Skip to main content

Employee List - Directory Filtering

Sebastian Salla
Updated

Table Of Contents

Overview

CanIPhish support advanced filtering when syncing Entra ID/Azure AD or Google Workspace Directory Groups. To utilise Directory Sync Filtering, simply add one or more filter values against a directory attribute. By default, values entered look for an exact match - but are case insensitive.

Each filter acts as an AND operator. For example, if filter 1 is against the Location Attribute and set to 'Australia' and filter 2 is against the Department Attribute and set to 'IT' then only users who fit both criteria will be added to the employee list (i.e. are an IT employee in Australia).

When adding multiple values to a filter, each value entered acts as an OR operator. For example, if a filter is set against the Department Attribute and the values are 'IT' and 'Finance' then we will look for employees who have either 'IT' OR 'Finance' in the Department Attribute.

Date Filters

Date filtering is supported on specific fields within both Entra ID/Azure AD and Google Workspace. Date filters can be applied for dates that are either greater OR less than the date specified in the filter attribute value section through the use of angle brackets.

  • Greater Than Date Operator: ">"
  • Less Than Date Operator: "<"

Supported Date Filter Formats

When filtering on dates, the filter attribute value can be in one of two formats:

  • ISO 8601 Timestamp: yyyy-MM-ddTHH:mm:ss.fffZ
    • Example: 2025-01-22T13:30:45.123Z
  • Date Format: yyyy-MM-dd
    • Example: 2025-01-22
  • Dynamic Date Evaluations: This comes in the form of an evaluation function which will look at the current datetime (UTC+0) and either add or remove days to then perform the necessary filter. The evaluation function is split into three sections which are combined to form the full evaluation function:
    • 1. Positive/Negative: In the form of a "+" or "-" character indicating whether to add days "+" or deduct days "-" from the current datetime.
    • 2. Day Count: In the form of a number ranging from 0-9999.
    • 3. Dynamic Evaluation Qualifier: Indicated by the appending of the character "d" to the end of the filter. This indicates to CanIPhish that you're using the Dynamic Date Format, instead of a traditional date/timestamp.
    • Full Function: The below examples showcase a couple of formatting examples:
        • Add 90 Days To Current Date:+90d
        • Deduct 180 Days From Current Date: -180d

Entra ID/Azure AD Supported Date Attributes

As defined in the Microsoft Graph REST Resource Guide For Users:

  • CreatedDateTime: Maps to the user.createdDateTime schema attribute
  • EmployeeHireDate: Maps to the user.employeeHireDate schema attribute
  • HireDate: Maps to the user.hireDate schema attribute
  • LastPasswordChangeDateTime: Maps to the user.lastPasswordChangeDateTime schema attribute

Google Workspace Supported Date Attributes

As defined in the Google Workspace REST Resource Guide For Users:

  • CreationTime: Maps to the user.creationTime schema attribute
  • LastLoginTime: Maps to the user.lastLoginTime schema attribute

Example Date Filters:

Entra ID/Azure AD Less Than Filter - Employees with a creation date prior to January 01, 2023:

<2023-01-01

Note: In the example above, the "CUSTOM #1" field has been populated with data from the "CreatedDateTime" Entra ID attribute for demonstration purposes.

Google Workspace Greater Than Filter - Employees with a creation date after January 01, 2022:

>2022-01-01

Note: In the example above, the "CUSTOM #1" field has been populated with data from the "CreationTime" Google Workspace attribute for demonstration purposes.

Entra ID/Azure AD Greater Than Filter - Employees with a creation date greater (more recent) than 120 days ago (e.g. new hires employed in the past 4 months):

>-120d

Note: In the example above, the "CUSTOM #1" field has been populated with data from the "CreatedDateTime" Entra ID attribute for demonstration purposes.

Google Workspace Less Than Filter - Employees with a creation date less (older than) than 120 days ago (e.g. employees who have been with the organization for atleast 4 months):

<-120d

Note: In the example above, the "CUSTOM #1" field has been populated with data from the "CreatedDateTime" Entra ID attribute for demonstration purposes.

Wildcard And NOT Operators

When adding attribute values you can use wildcards and NOT operators to help filter for employees who contain a certain word in an attribute or remove employees who have a certain word.

Wildcard Operators

To use a wildcard, simply place a star '*' at the beginning and/or end of the value you want to filter for. For example, using the value '*Developer*' in the JobTitle attribute, will look for any employee who has the keyword 'Developer' in their JobTitle.

NOT Operators

To use a NOT operator, simply place a '!' at the beginning of the value you want to filter out. For example, using the value '!Developer' in the JobTitle attribute, will exclude any employee who has the exact JobTitle of 'Developer'.

Using both a Wildcard and NOT Operator in a single value

To use a Wilcard and a NOT operator, simply place a '!' at the beginning of the value you want to filter out. Then place your wilcard immediately after this if you want to wildcard the beginning of the value, and optionally include a wildcard at the end. For example, using the value '!*Developer*' will exclude any employees who have the keyword 'Developer' anywhere in their JobTitle.

Example Wildcard and NOT Operator Filters:

Wildcard match filter applied for:

*em*

mceclip2.png

NOT match filter applied for:

 !demo

mceclip3.png

Wildcard NOT match filter applied for:

!*em*

mceclip4.png

Example Exact Match Filter

No filters applied:

mceclip0.png

Exact match filter applied for:

Demo

mceclip1.png

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk