How to get SAML Signing Certificate data using Microsoft graph api

khalil liraqui 1 Reputation point
2022-08-03T09:33:31.28+00:00

I'm using HTTP requests to retrieve data from Azure Active Directory. My goal is to retrieve data about all certificates and secrets in Azure AD applications, so when I call https://graph.microsoft.com/v1.0/applications
I get data about the applications, including application certificates and secrets.

But there is one missing piece of data: the SAML Signing Certificate, see below:

[screenshot: 227666-image.png]

I've tried to get servicePrincipal data through https://graph.microsoft.com/v1.0/servicePrincipals, but still, data about the single sign-on SAML certificate is not listed. How can I access this data?


2 answers

  1. Vicky Kumar (Mindtree Consulting PVT LTD) 1,156 Reputation points Microsoft Employee
    2022-08-03T17:54:21.99+00:00

    You are correct: you have to use GET https://graph.microsoft.com/v1.0/servicePrincipals to get the relevant info in the keyCredentials and preferredTokenSigningKeyThumbprint properties.

    Please check the similar issue: https://stackoverflow.com/questions/73219303/how-to-get-saml-signing-certificate-data-using-microsoft-graph-api

    Hope this helps; please let us know if you have any query.

    Thanks.


  2. James Hamil 21,621 Reputation points Microsoft Employee
    2022-08-30T21:25:31.993+00:00

    Hi, I'll repost the answer from StackOverflow here for other users to reference.

    The SAML certificate info is available from the servicePrincipals endpoint, but not the applications endpoint.

    You'll find relevant info in the KeyCredentials and the preferredTokenSigningKeyThumbprint properties.

    Portal view

    [screenshot: 65NBC.png]

    Graph API Example output

    {
        "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals/$entity",
        "id": "b1d98f31-0d9e-4deb-b9d7-a9b65a9dc35b",
        "appId": "c2fa0ce8-1894-4e25-aa85-cd3880d2f849",
        "keyCredentials": [
            {
                "customKeyIdentifier": "ND35AAdHR6SwZl73ExNO7aGzDbb2NBchauiGFOF4dto=",
                "displayName": "CN=Microsoft Azure Federated SSO Certificate",
                "endDateTime": "2025-06-02T04:49:26Z",
                "key": null,
                "keyId": "2e5cf0c3-a2af-43ff-902f-5915a5c1739a",
                "startDateTime": "2022-06-02T04:49:25Z",
                "type": "AsymmetricX509Cert",
                "usage": "Verify"
            },
            {
                "customKeyIdentifier": "ND35AAdHR6SwZl73ExNO7aGzDbb2NBchauiGFOF4dto=",
                "displayName": "CN=Microsoft Azure Federated SSO Certificate",
                "endDateTime": "2025-06-02T04:49:26Z",
                "key": null,
                "keyId": "d9828f8c-551a-4e22-9e99-ae4559eff713",
                "startDateTime": "2022-06-02T04:49:25Z",
                "type": "AsymmetricX509Cert",
                "usage": "Sign"
            }
        ],
        "preferredTokenSigningKeyThumbprint": "BAE149EA92FBF748FABE89EEB150F9D65BE4F676"
    }


    KeyCredentials

    For each certificate you see in the Portal, you'll see 2 objects, which correspond to the public and private certificate. The public certificate is the key where the Usage property is Verify. The private certificate you don't see when you're viewing from the Portal.

    PreferredTokenSigningKeyThumbprint

    This is the thumbprint of the certificate which is currently active. You'll notice that the thumbprint is NOT in the KeyCredentials info. Only when you first assign a certificate is the thumbprint included in the KeyCredentials.
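
As an added example (not code from the answers above or from Microsoft), the Python below inventories the SAML signing certificates on a servicePrincipal object of the shape returned by the GET servicePrincipals call discussed in this thread: it pairs the Verify and Sign keyCredentials by customKeyIdentifier, computes days to expiry, and checks whether preferredTokenSigningKeyThumbprint can be matched against the keyCredentials (which, as the answer notes, it usually cannot). The sample object is constructed from the answer's output, and the `warn_days` rotation threshold is an assumption.

```python
import base64
from datetime import datetime, timezone

# Constructed sample: the servicePrincipal object from the answer above, as returned by
# GET https://graph.microsoft.com/v1.0/servicePrincipals/{id} (key material omitted).
SAMPLE_SP = {
    "appId": "c2fa0ce8-1894-4e25-aa85-cd3880d2f849",
    "keyCredentials": [
        {"customKeyIdentifier": "ND35AAdHR6SwZl73ExNO7aGzDbb2NBchauiGFOF4dto=",
         "displayName": "CN=Microsoft Azure Federated SSO Certificate",
         "endDateTime": "2025-06-02T04:49:26Z", "keyId": "2e5cf0c3-a2af-43ff-902f-5915a5c1739a",
         "type": "AsymmetricX509Cert", "usage": "Verify"},
        {"customKeyIdentifier": "ND35AAdHR6SwZl73ExNO7aGzDbb2NBchauiGFOF4dto=",
         "displayName": "CN=Microsoft Azure Federated SSO Certificate",
         "endDateTime": "2025-06-02T04:49:26Z", "keyId": "d9828f8c-551a-4e22-9e99-ae4559eff713",
         "type": "AsymmetricX509Cert", "usage": "Sign"},
    ],
    "preferredTokenSigningKeyThumbprint": "BAE149EA92FBF748FABE89EEB150F9D65BE4F676",
}


def _ts(iso):
    # Graph emits ISO-8601 UTC timestamps with a trailing Z; make them aware datetimes.
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def saml_signing_certs(sp, as_of=None, warn_days=30):
    """One record per SAML signing certificate: Graph lists two keyCredentials per cert
    (usage Verify = public part shown in the portal, Sign = private part) that share a
    customKeyIdentifier, so group on that rather than on keyId. warn_days is assumed."""
    now = _ts(as_of) if as_of else datetime.now(timezone.utc)
    preferred = (sp.get("preferredTokenSigningKeyThumbprint") or "").upper()
    groups = {}
    for kc in sp.get("keyCredentials", []):
        if kc.get("type") != "AsymmetricX509Cert":
            continue  # other key types are not SAML signing certificates
        g = groups.setdefault(kc["customKeyIdentifier"], {
            "displayName": kc["displayName"], "endDateTime": kc["endDateTime"], "usages": set()})
        g["usages"].add(kc["usage"])
    report = []
    for ident, g in groups.items():
        days_left = (_ts(g["endDateTime"]) - now).days
        report.append({
            "customKeyIdentifier": ident,
            "displayName": g["displayName"],
            "hasPublicAndPrivate": {"Verify", "Sign"} <= g["usages"],
            "daysUntilExpiry": days_left,
            "needsRotation": days_left <= warn_days,
            # customKeyIdentifier is base64; compare its hex form to the active thumbprint.
            # Per the answer this is normally a miss, so the thumbprint must be tracked separately.
            "matchesPreferredThumbprint": base64.b64decode(ident).hex().upper() == preferred,
        })
    return report
```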