SOLVED

Azure AD account expiration date

New Contributor

We are in need of having expiration date for Azure AD User accounts. How do we accomplish that?

6 Replies
No such attribute in Azure AD, you can use a custom workflow/script instead.
Thanks Vasil,

I know a lot of companies use this in Windows Active Directory for short term employees or consultants. My reaction in this community is rather due to the lack of functionality in MS Azure AD.
I will fix my problem with custom workflows but it seems unnecessary to me. Better if Microsoft copies this attribute from Windows Active Directory, I think. I understand copying functionality from Windows AD is not really how they do it but it can't be impossible for them to build it.

Again, thanks for your response.
@pema012

Like Vasil indeed states, there is no feature or attribute that fixes this issue.

Tip: if you have contractors, partners, or external accounts, I would recommend using Access reviews. More information about this can be found in my blog post:

https://www.bilalelhaddouchi.nl/index.php/2021/09/30/blog-3-of-4-azure-ad-access-reviews/
Thanks BilaelHadd,

Unfortunately we will not engage in Azure AD P2 license.
best response confirmed by pema012 (New Contributor)
Solution
In the end I solved my issue by creating a list in SharePoint Online containing user accounts' object ID and the last day of employment as a date.

Then in Microsoft Power Automate I created a flow running every night checking if any records in the list are the same or earlier than today and, if so, setting the Azure AD account to be disabled in Azure AD. While at it, I also remove the account from the Azure AD security group providing Microsoft 365 licenses.

So not having an account expiration date in Azure AD in the end gave me the opportunity to do more. Thanks Microsoft. :D
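
The nightly check described in the solution above, sketched as an added example (not the poster's Power Automate flow): it turns list rows into the two Microsoft Graph requests per expired account, disable the user and remove it from the license group, without sending anything. The row field names `objectId` and `lastDay`, the sample rows and the group ID are constructed assumptions.

```python
import uuid
from datetime import date, datetime

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample rows standing in for the SharePoint list (field names are assumptions).
SAMPLE_ROWS = [
    {"objectId": "11111111-1111-1111-1111-111111111111", "lastDay": "2024-05-31"},
    {"objectId": "22222222-2222-2222-2222-222222222222", "lastDay": "2024-06-15"},
    {"objectId": "33333333-3333-3333-3333-333333333333", "lastDay": "2024-07-01"},
    {"objectId": "44444444-4444-4444-4444-444444444444", "lastDay": "15/06/2024"},  # bad date
    {"objectId": "not-a-guid/../groups", "lastDay": "2024-01-01"},  # bad object ID
]
LICENSE_GROUP_ID = "99999999-9999-9999-9999-999999999999"  # placeholder, not a real group


def plan_offboarding(rows, today, license_group_id):
    """Return (requests, rejected) for rows whose last day is today or earlier.

    requests: (method, url, json_body) tuples for Microsoft Graph.
    rejected: rows with an unparsable date or object ID, kept for manual review.
    """
    requests, rejected = [], []
    for row in rows:
        try:
            # Canonicalise the GUID so list content cannot alter the request path.
            oid = str(uuid.UUID(row["objectId"]))
            last_day = datetime.strptime(row["lastDay"], "%Y-%m-%d").date()
        except (KeyError, TypeError, ValueError):
            rejected.append(row)  # never guess: a skipped row must be visible
            continue
        if last_day > today:
            continue  # still employed
        # Block sign-in, then drop the membership that grants the licenses.
        requests.append(("PATCH", f"{GRAPH}/users/{oid}", {"accountEnabled": False}))
        requests.append(
            ("DELETE", f"{GRAPH}/groups/{license_group_id}/members/{oid}/$ref", None)
        )
    return requests, rejected


if __name__ == "__main__":
    reqs, bad = plan_offboarding(SAMPLE_ROWS, date(2024, 6, 15), LICENSE_GROUP_ID)
    for method, url, body in reqs:
        print(method, url, body or "")
    for row in bad:
        print("REVIEW:", row)
```

Rows that land in `rejected` are the ones to alert on: a mistyped date in the list otherwise means an account that silently never expires.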

Azure AD doesn't currently support setting an expiration date for Azure AD accounts. Currently we use access reviews from Identity Governance and set a quarterly review to validate the user accounts. You can also use access packages for privileged users: you have an option to define the "Maximum allowed eligible duration is permanent." or make them eligible and define the maximum JIT duration.