Microsoft Graph API to identify SAML apps issue

Prasad Somasamudra 21 Reputation points
2021-01-04T21:43:38.08+00:00

We are using the https://graph.microsoft.com/v1.0/servicePrincipals Graph API to get all the apps/add-ins from the Azure Portal, as per the documentation at https://learn.microsoft.com/en-us/graph/api/resources/serviceprincipal?view=graph-rest-1.0, and we came across the below 2 issues with SAML apps.

Issue 1: We created an app “New_Test_Application“, enabled SAML-based sign-on in the Azure Portal and were able to access the app without any issues, but unfortunately the application that we registered is not coming back as part of the servicePrincipals/applications Graph API response. We even tried with the Salesforce app with some dummy SAML configuration; the APIs didn’t return the Salesforce app in the response either.

Issue 2: For the new app “New_Test_Application” we are not seeing any “Add service principal” audit event in the Unified Audit Log - https://protection.office.com/unifiedauditlog

Please let me know how I can get the list of apps which have SAML-based single sign-on enabled.


Accepted answer

AmanpreetSingh-MSFT 56,316 Reputation points
2021-01-05T11:36:33.177+00:00

Hello @Prasad Somasamudra, welcome to the Q&A platform and thanks for your query.

Could you please confirm that you are using an Application Administrator or Global Administrator account and have consented to the below permissions:

• Application.ReadWrite.All
• Directory.AccessAsUser.All

When you register the application using the Azure Portal, under Azure AD > App Registration, a corresponding service principal gets created automatically. However, if you create the application via the Graph API using the below call, a corresponding service principal doesn't get created automatically.

Call: POST https://graph.microsoft.com/v1.0/applications
Body: { "displayName": "Display name" }

In this case you need to create the service principal manually by using the below call, referencing the AppID of the application created by the above call.

Call: POST https://graph.microsoft.com/v1.0/servicePrincipals
Body: { "appId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" }

I tested with GET https://graph.microsoft.com/v1.0/servicePrincipals in my test tenant and was able to get the service principal of the Salesforce Enterprise app.

If you are using Graph Explorer to make this call, make sure you are signed in using a member account in the tenant where the app is registered. If you are signed in via a guest account, Graph Explorer will execute the call against the home tenant of the guest user.

Feel free to tag me in your reply if you have any further questions.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
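The sequence from the accepted answer, as an added example in Python (this is not code from the thread or from Microsoft): create the application, create its service principal from the appId, then page through GET /servicePrincipals. The Graph URLs and request bodies are the ones the answer shows. Two things are assumptions added here: the filter on `preferredSingleSignOnMode == "saml"`, which is a property of the v1.0 servicePrincipal resource but is not mentioned in the thread, and is used to answer the original question of listing SAML-enabled apps; and `FakeGraph`, a constructed in-memory transport that reproduces the "no service principal until you POST one" behaviour so the flow runs offline. `requests_transport` is the hypothetical real transport for a tenant.

```python
import uuid
from typing import Any, Callable, Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"

# A transport is any callable (method, url, json_body) -> (status_code, parsed_json).
Transport = Callable[[str, str, Any], Tuple[int, Dict[str, Any]]]


def create_application(transport: Transport, display_name: str) -> Dict[str, Any]:
    """Step 1 from the answer: POST /applications creates only the application object."""
    status, app = transport("POST", f"{GRAPH}/applications", {"displayName": display_name})
    if status != 201:
        raise RuntimeError(f"application create failed: {status} {app}")
    return app


def create_service_principal(transport: Transport, app_id: str) -> Dict[str, Any]:
    """Step 2 from the answer: a Graph-created app has no service principal until
    its appId is POSTed to /servicePrincipals."""
    status, sp = transport("POST", f"{GRAPH}/servicePrincipals", {"appId": app_id})
    if status != 201:
        raise RuntimeError(f"service principal create failed: {status} {sp}")
    return sp


def list_service_principals(transport: Transport) -> List[Dict[str, Any]]:
    """GET /servicePrincipals, following @odata.nextLink so a large tenant is read fully."""
    url, items = f"{GRAPH}/servicePrincipals", []
    while url:
        status, page = transport("GET", url, None)
        if status != 200:
            raise RuntimeError(f"list failed: {status} {page}")
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def saml_enabled(service_principals: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    # Assumption (not stated in the thread): SAML-configured enterprise apps report
    # preferredSingleSignOnMode == "saml" on their service principal.
    return [sp for sp in service_principals if sp.get("preferredSingleSignOnMode") == "saml"]


def requests_transport(bearer_token: str) -> Transport:
    """Hypothetical real transport for a tenant; not exercised offline (needs `requests`)."""
    import requests  # imported lazily so the offline demo does not need it

    def send(method: str, url: str, body: Any) -> Tuple[int, Dict[str, Any]]:
        resp = requests.request(method, url, json=body,
                                headers={"Authorization": f"Bearer {bearer_token}"})
        return resp.status_code, (resp.json() if resp.content else {})
    return send


class FakeGraph:
    """Constructed in-memory stand-in for the two endpoints. Apps created via
    /applications get no service principal until one is POSTed, so they are
    invisible to GET /servicePrincipals, exactly the quirk the answer describes."""

    def __init__(self, page_size: int = 2):
        self.apps: Dict[str, Dict[str, Any]] = {}
        self.sps: List[Dict[str, Any]] = []
        self.page_size = page_size

    def seed_enterprise_app(self, name: str, sso_mode: str) -> None:
        """Mimic a portal-created enterprise app: app and service principal both exist."""
        app_id = str(uuid.uuid4())
        self.apps[app_id] = {"id": str(uuid.uuid4()), "appId": app_id, "displayName": name}
        self.sps.append({"id": str(uuid.uuid4()), "appId": app_id, "displayName": name,
                         "preferredSingleSignOnMode": sso_mode})

    def __call__(self, method: str, url: str, body: Any) -> Tuple[int, Dict[str, Any]]:
        path = url[len(GRAPH):]
        if method == "POST" and path == "/applications":
            app = {"id": str(uuid.uuid4()), "appId": str(uuid.uuid4()),
                   "displayName": body["displayName"]}
            self.apps[app["appId"]] = app
            return 201, app
        if method == "POST" and path == "/servicePrincipals":
            app = self.apps.get((body or {}).get("appId"))
            if app is None:
                return 400, {"error": {"message": "appId does not match a registered application"}}
            sp = {"id": str(uuid.uuid4()), "appId": app["appId"],
                  "displayName": app["displayName"], "preferredSingleSignOnMode": None}
            self.sps.append(sp)
            return 201, sp
        if method == "GET" and path.startswith("/servicePrincipals"):
            skip = int(path.split("$skip=")[1]) if "$skip=" in path else 0
            page: Dict[str, Any] = {"value": self.sps[skip:skip + self.page_size]}
            if skip + self.page_size < len(self.sps):
                page["@odata.nextLink"] = f"{GRAPH}/servicePrincipals?$skip={skip + self.page_size}"
            return 200, page
        return 404, {"error": {"message": f"no fake for {method} {path}"}}


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Run the answer's sequence against the fake; return listings before and after
    the service principal exists, plus the SAML-only subset."""
    graph = FakeGraph(page_size=2)
    graph.seed_enterprise_app("Salesforce", "saml")  # portal-created, SAML configured
    graph.seed_enterprise_app("Legacy password app", "password")
    app = create_application(graph, "New_Test_Application")
    before = [sp["displayName"] for sp in list_service_principals(graph)]
    create_service_principal(graph, app["appId"])
    after = [sp["displayName"] for sp in list_service_principals(graph)]
    saml = [sp["displayName"] for sp in saml_enabled(list_service_principals(graph))]
    return before, after, saml


if __name__ == "__main__":
    print(demo())
```

The `before` listing reproduces Issue 1 from the question: the Graph-created app is absent until its service principal is created, after which it appears in the listing. The page size of 2 is deliberately small so the `@odata.nextLink` loop is exercised; against a real tenant Graph returns larger pages and the same loop applies.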

