Konfigurieren des SAML-basierten einmaligen Anmeldens für Ihre Anwendung mithilfe von Microsoft Graph

Artikel
02/26/2024

Einmaliges Anmelden (Single Sign-On, SSO) ist eine Authentifizierungsmethode, mit der sich Benutzer bei einer Anwendung anmelden und dann auf mehrere Anwendungen zugreifen können, ohne sich erneut anmelden zu müssen. Microsoft Entra unterstützt verschiedene SSO-Methoden, einschließlich OpenID Connect, OAuth, Security Assertion Markup Language (SAML), kennwortbasiertes und verknüpftes einmaliges Anmelden. Mithilfe von Microsoft Graph können Sie die Konfiguration des einmaligen Anmeldens für Ihre Anwendung automatisieren.

In diesem Tutorial wird Folgendes vermittelt:

Identifizieren von SAML-basierten Apps im Microsoft Entra-Katalog und Konfigurieren des SAML-basierten einmaligen Anmeldens für eine App
Hinzufügen von App-Rollen zu einer Anwendung und Zuweisen dieser Rollen für Benutzer
Konfigurieren von Ansprüchen, die im SAML-Token ausgegeben werden sollen
Konfigurieren eines Zertifikats für verbundbasiertes einmaliges Anmelden
Abrufen der Microsoft Entra ID-SAML-Metadaten für Ihre Anwendung, die Sie zum Abschließen der Integration verwenden

Voraussetzungen

Melden Sie sich bei einem API-Client wie Graph-Explorer als Benutzer mit der Rolle Cloudanwendungsadministrator in Ihrem Microsoft Entra-Mandanten an.
Gewähren Sie sich die folgenden delegierten Berechtigungen: Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, Policy.Read.All, Policy.ReadWrite.ApplicationConfigurationund User.ReadWrite.All.
Lassen Sie einen Testbenutzer der Anwendung zuweisen.

Schritt 1: Identifizieren der zu konfigurierenden Anwendung

Microsoft Entra ID verfügt über einen Katalog, der Tausende von vorintegrierten Anwendungen enthält, die Sie als Vorlage für Ihre Anwendung verwenden können. In Microsoft Graph ist diese Liste über die ApplicationTemplate-Entität verfügbar.

In diesem Schritt identifizieren Sie die Anwendungsvorlage für die AWS IAM Identity Center (successor to AWS Single Sign-On) Anwendung, die Sie konfigurieren möchten. Notieren Sie sich die ID.

Anforderung

GET https://graph.microsoft.com/v1.0/applicationTemplates?$filter=displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ApplicationTemplates.GetAsync((requestConfiguration) =>
{
	requestConfiguration.QueryParameters.Filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'";
});



mgc application-templates list --filter "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'"



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphapplicationtemplates "github.com/microsoftgraph/msgraph-sdk-go/applicationtemplates"
	  //other-imports
)


requestFilter := "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'"

requestParameters := &graphapplicationtemplates.ApplicationTemplatesRequestBuilderGetQueryParameters{
	Filter: &requestFilter,
}
configuration := &graphapplicationtemplates.ApplicationTemplatesRequestBuilderGetRequestConfiguration{
	QueryParameters: requestParameters,
}

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applicationTemplates, err := graphClient.ApplicationTemplates().Get(context.Background(), configuration)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ApplicationTemplateCollectionResponse result = graphClient.applicationTemplates().get(requestConfiguration -> {
	requestConfiguration.queryParameters.filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'";
});


const options = {
	authProvider,
};

const client = Client.init(options);

let applicationTemplates = await client.api('/applicationTemplates')
	.filter('displayName eq \'AWS IAM Identity Center (successor to AWS Single Sign-On)\'')
	.get();


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ApplicationTemplates\ApplicationTemplatesRequestBuilderGetRequestConfiguration;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestConfiguration = new ApplicationTemplatesRequestBuilderGetRequestConfiguration();
$queryParameters = ApplicationTemplatesRequestBuilderGetRequestConfiguration::createQueryParameters();
$queryParameters->filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'";
$requestConfiguration->queryParameters = $queryParameters;


$result = $graphServiceClient->applicationTemplates()->get($requestConfiguration)->wait();


Import-Module Microsoft.Graph.Applications

Get-MgApplicationTemplate -Filter "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'"


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.application_templates.application_templates_request_builder import ApplicationTemplatesRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ApplicationTemplatesRequestBuilder.ApplicationTemplatesRequestBuilderGetQueryParameters(
		filter = "displayName eq 'AWS IAM Identity Center (successor to AWS Single Sign-On)'",
)

request_configuration = RequestConfiguration(
query_parameters = query_params,
)

result = await graph_client.application_templates.get(request_configuration = request_configuration)

Antwort

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applicationTemplates",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET applicationTemplates?$select=categories,description",
    "value": [
        {
            "id": "21ed01d2-ec13-4e9e-86c1-cd546719ebc4",
            "displayName": "AWS IAM Identity Center (successor to AWS Single Sign-On)",
            "homePageUrl": "https://aws.amazon.com/",
            "supportedSingleSignOnModes": [
                "saml",
                "external"
            ],
            "supportedProvisioningTypes": [
                "sync"
            ],
            "logoUrl": "https://galleryapplogos1.azureedge.net/app-logo/awssinglesignon_FC86917E_215.png",
            "categories": [
                "developerServices",
                "itInfrastructure",
                "security",
                "New"
            ],
            "publisher": "Amazon Web Services, Inc.",
            "description": "Federate once to AWS IAM Identity Center (successor to AWS Single Sign-On) & use it to centrally manage access to multiple AWS accounts and IAM Identity Center enabled apps. Provision users via SCIM."
        }
    ]
}

Schritt 2: Instanziieren der Anwendung

Erstellen Sie mithilfe des Id-Werts für die Anwendungsvorlage eine Instanz der Anwendung in Ihrem Mandanten. Hier nennen Sie die Anwendung AWS Contoso. Die Antwort enthält ein Anwendungs- und Dienstprinzipalobjekt für AWS Contoso, bei dem es sich um eine Instanz der AWS IAM Identity Center-App (Nachfolger von AWS Single Sign-On) handelt. Notieren Sie sich die IDs der beiden Objekte zur späteren Verwendung in diesem Tutorial.

Anforderung

POST https://graph.microsoft.com/v1.0/applicationTemplates/21ed01d2-ec13-4e9e-86c1-cd546719ebc4/instantiate
Content-type: application/json

{
  "displayName": "AWS Contoso"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.ApplicationTemplates.Item.Instantiate;

var requestBody = new InstantiatePostRequestBody
{
	DisplayName = "AWS Contoso",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ApplicationTemplates["{applicationTemplate-id}"].Instantiate.PostAsync(requestBody);



mgc application-templates instantiate post --application-template-id {applicationTemplate-id} --body '{\
  "displayName": "AWS Contoso"\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphapplicationtemplates "github.com/microsoftgraph/msgraph-sdk-go/applicationtemplates"
	  //other-imports
)

requestBody := graphapplicationtemplates.NewInstantiatePostRequestBody()
displayName := "AWS Contoso"
requestBody.SetDisplayName(&displayName) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
instantiate, err := graphClient.ApplicationTemplates().ByApplicationTemplateId("applicationTemplate-id").Instantiate().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.applicationtemplates.item.instantiate.InstantiatePostRequestBody instantiatePostRequestBody = new com.microsoft.graph.applicationtemplates.item.instantiate.InstantiatePostRequestBody();
instantiatePostRequestBody.setDisplayName("AWS Contoso");
var result = graphClient.applicationTemplates().byApplicationTemplateId("{applicationTemplate-id}").instantiate().post(instantiatePostRequestBody);


const options = {
	authProvider,
};

const client = Client.init(options);

const applicationServicePrincipal = {
  displayName: 'AWS Contoso'
};

await client.api('/applicationTemplates/21ed01d2-ec13-4e9e-86c1-cd546719ebc4/instantiate')
	.post(applicationServicePrincipal);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ApplicationTemplates\Item\Instantiate\InstantiatePostRequestBody;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new InstantiatePostRequestBody();
$requestBody->setDisplayName('AWS Contoso');

$result = $graphServiceClient->applicationTemplates()->byApplicationTemplateId('applicationTemplate-id')->instantiate()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	displayName = "AWS Contoso"
}

Invoke-MgInstantiateApplicationTemplate -ApplicationTemplateId $applicationTemplateId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.applicationtemplates.item.instantiate.instantiate_post_request_body import InstantiatePostRequestBody
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = InstantiatePostRequestBody(
	display_name = "AWS Contoso",
)

result = await graph_client.application_templates.by_application_template_id('applicationTemplate-id').instantiate.post(request_body)

