Help

Azure AD 'User Name' mapping with onPremisesSamAccountName

glpi-ios
Contributor III

‎01-14-2022 08:13 AM - edited ‎01-14-2022 08:15 AM

Hello,

I would like to know if any of you have configured Azure AD 'User Name' mapping (Cloud Identity Providers) with the onPremisesSamAccountName attribute (instead of userPrincipalName).

Because it was working fine and since we are in Jamf 10.33 it doesn't seem to work anymore.
When we try to search for a user, we get the following error in the logs:

com.microsoft.graph.http.GraphServiceException: Error code: Request_UnsupportedQuery
Error message: Unsupported or invalid query filter clause specified for property 'onPremisesSamAccountName' of resource 'User'.

GET https://graph.microsoft.com/v1.0/users?%24filter=startswith%28onPremisesSamAccountName%2C%27username%27%29&%24select=id%2ConPremisesSamAccountName%2CdisplayName%2Cmail%2Cdepartmentle%2CmobileTop=999

Thank you

0 Kudos
Reply
5 REPLIES 5

abremel
New Contributor II

Posted on ‎02-01-2022 12:57 PM

Just ran into this today... sure looks like jamf needs to tweak the graph API query they're using here. Came across this post when researching the error:  https://docs.microsoft.com/en-us/answers/questions/577870/filtering-on-onpremisessamaccountname-is-n...

Reproducing the jamf graph query in graph explorer results in the same error, adding the mentioned headers and count variable make the search completely successfully - it looks like searching on onpremisessamaccountname turns this into an advanced query, requiring the extra headers and $count=true that jamf doesn't currently appear to be sending to graph.

0 Kudos
Reply

glpi-ios
Contributor III

Posted on ‎02-21-2022 07:51 AM

Hi @abremel 

Thanks for the explanation.
So far Jamf still hasn't solved the problem.

0 Kudos
Reply

abremel
New Contributor II
In response to glpi-ios

Posted on ‎02-21-2022 07:57 AM

My last reply from support was that it's now an open product issue, but as is standard with those... no ETA.

From support: "This is a open Product Issue, PI103710. Currently the only workaround is to use different username mapping. "

0 Kudos
Reply

glpi-ios
Contributor III
In response to abremel

Posted on ‎02-21-2022 08:53 AM

Ok thank you for this information.
I had just created a Support ticket....

If it's a Product Issue that's already open, all we have to do is wait.

Thank you

0 Kudos
Reply

glpi-ios
Contributor III

Posted on ‎07-20-2022 09:14 AM

Hello,

I see that PI103710 still exists and yet I notice that now I am able to search Users and Groups with the onPremisesSamAccountName attribute (instead of userPrincipalName) in User Name mapping.

Do you know if it's solved by Jamf or if it's a change on the Microsoft side?

Thanks

0 Kudos
Reply