SOLVED

Azure AD account expiration date

Copper Contributor

We are in need of having expiration date for Azure AD User accounts. How do we acomplish that?

14 Replies
No such attribute in Azure AD, you can use a custom workflow/script instead.
Thanks Vasil,

I know a lot of companies use this in Windows Active Directory for short term employees or consultants. My reaction in this community is rather due to the lack of funcionality i MS Azure AD.
I will fix my problem with custom workflows but it seems unnecessary to me. Better if Microsoft copies this attribute from Windows Active Directory i think. I understand copying functionality from Windows AD is not really how they do it but it can't be impossible for them to build it.

Again, thanks for your response.
@pema012

Like Vasil indeed states, there is no feature or attribute that fixes this issue.

Tip, if you have contractors, partners, or external accounts, I would recommend you using Access reviews. More information about this can be found in my blog post:

https://www.bilalelhaddouchi.nl/index.php/2021/09/30/blog-3-of-4-azure-ad-access-reviews/
Thanks BilaelHadd,

Unfortunatley we will not engage in Azure AD P2 license.
best response confirmed by pema012 (Copper Contributor)
Solution
In the end I solved my issue by creating a list in Sharepoint online containing user accounts object ID and the last day of employment as a date.

Then in Microsoft Power Automate I created a flow running every night checking if any records in the list are the same or earlier than today and if so setting AzureAD account to be disabled in Azure AD. When on it I also remove the account from the Azure AD security group providing Microsoft 365 licenses.

So by not having account expire date in Azure AD in the end was giving me the opportunity to do more. Thanks Microsoft. 😄

Azure AD doesn't support for setting expiration date for Azure AD accounts currently. currently we use access review from Identity governance and set a quarterly review to validate the user accounts. You can also use access packages for privilege's users you have an option to define the "Maximum allowed eligible duration is permanent." or make them eligible and define the maximum JIT duration

@pema012 

Not trying to revive a dead thread here, but anyone looking for this should see a new attribute on their user accounts called "employeeLeaveDateTime." I believe that this attribute did not exist prior to the introduction of Lifecycle Workflows, which is in public preview but requires an Azure AD P2 license. If you have P2 licensing, you can utilize Lifecycle Workflows to accomplish account expiration. But for anyone else you should be able to interact with employeeLeaveDateTime using the Graph API. This would allow you, for instance, to set an expiration date by running a Logic App on a recurring schedule and when the date hits you can disable the account.

kdrumm5000_0-1670438844777.png

 

In Azure AD, you can set an account expiration date for user accounts to restrict access to resources for a specific period. To set an expiration date for a user account in Azure AD, follow these steps:

Connect to Azure AD using PowerShell or Graph API: You can use either Azure AD PowerShell or Azure AD Graph API to manage Azure AD user accounts. To connect to Azure AD using PowerShell, you will need to install the Azure AD PowerShell module and authenticate with your Azure AD tenant. To connect to Azure AD using Graph API, you will need to create an Azure AD app and authenticate with the app's client ID and secret.

Retrieve the user object: Once you have connected to Azure AD, you can retrieve the user object that you want to set the expiration date for. You can use the user's User Principal Name (UPN) or Object ID to retrieve the user object. For example, to retrieve a user object using PowerShell, you can use the following command:

Get-AzureADUser -ObjectId <user_object_id>

Set the account expiration date: After you have retrieved the user object, you can set the account expiration date using the "AccountExpirationDate" attribute of the user object. The "AccountExpirationDate" attribute is a DateTime attribute that can be set to a specific date and time or to a relative time. For example, to set the account expiration date for a user account to July 1, 2023, you can use the following command in PowerShell:

Set-AzureADUser -ObjectId <user_object_id> -AccountExpirationDate "2023-07-01T00:00:00Z"

This will set the account expiration date to July 1, 2023, at midnight UTC time.

Verify the account expiration date: To verify that the account expiration date has been set correctly, you can use the "Get-AzureADUser" cmdlet or the Azure AD Graph API to retrieve the user object again. The "AccountExpirationDate" attribute of the user object should now be set to the date and time that you specified.

It's important to note that setting an account expiration date will prevent the user from signing in after the expiration date, but it will not remove the user account or any associated data. If you want to delete the user account and associated data after the expiration date has passed, you will need to do so manually or through an automated process.
What would really be nice is if we could sync from On-Premises Active Directory to Azure AD the account expiration date. While we can sync and block access if the account is disabled, but when it comes to contractors you are not always told when a contract has ended and there account stay enabled. This allows them to still have access to data/email/teams/etc when they are no longer contracting.

@infocloud posting AI generated and unverified content that you didn't test and that doesn't even work (the parameter doesn't even exist)... Why are you doing this? You are not gaining anything from it. In fact you are wasting your own, but more importantly, everyone else's time. Maybe you didn't know but AI can often make up stuff so always best to verify.

@infocloud 

I do not see  '-AccountExpirationDate' switch with Set-AzureADUser cmdlet

I also do not see AccountExpirationDate attribute when getting user details using Get-AzureADuser

To my mind this is really just a workaround rather than a proper solution. It will work until MS decides to make changes to the underlying structure and breaks your solution. Which based on prior experience when this happens you may never know about it until its too late. Also this isn't really the same thing as the account should just be expired and not disabled - which triggers other processes like notification to managers etc.
That's very STUPID from Microsoft to not add this attribute.
IT is supposed to lighten our work load but "thanks" to Microsoft, our workload has just been increased *USELESSLY* !!!
1 best response

Accepted Solutions
best response confirmed by pema012 (Copper Contributor)
Solution
In the end I solved my issue by creating a list in Sharepoint online containing user accounts object ID and the last day of employment as a date.

Then in Microsoft Power Automate I created a flow running every night checking if any records in the list are the same or earlier than today and if so setting AzureAD account to be disabled in Azure AD. When on it I also remove the account from the Azure AD security group providing Microsoft 365 licenses.

So by not having account expire date in Azure AD in the end was giving me the opportunity to do more. Thanks Microsoft. 😄

View solution in original post