Skip to main content
Nintex Community Menu Bar

I am getting an error when using the “On Premise Sam Account Name” field in conditions.
Error is : Unsupported or invalid query filter clause specified for property 'onPremisesSamAccountName' of resource 'User'.

When testing this in Postman (or MS Graph explorer)  I am able to get it to work but it needs some modification from a basic command or it gets the same Error. What needs to happen in the GET command is “$count=true” needs to be added and and in request headers key “ConsistencyLevel” with value “eventual” must be added.

So my questions:

  1. can the default Azure Active Directory Query Users activity be use the “On Premise Sam Account Name” field in conditions? Maybe I am missing something.
  2. Should I try to just use “Call a Web Service” and customize it to GET from AAD?

This is how it is setup now.

 

Hi @Scottg,

You’re not missing anything. The Microsoft Graph API just don’t work the same with On-Premise properties conditions parameters. 

I will not recommend to use the action “Call a web service” as it is not secure. 

I recommend to use Nintex Xtensions to get the API request as an action which is more secure as then the connection authentication will be encrypted.

1- Create the Xtensions : Below the swagger file I created specifically for that API request “/users?$count=true&$filter=onPremisesSamAccountName eq '{onPremisesSamAccountName}'”.

 
{
"swagger": "2.0",
"info": {
"version": "1.0.0",
"title": "MS Graph API - Get Users By On Premise SAM AC",
"description": "MS Graph API - Get Users By On Premise SAM AC",
"contact": {
"email": "cecilia.penha@nintex.com"
}
},
"host": "graph.microsoft.com",
"basePath": "/v1.0/",
"schemes": >
"https"
],
"x-ntx-render-version" : 2,
"securityDefinitions": {
"oauth2": {
"type": "oauth2",
"flow": "accessCode",
"authorizationUrl": "https://login.microsoftonline.com/{{tenant}}/oauth2/v2.0/authorize",
"tokenUrl": "https://login.microsoftonline.com/{{tenant}}/oauth2/v2.0/token",
"scopes": {
"https://graph.microsoft.com/.default": "all the application permissions you have configured for your app"
},
"x-ntx-connection-properties": {
"type": "object",
"properties": {
"tenant": {
"type": "string",
"title": "Directory tenant",
"description": "This can be GUID or friendly name user"
}
},
"required": "tenant"]
}
}
},
"security":
{
"oauth2":
"https://graph.microsoft.com/.default"
]
}
],
"paths": {
"/users?$count=true&$filter=onPremisesSamAccountName eq '{onPremisesSamAccountName}'": {
"get": {
"summary": "Get Users By On Premise SAM Account Name",
"description": "Get Users By On Premise SAM Account Name",
"operationId": "getUsersByOnPremiseSAMAccountName",
"parameters":
{
"$ref": "#/parameters/OnPremiseSAMAccountName"
},
{
"$ref": "#/parameters/ConsistencyLevel"
}
],
"responses": {
"200": {
"description": "OK",
"schema": {
"$ref": "#/definitions/users"
}
}
}
}
}
},
"parameters": {
"OnPremiseSAMAccountName": {
"name": "onPremisesSamAccountName",
"x-ntx-summary": "On Premises SAM Account Name",
"type": "string",
"in": "path",
"required": true
},
"ConsistencyLevel": {
"name": "ConsistencyLevel",
"x-ntx-summary": "Consistency Level",
"type": "string",
"in": "header",
"x-ntx-visibility": "internal",
"x-ntx-initial": true,
"default": "Eventual",
"required": true
}
},
"definitions": {
"users": {
"x-ntx-summary": "Users",
"additionalProperties": false,
"type": "object",
"properties": {
"@odata.context":{
"x-ntx-summary": "OData Context",
"type": "string"
},
"@odata.nextLink":{
"x-ntx-summary": "OData Next Link",
"type": "string"
},
"value": {