Antwort

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.applicationServicePrincipal",
    "application": {
        "id": "b7308000-8bb3-467b-bfc7-8dbbfd759ad9",
        "appId": "2fbc8259-0f56-4f56-9870-93a228020936",
        "applicationTemplateId": "21ed01d2-ec13-4e9e-86c1-cd546719ebc4",
        "createdDateTime": "2024-02-21T17:14:33Z",
        "deletedDateTime": null,
        "displayName": "AWS Contoso",
        "description": null,
        "groupMembershipClaims": null,
        "identifierUris": [],
        "isFallbackPublicClient": false,
        "signInAudience": "AzureADMyOrg",
        "tags": [],
        "tokenEncryptionKeyId": null,
        "defaultRedirectUri": null,
        "samlMetadataUrl": null,
        "optionalClaims": null,
        "addIns": [],
        "api": {
            "acceptMappedClaims": null,
            "knownClientApplications": [],
            "requestedAccessTokenVersion": null,
            "oauth2PermissionScopes": [
                {
                    "adminConsentDescription": "Allow the application to access AWS Contoso on behalf of the signed-in user.",
                    "adminConsentDisplayName": "Access AWS Contoso",
                    "id": "f5419931-094d-481d-b801-ab3ed60d48d8",
                    "isEnabled": true,
                    "type": "User",
                    "userConsentDescription": "Allow the application to access AWS Contoso on your behalf.",
                    "userConsentDisplayName": "Access AWS Contoso",
                    "value": "user_impersonation"
                }
            ],
            "preAuthorizedApplications": []
        },
        "appRoles": [
            {
                "allowedMemberTypes": [
                    "User"
                ],
                "displayName": "User",
                "id": "8774f594-1d59-4279-b9d9-59ef09a23530",
                "isEnabled": true,
                "description": "User",
                "value": null,
                "origin": "Application"
            },
            {
                "allowedMemberTypes": [
                    "User"
                ],
                "displayName": "msiam_access",
                "id": "e7f1a7f3-9eda-48e0-9963-bd67bf531afd",
                "isEnabled": true,
                "description": "msiam_access",
                "value": null,
                "origin": "Application"
            }
        ],
        "info": {
            "logoUrl": null,
            "marketingUrl": null,
            "privacyStatementUrl": null,
            "supportUrl": null,
            "termsOfServiceUrl": null
        },
        "keyCredentials": [],
        "parentalControlSettings": {
            "countriesBlockedForMinors": [],
            "legalAgeGroupRule": "Allow"
        },
        "passwordCredentials": [],
        "publicClient": {
            "redirectUris": []
        },
        "requiredResourceAccess": [],
        "verifiedPublisher": {
            "displayName": null,
            "verifiedPublisherId": null,
            "addedDateTime": null
        },
        "web": {
            "homePageUrl": "https://*.signin.aws.amazon.com/platform/saml/acs/*?metadata=awssinglesignon|ISV9.1|primary|z",
            "redirectUris": [
                "https://*.signin.aws.amazon.com/platform/saml/acs/*"
            ],
            "logoutUrl": null
        }
    },
    "servicePrincipal": {
        "id": "d3616293-fff8-4415-9f01-33b05dad1b46",
        "deletedDateTime": null,
        "accountEnabled": true,
        "appId": "2fbc8259-0f56-4f56-9870-93a228020936",
        "applicationTemplateId": "21ed01d2-ec13-4e9e-86c1-cd546719ebc4",
        "appDisplayName": "AWS Contoso",
        "alternativeNames": [],
        "appOwnerOrganizationId": "38d49456-54d4-455d-a8d6-c383c71e0a6d",
        "displayName": "AWS Contoso",
        "appRoleAssignmentRequired": true,
        "loginUrl": null,
        "logoutUrl": null,
        "homepage": "https://*.signin.aws.amazon.com/platform/saml/acs/*?metadata=awssinglesignon|ISV9.1|primary|z",
        "notificationEmailAddresses": [],
        "preferredSingleSignOnMode": null,
        "preferredTokenSigningKeyThumbprint": null,
        "replyUrls": [],
        "servicePrincipalNames": [
            "2fbc8259-0f56-4f56-9870-93a228020936"
        ],
        "servicePrincipalType": "Application",
        "tags": [
            "WindowsAzureActiveDirectoryIntegratedApp"
        ],
        "tokenEncryptionKeyId": null,
        "samlSingleSignOnSettings": null,
        "addIns": [],
        "appRoles": [
            {
                "allowedMemberTypes": [
                    "User"
                ],
                "displayName": "User",
                "id": "8774f594-1d59-4279-b9d9-59ef09a23530",
                "isEnabled": true,
                "description": "User",
                "value": null,
                "origin": "Application"
            },
            {
                "allowedMemberTypes": [
                    "User"
                ],
                "displayName": "msiam_access",
                "id": "e7f1a7f3-9eda-48e0-9963-bd67bf531afd",
                "isEnabled": true,
                "description": "msiam_access",
                "value": null,
                "origin": "Application"
            }
        ],
        "info": {
            "logoUrl": null,
            "marketingUrl": null,
            "privacyStatementUrl": null,
            "supportUrl": null,
            "termsOfServiceUrl": null
        },
        "keyCredentials": [],
        "oauth2PermissionScopes": [
            {
                "adminConsentDescription": "Allow the application to access AWS Contoso on behalf of the signed-in user.",
                "adminConsentDisplayName": "Access AWS Contoso",
                "id": "f5419931-094d-481d-b801-ab3ed60d48d8",
                "isEnabled": true,
                "type": "User",
                "userConsentDescription": "Allow the application to access AWS Contoso on your behalf.",
                "userConsentDisplayName": "Access AWS Contoso",
                "value": "user_impersonation"
            }
        ],
        "passwordCredentials": [],
        "verifiedPublisher": {
            "displayName": null,
            "verifiedPublisherId": null,
            "addedDateTime": null
        }
    }
}

Schritt 3: Konfigurieren des einmaligen Anmeldens

In diesem Schritt konfigurieren Sie einmaliges Anmelden sowohl für die AWS Contoso-Anwendung als auch für den Dienstprinzipal. Für die Anwendung konfigurieren Sie die SAML-URLs, während Sie für den Dienstprinzipal den SSO-Modus auf samlfestlegen.

Schritt 3.1: Festlegen des Modus für einmaliges Anmelden für den Dienstprinzipal

Legen Sie saml als SSO-Modus für den Dienstprinzipal fest, den Sie in Schritt 2 erstellt haben. Die Anforderung gibt einen 204 No Content Antwortcode zurück.

PATCH https://graph.microsoft.com/v1.0/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46
Content-type: application/json

{
  "preferredSingleSignOnMode": "saml"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ServicePrincipal
{
	PreferredSingleSignOnMode = "saml",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);



mgc service-principals patch --service-principal-id {servicePrincipal-id} --body '{\
  "preferredSingleSignOnMode": "saml"\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewServicePrincipal()
preferredSingleSignOnMode := "saml"
requestBody.SetPreferredSingleSignOnMode(&preferredSingleSignOnMode) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipal servicePrincipal = new ServicePrincipal();
servicePrincipal.setPreferredSingleSignOnMode("saml");
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);


const options = {
	authProvider,
};

const client = Client.init(options);

const servicePrincipal = {
  preferredSingleSignOnMode: 'saml'
};

await client.api('/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46')
	.update(servicePrincipal);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ServicePrincipal();
$requestBody->setPreferredSingleSignOnMode('saml');

$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	preferredSingleSignOnMode = "saml"
}

Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
	preferred_single_sign_on_mode = "saml",
)

result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)

Schritt 3.2: Festlegen grundlegender SAML-URLs für die Anwendung

Legen Sie in diesem Schritt die Web/redirectUris und web/redirectUris für die Anwendung fest, die Sie in Schritt 2 erstellt haben. Die Anforderung gibt einen 204 No Content Antwortcode zurück.

PATCH https://graph.microsoft.com/v1.0/applications/b7308000-8bb3-467b-bfc7-8dbbfd759ad9
Content-type: application/json

{
    "identifierUris": [
        "https://signin.aws.amazon.com/saml"
    ],
    "web": {
        "redirectUris": [
            "https://signin.aws.amazon.com/saml"
        ]
    }
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new Application
{
	IdentifierUris = new List<string>
	{
		"https://signin.aws.amazon.com/saml",
	},
	Web = new WebApplication
	{
		RedirectUris = new List<string>
		{
			"https://signin.aws.amazon.com/saml",
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].PatchAsync(requestBody);



mgc applications patch --application-id {application-id} --body '{\
    "identifierUris": [\
        "https://signin.aws.amazon.com/saml"\
    ],\
    "web": {\
        "redirectUris": [\
            "https://signin.aws.amazon.com/saml"\
        ]\
    }\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewApplication()
identifierUris := []string {
	"https://signin.aws.amazon.com/saml",
}
requestBody.SetIdentifierUris(identifierUris)
web := graphmodels.NewWebApplication()
redirectUris := []string {
	"https://signin.aws.amazon.com/saml",
}
web.SetRedirectUris(redirectUris)
requestBody.SetWeb(web)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
applications, err := graphClient.Applications().ByApplicationId("application-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

Application application = new Application();
LinkedList<String> identifierUris = new LinkedList<String>();
identifierUris.add("https://signin.aws.amazon.com/saml");
application.setIdentifierUris(identifierUris);
WebApplication web = new WebApplication();
LinkedList<String> redirectUris = new LinkedList<String>();
redirectUris.add("https://signin.aws.amazon.com/saml");
web.setRedirectUris(redirectUris);
application.setWeb(web);
Application result = graphClient.applications().byApplicationId("{application-id}").patch(application);


const options = {
	authProvider,
};

const client = Client.init(options);

const application = {
    identifierUris: [
        'https://signin.aws.amazon.com/saml'
    ],
    web: {
        redirectUris: [
            'https://signin.aws.amazon.com/saml'
        ]
    }
};

await client.api('/applications/b7308000-8bb3-467b-bfc7-8dbbfd759ad9')
	.update(application);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\Application;
use Microsoft\Graph\Generated\Models\WebApplication;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new Application();
$requestBody->setIdentifierUris(['https://signin.aws.amazon.com/saml', 	]);
$web = new WebApplication();
$web->setRedirectUris(['https://signin.aws.amazon.com/saml', 	]);
$requestBody->setWeb($web);

$result = $graphServiceClient->applications()->byApplicationId('application-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	identifierUris = @(
	"https://signin.aws.amazon.com/saml"
)
web = @{
	redirectUris = @(
	"https://signin.aws.amazon.com/saml"
)
}
}

Update-MgApplication -ApplicationId $applicationId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.application import Application
from msgraph.generated.models.web_application import WebApplication
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = Application(
	identifier_uris = [
		"https://signin.aws.amazon.com/saml",
	],
	web = WebApplication(
		redirect_uris = [
			"https://signin.aws.amazon.com/saml",
		],
	),
)

result = await graph_client.applications.by_application_id('application-id').patch(request_body)

Schritt 4: Hinzufügen von App-Rollen

Wenn die Anwendung die Rolleninformationen im Token erfordert, fügen Sie die Definition der Rollen im „application“-Objekt hinzu. Standardmäßig enthielt das appRoles-Objekt in der Anwendung und dem Dienstprinzipal in Schritt 2 die Standardrollen User und msiam_access . Ändern oder entfernen Sie sie nicht. Um weitere Rollen hinzuzufügen, müssen Sie sowohl die vorhandenen Rollen als auch die neuen Rollen in das appRoles-Objekt in der Anforderung einschließen. Andernfalls werden die vorhandenen Rollen ersetzt.

Fügen Sie in diesem Schritt die Finance,WAAD Rollen und Admin,WAAD dem AWS Contoso-Dienstprinzipal hinzu. Die Anforderung gibt einen 204 No Content Antwortcode zurück.

