Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
278 views
in Technique[技术] by (71.8m points)

Azure REST Call to get enterprise application single sign-on information

Trying to use the Microsoft Graph API to get information about my Enterprise Applications. I can get a lot of it via the applications and serviceProviders calls, but I don't see a way to get the information that is available on the Single sign-on tab in the Azure portal.

I assumed it was claimsMappingPolicies but that always returns an empty list, when doing a https://graph.microsoft.com/v1.0/serviceProviders/{id}/claimsMappingPolicies for a particular service provider or just calling https://graph.microsoft.com/v1.0/claimsMappingPolicies.

The result is

Body:  {"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#policies/claimsMappingPolicies","value":[]}

I've tried all the other policies around the application and serviceProvider with no luck.

Is there another API that I can use to get this information?

For reference here is a screenshot of the information that I'm looking for:

enter image description here



1 Reply

0 votes
by (71.8m points)

We can use Microsoft Graph to configure the SAML-based SSO app.

So most SAML-based SSO information endpoints should be available on this page.

I think your concern is how to get the basic user claims.

Unfortunately the data is not exposed by Microsoft Graph. Microsoft Graph can only get the custom claims which you configured with claimsMappingPolicies. It means if you configure claimsMappingPolicies with Microsoft Graph, you can get it with Microsoft Graph.

If you update the user attributes and claims in the Azure portal, you will find it's calling this endpoint:

POST https://main.iam.ad.ext.azure.com/api/ApplicationSso/{service principal object id}/FederatedSsoClaimsPolicyV2

which is different from Microsoft Graph.

So I'm afraid that MS doesn't expose an API to do this.
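An added example, not part of the original answer: a Python sketch for auditing what a claimsMappingPolicies response does and does not tell you, using the distinction the answer draws between Graph-managed custom claims and claims edited in the portal. It assumes the Graph claimsMappingPolicy layout, where each `definition` entry is a JSON string holding a `ClaimsMappingPolicy` with a `ClaimsSchema` list; the sample bodies, policy name, id and claim URIs are constructed.

```python
import json

# Constructed sample bodies. EMPTY_BODY matches the result shown in the question.
EMPTY_BODY = ('{"@odata.context":"https://graph.microsoft.com/v1.0/'
              '$metadata#policies/claimsMappingPolicies","value":[]}')
POLICY_BODY = json.dumps({"value": [{
    "id": "00000000-0000-0000-0000-000000000001",  # placeholder id
    "displayName": "example-saml-claims",          # constructed name
    "definition": [json.dumps({"ClaimsMappingPolicy": {
        "Version": 1, "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [
            {"Source": "user", "ID": "employeeid",
             "SamlClaimType": "http://schemas.example.test/claims/employeeid"},
            {"Source": "user", "ID": "mail", "JwtClaimType": "email"},
        ]}})],
}]})


def summarize_claims_policies(body: str) -> dict:
    """Flatten the custom claim mappings found in a claimsMappingPolicies response."""
    policies = json.loads(body).get("value", [])
    claims, unparsed = [], []
    for policy in policies:
        for raw in policy.get("definition", []):
            # Each definition entry is itself a JSON document stored as a string.
            try:
                schema = json.loads(raw)["ClaimsMappingPolicy"].get("ClaimsSchema", [])
            except (ValueError, KeyError, TypeError, AttributeError):
                unparsed.append(policy.get("id"))
                continue
            for entry in schema:
                claims.append({
                    "policy": policy.get("displayName"),
                    "source": entry.get("Source"),
                    "attribute": entry.get("ID"),
                    "emitted_as": entry.get("SamlClaimType") or entry.get("JwtClaimType"),
                })
    return {
        # False means no Graph-managed policy is assigned. Claims edited on the
        # portal's Single sign-on tab are not covered, so it does not mean
        # "no claims are issued".
        "graph_visible_policy": bool(policies),
        "claims": claims,
        "unparsed_policy_ids": unparsed,
    }
```

An audit script should treat `graph_visible_policy: False` as "unknown via Graph" rather than "default claims only", since portal-side edits go through the separate endpoint named in the answer.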

