I want to read 'Attribute & Claims' from SAML enterprise application configuration using PowerShell.
I have found the Graph command Get-MgBetaServicePrincipalClaimMappingPolicy: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-claimsmappingpolicies?view=graph-rest-beta&tabs=powershell but it always return empty value, even if I can see that attributes are configured in Azure Portal. Portal
I am using graph scope: Application.Read.All and Policy.Read.All
Any idea how I can read this configuration?
Regards
You can now use the beta version of the MS Graph API and push a claims policy to the application. This will overwrite the claims in the Application's UI above, but it also allows the claims to be queried & updated through both the API and UI afterwards.
https://learn.microsoft.com/en-us/entra/identity-platform/reference-claims-customization
Once you do so, this is what the output of a GET command is.
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals('service_principal_id')/claimsPolicy/$entity",
"@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET servicePrincipals('<guid>')/claimsPolicy?$select=audienceOverride,claims",
"id": "service_principal_id",
"includeBasicClaimSet": true,
"includeApplicationIdInIssuer": false,
"audienceOverride": null,
"groupFilter": null,
"claims": [
{
"@odata.type": "#microsoft.graph.samlNameIdClaim",
"configurations": [
{
"condition": null,
"attribute": {
"@odata.type": "#microsoft.graph.sourcedAttribute",
"id": "mail",
"source": "user",
"isExtensionAttribute": false
},
"transformations": []
}
],
"nameIdFormat": "emailAddress"
},
{
"@odata.type": "#microsoft.graph.customClaim",
"name": "emailaddress",
"namespace": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims",
"tokenFormat": [
"saml"
],
"samlAttributeNameFormat": null,
"configurations": [
{
"condition": null,
"attribute": {
"@odata.type": "#microsoft.graph.sourcedAttribute",
"id": "mail",
"source": "user",
"isExtensionAttribute": false
},
"transformations": []
}
]
},
{
"@odata.type": "#microsoft.graph.customClaim",
"name": "RoleSessionName",
"namespace": "https://aws.amazon.com/SAML/Attributes",
"tokenFormat": [
"saml"
],
"samlAttributeNameFormat": null,
"configurations": [
{
"condition": null,
"attribute": {
"@odata.type": "#microsoft.graph.valueBasedAttribute",
"value": "test"
},
"transformations": []
}
]
}
]
}