the solution would allow us to run some simple query across all users to find those who haven’t logged in during a given period of time.
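One way to approximate the missing attribute, as an added example that is not part of the original post: merge AD lastLogonTimestamp, Azure AD sign-in log entries and an ADFS logon export into a per-user "last seen" value and report users below an inactivity threshold. It assumes the ActiveDirectory and AzureADPreview modules, an existing Connect-AzureAD session, and a hypothetical ADFS export CSV with UserPrincipalName and Timestamp columns.

```powershell
# Added example, not the poster's code. Assumes ActiveDirectory + AzureADPreview
# modules and an active Connect-AzureAD session. The ADFS CSV path and column
# names (UserPrincipalName, Timestamp) are assumptions for this example.
param(
    [int]$InactiveDays = 180,
    [string]$AdfsExportCsv = '.\adfs-logons.csv'   # hypothetical ADFS logon export
)
$cutoff   = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
$lastSeen = @{}   # lower-cased UPN -> newest activity timestamp (UTC) across all sources

function Update-LastSeen([string]$Upn, [DateTime]$When) {
    if (-not $Upn) { return }
    $key = $Upn.ToLowerInvariant()
    if (-not $lastSeen.ContainsKey($key) -or $lastSeen[$key] -lt $When) { $lastSeen[$key] = $When }
}

# Source 1: AD. lastLogonTimestamp is a FILETIME that replicates only when it is
# older than msDS-LogonTimeSyncInterval (default 14 days), so it is coarse but domain-wide.
$adUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, UserPrincipalName, whenCreated
foreach ($u in $adUsers) {
    if ($u.lastLogonTimestamp) {
        Update-LastSeen $u.UserPrincipalName ([DateTime]::FromFileTimeUtc($u.lastLogonTimestamp))
    }
}

# Source 2: Azure AD sign-in logs. Tenant retention is short (days to weeks), so run
# this on a schedule and persist the merged results instead of relying on one pull.
$since = $cutoff.ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-AzureADAuditSignInLogs -All $true -Filter "createdDateTime ge $since" |
    ForEach-Object { Update-LastSeen $_.UserPrincipalName ([DateTime]$_.CreatedDateTime).ToUniversalTime() }

# Source 3: ADFS logons exported to CSV by whatever auditing the farm has enabled.
if (Test-Path $AdfsExportCsv) {
    Import-Csv $AdfsExportCsv |
        ForEach-Object { Update-LastSeen $_.UserPrincipalName ([DateTime]::Parse($_.Timestamp)).ToUniversalTime() }
}

# Report enabled AD users whose newest activity in any source predates the cutoff,
# or who have none at all. Review before disabling: a never-seen account may simply be new.
$adUsers | Where-Object { $_.UserPrincipalName } | ForEach-Object {
    $key  = $_.UserPrincipalName.ToLowerInvariant()
    $seen = if ($lastSeen.ContainsKey($key)) { $lastSeen[$key] } else { $null }
    if (-not $seen -or $seen -lt $cutoff) {
        [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; LastSeenUtc = $seen; WhenCreated = $_.whenCreated }
    }
} | Sort-Object LastSeenUtc | Format-Table -AutoSize
```

Because the Azure AD query is bounded by the cutoff, any user with a sign-in inside the window is marked active without pulling the tenant's full history; users absent from every source surface with an empty LastSeenUtc so they can be checked against WhenCreated.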