This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 16%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAC%3C/text%3E%3C/svg%3E)
We’re using the MS Graph API /users endpoint to query user accounts in our Azure B2C tenant.
The $filter parameter doesn’t seem to filter Users correctly when filtering on the issuer property in the identities collection (used in identities/any(x:x/issuer)- the supplied issuer string value is ignored.
Here’s an example of a query where the endpoint returned results matching the email address in issuerAssignedId even though the filter’s identities/issuer filter value contained only a whitespace character:
Request
GET https://graph.microsoft.com/v1.0/users?$select=id,displayName,identities&$top=999&$filter=identities/any(x:x/issuerAssignedId eq 'myusername@mycompany.onmicrosoft.com' and x/issuer eq ' ')
Response
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,displayName,identities)",
"value": [
{
"id": "e2349f30-7778-4e60-86f6-254096886f84",
"displayName": "trusted-user",
"identities": [
{
"signInType": "emailAddress",
"issuer": "myb2cissuer.onmicrosoft.com",
"issuerAssignedId": "myusername@mycompany.onmicrosoft.com"
},
{
"signInType": "userPrincipalName",
"issuer": "myb2cissuer.onmicrosoft.com",
"issuerAssignedId": "e2349f30-7778-4e60-86f6-254096886f84@myb2cissuer.onmicrosoft.com"
}
]
}
]
}
I understand that this form of query filter expression on the User’s identities collection requires that both issuer and issuerAssignedId are specified.
Could we please receive some info/feedback on this issue? Is it still a confirmed bug or are we calling the MS Graph API incorrectly?
This is a blocking issue for us.
@Faith (MS Graph Docs on Github) mentioned that this is caused by a known bug but didn’t include any reference to the bug, or tracking details, nor any indication of when it will be resolved:
“This is a known bug currently in Engineering's queue for resolution. Closing this issue for now.“
BTW This question has been asked elsewhere but it still remains unanswered:
https://techcommunity.microsoft.com/t5/microsoft-graph/microsoft-graph-filtering-on-identities/m-p/1744549
https://github.com/microsoftgraph/microsoft-graph-docs/issues/11094
https://stackoverflow.com/questions/65209716/is-issuer-both-required-and-ignored-when-querying-users-by-identity/65396990#65396990
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Hi @Andrew Campbell ,
Thanks for reporting this. I agree that there should be an update on this, and I sent a message to both the B2C team and the owner of that Github issue to see where this is being tracked.
The PG replied that they are tracking the bug and they showed me the work item, but they are unable provide an ETA for a fix yet.
Can you describe in more detail what is blocking you?
Do you have cases where there are users with the same issuer assigned id and issuer? If not, you should still be able to search by issuer assigned id.
Hi @Marilee Turscak-MSFT
Thanks for replying to my question.
Can you describe in more detail what is blocking you?
What is blocking us is the fact that the query filter doesn't filter our Azure B2C users' identities by the identity issuer as we expected.
Using their email address and specific issuer "keys", our API looks for specific federated or social account identities that a user may possess. We need to check whether an account's identities collection contains a federated or social identity account using a comparison expression on the "issuer" property.
Our API was working correctly when it was using Azure Active Directory Graph API to query Azure B2C. This issue only presented itself once we migrated to using Microsoft Graph API.
Do you have cases where there are users with the same issuer assigned id and issuer? If not, you should still be able to search by issuer assigned id.
We might need to try that approach and simply filter by issuer assigned id while we wait for the MS Graph API bug fix.
We mainly need to filter by the issuer property because we primarily serve users with different federated and social account identities.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(32, 34%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Hi @Andrew Campbell . Thanks for providing the extra info. Any chance you could share the AAD Graph query you've been able to use successfully?
Hi @Julia Pettere :
Thanks for getting in touch with me - I really appreciate your help with this.
The following are the query filters that we were using previously with our AD Graph API queries:
When we’re querying for a Local account:
$filter=signInNames/any(x:x/value eq '{emailAddress}')
And when we’re querying for a Federated or Social account:
$filter=userIdentities/any(x:x/issuer eq '{federatedIssuerKey}' and x/issuerUserId eq binary'{emailAddress}')
Where federatedIssuerKey is a short identifer name for the kind of issuer i.e. social logins like microsoft or facebook, or federated domain logins.
I've ommitted any irrelevant info from the query
@Andrew Campbell Thanks, this is super helpful.
Digging into this further, I think the issue is the following statement in our docs: "Note: When filtering on the identities property, you must supply both issuer and issuerAssignedId." as well as an example on the update user doc.
Identities exposes 2 backend properties, logon identifiers (B2C local account info) and alternative security ids (federated account info). Filtering on alternative security ids requires issuer + issuer assigned id, but this is not the case for logon identifiers. This seems to match your original example above where when filtering identities with a B2C local account email, issuer is ignored.
As such, I do think both your AAD Graph queries are translatable to MS Graph. For your first example above you can filter on identities by just supplying issuer assigned id. For the second one you'd need to supply both issuer and issuer assigned id. We need to make clear in our docs when issuer is and isn't required. Does this resonate with what you've seen and are looking for?
Hi @Julia Pettere :
I definitely think amending the documentation around $filter would help greatly.
We're still waiting from an official fix from our Microsoft channel.
In the meantime, we have applied a temporary fix on the API side but I think we'll use your suggestion eventually.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 23%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBV%3C/text%3E%3C/svg%3E)
Any update on this perchance?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 73%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Gentle nudge. Kindly provide any update on this challenge?
I don't think the issue is limited to B2C. Even using the regular Entra Admin Center fails to filter correctly on the identities property (image below).
Also related: https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/9104
From the github issue I linked above:
Due to internal architecture complexities, the only supported values for filtering on
issuerproperties alone are:google.com,facebook.com,phone. Filtering onExternalAzureADwill return an empty array while there could be users matching that condition in your tenant.