PATCH https://graph.microsoft.com/v1.0/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46
Content-type: application/json

{
    "appRoles": [
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "User",
            "displayName": "User",
            "id": "8774f594-1d59-4279-b9d9-59ef09a23530",
            "isEnabled": true,
            "origin": "Application",
            "value": null
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "msiam_access",
            "displayName": "msiam_access",
            "id": "e7f1a7f3-9eda-48e0-9963-bd67bf531afd",
            "isEnabled": true,
            "origin": "Application",
            "value": null
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Admin,WAAD",
            "displayName": "Admin,WAAD",
            "id": "3a84e31e-bffa-470f-b9e6-754a61e4dc63",
            "isEnabled": true,
            "value": "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD"
        },
        {
            "allowedMemberTypes": [
                "User"
            ],
            "description": "Finance,WAAD",
            "displayName": "Finance,WAAD",
            "id": "7a960000-ded3-455b-8c04-4f2ace00319b",
            "isEnabled": true,
            "value": "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD"
        }
    ]
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ServicePrincipal
{
	AppRoles = new List<AppRole>
	{
		new AppRole
		{
			AllowedMemberTypes = new List<string>
			{
				"User",
			},
			Description = "User",
			DisplayName = "User",
			Id = Guid.Parse("8774f594-1d59-4279-b9d9-59ef09a23530"),
			IsEnabled = true,
			Origin = "Application",
			Value = null,
		},
		new AppRole
		{
			AllowedMemberTypes = new List<string>
			{
				"User",
			},
			Description = "msiam_access",
			DisplayName = "msiam_access",
			Id = Guid.Parse("e7f1a7f3-9eda-48e0-9963-bd67bf531afd"),
			IsEnabled = true,
			Origin = "Application",
			Value = null,
		},
		new AppRole
		{
			AllowedMemberTypes = new List<string>
			{
				"User",
			},
			Description = "Admin,WAAD",
			DisplayName = "Admin,WAAD",
			Id = Guid.Parse("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
			IsEnabled = true,
			Value = "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD",
		},
		new AppRole
		{
			AllowedMemberTypes = new List<string>
			{
				"User",
			},
			Description = "Finance,WAAD",
			DisplayName = "Finance,WAAD",
			Id = Guid.Parse("7a960000-ded3-455b-8c04-4f2ace00319b"),
			IsEnabled = true,
			Value = "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD",
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);



mgc service-principals patch --service-principal-id {servicePrincipal-id} --body '{\
    "appRoles": [\
        {\
            "allowedMemberTypes": [\
                "User"\
            ],\
            "description": "User",\
            "displayName": "User",\
            "id": "8774f594-1d59-4279-b9d9-59ef09a23530",\
            "isEnabled": true,\
            "origin": "Application",\
            "value": null\
        },\
        {\
            "allowedMemberTypes": [\
                "User"\
            ],\
            "description": "msiam_access",\
            "displayName": "msiam_access",\
            "id": "e7f1a7f3-9eda-48e0-9963-bd67bf531afd",\
            "isEnabled": true,\
            "origin": "Application",\
            "value": null\
        },\
        {\
            "allowedMemberTypes": [\
                "User"\
            ],\
            "description": "Admin,WAAD",\
            "displayName": "Admin,WAAD",\
            "id": "3a84e31e-bffa-470f-b9e6-754a61e4dc63",\
            "isEnabled": true,\
            "value": "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD"\
        },\
        {\
            "allowedMemberTypes": [\
                "User"\
            ],\
            "description": "Finance,WAAD",\
            "displayName": "Finance,WAAD",\
            "id": "7a960000-ded3-455b-8c04-4f2ace00319b",\
            "isEnabled": true,\
            "value": "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD"\
        }\
    ]\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewServicePrincipal()


appRole := graphmodels.NewAppRole()
allowedMemberTypes := []string {
	"User",
}
appRole.SetAllowedMemberTypes(allowedMemberTypes)
description := "User"
appRole.SetDescription(&description) 
displayName := "User"
appRole.SetDisplayName(&displayName) 
id := uuid.MustParse("8774f594-1d59-4279-b9d9-59ef09a23530")
appRole.SetId(&id) 
isEnabled := true
appRole.SetIsEnabled(&isEnabled) 
origin := "Application"
appRole.SetOrigin(&origin) 
value := null
appRole.SetValue(&value) 
appRole1 := graphmodels.NewAppRole()
allowedMemberTypes := []string {
	"User",
}
appRole1.SetAllowedMemberTypes(allowedMemberTypes)
description := "msiam_access"
appRole1.SetDescription(&description) 
displayName := "msiam_access"
appRole1.SetDisplayName(&displayName) 
id := uuid.MustParse("e7f1a7f3-9eda-48e0-9963-bd67bf531afd")
appRole1.SetId(&id) 
isEnabled := true
appRole1.SetIsEnabled(&isEnabled) 
origin := "Application"
appRole1.SetOrigin(&origin) 
value := null
appRole1.SetValue(&value) 
appRole2 := graphmodels.NewAppRole()
allowedMemberTypes := []string {
	"User",
}
appRole2.SetAllowedMemberTypes(allowedMemberTypes)
description := "Admin,WAAD"
appRole2.SetDescription(&description) 
displayName := "Admin,WAAD"
appRole2.SetDisplayName(&displayName) 
id := uuid.MustParse("3a84e31e-bffa-470f-b9e6-754a61e4dc63")
appRole2.SetId(&id) 
isEnabled := true
appRole2.SetIsEnabled(&isEnabled) 
value := "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD"
appRole2.SetValue(&value) 
appRole3 := graphmodels.NewAppRole()
allowedMemberTypes := []string {
	"User",
}
appRole3.SetAllowedMemberTypes(allowedMemberTypes)
description := "Finance,WAAD"
appRole3.SetDescription(&description) 
displayName := "Finance,WAAD"
appRole3.SetDisplayName(&displayName) 
id := uuid.MustParse("7a960000-ded3-455b-8c04-4f2ace00319b")
appRole3.SetId(&id) 
isEnabled := true
appRole3.SetIsEnabled(&isEnabled) 
value := "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD"
appRole3.SetValue(&value) 

appRoles := []graphmodels.AppRoleable {
	appRole,
	appRole1,
	appRole2,
	appRole3,
}
requestBody.SetAppRoles(appRoles)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipal servicePrincipal = new ServicePrincipal();
LinkedList<AppRole> appRoles = new LinkedList<AppRole>();
AppRole appRole = new AppRole();
LinkedList<String> allowedMemberTypes = new LinkedList<String>();
allowedMemberTypes.add("User");
appRole.setAllowedMemberTypes(allowedMemberTypes);
appRole.setDescription("User");
appRole.setDisplayName("User");
appRole.setId(UUID.fromString("8774f594-1d59-4279-b9d9-59ef09a23530"));
appRole.setIsEnabled(true);
appRole.setOrigin("Application");
appRole.setValue(null);
appRoles.add(appRole);
AppRole appRole1 = new AppRole();
LinkedList<String> allowedMemberTypes1 = new LinkedList<String>();
allowedMemberTypes1.add("User");
appRole1.setAllowedMemberTypes(allowedMemberTypes1);
appRole1.setDescription("msiam_access");
appRole1.setDisplayName("msiam_access");
appRole1.setId(UUID.fromString("e7f1a7f3-9eda-48e0-9963-bd67bf531afd"));
appRole1.setIsEnabled(true);
appRole1.setOrigin("Application");
appRole1.setValue(null);
appRoles.add(appRole1);
AppRole appRole2 = new AppRole();
LinkedList<String> allowedMemberTypes2 = new LinkedList<String>();
allowedMemberTypes2.add("User");
appRole2.setAllowedMemberTypes(allowedMemberTypes2);
appRole2.setDescription("Admin,WAAD");
appRole2.setDisplayName("Admin,WAAD");
appRole2.setId(UUID.fromString("3a84e31e-bffa-470f-b9e6-754a61e4dc63"));
appRole2.setIsEnabled(true);
appRole2.setValue("arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD");
appRoles.add(appRole2);
AppRole appRole3 = new AppRole();
LinkedList<String> allowedMemberTypes3 = new LinkedList<String>();
allowedMemberTypes3.add("User");
appRole3.setAllowedMemberTypes(allowedMemberTypes3);
appRole3.setDescription("Finance,WAAD");
appRole3.setDisplayName("Finance,WAAD");
appRole3.setId(UUID.fromString("7a960000-ded3-455b-8c04-4f2ace00319b"));
appRole3.setIsEnabled(true);
appRole3.setValue("arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD");
appRoles.add(appRole3);
servicePrincipal.setAppRoles(appRoles);
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);


const options = {
	authProvider,
};

const client = Client.init(options);

const servicePrincipal = {
    appRoles: [
        {
            allowedMemberTypes: [
                'User'
            ],
            description: 'User',
            displayName: 'User',
            id: '8774f594-1d59-4279-b9d9-59ef09a23530',
            isEnabled: true,
            origin: 'Application',
            value: null
        },
        {
            allowedMemberTypes: [
                'User'
            ],
            description: 'msiam_access',
            displayName: 'msiam_access',
            id: 'e7f1a7f3-9eda-48e0-9963-bd67bf531afd',
            isEnabled: true,
            origin: 'Application',
            value: null
        },
        {
            allowedMemberTypes: [
                'User'
            ],
            description: 'Admin,WAAD',
            displayName: 'Admin,WAAD',
            id: '3a84e31e-bffa-470f-b9e6-754a61e4dc63',
            isEnabled: true,
            value: 'arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD'
        },
        {
            allowedMemberTypes: [
                'User'
            ],
            description: 'Finance,WAAD',
            displayName: 'Finance,WAAD',
            id: '7a960000-ded3-455b-8c04-4f2ace00319b',
            isEnabled: true,
            value: 'arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD'
        }
    ]
};

await client.api('/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46')
	.update(servicePrincipal);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;
use Microsoft\Graph\Generated\Models\AppRole;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ServicePrincipal();
$appRolesAppRole1 = new AppRole();
$appRolesAppRole1->setAllowedMemberTypes(['User', 	]);
$appRolesAppRole1->setDescription('User');
$appRolesAppRole1->setDisplayName('User');
$appRolesAppRole1->setId('8774f594-1d59-4279-b9d9-59ef09a23530');
$appRolesAppRole1->setIsEnabled(true);
$appRolesAppRole1->setOrigin('Application');
$appRolesAppRole1->setValue(null);
$appRolesArray []= $appRolesAppRole1;
$appRolesAppRole2 = new AppRole();
$appRolesAppRole2->setAllowedMemberTypes(['User', 	]);
$appRolesAppRole2->setDescription('msiam_access');
$appRolesAppRole2->setDisplayName('msiam_access');
$appRolesAppRole2->setId('e7f1a7f3-9eda-48e0-9963-bd67bf531afd');
$appRolesAppRole2->setIsEnabled(true);
$appRolesAppRole2->setOrigin('Application');
$appRolesAppRole2->setValue(null);
$appRolesArray []= $appRolesAppRole2;
$appRolesAppRole3 = new AppRole();
$appRolesAppRole3->setAllowedMemberTypes(['User', 	]);
$appRolesAppRole3->setDescription('Admin,WAAD');
$appRolesAppRole3->setDisplayName('Admin,WAAD');
$appRolesAppRole3->setId('3a84e31e-bffa-470f-b9e6-754a61e4dc63');
$appRolesAppRole3->setIsEnabled(true);
$appRolesAppRole3->setValue('arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD');
$appRolesArray []= $appRolesAppRole3;
$appRolesAppRole4 = new AppRole();
$appRolesAppRole4->setAllowedMemberTypes(['User', 	]);
$appRolesAppRole4->setDescription('Finance,WAAD');
$appRolesAppRole4->setDisplayName('Finance,WAAD');
$appRolesAppRole4->setId('7a960000-ded3-455b-8c04-4f2ace00319b');
$appRolesAppRole4->setIsEnabled(true);
$appRolesAppRole4->setValue('arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD');
$appRolesArray []= $appRolesAppRole4;
$requestBody->setAppRoles($appRolesArray);


