Dear Marcel,
After spending hours i found the problem and solution. Now its working fine on 6.12.0. I had to replace mail to userPrincipalName in the filter. Rest all is ok, i even removed Rolemapping policy and it worked. I did a complete fresh installation again and everything worked just fine. So "mail" was the culprit in my case
default filter
users:users/?$select=userPrincipalName,displayName,id,accountEnabled,companyName,createdDateTime,department,employeeId,lastPasswordChangeDateTime,registeredDevices&$filter=mail eq %{Authentication:Username};group:/users/%{users:id}/memberOf?$select=displayName,id,groupTypes
Correct query (in my case)
users:users/?$select=userPrincipalName,displayName,id,accountEnabled,companyName,createdDateTime,department,employeeId,lastPasswordChangeDateTime,registeredDevices&$filter=userPrincipalName eq %{Authentication:Username};group:/users/%{users:id}/memberOf?$select=displayName,id,groupTypes
Rest everything is same, as i mentioned in my post, i tested the connection from clearpass as well as from a python script and got everything as expected.
Can you tell me how to write the filters? is there any guide because honestly i dont know how to relate the attribute names/alias to the filter query
-------------------------------------------
Original Message:
Sent: Jan 07, 2026 12:50 PM
From: mkk
Subject: Cannot get authorization attributes from Entra id - CPPM 6.12.0
I think your filter is incorrect.
users:users/?$select=userPrincipalName,displayName,id,accountEnabled,companyName,createdDateTime,department,employeeId,lastPasswordChangeDateTime,registeredDevices&$filter=mail eq %{Authentication:Username};group:/users/%{users:id}/memberOf?$select=displayName,id,groupTypes


------------------------------
Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
------------------------------
Original Message:
Sent: Jan 07, 2026 12:34 PM
From: mkk
Subject: Cannot get authorization attributes from Entra id - CPPM 6.12.0
I test this for you in 5 minutes and it worked with ClearPass 6.12.3. Beter not use the first major release of 6.12.0 but patch it to the latest 6.12.x version the .0 version often has many bugs.
You can follow this guide
Microsoft Entra ID
- Did you set the API permissions correct in Entra ID?
- Did you test with the Authentication Source test button?
- Did you first test with the default filter query?
- First check if you see the Authorization in the Access Tracker input before configure then in your role mapping
My result example:

users:users/?$select=userPrincipalName,displayName,id,accountEnabled,companyName,createdDateTime,department,employeeId,lastPasswordChangeDateTime,registeredDevices&$filter=mail eq %{Authentication:Username};group:/users/%{users:id}/memberOf?$select=displayName,id,groupTypes

Let me know if you get solved is, config it self seems fine to me.
------------------------------
Marcel Koedijk | MVP Expert 2024 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own