User query $filter ignores identities/issuer - MS Graph API and Azure B2C

Question

User query $filter ignores identities/issuer - MS Graph API and Azure B2C

Andrew Campbell 1

We’re using the MS Graph API /users endpoint to query user accounts in our Azure B2C tenant.
The $filter parameter doesn’t seem to filter Users correctly when filtering on the issuer property in the identities collection (used in identities/any(x:x/issuer)- the supplied issuer string value is ignored.

Here’s an example of a query where the endpoint returned results matching the email address in issuerAssignedId even though the filter’s identities/issuer filter value contained only a whitespace character:
Request

    GET https://graph.microsoft.com/v1.0/users?$select=id,displayName,identities&$top=999&$filter=identities/any(x:x/issuerAssignedId eq 'myusername@mycompany.onmicrosoft.com' and x/issuer eq ' ')

Response

{  
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,displayName,identities)",  
    "value": [  
        {  
            "id": "e2349f30-7778-4e60-86f6-254096886f84",  
            "displayName": "trusted-user",  
            "identities": [  
                {  
                    "signInType": "emailAddress",  
                    "issuer": "myb2cissuer.onmicrosoft.com",  
                    "issuerAssignedId": "myusername@mycompany.onmicrosoft.com"  
                },  
                {  
                    "signInType": "userPrincipalName",  
                    "issuer": "myb2cissuer.onmicrosoft.com",  
                    "issuerAssignedId": "e2349f30-7778-4e60-86f6-254096886f84@myb2cissuer.onmicrosoft.com"  
                }  
            ]  
        }  
    ]  
}

I understand that this form of query filter expression on the User’s identities collection requires that both issuer and issuerAssignedId are specified.

Could we please receive some info/feedback on this issue? Is it still a confirmed bug or are we calling the MS Graph API incorrectly?
This is a blocking issue for us.

@Faith (MS Graph Docs on Github) mentioned that this is caused by a known bug but didn’t include any reference to the bug, or tracking details, nor any indication of when it will be resolved:

“This is a known bug currently in Engineering's queue for resolution. Closing this issue for now.“

@Faith - from: $filter is not working properly for user identities · Issue #11094 · microsoftgraph/microsoft-graph-docs (github.com)

BTW This question has been asked elsewhere but it still remains unanswered:
https://techcommunity.microsoft.com/t5/microsoft-graph/microsoft-graph-filtering-on-identities/m-p/1744549
https://github.com/microsoftgraph/microsoft-graph-docs/issues/11094
https://stackoverflow.com/questions/65209716/is-issuer-both-required-and-ignored-when-querying-users-by-identity/65396990#65396990

Marilee Turscak-MSFT 24,311 Reputation points Microsoft Employee

2022-05-06T23:11:18.907+00:00

Hi @Andrew Campbell ,

Thanks for reporting this. I agree that there should be an update on this, and I sent a message to both the B2C team and the owner of that Github issue to see where this is being tracked.
Marilee Turscak-MSFT 24,311 Reputation points Microsoft Employee

2022-05-09T19:09:45.08+00:00

The PG replied that they are tracking the bug and they showed me the work item, but they are unable provide an ETA for a fix yet.
Marilee Turscak-MSFT 24,311 Reputation points Microsoft Employee

2022-05-10T23:41:28.553+00:00

Can you describe in more detail what is blocking you?

Do you have cases where there are users with the same issuer assigned id and issuer? If not, you should still be able to search by issuer assigned id.
Andrew Campbell 1 Reputation point

2022-05-12T14:41:21.84+00:00

Hi @Marilee Turscak-MSFT
Thanks for replying to my question.

Can you describe in more detail what is blocking you?

What is blocking us is the fact that the query filter doesn't filter our Azure B2C users' identities by the identity issuer as we expected.
Using their email address and specific issuer "keys", our API looks for specific federated or social account identities that a user may possess. We need to check whether an account's identities collection contains a federated or social identity account using a comparison expression on the "issuer" property.

Our API was working correctly when it was using Azure Active Directory Graph API to query Azure B2C. This issue only presented itself once we migrated to using Microsoft Graph API.

Do you have cases where there are users with the same issuer assigned id and issuer? If not, you should still be able to search by issuer assigned id.

We might need to try that approach and simply filter by issuer assigned id while we wait for the MS Graph API bug fix.

We mainly need to filter by the issuer property because we primarily serve users with different federated and social account identities.
Julia Pettere 6 Reputation points Microsoft Employee

2022-05-16T18:57:56.98+00:00

Hi @Andrew Campbell . Thanks for providing the extra info. Any chance you could share the AAD Graph query you've been able to use successfully?
Andrew Campbell 1 Reputation point

2022-05-18T06:08:02.363+00:00
Hi @Julia Pettere :

Thanks for getting in touch with me - I really appreciate your help with this.

The following are the query filters that we were using previously with our AD Graph API queries:

When we’re querying for a Local account:

$filter=signInNames/any(x:x/value eq '{emailAddress}')

And when we’re querying for a Federated or Social account:

$filter=userIdentities/any(x:x/issuer eq '{federatedIssuerKey}' and x/issuerUserId eq binary'{emailAddress}')

Where federatedIssuerKey is a short identifer name for the kind of issuer i.e. social logins like microsoft or facebook, or federated domain logins.

I've ommitted any irrelevant info from the query
Julia Pettere 6 Reputation points Microsoft Employee

2022-05-20T18:55:48.08+00:00

@Andrew Campbell Thanks, this is super helpful.