"x-ntx-summary": "Users",
"additionalProperties": false,
"type": "array",
"items": {
"$ref": "#/definitions/user"
}
}
}
},
"user": {
"type": "object",
"additionalProperties": false,
"x-ntx-summary": "",
"properties": {
"id": {
"type": "string",
"x-ntx-summary": "Id",
"description": "User ID"
},
"displayName": {
"type": "string",
"x-ntx-summary": "Display Name"
},
"givenName": {
"type": "string",
"x-ntx-summary": "Last Name"
},
"surname": {
"type": "string",
"x-ntx-summary": "First Name"
},
"jobTitle": {
"type": "string",
"x-ntx-summary": "Job Title"
},
"mail": {
"type": "string",
"x-ntx-summary": "Email"
},
"userPrincipalName": {
"type": "string",
"x-ntx-summary": "User Principal Name"
},
"mobilePhone": {
"type": "string",
"x-ntx-summary": "Mobile Phone"
},
"officeLocation": {
"type": "string",
"x-ntx-summary": "Office Location"
},
"businessPhones": {
"type": "array",
"x-ntx-summary": "Business Phone",
"items": {
"$ref": "#/definitions/phone"
}
}
}
},
"phone": {
"type": "object",
"additionalProperties": false,
"x-ntx-summary": "",
"properties": {
"phone": {
"type": "string",
"x-ntx-summary": "Phone",
"description": "Phone"
}
}
},
"groups": {
"x-ntx-summary": "Groups",
"additionalProperties": false,
"type": "array",
"items": {
"$ref": "#/definitions/group"
}
},
"group": {
"type": "object",
"additionalProperties": false,
"x-ntx-summary": "",
"properties": {
"id": {
"type": "string",
"x-ntx-summary": "Id",
"description": "Group ID"
},
"created": {
"type": "string",
"x-ntx-summary": "Created"
},
"displayName": {
"type": "string",
"x-ntx-summary": "Display Name"
},
"description": {
"type": "string",
"x-ntx-summary": "Description"
},
"mailEnabled": {
"type": "boolean",
"x-ntx-summary": "Email Enabled"
},
"mail": {
"type": "string",
"x-ntx-summary": "Email"
},
"visibility": {
"type": "string",
"x-ntx-summary": "Visibility",
"enum": "Public","Private"]
},
"mobilePhone": {
"type": "string",
"x-ntx-summary": "Mobile Phone"
},
"officeLocation": {
"type": "string",
"x-ntx-summary": "Office Location"
},
"businessPhones": {
"type": "array",
"x-ntx-summary": "Business Phone",
"items": {
"$ref": "#/definitions/phone"
}
}
}
}
}
}

On Nintex Automation Cloud, add an Xtension and upload the OpenAPI specification file : 

Then specifiy the client ID and client Secret (as it rely on Azure AD App registration with the right permissions to Users API) :

Then specify connector details :

2- Create the connection and specify the Azure AD Tenant ID and publish. This will start the OAuth authorization. 

 

Once the connection is created you can implement the action within any workflows as shown below : 

I have 2 users with “james.bond” SAM Account name but only 1 on-premise as retrieved above.

 

I use Nintex Xtensions quite often to extend the native connectors and for any external OpenAPI.

 

Hope that helps ! 


@cecilia-penha thank you very much . I will test that out. Defiantly looks like a better and more secure method.


@cecilia-penha 
I was able to set up the Xtensions connector. It appeared to connect properly but when I run it in the workflow.

>Error Code: IO.XtensionExecute.ErrorResponse]


I can run the same command with a “Get Web Service” and pulling a token with the same ClientID and Secret, so the privileges are correct on the AAD side. Is this a problem with the Xtension? Should I open a support case?


I think I found the issue. The Xtensions app is using delegated not application permissions with Graph call. I can repoduce in postman.

Now just need to figure out how to make the make it work with the correct permission.


Reply