The pull query is being blocked by the Web Application Firewall (WAF) DRS rules.

[ks3140]

In the PullAsync request, the query in the request URL includes a comparison with updatedAt, as shown below:

$filter=%28%28accountId eq %27010101%27%29 and %28updatedAt gt cast%282025-05-22T07%3A07%3A07.199Z%2CEdm.DateTimeOffset%29%29%29&$orderby=updatedAt&$count=true&__includedeleted=true
It appears that this query is being blocked by the WAF rules in the DRS rule set. According to the logs, the following rules from the Microsoft_DefaultRuleSet_2.1 applied to the Application Gateway are being triggered:
https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21%2Cowasp30

• 942410: SQL Injection Attack Detected via libinjection
• 942430: Restricted SQL Character Anomaly Using Double Encoding
• 942150: SQL Injection Attack via Keyword Match

On the initial request, since there is no delta token, the query does not include the updatedAt filter, and the data sync works without any issues. Therefore, I believe the part of the query that compares with updatedAt is the cause.（%28updatedAt gt cast%282025-05-22T07%3A07%3A07.199Z%2CEdm.DateTimeOffset%29%29%29）

I would prefer not to change the WAF settings on the Application Gateway. If there are any possible workarounds on the client side, I would like to know about them.

[adrianhall]

There aren't - that's a standard OData v4 query, so its a false positive. There is not a thing I can do about it on the client side.