$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	appRoles = @(
		@{
			allowedMemberTypes = @(
			"User"
		)
		description = "User"
		displayName = "User"
		id = "8774f594-1d59-4279-b9d9-59ef09a23530"
		isEnabled = $true
		origin = "Application"
		value = $null
	}
	@{
		allowedMemberTypes = @(
		"User"
	)
	description = "msiam_access"
	displayName = "msiam_access"
	id = "e7f1a7f3-9eda-48e0-9963-bd67bf531afd"
	isEnabled = $true
	origin = "Application"
	value = $null
}
@{
	allowedMemberTypes = @(
	"User"
)
description = "Admin,WAAD"
displayName = "Admin,WAAD"
id = "3a84e31e-bffa-470f-b9e6-754a61e4dc63"
isEnabled = $true
value = "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD"
}
@{
allowedMemberTypes = @(
"User"
)
description = "Finance,WAAD"
displayName = "Finance,WAAD"
id = "7a960000-ded3-455b-8c04-4f2ace00319b"
isEnabled = $true
value = "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD"
}
)
}

Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
from msgraph.generated.models.app_role import AppRole
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
	app_roles = [
		AppRole(
			allowed_member_types = [
				"User",
			],
			description = "User",
			display_name = "User",
			id = UUID("8774f594-1d59-4279-b9d9-59ef09a23530"),
			is_enabled = True,
			origin = "Application",
			value = None,
		),
		AppRole(
			allowed_member_types = [
				"User",
			],
			description = "msiam_access",
			display_name = "msiam_access",
			id = UUID("e7f1a7f3-9eda-48e0-9963-bd67bf531afd"),
			is_enabled = True,
			origin = "Application",
			value = None,
		),
		AppRole(
			allowed_member_types = [
				"User",
			],
			description = "Admin,WAAD",
			display_name = "Admin,WAAD",
			id = UUID("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
			is_enabled = True,
			value = "arn:aws:iam::212743507312:role/accountname-aws-admin,arn:aws:iam::212743507312:saml-provider/WAAD",
		),
		AppRole(
			allowed_member_types = [
				"User",
			],
			description = "Finance,WAAD",
			display_name = "Finance,WAAD",
			id = UUID("7a960000-ded3-455b-8c04-4f2ace00319b"),
			is_enabled = True,
			value = "arn:aws:iam::212743507312:role/accountname-aws-finance,arn:aws:iam::212743507312:saml-provider/WAAD",
		),
	],
)

result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)

Schritt 5: Konfigurieren der Anspruchszuordnung

Sie möchten die SAML-Attribute konfigurieren, indem Sie die Microsoft Entra-ID-Felder bestimmten AWS IAM Identity Center-Anwendungsattributen zuordnen. Daher erstellen Sie eine Anspruchszuordnungsrichtlinie und weisen sie dem Dienstprinzipal zu.

Schritt 5.1: Erstellen einer Anspruchszuordnungsrichtlinie

Konfigurieren Sie zusätzlich zu den grundlegenden Ansprüchen die folgenden Ansprüche für microsoft Entra ID, die im SAML-Token ausgegeben werden sollen:

Anspruchsname	Quelle
`https://aws.amazon.com/SAML/Attributes/Role`	`assignedroles`
`https://aws.amazon.com/SAML/Attributes/RoleSessionName`	`userprincipalname`
`https://aws.amazon.com/SAML/Attributes/SessionDuration`	`"900"`
`appRoles`	`assignedroles`
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier`	`userprincipalname`

Hinweis

Bei einigen Schlüsseln in der Anspruchszuordnungsrichtlinie, z. B. Version, wird die Groß-/Kleinschreibung beachtet. Die Fehlermeldung "Property has an invalid value" (Eigenschaft hat einen ungültigen Wert) kann ein Problem mit der Unterscheidung nach Groß-/Kleinschreibung sein.

Erstellen Sie die Anspruchszuordnungsrichtlinie, und notieren Sie ihre ID zur späteren Verwendung in diesem Tutorial.

Anforderung

POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
Content-type: application/json

{
    "definition": [
        "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
    ],
    "displayName": "AWS Claims Policy",
    "isOrganizationDefault": false
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ClaimsMappingPolicy
{
	Definition = new List<string>
	{
		"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}",
	},
	DisplayName = "AWS Claims Policy",
	IsOrganizationDefault = false,
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Policies.ClaimsMappingPolicies.PostAsync(requestBody);



mgc policies claims-mapping-policies create --body '{\
    "definition": [\
        "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"\
    ],\
    "displayName": "AWS Claims Policy",\
    "isOrganizationDefault": false\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewClaimsMappingPolicy()
definition := []string {
	"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}",
}
requestBody.SetDefinition(definition)
displayName := "AWS Claims Policy"
requestBody.SetDisplayName(&displayName) 
isOrganizationDefault := false
requestBody.SetIsOrganizationDefault(&isOrganizationDefault) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
claimsMappingPolicies, err := graphClient.Policies().ClaimsMappingPolicies().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ClaimsMappingPolicy claimsMappingPolicy = new ClaimsMappingPolicy();
LinkedList<String> definition = new LinkedList<String>();
definition.add("{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}");
claimsMappingPolicy.setDefinition(definition);
claimsMappingPolicy.setDisplayName("AWS Claims Policy");
claimsMappingPolicy.setIsOrganizationDefault(false);
ClaimsMappingPolicy result = graphClient.policies().claimsMappingPolicies().post(claimsMappingPolicy);


const options = {
	authProvider,
};

const client = Client.init(options);

const claimsMappingPolicy = {
    definition: [
        '{\"ClaimsMappingPolicy\':{\'Version\':1,\'IncludeBasicClaimSet\':\'true\", \"ClaimsSchema\': [{\'Source\':\'user\",\"ID\':\'assignedroles\",\"SamlClaimType\': \'https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\':\'user\",\"ID\':\'userprincipalname\",\"SamlClaimType\': \'https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\':\'900\",\"SamlClaimType\': \'https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\':\'user\",\"ID\':\'assignedroles\",\"SamlClaimType\': \'appRoles\"}, {\"Source\':\'user\",\"ID\':\'userprincipalname\",\"SamlClaimType\': \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
    ],
    displayName: 'AWS Claims Policy',
    isOrganizationDefault: false
};

await client.api('/policies/claimsMappingPolicies')
	.post(claimsMappingPolicy);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ClaimsMappingPolicy;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ClaimsMappingPolicy();
$requestBody->setDefinition(['{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}', 	]);
$requestBody->setDisplayName('AWS Claims Policy');
$requestBody->setIsOrganizationDefault(false);

$result = $graphServiceClient->policies()->claimsMappingPolicies()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
	definition = @(
	'{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true", "ClaimsSchema": [{"Source":"user","ID":"assignedroles","SamlClaimType": "https://aws.amazon.com/SAML/Attributes/Role"}, {"Source":"user","ID":"userprincipalname","SamlClaimType": "https://aws.amazon.com/SAML/Attributes/RoleSessionName"}, {"Value":"900","SamlClaimType": "https://aws.amazon.com/SAML/Attributes/SessionDuration"}, {"Source":"user","ID":"assignedroles","SamlClaimType": "appRoles"}, {"Source":"user","ID":"userprincipalname","SamlClaimType": "https://aws.amazon.com/SAML/Attributes/nameidentifier"}]}}'
)
displayName = "AWS Claims Policy"
isOrganizationDefault = $false
}

New-MgPolicyClaimMappingPolicy -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.claims_mapping_policy import ClaimsMappingPolicy
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ClaimsMappingPolicy(
	definition = [
		"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}",
	],
	display_name = "AWS Claims Policy",
	is_organization_default = False,
)

result = await graph_client.policies.claims_mapping_policies.post(request_body)

Antwort

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#policies/claimsMappingPolicies/$entity",
    "id": "92037c7a-a875-49a0-814e-8ec30f880e2e",
    "deletedDateTime": null,
    "definition": [
        "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
    ],
    "displayName": "AWS Claims Policy",
    "isOrganizationDefault": false
}

Schritt 5.2: Zuweisen der Anspruchszuordnungsrichtlinie zum Dienstprinzipal

Die Anforderung gibt einen 204 No Content Antwortcode zurück.

POST https://graph.microsoft.com/v1.0/servicePrincipals/ef04fead-8549-4e59-b5f7-d1d8c697ec64/claimsMappingPolicies/$ref
Content-type: application/json

{
    "@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ReferenceCreate
{
	OdataId = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.ServicePrincipals["{servicePrincipal-id}"].ClaimsMappingPolicies.Ref.PostAsync(requestBody);



mgc service-principals claims-mapping-policies ref post --service-principal-id {servicePrincipal-id} --body '{\
    "@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e"\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewReferenceCreate()
odataId := "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e"
requestBody.SetOdataId(&odataId) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").ClaimsMappingPolicies().Ref().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.models.ReferenceCreate referenceCreate = new com.microsoft.graph.models.ReferenceCreate();
referenceCreate.setOdataId("https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e");
graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").claimsMappingPolicies().ref().post(referenceCreate);


const options = {
	authProvider,
};

const client = Client.init(options);

const claimsMappingPolicy = {
    '@odata.id': 'https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e'
};

await client.api('/servicePrincipals/ef04fead-8549-4e59-b5f7-d1d8c697ec64/claimsMappingPolicies/$ref')
	.post(claimsMappingPolicy);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ReferenceCreate;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ReferenceCreate();
$requestBody->setOdataId('https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e');

$graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->claimsMappingPolicies()->ref()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	"@odata.id" = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e"
}

New-MgServicePrincipalClaimMappingPolicyByRef -ServicePrincipalId $servicePrincipalId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.reference_create import ReferenceCreate
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ReferenceCreate(
	odata_id = "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/92037c7a-a875-49a0-814e-8ec30f880e2e",
)

await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').claims_mapping_policies.ref.post(request_body)

Schritt 6: Konfigurieren eines Signaturzertifikats

Sie benötigen ein Zertifikat, das Microsoft Entra ID verwenden kann, um eine SAML-Antwort zu signieren. Sie können den /addTokenSigningCertificate Endpunkt verwenden, um ein Tokensignaturzertifikat für den Dienstprinzipal zu erstellen. Alternativ können Sie ein selbstsigniertes Zertifikat erstellen und in den Dienstprinzipal hochladen.

Nachdem Sie das Zertifikat hinzugefügt haben, enthält der Dienstprinzipal zwei Objekte in der keyCredentials-Auflistung : eines für den privaten Schlüssel und eines für den öffentlichen Schlüssel. und ein -Objekt in der passwordCredentials-Auflistung für das Zertifikatkennwort .

