Create SAML application in Azure AD via PowerShell or Graph API

Rahul 241 Reputation points
2020-04-12T20:20:47.19+00:00

Hi Team,

I need to create SAML application via Powershell or GraphAPI . How to achieve it ?

Already Tried Existing soutions:

PowerShell :

Reference: https://learn.microsoft.com/en-us/powershell/module/azuread/New-AzureADApplication?view=azureadps-2.0#examples

New-AzureADApplication -DisplayName "My new SAML application" -IdentifierUris "http://mynewapp.contoso.com" -SamlMetadataURL "http://mynewapp.contoso.com/metadata.xml" -ReplyUrls "http://mynewapp.contoso.com/finishLogin"

This Doesn't work it just register an app. NO SAML APP Created.

GraphApi:

Also creating Application from existing template doesn't work. It creates the application but when you go to the application under Enterprise Applications and select SSO setting nothing is set there.

Reference: https://learn.microsoft.com/en-us/graph/api/resources/applicationtemplate?view=graph-rest-beta

Kindly assist or idea in the SAML application onboarding via PowerShell or Graph.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,553 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Gonzalo Parra 11 Reputation points
    2020-08-20T21:54:03.403+00:00

    I know this is an old post but wanted to include this here for anyone having the same issue.

    For Powershell, the way to get the Single sign-on section is to add the Tag WindowsAzureActiveDirectoryCustomSingleSignOnApplication when creating the ADServicePrincipal.

    2 people found this answer helpful.

  2. soumi-MSFT 11,761 Reputation points Microsoft Employee
    2020-04-13T05:42:15.287+00:00

    @Rahul , When you try to create an application using either Powershell or Microsoft Graph API, the application object (app registration part) and the service principal object (enterprise registration part) have to be created by running separate commands. This doesnt work the same way as in the Azure Portal.

    Powershell:

    When you run the following command:
    New-AzureADApplication -DisplayName "My new SAML application" -IdentifierUris "http://mynewapp.contoso.com" -SamlMetadataURL "http://mynewapp.contoso.com/metadata.xml"; -ReplyUrls "http://mynewapp.contoso.com/finishLogin";

    This only creates the Application object for you. After this you would have to run the following command to create its corresponding service principal.

    New-AzureADServicePrincipal -AccountEnabled $true -AppId $samlApp.AppId
    -AppRoleAssignmentRequired $true -DisplayName $appName
    -Tags {WindowsAzureActiveDirectoryIntegratedApp}

    Your overall Powershell code should look something like:

    $appName = "SAMLAppTest1"  
    $samlApp = New-AzureADApplication -DisplayName $appName `  
                           -IdentifierUris "http://mynewapp.contoso.com" `  
                           -SamlMetadataURL "http://mynewapp.contoso.com/metadata.xml" `  
                           -ReplyUrls "http://mynewapp.contoso.com/finishLogin"  
      
    Get-AzureADApplication -SearchString $appName  
      
    New-AzureADServicePrincipal -AccountEnabled $true `  
                                -AppId $samlApp.AppId `  
                                -AppRoleAssignmentRequired $true `  
                                -DisplayName $appName `  
                                -Tags {WindowsAzureActiveDirectoryIntegratedApp}  
      
    Get-AzureADServicePrincipal -SearchString $appName  
    

    Same goes for Microsoft Graph API.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.

    1 person found this answer helpful.

  3. soumi-MSFT 11,761 Reputation points Microsoft Employee
    2020-04-13T08:43:41.507+00:00

    @Rahul , Yes, you are correct, even when i tested the same out, with Powershell, I was somehow not able to get the Single SignOn option in the enterprise section of the newly created application. I tried the same with Microsoft Graph API using the same API endpoint that you used.

    API: https://graph.microsoft.com/beta/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate

    I used the Microsoft Graph API beta endpoint to create a SAML application based on the standard SAML application template ID. This will create a base SAML application in Azure AD that you can then update the SAML metadata from.

    https://learn.microsoft.com/en-us/graph/api/applicationtemplate-instantiate?view=graph-rest-beta&tabs=http

    The ID of the basic SAML application template from Microsoft is: 8adf8e6e-67b2-4cf2-a259-e3dc5476c621

    The endpoint URI would be the below then for creating the application with a request body json object of displayName, like below

    Request Type: Post  
      
    Request Body:  
    {"displayName":"SAMLTestApp2"}  
      
    URI Endpoint:  
    https://graph.microsoft.com/beta/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate  
    

    This API call creates both the Application Object and the Service Principal object in one go. Also the service principal created by this api lists the Single SignOn option under the Enterprise Application section for this app. [Please refer to the screenshot]

    7363-samlapp-img1.png

    7313-samlapp-img2.png

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.