User provisioning (not SCIM)

Hi

I am trying to find a way to provision users to an API enabled SaaS application when the account gets synchronized to Azure. Unfortunately the SaaS app is not really SCIM compliant and runs basic auth. I am looking to do something serverless like Automation Runbooks. I have tried Graph and PowerShell but am not finding a good way to Filter users based on createdDateTime for all users in last x amount of time. In fact, it seems I can only read createdDateTime for a user if I specify their objectID and not their UPN which seems odd to me. PowerShell seems to have problems with the same type of filtering with extensionproperty.createddatetime

I have lots of examples that don't work such as:

https://graph.microsoft.com/beta/users?$filter=createdDateTime gt datetime '2019-01-01'

or

 $When = ((Get-Date).AddDays(-30)).Date
 Get-AzureADUser -Filter datetime 'extensionproperty.CreatedDateTime -ge $When'

But these queries works:

((get-azureaduser -objectID <objectid> ).extensionproperty).createdDateTime

and

https://graph.microsoft.com/beta/users/(objectid)?select=createdDateTime

It's totally likely that I don't understand the odata query syntax or have been looking at this too long LOL

Has anyone tried this?

Another angle I thought of might be to watch the Azure Audit logs for Add User but that seems pretty far down the rabbit hole and might involve an event hub.

Thanks in advance for any help, other ideas, concerns, commiseration, etc.

Charlie