Option 1: Erstellen eines Tokensignaturzertifikats für den Dienstprinzipal

Anforderung

POST https://graph.microsoft.com/v1.0/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46/addTokenSigningCertificate
Content-type: application/json

{
    "displayName": "CN=AWSContoso",
    "endDateTime": "2027-01-22T00:00:00Z"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.ServicePrincipals.Item.AddTokenSigningCertificate;

var requestBody = new AddTokenSigningCertificatePostRequestBody
{
	DisplayName = "CN=AWSContoso",
	EndDateTime = DateTimeOffset.Parse("2027-01-22T00:00:00Z"),
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AddTokenSigningCertificate.PostAsync(requestBody);



mgc service-principals add-token-signing-certificate post --service-principal-id {servicePrincipal-id} --body '{\
    "displayName": "CN=AWSContoso",\
    "endDateTime": "2027-01-22T00:00:00Z"\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  "time"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphserviceprincipals "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
	  //other-imports
)

requestBody := graphserviceprincipals.NewAddTokenSigningCertificatePostRequestBody()
displayName := "CN=AWSContoso"
requestBody.SetDisplayName(&displayName) 
endDateTime , err := time.Parse(time.RFC3339, "2027-01-22T00:00:00Z")
requestBody.SetEndDateTime(&endDateTime) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
addTokenSigningCertificate, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AddTokenSigningCertificate().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.serviceprincipals.item.addtokensigningcertificate.AddTokenSigningCertificatePostRequestBody addTokenSigningCertificatePostRequestBody = new com.microsoft.graph.serviceprincipals.item.addtokensigningcertificate.AddTokenSigningCertificatePostRequestBody();
addTokenSigningCertificatePostRequestBody.setDisplayName("CN=AWSContoso");
OffsetDateTime endDateTime = OffsetDateTime.parse("2027-01-22T00:00:00Z");
addTokenSigningCertificatePostRequestBody.setEndDateTime(endDateTime);
SelfSignedCertificate result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").addTokenSigningCertificate().post(addTokenSigningCertificatePostRequestBody);


const options = {
	authProvider,
};

const client = Client.init(options);

const selfSignedCertificate = {
    displayName: 'CN=AWSContoso',
    endDateTime: '2027-01-22T00:00:00Z'
};

await client.api('/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46/addTokenSigningCertificate')
	.post(selfSignedCertificate);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\ServicePrincipals\Item\AddTokenSigningCertificate\AddTokenSigningCertificatePostRequestBody;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AddTokenSigningCertificatePostRequestBody();
$requestBody->setDisplayName('CN=AWSContoso');
$requestBody->setEndDateTime(new \DateTime('2027-01-22T00:00:00Z'));

$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->addTokenSigningCertificate()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	displayName = "CN=AWSContoso"
	endDateTime = [System.DateTime]::Parse("2027-01-22T00:00:00Z")
}

Add-MgServicePrincipalTokenSigningCertificate -ServicePrincipalId $servicePrincipalId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.serviceprincipals.item.add_token_signing_certificate.add_token_signing_certificate_post_request_body import AddTokenSigningCertificatePostRequestBody
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AddTokenSigningCertificatePostRequestBody(
	display_name = "CN=AWSContoso",
	end_date_time = "2027-01-22T00:00:00Z",
)

result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').add_token_signing_certificate.post(request_body)

Antwort

HTTP/1.1 200 OK
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.selfSignedCertificate",
    "customKeyIdentifier": "wt3YBEyVas0CaadaZLeGLbndrD4=",
    "displayName": "CN=AWSContoso",
    "endDateTime": "2027-01-22T00:00:00Z",
    "key": "MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=",
    "keyId": "04e5ac4e-31f9-41ad-83e2-6dd41e1d81f4",
    "startDateTime": "2024-02-21T17:09:35.0006942Z",
    "thumbprint": "C2DDD8044C956ACD0269A75A64B7862DB9DDAC3E",
    "type": "AsymmetricX509Cert",
    "usage": "Verify"
}

Option 2: Erstellen eines benutzerdefinierten Signaturzertifikats

Sie können die folgenden PowerShell- und C#-Skripts verwenden, um ein selbstsigniertes Zertifikat zum Testen abzurufen. Verwenden Sie die bewährten Sicherheitsmethoden Ihres Unternehmens, um ein Signaturzertifikat für die Produktion zu erstellen.

PowerShell-Skript
C#-Skript

Das folgende Skript erstellt ein selbstsigniertes Zertifikat mit dem Namen, CN=AWSContosoden Sie angeben, wenn Sie fqdn dazu aufgefordert werden, z. B. . Es schützt das Zertifikat mit dem Kennwort, das Sie in pwd angeben, und exportiert die PFX- und CER-Zertifikate an den Speicherort, den Sie in locationangeben.

Param(
    [Parameter(Mandatory=$true)]
    [string]$fqdn,
    [Parameter(Mandatory=$true)]
    [string]$pwd,
    [Parameter(Mandatory=$true)]
    [string]$location
) 

if (!$PSBoundParameters.ContainsKey('location'))
{
    $location = "."
} 

$cert = New-SelfSignedCertificate -certstorelocation cert:\currentuser\my -DnsName $fqdn
$pwdSecure = ConvertTo-SecureString -String $pwd -Force -AsPlainText
$path = 'cert:\currentuser\my\' + $cert.Thumbprint
$cerFile = $location + "\\" + $fqdn + ".cer"
$pfxFile = $location + "\\" + $fqdn + ".pfx" 

Export-PfxCertificate -cert $path -FilePath $pfxFile -Password $pwdSecure
Export-Certificate -cert $path -FilePath $cerFile

Die folgende C#-Konsolen-App kann als Proof of Concept verwendet werden, um zu verstehen, wie die erforderlichen Werte abgerufen werden können. Dieser Code dient nur zum Lernen und Verweisen und sollte in der Produktion nicht unverändert verwendet werden.

using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;


/* CONSOLE APP - PROOF OF CONCEPT CODE ONLY!!
 * This code uses a self signed certificate and should not be used 
 * in production. This code is for reference and learning ONLY.
 */
namespace Self_signed_cert
{
    class Program
    {
        static void Main(string[] args)
        {
            // Generate a guid to use as a password and then create the cert.
            string password = Guid.NewGuid().ToString();
            var selfsignedCert = buildSelfSignedServerCertificate(password);

            // Print values so we can copy paste into the JSON fields.
            // Print out the private key in base64 format.
            Console.WriteLine("Private Key: {0}{1}", Convert.ToBase64String(selfsignedCert.Export(X509ContentType.Pfx, password)), Environment.NewLine);

            // Print out the start date in ISO 8601 format.
            DateTime startDate = DateTime.Parse(selfsignedCert.GetEffectiveDateString()).ToUniversalTime();
            Console.WriteLine("For All startDateTime: " + startDate.ToString("o"));

            // Print out the end date in ISO 8601 format.
            DateTime endDate = DateTime.Parse(selfsignedCert.GetExpirationDateString()).ToUniversalTime();
            Console.WriteLine("For All endDateTime: " + endDate.ToString("o"));

            // Print the GUID used for keyId
            string signAndPasswordGuid = Guid.NewGuid().ToString();
            string verifyGuid = Guid.NewGuid().ToString();
            Console.WriteLine("GUID to use for keyId for keyCredentials->Usage == Sign and passwordCredentials: " + signAndPasswordGuid);
            Console.WriteLine("GUID to use for keyId for keyCredentials->Usage == Verify: " + verifyGuid);

            // Print out the password.
            Console.WriteLine("Password is: {0}", password);

            // Print out a displayName to use as an example.
            Console.WriteLine("displayName to use: CN=Example");
            Console.WriteLine();

            // Print out the public key.
            Console.WriteLine("Public Key: {0}{1}", Convert.ToBase64String(selfsignedCert.Export(X509ContentType.Cert)), Environment.NewLine);
            Console.WriteLine();

            // Generate the customKeyIdentifier using hash of thumbprint.
            Console.WriteLine("You can generate the customKeyIdentifier by getting the SHA256 hash of the certs thumprint.\nThe certs thumbprint is: {0}{1}", selfsignedCert.Thumbprint, Environment.NewLine);
            Console.WriteLine("The hash of the thumbprint that we will use for customeKeyIdentifier is:");
            string keyIdentifier = GetSha256FromThumbprint(selfsignedCert.Thumbprint);
            Console.WriteLine(keyIdentifier);
        }

        // Generate a self-signed certificate.
        private static X509Certificate2 buildSelfSignedServerCertificate(string password)
        {
            const string CertificateName = @"Microsoft Azure Federated SSO Certificate TEST";
            DateTime certificateStartDate = DateTime.UtcNow;
            DateTime certificateEndDate = certificateStartDate.AddYears(2).ToUniversalTime();

            X500DistinguishedName distinguishedName = new X500DistinguishedName($"CN={CertificateName}");

            using (RSA rsa = RSA.Create(2048))
            {
                var request = new CertificateRequest(distinguishedName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

                request.CertificateExtensions.Add(
                    new X509KeyUsageExtension(X509KeyUsageFlags.DataEncipherment | X509KeyUsageFlags.KeyEncipherment | X509KeyUsageFlags.DigitalSignature, false));

                var certificate = request.CreateSelfSigned(new DateTimeOffset(certificateStartDate), new DateTimeOffset(certificateEndDate));
                certificate.FriendlyName = CertificateName;

                return new X509Certificate2(certificate.Export(X509ContentType.Pfx, password), password, X509KeyStorageFlags.Exportable);
            }
        }

        // Generate hash from thumbprint.
        public static string GetSha256FromThumbprint(string thumbprint)
        {
            var message = Encoding.ASCII.GetBytes(thumbprint);
            SHA256Managed hashString = new SHA256Managed();
            return Convert.ToBase64String(hashString.ComputeHash(message));
        }
    }
}

Extrahieren von Zertifikatdetails

Im vorherigen Schritt verfügen Sie über die CER- und PFX-Zertifikate. Extrahieren Sie die Werte für den privaten Schlüssel, das Kennwort, den öffentlichen Schlüssel und den Zertifikatfingerabdruck, die dem Dienstprinzipal hinzugefügt werden sollen.

Extrahieren des Zertifikatfingerabdrucks

Anforderung

Mit dem folgenden PowerShell-Skript können Sie den Fingerabdruck aus der CER-Datei extrahieren. Ersetzen Sie den Dateipfad durch den Speicherort Ihres Zertifikats.

## Replace the file path with the source of your certificate

Get-PfxCertificate -Filepath "C:\Users\admin\Desktop\CN=AWSContoso.cer" | Out-File -FilePath "C:\Users\admin\Desktop\CN=AWSContoso.cer.thumbprint.txt"

Antwort

Die CN=AWSContoso.cer.thumbprint.txt Datei weist einen Eintrag auf, der der folgenden Ausgabe ähnelt.

