azurepowershellmicrosoft-graph-apimicrosoft-entra-id

Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell


I want to read 'Attribute & Claims' from SAML enterprise application configuration using PowerShell.

I have found the Graph command Get-MgBetaServicePrincipalClaimMappingPolicy: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-claimsmappingpolicies?view=graph-rest-beta&tabs=powershell but it always return empty value, even if I can see that attributes are configured in Azure Portal. Portal

I am using graph scope: Application.Read.All and Policy.Read.All

Any idea how I can read this configuration?

Regards


Solution

  • You can now use the beta version of the MS Graph API and push a claims policy to the application. This will overwrite the claims in the Application's UI, but it also allows the claims to be queried & updated through both the API and UI afterwards.

    https://learn.microsoft.com/en-us/entra/identity-platform/reference-claims-customization

    enter image description here

    Once you do so, this is what the output of a GET command is.

    {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals('service_principal_id')/claimsPolicy/$entity",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET servicePrincipals('<guid>')/claimsPolicy?$select=audienceOverride,claims",
    "id": "service_principal_id",
    "includeBasicClaimSet": true,
    "includeApplicationIdInIssuer": false,
    "audienceOverride": null,
    "groupFilter": null,
    "claims": [
        {
            "@odata.type": "#microsoft.graph.samlNameIdClaim",
            "configurations": [
                {
                    "condition": null,
                    "attribute": {
                        "@odata.type": "#microsoft.graph.sourcedAttribute",
                        "id": "mail",
                        "source": "user",
                        "isExtensionAttribute": false
                    },
                    "transformations": []
                }
            ],
            "nameIdFormat": "emailAddress"
        },
        {
            "@odata.type": "#microsoft.graph.customClaim",
            "name": "emailaddress",
            "namespace": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims",
            "tokenFormat": [
                "saml"
            ],
            "samlAttributeNameFormat": null,
            "configurations": [
                {
                    "condition": null,
                    "attribute": {
                        "@odata.type": "#microsoft.graph.sourcedAttribute",
                        "id": "mail",
                        "source": "user",
                        "isExtensionAttribute": false
                    },
                    "transformations": []
                }
            ]
        },
        {
            "@odata.type": "#microsoft.graph.customClaim",
            "name": "RoleSessionName",
            "namespace": "https://aws.amazon.com/SAML/Attributes",
            "tokenFormat": [
                "saml"
            ],
            "samlAttributeNameFormat": null,
            "configurations": [
                {
                    "condition": null,
                    "attribute": {
                        "@odata.type": "#microsoft.graph.valueBasedAttribute",
                        "value": "test"
                    },
                    "transformations": []
                }
            ]
        }
    ]
    

    }