Share via

Microsoft Graph API Endpoint Filters not working

Deep_Toot 0 Reputation points
2026-05-06T21:58:35.4333333+00:00

Greetings,

When using the https://graph.microsoft.com/beta/security/threatSubmission/emailThreats rest api endpoint. The filters for both id and category do not work.

Example:

https://graph.microsoft.com/beta/security/threatSubmission/emailThreats?$filter=id%20eq%20'xxxxxxxxxxxxxxxxxxxxxx'

https://graph.microsoft.com/beta/security/threatSubmission/emailThreats?$filter=category%20eq%20'phishing'

Both of the above get requests returns a blank array despite being able to pull the data when filtering on source eq 'user'

The documentation states that the id and the category should support filtering use:

https://learn.microsoft.com/en-us/graph/api/resources/security-threatsubmission?view=graph-rest-beta
https://learn.microsoft.com/en-us/graph/api/resources/security-emailthreatsubmission?view=graph-rest-beta

Microsoft Security | Microsoft Graph
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest

  1. AI answer

    2026-05-06T21:58:51.5633333+00:00

    id and category are documented as filterable on the threatSubmission resource, but there are some important limitations and behaviors with Microsoft Graph filters that explain what is being observed:

    1. The /beta/security/threatSubmission/emailThreats endpoint supports only a subset of OData query options and combinations. The documentation for listing email threat submissions explicitly calls out support for $filter, $top, $skipToken, and $count, but it does not guarantee that every filterable property works in every scenario or combination.
    2. Microsoft Graph has known issues where query parameters can fail silently. In particular, the known issues state that:
      • Query parameters specified in a request might fail silently.
      • This can be true for unsupported query parameters and for unsupported combinations of query parameters.
      This matches the behavior where $filter=source eq 'user' returns data, but $filter=id eq '...' or $filter=category eq 'phishing' returns an empty array, even though the properties exist and are populated.
    3. The threatSubmission resource definition confirms that:
      • id is the identifier of the threat submission.
      • category is a filterable property with supported values notJunk, spam, phishing, malware, and unkownFutureValue.
      However, because this is a /beta API, the implementation of filtering on these properties can be incomplete or inconsistent, and the platform may ignore or mishandle certain filters without returning an error.

    Given the current behavior and the documented known issues, the blank array result for filters on id and category is consistent with an unsupported or partially implemented filter scenario on this beta endpoint. Where filtering is critical, a practical workaround is to:

    • Call GET /security/threatSubmission/emailThreats (optionally with other working filters such as source eq 'user'), and
    • Apply additional filtering on id and category client-side in application code.

    Because this is a beta API and query parameters can fail silently, this is a platform limitation rather than a usage error.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.