Forum Discussion

Skipster311-1
Iron Contributor
Nov 03, 2021

sync account expires to azure ad

Hello

I understand Azure AD has no knowledge of "account expiration"; however, I am being asked to sync this attribute to Azure AD. I need this attribute to be usable for applications like MS Flow. If I just configure the attribute to sync, will it be readable, or do I need to create a custom sync rule so the attribute and value are usable in Azure AD?

    • pbatey7
      Copper Contributor

      Jai Verma I'm not sure that's what he was asking. The link you sent refers to password hash more than anything, and in my business we do that part fine, but what we don't do is sync AccountExpires. The previous link is more interested in accounts expiring, whereas I (and likely the other chap) am interested in utilizing the account expires as a set date and time that we set using scripts from an HR system, and the issue is that this isn't sent from AD to Azure and into our Azure-linked systems.

      I've read why it doesn't happen, but no detailed way of getting around it. I'll keep looking.

      I think I read somewhere that you can create a "full sync" schedule in AD Sync, and the reason you need this method instead of delta syncs is due to the "state" of the attribute... ??

      • LainRobertson
        Silver Contributor

        pbatey7

        This is an old thread now and there have been some changes since late 2021 - not with respect to account expiration, as that still doesn't exist, but with respect to effectively moving accountExpires from Active Directory into Azure Active Directory.

        First, the "what's new" is that an additional attribute was added to Azure AD and grouped together with another to be called the "lifecycle attributes" - which is a grandiose title for a whole two attributes:

        • employeeHireDate (has been around for quite a while)
        • employeeLeaveDateTime (the new addition since the original post)

        Reference article:

        With respect to getting accountExpires into Azure AD via AAD Connect, you will need to (or should) use a custom rule to transform the Int64 Active Directory presentation into a String presentation (see the Functions Reference link below) - as noted in the reference article. If your organisation is looking to use, or is already using, one of the listed SAAS HR platforms, plan to use the nominated date formats to ensure there aren't any integration issues down the road.

        So, once you've flowed accountExpires into employeeLeaveDateTime using the AAD Connect custom rule's transformation, you can then consume that "ending date" in other Azure AD-integrated systems, platforms and applications. You could even use something like Azure Logic Apps/Functions to further emulate the actual account expiration functionality if you were so inclined (albeit at extra cost per execution).

        Cheers,

        Lain
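The transformation Lain describes, as an added illustration that is not part of the thread and not Microsoft's own rule syntax: the actual rule is written in the AAD Connect expression language, but the conversion it has to perform is the same as below. accountExpires is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, stored as Int64) whose two sentinel values 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires", so a rule that blindly formats the number would flow a year-30828 date into employeeLeaveDateTime. The sample export, the account names and the function names are constructed for the example; the check at the end flags accounts whose expiry has already passed, because Azure AD will copy that string faithfully but will not enforce it.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Added example (not from the thread or from Microsoft): what an AAD Connect
# custom rule has to do with accountExpires before it can land in the
# string-typed employeeLeaveDateTime attribute, plus a pre-flight check to
# run over an export before enabling the rule.

# accountExpires is a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 00:00:00 UTC, stored as Int64.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Both sentinel values mean "account never expires" in Active Directory.
NEVER_EXPIRES = {0, 0x7FFF_FFFF_FFFF_FFFF}


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Return the UTC datetime for a FILETIME, or None for the 'never' sentinels."""
    if ticks in NEVER_EXPIRES:
        return None
    if ticks < 0:
        raise ValueError(f"accountExpires must be non-negative, got {ticks}")
    # Integer division to microseconds keeps us inside timedelta's resolution.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(moment: datetime) -> int:
    """Inverse conversion, useful for building fixtures from a calendar date."""
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    return int(delta.total_seconds()) * TICKS_PER_SECOND


def account_expires_to_leave_date(value) -> Optional[str]:
    """Transform an AD accountExpires value into the ISO 8601 UTC string
    shape (yyyy-MM-ddTHH:mm:ssZ) used for employeeLeaveDateTime.
    Absent values and 'never expires' map to None so nothing is flowed."""
    if value is None or value == "":
        return None
    expiry = filetime_to_datetime(int(value))
    if expiry is None:
        return None
    return expiry.strftime("%Y-%m-%dT%H:%M:%SZ")


def already_expired(value, now: datetime) -> bool:
    """True when the AD account's expiry is at or before `now`."""
    if value in (None, ""):
        return False
    expiry = filetime_to_datetime(int(value))
    return expiry is not None and expiry <= now


# Constructed sample export (not real directory data). The tick values
# correspond to 2022-06-30T17:00:00Z, "never expires", and 2020-01-01T00:00:00Z.
SAMPLE_EXPORT = [
    {"sAMAccountName": "contractor1", "accountExpires": 133010820000000000},
    {"sAMAccountName": "staff1", "accountExpires": 9223372036854775807},
    {"sAMAccountName": "leaver1", "accountExpires": 132223104000000000},
]


def build_leave_dates(export, now: Optional[datetime] = None) -> dict:
    """Return {sAMAccountName: employeeLeaveDateTime-or-None} for an export and
    report accounts whose expiry already passed: the sync copies the string,
    but Azure AD does not block sign-in because of it."""
    now = now or datetime.now(timezone.utc)
    result = {}
    for rec in export:
        raw = rec.get("accountExpires")
        leave = account_expires_to_leave_date(raw)
        result[rec["sAMAccountName"]] = leave
        if leave and already_expired(raw, now):
            print(f"{rec['sAMAccountName']}: expired at {leave}; "
                  "Azure AD will not enforce this on its own")
    return result


if __name__ == "__main__":
    print(build_leave_dates(SAMPLE_EXPORT))
```

Whatever expression you end up with in the rule, test it against the two sentinel values and an empty attribute first; those are the cases that produce nonsense leave dates rather than sync errors.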