Notify when AD account expiration date approaches

Hi all! We have mapped the AD account expires date to the identity.

We need to send an email when there are 15 days left, 10 days left, 5 days left and 1 day left.

Right now, we have a solution in which we have 1 identity attribute, with a transform that returns the days left until the expiration date. This is combined with a workflow that captures when this attribute changes and, inside the workflow, sends the corresponding email.

Has anyone faced something similar? As this solution implies attributes that the client will see on the identity, we would like to explore other alternatives.

Thanks in advance.

We did something like this for a customer who wanted to notify the sponsor of a contractor that their account was expiring. We used an identity attribute with an end date. We used that in the lifecycle state transform. We had multiple lifecycle states (15 days to termination, 7 days to termination, 3 days to termination …); each lifecycle state notified the manager. We used Velocity to create a specialized template for these notifications.


The 2 solutions that I have seen most often are the 2 that are mentioned here:

  1. Using an IdentityAttribute to hold the Days Until Termination, and then a workflow with an IdentityAttribute Change Trigger that looks for the correct value and sends messages
  2. An IdentityAttribute with the Termination Date, and Lifecycle states built off them, with the Lifecycle state change sending the messages.

For the first one, one thing to be aware of is that if you update the number every day, then the workflow will trigger every day for every user. A better approach is to only update the value when it changes to a value you care about. So only update on 15, 10, 5 and 1 days. This way it is only triggered once for each.

For the second approach that @agutschow mentions, this does take some additional work to make sure that the lifecycle states are correct, but it also allows you to use it for other processes, such as if you need to do staged disable/delete of account/roles, etc. that are available for the state changes.

It is really going to depend on what you need to process and how. You could likely use both methods too. Unfortunately, I don’t know of an approach that does not require an IdentityAttribute for this.

If you’re in an Exchange environment, maybe consider creating Events. (People are already bombarded with emails).

e.g. Create event - Microsoft Graph v1.0 | Microsoft Learn

p.s. Forgot to mention: if you want to hide this / avoid having / showing an additional identity attribute, you can potentially hide / embed this in the expiration date calculation as an ‘x’ seconds offset. e.g. a 1 second offset means set an event today / send an email today; a 0 second offset means nothing to do. Then, in the before / after account modify rule, just check if there’s a 1 second offset or not; if 1, then do the notification step that you see fit. (or a 100-nanosecond offset if that 1 second matters)

This piggy-backing does mean you’d be doing unnecessary writes to AD. I don’t recommend this…but just doing a thought exercise. Alicia’s approach is likely your best bet, assuming you don’t have a lot of pre-event notifications. (As an identity can only be in one state at any point in time, multiple types of pre-event notification time-collision?)

Hi @gmilunich, how should we get the difference between the accountExpires attribute and today’s date? Is it possible with the dateMath transform?

Yes, you would use the Transforms to calculate the difference.

I had a similar requirement from one of the customers, but not entirely the same. Below is the approach I took to implement it using Workflow:

  1. Trigger: Scheduled Trigger (twice a day)
  2. Action: Get List of Identities. Used a Search Query to find only the identities falling within the reminder days, using the end date / AD account expires identity attribute (e.g. now+15d OR now+10d OR now+5d)
  3. Operator: Loop. To iterate over each identity from the Search result
  4. Inside Loop:
    => Action: Get Identity. Getting an identity from the loop
    => Operator: Define Variable. Variables for each reminder day and for the current date. Here you need to define 3 reminder variables for 15, 10 and 5 days. Calculate the reminder day from the end date. Below is a sample variable definition for 15 days:
{
    "name": "var15Days",
    "description": "",
    "transforms": [
        {
            "id": "sp:transform:subtractTime:time",
            "input": {
                "length": 15,
                "unit": "days"
            }
        }
    ],
    "variableA.$": "$.getIdentity1.attributes.endDate"
}

    => Operator: CompareTimestamps. Compare the current date with the reminderDays variable. For example, Value1 = varToday, Comparison Operator = “Is on the Date”, Value2 = var15Days. If it is true, send the email; else go to the 10-day check and do the same comparison with the 10-day and 5-day variables.
    => Operator: End Step - Success. To end the loop
  5. Operator: End Step - Success. To end the Workflow.

This way, it does not require an additional identity attribute and also does not need to process unchanged identities every day. The Workflow executes at the scheduled time and processes only the identities whose end date falls in the specific timeline.

Hope this helps on your case.
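As an added example (my own code, not from any poster in this thread or from SailPoint), this Python models the decision logic behind both approaches above: converting a raw AD accountExpires value to a date, producing a reminder value only on the 15/10/5/1-day threshold days (the "update only when it changes to a value you care about" point, so an attribute-change trigger does not fire every day), and the scheduled-search style selection of only those identities whose end date falls exactly on a reminder day. The identity records and the fixed "today" are constructed sample data.

```python
from datetime import date, datetime, timedelta, timezone

# AD stores accountExpires as a Windows FILETIME: 100-nanosecond intervals
# since 1601-01-01 UTC. Both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
REMINDER_DAYS = (15, 10, 5, 1)  # thresholds asked for in the thread

def filetime_to_date(account_expires):
    """Raw accountExpires value -> UTC calendar date, or None for 'never expires'."""
    if account_expires in NEVER_EXPIRES:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=account_expires // 10)).date()

def date_to_filetime(expires_on):
    """Inverse of filetime_to_date; used only to build a constructed sample value."""
    midnight = datetime(expires_on.year, expires_on.month, expires_on.day, tzinfo=timezone.utc)
    return int((midnight - FILETIME_EPOCH).total_seconds()) * 10_000_000

def reminder_for(expires_on, today):
    """Threshold (15/10/5/1) reached today, else None.

    Writing this to the identity attribute only on threshold days is the
    'update only when it changes to a value you care about' approach, so an
    attribute-change trigger fires once per threshold instead of every day.
    """
    if expires_on is None:
        return None
    left = (expires_on - today).days
    return left if left in REMINDER_DAYS else None

def identities_to_notify(identities, today):
    """Scheduled-search style: (name, days_left) for identities whose endDate
    is exactly today+15, +10, +5 or +1 days; everyone else is skipped."""
    hits = []
    for ident in identities:
        days = reminder_for(date.fromisoformat(ident["endDate"]), today)
        if days is not None:
            hits.append((ident["name"], days))
    return hits

# Constructed sample data (not from the thread); "today" is fixed so runs repeat.
SAMPLE_TODAY = date(2024, 1, 16)
SAMPLE_IDENTITIES = [
    {"name": "contractor.a", "endDate": "2024-01-31"},  # 15 days left
    {"name": "contractor.b", "endDate": "2024-01-26"},  # 10 days left
    {"name": "contractor.c", "endDate": "2024-01-20"},  # 4 days: nothing today
    {"name": "contractor.d", "endDate": "2024-01-17"},  # 1 day left
]
```

Calling `identities_to_notify(SAMPLE_IDENTITIES, SAMPLE_TODAY)` yields only the three identities sitting exactly on a threshold; the 4-days-left record is untouched, which is what keeps the daily run cheap.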