tokenIssuancePolicy resource type

Namespace: microsoft.graph


APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents the policy to specify the characteristics of SAML tokens issued by Azure AD. You can use token-issuance policies to:

  • Set signing options
  • Set signing algorithm
  • Set SAML token version

Inherits from stsPolicy.


Method Return Type Description
Create tokenIssuancePolicy tokenIssuancePolicy Create a tokenIssuancePolicy object.
Get tokenIssuancePolicy tokenIssuancePolicy Read properties and relationships of a tokenIssuancePolicy object.
List tokenIssuancePolicy tokenIssuancePolicy Read properties and relationships of tokenIssuancePolicy objects.
Update tokenIssuancePolicy None Update a tokenIssuancePolicy object.
Delete tokenIssuancePolicy None Delete a tokenIssuancePolicy object.
List appliesTo directoryObject collection Get the list of directoryObjects that this policy has been applied to.


Property Type Description
id String Unique identifier for this policy. Read-only.
definition String collection A string collection containing a JSON string that defines the rules and settings for this policy. See below for more details about the JSON schema for this property. Required.
description String Description for this policy.
displayName String Display name for this policy. Required.
isOrganizationDefault Boolean Ignore this property. The token-issuance policy can only be applied to service principals and can't be set globally for the organization.

Properties of a token issuance policy definition

The properties form the JSON object that represents a token issuance policy. This JSON object must be converted to a string with quotations escaped to be inserted into the definition property. The following is an example in JSON format:

"definition": [
    "{ \"TokenIssuancePolicy\":{\"TokenResponseSigningPolicy\":\"TokenOnly\",\"SamlTokenVersion\":\"1.1\",\"SigningAlgorithm\":\"\",\"Version\":\"1\",\"EmitSAMLNameFormat\": \"true\"}}"
Property Type Description
TokenResponseSigningPolicy String Represents the certificate signing options available in Azure AD. Supported values are: ResponseOnly, TokenOnly, ResponseAndToken.
SamlTokenVersion String Version of the SAML token. Supported values are: 1.1, 2.0.
SigningAlgorithm String Signing algorithm use by Azure AD to sign the SAML token. Supported values are:,
Version Integer Set value of 1. Required.
EmitSamlNameFormat Boolean If selected, Azure Active Directory will add an additional attribute called "NameFormat" that describes the format of the name to restricted, core, and optional claims for this application. Learn more


Relationship Type Description
appliesTo directoryObject collection The directoryObject collection that this policy has been applied to. Read-only.

JSON representation

The following is a JSON representation of the resource.

  "definition": ["String"],
  "description": "String",
  "displayName": "String",
  "id": "String (identifier)",
  "isOrganizationDefault": true,