Read 'Attribute & Claims' from SAML Entra application configuration using PowerShell

Fraczek, Rafal SW/WRO-DCDZA 206 Reputation points
2024-10-16T08:54:01.21+00:00

I want to read 'Attribute & Claims' from SAML enterprise application configuration using PowerShell.

I have found the Graph command Get-MgBetaServicePrincipalClaimMappingPolicy: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-claimsmappingpolicies?view=graph-rest-beta&tabs=powershell but it always returns an empty value, even though I can see that attributes are configured in the Azure Portal.

I am using graph scope: Application.Read.All and Policy.Read.All

I was using PS command:

Get-MgServicePrincipalClaimMappingPolicy -ServicePrincipalId $SPObjectID -Select *

Graph query:

https://graph.microsoft.com/v1.0/servicePrincipals/$appID/claimsMappingPolicies?$select=displayName

Any idea how I can read this configuration?

Regards

Windows for business | Windows Server | User experience | PowerShell
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph
Microsoft Security | Microsoft Entra | Other

Accepted answer
  1. Raja Pothuraju 23,790 Reputation points Microsoft External Staff Moderator
    2024-10-16T12:01:28.4166667+00:00

    Hello @Fraczek, Rafal SW/WRO-DCDZA,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that you are trying to retrieve 'Attributes & Claims' from the SAML application configuration using PowerShell, specifically referring to the Graph command Get-MgBetaServicePrincipalClaimMappingPolicy. However, this command returns an empty result because it only provides output if the application is assigned a claim mapping policy. Since your service principal is not associated with any claim mapping policies, the output is empty, as expected.

    Regarding reading 'Attributes & Claims' from a SAML Entra application configuration via PowerShell, unfortunately, it is currently not possible to export the configured list of User Attributes & Claims for a given Azure service principal via PowerShell or Graph API.

    The commands you are using only display claim mapping policies that are applied to a service principal.

    You can refer to the following document to learn how to create a claim mapping policy and assign it to a service principal:

    https://learn.microsoft.com/en-us/entra/identity-platform/claims-customization-powershell

    Additionally, we encourage you to share your feedback on our Azure Feedback Portal channel. This platform allows the user community to upvote and comment on suggestions, which helps our product teams prioritize feature requests more effectively based on their potential impact.

    And I found a similar ask on another thread. Sharing here for reference. https://learn.microsoft.com/en-us/answers/questions/344648/export-the-user-attributes-claims-for-azure-servic

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.


2 additional answers

  1. Fox, R 0 Reputation points
    2025-05-14T15:20:22.88+00:00

    This is available under 'beta' graph functions and returns claims/attributes under the "claims" value.

    https://graph.microsoft.com/beta/servicePrincipals/{servicePrincipalsId}/claimsPolicy

    https://learn.microsoft.com/en-gb/graph/api/customclaimspolicy-get?view=graph-rest-beta&WT.mc_id=msgraph_inproduct_graphexhelp&tabs=http


  2. Thierry DEMAN-BARCELO 491 Reputation points MVP
    2025-06-04T14:51:59.32+00:00

    Hello

    Here is a sample script that creates a file with all attributes used by SAML applications:

    ## Connect to Microsoft Graph (install/import once; uncomment as needed)
    #Install-Module Microsoft.Graph.Beta
    #Import-Module Microsoft.Graph.Beta
    #Install-Module Microsoft.Graph.Beta.Applications
    $scriptpath = Split-Path -Parent $MyInvocation.MyCommand.Path
    $date = Get-Date -Format "yyyy-MM-dd-HHmm"
    $Outputfile = "$scriptpath\ExportSAML-$date.csv"
    # Header row; the rows written below are ";"-separated
    Write-Output "DISPLAYNAME;ID;GRAPH;FIELD;TYPE" | Out-File $Outputfile -Encoding UTF8
    Import-Module Microsoft.Graph.Beta.Applications
    # An authenticated Graph session with these scopes must exist before the queries below run
    #Connect-MgGraph -Scopes "Application.Read.All", "Policy.Read.All", "Policy.ReadWrite.ApplicationConfiguration"
    #Import-Module Microsoft.Graph.Identity.SignIns
    ## Retrieve the enterprise applications configured for SAML single sign-on
    $enterpriseApps = Get-MgBetaServicePrincipal -All -Property * | Where-Object { $_.PreferredSingleSignOnMode -eq "saml" }
    $n = $enterpriseApps.Count
    foreach ($app in $enterpriseApps) {
        $DISPLAYNAME = $app.DisplayName
        Write-Host "Application Name: $DISPLAYNAME"
        $ID = $app.Id
        Write-Host "Service Principal ID: $ID"
        # Recover the custom claims policy (beta endpoint) attached to this service principal
        $claimsPolicies = Get-MgBetaServicePrincipalClaimPolicy -ServicePrincipalId $ID
        $Claims = $claimsPolicies.Claims.AdditionalProperties
        foreach ($i in $Claims) {
            # Join the claim's property values into one ";"-separated field;
            # nested arrays render as "System.Object[]" and are stripped
            $u = $i.Values -join ";"
            $u = $u.Replace(";System.Object[]", "")
            Write-Host $u
            Add-Content -Path $Outputfile -Encoding UTF8 -Value "$DISPLAYNAME;$ID;$u"
        }
        Write-Host "--------------------------"
        Read-Host "stop"   # pauses after each application; remove for unattended runs
    }
    Write-Host "$n Applications"
    ## Disconnect from Microsoft Graph
    #Disconnect-MgGraph


    Note that the result file uses ";" as separator.

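As an added example (not code from this thread, from Microsoft, or from either of the answers above), the following script ties the two answers together: it enumerates the SAML service principals the way the export script does, but reads each one's configuration by calling the beta `claimsPolicy` endpoint from the earlier answer directly through `Invoke-MgGraphRequest`. It assumes an existing `Connect-MgGraph` session holding Application.Read.All and Policy.Read.All, and assumes only what the thread states about the response, namely that it carries a `claims` array; every claim is flattened generically into `path=value` pairs, so nested objects and arrays come out as indexed paths instead of the "System.Object[]" placeholder that `-join` produces. Applications that have no readable custom policy (the situation in the original question) are logged as warnings rather than aborting the export. The function names `ConvertTo-FlatPairs` and `Get-SamlClaimsReport` are chosen here and are not part of the Graph SDK.

```powershell
# Added example: not code from this thread. Assumes an existing Connect-MgGraph
# session with Application.Read.All and Policy.Read.All, and that the beta
# claimsPolicy response carries a "claims" array (as stated in the thread).
# ConvertTo-FlatPairs and Get-SamlClaimsReport are names chosen here.
Import-Module Microsoft.Graph.Beta.Applications

function ConvertTo-FlatPairs {
    # Recursively flattens a hashtable/array tree into "path=value" strings so
    # nested objects are preserved instead of rendering as "System.Object[]".
    param($Node, [string] $Prefix = '')
    if ($Node -is [System.Collections.IDictionary]) {
        foreach ($key in $Node.Keys) {
            $path = if ($Prefix) { "$Prefix.$key" } else { "$key" }
            ConvertTo-FlatPairs -Node $Node[$key] -Prefix $path
        }
    }
    elseif ($Node -is [System.Collections.IList]) {
        for ($i = 0; $i -lt $Node.Count; $i++) {
            ConvertTo-FlatPairs -Node $Node[$i] -Prefix "${Prefix}[$i]"
        }
    }
    else {
        "$Prefix=$Node"
    }
}

function Get-SamlClaimsReport {
    # Enumerates SAML service principals, pulls each one's custom claims policy
    # from the beta endpoint and writes one ";"-separated row per setting.
    param([string] $OutputPath = "ExportSAML-$(Get-Date -Format 'yyyy-MM-dd-HHmm').csv")

    $samlApps = Get-MgBetaServicePrincipal -All -Property Id,DisplayName,PreferredSingleSignOnMode |
        Where-Object { $_.PreferredSingleSignOnMode -eq 'saml' }

    $rows = foreach ($sp in $samlApps) {
        $uri = "https://graph.microsoft.com/beta/servicePrincipals/$($sp.Id)/claimsPolicy"
        try {
            $policy = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType HashTable -ErrorAction Stop
        }
        catch {
            # Applications still on the default claim set have no policy object to read;
            # record that and move on instead of aborting the whole export.
            Write-Warning "$($sp.DisplayName) ($($sp.Id)): no custom claims policy readable: $($_.Exception.Message)"
            continue
        }
        foreach ($claim in @($policy['claims']) | Where-Object { $null -ne $_ }) {
            foreach ($pair in ConvertTo-FlatPairs -Node $claim) {
                [pscustomobject]@{
                    DisplayName        = $sp.DisplayName
                    ServicePrincipalId = $sp.Id
                    Setting            = $pair
                }
            }
        }
    }

    if ($rows) {
        $rows | Export-Csv -Path $OutputPath -Delimiter ';' -Encoding UTF8 -NoTypeInformation
    }
    Write-Host "$(@($samlApps).Count) SAML applications scanned, $(@($rows).Count) settings written to $OutputPath"
    return $rows
}

Get-SamlClaimsReport
```

Run it after `Connect-MgGraph -Scopes "Application.Read.All", "Policy.Read.All"`. Like the script above it writes a ";"-separated file, but each row holds one flattened setting of one claim, which makes the output easy to diff between runs when reviewing what attributes each SAML application is configured to receive.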
