Hi, I'll repost the answer from StackOverflow here for other users to reference.
The SAML certificate info is available from the servicePrincipals endpoint, but not the applications endpoint.
You'll find relevant info in the KeyCredentials and the preferredTokenSigningKeyThumbprint properties.
Portal view
Graph API Example output
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals/$entity",
    "id": "b1d98f31-0d9e-4deb-b9d7-a9b65a9dc35b",
    "appId": "c2fa0ce8-1894-4e25-aa85-cd3880d2f849",
    "keyCredentials": [
        {
            "customKeyIdentifier": "ND35AAdHR6SwZl73ExNO7aGzDbb2NBchauiGFOF4dto=",
            "displayName": "CN=Microsoft Azure Federated SSO Certificate",
            "endDateTime": "2025-06-02T04:49:26Z",
            "key": null,
            "keyId": "2e5cf0c3-a2af-43ff-902f-5915a5c1739a",
            "startDateTime": "2022-06-02T04:49:25Z",
            "type": "AsymmetricX509Cert",
            "usage": "Verify"
        },
        {
            "customKeyIdentifier": "ND35AAdHR6SwZl73ExNO7aGzDbb2NBchauiGFOF4dto=",
            "displayName": "CN=Microsoft Azure Federated SSO Certificate",
            "endDateTime": "2025-06-02T04:49:26Z",
            "key": null,
            "keyId": "d9828f8c-551a-4e22-9e99-ae4559eff713",
            "startDateTime": "2022-06-02T04:49:25Z",
            "type": "AsymmetricX509Cert",
            "usage": "Sign"
        }
    ],
    "preferredTokenSigningKeyThumbprint": "BAE149EA92FBF748FABE89EEB150F9D65BE4F676"
}
KeyCredentials
For each certificate you see in the Portal, you'll see 2 objects, which correspond to the public and private certificate. The public certificate is the key where the Usage property is Verify. The private certificate you don't see when you're viewing from the Portal.
PreferredTokenSigningKeyThumbprint
This is the thumbprint of the certificate which is currently active. You'll notice that the thumbprint is NOT in the KeyCredentials info. Only when you first assign a certificate is the thumbprint included in the KeyCredentials.
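An added example, not part of the original post: a Python check that groups the keyCredentials entries of a servicePrincipal response into certificates, flags upcoming expiry, and tests whether the decoded customKeyIdentifier equals preferredTokenSigningKeyThumbprint. The function names and the 30-day `warn_days` threshold are assumptions; the sample input is the response above trimmed to the fields used.

```python
import base64
import binascii
from datetime import datetime, timezone

# Sample input: the servicePrincipal response from the post, trimmed to the fields used here.
_CERT = {"customKeyIdentifier": "ND35AAdHR6SwZl73ExNO7aGzDbb2NBchauiGFOF4dto=",
         "endDateTime": "2025-06-02T04:49:26Z", "type": "AsymmetricX509Cert"}
SAMPLE = {
    "keyCredentials": [dict(_CERT, usage="Verify"), dict(_CERT, usage="Sign")],
    "preferredTokenSigningKeyThumbprint": "BAE149EA92FBF748FABE89EEB150F9D65BE4F676",
}

def _id_hex(custom_key_identifier):
    """Decode the base64 customKeyIdentifier to upper-case hex, or None if it is not base64."""
    try:
        return base64.b64decode(custom_key_identifier, validate=True).hex().upper()
    except (binascii.Error, TypeError, ValueError):
        return None

def saml_cert_report(sp, now, warn_days=30):
    """Group keyCredentials by certificate; report usages, expiry and preferred-thumbprint match."""
    preferred = (sp.get("preferredTokenSigningKeyThumbprint") or "").upper()
    certs = {}
    for kc in sp.get("keyCredentials", []):
        if kc.get("type") != "AsymmetricX509Cert":
            continue  # skip non-certificate credentials
        # Verify/Sign entries of one certificate share a customKeyIdentifier.
        cid = kc.get("customKeyIdentifier") or kc.get("keyId")
        end = datetime.fromisoformat(kc["endDateTime"].replace("Z", "+00:00"))
        c = certs.setdefault(cid, {"usages": set(), "end": end})
        c["usages"].add(kc.get("usage"))
        c["end"] = min(c["end"], end)
    report = []
    for cid, c in certs.items():
        days_left = (c["end"] - now).days
        id_hex = _id_hex(cid)
        report.append({
            "id_hex": id_hex,
            "usages": sorted(c["usages"]),
            "days_left": days_left,
            "expired": c["end"] <= now,
            "expiring_soon": 0 <= days_left <= warn_days,  # warn_days is an assumed threshold
            "matches_preferred": id_hex is not None and id_hex == preferred,
        })
    return report

if __name__ == "__main__":
    for row in saml_cert_report(SAMPLE, datetime.now(timezone.utc)):
        print(row)
```

On the sample, both entries collapse into one certificate whose decoded identifier is 32 bytes long and does not equal the 40-character preferred thumbprint, which is consistent with the observation above.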