I’m encountering a repeatable issue in the Azure AD (Entra ID) connector during aggregation. Whenever I use an advanced filter with endsWith() on userPrincipalName, aggregation fails with:
Error:
Exception occurred in Iterate Objects. Error message - sailpoint.connector.ConnectorException: Exception occurred in processReadRequest. Error - Response Code - 400 Error - 400 Operator ‘endsWith’ is not supported because it is used with the property ‘manager’ in $expand which requires $levels inside $expand. Refer to Advanced query capabilities on Microsoft Entra ID objects - Microsoft Graph | Microsoft Learn for more information
What I need help with:
Is there a supported configuration where:
- endsWith filter works,
- manager remains mapped,
- and manager attribute sync to Azure AD still works?
This is a Microsoft limitation, not a SailPoint issue. If you want to use "endsWith" you have to remove the Manager attribute from the Account Schema.
"The connector supports advanced query filters like endsWith, NOT, and NE during aggregation. The Azure API does not support the advanced query filters while also using an expanded attribute such as manager in the URL. When using the advanced filters, ensure that you remove the manager attribute from the account schema and remove the owners attribute from the group schema."
filterString does work with the Entra SaaS connector. I just double checked it.
Just be aware that the connector will get all the accounts from Entra, and then it will filter out the accounts matching your filter, whereas the advanced filter will only grab the accounts that match the filter. So filterString could be significantly slower depending on the number of accounts.
You must split it into two steps (aggregation first, then manager enrichment), because Graph won’t let you filter with endsWith and expand manager together.
1. Aggregate with endsWith and no manager expansion (remove manager from the schema for the aggregation run).
2. After aggregation, call /users/{id}/manager (no advanced filter) to populate the manager mapping in SailPoint (either via a follow-up enrichment task or rule).
This respects Microsoft Graph limitations (no $expand with advanced queries) and keeps your manager data current.
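As an added illustration of the two-step approach above (this is not code from the thread or from the SailPoint connector), the planner below builds the Graph requests so that an advanced operator is never combined with $expand=manager; the header and $count requirements come from Microsoft's advanced-query documentation, while the user ids passed in are assumed to come from the first call's response.

```python
# Added example: plan Microsoft Graph requests for an aggregation that uses an
# advanced $filter operator without triggering the "$expand requires $levels" 400.
import re
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
# Operators the thread names as "advanced". On Graph they require the
# ConsistencyLevel: eventual header plus $count=true, and cannot share a
# request with $expand=manager.
ADVANCED = re.compile(r"\b(endsWith|not|ne)\b", re.IGNORECASE)


def plan_requests(filter_expr, expand=("manager",), user_ids=()):
    """Return an ordered list of (method, url, headers) for the aggregation.

    When filter_expr uses an advanced operator, the manager expansion is
    dropped from the /users query and replaced by one /users/{id}/manager
    call per user id (user_ids: ids from the first call, supplied by caller).
    """
    advanced = bool(ADVANCED.search(filter_expr))
    params = {"$filter": filter_expr, "$select": "id,userPrincipalName"}
    headers = {}
    if advanced:
        headers["ConsistencyLevel"] = "eventual"
        params["$count"] = "true"          # mandatory with advanced queries
    elif expand:
        params["$expand"] = ",".join(expand)   # safe only for plain filters
    plan = [("GET", f"{GRAPH}/users?{urlencode(params)}", headers)]
    if advanced and "manager" in expand:
        plan += [("GET", f"{GRAPH}/users/{uid}/manager", {}) for uid in user_ids]
    return plan


def apply_filter_string(accounts, suffix):
    """Client-side equivalent of account.filterString: every account has
    already been fetched; only the matching ones are kept afterwards."""
    return [a for a in accounts if a["userPrincipalName"].endswith(suffix)]


if __name__ == "__main__":
    for step in plan_requests("endsWith(userPrincipalName,'sample.com')",
                              user_ids=["id-1", "id-2"]):   # constructed ids
        print(*step)
```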
Only if you can figure out an Entra filter not using the advanced options. Maybe you could reduce the user count by using an Entra filter, then applying the filterString to get the users you want.
If you don’t need them aggregated, you shouldn’t have visibility to them to start with (least privilege). Scope them in/out according to your AU as mentioned in the earlier post.
I.e., the first layer of security is not what the client says they want to see or not see. It’s about what the data custodian (Entra) authorizes you to see.
We ‘solved’ the same problem by having separate connectors. Not the best solution we have ever come up with, but the only one that we could get to work considering the limitations of Entra.
Hi @Amrit1897,
If you are using the endsWith() advanced filter, you will get the error:
sailpoint.connector.ConnectorException: Exception occurred in processReadRequest. Error - Response Code - 400 Error - 400 Operator ‘endsWith’ is not supported because it is used with the property ‘manager’ in $expand which requires $levels inside $expand.
So, to solve this, what you can do is instead of using endsWith, use the filterString.
You have to add the line below to the connector attributes of the Azure AD source:
"account.filterString": "(userPrincipalName.endsWith(\"sample.com\"))"
This works without removing manager attribute from account schema.
Thanks