Hello all,
I have a question about AADSync and the 'LastLogonTimeStamp' attribute for user objects in the directory.
I'm facing a situation where I have run a report in the past to highlight users with an aged LastLogonTimeStamp attribute as candidates for disablement in our corporate directory. I re-ran the report recently and over a thousand users had seemingly logged in, and when looking at just these users it could be seen that all their LastLogonTimeStamp values were very similar. It very much looks like an automated process is using these accounts and the LastLogonTimeStamp attribute is being updated when it does, which makes analysis and reporting on the directory's users difficult (impossible? How do you tell if a user is inactive if you can't query their LastLogonTimeStamp attribute?).
There is currently AADSync running and syncing all the users to the cloud, so the question is:
When AADSync runs and syncs a user, does it update or trigger their LastLogonTimeStamp in the on-premises directory?
I would think it does, as it's accessing the mail server on behalf of the user and this activity will usually trigger the LastLogonTimeStamp attribute to update. If this is the case, how do you query the userbase to identify inactive users while AADSync is being used? I know about configuring filters in AADSync to only sync current users (using the LastLogonTimeStamp attribute), but if the team before me didn't do this (don't ask..) are we now in a situation where I can't differentiate between genuinely active users and users who haven't logged in but whose account has been synced with AADSync?
Thanks for any help you can provide.
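An added example (not from the original post, and not AADSync's own tooling) showing the kind of analysis the question is after: the report converts lastLogonTimestamp from its FILETIME form, applies a stale cutoff, and clusters accounts whose timestamps fall within one short window, which is the signature of a batch process touching many accounts at once rather than people logging on. Two facts it relies on: lastLogonTimestamp is replicated between domain controllers (unlike lastLogon), and a DC only rewrites it when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random amount of up to 5 days), so the value is coarse and the stale cutoff below adds that slack. The parameter names, thresholds and the sample accounts are constructed for the demonstration.

```powershell
# Added example, not code from the original post. Input objects carry SamAccountName and
# lastLogonTimestamp (Int64 FILETIME, the shape Get-ADUser returns); sample data below is constructed.

function Convert-LastLogonTimestamp {
    param([AllowNull()][object]$FileTime)
    # 0 or $null: the attribute has never been written, i.e. no logon recorded anywhere.
    if ($null -eq $FileTime -or [long]$FileTime -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc([long]$FileTime)
}

function Get-InactiveUserReport {
    param(
        [Parameter(Mandatory)][object[]]$Users,
        [int]$StaleDays = 90,
        [int]$ReplicationSlackDays = 14,   # default msDS-LogonTimeSyncInterval granularity
        [int]$ClusterWindowMinutes = 15,   # how close timestamps must be to count as one batch
        [int]$ClusterMinSize = 20,         # accounts per window before we call it automated
        [DateTime]$Now = [DateTime]::UtcNow
    )
    # A value up to 14 days old can still belong to someone who logged on today, so widen the cutoff.
    $cutoff = $Now.AddDays(-($StaleDays + $ReplicationSlackDays))
    $windowTicks = [TimeSpan]::FromMinutes($ClusterWindowMinutes).Ticks

    $rows = foreach ($u in $Users) {
        $ts = Convert-LastLogonTimestamp $u.lastLogonTimestamp
        $bucket = $null
        if ($null -ne $ts) { $bucket = [math]::Floor($ts.Ticks / $windowTicks) }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            LastLogonUtc   = $ts
            NeverLoggedOn  = ($null -eq $ts)
            Stale          = ($null -eq $ts) -or ($ts -lt $cutoff)
            Bucket         = $bucket
        }
    }

    # Many accounts landing in the same short window look like one process, not many humans.
    $batchBuckets = @{}
    $rows | Where-Object { $null -ne $_.Bucket } | Group-Object Bucket |
        Where-Object { $_.Count -ge $ClusterMinSize } |
        ForEach-Object { $batchBuckets[[string]$_.Name] = $_.Count }

    foreach ($r in $rows) {
        [pscustomobject]@{
            SamAccountName = $r.SamAccountName
            LastLogonUtc   = $r.LastLogonUtc
            NeverLoggedOn  = $r.NeverLoggedOn
            Stale          = $r.Stale
            InBatchCluster = $batchBuckets.ContainsKey([string]$r.Bucket)
        }
    }
}

# --- constructed sample: 30 accounts touched within one minute two days ago, plus three people ---
$now = [DateTime]::UtcNow
$batchTime = $now.AddDays(-2)
$sample = @(1..30 | ForEach-Object {
    [pscustomobject]@{ SamAccountName = "batch.user$_"; lastLogonTimestamp = $batchTime.AddSeconds($_).ToFileTimeUtc() }
})
$sample += [pscustomobject]@{ SamAccountName = 'alice'; lastLogonTimestamp = $now.AddDays(-3).ToFileTimeUtc() }
$sample += [pscustomobject]@{ SamAccountName = 'bob';   lastLogonTimestamp = $now.AddDays(-400).ToFileTimeUtc() }
$sample += [pscustomobject]@{ SamAccountName = 'carol'; lastLogonTimestamp = 0 }

$report = Get-InactiveUserReport -Users $sample -Now $now
$report | Format-Table -AutoSize
# Review candidates: genuinely stale accounts plus anything only kept "fresh" by a batch touch.
$report | Where-Object { $_.Stale -or $_.InBatchCluster } | Select-Object SamAccountName, Stale, InBatchCluster
```

Against a real directory, feed the function the output of `Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp` instead of `$sample`. Accounts flagged InBatchCluster are not proven inactive; the flag only says their timestamp cannot be taken as evidence of a human logon, so corroborate with another source (for example the logon type in the DC's 4624 events for those accounts, or mailbox activity) before disabling them.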