User query $filter ignores identities/issuer - MS Graph API and Azure B2C

%3CLINGO-SUB%20id%3D%22lingo-sub-3296041%22%20slang%3D%22en-US%22%3EUser%20query%20%24filter%20ignores%20identities%2Fissuer%20-%20MS%20Graph%20API%20and%20Azure%20B2C%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3296041%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20everyone%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%E2%80%99re%20using%20the%20MS%20Graph%20API%20%2Fusers%20endpoint%20to%20query%20user%20accounts%20in%20our%20Azure%20B2C%20tenant.%3CBR%20%2F%3EThe%20%24filter%20parameter%20doesn%E2%80%99t%20seem%20to%20filter%20Users%20correctly%20when%20filtering%20on%20the%20issuer%20property%20in%20the%20identities%20collection%20(used%20in%20identities%2Fany(x%3Ax%2Fissuer)-%20the%20supplied%20issuer%20string%20value%20is%20ignored.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%E2%80%99s%20an%20example%20of%20a%20query%20where%20the%20endpoint%20returned%20results%20matching%20the%20email%20address%20in%20%3CSTRONG%3EissuerAssignedId%3C%2FSTRONG%3E%20even%20though%20the%20filter%E2%80%99s%20%3CSTRONG%3Eidentities%2Fissuer%3C%2FSTRONG%3E%20filter%20value%20contained%20only%20a%20whitespace%20character%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3ERequest%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EGET%20%3CA%20href%3D%22https%3A%2F%2Fgraph.microsoft.com%2Fv1.0%2Fusers%3F%24select%3Did%2CdisplayName%2Cidentities%26amp%3B%24top%3D999%26amp%3B%24filter%3Didentities%2Fany(x%3Ax%2FissuerAssignedId%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgraph.microsoft.com%2Fv1.0%2Fusers%3F%24select%3Did%2CdisplayName%2Cidentities%26amp%3B%24top%3D999%26amp%3B%24filter%3Didentities%2Fany(x%3Ax%2FissuerAssignedId%3C%2FA%3E%20eq%20'myusername%40mycompany.onmicrosoft.com'%20and%20x%2Fissuer%20eq%20'%20')%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3EResponse%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-json%22%3E%3CCODE%3E%20%7B%0A%20%20%20%20%20%22%40odata.context%22%3A%20%22https%3A%2F%2Fgraph.microsoft.com%2Fv1.0%2F%24metadata%23users(id%2CdisplayName%2Cidentities)%22%2C%0A%20%20%20%20%20%22value%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%22id%22%3A%20%22e2349f30-7778-4e60-86f6-254096886f84%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%22displayName%22%3A%20%22trusted-user%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%22identities%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22signInType%22%3A%20%22emailAddress%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22issuer%22%3A%20%22myb2cissuer.onmicrosoft.com%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22issuerAssignedId%22%3A%20%22myusername%40mycompany.onmicrosoft.com%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22signInType%22%3A%20%22userPrincipalName%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22issuer%22%3A%20%22myb2cissuer.onmicrosoft.com%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22issuerAssignedId%22%3A%20%22e2349f30-7778-4e60-86f6-254096886f84%40myb2cissuer.onmicrosoft.com%22%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%5D%0A%20%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%20%5D%0A%20%7D%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20understand%20that%20this%20form%20of%20query%20filter%20expression%20on%20the%20User%E2%80%99s%20identities%20collection%20requires%20that%20both%20issuer%20and%20issuerAssignedId%20are%20specified.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20target%3D%22_blank%22%20rel%3D%22user%22%3E%40FaithOmbongi%3C%2FA%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E(MS%20Graph%20Docs%20on%20Github)%20mentioned%20that%20this%20is%20caused%20by%20a%20known%20bug%20but%20didn%E2%80%99t%20include%20any%20reference%20to%20the%20bug%2C%20or%20tracking%20details%2C%20nor%20any%20indication%20of%20when%20it%20will%20be%20resolved%3A%3C%2FP%3E%3CBLOCKQUOTE%3E%3CP%3E%E2%80%9CThis%20is%20a%20known%20bug%20currently%20in%20Engineering's%20queue%20for%20resolution.%20Closing%20this%20issue%20for%20now.%E2%80%9C%3C%2FP%3E%3C%2FBLOCKQUOTE%3E%3CP%3E%3CSPAN%3E-%26nbsp%3B%3C%2FSPAN%3E%3CA%20target%3D%22_blank%22%20rel%3D%22user%22%3E%40FaithOmbongi%3C%2FA%3E%3CSPAN%3E%26nbsp%3B-%20from%3A%20%24filter%20is%20not%20working%20properly%20for%20user%20identities%20%C2%B7%20Issue%20%2311094%20%C2%B7%20microsoftgraph%2Fmicrosoft-graph-docs%20(%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fgithub.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Egithub.com%3C%2FA%3E%3CSPAN%3E)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20we%20please%20receive%20some%20info%2Ffeedback%20on%20this%20issue%3F%26nbsp%3BThis%20is%20a%20blocking%20issue%20for%20us.%3C%2FP%3E%3CP%3EIs%20it%20still%20a%20confirmed%20bug%20or%20are%20we%20calling%20the%20MS%20Graph%20API%20incorrectly%3F%3C%2FP%3E%3CP%3EBTW%20Apologies%20if%20I've%20asked%20this%20question%20in%20the%20wrong%20forum.%3C%2FP%3E%3CP%3E%3CBR%20%2F%3E%3CSPAN%3EAlso%2C%20this%20same%20issue%20has%20been%20raised%20elsewhere%20but%20it%20still%20remains%20unanswered%3A%3C%2FSPAN%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-graph%2Fmicrosoft-graph-filtering-on-identities%2Fm-p%2F1744549%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-graph%2Fmicrosoft-graph-filtering-on-identities%2Fm-p%2F1744549%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fmicrosoftgraph%2Fmicrosoft-graph-docs%2Fissues%2F11094%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fmicrosoftgraph%2Fmicrosoft-graph-docs%2Fissues%2F11094%3C%2FA%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fstackoverflow.com%2Fquestions%2F65209716%2Fis-issuer-both-required-and-ignored-when-querying-users-by-identity%2F65396990%2365396990%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fstackoverflow.com%2Fquestions%2F65209716%2Fis-issuer-both-required-and-ignored-when-querying-users-by-identity%2F65396990%2365396990%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3296041%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20B2C%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Graph%20Api%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
New Contributor