Thumbprint                                Subject              EnhancedKeyUsageList
----------                                -------              --------------------
5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A  CN=AWSContoso        {Client Authentication, Server Authentication}

Extrahieren des Zertifikatschlüssels

Mit dem folgenden PowerShell-Skript können Sie den öffentlichen Schlüssel aus der CER-Datei extrahieren. Ersetzen Sie den Dateipfad durch den Speicherort Ihres Zertifikats.

Anforderung

[convert]::ToBase64String((Get-Content C:\Users\admin\Desktop\CN=AWSContoso.cer -AsByteStream -Raw))  | Out-File -FilePath "C:\Users\admin\Desktop\CN=AWSContoso.cer.key.txt"

Antwort

Die CN=AWSContoso.cer.key.txt-Datei weist einen Base64-codierten Wert auf, der der folgenden abgeschnittenen Ausgabe ähnelt.

MIIDHjCCAgagAwIBAgIQYDbahiL7NY...6qCMVJKHAQGzGwg==

Hinzufügen des benutzerdefinierten Signaturschlüssels

Fügen Sie die folgenden Details zu keyCredentials und passwordCredentials für den Dienstprinzipal hinzu. Wenn die beiden Objekte über dieselben Eigenschaften verfügen, müssen Sie diesen Eigenschaften dieselben Werte zuweisen.

CustomKeyIdentifier ist der Zertifikatfingerabdruck-Hash.
StartDateTime ist das Datum, an dem oder nachdem das Zertifikat erstellt wurde.
EndDateTime kann maximal drei Jahre ab startDateTime sein. Wenn keine Angabe erfolgt, weist das System automatisch ein Datum ein Jahr nach startDateTime zu.
Der Typ und die Verwendung müssen wie folgt sein:
- AsymmetricX509Cert bzw Verify . im selben Objekt.
- X509CertAndPassword bzw Sign . im selben Objekt.
Weisen Sie den Zertifikatantragstellernamen der displayName-Eigenschaft zu.
Der Schlüssel ist der Base64-codierte Wert, den Sie im vorherigen Schritt generiert haben.
Die keyId ist eine GUID, die Sie definieren können.

Die Anforderung gibt einen 204 No Content Antwortcode zurück.

PATCH https://graph.microsoft.com/v1.0/servicePrincipals/ef04fead-8549-4e59-b5f7-d1d8c697ec64
Content-type: application/json

{
    "keyCredentials": [
        {
            "customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
            "endDateTime": "2027-01-22T00:00:00Z",
            "keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",
            "startDateTime": "2024-02-21T17:09:35Z",
            "type": "X509CertAndPassword",
            "usage": "Sign",
            "key": "MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=",
            "displayName": "CN=AWSContoso"
        },
        {
            "customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
            "endDateTime": "2027-01-22T00:00:00Z",
            "keyId": "e35a7d11-fef0-49ad-9f3e-aacbe0a42c42",
            "startDateTime": "2024-02-21T17:09:35Z",
            "type": "AsymmetricX509Cert",
            "usage": "Verify",
            "key": "MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=",
            "displayName": "CN=AWSContoso"
        }
    ],
    "passwordCredentials": [
        {
            "customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
            "keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",
            "endDateTime": "2022-01-27T19:40:33Z",
            "startDateTime": "2027-01-22T00:00:00Z",
            "secretText": "61891f4ee44d"
        }
    ]
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ServicePrincipal
{
	KeyCredentials = new List<KeyCredential>
	{
		new KeyCredential
		{
			CustomKeyIdentifier = Convert.FromBase64String("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
			EndDateTime = DateTimeOffset.Parse("2027-01-22T00:00:00Z"),
			KeyId = Guid.Parse("4c266507-3e74-4b91-aeba-18a25b450f6e"),
			StartDateTime = DateTimeOffset.Parse("2024-02-21T17:09:35Z"),
			Type = "X509CertAndPassword",
			Usage = "Sign",
			Key = Convert.FromBase64String("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs="),
			DisplayName = "CN=AWSContoso",
		},
		new KeyCredential
		{
			CustomKeyIdentifier = Convert.FromBase64String("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
			EndDateTime = DateTimeOffset.Parse("2027-01-22T00:00:00Z"),
			KeyId = Guid.Parse("e35a7d11-fef0-49ad-9f3e-aacbe0a42c42"),
			StartDateTime = DateTimeOffset.Parse("2024-02-21T17:09:35Z"),
			Type = "AsymmetricX509Cert",
			Usage = "Verify",
			Key = Convert.FromBase64String("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs="),
			DisplayName = "CN=AWSContoso",
		},
	},
	PasswordCredentials = new List<PasswordCredential>
	{
		new PasswordCredential
		{
			CustomKeyIdentifier = Convert.FromBase64String("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
			KeyId = Guid.Parse("4c266507-3e74-4b91-aeba-18a25b450f6e"),
			EndDateTime = DateTimeOffset.Parse("2022-01-27T19:40:33Z"),
			StartDateTime = DateTimeOffset.Parse("2027-01-22T00:00:00Z"),
			SecretText = "61891f4ee44d",
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);



mgc service-principals patch --service-principal-id {servicePrincipal-id} --body '{\
    "keyCredentials": [\
        {\
            "customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",\
            "endDateTime": "2027-01-22T00:00:00Z",\
            "keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",\
            "startDateTime": "2024-02-21T17:09:35Z",\
            "type": "X509CertAndPassword",\
            "usage": "Sign",\
            "key": "MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=",\
            "displayName": "CN=AWSContoso"\
        },\
        {\
            "customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",\
            "endDateTime": "2027-01-22T00:00:00Z",\
            "keyId": "e35a7d11-fef0-49ad-9f3e-aacbe0a42c42",\
            "startDateTime": "2024-02-21T17:09:35Z",\
            "type": "AsymmetricX509Cert",\
            "usage": "Verify",\
            "key": "MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=",\
            "displayName": "CN=AWSContoso"\
        }\
    ],\
    "passwordCredentials": [\
        {\
            "customKeyIdentifier": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",\
            "keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",\
            "endDateTime": "2022-01-27T19:40:33Z",\
            "startDateTime": "2027-01-22T00:00:00Z",\
            "secretText": "61891f4ee44d"\
        }\
    ]\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewServicePrincipal()


keyCredential := graphmodels.NewKeyCredential()
customKeyIdentifier := []byte("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
keyCredential.SetCustomKeyIdentifier(&customKeyIdentifier) 
endDateTime , err := time.Parse(time.RFC3339, "2027-01-22T00:00:00Z")
keyCredential.SetEndDateTime(&endDateTime) 
keyId := uuid.MustParse("4c266507-3e74-4b91-aeba-18a25b450f6e")
keyCredential.SetKeyId(&keyId) 
startDateTime , err := time.Parse(time.RFC3339, "2024-02-21T17:09:35Z")
keyCredential.SetStartDateTime(&startDateTime) 
type := "X509CertAndPassword"
keyCredential.SetType(&type) 
usage := "Sign"
keyCredential.SetUsage(&usage) 
key := []byte("mIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=")
keyCredential.SetKey(&key) 
displayName := "CN=AWSContoso"
keyCredential.SetDisplayName(&displayName) 
keyCredential1 := graphmodels.NewKeyCredential()
customKeyIdentifier := []byte("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
keyCredential1.SetCustomKeyIdentifier(&customKeyIdentifier) 
endDateTime , err := time.Parse(time.RFC3339, "2027-01-22T00:00:00Z")
keyCredential1.SetEndDateTime(&endDateTime) 
keyId := uuid.MustParse("e35a7d11-fef0-49ad-9f3e-aacbe0a42c42")
keyCredential1.SetKeyId(&keyId) 
startDateTime , err := time.Parse(time.RFC3339, "2024-02-21T17:09:35Z")
keyCredential1.SetStartDateTime(&startDateTime) 
type := "AsymmetricX509Cert"
keyCredential1.SetType(&type) 
usage := "Verify"
keyCredential1.SetUsage(&usage) 
key := []byte("mIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=")
keyCredential1.SetKey(&key) 
displayName := "CN=AWSContoso"
keyCredential1.SetDisplayName(&displayName) 

keyCredentials := []graphmodels.KeyCredentialable {
	keyCredential,
	keyCredential1,
}
requestBody.SetKeyCredentials(keyCredentials)


passwordCredential := graphmodels.NewPasswordCredential()
customKeyIdentifier := []byte("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
passwordCredential.SetCustomKeyIdentifier(&customKeyIdentifier) 
keyId := uuid.MustParse("4c266507-3e74-4b91-aeba-18a25b450f6e")
passwordCredential.SetKeyId(&keyId) 
endDateTime , err := time.Parse(time.RFC3339, "2022-01-27T19:40:33Z")
passwordCredential.SetEndDateTime(&endDateTime) 
startDateTime , err := time.Parse(time.RFC3339, "2027-01-22T00:00:00Z")
passwordCredential.SetStartDateTime(&startDateTime) 
secretText := "61891f4ee44d"
passwordCredential.SetSecretText(&secretText) 

passwordCredentials := []graphmodels.PasswordCredentialable {
	passwordCredential,
}
requestBody.SetPasswordCredentials(passwordCredentials)

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipal servicePrincipal = new ServicePrincipal();
LinkedList<KeyCredential> keyCredentials = new LinkedList<KeyCredential>();
KeyCredential keyCredential = new KeyCredential();
byte[] customKeyIdentifier = Base64.getDecoder().decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A");
keyCredential.setCustomKeyIdentifier(customKeyIdentifier);
OffsetDateTime endDateTime = OffsetDateTime.parse("2027-01-22T00:00:00Z");
keyCredential.setEndDateTime(endDateTime);
keyCredential.setKeyId(UUID.fromString("4c266507-3e74-4b91-aeba-18a25b450f6e"));
OffsetDateTime startDateTime = OffsetDateTime.parse("2024-02-21T17:09:35Z");
keyCredential.setStartDateTime(startDateTime);
keyCredential.setType("X509CertAndPassword");
keyCredential.setUsage("Sign");
byte[] key = Base64.getDecoder().decode("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=");
keyCredential.setKey(key);
keyCredential.setDisplayName("CN=AWSContoso");
keyCredentials.add(keyCredential);
KeyCredential keyCredential1 = new KeyCredential();
byte[] customKeyIdentifier1 = Base64.getDecoder().decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A");
keyCredential1.setCustomKeyIdentifier(customKeyIdentifier1);
OffsetDateTime endDateTime1 = OffsetDateTime.parse("2027-01-22T00:00:00Z");
keyCredential1.setEndDateTime(endDateTime1);
keyCredential1.setKeyId(UUID.fromString("e35a7d11-fef0-49ad-9f3e-aacbe0a42c42"));
OffsetDateTime startDateTime1 = OffsetDateTime.parse("2024-02-21T17:09:35Z");
keyCredential1.setStartDateTime(startDateTime1);
keyCredential1.setType("AsymmetricX509Cert");
keyCredential1.setUsage("Verify");
byte[] key1 = Base64.getDecoder().decode("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=");
keyCredential1.setKey(key1);
keyCredential1.setDisplayName("CN=AWSContoso");
keyCredentials.add(keyCredential1);
servicePrincipal.setKeyCredentials(keyCredentials);
LinkedList<PasswordCredential> passwordCredentials = new LinkedList<PasswordCredential>();
PasswordCredential passwordCredential = new PasswordCredential();
byte[] customKeyIdentifier2 = Base64.getDecoder().decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A");
passwordCredential.setCustomKeyIdentifier(customKeyIdentifier2);
passwordCredential.setKeyId(UUID.fromString("4c266507-3e74-4b91-aeba-18a25b450f6e"));
OffsetDateTime endDateTime2 = OffsetDateTime.parse("2022-01-27T19:40:33Z");
passwordCredential.setEndDateTime(endDateTime2);
OffsetDateTime startDateTime2 = OffsetDateTime.parse("2027-01-22T00:00:00Z");
passwordCredential.setStartDateTime(startDateTime2);
passwordCredential.setSecretText("61891f4ee44d");
passwordCredentials.add(passwordCredential);
servicePrincipal.setPasswordCredentials(passwordCredentials);
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);


