JakeClawson asked ·

Identify SAML-enabled apps in Azure AD

I'm trying to build some governance around SSO-enabled applications in my environment. I have multiple apps which have SAML/OAuth/OIDC integration with Azure AD. Is there a way to get the data from Azure AD about "Which protocol is this app using for SSO?"

The end goal here is to identify all SSO-enabled apps with the protocols used, for future migration.

So far, I've tried to look into AzureAD and Az Powershell modules, but haven't found a way to clearly determine that from the cmdlets.

azure-active-directory

soumi-MSFT answered ·

@JakeClawson, You can use the following PS snippet:

 # Label attached to every service principal that passes the filter below
 $type = "SAML APP"
 # Enumerate all service principals and keep the ones carrying a gallery or non-gallery SAML tag
 Get-AzureADServicePrincipal -All $true | Where-Object {($_.Tags -contains "WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1") -or ($_.Tags -contains "WindowsAzureActiveDirectoryCustomSingleSignOnApplication")} | Select DisplayName, @{Name="AppType"; Expression={$type}}

Every application, be it an OAuth app or a SAML app (both gallery and non-gallery apps), has two objects created in AAD when its registration happens. One is called the Application object and the other is the Service Principal object. I used the Service Principal object to prepare this snippet. When you dump the properties of a Service Principal object using PS, you will find that every application has a certain number of Tags associated with it, like:

  • OAuth apps would have a tag called "WindowsAzureActiveDirectoryIntegratedApp"

  • Gallery SAML Apps would have a tag called "WindowsAzureActiveDirectoryGalleryApplicationPrimaryV1"

  • Non-Gallery SAML Apps would have a tag called "WindowsAzureActiveDirectoryCustomSingleSignOnApplication"

Hence you can use the following Tags to find out what kind of app it is. Now, the Tag "WindowsAzureActiveDirectoryIntegratedApp" is common to all types of apps (the categories mentioned in the above list); hence, using the snippet I shared above, you can list all the SAML apps (both gallery and non-gallery), and the rest of the apps would be your OAuth apps.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


@JakeClawson, I wanted to follow up and understand if the above response helped in answering your query. If it did, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.


Thanks for your reply Soumi!
Let me give it a try and I'll post my feedback.


@JakeClawson, Sure, take your time, and hopefully this snippet helps you. Feel free to reach out in case any more queries pop up.


This is exactly what I was looking for, thank you!
@soumi-MSFT Side question: is it possible to achieve the same goal with a Graph API call?

JakeClawson answered ·

@soumi-MSFT I'm gonna have to uncheck your answer as valid for now, and here's why:
I've tried to create a new, empty application using the Azure portal, did no configuration whatsoever, and here's what I get when I query this app using PS:
[Attachment: untitled.png, screenshot of the PowerShell output for the new app]
3 tags have been applied to this app immediately, basically saying that it could be either SAML or OAuth.
Am I missing something?

soumi-MSFT answered ·

@JakeClawson, That's correct, nothing is wrong in the steps you performed. Now let me explain. When you create an application under Enterprise applications by choosing the non-gallery app option, you only get to create a SAML, Password-based or Linked type of application, but not an OAuth app.
[Attachment: customsaml.png, screenshot of the non-gallery application SSO options]
Note: As mentioned earlier, the Tag "WindowsAzureActiveDirectoryIntegratedApp" is common to all types of apps (the categories mentioned in the above list); hence, using the snippet I shared above, you can list all the SAML apps (both gallery and non-gallery), and the rest of the apps would be your OAuth apps.

Further clarifying, for SAML applications we have two categories, Gallery applications and Non-Gallery applications, wherein Gallery applications would only contain the tag "WindowsAzureActiveDirectoryGalleryApplicationPrimaryV1", and the non-gallery apps would contain both of the following tags: "WindowsAzureActiveDirectoryGalleryApplicationPrimaryV1" (since it's also a SAML app) and "WindowsAzureActiveDirectoryCustomSingleSignOnApplication" (specific to Non-Gallery apps).

Based on this, I found that this is the best way to segregate applications into OAuth and SAML apps. Now, the condition you are specifying should, I believe, cover the tags for SAML apps only, and the remaining apps would be OAuth apps.

Do let me know if this helps.
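The tag rules from both answers above, combined into one classification pass with the non-gallery tag tested before the gallery tag (since the second answer notes non-gallery SAML apps carry both). This is an added example, not code from the thread or from Microsoft; it assumes the AzureAD module is loaded and Connect-AzureAD has already run, and the function name Get-SsoAppType and the output file path are assumptions.

```powershell
# Added example: classify every service principal by the tags described in the
# thread. Assumes the AzureAD module is installed and Connect-AzureAD has run.
function Get-SsoAppType {
    param([string[]] $Tags = @())   # hypothetical helper name, not from the thread

    if (-not $Tags) { return 'Untagged' }

    # A non-gallery SAML app carries the gallery tag as well, so test the
    # custom-SSO tag first or it would be misreported as a gallery app.
    if ($Tags -contains 'WindowsAzureActiveDirectoryCustomSingleSignOnApplication') {
        return 'SAML (non-gallery)'
    }
    if ($Tags -contains 'WindowsAzureActiveDirectoryGalleryApplicationPrimaryV1' -or
        $Tags -contains 'WindowsAzureActiveDirectoryGalleryApplicationNonPrimaryV1') {
        return 'SAML (gallery)'
    }
    # The integrated-app tag is common to all app types, so it only identifies
    # OAuth/OIDC apps once the SAML tags have been ruled out.
    if ($Tags -contains 'WindowsAzureActiveDirectoryIntegratedApp') {
        return 'OAuth/OIDC'
    }
    return 'Unknown'
}

$inventory = Get-AzureADServicePrincipal -All $true | ForEach-Object {
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        AppId       = $_.AppId
        AppType     = Get-SsoAppType -Tags $_.Tags
        Tags        = ($_.Tags -join ';')
    }
}

# Summary per protocol, then the full list for the migration inventory
# (output path is an assumption; change it to suit).
$inventory | Group-Object AppType | Select-Object Name, Count | Format-Table -AutoSize
$inventory | Export-Csv -Path .\sso-app-inventory.csv -NoTypeInformation
```

Service principals reported as Unknown carry tags other than the four named in the thread and are worth reviewing by hand before deciding their migration path.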

@soumi-MSFT thanks for your quick reply.
So we assume that in order to get SAML apps we run the snippet provided by you, and if we want to filter OAuth apps we run a query for apps that do not contain the tags mentioned by you in the last comment; would that be right?
In the meantime, to register an app which won't get these tags by default, we would rather use the "App Registrations" blade; does it make sense?


@JakeClawson, I'm facing some issues posting the response here. Can you please share your email ID at azcommunity[at]microsoft[dot]com, so that I can share the details by email until this gets fixed?


Just sent an email.
