This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(64, 2%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Hi Team,
I need to create SAML application via Powershell or GraphAPI . How to achieve it ?
Already Tried Existing soutions:
New-AzureADApplication -DisplayName "My new SAML application" -IdentifierUris "http://mynewapp.contoso.com" -SamlMetadataURL "http://mynewapp.contoso.com/metadata.xml" -ReplyUrls "http://mynewapp.contoso.com/finishLogin"
This Doesn't work it just register an app. NO SAML APP Created.
Also creating Application from existing template doesn't work. It creates the application but when you go to the application under Enterprise Applications and select SSO setting nothing is set there.
Reference: https://learn.microsoft.com/en-us/graph/api/resources/applicationtemplate?view=graph-rest-beta
Kindly assist or idea in the SAML application onboarding via PowerShell or Graph.
Hi Team,
Anyone done this before creating only SAML application via PowerShell or GraphAPI ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 39%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
I know this is an old post but wanted to include this here for anyone having the same issue.
For Powershell, the way to get the Single sign-on section is to add the Tag WindowsAzureActiveDirectoryCustomSingleSignOnApplication when creating the ADServicePrincipal.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 31%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Hi,
It would be great if you post the piece of code so we can take this as a reference.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 0%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETF%3C/text%3E%3C/svg%3E)
You can do thsi using the Set-AzureADServicePrincipal command, or during the New-AzureADServicePrincipal.
Set-AzureADServicePrincipal -AccountEnabled $true `
-AppId $samlApp.AppId `
-AppRoleAssignmentRequired $true `
-DisplayName $appName `
-Tags {WindowsAzureActiveDirectoryCustomSingleSignOnApplication}
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 21%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
This is good however it doesn't create the SAML from template. How do we create the SAML SSO service principal from a Gallery App template ID?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 2%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Rahul , When you try to create an application using either Powershell or Microsoft Graph API, the application object (app registration part) and the service principal object (enterprise registration part) have to be created by running separate commands. This doesnt work the same way as in the Azure Portal.
Powershell:
When you run the following command:
New-AzureADApplication -DisplayName "My new SAML application" -IdentifierUris "http://mynewapp.contoso.com" -SamlMetadataURL "http://mynewapp.contoso.com/metadata.xml"; -ReplyUrls "http://mynewapp.contoso.com/finishLogin";
This only creates the Application object for you. After this you would have to run the following command to create its corresponding service principal.
New-AzureADServicePrincipal -AccountEnabled $true -AppId $samlApp.AppId
-AppRoleAssignmentRequired $true -DisplayName $appName
-Tags {WindowsAzureActiveDirectoryIntegratedApp}
Your overall Powershell code should look something like:
$appName = "SAMLAppTest1"
$samlApp = New-AzureADApplication -DisplayName $appName `
-IdentifierUris "http://mynewapp.contoso.com" `
-SamlMetadataURL "http://mynewapp.contoso.com/metadata.xml" `
-ReplyUrls "http://mynewapp.contoso.com/finishLogin"
Get-AzureADApplication -SearchString $appName
New-AzureADServicePrincipal -AccountEnabled $true `
-AppId $samlApp.AppId `
-AppRoleAssignmentRequired $true `
-DisplayName $appName `
-Tags {WindowsAzureActiveDirectoryIntegratedApp}
Get-AzureADServicePrincipal -SearchString $appName
Same goes for Microsoft Graph API.
Hope this helps.
Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
@soumi-MSFT : Thanks for the clarification.
But this doesn't create any SAML application. You can't see the SSO configuration via portal when created via PowerShell.
See below Screenshot no configuration where you can see SSO configured with SAML.
See if you create via portal then you'll see the option to configure the SSO setting as highlighted in the below snapshot.
Let me know is this working for you because this is not considered as SAML application via PowerShell or Graph API.
@Rahul , Yes, you are correct, even when i tested the same out, with Powershell, I was somehow not able to get the Single SignOn option in the enterprise section of the newly created application. I tried the same with Microsoft Graph API using the same API endpoint that you used.
