Transform that calculates difference between today and ISO8601 date attribute in days

khalilgahbiche · January 21, 2025, 9:35am

Dear team,

We’ve added the “lastSignInDate” Entra ID attribute to the identity profile attributes, and we’d like to add a new profile attribute that returns the number of days since the last Entra ID sign-in date. To do that, we’ll need a Transform. The “lastSignInDate” Entra ID attribute is already using a transform to convert it to an ISO8601 date format. The endeavor is to run a Workflow that checks all users who didn’t log in in the last 90 days and disable their accounts.
Any idea how to build this transform rule?
Thanks.

sameertawargeri · January 21, 2025, 11:37am

You can setup date compare transform to compare EntraID lastSigninDate to current date. If the lastSigninDate is more than 90 days in the past then return true from the transform and assign it to a new identity profile attribute named something like(EntraID Dormant User), if signindate is less than 90 set it to false

To disable account through workflow configure Identity Attributes Change trigger. If the change to this attribute is true then perform Manage Account to disable. Here is an example of date compare transform

"entraAccountDormant": {
	"type": "dateCompare",
	"attributes": {
		"firstDate": {
			"attributes": {
				"input": {
					"attributes": {
						"input": {
							"type": "accountAttribute",
							"attributes": {
								"sourceName": "EntraID",
								"attributeName": "lastSigninDate"
							}
						},
						"inputFormat": "yyyy-MM-dd",
						"outputFormat": "ISO8601"
					},
					"type": "dateFormat"
				},
				"expression": "+90d"
			},
			"type": "dateMath"
		},
		"secondDate": "now",
		"operator": "lt",
		"positiveCondition": "true",
		"negativeCondition": "false"
	}
}

phil_awlings · January 21, 2025, 2:02pm

Rather than using Workflows, just add the transform that Sameer has provided to the LCS transform. That will then disable all the accounts. It will also auto re-enable the accounts once they log back in again ,rather than having to have another workflow

sup3rmark · January 21, 2025, 4:19pm

Hi @khalilgahbiche!

A couple of things -

We don’t have access to Velocity libraries like dateTool or mathTool, unfortunately, which makes any sort of math more difficult to implement in a Transform. See this post and the linked Idea where I’ve requested adding dateTool and numberTool to Transforms (they’re already used elsewhere in the platform, though mathTool is not).
It’s still possible to use simple addition, subtraction, etc., but the bigger issue in this sort of transform would be converting the date to something we could actually do math on. It’s probably doable if we’re talking about dates within a year of each other, but beyond that it gets really tricky with leap years and whatnot.

As for the attribute itself, see the transform I’ve shared here for a more robust version of what @sameertawargeri did above. This looks not only at the lastSignInDateTime from Entra, but also the lastNonInteractiveSignInDateTime as well as the lastLogon, lastLogonTimestamp, pwdLastSet, and whenCreated from Active Directory, and returns the value that is the most recent. You could then do a dateCompare and see if the returned value is >90 days in the past, and use that to change their Lifecycle State or trigger the workflow.

Good luck!