Configure SAML-based single sign-on for your application using the Microsoft Graph API
Article
In this article, you'll learn how to create and configure a SAML-based single sign-on (SSO) for your application in Azure Active Directory (Azure AD) using the Microsoft Graph API. The application configuration includes basic SAML URLs, a claims mapping policy, and using a certificate to add a custom signing key. After the application is created, you assign a user to it to be an administrator. You then can use a URL to obtain Azure AD SAML metadata for additional configuration of the application.
This article uses an AWS Azure AD application template as an example, but you can use the steps in this article for any SAML-based app in the Azure AD Gallery.
Prerequisites
Sign in to an API client such as Graph Explorer, Postman, or create your own client app to call Microsoft Graph. To call Microsoft Graph APIs in this tutorial, you need to use an account with the global administrator role.
Grant yourself the following delegated permissions: Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, Policy.Read.All, Policy.ReadWrite.ApplicationConfiguration, and User.ReadWrite.All.
Step 1: Create the application
Azure AD has a gallery that contains thousands of pre-integrated applications that you can use as a template for your application. The application template describes the metadata for that application. Using this template, you can create an instance of the application and service principal in your tenant for management.
To create the application from the gallery, you first get the identifier of the application template and then use that identifier to create the application.
Retrieve the gallery application template identifier
In this tutorial, you retrieve the identifier of the application template for AWS IAM Identity Center (successor to AWS Single Sign-On). Record the value of the id property to use later in this tutorial.
GET https://graph.microsoft.com/v1.0/applicationTemplates?$filter=displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
var result = await graphClient.ApplicationTemplates.GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'";
});
Import-Module Microsoft.Graph.Applications
Get-MgApplicationTemplate -Filter "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'"
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestConfiguration = new ApplicationTemplatesRequestBuilderGetRequestConfiguration();
$queryParameters = ApplicationTemplatesRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'";
$requestConfiguration->queryParameters = $queryParameters;
$result = $graphServiceClient->applicationTemplates()->get($requestConfiguration);
// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client = GraphServiceClient(request_adapter)
query_params = ApplicationTemplatesRequestBuilder.ApplicationTemplatesRequestBuilderGetQueryParameters(
filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'",
)
request_configuration = ApplicationTemplatesRequestBuilder.ApplicationTemplatesRequestBuilderGetRequestConfiguration(
query_parameters = query_params,
)
result = await client.application_templates.get(request_configuration = request_configuration)
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applicationTemplates",
"value": [
{
"id": "21ed01d2-ec13-4e9e-86c1-cd546719ebc4",
"displayName": "AWS IAM Identity Center (successor to AWS Single Sign-On)",
"homePageUrl": "https://aws.amazon.com/",
"supportedSingleSignOnModes": [
"saml",
"external"
],
"supportedProvisioningTypes": [
"sync"
],
"logoUrl": "https://az495088.vo.msecnd.net/app-logo/awssinglesignon_215.png",
"categories": [
"developerServices",
"itInfrastructure",
"security",
"New"
],
"publisher": "Amazon Web Services, Inc.",
"description": "Federate once to AWS IAM Identity Center (successor to AWS Single Sign-On) & use it to centrally manage access to multiple AWS accounts and IAM Identity Center enabled apps. Provision users via SCIM."
}
]
}
Create the application
Using the id value that you recorded for the application template, create an instance of the application and service principal in your tenant. Record the value of the id property of the application and the value of the id property for the service principal to use later in this tutorial.
POST https://graph.microsoft.com/v1.0/applicationTemplates/21ed01d2-ec13-4e9e-86c1-cd546719ebc4/instantiate
Content-type: application/json
{
"displayName": "AWS Contoso"
}
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
var requestBody = new Microsoft.Graph.ApplicationTemplates.Item.Instantiate.InstantiatePostRequestBody
{
DisplayName = "AWS Contoso",
};
var result = await graphClient.ApplicationTemplates["{applicationTemplate-id}"].Instantiate.PostAsync(requestBody);
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestBody = new InstantiatePostRequestBody();
$requestBody->setDisplayName('AWS Contoso');
$result = $graphServiceClient->applicationTemplates()->byApplicationTemplateId('applicationTemplate-id')->instantiate()->post($requestBody);
// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client = GraphServiceClient(request_adapter)
request_body = InstantiatePostRequestBody()
request_body.display_name = 'AWS Contoso'
result = await client.application_templates.by_application_template_id('applicationTemplate-id').instantiate.post(request_body = request_body)
Allow some time for the app to be provisioned into your Azure AD tenant. It is not instant. One strategy is to do a GET query on the application or service principal object every 5-10 seconds until the query is successful.
