rafal fraczek

Reputation: 5

Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell

I want to read 'Attribute & Claims' from SAML enterprise application configuration using PowerShell.

I have found the Graph command Get-MgBetaServicePrincipalClaimMappingPolicy: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-claimsmappingpolicies?view=graph-rest-beta&tabs=powershell but it always returns an empty value, even though I can see that attributes are configured in the Azure Portal.

I am using the Graph scopes Application.Read.All and Policy.Read.All.

Any idea how I can read this configuration?

Regards

Upvotes: 0

Views: 565

Answers (2)

Damien Dennehy

Reputation: 4064

You can now use the beta version of the MS Graph API and push a claims policy to the application. This will overwrite the claims in the Application's UI, but it also allows the claims to be queried & updated through both the API and UI afterwards.

https://learn.microsoft.com/en-us/entra/identity-platform/reference-claims-customization


Once you do so, this is what the output of a GET command is.

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals('service_principal_id')/claimsPolicy/$entity",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET servicePrincipals('<guid>')/claimsPolicy?$select=audienceOverride,claims",
    "id": "service_principal_id",
    "includeBasicClaimSet": true,
    "includeApplicationIdInIssuer": false,
    "audienceOverride": null,
    "groupFilter": null,
    "claims": [
        {
            "@odata.type": "#microsoft.graph.samlNameIdClaim",
            "configurations": [
                {
                    "condition": null,
                    "attribute": {
                        "@odata.type": "#microsoft.graph.sourcedAttribute",
                        "id": "mail",
                        "source": "user",
                        "isExtensionAttribute": false
                    },
                    "transformations": []
                }
            ],
            "nameIdFormat": "emailAddress"
        },
        {
            "@odata.type": "#microsoft.graph.customClaim",
            "name": "emailaddress",
            "namespace": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims",
            "tokenFormat": [
                "saml"
            ],
            "samlAttributeNameFormat": null,
            "configurations": [
                {
                    "condition": null,
                    "attribute": {
                        "@odata.type": "#microsoft.graph.sourcedAttribute",
                        "id": "mail",
                        "source": "user",
                        "isExtensionAttribute": false
                    },
                    "transformations": []
                }
            ]
        },
        {
            "@odata.type": "#microsoft.graph.customClaim",
            "name": "RoleSessionName",
            "namespace": "https://aws.amazon.com/SAML/Attributes",
            "tokenFormat": [
                "saml"
            ],
            "samlAttributeNameFormat": null,
            "configurations": [
                {
                    "condition": null,
                    "attribute": {
                        "@odata.type": "#microsoft.graph.valueBasedAttribute",
                        "value": "test"
                    },
                    "transformations": []
                }
            ]
        }
    ]
}

Upvotes: 0
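As an added example that is not part of the answer above: once a claims policy exists, the beta claimsPolicy document can be flattened into one row per emitted claim so the SAML attribute mapping can be reviewed or diffed from a script. It runs offline on the constructed sample below; the commented live read assumes a session opened with Connect-MgGraph and a placeholder service principal id.

```powershell
# Added example: flatten a servicePrincipal claimsPolicy document (beta endpoint)
# into one row per claim configuration, for review of what the SAML token will carry.

function ConvertFrom-ClaimsPolicy {
    param([Parameter(Mandatory)] $Policy)   # object parsed from the claimsPolicy JSON
    foreach ($claim in $Policy.claims) {
        foreach ($cfg in $claim.configurations) {
            $attr = $cfg.attribute
            # A sourced attribute maps a directory attribute; a value-based one is a constant.
            $source = if ($attr.'@odata.type' -eq '#microsoft.graph.sourcedAttribute') {
                "$($attr.source).$($attr.id)"
            } else {
                "constant:$($attr.value)"
            }
            $name = if ($claim.'@odata.type' -eq '#microsoft.graph.samlNameIdClaim') {
                "NameID ($($claim.nameIdFormat))"
            } else {
                $claim.name
            }
            [pscustomobject]@{
                Claim        = $name
                Namespace    = $claim.namespace
                Source       = $source
                HasCondition = [bool]$cfg.condition          # conditional claims deserve a closer look
                Transforms   = @($cfg.transformations).Count # non-zero means the value is rewritten
            }
        }
    }
}

# Constructed sample, trimmed from the GET output shown in the answer.
$sampleJson = @'
{ "claims": [
  { "@odata.type": "#microsoft.graph.samlNameIdClaim", "nameIdFormat": "emailAddress",
    "configurations": [ { "condition": null, "transformations": [],
      "attribute": { "@odata.type": "#microsoft.graph.sourcedAttribute", "id": "mail", "source": "user" } } ] },
  { "@odata.type": "#microsoft.graph.customClaim", "name": "RoleSessionName",
    "namespace": "https://aws.amazon.com/SAML/Attributes", "tokenFormat": ["saml"],
    "configurations": [ { "condition": null, "transformations": [],
      "attribute": { "@odata.type": "#microsoft.graph.valueBasedAttribute", "value": "test" } } ] }
] }
'@
ConvertFrom-ClaimsPolicy (ConvertFrom-Json $sampleJson) | Format-Table -AutoSize

# Live read against the beta endpoint (placeholder id; needs Connect-MgGraph with Policy.Read.All):
# $sp = '<service_principal_id>'
# $live = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
#     -Uri "https://graph.microsoft.com/beta/servicePrincipals/$sp/claimsPolicy"
# ConvertFrom-ClaimsPolicy $live | Format-Table -AutoSize
```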

Sridevi

Reputation: 22452

Currently, it's not possible to retrieve 'Attributes & Claims' from a SAML Entra application configuration via PowerShell or Graph API. The only way as of now is via Azure Portal.

I have one Enterprise application with 'Attributes & Claims' values as below:


When I tried running the same PowerShell command as you, it gave null as below:

Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId <sp_id>

Response:


Even the Graph API query returns a null response, as there are no claim mapping policies assigned to the service principal:

GET https://graph.microsoft.com/v1.0/servicePrincipals/sp_Id/claimsMappingPolicies

Response:


To create claim mapping policies via PowerShell, you can refer to this MS document and assign them to the service principal.

Reference:

Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell - Microsoft Q&A by Raja Pothuraju

Upvotes: 0
