Nov 03 2021 11:13 AM - last edited on Jan 14 2022 03:23 PM by TechCommunityAP
Hello
I understand Azure AD has no knowledge of "account expiration"; however, I am being asked to sync this attribute to Azure AD. I need this attribute to be usable for applications like MS Flow. If I just configure the attribute to sync, will it be readable, or do I need to create a custom sync rule so the attribute and value are usable in Azure AD?
Feb 17 2022 09:14 PM
Jun 12 2023 01:02 PM
@Jai Verma I'm not sure that's what he was asking. The link you sent refers to password hash more than anything, and in my business we do that part fine, but what we don't do is sync AccountExpires. The previous link is more interested in accounts expiring, whereas I, and likely the other chap, are interested in utilizing the account expires as in a set date and time that we set using scripts from an HR system, and the issue is this isn't sent from AD to Azure and into our Azure-linked systems.
I've read why it doesn't happen but no detailed way of getting around it, but I'll keep looking.
I think I read somewhere that you can create a "full sync" schedule in ADsync, and the reason you need this method instead of delta syncs is due to the "state" of the attribute...??
Jun 12 2023 03:45 PM
This is an old thread now and there have been some changes since late 2021 - not with respect to account expiration, as that still doesn't exist, but with respect to effectively moving accountExpires from Active Directory into Azure Active Directory.
First, the "what's new" is that an additional attribute was added to Azure AD and grouped together with another to be called the "lifecycle attributes" - which is a grandiose title for a whole two attributes:
Reference article:
With respect to getting accountExpires into Azure AD via AAD Connect, you will need to (or should) use a custom rule to transform the Int64 Active Directory presentation into a String presentation (see the Functions Reference link below) - as noted in the reference article. If your organisation is looking to use, or is already using, one of the listed SaaS HR platforms, plan to use the nominated date formats to ensure there aren't any integration issues down the road.
So, once you've flowed accountExpires into employeeLeaveDateTime using the AAD Connect custom rule's transformation, you can then consume that "ending date" in other Azure AD-integrated systems, platforms and applications. You could even use something like Azure Logic Apps/Functions to further emulate the actual account expiration functionality if you were so inclined (albeit at extra cost per execution).
Cheers,
Lain
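The transformation Lain describes (Int64 accountExpires into the ISO 8601 string that employeeLeaveDateTime takes), worked through offline in Python as an added example that is not part of the original thread or of AAD Connect itself; it stands in for the custom rule's expression so the "never expires" sentinel values and the output format can be checked before the rule is built. The user records, attribute names used as dictionary keys, and the sample values are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# accountExpires is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# AD stores "never expires" as either 0 or Int64.MaxValue; both must map to "no value".
NEVER_EXPIRES = (0, 0x7FFF_FFFF_FFFF_FFFF)

# ISO 8601 (UTC) layout, the form the target string attribute is expected to carry.
ISO_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def account_expires_to_iso8601(account_expires):
    """Int64 accountExpires -> ISO 8601 string, or None when the account never expires."""
    if account_expires is None or account_expires in NEVER_EXPIRES:
        return None
    if account_expires < 0:
        raise ValueError(f"not a valid FILETIME: {account_expires}")
    seconds, ticks = divmod(account_expires, TICKS_PER_SECOND)
    when = FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)
    return when.strftime(ISO_FORMAT)


def iso8601_to_account_expires(text):
    """Inverse mapping, useful for checking a synced value against the AD source."""
    when = datetime.strptime(text, ISO_FORMAT).replace(tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND


def build_employee_leave_datetime(users):
    """Emulate the attribute flow over a batch of constructed AD user records (dicts)."""
    out = {}
    for user in users:
        value = account_expires_to_iso8601(user.get("accountExpires"))
        if value is not None:  # never-expiring accounts get no employeeLeaveDateTime
            out[user["sAMAccountName"]] = value
    return out


# Constructed sample data, not taken from any real directory.
SAMPLE_USERS = [
    {"sAMAccountName": "contractor1", "accountExpires": 133642655990000000},  # 2024-06-30T23:59:59Z
    {"sAMAccountName": "fte1", "accountExpires": 0x7FFFFFFFFFFFFFFF},  # never expires
    {"sAMAccountName": "fte2", "accountExpires": 0},  # never expires
]

if __name__ == "__main__":
    print(build_employee_leave_datetime(SAMPLE_USERS))
```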