Microsoft Tech Community

sync account expires to azure ad

Hello

I understand Azure AD has no knowledge of "account expiration", however I am being asked to sync this attribute to Azure AD. I need this attribute to be usable for applications like MS Flow. If I just configure the attribute to sync, will it be readable, or do I need to create a custom sync rule so the attribute and value are usable in Azure AD?

3 Replies

@Jai Verma I'm not sure that's what he was asking. The link you sent refers to password hash more than anything, and in my business we do that part fine, but what we don't do is sync AccountExpires. The previous link is more interested in accounts expiring, whereas I (and likely the other chap) am interested in utilizing the account expires as a set date and time that we set using scripts from an HR system, and the issue is this isn't sent from AD to Azure and into our Azure-linked systems.

I've read why it doesn't happen but no detailed way of getting around it, but I'll keep looking.

I think I read somewhere that you can create a "full sync" schedule in ADsync and the reason you need this method instead of delta syncs is due to the "state" of the attribute.... ??

@pbatey7 

This is an old thread now and there have been some changes since late 2021 - not with respect to account expiration, as that still doesn't exist, but with respect to effectively moving accountExpires from Active Directory into Azure Active Directory.

First, the "what's new" is that an additional attribute was added to Azure AD and grouped together with another to be called the "lifecycle attributes" - which is a grandiose title for a whole two attributes:

  • employeeHireDate (has been around for quite a while)
  • employeeLeaveDateTime (the new addition since the original post)

Reference article:

With respect to getting accountExpires into Azure AD via AAD Connect, you will need (or should) use a custom rule to transform the Int64 Active Directory presentation into a String presentation (see the Functions Reference link below) - as noted in the reference article. If your organisation is looking to use, or is already using, one of the listed SaaS HR platforms, plan to use the nominated date formats to ensure there aren't any integration issues down the road.

So, once you've flowed accountExpires into employeeLeaveDateTime using the AAD Connect custom rule's transformation, you can then consume that "ending date" in other Azure AD-integrated systems, platforms and applications. You could even use something like Azure Logic Apps/Functions to further emulate the actual account expiration functionality if you were so inclined (albeit at extra cost per execution).

Cheers,

Lain
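The Int64-to-string transformation Lain describes above, as an added Python example that is not part of this thread or of AAD Connect itself: it mirrors what the custom sync rule has to do (in the rules editor that is done with expression functions such as DateFromNum and FormatDateTime) so the expected employeeLeaveDateTime values can be checked against real accountExpires data before the rule goes live. Assumed here: the yyyyMMddHHmmss.0Z target string format, and the constructed sample values at the bottom.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Union

# accountExpires is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Two sentinel values both mean "account never expires": 0 and Int64.MaxValue.
# A rule that formats these blindly writes a bogus 1601 or year-30828 date.
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def account_expires_to_datetime(value: Union[int, str, None]) -> Optional[datetime]:
    """Raw accountExpires -> aware UTC datetime, or None when the account never expires."""
    if value is None or value == "":
        return None
    ticks = int(value)  # LDAP tooling often hands the attribute over as a string
    if ticks in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_account_expires(when: datetime) -> int:
    """Inverse conversion, e.g. for an HR-driven script that sets the attribute."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def to_employee_leave_datetime(value: Union[int, str, None]) -> Optional[str]:
    """String form for employeeLeaveDateTime (assumed yyyyMMddHHmmss.0Z style).
    None means the rule should leave the target attribute empty rather than set a date."""
    expiry = account_expires_to_datetime(value)
    if expiry is None:
        return None
    return expiry.strftime("%Y%m%d%H%M%S") + ".0Z"


def to_iso8601(value: Union[int, str, None]) -> Optional[str]:
    """ISO 8601 UTC form, the shape downstream consumers such as Graph expose."""
    expiry = account_expires_to_datetime(value)
    return None if expiry is None else expiry.strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    # Constructed sample: one user with a set expiry, two with the "never" sentinels.
    sample = {"alice": 133800768000000000, "bob": 0, "carol": "9223372036854775807"}
    for user, raw in sample.items():
        print(user, to_employee_leave_datetime(raw), to_iso8601(raw))
```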