Bsure Documentation
Frequently Asked Questions

Common questions and answers

Last updated 17 days ago

How do I get assistance?

Please see our support page.

Which permissions are required for installation?

Entra ID

The Global Administrator plays a vital role during the installation of the Bsure Datacollector. You will require a highly privileged user account due to the restrictions that Microsoft has imposed on the assignment of MS Graph Roles to applications. Although the Privileged Role Administrator may also be used, we've skipped that in the prior steps. This decision was influenced by the familiarity of most customers with the Global Administrator Role.

Azure Subscription

When installing the Bsure Datacollector, the Azure Resource Manager has to assign permissions to certain identities. The task of assigning permissions within an Azure Subscription is reserved for the Owner Role. Additionally, access to the actual resources within the subscription is required, rendering the User Access Administrator insufficient for this purpose.

Can we add last logon info from on-premises AD?

Bsure Insights shows each user's last successful sign-in date in Entra ID. Our app does not have information about when users last logged on to your on-premises Active Directory.

Hybrid customers may have users synced to Entra ID who show as inactive in Bsure Insights because they have not signed in to any Microsoft cloud resources recently, even though they are still active in your local AD.

To bring the last logon information from AD into Bsure Insights, you have to add this information to a user attribute that is being synced to Entra ID.

Our recommended approach:

  • Run a PowerShell script against your local AD to write Last Logon date to an unused Extension Attribute.

  • Schedule the script to run daily, using Task Scheduler or an automation tool of your choice.

Script example:

You have to adapt this script to your local environment. Change the OU path, and change extensionattribute2 to the extension attribute you choose.

#Import ActiveDirectory module
Import-Module ActiveDirectory

#Set Organizational Unit (OU) where users are located
$ouPath = "OU=Users,OU=Bsure, dc=bsuredemo,dc=local"

#Set the root log path
$logRootPath = "C:\temp\"

#Set the extension attribute to update
$extensionAttribute = "extensionAttribute2"

#Create a unique log file
$logFile = Join-Path -Path $logRootPath -ChildPath "ADUserUpdate_$(Get-Date -Format 'yyyyMMddHHmmss').log"

#Start transcript
Start-Transcript -Path $logFile -Append

#Enable verbose logging
$VerbosePreference = "Continue"

#Delete log files older than 30 days
Get-ChildItem -Path $logRootPath -Filter "ADUserUpdate_*.log" | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) } | Remove-Item -Force

#Get users and add values to $users
$users = @(Get-ADUser -Filter * -SearchBase $ouPath -Properties lastLogonTimestamp, $extensionAttribute)

#Cycle through every user, reformat date and time from lastLogonTimestamp and write it to extensionattributeXX
$totalUsers = $users.Count
$currentUser = 0

ForEach ($user in $users){
    $currentUser++
    Write-Output "Processing user $currentUser of $totalUsers"

    try {
        #Check for null lastLogonTimestamp
        if ($null -ne $user.lastLogonTimestamp) {
            #Make human readable using UTC
            $lastLogonTimestamp = [datetime]::FromFileTimeUtc($user.lastLogonTimestamp)

            #Change date format to ISO 8601
            $formatteddate = $lastLogonTimestamp.ToString("yyyy-MM-dd")

            #Write last logon date to extensionattributeXX; -ErrorAction Stop sends failures to the catch block
            Set-ADUser $user -Replace @{$extensionAttribute=$formatteddate} -Verbose -ErrorAction Stop

            Write-Output "Updated user: $($user.SamAccountName) with date: $formatteddate"
        } else {
            Write-Output "Skipped user: $($user.SamAccountName) because lastLogonTimestamp was null"
        }
    } catch {
        Write-Output "Failed to update user: $($user.SamAccountName) with error: $_"
    }
}

Write-Output "Job complete"

#Stop transcript
Stop-Transcript

This script writes LastLogonTimestamp in format YYYY-MM-DD to the selected ExtensionAttribute. The ExtensionAttribute properties are in string format in Bsure Insights.

How can we delete the Managed Application?

Navigate to "All Applications" and find the application you installed. The name of the application will be the same as the one you selected during the installation process. Click on the application name to access the Managed Application.

Click on the "Delete" button and confirm your action to initiate the deletion process.

Last sign-in date for users used in Bsure Insights

In Entra ID you will see date and time for "Last interactive sign-in" and "Last non-interactive sign-in":

These dates represent the latest sign-in attempt regardless of whether it was successful or not. An unsuccessful user sign-in from a browser in e.g. a conditional access blocked country would update the "Last interactive sign-in" on that specific user, ref

It is not possible to provide a "last sign-in" date for users not signed in since then, and in Bsure Insights reports they will be stamped as never signed in with "last sign-in" = 01.01.1970, since we simply don't know when or if they ever signed in successfully.

Sign-in logs: What information is collected and how it's stored in Bsure Insights

The Bsure Insights data collector stores the latest successful sign-in for each unique combination of appId, location_countryOrRegion and userid. It also stores when the sign-in event happened, and the resourcename, resourceid, applicationname and sign-in type (interactive or non-interactive) related to that unique sign-in event.

This means we only store the latest successful sign-in a specific user made to a specific app from a specific country.
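The storage rule above, worked through on a handful of events. This is an added example, not Bsure's collector code: the events are constructed, and the field names createdDateTime and success, as well as the function name, are assumptions.

```powershell
# Constructed sample events, not real data. userid, appId and location_countryOrRegion
# are the key fields named above; createdDateTime and success are assumed names.
$events = @(
    [pscustomobject]@{ userid='u1'; appId='app-A'; location_countryOrRegion='NO'; signInType='interactive';    createdDateTime=[datetime]'2024-03-01 08:00'; success=$true  }
    [pscustomobject]@{ userid='u1'; appId='app-A'; location_countryOrRegion='NO'; signInType='nonInteractive'; createdDateTime=[datetime]'2024-03-09 17:30'; success=$true  }
    [pscustomobject]@{ userid='u1'; appId='app-A'; location_countryOrRegion='SE'; signInType='interactive';    createdDateTime=[datetime]'2024-03-05 12:00'; success=$true  }
    [pscustomobject]@{ userid='u1'; appId='app-A'; location_countryOrRegion='XX'; signInType='interactive';    createdDateTime=[datetime]'2024-03-10 02:00'; success=$false }
    [pscustomobject]@{ userid='u2'; appId='app-B'; location_countryOrRegion='NO'; signInType='interactive';    createdDateTime=[datetime]'2024-02-11 09:15'; success=$true  }
)

function Get-LatestSuccessfulSignIn {
    param([Parameter(Mandatory)][object[]]$SignIn)

    $latest = @{}
    foreach ($e in $SignIn) {
        # Only successful sign-ins are kept
        if (-not $e.success) { continue }

        # One stored row per user + app + country
        $key = '{0}|{1}|{2}' -f $e.userid, $e.appId, $e.location_countryOrRegion

        # Keep the newest event for that key and drop the older one
        if (-not $latest.ContainsKey($key) -or $e.createdDateTime -gt $latest[$key].createdDateTime) {
            $latest[$key] = $e
        }
    }
    $latest.Values | Sort-Object userid, appId, location_countryOrRegion
}

Get-LatestSuccessfulSignIn -SignIn $events |
    Format-Table userid, appId, location_countryOrRegion, signInType, createdDateTime
```

The failed attempt and the older of the two NO sign-ins do not appear in the result, so a report built on this data shows where a user last succeeded, not the full sign-in history.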

NB! LastLogonTimestamp in Active Directory may have up to 14 days delay. Read more about the difference between LastLogon, LastLogonTimestamp and LastLogonDate in Active Directory here.

To find the Managed Application Center, enter "Managed Application Center" into the search bar at the top of the page on https://portal.azure.com. Then, select the "Managed Application Center" option from the search results.

Last sign-in date for users is defined as the date of the user's most recent successful interactive or non-interactive sign-in. It is the lastSuccessfulSignInDateTime property from Entra ID.

In Bsure Insights we set January 1, 1970 as the sign-in date if Microsoft Graph returns a blank value for the property lastSuccessfulSignInDateTime.

According to Microsoft they started populating this field December 1, 2023, but it seems like lastSuccessfulSignInDateTime was populated from early November 2023.
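When reviewing inactive accounts in a hybrid environment, the 1970 placeholder, the synced extension attribute and the 14-day LastLogonTimestamp delay all have to be taken into account together. The following is an added example, not Bsure's code: the sample users are constructed, and the function name, the upn property and the 90-day threshold are assumptions.

```powershell
# Added example, not Bsure code. Sample users are constructed; the 90-day threshold
# and Get-AccountActivity are hypothetical. extensionAttribute2 holds yyyy-MM-dd text.
$Epoch     = [datetime]'1970-01-01'   # placeholder for a blank lastSuccessfulSignInDateTime
$AdLagDays = 14                       # lastLogonTimestamp may be up to 14 days behind

function Get-AccountActivity {
    param([Parameter(Mandatory)]$User, [datetime]$AsOf = (Get-Date), [int]$InactiveAfterDays = 90)

    # Cloud side: the 1970 placeholder means "unknown", not "last seen in 1970"
    $cloud = $null
    if ($User.lastSuccessfulSignInDateTime -and $User.lastSuccessfulSignInDateTime.Date -gt $Epoch) {
        $cloud = $User.lastSuccessfulSignInDateTime.Date
    }

    # On-prem side: strict parse of the synced string; anything else is ignored
    $onPrem = $null
    $parsed = [datetime]::MinValue
    $inv    = [cultureinfo]::InvariantCulture
    $none   = [System.Globalization.DateTimeStyles]::None
    if ([datetime]::TryParseExact([string]$User.extensionAttribute2, 'yyyy-MM-dd', $inv, $none, [ref]$parsed)) {
        $onPrem = $parsed.AddDays($AdLagDays)   # latest date the real logon could have been
    }

    # Use whichever source shows the most recent activity
    $last = $cloud; $source = 'EntraID'
    if ($onPrem -and (-not $cloud -or $onPrem -gt $cloud)) { $last = $onPrem; $source = 'OnPremAD+lag' }
    if (-not $last) { $source = 'None' }

    $status = if (-not $last) { 'Unknown' } elseif (($AsOf.Date - $last).Days -gt $InactiveAfterDays) { 'Inactive' } else { 'Active' }
    [pscustomobject]@{ User = $User.upn; Status = $status; Source = $source; LastSeen = $last }
}

$asOf  = [datetime]'2024-06-01'   # fixed so the run is repeatable
$users = @(
    [pscustomobject]@{ upn='alice@example.test'; lastSuccessfulSignInDateTime=[datetime]'2024-05-20'; extensionAttribute2='' }
    [pscustomobject]@{ upn='bob@example.test';   lastSuccessfulSignInDateTime=[datetime]'1970-01-01'; extensionAttribute2='2024-05-25' }
    [pscustomobject]@{ upn='carol@example.test'; lastSuccessfulSignInDateTime=[datetime]'1970-01-01'; extensionAttribute2='' }
    [pscustomobject]@{ upn='dave@example.test';  lastSuccessfulSignInDateTime=[datetime]'2023-12-10'; extensionAttribute2='2024-02-20' }
    [pscustomobject]@{ upn='erin@example.test';  lastSuccessfulSignInDateTime=[datetime]'2023-11-15'; extensionAttribute2='n/a' }
)
$users | ForEach-Object { Get-AccountActivity -User $_ -AsOf $asOf } | Format-Table -AutoSize
```

Accounts with no usable date in either source land in the Unknown status, which keeps them separate from accounts that are measurably inactive and lets them be reviewed on their own before any cleanup.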

support page
Global Administrator
restrictions that Microsoft has imposed on the assignment of MS Graph Roles to applications
Privileged Role Administrator
Owner Role
User Access Administrator
here
https://portal.azure.com
lastSuccessfulSignInDateTime
lastSuccessfulSignInDateTime
lastSuccessfulSignInDateTime
early November 2023