Disable users based on last logon

Hello all,

I need a process, for PCI, to detect users who have not logged in to either Active Directory or Azure AD within a certain time period.

Is there a process that will analyze identity attributes and detect conditions such as
Is contractor= yes
Lifecycle State = active
AD lastLogonTimestamp > 9 days
AND
AzureAD last interactive login > 9 days
And if conditions are met, meaning the user hasn't logged in within the last 10 days, perform action: disable AD account (but no groups removed, just disable the account).

Right now we’ve accomplished this via a lengthy PowerShell script. We need a better solution.

Please let me know if I can clarify this ask.

Thanks!
Mike

This should be achievable with lifecycle states. In the identity profile for Active Directory, configure your existing "Inactive" lifecycle state to disable accounts in AD. Or, create a new lifecycle state if you are already using "Inactive" for other purposes.

Then, apply a custom transform on the Lifecycle State attribute in your identity profile mappings to calculate the correct lifecycle based on the attribute conditions you listed above. There are a number of transform operations to help you accomplish this logic.
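Whichever way the condition is evaluated (the existing PowerShell script or a transform feeding the lifecycle state), the comparison itself is the same, so here it is as an added example in Python with constructed sample records. This is not code from the original post or from SailPoint, and the record field names (isContractor, lifecycleState, ad_lastLogonTimestamp, aad_lastSignInDateTime) are assumptions for illustration. It goes one step beyond the question's literal conditions: AD only rewrites lastLogonTimestamp when the stored value is more than msDS-LogonTimeSyncInterval (default 14 days) minus a random 0 to 5 days old, so the stored value can trail the real last logon by up to 14 days. A threshold of 10 days applied directly to that attribute will disable accounts that logged on yesterday; the example therefore pushes the AD cutoff back by 14 days unless told not to, and the sample run shows the difference on a borderline account.

```python
"""Inactivity evaluation for contractor identities with an AD and an Azure AD account.

Added example; not code from the original post or from SailPoint. It implements the
conditions listed in the question over constructed sample records and adds the
lastLogonTimestamp replication-lag allowance. Field names are assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores lastLogonTimestamp as a Windows FILETIME: 100-nanosecond intervals
# since 1601-01-01 00:00 UTC. 0 or a missing value means "never logged on".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# lastLogonTimestamp is only rewritten when the stored value is more than
# (msDS-LogonTimeSyncInterval, default 14 days, minus a random 0-5 days) old,
# so the true last logon can be up to 14 days later than the stored value.
LASTLOGONTIMESTAMP_MAX_LAG_DAYS = 14


def filetime_to_datetime(filetime: Optional[int]) -> Optional[datetime]:
    """Convert an AD FILETIME integer to an aware UTC datetime (None for never)."""
    if not filetime:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; integer arithmetic so large values stay exact."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_aad_signin(value: Optional[str]) -> Optional[datetime]:
    """Parse the ISO-8601 UTC timestamp Graph returns in signInActivity.lastSignInDateTime."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_stale(last: Optional[datetime], cutoff: datetime) -> bool:
    """True when the last activity is unknown or older than the cutoff."""
    return last is None or last < cutoff


def should_disable(identity: dict, now: datetime, inactive_days: int,
                   allow_for_ad_lag: bool = True) -> bool:
    """Apply the question's conditions to one identity record."""
    if str(identity.get("isContractor", "")).lower() != "yes":
        return False
    if identity.get("lifecycleState") != "active":
        return False  # already inactive/disabled: nothing to do
    cutoff = now - timedelta(days=inactive_days)
    ad_cutoff = cutoff
    if allow_for_ad_lag:
        # A stored timestamp T only proves no logon before T; the real last logon
        # may be up to 14 days after T, so require T to be older still.
        ad_cutoff = cutoff - timedelta(days=LASTLOGONTIMESTAMP_MAX_LAG_DAYS)
    ad_last = filetime_to_datetime(identity.get("ad_lastLogonTimestamp"))
    aad_last = parse_aad_signin(identity.get("aad_lastSignInDateTime"))
    # Both directories must show inactivity; a sign-in to either one keeps the account.
    return is_stale(ad_last, ad_cutoff) and is_stale(aad_last, cutoff)


def accounts_to_disable(identities, now, inactive_days, allow_for_ad_lag=True):
    """Return the sorted sAMAccountNames that meet the disable conditions."""
    return sorted(i["sAMAccountName"] for i in identities
                  if should_disable(i, now, inactive_days, allow_for_ad_lag))


# Constructed sample data (not real accounts). NOW is fixed so results are reproducible.
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)


def _days_ago(days: int) -> datetime:
    return NOW - timedelta(days=days)


def _aad(days: int) -> str:
    return _days_ago(days).strftime("%Y-%m-%dT%H:%M:%SZ")


SAMPLE_IDENTITIES = [
    {"sAMAccountName": "c.active", "isContractor": "yes", "lifecycleState": "active",
     "ad_lastLogonTimestamp": datetime_to_filetime(_days_ago(2)), "aad_lastSignInDateTime": _aad(30)},
    {"sAMAccountName": "c.stale", "isContractor": "yes", "lifecycleState": "active",
     "ad_lastLogonTimestamp": datetime_to_filetime(_days_ago(40)), "aad_lastSignInDateTime": _aad(40)},
    {"sAMAccountName": "c.aadonly", "isContractor": "yes", "lifecycleState": "active",
     "ad_lastLogonTimestamp": 0, "aad_lastSignInDateTime": _aad(3)},
    {"sAMAccountName": "c.never", "isContractor": "yes", "lifecycleState": "active",
     "aad_lastSignInDateTime": None},
    {"sAMAccountName": "c.border", "isContractor": "yes", "lifecycleState": "active",
     "ad_lastLogonTimestamp": datetime_to_filetime(_days_ago(12)), "aad_lastSignInDateTime": _aad(40)},
    {"sAMAccountName": "e.stale", "isContractor": "no", "lifecycleState": "active",
     "ad_lastLogonTimestamp": datetime_to_filetime(_days_ago(40)), "aad_lastSignInDateTime": _aad(40)},
    {"sAMAccountName": "c.inactive", "isContractor": "yes", "lifecycleState": "inactive",
     "ad_lastLogonTimestamp": datetime_to_filetime(_days_ago(40)), "aad_lastSignInDateTime": _aad(40)},
]

if __name__ == "__main__":
    print("disable (AD lag allowed for):", accounts_to_disable(SAMPLE_IDENTITIES, NOW, 10))
    print("disable (literal 10-day check):", accounts_to_disable(SAMPLE_IDENTITIES, NOW, 10, False))
```

Note that c.border (AD logon 12 days ago) is only flagged by the literal check; with the replication-lag allowance it is kept, because a stored value 12 days old is consistent with a logon yesterday. An account with no logon data in either directory (c.never) is treated as inactive; if new accounts are provisioned before first use, add a whenCreated guard so they are not disabled before the contractor's first day.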