User query $filter ignores identities/issuer - MS Graph API and Azure B2C

Andrew Campbell 1 Reputation point
2022-04-26T06:42:58.913+00:00

We’re using the MS Graph API /users endpoint to query user accounts in our Azure B2C tenant.
The $filter parameter doesn’t seem to filter Users correctly when filtering on the issuer property in the identities collection (used in identities/any(x:x/issuer)- the supplied issuer string value is ignored.

Here’s an example of a query where the endpoint returned results matching the email address in issuerAssignedId even though the filter’s identities/issuer filter value contained only a whitespace character:
Request

    GET https://graph.microsoft.com/v1.0/users?$select=id,displayName,identities&$top=999&$filter=identities/any(x:x/issuerAssignedId eq 'myusername@mycompany.onmicrosoft.com' and x/issuer eq ' ')  

Response

{  
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,displayName,identities)",  
    "value": [  
        {  
            "id": "e2349f30-7778-4e60-86f6-254096886f84",  
            "displayName": "trusted-user",  
            "identities": [  
                {  
                    "signInType": "emailAddress",  
                    "issuer": "myb2cissuer.onmicrosoft.com",  
                    "issuerAssignedId": "myusername@mycompany.onmicrosoft.com"  
                },  
                {  
                    "signInType": "userPrincipalName",  
                    "issuer": "myb2cissuer.onmicrosoft.com",  
                    "issuerAssignedId": "e2349f30-7778-4e60-86f6-254096886f84@myb2cissuer.onmicrosoft.com"  
                }  
            ]  
        }  
    ]  
}  

I understand that this form of query filter expression on the User’s identities collection requires that both issuer and issuerAssignedId are specified.

Could we please receive some info/feedback on this issue? Is it still a confirmed bug or are we calling the MS Graph API incorrectly?
This is a blocking issue for us.

@Faith (MS Graph Docs on Github) mentioned that this is caused by a known bug but didn’t include any reference to the bug, or tracking details, nor any indication of when it will be resolved:

“This is a known bug currently in Engineering's queue for resolution. Closing this issue for now.“

  • @Faith - from: $filter is not working properly for user identities · Issue #11094 · microsoftgraph/microsoft-graph-docs (github.com)

BTW This question has been asked elsewhere but it still remains unanswered:
https://techcommunity.microsoft.com/t5/microsoft-graph/microsoft-graph-filtering-on-identities/m-p/1744549
https://github.com/microsoftgraph/microsoft-graph-docs/issues/11094
https://stackoverflow.com/questions/65209716/is-issuer-both-required-and-ignored-when-querying-users-by-identity/65396990#65396990

Microsoft Graph
Microsoft Graph
A Microsoft programmability model that exposes REST APIs and client libraries to access data on Microsoft 365 services.
10,798 questions
Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,677 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Mike Crowley 121 Reputation points
    2024-02-08T21:54:45.02+00:00

    I don't think the issue is limited to B2C. Even using the regular Entra Admin Center fails to filter correctly on the identities property (image below).

    Also related: https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/9104 User's image

    0 comments No comments

  2. Mike Crowley 121 Reputation points
    2024-02-09T21:25:22.63+00:00

    From the github issue I linked above:

    Due to internal architecture complexities, the only supported values for filtering on issuer properties alone are: google.com, facebook.com, mail, phone. Filtering on ExternalAzureAD will return an empty array while there could be users matching that condition in your tenant.

    0 comments No comments