Bug: Date filter for directory extension attribute stopped working
Hello,
we have configured a custom directory extension attribute of type DateTime and associated it with user objects.
In the last weeks, it was possible to properly apply the $filter parameter with the le (less than or equal) operator in order to search for users where the custom date property is less than or equal to a specified date. Please see more details about our use case below.
Now the date filter has stopped working and it returns incorrect results.
Can you please investigate the issue or can you help me to forward this bug to the engineering team responsible for the Graph API? Thank you very much.
Steps to reproduce the issue
- Create a new directory extension attribute for the user resource according to the official documentation. For example, we did it with Microsoft Graph PowerShell:
    $appId = "abcd1966-6cd0-5c00-be2d-30bd120c310a" # ID of the Azure AD app registration
    Connect-MgGraph -Scopes Application.ReadWrite.All
    $expirationDateExtensionParams = @{
        Name = "ExpirationDate"
        DataType = "DateTime"
        TargetObjects = @(
            "User"
        )
    }
    New-MgApplicationExtensionProperty -ApplicationId $appId -BodyParameter $expirationDateExtensionParams
- Store a desired date into the custom directory extension attribute for some user(s). For example:
    Connect-MgGraph -Scopes User.ReadWrite.All
    $userId = "123bd00c-1089-425c-9827-20fd89a4895b"
    $userBodyParams = @{
        "extension_abcd19666cd05c00be2d30bd120c310a_ExpirationDate" = "2024-12-01T00:00:00.0000000Z"
    }
    # Serialize the hashtable to JSON for the request body
    $userBodyParamsJson = $userBodyParams | ConvertTo-Json
    $userUri = "https://graph.microsoft.com/v1.0/users/$userId/"
    Invoke-MgGraphRequest -Uri $userUri -Method "PATCH" -Body $userBodyParamsJson
- Query the user objects while applying a $filter to our custom directory extension attribute of type DateTime.
Here we tried the "normal" filter approach:
https://graph.microsoft.com/v1.0/users?$filter=extension_abcd19666cd05c00be2d30bd120c310a_ExpirationDate+le+2024-01-28T00:00:00Z&$select=Id,UserPrincipalName,extension_abcd19666cd05c00be2d30bd120c310a_ExpirationDate
as well as the advanced query approach (with ConsistencyLevel = eventual header + $count=true):
https://graph.microsoft.com/v1.0/users?$filter=extension_abcd19666cd05c00be2d30bd120c310a_ExpirationDate+le+2024-01-28T00:00:00Z&$select=Id,UserPrincipalName,extension_abcd19666cd05c00be2d30bd120c310a_ExpirationDate&$count=true
In the past, this filter worked correctly for our custom directory extension attribute, but now it returns ALL users who have some arbitrary value stored in the extension property. In other words, the filter behaves as if we had applied a ne null filter (https://graph.microsoft.com/v1.0/users?$filter=extension_abcd19666cd05c00be2d30bd120c310a_ExpirationDate+ne+null).
Please see the following screenshot from the Microsoft Graph Explorer:
As you can see, we have filtered for user objects where the custom "ExpirationDate" is set to something LESS THAN OR EQUAL to "2024-01-28T00:00:00Z" (28th January 2024 encoded in the ISO 8601 format).
But in fact, the Graph API returns ALL user objects in our tenant, which have their "ExpirationDate" set to some arbitrary value (currently two users). For example, the value "2024-06-02T00:00:00Z" is obviously GREATER than the desired filter value "2024-01-28T00:00:00Z".
There seems to be a bug in the Graph API because these two users should not be returned in the results list.
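A client-side re-check that a caller can run over the returned users before acting on them (for example, before disabling expired accounts), given here as an added example that is not part of the original post. The helper name Test-ExpirationFilterResult and the sample users are assumptions; the attribute name and cutoff date are the ones from the post, and the users are assumed to be hashtables, which is the default output of Invoke-MgGraphRequest.

```powershell
# Added example, not from the original post. Test-ExpirationFilterResult is a
# hypothetical helper name; the sample users below are constructed.
$attr   = "extension_abcd19666cd05c00be2d30bd120c310a_ExpirationDate"   # attribute name from the post
$cutoff = [DateTimeOffset]::Parse("2024-01-28T00:00:00Z", [cultureinfo]::InvariantCulture)

function Test-ExpirationFilterResult {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string] $AttributeName,
        [Parameter(Mandatory)] [DateTimeOffset] $Cutoff
    )
    $matching   = [System.Collections.Generic.List[object]]::new()
    $unexpected = [System.Collections.Generic.List[object]]::new()
    $styles     = [System.Globalization.DateTimeStyles]::AssumeUniversal

    foreach ($user in $Users) {
        $raw    = $user[$AttributeName]
        $parsed = [DateTimeOffset]::MinValue
        if ($raw -is [DateTimeOffset]) {
            $parsed = $raw; $ok = $true
        } elseif ($raw -is [datetime]) {
            # Some JSON deserializers hand back DateTime instead of a string.
            $parsed = [DateTimeOffset]$raw; $ok = $true
        } else {
            $ok = [DateTimeOffset]::TryParse([string]$raw, [cultureinfo]::InvariantCulture, $styles, [ref]$parsed)
        }
        # Missing, unparseable or later-than-cutoff values are never treated as a match.
        if ($ok -and $parsed -le $Cutoff) { $matching.Add($user) } else { $unexpected.Add($user) }
    }
    [pscustomobject]@{ Matching = $matching; Unexpected = $unexpected }
}

# Constructed stand-in for the "value" array of the filtered /users response.
$returned = @(
    @{ userPrincipalName = "user1@contoso.example"; $attr = "2024-06-02T00:00:00Z" },
    @{ userPrincipalName = "user2@contoso.example"; $attr = "2024-01-15T00:00:00Z" }
)

$check = Test-ExpirationFilterResult -Users $returned -AttributeName $attr -Cutoff $cutoff
if ($check.Unexpected.Count -gt 0) {
    Write-Warning ("Server-side filter returned {0} user(s) outside the requested range" -f $check.Unexpected.Count)
}
$check.Matching | ForEach-Object { $_.userPrincipalName }
```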