How to get SAML Signing Certificate data using Microsoft graph api
I'm using Http requests to retrieve data from Azure active directory, my goal is to retrieve data about all certificates and secrets in Azure Ad applications so when i call: https://graph.microsoft.com/v1.0/applicationsi get data about the applications including applications certificates and secrets. but there is one missing data : the SAML Signing Certificate, see below :
I've tried to get serviceprincipal data through: https://graph.microsoft.com/v1.0/servicePrincipals but still, data about the single sign-on saml certificate is not listed, how can i access this data ?
The SAML certificate info is available from the servicePrincipals endpoint, but not the applications endpoint.
You'll find relevant info in the KeyCredentials and the preferredTokenSigningKeyThumbprint properties.
Portal view
Graph API Example output
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals/$entity",
"id": "b1d98f31-0d9e-4deb-b9d7-a9b65a9dc35b",
"appId": "c2fa0ce8-1894-4e25-aa85-cd3880d2f849",
"keyCredentials": [
{
"customKeyIdentifier": "ND35AAdHR6SwZl73ExNO7aGzDbb2NBchauiGFOF4dto=",
"displayName": "CN=Microsoft Azure Federated SSO Certificate",
"endDateTime": "2025-06-02T04:49:26Z",
"key": null,
"keyId": "2e5cf0c3-a2af-43ff-902f-5915a5c1739a",
"startDateTime": "2022-06-02T04:49:25Z",
"type": "AsymmetricX509Cert",
"usage": "Verify"
},
{
"customKeyIdentifier": "ND35AAdHR6SwZl73ExNO7aGzDbb2NBchauiGFOF4dto=",
"displayName": "CN=Microsoft Azure Federated SSO Certificate",
"endDateTime": "2025-06-02T04:49:26Z",
"key": null,
"keyId": "d9828f8c-551a-4e22-9e99-ae4559eff713",
"startDateTime": "2022-06-02T04:49:25Z",
"type": "AsymmetricX509Cert",
"usage": "Sign"
}
],
"preferredTokenSigningKeyThumbprint": "BAE149EA92FBF748FABE89EEB150F9D65BE4F676",
}
KeyCredentials
For each certificate you see in the Portal, you'll see 2 objects, which corresponds to the public and private certificate. The public certificate is the key where the Usage property is Verify. The private certificate you don't see when you're viewing from the Portal.
PreferredTokenSigningKeyThumbprint
This is the thumbprint of the certificate which is currently active. You'll notice that the thumbprint is NOT in the KeyCredentials info. Only when you first assign a certificate is the thumbprint included in the KeyCredentials.
- AADSTS900971: No reply address provided. on SPA with http://localhost as redirect_uri
- Why my valid MS access_token can't be parsed with jwt.ms?
- Dynamic OpenIdConnectOptions for multi-tenancy in Asp.net Core 2.1-*
- Azure AD auth token refresh request blocked in iframe
- "Use a tenant-specific endpoint or configure the application to be multi-tenant" when signing into my Azure website
- BrowserAuthError: interaction_in_progress: Interaction is currently in progress with azure/msal-browser@2.11.2
- AADSTS50011: The reply url specified in the request does not match the reply urls configured for the application: '<AppId>'
- Microsoft Password Reset - Pass parameter that contains redirect URI for after reset
- How to get SAML Signing Certificate data using Microsoft graph api
- Azure AD error: The client has requested access to a resource which is not listed in the requested permissions in the client's application registratio
- Python microsoft graph API - /callback error
- Getting MsalServiceException: 'AADSTS501461 when trying to access a Web API from a console app using Msal
- Why is "Application permissions" disabled in Azure AD's "Request API permissions"?
- PySpark to Azure SQL Database connection issue
- Roles for a SPA and API setup in Microsoft Intra ID
- Getting a token from Microsoft Intra ID with PostMan using MFA
- I receive the error AADSTS50020 when authenticating in an azure app registration
- n8n Microsoft Graph OAuth2 login still fails after admin consent
- Get AD security groups in NGINX through OAuth2
- Where can I find my Azure Correlation Id and Request ID?
- management.azure.com/providers/Microsoft.Capacity/reservationOrders PassthroughTokenValidationFailed Error
- Should deleted application in Enterprise app be also deleted in App registration within Azure AD?
- PowerShell script intended to pull all users' emails belonging to a specific security group in AD is creating a blank CSV
- Custom claims for user from any tenant
- Twitter social login issue with Azure AD B2C - Forbidden
- Azure AD client credentials generated token does not have claims
- IDX10511: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey
- Federated Credential to be used by Multiple Repositories - Github Actions
- How can I retrieve all users from Azure Active Directory
- How to add Company name as a field on a Sign up User Flow?