No, it's not supported OOTB. Also lastLogon is an Active Directory
system attribute, so it can't be changed programmatically from Java (for
example by adding a custom attribute mapper). However, maybe one of these
possibilities can work for you:
1) Track lastLogon time in some other attribute, either in the Keycloak DB or
in MSAD. You can create an EventListener, which will listen for LOGIN
events and then update the attribute on the user based on that. If you want
to map that attribute to LDAP, you will also need an LDAP
UserAttributeMapper to map the attribute from the Keycloak user model into
a particular LDAP attribute. But maybe this means that you will also need
to add a custom LDAP attribute to your LDAP schema... Also note that
always updating a user attribute has performance implications (the user is
always removed from the cache etc.).
2) I've just played a bit and found that the lastLogon attribute is
automatically updated by MSAD, but only in case there was an
unsuccessful login attempt by the particular user. This looks strange,
but it seems to work this way. At least in MSAD 2012 :-) So what you can do
is an Authenticator implementation, which will first call LDAP
authentication with some bad credentials before trying to log the user in
with the "real" credentials from the login form. The bad thing is that the
"badPwdCount" MSAD attribute will contain more false login attempts than there really
were, which may have consequences if you rely on MSAD password policies...
3) Check the MSAD system logs, which seem to provide more proper tracking
of the last login than the lastLogon attribute; according to
http://stackoverflow.com/questions/18598287/updating-lastlogontimestamp-u...
there is a way to do it.
None of the possibilities is probably ideal, but I hope at least one of
them can be useful for you.
Marek
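As an added illustration of option 1 above (this is example code written for this thread, not Keycloak's own code and not something Marek posted), the following EventListenerProvider records the time of every successful LOGIN event in a user attribute. The attribute name "lastLogonTracked", the provider id "last-logon-tracker", the package name and the MIN_INTERVAL_SECONDS throttle are all assumptions chosen for the example; the Keycloak SPI types (EventListenerProvider, EventListenerProviderFactory, Event, EventType.LOGIN, UserModel.setSingleAttribute) are real. The getUserById(userId, realm) argument order is the one used by Keycloak releases of that era; newer releases take (realm, userId).

```java
package example.keycloak.lastlogon; // hypothetical package name for this example

import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;

/**
 * Writes the time of each successful login into a user attribute.
 * To push the value to AD, configure an LDAP UserAttributeMapper that maps
 * ATTRIBUTE_NAME to a (custom) LDAP attribute, as the thread above describes.
 */
public class LastLogonEventListenerProvider implements EventListenerProvider {

    /** Hypothetical attribute name; must match the LDAP UserAttributeMapper configuration. */
    static final String ATTRIBUTE_NAME = "lastLogonTracked";

    /**
     * Hypothetical throttle: skip the write when the stored value is this recent.
     * Every attribute write evicts the user from the Keycloak cache, so this limits
     * the cost for users who log in many times in a short period.
     */
    static final long MIN_INTERVAL_SECONDS = 60;

    private final KeycloakSession session;

    LastLogonEventListenerProvider(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public void onEvent(Event event) {
        // Only successful logins count; LOGIN_ERROR and all other event types are ignored
        if (event.getType() != EventType.LOGIN || event.getUserId() == null) {
            return;
        }
        RealmModel realm = session.realms().getRealm(event.getRealmId());
        if (realm == null) {
            return;
        }
        // Argument order of 2016-era Keycloak; newer releases use getUserById(realm, id)
        UserModel user = session.users().getUserById(event.getUserId(), realm);
        if (user == null) {
            return;
        }
        // event.getTime() is epoch milliseconds; ISO-8601 UTC keeps the stored value
        // unambiguous in both the Keycloak DB and a custom LDAP string attribute
        Instant loginTime = Instant.ofEpochMilli(event.getTime());
        if (recentlyUpdated(user.getFirstAttribute(ATTRIBUTE_NAME), loginTime)) {
            return;
        }
        user.setSingleAttribute(ATTRIBUTE_NAME, loginTime.toString());
    }

    /** True when the previously stored timestamp is within MIN_INTERVAL_SECONDS of now. */
    static boolean recentlyUpdated(String stored, Instant now) {
        if (stored == null) {
            return false;
        }
        try {
            Instant previous = Instant.parse(stored);
            return Duration.between(previous, now).getSeconds() < MIN_INTERVAL_SECONDS;
        } catch (DateTimeParseException e) {
            // Unparseable value (e.g. written by something else): overwrite it
            return false;
        }
    }

    @Override
    public void onEvent(AdminEvent adminEvent, boolean includeRepresentation) {
        // Admin console operations are not user logins; nothing to record
    }

    @Override
    public void close() {
    }

    /** Factory that Keycloak discovers through the standard ServiceLoader mechanism. */
    public static class Factory implements EventListenerProviderFactory {
        @Override public EventListenerProvider create(KeycloakSession session) {
            return new LastLogonEventListenerProvider(session);
        }
        @Override public void init(Config.Scope config) { }
        @Override public void postInit(KeycloakSessionFactory factory) { }
        @Override public void close() { }
        @Override public String getId() { return "last-logon-tracker"; } // hypothetical id
    }
}
```

To deploy it, package the class in a JAR with a file META-INF/services/org.keycloak.events.EventListenerProviderFactory containing the line example.keycloak.lastlogon.LastLogonEventListenerProvider$Factory, then enable "last-logon-tracker" under the realm's Events > Config > Event Listeners. The throttle is the one concession to Marek's cache warning; if exact per-login granularity matters more than cache churn, set MIN_INTERVAL_SECONDS to 0.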
On 30/09/16 09:04, Stian Thorgersen wrote:
Marek - this isn't supported at the moment right?
On 19 September 2016 at 15:25, Edgar Vonk - Info.nl <Edgar@info.nl> wrote:
Hi,
We would like to have Keycloak update the lastLogon user attribute
in our Active Directory server whenever a user logs in to our
customer portal.
Is it possible to do this from Keycloak?
The portal is secured using Keycloak so behind the scenes the
Keycloak bind user is the one that authenticates the user in AD.
The only thing we have now is the user session information in
Keycloak but that is not of much value to us because:
- in our situation AD is leading for all user data
- whenever we redeploy Keycloak (quite often) we empty out the
Keycloak database and start anew by syncing users from AD
- if I am not mistaken currently user session data is not stored
in the Keycloak database anyway?
cheers
Edgar
_______________________________________________
keycloak-user mailing list
keycloak-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user