The Get-AzureADUser command comes with a filtering function just like, e.g., Get-ADUser.
But if you’re expecting the power of the Get-ADUser LdapFilter switch or the PowerShell expression language Filter switch, then you’re in for a sad surprise…
The Get-AzureADUser filter is overly complex and lacks a lot of functionality.
Unfortunately, in most cases, your better option is to retrieve all user accounts and perform the filtering locally.
The below sections will demonstrate some uses of the Get-AzureADUser Filter options.
To bring an end to the constant googling for PowerShell commands altogether, have a look at Easy365Manager:
Easy365Manager is a snap-in to Active Directory Users & Computers that consolidates Office 365 and Active Directory management.
With Easy365Manager, you can perform all daily Office 365 management directly from AD – even tasks that would typically require PowerShell, like the configuration of calendar permissions, as seen in the above example.
Review the complete Easy365Manager feature list here.
Get-AzureADUser Filter Operators
The Filter switch of the Get-AzureADUser command builds on oData v3.0 filtering.
This is contrary to the PowerShell expression language filter used by Get-ADUser -Filter, which again is different from the very basis Get-MsolUser -SearchString filter option.
For every new development team at Microsoft, there seems to be a new strategy… 🙄
The following details the basic operators available to Get-AzureADUser filtering:
| Operator | Meaning | Sample expression |
|---|---|---|
| eq | Equal to | DisplayName eq ‘Tycho Brahe’ |
| and | And | Country eq ‘Germany’ and Department eq ‘Marketing’ |
| or | Or | Country eq ‘Germany’ or Country eq ‘France’ |
Notice that the Like filter is not available – it’s impossible to search substrings in Azure AD user attributes, which makes the use cases very limited. The same goes for the Not filter and many more.
The only type of wildcard search available is the ‘startswith’ filter.
Additionally, it’s possible to search the values of multivalue attributes using the ‘any’ filter.
However, a big limitation of this is the inability to search complex object type attributes like ‘AssignedPlans’.
Get-AzureADUser Filter Examples
Below you’ll find some basic examples of the Get-AzureADUser filter syntax.
Get-AzureADUser -Filter "DisplayName eq 'Tycho Brahe'"Get-AzureADUser -Filter "Country eq 'Germany' and Department eq 'Marketing'"Get-AzureADUser -Filter "Country eq 'Germany' or Country eq 'France'"Get-AzureADUser -Filter "startswith(displayName,'Hans')"Get-AzureADUser -Filter "proxyAddresses/any(p:startswith(p,'smtp:hans'))"But as mentioned at the beginning of the article:
The use-cases of the Get-AzureADUser Filter parameter are very limited. In most cases, you’re forced to retrieve all users and perform the filtering locally, using the PowerShell expression language filter, e.g.:
Get-AzureADUser -All $true | Where-Object {$_.DisplayName -like "*hans*"}Get-AzureADUser -All $true | Where-Object {$_.AssignedPlans.Service -eq "SharePoint"}Although this approach may perform badly in large environments, it offers a lot more options and flexibility.