const options = {
	authProvider,
};

const client = Client.init(options);

const servicePrincipal = {
    keyCredentials: [
        {
            customKeyIdentifier: '5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A',
            endDateTime: '2027-01-22T00:00:00Z',
            keyId: '4c266507-3e74-4b91-aeba-18a25b450f6e',
            startDateTime: '2024-02-21T17:09:35Z',
            type: 'X509CertAndPassword',
            usage: 'Sign',
            key: 'MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=',
            displayName: 'CN=AWSContoso'
        },
        {
            customKeyIdentifier: '5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A',
            endDateTime: '2027-01-22T00:00:00Z',
            keyId: 'e35a7d11-fef0-49ad-9f3e-aacbe0a42c42',
            startDateTime: '2024-02-21T17:09:35Z',
            type: 'AsymmetricX509Cert',
            usage: 'Verify',
            key: 'MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=',
            displayName: 'CN=AWSContoso'
        }
    ],
    passwordCredentials: [
        {
            customKeyIdentifier: '5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A',
            keyId: '4c266507-3e74-4b91-aeba-18a25b450f6e',
            endDateTime: '2022-01-27T19:40:33Z',
            startDateTime: '2027-01-22T00:00:00Z',
            secretText: '61891f4ee44d'
        }
    ]
};

await client.api('/servicePrincipals/ef04fead-8549-4e59-b5f7-d1d8c697ec64')
	.update(servicePrincipal);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;
use Microsoft\Graph\Generated\Models\KeyCredential;
use Microsoft\Graph\Generated\Models\PasswordCredential;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ServicePrincipal();
$keyCredentialsKeyCredential1 = new KeyCredential();
$keyCredentialsKeyCredential1->setCustomKeyIdentifier(\GuzzleHttp\Psr7\Utils::streamFor(base64_decode('5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A')));
$keyCredentialsKeyCredential1->setEndDateTime(new \DateTime('2027-01-22T00:00:00Z'));
$keyCredentialsKeyCredential1->setKeyId('4c266507-3e74-4b91-aeba-18a25b450f6e');
$keyCredentialsKeyCredential1->setStartDateTime(new \DateTime('2024-02-21T17:09:35Z'));
$keyCredentialsKeyCredential1->setType('X509CertAndPassword');
$keyCredentialsKeyCredential1->setUsage('Sign');
$keyCredentialsKeyCredential1->setKey(\GuzzleHttp\Psr7\Utils::streamFor(base64_decode('MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=')));
$keyCredentialsKeyCredential1->setDisplayName('CN=AWSContoso');
$keyCredentialsArray []= $keyCredentialsKeyCredential1;
$keyCredentialsKeyCredential2 = new KeyCredential();
$keyCredentialsKeyCredential2->setCustomKeyIdentifier(\GuzzleHttp\Psr7\Utils::streamFor(base64_decode('5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A')));
$keyCredentialsKeyCredential2->setEndDateTime(new \DateTime('2027-01-22T00:00:00Z'));
$keyCredentialsKeyCredential2->setKeyId('e35a7d11-fef0-49ad-9f3e-aacbe0a42c42');
$keyCredentialsKeyCredential2->setStartDateTime(new \DateTime('2024-02-21T17:09:35Z'));
$keyCredentialsKeyCredential2->setType('AsymmetricX509Cert');
$keyCredentialsKeyCredential2->setUsage('Verify');
$keyCredentialsKeyCredential2->setKey(\GuzzleHttp\Psr7\Utils::streamFor(base64_decode('MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=')));
$keyCredentialsKeyCredential2->setDisplayName('CN=AWSContoso');
$keyCredentialsArray []= $keyCredentialsKeyCredential2;
$requestBody->setKeyCredentials($keyCredentialsArray);

$passwordCredentialsPasswordCredential1 = new PasswordCredential();
$passwordCredentialsPasswordCredential1->setCustomKeyIdentifier(\GuzzleHttp\Psr7\Utils::streamFor(base64_decode('5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A')));
$passwordCredentialsPasswordCredential1->setKeyId('4c266507-3e74-4b91-aeba-18a25b450f6e');
$passwordCredentialsPasswordCredential1->setEndDateTime(new \DateTime('2022-01-27T19:40:33Z'));
$passwordCredentialsPasswordCredential1->setStartDateTime(new \DateTime('2027-01-22T00:00:00Z'));
$passwordCredentialsPasswordCredential1->setSecretText('61891f4ee44d');
$passwordCredentialsArray []= $passwordCredentialsPasswordCredential1;
$requestBody->setPasswordCredentials($passwordCredentialsArray);


$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	keyCredentials = @(
		@{
			customKeyIdentifier = [System.Text.Encoding]::ASCII.GetBytes("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
			endDateTime = [System.DateTime]::Parse("2027-01-22T00:00:00Z")
			keyId = "4c266507-3e74-4b91-aeba-18a25b450f6e"
			startDateTime = [System.DateTime]::Parse("2024-02-21T17:09:35Z")
			type = "X509CertAndPassword"
			usage = "Sign"
			key = [System.Text.Encoding]::ASCII.GetBytes("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=")
			displayName = "CN=AWSContoso"
		}
		@{
			customKeyIdentifier = [System.Text.Encoding]::ASCII.GetBytes("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
			endDateTime = [System.DateTime]::Parse("2027-01-22T00:00:00Z")
			keyId = "e35a7d11-fef0-49ad-9f3e-aacbe0a42c42"
			startDateTime = [System.DateTime]::Parse("2024-02-21T17:09:35Z")
			type = "AsymmetricX509Cert"
			usage = "Verify"
			key = [System.Text.Encoding]::ASCII.GetBytes("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs=")
			displayName = "CN=AWSContoso"
		}
	)
	passwordCredentials = @(
		@{
			customKeyIdentifier = [System.Text.Encoding]::ASCII.GetBytes("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A")
			keyId = "4c266507-3e74-4b91-aeba-18a25b450f6e"
			endDateTime = [System.DateTime]::Parse("2022-01-27T19:40:33Z")
			startDateTime = [System.DateTime]::Parse("2027-01-22T00:00:00Z")
			secretText = "61891f4ee44d"
		}
	)
}

Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
from msgraph.generated.models.key_credential import KeyCredential
from msgraph.generated.models.password_credential import PasswordCredential
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
	key_credentials = [
		KeyCredential(
			custom_key_identifier = base64.urlsafe_b64decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
			end_date_time = "2027-01-22T00:00:00Z",
			key_id = UUID("4c266507-3e74-4b91-aeba-18a25b450f6e"),
			start_date_time = "2024-02-21T17:09:35Z",
			type = "X509CertAndPassword",
			usage = "Sign",
			key = base64.urlsafe_b64decode("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs="),
			display_name = "CN=AWSContoso",
		),
		KeyCredential(
			custom_key_identifier = base64.urlsafe_b64decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
			end_date_time = "2027-01-22T00:00:00Z",
			key_id = UUID("e35a7d11-fef0-49ad-9f3e-aacbe0a42c42"),
			start_date_time = "2024-02-21T17:09:35Z",
			type = "AsymmetricX509Cert",
			usage = "Verify",
			key = base64.urlsafe_b64decode("MIICqjCCAZKgAwIBAgIIZYCy..KlDixjUT61i4tFs="),
			display_name = "CN=AWSContoso",
		),
	],
	password_credentials = [
		PasswordCredential(
			custom_key_identifier = base64.urlsafe_b64decode("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"),
			key_id = UUID("4c266507-3e74-4b91-aeba-18a25b450f6e"),
			end_date_time = "2022-01-27T19:40:33Z",
			start_date_time = "2027-01-22T00:00:00Z",
			secret_text = "61891f4ee44d",
		),
	],
)

result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)

Aktivieren des benutzerdefinierten Signierschlüssels

Sie müssen die preferredTokenSigningKeyThumbprint-Eigenschaft des Dienstprinzipals auf den Fingerabdruck des Zertifikats festlegen, das die Microsoft Entra-ID zum Signieren der SAML-Antwort verwenden soll. Die Anforderung gibt einen 204 No Content Antwortcode zurück.

Anforderung

PATCH https://graph.microsoft.com/v1.0/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46
Content-type: application/json

{
    "preferredTokenSigningKeyThumbprint": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new ServicePrincipal
{
	PreferredTokenSigningKeyThumbprint = "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].PatchAsync(requestBody);



mgc service-principals patch --service-principal-id {servicePrincipal-id} --body '{\
    "preferredTokenSigningKeyThumbprint": "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewServicePrincipal()
preferredTokenSigningKeyThumbprint := "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"
requestBody.SetPreferredTokenSigningKeyThumbprint(&preferredTokenSigningKeyThumbprint) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").Patch(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

ServicePrincipal servicePrincipal = new ServicePrincipal();
servicePrincipal.setPreferredTokenSigningKeyThumbprint("5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A");
ServicePrincipal result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").patch(servicePrincipal);


const options = {
	authProvider,
};

const client = Client.init(options);

const servicePrincipal = {
    preferredTokenSigningKeyThumbprint: '5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A'
};

await client.api('/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46')
	.update(servicePrincipal);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\ServicePrincipal;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new ServicePrincipal();
$requestBody->setPreferredTokenSigningKeyThumbprint('5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A');

$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->patch($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	preferredTokenSigningKeyThumbprint = "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A"
}

Update-MgServicePrincipal -ServicePrincipalId $servicePrincipalId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.service_principal import ServicePrincipal
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = ServicePrincipal(
	preferred_token_signing_key_thumbprint = "5214D6BA9438F984A0CC2C856CCEA6A76EDCEC3A",
)

result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').patch(request_body)

Schritt 7: Zuweisen von Benutzern zur Anwendung

Zuweisen eines Benutzers zur Anwendung

Weisen Sie dem Dienstprinzipal den benutzer zu, den Sie erstellt haben, und weisen Sie ihm die Admin,WAAD App-Rolle zu. Geben Sie im Anforderungstext die folgenden Werte an:

principalId : Die ID des Benutzerkontos, das Sie erstellt haben.
appRoleId : Die ID der App-Rolle Admin,WAAD , die Sie hinzugefügt haben.
resourceId : Die ID des Dienstprinzipals.

