diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java
index ab83209117d..5294281da97 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolver.java
@@ -246,6 +246,26 @@ public class IndicesAndAliasesResolver {
                 aliasOrIndex = index;
             }
 
+            // we always need to check for date math expressions
+            final String dateMathName = nameExpressionResolver.resolveDateMathExpression(aliasOrIndex);
+            if (dateMathName != aliasOrIndex) {
+                assert dateMathName.equals(aliasOrIndex) == false;
+                if (replaceWildcards && Regex.isSimpleMatchPattern(dateMathName)) {
+                    // continue
+                    aliasOrIndex = dateMathName;
+                } else if (authorizedIndices.contains(dateMathName) && isIndexVisible(dateMathName, indicesOptions, metaData, true)) {
+                    if (minus) {
+                        finalIndices.remove(dateMathName);
+                    } else {
+                        finalIndices.add(dateMathName);
+                    }
+                } else {
+                    if (indicesOptions.ignoreUnavailable() == false) {
+                        throw new IndexNotFoundException(dateMathName);
+                    }
+                }
+            }
+
             if (replaceWildcards && Regex.isSimpleMatchPattern(aliasOrIndex)) {
                 wildcardSeen = true;
                 Set<String> resolvedIndices = new HashSet<>();
@@ -266,34 +286,19 @@ public class IndicesAndAliasesResolver {
                         finalIndices.addAll(resolvedIndices);
                     }
                 }
-            } else {
-                // we always need to check for date math expressions
-                String dateMathName = nameExpressionResolver.resolveDateMathExpression(aliasOrIndex);
-                // we can use != here to compare strings since the name expression resolver returns the same instance, but add an assert
+            } else if (dateMathName == aliasOrIndex) {
+                // we can use == here to compare strings since the name expression resolver returns the same instance, but add an assert
                 // to ensure we catch this if it changes
-                if (dateMathName != aliasOrIndex) {
-                    assert dateMathName.equals(aliasOrIndex) == false;
-                    if (authorizedIndices.contains(dateMathName) && isIndexVisible(dateMathName, indicesOptions, metaData, true)) {
-                        if (minus) {
-                            finalIndices.remove(dateMathName);
-                        } else {
-                            finalIndices.add(dateMathName);
-                        }
-                    } else {
-                        if (indicesOptions.ignoreUnavailable() == false) {
-                            throw new IndexNotFoundException(dateMathName);
-                        }
-                    }
+
+                assert dateMathName.equals(aliasOrIndex);
+                //MetaData#convertFromWildcards checks if the index exists here and throws IndexNotFoundException if not (based on
+                // ignore_unavailable). We only add/remove the index: if the index is missing or the current user is not authorized
+                // to access it either an AuthorizationException will be thrown later in AuthorizationService, or the index will be
+                // removed from the list, based on the ignore_unavailable option.
+                if (minus) {
+                    finalIndices.remove(aliasOrIndex);
                 } else {
-                    //MetaData#convertFromWildcards checks if the index exists here and throws IndexNotFoundException if not (based on
-                    // ignore_unavailable). We only add/remove the index: if the index is missing or the current user is not authorized
-                    // to access it either an AuthorizationException will be thrown later in AuthorizationService, or the index will be
-                    // removed from the list, based on the ignore_unavailable option.
-                    if (minus) {
-                        finalIndices.remove(aliasOrIndex);
-                    } else {
-                        finalIndices.add(aliasOrIndex);
-                    }
+                    finalIndices.add(aliasOrIndex);
                 }
             }
         }
diff --git a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
index 02c03795bf6..f43bd64120f 100644
--- a/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
+++ b/plugin/src/test/java/org/elasticsearch/xpack/security/authz/IndicesAndAliasesResolverTests.java
@@ -1109,18 +1109,19 @@ public class IndicesAndAliasesResolverTests extends ESTestCase {
 
     public void testResolveDateMathExpression() {
         // make the user authorized
-        String dateTimeIndex = indexNameExpressionResolver.resolveDateMathExpression("<datetime-{now/M}>");
+        final String pattern = randomBoolean() ? "<datetime-{now/M}" : "<datetime-{now/M}*";
+        String dateTimeIndex = indexNameExpressionResolver.resolveDateMathExpression("<datetime-{now/M}");
         String[] authorizedIndices = new String[] { "bar", "bar-closed", "foofoobar", "foofoo", "missing", "foofoo-closed", dateTimeIndex};
         roleMap.put("role", new RoleDescriptor("role", null,
                 new IndicesPrivileges[] { IndicesPrivileges.builder().indices(authorizedIndices).privileges("all").build() }, null));
 
-        SearchRequest request = new SearchRequest("<datetime-{now/M}>");
+        SearchRequest request = new SearchRequest(pattern);
         if (randomBoolean()) {
             request.indicesOptions(IndicesOptions.fromOptions(randomBoolean(), randomBoolean(), randomBoolean(), randomBoolean()));
         }
         Set<String> indices = defaultIndicesResolver.resolve(request, metaData, buildAuthorizedIndices(user, SearchAction.NAME));
         assertThat(indices.size(), equalTo(1));
-        assertThat(request.indices()[0], equalTo(indexNameExpressionResolver.resolveDateMathExpression("<datetime-{now/M}>")));
+        assertThat(request.indices()[0], equalTo(indexNameExpressionResolver.resolveDateMathExpression(pattern)));
     }
 
     public void testMissingDateMathExpressionIgnoreUnavailable() {