I used the Microsoft Graph API beta endpoint to create a SAML application based on the standard SAML application template ID. This will create a base SAML application in Azure AD that you can then update the SAML metadata from.
The ID of the basic SAML application template from Microsoft is: 8adf8e6e-67b2-4cf2-a259-e3dc5476c621
The endpoint URI would be the below then for creating the application with a request body json object of displayName, like below
Request Type: Post
Request Body:
{"displayName":"SAMLTestApp2"}
URI Endpoint:
https://graph.microsoft.com/beta/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate
This API call creates both the Application Object and the Service Principal object in one go. Also the service principal created by this api lists the Single SignOn option under the Enterprise Application section for this app. [Please refer to the screenshot]
Hope this helps.
Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
@soumi-MSFT : Thanks for the update.
I also tried creating the application via Graph API using Template. Issue is it will not update the Basic SAML SSO setting i.e. Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) and Attribute settings.
The above example is more or less equivalent to creating application via GUI because essential SAML configuration is we are doing it manually.
Application should be created with required SAML settings as mentioned above Entity ID or Reply URL.
Is there a way to update the basic SAML configuration via PowerShell or Graph API in Azure AD? Any idea how to proceed here ?
@Rahul , unfortunately there are no ways to update the Basic SAML configuration in automated way yet available. While using the Microsoft Graph API and using the ApplicationTemplate, you can only modify the following parameters:
{
"id": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
"displayName": "Custom",
"homePageUrl": "",
"supportedSingleSignOnModes": [
"password",
"saml",
"external"
],
"supportedProvisioningTypes": [
"sync"
],
"logoUrl": "https://az495088.vo.msecnd.net/app-logo/customappsso_215.png",
"categories": [
"custom"
],
"publisher": "",
"description": null
}
Hope this helps.
@soumi-MSFT : Thanks for your quick and prompt response on this post.
Appreciate for bringing in the clarity in App creation. Sorry since this not answer to my ask. I couldn't mark it as answer here.
I see many people are looking for this SAML application API in Azure AD so that they can do many customization programmatically.
@Rahul , I totally understand the pain for not able to automate this app setup completely for SAML apps in Azure. A similar request has been posted here:
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37970713-powershell-saml-app-automation
the feedback.azure.com is a place where you can post your queries regarding the features that you would want to be made available in Azure. So i would request you to post your feature request in that forum and also here: https://feedback.azure.com/forums/169401-azure-active-directory?category_id=165567
The product team directly monitors this forum and based on the number of hits on a particular feature request by other users/customers, the PG takes a call in incorporating that feature.
Also, from my end, I would do some more research on this and would try to share some updates with you in next two days.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 86%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
What I've managed to workout myself that in order to get the Single-sign on page to appear, you need to also add the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag to the Service Principal as well. Unfortunately, this however does NOT enable the custom SAML single-sign on feature, just enables the page. All of the required settings can be configured via the App Registration and Service Principal powershell commandlets,
I haven't been able to figure out how to tell Azure AD to enable the custom SAML single-sign on via script/api calls.
The other issue I've encountered trying to solve this from myself is that in order to actually enable the SAML option after automating the properties possible, you still have edit the basic configuration section so that you can click the Save button, so that SAML enabled is actually persisted. That's despite all of the correct settings already present.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(275.2, 88%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDA%3C/text%3E%3C/svg%3E)
Hello,
When I was calling this Api via Microsoft graph api and it created the application, but when I was trying to call this api via powershell or Python script it's giving me 403 forbidden error, I am adding the error details here. In the script I am passing headers as token and in the body just application display name. could you tell me what I am doing wrong here.
Powershell:
nvoke-RestMethod : {
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2020-07-09T03:28:59",
"request-id": "XXXXXXXXXXXX"
}
}
}
Python:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2020-07-10T14:59:50",
"request-id": "XXXXXXXXXXXXXX"
}
}
}