Rahul-7230 asked:

Create SAML application in Azure AD via PowerShell or Graph API

Hi Team,

I need to create a SAML application via PowerShell or Graph API. How can I achieve it?

Already tried existing solutions:

PowerShell:

Reference: https://docs.microsoft.com/en-us/powershell/module/azuread/New-AzureADApplication?view=azureadps-2.0#examples

New-AzureADApplication -DisplayName "My new SAML application" -IdentifierUris "http://mynewapp.contoso.com" -SamlMetadataURL "http://mynewapp.contoso.com/metadata.xml" -ReplyUrls "http://mynewapp.contoso.com/finishLogin"

This doesn't work; it just registers an app. No SAML app is created.

Graph API:

Creating the application from an existing template also doesn't work. It creates the application, but when you go to the application under Enterprise Applications and select the SSO setting, nothing is set there.

Reference: https://docs.microsoft.com/en-us/graph/api/resources/applicationtemplate?view=graph-rest-beta


Kindly assist or share an idea on SAML application onboarding via PowerShell or Graph.

azure-active-directory

Hi Team,

Has anyone done this before, creating only a SAML application via PowerShell or Graph API?

soumi-MSFT answered:

@Rahul-7230, when you try to create an application using either PowerShell or the Microsoft Graph API, the application object (app registration part) and the service principal object (enterprise registration part) have to be created by running separate commands. This doesn't work the same way as in the Azure Portal.

PowerShell:

When you run the following command:

 New-AzureADApplication -DisplayName "My new SAML application" -IdentifierUris "http://mynewapp.contoso.com" -SamlMetadataURL "http://mynewapp.contoso.com/metadata.xml" -ReplyUrls "http://mynewapp.contoso.com/finishLogin"

This only creates the Application object for you. After this you would have to run the following command to create its corresponding service principal.

 New-AzureADServicePrincipal -AccountEnabled $true -AppId $samlApp.AppId `
     -AppRoleAssignmentRequired $true -DisplayName $appName `
     -Tags {WindowsAzureActiveDirectoryIntegratedApp}

Your overall PowerShell code should look something like:

 $appName = "SAMLAppTest1"
 $samlApp = New-AzureADApplication -DisplayName $appName `
                        -IdentifierUris "http://mynewapp.contoso.com" `
                        -SamlMetadataURL "http://mynewapp.contoso.com/metadata.xml" `
                        -ReplyUrls "http://mynewapp.contoso.com/finishLogin"
    
 Get-AzureADApplication -SearchString $appName
    
 New-AzureADServicePrincipal -AccountEnabled $true `
                             -AppId $samlApp.AppId `
                             -AppRoleAssignmentRequired $true `
                             -DisplayName $appName `
                             -Tags {WindowsAzureActiveDirectoryIntegratedApp}
    
 Get-AzureADServicePrincipal -SearchString $appName

Same goes for Microsoft Graph API.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

@soumi-MSFT : Thanks for the clarification.


But this doesn't create a SAML application. You can't see the SSO configuration in the portal when it is created via PowerShell.

See the screenshot below: there is no configuration where you can see SSO configured with SAML.

[Screenshot: 7393-application-settings.png]

If you create it via the portal, you'll see the option to configure the SSO setting, as highlighted in the snapshot below.

[Screenshot: 7422-saml-application-settings.png]

Let me know if this is working for you, because this is not considered a SAML application via PowerShell or Graph API.


soumi-MSFT answered:

@Rahul-7230, yes, you are correct; even when I tested the same with PowerShell, I was somehow not able to get the Single Sign-On option in the enterprise section of the newly created application. I tried the same with the Microsoft Graph API using the same API endpoint that you used.

API: https://graph.microsoft.com/beta/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate

I used the Microsoft Graph API beta endpoint to create a SAML application based on the standard SAML application template ID. This will create a base SAML application in Azure AD that you can then update the SAML metadata from.

https://docs.microsoft.com/en-us/graph/api/applicationtemplate-instantiate?view=graph-rest-beta&tabs=http

The ID of the basic SAML application template from Microsoft is: 8adf8e6e-67b2-4cf2-a259-e3dc5476c621

The endpoint URI for creating the application would then be the one below, with a request body JSON object containing displayName:

 Request Type: Post
    
 Request Body:
 {"displayName":"SAMLTestApp2"}
    
 URI Endpoint:
 https://graph.microsoft.com/beta/applicationTemplates/8adf8e6e-67b2-4cf2-a259-e3dc5476c621/instantiate

This API call creates both the Application object and the Service Principal object in one go. Also, the service principal created by this API lists the Single Sign-On option under the Enterprise Application section for this app. [Please refer to the screenshots]

[Screenshot: 7363-samlapp-img1.png]

[Screenshot: 7313-samlapp-img2.png]

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

@soumi-MSFT : Thanks for the update.

I also tried creating the application via Graph API using the template. The issue is that it will not update the Basic SAML SSO settings, i.e. Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), and Attribute settings.

The above example is more or less equivalent to creating the application via the GUI, because we are doing the essential SAML configuration manually.

The application should be created with the required SAML settings mentioned above, Entity ID or Reply URL.

Is there a way to update the basic SAML configuration via PowerShell or Graph API in Azure AD? Any idea how to proceed here?

@Rahul-7230, unfortunately there is no way yet available to update the Basic SAML configuration in an automated way. While using the Microsoft Graph API and the ApplicationTemplate, you can only modify the following parameters:

 {
     "id": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
     "displayName": "Custom",
     "homePageUrl": "",
     "supportedSingleSignOnModes": [
         "password",
         "saml",
         "external"
     ],
     "supportedProvisioningTypes": [
         "sync"
     ],
     "logoUrl": "https://az495088.vo.msecnd.net/app-logo/customappsso_215.png",
     "categories": [
         "custom"
     ],
     "publisher": "",
     "description": null
 }

Hope this helps.

@soumi-MSFT : Thanks for your quick and prompt response on this post.

I appreciate you bringing clarity to app creation. Sorry, since this is not an answer to my ask, I couldn't mark it as the answer here.

I see many people are looking for this SAML application API in Azure AD so that they can do many customizations programmatically.

  1. https://social.msdn.microsoft.com/Forums/azure/en-US/a4200216-ce60-43b5-bbd6-76077ade3e3c/create-azure-sso-application-using-the-graph-api?forum=WindowsAzureAD (@SaurabhSharma-msft )

  2. https://social.msdn.microsoft.com/Forums/azure/en-US/e30ea277-519c-4511-81b8-fb57157fdad6/register-a-new-enteprise-application-with-saml-using-powershell-or-graph-api?forum=WindowsAzureAD (@FrankHuMSFT-3200 )


Hello,

When I call this API via the Microsoft Graph API it creates the application, but when I try to call this API via a PowerShell or Python script it gives me a 403 Forbidden error. I am adding the error details here. In the script I am passing the token in the headers and just the application display name in the body. Could you tell me what I am doing wrong here?

PowerShell:
Invoke-RestMethod : {
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2020-07-09T03:28:59",
"request-id": "XXXXXXXXXXXX"
}
}
}

Python:
{
"error": {
"code": "UnknownError",
"message": "",
"innerError": {
"date": "2020-07-10T14:59:50",
"request-id": "XXXXXXXXXXXXXX"
}
}
}

GonzaloParra-5722 answered:
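The Graph flow from the answer above (POST to the applicationTemplates instantiate endpoint, which returns both the application and the service principal) and the 403 reported in the last comment are easiest to reason about with a small client whose HTTP transport can be swapped out. The following is an added example, not code from this thread or from Microsoft; it uses the template ID, request body and 403 envelope quoted in the thread, and constructs fake responses so it runs offline. The follow-up PATCH properties (preferredSingleSignOnMode, tags, identifierUris, web.redirectUris) are assumptions taken from Microsoft Graph's servicePrincipal and application resource documentation, not from this post, and should be verified against the current docs; the permission named for instantiate (Application.ReadWrite.All) is likewise from the Graph docs. A 403 with code UnknownError and an empty message, as in the comment above, is most often a token that lacks that permission or carries the wrong audience, and the request-id in innerError is what Microsoft support asks for.

```python
"""Added example: drive the Graph SAML-template flow through an injectable transport.
Transport signature: (method, url, headers, json_body_or_None) -> (status, parsed_json)."""
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/beta"
SAML_TEMPLATE_ID = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"  # template ID quoted in the thread
SSO_TAG = "WindowsAzureActiveDirectoryCustomSingleSignOnApplication"  # tag named later in the thread

Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class GraphError(Exception):
    """Unpacks Graph's error envelope; keeps the request-id, which matters when message is empty."""

    def __init__(self, status: int, body: Any):
        err = body.get("error", {}) if isinstance(body, dict) else {}
        inner = err.get("innerError") or {}
        self.status = status
        self.code = err.get("code", "")
        self.message = err.get("message", "")
        self.request_id = inner.get("request-id", "")
        super().__init__(f"HTTP {status} {self.code}: {self.message or '<empty>'} "
                         f"(request-id={self.request_id or '?'})")


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: Optional[dict]):
    """Real transport using only the standard library; not exercised by the offline test."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as e:  # Graph returns its error envelope in the body
        raw = e.read()
        return e.code, (json.loads(raw) if raw else {})


class SamlAppProvisioner:
    def __init__(self, token: str, transport: Transport):
        self.token = token
        self.transport = transport
        self.calls: List[Tuple[str, str, Optional[dict]]] = []  # audit trail of every request

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        self.calls.append((method, path, body))
        status, resp = self.transport(method, GRAPH + path, headers, body)
        if not 200 <= status < 300:
            raise GraphError(status, resp)
        return resp

    def instantiate(self, display_name: str) -> Tuple[str, str]:
        """The call from the thread. Requires Application.ReadWrite.All (Graph docs, assumed here).
        Returns the object IDs of the created application and service principal."""
        resp = self._call("POST", f"/applicationTemplates/{SAML_TEMPLATE_ID}/instantiate",
                          {"displayName": display_name})
        return resp["application"]["id"], resp["servicePrincipal"]["id"]

    def configure_basic_saml(self, app_obj_id: str, sp_obj_id: str, entity_id: str, reply_url: str):
        """Assumed from Graph resource docs, not from the thread: SSO mode and tag go on the
        service principal; Identifier (Entity ID) and Reply URL go on the application object."""
        self._call("PATCH", f"/servicePrincipals/{sp_obj_id}",
                   {"preferredSingleSignOnMode": "saml", "tags": [SSO_TAG]})
        self._call("PATCH", f"/applications/{app_obj_id}",
                   {"identifierUris": [entity_id], "web": {"redirectUris": [reply_url]}})


def provision_saml_app(token: str, transport: Transport, display_name: str,
                       entity_id: str, reply_url: str) -> dict:
    p = SamlAppProvisioner(token, transport)
    app_id, sp_id = p.instantiate(display_name)
    p.configure_basic_saml(app_id, sp_id, entity_id, reply_url)
    return {"applicationId": app_id, "servicePrincipalId": sp_id, "calls": p.calls}


# Constructed fake transports so the flow can be exercised without a tenant.
def fake_ok_transport(method, url, headers, body):
    """Mimics Graph: instantiate returns both objects (constructed IDs), PATCH returns 204."""
    assert headers["Authorization"].startswith("Bearer "), "token header missing"
    if url.endswith("/instantiate"):
        return 201, {"application": {"id": "app-obj-0001", "displayName": body["displayName"]},
                     "servicePrincipal": {"id": "sp-obj-0001"}}
    return 204, {}


def fake_forbidden_transport(method, url, headers, body):
    """Constructed copy of the 403 envelope quoted in the comment above (request-id redacted there)."""
    return 403, {"error": {"code": "UnknownError", "message": "",
                           "innerError": {"date": "2020-07-10T14:59:50",
                                          "request-id": "XXXXXXXXXXXXXX"}}}


if __name__ == "__main__":
    # Swap fake_ok_transport for urllib_transport and a real bearer token to run against a tenant.
    result = provision_saml_app("<token placeholder>", fake_ok_transport, "SAMLTestApp2",
                                "http://mynewapp.contoso.com", "http://mynewapp.contoso.com/finishLogin")
    print(json.dumps(result, indent=2))
```

The `calls` list returned by `provision_saml_app` is the audit record of what the script sent, which is what you want to compare against the portal when a PATCH silently does less than expected; the transport split is what lets the 403 case be reproduced and the request-id surfaced without a live tenant.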

I know this is an old post but wanted to include this here for anyone having the same issue.

For PowerShell, the way to get the Single sign-on section is to add the tag WindowsAzureActiveDirectoryCustomSingleSignOnApplication when creating the AzureADServicePrincipal.

Hi,
It would be great if you posted the piece of code so we can use it as a reference.

You can do this using the Set-AzureADServicePrincipal command, or during New-AzureADServicePrincipal.

 # -ObjectId is mandatory for Set-AzureADServicePrincipal; $sp is assumed to be the
 # service principal object returned earlier by New-AzureADServicePrincipal
 Set-AzureADServicePrincipal -ObjectId $sp.ObjectId `
     -AccountEnabled $true `
     -AppId $samlApp.AppId `
     -AppRoleAssignmentRequired $true `
     -DisplayName $appName `
     -Tags {WindowsAzureActiveDirectoryCustomSingleSignOnApplication}