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
var requestBody = new ServicePrincipal
{
PreferredSingleSignOnMode = "saml",
};
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestBody = new ServicePrincipal();
$requestBody->setPreferredSingleSignOnMode('saml');
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody);
// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client = GraphServiceClient(request_adapter)
request_body = ServicePrincipal()
request_body.preferred_single_sign_on_mode = 'saml'
result = await client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body = request_body)
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
var requestBody = new Application
{
Web = new WebApplication
{
RedirectUris = new List<string>
{
"https://signin.aws.amazon.com/saml",
},
},
IdentifierUris = new List<string>
{
"https://signin.aws.amazon.com/saml",
},
};
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestBody = new Application();
$web = new WebApplication();
$web->setRedirectUris(['https://signin.aws.amazon.com/saml', ]);
$requestBody->setWeb($web);
$requestBody->setIdentifierUris(['https://signin.aws.amazon.com/saml', ]);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody);
// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client = GraphServiceClient(request_adapter)
request_body = Application()
web = WebApplication()
web.RedirectUris(['https://signin.aws.amazon.com/saml', ])
request_body.web = web
request_body.IdentifierUris(['https://signin.aws.amazon.com/saml', ])
result = await client.applications.by_application_id('application-id').patch(request_body = request_body)
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
var requestBody = new ServicePrincipal
{
AppRoles = new List<AppRole>
{
new AppRole
{
AllowedMemberTypes = new List<string>
{
"User",
},
DisplayName = "User",
Id = Guid.Parse("8774f594-1d59-4279-b9d9-59ef09a23530"),
IsEnabled = true,
Description = "User",
Value = null,
Origin = "Application",
},
new AppRole
{
AllowedMemberTypes = new List<string>
{
"User",
},
DisplayName = "msiam_access",
Id = Guid.Parse("e7f1a7f3-9eda-48e0-9963-bd67bf531afd"),
IsEnabled = true,
Description = "msiam_access",
Value = null,
Origin = "Application",
},
new AppRole
{
AllowedMemberTypes = new List<string>
{
"User",
},
Description = "Admin,WAAD",
DisplayName = "Admin,WAAD",
Id = Guid.Parse("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
IsEnabled = true,
Value = "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD",
},
new AppRole
{
AllowedMemberTypes = new List<string>
{
"User",
},
Description = "Finance,WAAD",
DisplayName = "Finance,WAAD",
Id = Guid.Parse("7a960000-ded3-455b-8c04-4f2ace00319b"),
IsEnabled = true,
Value = "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD",
},
},
};
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
Some keys in the claims mapping policy are case sensitive (for example, "Version"). If you receive an error message such as "Property has an invalid value", it might be a case sensitive issue.
Create the claims mapping policy and record the value of the id property to use later in this tutorial.
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
var requestBody = new ClaimsMappingPolicy
{
Definition = new List<string>
{
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}",
},
DisplayName = "AWS Claims Policy",
IsOrganizationDefault = false,
};
var result = await graphClient.Policies.ClaimsMappingPolicies.PostAsync(requestBody);
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestBody = new ClaimsMappingPolicy();
$requestBody->setDefinition(['{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}', ]);
$requestBody->setDisplayName('AWS Claims Policy');
$requestBody->setIsOrganizationDefault(false);
$result = $graphServiceClient->policies()->claimsMappingPolicies()->post($requestBody);
Assign a claims mapping policy to a service principal
Use the id for the service principal that you recorded earlier to assign a claims mapping policy to it. Use the value of the id property for the claims mapping policy in the body of the request.
POST https://graph.microsoft.com/v1.0/servicePrincipals/a750f6cf-2319-464a-bcc3-456926736a91/claimsMappingPolicies/$ref
Content-type: application/json
{
"@odata.id":"https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/a4b35718-fd5e-4ca8-8248-a3c9934b1b78"
}
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
var requestBody = new Microsoft.Graph.Models.ReferenceCreate
{
OdataId = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/a4b35718-fd5e-4ca8-8248-a3c9934b1b78",
};
await graphClient.ServicePrincipals["{servicePrincipal-id}"].ClaimsMappingPolicies.Ref.PostAsync(requestBody);
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestBody = new ReferenceCreate();
$requestBody->set@odataid('https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/a4b35718-fd5e-4ca8-8248-a3c9934b1b78');
$graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->claimsMappingPolicies()->ref()->post($requestBody);
// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client = GraphServiceClient(request_adapter)
request_body = ReferenceCreate()
request_body.@odata_id = 'https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/a4b35718-fd5e-4ca8-8248-a3c9934b1b78'
await client.service_principals.by_service_principal_id('servicePrincipal-id').claim_mapping_policies.ref.post(request_body = request_body)
You need a self-signed certificate that Azure AD can use to sign a SAML response. You can use your own certificate or you can use the following example.
