federatedIdentityCredential resource type

Namespace: microsoft.graph


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

References an application's federated identity credentials. These federated identity credentials are used in workload identity federation when exchanging a token from a trusted issuer for an access token linked to an application registered on Azure AD.

Inherits from entity.


Method Return type Description
List federatedIdentityCredentials federatedIdentityCredential collection Get a list of the federatedIdentityCredential objects and their properties.
Create federatedIdentityCredential federatedIdentityCredential Create a new federatedIdentityCredential object.
Get federatedIdentityCredential federatedIdentityCredential Read the properties and relationships of a federatedIdentityCredential object.
Update federatedIdentityCredential None Update the properties of a federatedIdentityCredential object.
Delete federatedIdentityCredential None Deletes a federatedIdentityCredential object.


Property Type Description
audiences String collection The audience that can appear in the external token. This field is mandatory and should be set to api://AzureADTokenExchange for Azure AD. It says what Microsoft identity platform should accept in the aud claim in the incoming token. This value represents Azure AD in your external identity provider and has no fixed value across identity providers - you may need to create a new application registration in your identity provider to serve as the audience of this token. This field can only accept a single value and has a limit of 600 characters. Required.
description String The un-validated, user-provided description of the federated identity credential. It has a limit of 600 characters. Optional.
id String The unique identifier for the federated identity. Required. Read-only.
issuer String The URL of the external identity provider and must match the issuer claim of the external token being exchanged. The combination of the values of issuer and subject must be unique on the app. It has a limit of 600 characters. Required.
name String is the unique identifier for the federated identity credential, which has a limit of 120 characters and must be URL friendly. It is immutable once created. Required. Not nullable. Supports $filter (eq).
subject String Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each identity provider uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the sub claim within the token presented to Azure AD. The combination of issuer and subject must be unique on the app. It has a limit of 600 characters. Supports $filter (eq).



JSON representation

The following is a JSON representation of the resource.

  "@odata.type": "#microsoft.graph.federatedIdentityCredential",
  "name": "String",
  "issuer": "String",
  "subject": "String",
  "description": "String",
  "audiences": [