I am trying to build a workflow that disables the AD account when the last login date is over 90 days ago, and emails the manager about that event. I am unsure what the best way forward is, because I have seen multiple solutions in the Community but none of them has worked for me so far (for example via Saved Search or via Compare Timestamps).
I have created an Identity Attribute with the AD Last Login date in ISO 8601 format, so how do I proceed and make sure that I retrieve the AD accounts that have been inactive for over 90 days?
A better approach would be to create a lifecycleState with a transform that checks your account attribute and determines whether 90 days have passed. If so, the identity lifecycleState should change to something like inactive90d. You can then configure this state in the provisioning tab to disable the AD accounts. After that, you can set up a workflow to trigger when the identity attribute (lifecycleState) changes to inactive90d and simply send an email to the manager.
Does your org use Azure AD as well for SSO to access the applications?
If yes, then you need to consider the Azure AD last logon as well, not just AD.
There was a bug with Microsoft Azure AD: if you attempt to log in and it is unsuccessful, the last logon will still be updated. You need to check this before implementing your requirement.
You don't need to create an LCS for this; instead you can create an Identity attribute AD90daysInactivity: if the user didn't log in during the last 90 days, populate the value as 514, otherwise 512. Use this attribute for User Account Control (UAC) in AD and enable attribute sync. The user account gets disabled.
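Here is an added example, written for this thread and not code from the original posts or from SailPoint, that models in Python the decision both answers above describe: the 90-day comparison against an ISO 8601 last-login attribute (the lifecycleState approach) and the userAccountControl value that attribute sync would write (the 514/512 approach). The identity records, dates and manager addresses are constructed sample data. Two details a practitioner would want are built in: an account that has never logged in is measured from its creation date instead of being disabled on day one, and the disabled bit is OR'ed into the existing userAccountControl rather than written as a literal 512/514, because userAccountControl is a bitmask and a fixed value would wipe flags such as DONT_EXPIRE_PASSWORD and would also re-enable an account that was disabled for some other reason.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# userAccountControl bit flags (values as documented by Microsoft for AD).
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

INACTIVITY_DAYS = 90


def parse_iso8601(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp into an aware UTC datetime; None/empty stays None."""
    if not value:
        return None
    # datetime.fromisoformat() rejects a trailing 'Z' before Python 3.11.
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


@dataclass
class Identity:
    identity_id: str
    manager_email: str
    current_uac: int            # userAccountControl currently on the AD account
    last_logon: Optional[str]   # ISO 8601 identity attribute (e.g. from lastLogonTimestamp)
    when_created: str           # ISO 8601; fallback for accounts that never logged in


def reference_date(identity: Identity) -> datetime:
    """Latest of last logon and creation date, so a brand-new account that has
    never logged in is not treated as inactive on its first day."""
    created = parse_iso8601(identity.when_created)
    last = parse_iso8601(identity.last_logon)
    return max(last, created) if last else created


def is_inactive(identity: Identity, now: datetime, days: int = INACTIVITY_DAYS) -> bool:
    return now - reference_date(identity) > timedelta(days=days)


def lifecycle_state(identity: Identity, now: datetime) -> str:
    """The value a lifecycleState transform would produce (names are assumed)."""
    return "inactive90d" if is_inactive(identity, now) else "active"


def uac_for_state(current_uac: int, inactive: bool) -> int:
    """Only ever set the ACCOUNTDISABLE bit; never clear it automatically.
    Keeping the other bits avoids clobbering flags like DONT_EXPIRE_PASSWORD,
    and leaving an already-disabled account alone avoids re-enabling accounts
    that were disabled by HR or by an administrator."""
    return current_uac | ACCOUNTDISABLE if inactive else current_uac


@dataclass
class Decision:
    identity_id: str
    state: str
    new_uac: int
    notify_manager: Optional[str]  # manager to e-mail, or None if nothing changed


def evaluate(identities: list[Identity], now: datetime) -> list[Decision]:
    decisions = []
    for ident in identities:
        inactive = is_inactive(ident, now)
        new_uac = uac_for_state(ident.current_uac, inactive)
        # Only the transition into the disabled state triggers the e-mail,
        # matching a workflow that fires on the lifecycleState change.
        changed = new_uac != ident.current_uac
        decisions.append(Decision(ident.identity_id, lifecycle_state(ident, now),
                                  new_uac, ident.manager_email if changed else None))
    return decisions


# Constructed sample identities (not real accounts), evaluated at a fixed "now".
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE = [
    # logged in 29 days ago: stays active
    Identity("alice", "mgr-a@example.com", NORMAL_ACCOUNT, "2024-06-01T08:00:00Z", "2020-01-15T09:00:00Z"),
    # ~171 days idle and carries DONT_EXPIRE_PASSWORD: disable, keep that flag
    Identity("bob", "mgr-b@example.com", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, "2024-01-10T17:30:00Z", "2019-03-01T09:00:00Z"),
    # never logged in, created 10 days ago: stays active
    Identity("carol", "mgr-c@example.com", NORMAL_ACCOUNT, None, "2024-06-20T09:00:00Z"),
    # idle and already disabled: no change, no second e-mail
    Identity("dave", "mgr-d@example.com", NORMAL_ACCOUNT | ACCOUNTDISABLE, "2023-11-01T12:00:00Z", "2018-05-05T09:00:00Z"),
]

if __name__ == "__main__":
    for decision in evaluate(SAMPLE, NOW):
        print(decision)
```

If the identity attribute is fed from AD's lastLogonTimestamp, keep in mind that it is replicated but updated lazily (by default only when the stored value is more than 14 days old), so it can lag the real last logon by up to two weeks; lastLogon is exact but held per domain controller and not replicated. A 90-day threshold is well clear of that lag, but a much shorter one would not be.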