Option 1: Create a signing certificate in Azure AD
Using the id of the service principal that you created, create a new certificate and add it to the service principal.
POST https://graph.microsoft.com/v1.0/servicePrincipals/a750f6cf-2319-464a-bcc3-456926736a91/addTokenSigningCertificate
Content-type: application/json
{
"displayName":"CN=AWSContoso",
"endDateTime":"2024-01-25T00:00:00Z"
}
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
var requestBody = new Microsoft.Graph.ServicePrincipals.Item.AddTokenSigningCertificate.AddTokenSigningCertificatePostRequestBody
{
DisplayName = "CN=AWSContoso",
EndDateTime = DateTimeOffset.Parse("2024-01-25T00:00:00Z"),
};
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AddTokenSigningCertificate.PostAsync(requestBody);
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestBody = new AddTokenSigningCertificatePostRequestBody();
$requestBody->setDisplayName('CN=AWSContoso');
$requestBody->setEndDateTime(new DateTime('2024-01-25T00:00:00Z'));
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->addTokenSigningCertificate()->post($requestBody);
// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client = GraphServiceClient(request_adapter)
request_body = AddTokenSigningCertificatePostRequestBody()
request_body.display_name = 'CN=AWSContoso'
request_body.endDateTime = DateTime('2024-01-25T00:00:00Z')
result = await client.service_principals.by_service_principal_id('servicePrincipal-id').add_token_signing_certificate.post(request_body = request_body)
You can use the following PowerShell and C# scripts to get a self-signed certificate for testing. You will then need to manipulate and pull the values you need manually using other tools. Use the best security practice from your company to create a signing certificate for production.
The following C# console app can be used as a proof of concept to understand how the required values can be obtained. This code is for learning and reference only and should not be used as-is in production.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
/* CONSOLE APP - PROOF OF CONCEPT CODE ONLY!!
* This code uses a self signed certificate and should not be used
* in production. This code is for reference and learning ONLY.
*/
namespace Self_signed_cert
{
class Program
{
static void Main(string[] args)
{
// Generate a guid to use as a password and then create the cert.
string password = Guid.NewGuid().ToString();
var selfsignedCert = buildSelfSignedServerCertificate(password);
// Print values so we can copy paste into the JSON fields.
// Print out the private key in base64 format.
Console.WriteLine("Private Key: {0}{1}", Convert.ToBase64String(selfsignedCert.Export(X509ContentType.Pfx, password)), Environment.NewLine);
// Print out the start date in ISO 8601 format.
DateTime startDate = DateTime.Parse(selfsignedCert.GetEffectiveDateString()).ToUniversalTime();
Console.WriteLine("For All startDateTime: " + startDate.ToString("o"));
// Print out the end date in ISO 8601 format.
DateTime endDate = DateTime.Parse(selfsignedCert.GetExpirationDateString()).ToUniversalTime();
Console.WriteLine("For All endDateTime: " + endDate.ToString("o"));
// Print the GUID used for keyId
string signAndPasswordGuid = Guid.NewGuid().ToString();
string verifyGuid = Guid.NewGuid().ToString();
Console.WriteLine("GUID to use for keyId for keyCredentials->Usage == Sign and passwordCredentials: " + signAndPasswordGuid);
Console.WriteLine("GUID to use for keyId for keyCredentials->Usage == Verify: " + verifyGuid);
// Print out the password.
Console.WriteLine("Password is: {0}", password);
// Print out a displayName to use as an example.
Console.WriteLine("displayName to use: CN=Example");
Console.WriteLine();
// Print out the public key.
Console.WriteLine("Public Key: {0}{1}", Convert.ToBase64String(selfsignedCert.Export(X509ContentType.Cert)), Environment.NewLine);
Console.WriteLine();
// Generate the customKeyIdentifier using hash of thumbprint.
Console.WriteLine("You can generate the customKeyIdentifier by getting the SHA256 hash of the certs thumprint.\nThe certs thumbprint is: {0}{1}", selfsignedCert.Thumbprint, Environment.NewLine);
Console.WriteLine("The hash of the thumbprint that we will use for customeKeyIdentifier is:");
string keyIdentifier = GetSha256FromThumbprint(selfsignedCert.Thumbprint);
Console.WriteLine(keyIdentifier);
}
// Generate a self-signed certificate.
private static X509Certificate2 buildSelfSignedServerCertificate(string password)
{
const string CertificateName = @"Microsoft Azure Federated SSO Certificate TEST";
DateTime certificateStartDate = DateTime.UtcNow;
DateTime certificateEndDate = certificateStartDate.AddYears(2).ToUniversalTime();
X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");
using (RSA rsa = RSA.Create(2048))
{
var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
request.CertificateExtensions.Add(
new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));
var certificate = request.CreateSelfSigned(new DateTimeOffset(certificateStartDate), new DateTimeOffset(certificateEndDate));
certificate.FriendlyName = CertificateName;
return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable);
}
}
// Generate hash from thumbprint.
