How to Import Last Logon Data from Azure AD

You can import the last sign-in timestamp for users from Azure AD into eAdm. This data is valuable for creating automated rules, such as downgrading Microsoft 365 licenses that are no longer in use, which can lead to significant cost savings.

Once the configuration is complete, the last logon timestamp will be imported and available in the user attribute AzureAdLastLogon.

Configuration

To set up the import, you must first grant the appropriate permissions in your Azure AD portal.

1. Sign in to the Azure Portal with an administrator account.

2. Go to Azure Active Directory.

3. Go to App Registrations.

4. Search for your eAdm (e.g., "Identum" or "eAdm") to find the integration application.

5. In the application menu, select API permissions.

6. Click + Add a permission and select Microsoft Graph.

7. Select " App Permissions."

8. In the search box, type AuditLog.ReadAll and select the checkbox for that permission.

9. Click Add permissions.

10. Grant Admin Consent: On the API permissions screen, you must click the "Grant admin consent for [Your Tenant]" button. The status for the new permission must display a green checkmark and be listed as "Granted".

    Warning: This permission will not take effect until the administrator has granted consent.

11. Activate the Import: Notify Identum support at support@identum.no and state that you have granted the permission and wish to activate the last logon import.

Use Case: Automated M365 License Downgrading

Once the AzureAdLastLogon Once this attribute is populated, you can use it to create powerful license management rules.

For example, you can create a rule that automatically assigns a cheaper license to users who haven't logged into Microsoft 365 for a specific period of time.