Idea ID: 2870425

Update Azure collector to support the Microsoft Graph API AND also be able to support the additional /beta APIs

Status: New Idea

The current collector uses the Azure AD Graph API.

The new Microsoft Graph API includes additional user attributes that are highly valuable, in particular the last login time:

            "signInActivity": {
                "lastSignInDateTime": "2020-12-07T04:40:59Z",
                "lastSignInRequestId": "2047c4cf-31a1-4383-8576-1588578a2301"
            }

To be able to collect this attribute requires BOTH that the collector be updated to support Azure AD Graph API, but also (presently) it's only available under the /beta branch.

Being able to collect login times for accounts is invaluable from a governance perspective, as it allows tracking of stale accounts and also provides valuable information on accounts being accessed when believed to be disabled (due to the account being detached from whatever directory sync tool is being used to provision the account).
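The two governance checks described above (stale accounts, and accounts used after they were believed disabled), as an added example that is not part of the original idea post or of the collector's code. The sample response, the `review` and `last_sign_in` helpers, the `BELIEVED_DISABLED` record and the 90-day threshold are assumptions made for illustration; only the `signInActivity` layout comes from the post.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample; only the signInActivity layout comes from the page.
SAMPLE = json.loads("""
{"value": [
  {"id": "u1", "userPrincipalName": "active@example.com",
   "signInActivity": {"lastSignInDateTime": "2020-12-07T04:40:59Z"}},
  {"id": "u2", "userPrincipalName": "stale@example.com",
   "signInActivity": {"lastSignInDateTime": "2020-06-01T10:00:00Z"}},
  {"id": "u3", "userPrincipalName": "never@example.com"},
  {"id": "u4", "userPrincipalName": "detached@example.com",
   "signInActivity": {"lastSignInDateTime": "2020-12-05T22:15:00Z"}}
]}
""")

# Hypothetical governance-side record: when each account was believed disabled.
BELIEVED_DISABLED = {"u4": datetime(2020, 11, 1, tzinfo=timezone.utc)}


def last_sign_in(user):
    """Return the last sign-in as an aware datetime, or None if never recorded."""
    raw = (user.get("signInActivity") or {}).get("lastSignInDateTime")
    fmt = "%Y-%m-%dT%H:%M:%SZ"  # assumes the whole-second UTC form shown in the post
    return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc) if raw else None


def review(users, now, stale_after=timedelta(days=90), believed_disabled=None):
    """Classify each user: active, stale, never-signed-in or used-after-disable."""
    believed_disabled = believed_disabled or {}
    findings = {}
    for user in users:
        seen = last_sign_in(user)
        disabled_at = believed_disabled.get(user["id"])
        if seen is None:
            status = "never-signed-in"
        elif disabled_at is not None and seen > disabled_at:
            status = "used-after-disable"  # sign-in after governance thought it was off
        elif now - seen > stale_after:
            status = "stale"
        else:
            status = "active"
        findings[user["userPrincipalName"]] = status
    return findings


if __name__ == "__main__":
    now = datetime(2020, 12, 8, tzinfo=timezone.utc)
    for upn, status in review(SAMPLE["value"], now, believed_disabled=BELIEVED_DISABLED).items():
        print(f"{status:20} {upn}")
```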

  • Also, in Azure it is not possible to select Azure AD Graph for new app registrations anymore; it is greyed out. So when creating a new identity or application source that collects from Azure, it already needs support for Microsoft Graph. From Request API permissions, it's not possible to select.

    This needs to be fixed yesterday.