Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Microsoft Graph Filter by specific Domain Name

Iron Contributor
  • I have over 20000 users and we have four sub-domain.
  • I'm trying reduce the results when making a Graph call by only calling those users with a specific userPrincipalName sub-domain.

When I execute the query it's return all users that has the main domain and the users that has sub-domain. 

 

Question: How can I execute a graph call and return only users with specific sub-domain along with the other filters.

 

$uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=appDisplayName eq 'Windows Sign In' AND deviceDetail/operatingSystem eq 'Windows' AND createdDateTime ge $CurrentDate AND endwith(userPrincipalName,'@group.maindomain.net') &$Top=1000"

 

Thank You,

 

-Larry

6 Replies
I just tested this query and this works:
https://graph.microsoft.com/v1.0/auditlogs/signins?filter=endswith(userPrincipalName,"domainxxx.onmi...")

I see you have 'endwith', without the s. That might be the problem?

@Thijs Lecomte  Thank you for responding, I've added the "S" and still not working. Also, I moved the endswith at the beginning of the URL. Sorry to say I can't use the onmicrosoft.com address, it doesn't have the sub-domain attached to the onmicrosoft.com address 

 

All the other filters is working just that one filter I'm having the issue.

 

$uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?$filter=endswith(userPrincipalName,'southeast.xxx...') AND appDisplayName eq 'Windows Sign In' AND deviceDetail/operatingSystem eq 'Windows' AND createdDateTime ge $CurrentDate &$Top=1000"

 

Thank You,

 

-Larry

Could you try it with just the filter on the UPN and check what that gives you?
best response confirmed by Larry Jones (Iron Contributor)
Solution

As noted in the documentation, only startswith and eq operators are supported for userPrincipalName. Welcome to the wonderful world of crappy oData filtering...

Sadly the endsWith query-filter ist not supported yet. But there is a way around it, it's not so elegant since we're first getting all the users and then reselect the ones with the specific domain:

Connect-MgGraph -Scopes "User.Read.All"

$DisabledDomainUsers = Get-MgUser -Filter 'accountEnabled eq false' -All | Where-Object {$_.Mail -like "*@domain.ch"}


The following Modules are needed to use the commands above:

Install-Module Microsoft.Graph -Scope CurrentUser
Install-Module Microsoft.Graph.Users -Scope CurrentUser
1 best response

Accepted Solutions
best response confirmed by Larry Jones (Iron Contributor)
Solution

As noted in the documentation, only startswith and eq operators are supported for userPrincipalName. Welcome to the wonderful world of crappy oData filtering...

View solution in original post