Azure AD account Disabled Date

Hi Experts,

I’m trying to fetch all the accounts [Active and Inactive] from Azure AD including the attribute of when the account got disabled.

Has anyone been able to pull this value into ISC?

I’m afraid it’s not possible - mostly because, as far as I know, there’s no attribute in Azure AD which would hold information about when an account got disabled.

It is possible to filter accounts during aggregation - here is documentation for that purpose

Thanks @kamil for your reply.

Actually, we are trying to use that data for another operation in ISC.

Hi @chandramohans27,

Just as a workaround, you may reconcile the data and, depending upon the disabled detection or disable trigger, you may configure the operation that you want to achieve.

Thanks

@ashutosh08

Thanks for your reply.

Actually, I don’t see disabled detection on the Azure AD connector.

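That’s correct; as far as I know it’s not even that simple to get this information from Azure itself. You may try to execute a PowerShell command on the IQService host to get this information:

```powershell
# Placeholder: replace with the userPrincipalName of the account to look up
$upn = '<userPrincipalName>'
# Requires the Microsoft.Graph.Reports module and a Connect-MgGraph session with the AuditLog.Read.All scope
Get-MgAuditLogDirectoryAudit -Filter "ActivityDisplayName eq 'Disable account' and TargetResources/any(t:t/UserPrincipalName eq '$upn')"
```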

:warning: Azure keeps the log only for 30 days. Also, there is no guarantee of when AD writes operations to the AuditLog - they only say that in 95% of cases the information may be available within 2 minutes.

2 Likes
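
Building on the audit-log query in the reply above, here is an added example (not code from any poster in this thread) that resolves a disabled date per account and flags accounts whose disable event is no longer in the retained log. The function name, output columns and sample records are assumptions constructed for illustration; the sample objects mirror the property names returned by the Microsoft Graph PowerShell cmdlets.

```powershell
# Added example. With live data (assumes Connect-MgGraph with AuditLog.Read.All and User.Read.All):
#   $events = Get-MgAuditLogDirectoryAudit -All -Filter "ActivityDisplayName eq 'Disable account'"
#   $users  = Get-MgUser -All -Filter "accountEnabled eq false" -Property Id,UserPrincipalName,AccountEnabled

function Get-AccountDisabledDate {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Users,   # currently disabled accounts
        [object[]] $AuditEvents = @()               # 'Disable account' audit records
    )
    # Index the newest successful disable event per target UPN.
    $latest = @{}
    foreach ($e in $AuditEvents) {
        if ($e.Result -ne 'success') { continue }   # ignore failed attempts
        foreach ($t in $e.TargetResources) {
            if (-not $t.UserPrincipalName) { continue }
            $key = $t.UserPrincipalName.ToLowerInvariant()
            if (-not $latest.ContainsKey($key) -or
                $e.ActivityDateTime -gt $latest[$key].ActivityDateTime) {
                $latest[$key] = $e
            }
        }
    }
    # One row per disabled account; no matching event means it aged out of the log.
    foreach ($u in $Users) {
        $hit = $latest[$u.UserPrincipalName.ToLowerInvariant()]
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisabledDate      = if ($hit) { $hit.ActivityDateTime } else { $null }
            Source            = if ($hit) { 'AuditLog' } else { 'NotInRetainedLog' }
        }
    }
}

# Constructed sample records (not real tenant output).
function New-SampleEvent($When, $Result, $Upn) {
    [pscustomobject]@{
        ActivityDateTime = [datetime]$When
        Result           = $Result
        TargetResources  = @([pscustomobject]@{ UserPrincipalName = $Upn })
    }
}
$events = @(
    New-SampleEvent '2024-06-01T09:00:00Z' 'success' 'alice@example.com'
    New-SampleEvent '2024-06-10T14:30:00Z' 'success' 'Alice@example.com'   # disabled again later
    New-SampleEvent '2024-06-05T08:00:00Z' 'failure' 'bob@example.com'     # failed attempt only
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com' }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com' }             # disabled before the log window
)
Get-AccountDisabledDate -Users $users -AuditEvents $events | Format-Table
```

Running this on a schedule and persisting the rows lets the disabled date outlive the audit-log retention window mentioned in the reply.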