public static string GetSha256FromThumbprint(string thumbprint)
{
var message = Encoding.ASCII.GetBytes(thumbprint);
SHA256Managed hashString = new SHA256Managed();
return Convert.ToBase64String(hashString.ComputeHash(message));
}
}
}
Add a custom signing key
After running the previous code, extract the values for the following parameters from the PFX file. You will add this information to the service principal:
Make sure that the keyId for the keyCredential used for "Sign" matches the keyId of the passwordCredential. You can generate the customkeyIdentifier by getting the hash of the cert's thumbprint. See the previous C# reference code.
Request
Note
The "key" value in the keyCredentials property is shortened for readability. The value is base 64 encoded. For the private key the property usage is "Sign". For the public key the property usage is "Verify".
You need to set the preferredTokenSigningKeyThumbprint property of the service principal to the thumbprint of the certificate that you want Azure AD to use to sign the SAML response.
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
var requestBody = new ServicePrincipal
{
PreferredTokenSigningKeyThumbprint = "A7D3C4626B8A84FDA868CCC67D274D402FFD0A10",
};
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestBody = new ServicePrincipal();
$requestBody->setPreferredTokenSigningKeyThumbprint('A7D3C4626B8A84FDA868CCC67D274D402FFD0A10');
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody);
// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client = GraphServiceClient(request_adapter)
request_body = ServicePrincipal()
request_body.preferred_token_signing_key_thumbprint = 'A7D3C4626B8A84FDA868CCC67D274D402FFD0A10'
result = await client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body = request_body)
For this tutorial, you create a user account that is added to the application. In the request body, change contoso.com to the domain name of your tenant. You can find tenant information on the Azure Active Directory overview page. Record the id of the user to be used later in this tutorial.
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
var requestBody = new User
{
AccountEnabled = true,
DisplayName = "MyTestUser1",
MailNickname = "MyTestUser1",
UserPrincipalName = "MyTestUser1@contoso.com",
PasswordProfile = new PasswordProfile
{
ForceChangePasswordNextSignIn = true,
Password = "Contoso1234",
},
};
var result = await graphClient.Users.PostAsync(requestBody);
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$requestBody = new User();
$requestBody->setAccountEnabled(true);
$requestBody->setDisplayName('MyTestUser1');
$requestBody->setMailNickname('MyTestUser1');
$requestBody->setUserPrincipalName('MyTestUser1@contoso.com');
$passwordProfile = new PasswordProfile();
$passwordProfile->setForceChangePasswordNextSignIn(true);
$passwordProfile->setPassword('Contoso1234');
$requestBody->setPasswordProfile($passwordProfile);
$result = $graphServiceClient->users()->post($requestBody);
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
var requestBody = new AppRoleAssignment
{
PrincipalId = Guid.Parse("040f9599-7c0f-4f94-aa75-8394c4c6ea9b"),
PrincipalType = "User",
AppRoleId = Guid.Parse("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
ResourceId = Guid.Parse("a750f6cf-2319-464a-bcc3-456926736a91"),
};
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AppRoleAssignments.PostAsync(requestBody);
Use the following URL to get the Azure AD SAML metadata for the specific configured application. The metadata contains information such as the signing certificate, Azure AD entityID, and Azure AD SingleSignOnService, among others.
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
await graphClient.Applications["{application-id}"].DeleteAsync();
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$graphServiceClient->applications()->byApplicationId('application-id')->delete();
// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client = GraphServiceClient(request_adapter)
await client.applications.by_application_id('application-id').delete()
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
await graphClient.Users["{user-id}"].DeleteAsync();
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$graphServiceClient->users()->byUserId('user-id')->delete();
// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client = GraphServiceClient(request_adapter)
await client.users.by_user_id('user-id').delete()
// Code snippets are only available for the latest version. Current version is 5.x
var graphClient = new GraphServiceClient(requestAdapter);
await graphClient.Policies.ClaimsMappingPolicies["{claimsMappingPolicy-id}"].DeleteAsync();
<?php
// THIS SNIPPET IS A PREVIEW FOR THE KIOTA BASED SDK. NON-PRODUCTION USE ONLY
$graphServiceClient = new GraphServiceClient($requestAdapter);
$graphServiceClient->policies()->claimsMappingPolicies()->byClaimsMappingPolicieId('claimsMappingPolicy-id')->delete();
// THE PYTHON SDK IS IN PREVIEW. NON-PRODUCTION USE ONLY
client = GraphServiceClient(request_adapter)
await client.policies.claim_mapping_policies.by_claim_mapping_policie_id('claimsMappingPolicy-id').delete()