Hello everyone:

 

We’re using the MS Graph API /users endpoint to query user accounts in our Azure B2C tenant.
The $filter parameter doesn’t seem to filter Users correctly when filtering on the issuer property in the identities collection (used in identities/any(x:x/issuer)- the supplied issuer string value is ignored.

 

Here’s an example of a query where the endpoint returned results matching the email address in issuerAssignedId even though the filter’s identities/issuer filter value contained only a whitespace character:

 

Request

GET https://graph.microsoft.com/v1.0/users?$select=id,displayName,identities&$top=999&$filter=identities... eq 'myusername@mycompany.onmicrosoft.com' and x/issuer eq ' ')

 

Response

 

 

 {
     "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,displayName,identities)",
     "value": [
         {
             "id": "e2349f30-7778-4e60-86f6-254096886f84",
             "displayName": "trusted-user",
             "identities": [
                 {
                     "signInType": "emailAddress",
                     "issuer": "myb2cissuer.onmicrosoft.com",
                     "issuerAssignedId": "myusername@mycompany.onmicrosoft.com"
                 },
                 {
                     "signInType": "userPrincipalName",
                     "issuer": "myb2cissuer.onmicrosoft.com",
                     "issuerAssignedId": "e2349f30-7778-4e60-86f6-254096886f84@myb2cissuer.onmicrosoft.com"
                 }
             ]
         }
     ]
 }

 

 

 

 

I understand that this form of query filter expression on the User’s identities collection requires that both issuer and issuerAssignedId are specified.

 

 

 

@FaithOmbongi (MS Graph Docs on Github) mentioned that this is caused by a known bug but didn’t include any reference to the bug, or tracking details, nor any indication of when it will be resolved:

“This is a known bug currently in Engineering's queue for resolution. Closing this issue for now.“

@FaithOmbongi - from: $filter is not working properly for user identities · Issue #11094 · microsoftgraph/microsoft-graph-docs ( github.com)

 

 

Could we please receive some info/feedback on this issue? This is a blocking issue for us.

Is it still a confirmed bug or are we calling the MS Graph API incorrectly?

BTW Apologies if I've asked this question in the wrong forum.


Also, this same issue has been raised elsewhere but it still remains unanswered:
https://techcommunity.microsoft.com/t5/microsoft-graph/microsoft-graph-filtering-on-identities/m-p/1...
https://github.com/microsoftgraph/microsoft-graph-docs/issues/11094
https://stackoverflow.com/questions/65209716/is-issuer-both-required-and-ignored-when-querying-users...

0 Replies