azure powershell microsoft-graph-api microsoft-entra-id

Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell

I want to read 'Attribute & Claims' from SAML enterprise application configuration using PowerShell.

I have found the Graph command Get-MgBetaServicePrincipalClaimMappingPolicy: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-claimsmappingpolicies?view=graph-rest-beta&tabs=powershell but it always return empty value, even if I can see that attributes are configured in Azure Portal. Portal

I am using graph scope: Application.Read.All and Policy.Read.All

Any idea how I can read this configuration?

Regards

Solution

You can now use the beta version of the MS Graph API and push a claims policy to the application. This will overwrite the claims in the Application's UI above, but it also allows the claims to be queried & updated through both the API and UI afterwards.

https://learn.microsoft.com/en-us/entra/identity-platform/reference-claims-customization

Once you do so, this is what the output of a GET command is.

{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals('service_principal_id')/claimsPolicy/$entity",
"@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET servicePrincipals('<guid>')/claimsPolicy?$select=audienceOverride,claims",
"id": "service_principal_id",
"includeBasicClaimSet": true,
"includeApplicationIdInIssuer": false,
"audienceOverride": null,
"groupFilter": null,
"claims": [
    {
        "@odata.type": "#microsoft.graph.samlNameIdClaim",
        "configurations": [
            {
                "condition": null,
                "attribute": {
                    "@odata.type": "#microsoft.graph.sourcedAttribute",
                    "id": "mail",
                    "source": "user",
                    "isExtensionAttribute": false
                },
                "transformations": []
            }
        ],
        "nameIdFormat": "emailAddress"
    },
    {
        "@odata.type": "#microsoft.graph.customClaim",
        "name": "emailaddress",
        "namespace": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims",
        "tokenFormat": [
            "saml"
        ],
        "samlAttributeNameFormat": null,
        "configurations": [
            {
                "condition": null,
                "attribute": {
                    "@odata.type": "#microsoft.graph.sourcedAttribute",
                    "id": "mail",
                    "source": "user",
                    "isExtensionAttribute": false
                },
                "transformations": []
            }
        ]
    },
    {
        "@odata.type": "#microsoft.graph.customClaim",
        "name": "RoleSessionName",
        "namespace": "https://aws.amazon.com/SAML/Attributes",
        "tokenFormat": [
            "saml"
        ],
        "samlAttributeNameFormat": null,
        "configurations": [
            {
                "condition": null,
                "attribute": {
                    "@odata.type": "#microsoft.graph.valueBasedAttribute",
                    "value": "test"
                },
                "transformations": []
            }
        ]
    }
]

}