Azure AD connector user filter issue

I want to aggregate users where userPrincipalName ends with a certain string (endsWith(userPrincipalName,'-c@domain.onmicrosoft.com')).

But I am getting the error below during aggregation.

Exception occurred in Iterate Objects. Error message - sailpoint.connector.ConnectorException: Exception occurred in processReadRequest. Error - Response Code - 400 Error - 400 Operator ‘endsWith’ is not supported because it is used with the property ‘manager’ in $expand which requires $levels inside $expand. Refer to Advanced query capabilities on Microsoft Entra ID objects - Microsoft Graph | Microsoft Learn for more information

Can anyone please suggest the correct filter?

Along with the filter for userPrincipalName ending with a certain string, is it possible to aggregate users who are part of a certain group and whose userPrincipalName ends with a certain string?

I have followed the documents below and tried the recommended approach, but it didn’t help much. Maybe I am missing something.

Hi @Amrit1897 That first link includes the detail that you can’t use endswith filter together with selecting the manager attribute, and recommends removing the manager attribute from the schema.

Along with the filter for userPrincipalName ending with a certain string, is it possible to aggregate users who are part of a certain group?

Is it possible to aggregate users who are part of a certain group and whose userPrincipalName ends with a certain string?

Hello,

In order to aggregate the records belonging to a specific group, you can use the Group Membership Filter as per the documentation.

Note that it only supports a couple of group types within Azure, and not all of them.

Regards,

Rohit Wekhande.

I am using the filter condition below.

Accounts get aggregated by this user filter, and it satisfies the group filter condition in a way. Basically, the user filter pulls all users with object type as ApplicationRole. With the group membership filter, it adds object type as group with the user.

But I want both the user filter and the group membership filter to be applied in such a way that only users who are part of a particular group are onboarded.

For example: a group XYZ has 3 members, so only those three members should be aggregated.
User Filter: endsWith(userPrincipalName,'-c@domain.com')
Group Filter: displayName eq 'XYZ'

Can anyone please suggest in this case?

Can anyone please suggest on this?

I don’t think this will be possible.

From what I understand about Microsoft Graph and the Azure connector:

  1. The connector first grabs all the Users, and uses the User Filter.
     • That first list of users doesn’t contain the groups that the Users are in.
  2. The connector takes the list of users and does a look up of each User separately, and uses the Group Membership Filters.
     • This is where the connector gets the group listing.

So you will be able to filter users by userPrincipalName ends with XXXX, but you won’t be able to also filter them if they are in a particular group.

Group Membership Filters exclude any group that isn’t defined in your filter. If displayName eq 'XYZ' works, then when you look at an Account, you would only see that one particular group listed, and nothing else. We use that filter to exclude onPremise sync’d groups, along with Dynamic Membership groups, as we don’t want to see those listed for our users.

Ex. onPremisesSyncEnabled ne true AND NOT groupTypes/any(c:c eq 'DynamicMembership')

If you are using the Virtual Appliance Azure connector, you could try to add an account.filterString attribute to the source config via API.

account.filterString occurs after the list of Accounts is gathered from Azure. Use the User Filter in the Azure connector to only import users with endsWith(userPrincipalName,'-c@domain.com')

Then add the following account.filterString

"account.filterString": "!(groups.contains(\"<AzureAD value of the group>\"))"

That should filter out any accounts that do not contain the specified group. You might need to tweak it.

@Carlatto, thanks for the suggestion. I have applied both and removed the group membership filter. But only the user filter works properly; the filter below does not work as expected.
"account.filterString": "(groups.contains(\"groupName\"))",

I have placed the filter inside connectorAttributes.

Can you please suggest what went wrong?

Make sure you have an ! before the (groups.contains(\"groupname\")), so it should be "account.filterString": "!(groups.contains(\"\"))"

The filter is kind of opposite of how a lot of filters work. (groups.contains(\"groupname\")) will remove all accounts that contain the groupname. So you have to add the ! so that it does the opposite.
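
The inverted behavior described in the last reply, as an added example that is not part of the original thread and is not SailPoint's code: a local model of the two stages (User Filter first, then account.filterString acting as an exclusion). The account data and the function names are constructed for illustration, and nothing here calls Microsoft Graph or the connector.

```python
# Local model of the two filter stages discussed in this thread.
# Assumption: account.filterString drops every account for which the
# expression is true, as the last reply describes.

# Constructed sample accounts (UPN plus group memberships).
ACCOUNTS = [
    {"upn": "alice-c@domain.com", "groups": ["XYZ", "Staff"]},
    {"upn": "bob-c@domain.com", "groups": ["Staff"]},
    {"upn": "carol@domain.com", "groups": ["XYZ"]},
    {"upn": "dave-c@domain.com", "groups": ["XYZ"]},
]


def user_filter(accounts, suffix):
    """Stage 1: stands in for endsWith(userPrincipalName,'<suffix>')."""
    return [a for a in accounts if a["upn"].endswith(suffix)]


def apply_filter_string(accounts, predicate):
    """Stage 2: accounts for which the expression is true are removed."""
    return [a for a in accounts if not predicate(a)]


def aggregate(suffix, group, negate):
    """Run both stages; negate=True models the leading '!' in the expression."""
    def contains(account):
        return group in account["groups"]

    def negated(account):
        return not contains(account)

    staged = user_filter(ACCOUNTS, suffix)
    kept = apply_filter_string(staged, negated if negate else contains)
    return [a["upn"] for a in kept]


if __name__ == "__main__":
    # Without '!': members of XYZ are removed, the opposite of the goal.
    print(aggregate("-c@domain.com", "XYZ", negate=False))
    # With '!': only the -c users who are members of XYZ remain.
    print(aggregate("-c@domain.com", "XYZ", negate=True))
```

Comparing the two results against the expected membership of the group is a quick way to confirm which accounts an exclusion-style filter will leave in scope before changing the source configuration.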