We’re using the MS Graph API /users endpoint to query user accounts in our Azure B2C tenant.
The $filter parameter doesn’t seem to filter Users correctly when filtering on the issuer property in the identities collection (used in identities/any(x:x/issuer)) - the supplied issuer string value is ignored.
Here’s an example of a query where the endpoint returned results matching the email address in issuerAssignedId even though the filter’s identities/issuer filter value contained only a whitespace character:
Request
GET https://graph.microsoft.com/v1.0/users?$select=id,displayName,identities&$top=999&$filter=identities/any(x:x/issuerAssignedId eq 'myusername@mycompany.onmicrosoft.com' and x/issuer eq ' ')
Response
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,displayName,identities)",
    "value": [
        {
            "id": "e2349f30-7778-4e60-86f6-254096886f84",
            "displayName": "trusted-user",
            "identities": [
                {
                    "signInType": "emailAddress",
                    "issuer": "myb2cissuer.onmicrosoft.com",
                    "issuerAssignedId": "myusername@mycompany.onmicrosoft.com"
                },
                {
                    "signInType": "userPrincipalName",
                    "issuer": "myb2cissuer.onmicrosoft.com",
                    "issuerAssignedId": "e2349f30-7778-4e60-86f6-254096886f84@myb2cissuer.onmicrosoft.com"
                }
            ]
        }
    ]
}
I understand that this form of query filter expression on the User’s identities collection requires that both issuer and issuerAssignedId are specified.
Could we please receive some info/feedback on this issue? Is it still a confirmed bug or are we calling the MS Graph API incorrectly?
This is a blocking issue for us.
@Faith (MS Graph Docs on GitHub) mentioned that this is caused by a known bug but didn’t include any reference to the bug, or tracking details, nor any indication of when it will be resolved:
“This is a known bug currently in Engineering's queue for resolution. Closing this issue for now.”
BTW This question has been asked elsewhere but it still remains unanswered:
https://techcommunity.microsoft.com/t5/microsoft-graph/microsoft-graph-filtering-on-identities/m-p/1744549
https://github.com/microsoftgraph/microsoft-graph-docs/issues/11094
https://stackoverflow.com/questions/65209716/is-issuer-both-required-and-ignored-when-querying-users-by-identity/65396990#65396990
I don't think the issue is limited to B2C. Even using the regular Entra Admin Center fails to filter correctly on the identities property (image below).
Also related: https://github.com/microsoftgraph/microsoft-graph-docs-contrib/issues/9104
From the GitHub issue I linked above:
“Due to internal architecture complexities, the only supported values for filtering on issuer properties alone are: google.com, facebook.com, phone. Filtering on ExternalAzureAD will return an empty array while there could be users matching that condition in your tenant.”
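Because the question shows the service returning a user whose issuer does not match the requested one, a caller that maps (issuer, issuerAssignedId) to an account can re-check the returned identities itself and fail closed. The following is an added example, not code from this thread or from Microsoft; the function names are hypothetical and the case-insensitive comparison is an assumption.

```python
from urllib.parse import quote

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Constructed sample: the response shown in the question, which Graph returned
# even though the request asked for issuer ' ' (a single space).
SAMPLE_RESPONSE = {
    "value": [{
        "id": "e2349f30-7778-4e60-86f6-254096886f84",
        "displayName": "trusted-user",
        "identities": [
            {"signInType": "emailAddress", "issuer": "myb2cissuer.onmicrosoft.com",
             "issuerAssignedId": "myusername@mycompany.onmicrosoft.com"},
            {"signInType": "userPrincipalName", "issuer": "myb2cissuer.onmicrosoft.com",
             "issuerAssignedId": "e2349f30-7778-4e60-86f6-254096886f84@myb2cissuer.onmicrosoft.com"},
        ],
    }]
}

def odata_literal(value):
    """Quote a string for an OData $filter (embedded ' is doubled)."""
    return "'" + value.replace("'", "''") + "'"

def build_identity_query(issuer, issuer_assigned_id):
    """Build the same /users query as in the question, URL-encoded."""
    flt = ("identities/any(x:x/issuerAssignedId eq "
           f"{odata_literal(issuer_assigned_id)} and x/issuer eq {odata_literal(issuer)})")
    return f"{GRAPH_USERS}?$select=id,displayName,identities&$filter={quote(flt, safe='')}"

def verified_matches(response, issuer, issuer_assigned_id):
    """Return users where ONE identity entry carries both requested values.
    Assumption: values are compared case-insensitively."""
    want = (issuer.casefold(), issuer_assigned_id.casefold())
    matches = []
    for user in response.get("value", []):
        for ident in user.get("identities") or []:
            got = ((ident.get("issuer") or "").casefold(),
                   (ident.get("issuerAssignedId") or "").casefold())
            if got == want:
                matches.append(user)
                break
    return matches

def resolve_single_user(response, issuer, issuer_assigned_id):
    """Fail closed unless exactly one user survives the client-side check."""
    matches = verified_matches(response, issuer, issuer_assigned_id)
    if len(matches) != 1:
        raise LookupError(f"expected 1 verified user, got {len(matches)}")
    return matches[0]
```

Run against the response from the question, the whitespace issuer yields no verified user, while the real issuer yields exactly one.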