Share via

Microsoft Graph API: Cannot filter users by onPremisesUserPrincipalName — returns empty results

Muthukumar, Subramanian 0 Reputation points
2026-05-11T20:14:03.2466667+00:00

I am trying to look up a hybrid (on-prem synced) user's onPremisesSecurityIdentifier (SID) by filtering on onPremisesUserPrincipalName using Microsoft Graph API.

User's image

However the onPremisesUserPrincipalName clearly exist when queried with onPremisesSamAccountName
User's image

Microsoft Security | Microsoft Graph
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-05-11T20:14:21.2266667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    onPremisesUserPrincipalName is one of the on-premises attributes that are treated as advanced/limited-query properties in Microsoft Graph. It can be selected and read on a user, but it is not supported in $filter for directory objects, which is why the query

    GET /v1.0/users?$count=true&$filter=onPremisesUserPrincipalName eq '******@wolf.com'&$select=...

    returns an empty collection even though the property is populated.

    To retrieve the onPremisesSecurityIdentifier (SID) for a hybrid user, use a supported lookup and then read the on-premises attributes from that user object:

    1. Query the user with a supported key (for example, id, userPrincipalName, or onPremisesSamAccountName): 
         GET https://graph.microsoft.com/v1.0/users?$filter=onPremisesSamAccountName eq 'wolfu1'&$select=id,displayName,userPrincipalName,onPremisesUserPrincipalName,onPremisesSamAccountName,onPremisesSecurityIdentifier
   ConsistencyLevel: eventual
      or, if the user ID is known: 
         GET https://graph.microsoft.com/v1.0/users/{user-id}?$select=onPremisesSecurityIdentifier
    2. Read onPremisesSecurityIdentifier from the returned user.

    Filtering directly on onPremisesUserPrincipalName is not supported; use another supported identifier (such as onPremisesSamAccountName) to locate the user, then select onPremisesUserPrincipalName and onPremisesSecurityIdentifier in the same call.

    References:

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.