Question asked by AndrewCampbell-3711 (0 votes; edited by saldana-msft)

User query $filter ignores identities/issuer - MS Graph API and Azure B2C

We’re using the MS Graph API /users endpoint to query user accounts in our Azure B2C tenant.
The $filter parameter doesn’t seem to filter users correctly when filtering on the issuer property in the identities collection (used as identities/any(x:x/issuer ...)): the supplied issuer string value is ignored.

Here’s an example of a query where the endpoint returned results matching the email address in issuerAssignedId even though the filter’s identities/issuer filter value contained only a whitespace character:
Request

     GET https://graph.microsoft.com/v1.0/users?$select=id,displayName,identities&$top=999&$filter=identities/any(x:x/issuerAssignedId eq 'myusername@mycompany.onmicrosoft.com' and x/issuer eq ' ')

Response

 {
     "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,displayName,identities)",
     "value": [
         {
             "id": "e2349f30-7778-4e60-86f6-254096886f84",
             "displayName": "trusted-user",
             "identities": [
                 {
                     "signInType": "emailAddress",
                     "issuer": "myb2cissuer.onmicrosoft.com",
                     "issuerAssignedId": "myusername@mycompany.onmicrosoft.com"
                 },
                 {
                     "signInType": "userPrincipalName",
                     "issuer": "myb2cissuer.onmicrosoft.com",
                     "issuerAssignedId": "e2349f30-7778-4e60-86f6-254096886f84@myb2cissuer.onmicrosoft.com"
                 }
             ]
         }
     ]
 }

I understand that this form of query filter expression on the User’s identities collection requires that both issuer and issuerAssignedId are specified.

Could we please receive some info/feedback on this issue? Is it still a confirmed bug or are we calling the MS Graph API incorrectly?
This is a blocking issue for us.

@FaithOmbongi (MS Graph Docs on Github) mentioned that this is caused by a known bug but didn’t include any reference to the bug, or tracking details, nor any indication of when it will be resolved:

“This is a known bug currently in Engineering's queue for resolution. Closing this issue for now.”

- @FaithOmbongi - from: $filter is not working properly for user identities · Issue #11094 · microsoftgraph/microsoft-graph-docs (github.com)

BTW, this question has been asked elsewhere but it still remains unanswered:
https://techcommunity.microsoft.com/t5/microsoft-graph/microsoft-graph-filtering-on-identities/m-p/1744549
https://github.com/microsoftgraph/microsoft-graph-docs/issues/11094
https://stackoverflow.com/questions/65209716/is-issuer-both-required-and-ignored-when-querying-users-by-identity/65396990#65396990

Tags: azure-ad-b2c, microsoft-graph-identity, microsoft-graph-query-parameters

Hi @AndrewCampbell-3711,

Thanks for reporting this. I agree that there should be an update on this, and I sent a message to both the B2C team and the owner of that Github issue to see where this is being tracked.

0 Votes 0 ·

The PG replied that they are tracking the bug and they showed me the work item, but they are unable to provide an ETA for a fix yet.

0 Votes 0 ·

Can you describe in more detail what is blocking you?

Do you have cases where there are users with the same issuer assigned id and issuer? If not, you should still be able to search by issuer assigned id.

0 Votes 0 ·

Hi @MarileeTurscak-MSFT
Thanks for replying to my question.

Can you describe in more detail what is blocking you?

What is blocking us is the fact that the query filter doesn't filter our Azure B2C users' identities by the identity issuer as we expected.
Using their email address and specific issuer "keys", our API looks for specific federated or social account identities that a user may possess. We need to check whether an account's identities collection contains a federated or social identity account using a comparison expression on the "issuer" property.

Our API was working correctly when it was using Azure Active Directory Graph API to query Azure B2C. This issue only presented itself once we migrated to using Microsoft Graph API.

Do you have cases where there are users with the same issuer assigned id and issuer? If not, you should still be able to search by issuer assigned id.

We might need to try that approach and simply filter by issuer assigned id while we wait for the MS Graph API bug fix.

We mainly need to filter by the issuer property because we primarily serve users with different federated and social account identities.

0 Votes 0 ·

Hi @AndrewCampbell-3711 . Thanks for providing the extra info. Any chance you could share the AAD Graph query you've been able to use successfully?

0 Votes 0 ·

Hi @JuliaPettere-6121:

Thanks for getting in touch with me - I really appreciate your help with this.

The following are the query filters that we were using previously with our AD Graph API queries:

When we’re querying for a Local account:

 $filter=signInNames/any(x:x/value eq '{emailAddress}')

And when we’re querying for a Federated or Social account:

 $filter=userIdentities/any(x:x/issuer eq '{federatedIssuerKey}' and x/issuerUserId eq binary'{emailAddress}')

Where federatedIssuerKey is a short identifier name for the kind of issuer, i.e. social logins like microsoft or facebook, or federated domain logins.

I've omitted any irrelevant info from the query.

0 Votes 0 ·

@AndrewCampbell-3711 Thanks, this is super helpful.

Digging into this further, I think the issue is the following statement in our docs: "Note: When filtering on the identities property, you must supply both issuer and issuerAssignedId." as well as an example on the update user doc.

Identities exposes 2 backend properties, logon identifiers (B2C local account info) and alternative security ids (federated account info). Filtering on alternative security ids requires issuer + issuer assigned id, but this is not the case for logon identifiers. This seems to match your original example above where when filtering identities with a B2C local account email, issuer is ignored.

As such, I do think both your AAD Graph queries are translatable to MS Graph. For your first example above you can filter on identities by just supplying issuer assigned id. For the second one you'd need to supply both issuer and issuer assigned id. We need to make clear in our docs when issuer is and isn't required. Does this resonate with what you've seen and are looking for?

1 Vote 1 ·

0 Answers