
I want to read ‘Attribute & Claims’ from SAML enterprise application configuration using PowerShell.

I have found the Graph command Get-MgBetaServicePrincipalClaimMappingPolicy: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-claimsmappingpolicies?view=graph-rest-beta&tabs=powershell
but it always returns an empty value, even though I can see that attributes are configured in the Azure Portal.

I am using the Graph scopes Application.Read.All and Policy.Read.All.

Any idea how I can read this configuration?

Regards

2 Answers


  1. Currently, it's not possible to retrieve 'Attributes & Claims' from a SAML Entra application configuration via PowerShell or Graph API. The only way as of now is via the Azure Portal.

    I have one Enterprise application with 'Attributes & Claims' values configured in the portal.

    When I tried running the same PowerShell command as you, it returned null:

    Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId <sp_id>
    


    Even a Graph API query returns a null response, as there are no claims mapping policies assigned to the service principal:

    GET https://graph.microsoft.com/v1.0/servicePrincipals/sp_Id/claimsMappingPolicies
    


    To create claims mapping policies via PowerShell, you can refer to this MS document and assign them to the service principal.

    Reference:

    Read ‘Attribute & Claims’ from SAML Entra application configuration using PowerShell – Microsoft Q&A by Raja Pothuraju

  2. You can now use the beta version of the MS Graph API and push a claims policy to the application. This will overwrite the claims in the application's UI above, but it also allows the claims to be queried and updated through both the API and the UI afterwards.

    https://learn.microsoft.com/en-us/entra/identity-platform/reference-claims-customization

    Once you do so, this is the output of a GET command:

    {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#servicePrincipals('service_principal_id')/claimsPolicy/$entity",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET servicePrincipals('<guid>')/claimsPolicy?$select=audienceOverride,claims",
    "id": "service_principal_id",
    "includeBasicClaimSet": true,
    "includeApplicationIdInIssuer": false,
    "audienceOverride": null,
    "groupFilter": null,
    "claims": [
        {
            "@odata.type": "#microsoft.graph.samlNameIdClaim",
            "configurations": [
                {
                    "condition": null,
                    "attribute": {
                        "@odata.type": "#microsoft.graph.sourcedAttribute",
                        "id": "mail",
                        "source": "user",
                        "isExtensionAttribute": false
                    },
                    "transformations": []
                }
            ],
            "nameIdFormat": "emailAddress"
        },
        {
            "@odata.type": "#microsoft.graph.customClaim",
            "name": "emailaddress",
            "namespace": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims",
            "tokenFormat": [
                "saml"
            ],
            "samlAttributeNameFormat": null,
            "configurations": [
                {
                    "condition": null,
                    "attribute": {
                        "@odata.type": "#microsoft.graph.sourcedAttribute",
                        "id": "mail",
                        "source": "user",
                        "isExtensionAttribute": false
                    },
                    "transformations": []
                }
            ]
        },
        {
            "@odata.type": "#microsoft.graph.customClaim",
            "name": "RoleSessionName",
            "namespace": "https://aws.amazon.com/SAML/Attributes",
            "tokenFormat": [
                "saml"
            ],
            "samlAttributeNameFormat": null,
            "configurations": [
                {
                    "condition": null,
                    "attribute": {
                        "@odata.type": "#microsoft.graph.valueBasedAttribute",
                        "value": "test"
                    },
                    "transformations": []
                }
            ]
        }
    ]
    }

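The following is an added example, not code from either answer above. It uses the Microsoft Graph PowerShell SDK's generic Invoke-MgGraphRequest to read both mechanisms the thread touches on for one service principal: the v1.0 claimsMappingPolicies assignment (which is what Get-MgServicePrincipalClaimMappingPolicy queries, and which is empty unless a policy was explicitly assigned, whatever the portal shows), and the beta servicePrincipals/{id}/claimsPolicy resource whose JSON appears in the second answer. It then flattens each claim to one row (claim name, source attribute or literal, condition, transformations) and warns on hard-coded literal values such as the "RoleSessionName" = "test" claim in that output. Assumptions: the Microsoft.Graph module is installed, the caller has Policy.Read.All and Application.Read.All, and $ServicePrincipalId is the object id of the enterprise application's service principal.

```powershell
# Added example (not from the original post): review a SAML app's 'Attributes & Claims'
# from PowerShell using the beta claimsPolicy endpoint shown in the thread.
# Assumptions: Microsoft.Graph SDK installed; caller holds Policy.Read.All and
# Application.Read.All; $ServicePrincipalId is the service principal object id.
param(
    [Parameter(Mandatory)] [string] $ServicePrincipalId
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Application.Read.All' -NoWelcome

# 1) Legacy mechanism (v1.0): claims mapping policies *assigned* to the SP.
#    Empty here does not mean "no claims configured"; it means no policy object
#    was assigned, which is why the portal and this query disagree.
$legacy = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$ServicePrincipalId/claimsMappingPolicies"
"Assigned claimsMappingPolicies: $($legacy.value.Count)"

# 2) Newer mechanism (beta): the per-service-principal custom claims policy.
$policy = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/beta/servicePrincipals/$ServicePrincipalId/claimsPolicy"

"includeBasicClaimSet: $($policy.includeBasicClaimSet)  audienceOverride: $($policy.audienceOverride)"

# Flatten each claim/configuration pair into one reviewable row.
$rows = foreach ($claim in $policy.claims) {
    $type = $claim.'@odata.type' -replace '^#microsoft\.graph\.', ''
    $name = if ($type -eq 'samlNameIdClaim') { "NameID ($($claim.nameIdFormat))" }
            else { "$($claim.namespace)/$($claim.name)" }

    foreach ($cfg in $claim.configurations) {
        $attr = $cfg.attribute
        $source = switch ($attr.'@odata.type') {
            '#microsoft.graph.sourcedAttribute'    { "$($attr.source).$($attr.id)" }
            '#microsoft.graph.valueBasedAttribute' { "literal '$($attr.value)'" }
            default                                 { $attr.'@odata.type' }
        }
        [pscustomobject]@{
            Claim           = $name
            Type            = $type
            Source          = $source
            Condition       = if ($cfg.condition) { $cfg.condition | ConvertTo-Json -Compress } else { '' }
            Transformations = ($cfg.transformations |
                ForEach-Object { $_.'@odata.type' -replace '^#microsoft\.graph\.', '' }) -join ', '
        }
    }
}
$rows | Format-Table -AutoSize

# Hard-coded claim values (e.g. a literal RoleSessionName) are frequently test
# leftovers and deserve a second look: every user of the app receives the same value.
$rows | Where-Object Source -like 'literal*' |
    ForEach-Object { Write-Warning "Claim '$($_.Claim)' is a hard-coded literal: $($_.Source)" }
```

Run it as a script with the service principal's object id (not the application id). Invoke-MgGraphRequest returns hashtables, so the nested "@odata.type" keys are read with quoted property names. The two queries side by side make the behaviour in the first answer visible: a tenant can show a full set of attributes in the portal while the v1.0 claimsMappingPolicies collection stays empty, because the portal-configured claims live in the claimsPolicy resource rather than in an assigned policy object.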