Digging into this further, I think the issue is the following statement in our docs: "Note: When filtering on the identities property, you must supply both issuer and issuerAssignedId." as well as an example on the update user doc.

Identities exposes 2 backend properties, logon identifiers (B2C local account info) and alternative security ids (federated account info). Filtering on alternative security ids requires issuer + issuer assigned id, but this is not the case for logon identifiers. This seems to match your original example above where when filtering identities with a B2C local account email, issuer is ignored.

As such, I do think both your AAD Graph queries are translatable to MS Graph. For your first example above you can filter on identities by just supplying issuer assigned id. For the second one you'd need to supply both issuer and issuer assigned id. We need to make clear in our docs when issuer is and isn't required. Does this resonate with what you've seen and are looking for?
Andrew Campbell 1 Reputation point

2022-06-07T14:39:11.76+00:00

Hi @Julia Pettere :

I definitely think amending the documentation around $filter would help greatly.

We're still waiting from an official fix from our Microsoft channel.

In the meantime, we have applied a temporary fix on the API side but I think we'll use your suggestion eventually.
Bhu Vidya 5 Reputation points

2023-05-03T07:36:15.8733333+00:00

Any update on this perchance?

Marilee Turscak-MSFT 24,311 Reputation points Microsoft Employee

2022-05-06T23:11:18.907+00:00

Hi @Andrew Campbell ,

Thanks for reporting this. I agree that there should be an update on this, and I sent a message to both the B2C team and the owner of that Github issue to see where this is being tracked.
Marilee Turscak-MSFT 24,311 Reputation points Microsoft Employee

2022-05-09T19:09:45.08+00:00

The PG replied that they are tracking the bug and they showed me the work item, but they are unable provide an ETA for a fix yet.
Marilee Turscak-MSFT 24,311 Reputation points Microsoft Employee

2022-05-10T23:41:28.553+00:00

Can you describe in more detail what is blocking you?

Do you have cases where there are users with the same issuer assigned id and issuer? If not, you should still be able to search by issuer assigned id.
Andrew Campbell 1 Reputation point

2022-05-12T14:41:21.84+00:00

Hi @Marilee Turscak-MSFT
Thanks for replying to my question.

Can you describe in more detail what is blocking you?

What is blocking us is the fact that the query filter doesn't filter our Azure B2C users' identities by the identity issuer as we expected.
Using their email address and specific issuer "keys", our API looks for specific federated or social account identities that a user may possess. We need to check whether an account's identities collection contains a federated or social identity account using a comparison expression on the "issuer" property.

Our API was working correctly when it was using Azure Active Directory Graph API to query Azure B2C. This issue only presented itself once we migrated to using Microsoft Graph API.

Do you have cases where there are users with the same issuer assigned id and issuer? If not, you should still be able to search by issuer assigned id.

We might need to try that approach and simply filter by issuer assigned id while we wait for the MS Graph API bug fix.

We mainly need to filter by the issuer property because we primarily serve users with different federated and social account identities.
Julia Pettere 6 Reputation points Microsoft Employee

2022-05-16T18:57:56.98+00:00

Hi @Andrew Campbell . Thanks for providing the extra info. Any chance you could share the AAD Graph query you've been able to use successfully?
Andrew Campbell 1 Reputation point

2022-05-18T06:08:02.363+00:00

Hi @Julia Pettere :

Thanks for getting in touch with me - I really appreciate your help with this.

The following are the query filters that we were using previously with our AD Graph API queries:

When we’re querying for a Local account:

$filter=signInNames/any(x:x/value eq '{emailAddress}')

And when we’re querying for a Federated or Social account:

$filter=userIdentities/any(x:x/issuer eq '{federatedIssuerKey}' and x/issuerUserId eq binary'{emailAddress}')

Where federatedIssuerKey is a short identifer name for the kind of issuer i.e. social logins like microsoft or facebook, or federated domain logins.

I've ommitted any irrelevant info from the query
Julia Pettere 6 Reputation points Microsoft Employee

2022-05-20T18:55:48.08+00:00

@Andrew Campbell Thanks, this is super helpful.

Digging into this further, I think the issue is the following statement in our docs: "Note: When filtering on the identities property, you must supply both issuer and issuerAssignedId." as well as an example on the update user doc.

Identities exposes 2 backend properties, logon identifiers (B2C local account info) and alternative security ids (federated account info). Filtering on alternative security ids requires issuer + issuer assigned id, but this is not the case for logon identifiers. This seems to match your original example above where when filtering identities with a B2C local account email, issuer is ignored.

As such, I do think both your AAD Graph queries are translatable to MS Graph. For your first example above you can filter on identities by just supplying issuer assigned id. For the second one you'd need to supply both issuer and issuer assigned id. We need to make clear in our docs when issuer is and isn't required. Does this resonate with what you've seen and are looking for?
Andrew Campbell 1 Reputation point

2022-06-07T14:39:11.76+00:00

Hi @Julia Pettere :

I definitely think amending the documentation around $filter would help greatly.

We're still waiting from an official fix from our Microsoft channel.

In the meantime, we have applied a temporary fix on the API side but I think we'll use your suggestion eventually.
Bhu Vidya 5 Reputation points

2023-05-03T07:36:15.8733333+00:00

Any update on this perchance?

User query $filter ignores identities/issuer - MS Graph API and Azure B2C

Activity