Entra ID User Filter "endsWith"

Hello,

I am trying to set up an Entra ID source that will filter out accounts from a particular on-premises OU. I am trying to do this using the User Filter settings in the source. I am trying to use: endsWith(onPremisesDistinguishedName,'OU=QA Test Accounts,OU=Employees,OU=All Users,DC=test,DC=domain,DC=com')

I use the above for the source to just return users under the OU QA Test Accounts. But I am getting an error every time I run the aggregation.

image

I tried adding the ConsistencyLevel: eventual in the search string but it then gives me this error:

image

Appreciate if you can assist me on this one. Thanks!

Try removing the Manager attribute from the schema and retrying the aggregation.

Removed it. Now giving me this error:

image

Hi @renzambos,

Add $count=true to the query parameters and try.

Regards,
Arun

Error still…

image

Hi,

Did you add the below entry to source XML?

key: supportsAdvancedAccountFilter

value: true

In the Source settings > Aggregation > User Filters, I did set this:

image

If you are using Advanced filters, you must add the entry to source XML using API.

It's already set as true…

image

Hi @renzambos

Just need one clarification. Is your User Filters value like this: endsWith(onPremisesDistinguishedName,'OU=QA Test Accounts,OU=Employees,OU=All Users,DC=test,DC=domain,DC=com'), or have you added something to it? Wanted to know what caused the invalid filter clause.

As you have already set supportsAdvancedAccountFilter to true in the source, this will automatically add ConsistencyLevel: eventual in the header and $count=true in the query params. Hope these are not explicitly mentioned in the filter, which might have caused the invalid filter clause error.

Thanks!
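
The request shape described in the reply above, as an added example that is not part of the thread and is not SailPoint connector code: the filter expression stays a bare expression, while `ConsistencyLevel: eventual` travels as a header and `$count=true` as a query parameter. The Microsoft Graph `/v1.0/users` endpoint and the helper names `check_filter` and `build_request` are assumptions made for illustration; nothing is sent over the network.

```python
from urllib.parse import urlencode, quote

# Assumed endpoint for illustration; the connector's real URL is not shown in the thread.
GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# Request-level options that must not be pasted into the filter expression itself.
MISPLACED = ("consistencylevel", "$count", "$filter=", "$select")


def check_filter(expr):
    """Return a list of problems found in a user filter expression."""
    problems = []
    lowered = expr.lower()
    for token in MISPLACED:
        if token in lowered:
            problems.append(f"{token!r} belongs in the request, not in the filter")
    if expr.count("(") != expr.count(")"):
        problems.append("unbalanced parentheses")
    if expr.count("'") % 2:
        problems.append("unbalanced single quotes")
    return problems


def build_request(expr, advanced=True):
    """Build (url, headers) for a filtered user listing.

    advanced=True models supportsAdvancedAccountFilter=true as described
    in the thread: the header and $count are added outside the filter.
    """
    problems = check_filter(expr)
    if problems:
        raise ValueError("; ".join(problems))
    params = {"$filter": expr}
    headers = {}
    if advanced:
        params["$count"] = "true"
        headers["ConsistencyLevel"] = "eventual"
    query = urlencode(params, quote_via=quote, safe="$")
    return f"{GRAPH_USERS}?{query}", headers


if __name__ == "__main__":
    # Filter value taken from the thread.
    dn = "OU=QA Test Accounts,OU=Employees,OU=All Users,DC=test,DC=domain,DC=com"
    url, headers = build_request(f"endsWith(onPremisesDistinguishedName,'{dn}')")
    print(url)
    print(headers)
```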


Hi @renzambos,

See if you can print the filter in the logs; then you will get to see what the filter value is.

Refer to the Microsoft Graph queries to understand whether it aligns in the below way or not.

Hi @renzambos,

I am sure this has already been eliminated but no harm verifying again - AAD service account has “User.Read.All” rights.

Another thing you can try is in the request URL (not the filter), please add $select=* and use the same filter value.

HTH

Update: was able to resolve this using the filterString from this article:

IdentityNow Account Filtering during Account Aggregation - Compass (sailpoint.com)

Thanks everyone for your responses!