Anforderung

POST https://graph.microsoft.com/v1.0/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46/appRoleAssignments
Content-type: application/json

{
    "principalId": "59bb3898-0621-4414-ac61-74f9d7201355",
    "principalType": "User",
    "appRoleId": "3a84e31e-bffa-470f-b9e6-754a61e4dc63",
    "resourceId": "d3616293-fff8-4415-9f01-33b05dad1b46"
}


// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new AppRoleAssignment
{
	PrincipalId = Guid.Parse("59bb3898-0621-4414-ac61-74f9d7201355"),
	PrincipalType = "User",
	AppRoleId = Guid.Parse("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
	ResourceId = Guid.Parse("d3616293-fff8-4415-9f01-33b05dad1b46"),
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AppRoleAssignments.PostAsync(requestBody);



mgc service-principals app-role-assignments create --service-principal-id {servicePrincipal-id} --body '{\
    "principalId": "59bb3898-0621-4414-ac61-74f9d7201355",\
    "principalType": "User",\
    "appRoleId": "3a84e31e-bffa-470f-b9e6-754a61e4dc63",\
    "resourceId": "d3616293-fff8-4415-9f01-33b05dad1b46"\
}\
'



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  "github.com/google/uuid"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
	  //other-imports
)

requestBody := graphmodels.NewAppRoleAssignment()
principalId := uuid.MustParse("59bb3898-0621-4414-ac61-74f9d7201355")
requestBody.SetPrincipalId(&principalId) 
principalType := "User"
requestBody.SetPrincipalType(&principalType) 
appRoleId := uuid.MustParse("3a84e31e-bffa-470f-b9e6-754a61e4dc63")
requestBody.SetAppRoleId(&appRoleId) 
resourceId := uuid.MustParse("d3616293-fff8-4415-9f01-33b05dad1b46")
requestBody.SetResourceId(&resourceId) 

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
appRoleAssignments, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AppRoleAssignments().Post(context.Background(), requestBody, nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

AppRoleAssignment appRoleAssignment = new AppRoleAssignment();
appRoleAssignment.setPrincipalId(UUID.fromString("59bb3898-0621-4414-ac61-74f9d7201355"));
appRoleAssignment.setPrincipalType("User");
appRoleAssignment.setAppRoleId(UUID.fromString("3a84e31e-bffa-470f-b9e6-754a61e4dc63"));
appRoleAssignment.setResourceId(UUID.fromString("d3616293-fff8-4415-9f01-33b05dad1b46"));
AppRoleAssignment result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").appRoleAssignments().post(appRoleAssignment);


const options = {
	authProvider,
};

const client = Client.init(options);

const appRoleAssignment = {
    principalId: '59bb3898-0621-4414-ac61-74f9d7201355',
    principalType: 'User',
    appRoleId: '3a84e31e-bffa-470f-b9e6-754a61e4dc63',
    resourceId: 'd3616293-fff8-4415-9f01-33b05dad1b46'
};

await client.api('/servicePrincipals/d3616293-fff8-4415-9f01-33b05dad1b46/appRoleAssignments')
	.post(appRoleAssignment);


<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AppRoleAssignment;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AppRoleAssignment();
$requestBody->setPrincipalId('59bb3898-0621-4414-ac61-74f9d7201355');
$requestBody->setPrincipalType('User');
$requestBody->setAppRoleId('3a84e31e-bffa-470f-b9e6-754a61e4dc63');
$requestBody->setResourceId('d3616293-fff8-4415-9f01-33b05dad1b46');

$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->appRoleAssignments()->post($requestBody)->wait();


Import-Module Microsoft.Graph.Applications

$params = @{
	principalId = "59bb3898-0621-4414-ac61-74f9d7201355"
	principalType = "User"
	appRoleId = "3a84e31e-bffa-470f-b9e6-754a61e4dc63"
	resourceId = "d3616293-fff8-4415-9f01-33b05dad1b46"
}

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipalId -BodyParameter $params


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.app_role_assignment import AppRoleAssignment
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AppRoleAssignment(
	principal_id = UUID("59bb3898-0621-4414-ac61-74f9d7201355"),
	principal_type = "User",
	app_role_id = UUID("3a84e31e-bffa-470f-b9e6-754a61e4dc63"),
	resource_id = UUID("d3616293-fff8-4415-9f01-33b05dad1b46"),
)

result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').app_role_assignments.post(request_body)

Antwort

HTTP/1.1 201 Created
Content-type: application/json

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('d3616293-fff8-4415-9f01-33b05dad1b46')/appRoleAssignments/$entity",
    "id": "mDi7WSEGFESsYXT51yATVdouI-92Rw1OgPSpSxEvaLg",
    "deletedDateTime": null,
    "appRoleId": "3a84e31e-bffa-470f-b9e6-754a61e4dc63",
    "createdDateTime": "2024-02-21T18:07:54.7959075Z",
    "principalDisplayName": "Adele Vance",
    "principalId": "59bb3898-0621-4414-ac61-74f9d7201355",
    "principalType": "User",
    "resourceDisplayName": "AWS Contoso",
    "resourceId": "d3616293-fff8-4415-9f01-33b05dad1b46"
}

Schritt 8: Abrufen von Microsoft Entra ID SAML-Metadaten für die AWS Contoso-App

Verwenden Sie die folgende URL, um die Microsoft Entra ID SAML-Metadaten für die AWS Contoso-App abzurufen. Ersetzen Sie durch {tenant-id} die Mandanten-ID und {appId} durch die appId der AWS Contoso-App. Die Metadaten enthalten unter anderem Informationen wie das Signaturzertifikat, Microsoft Entra entityID und Microsoft Entra SingleSignOnService.

https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml?appid={appId}

Im Folgenden finden Sie ein Beispiel dafür, was Für Ihre Anwendung möglicherweise angezeigt wird. Speichern Sie die Daten im XML-Format.

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_26313693-22d4-4361-8e48-ea19bb8616e1" entityID="https://sts.windows.net/38d49456-54d4-455d-a8d6-c383c71e0a6d/">
<RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
<fed:ClaimTypesOffered>
...
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/38d49456-54d4-455d-a8d6-c383c71e0a6d/saml2"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/38d49456-54d4-455d-a8d6-c383c71e0a6d/saml2"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/38d49456-54d4-455d-a8d6-c383c71e0a6d/saml2"/>
</IDPSSODescriptor>
</EntityDescriptor>

Schritt 9: Abschließen und Testen der Integration

Nachdem Sie nun die Konfigurationsschritte für die Anwendung in Microsoft Entra ID abgeschlossen haben und über die SAML-Metadaten verfügen, melden Sie sich bei Ihrer AWS IAM Identity Center-Unternehmenswebsite als Administrator an und:

Führen Sie die Schritte zum Konfigurieren des einmaligen Anmeldens für AWS IAM Identity Center aus.
Erstellen Sie einen Testbenutzer, dessen Benutzername und E-Mail-Adresse dem Benutzerkonto entsprechen, das Sie in Microsoft Entra ID erstellt haben.
Testen Sie die SSO-Integration.

Schritt 10: Bereinigen von Ressourcen

Entfernen Sie in diesem Schritt die Ressourcen, die Sie erstellt haben und nicht mehr benötigen.

Löschen der Anwendung

Wenn Sie die Anwendung löschen, wird auch der Dienstprinzipal in Ihrem Mandanten gelöscht. Die Anforderung gibt einen 204 No Content Antwortcode zurück.

DELETE https://graph.microsoft.com/v1.0/applications/b7308000-8bb3-467b-bfc7-8dbbfd759ad9


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Applications["{application-id}"].DeleteAsync();



mgc applications delete --application-id {application-id}



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  //other-imports
)


// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Applications().ByApplicationId("application-id").Delete(context.Background(), nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

graphClient.applications().byApplicationId("{application-id}").delete();


const options = {
	authProvider,
};

const client = Client.init(options);

await client.api('/applications/b7308000-8bb3-467b-bfc7-8dbbfd759ad9')
	.delete();


<?php
use Microsoft\Graph\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$graphServiceClient->applications()->byApplicationId('application-id')->delete()->wait();


Import-Module Microsoft.Graph.Applications

Remove-MgApplication -ApplicationId $applicationId


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

await graph_client.applications.by_application_id('application-id').delete()

Löschen des Testbenutzerkontos

Die Anforderung gibt einen 204 No Content Antwortcode zurück.

DELETE https://graph.microsoft.com/v1.0/users/59bb3898-0621-4414-ac61-74f9d7201355


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Users["{user-id}"].DeleteAsync();



mgc users delete --user-id {user-id}



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  //other-imports
)


// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Users().ByUserId("user-id").Delete(context.Background(), nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

graphClient.users().byUserId("{user-id}").delete();


const options = {
	authProvider,
};

const client = Client.init(options);

await client.api('/users/59bb3898-0621-4414-ac61-74f9d7201355')
	.delete();


<?php
use Microsoft\Graph\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$graphServiceClient->users()->byUserId('user-id')->delete()->wait();


Import-Module Microsoft.Graph.Users

Remove-MgUser -UserId $userId


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

await graph_client.users.by_user_id('user-id').delete()

Löschen einer Anspruchszuordnungsrichtlinie

Die Anforderung gibt einen 204 No Content Antwortcode zurück.

DELETE https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/a4b35718-fd5e-4ca8-8248-a3c9934b1b78


// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Policies.ClaimsMappingPolicies["{claimsMappingPolicy-id}"].DeleteAsync();



mgc policies claims-mapping-policies delete --claims-mapping-policy-id {claimsMappingPolicy-id}



// Code snippets are only available for the latest major version. Current major version is $v1.*

// Dependencies
import (
	  "context"
	  msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
	  //other-imports
)


// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Policies().ClaimsMappingPolicies().ByClaimsMappingPolicyId("claimsMappingPolicy-id").Delete(context.Background(), nil)


// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

graphClient.policies().claimsMappingPolicies().byClaimsMappingPolicyId("{claimsMappingPolicy-id}").delete();


const options = {
	authProvider,
};

const client = Client.init(options);

await client.api('/policies/claimsMappingPolicies/a4b35718-fd5e-4ca8-8248-a3c9934b1b78')
	.delete();


<?php
use Microsoft\Graph\GraphServiceClient;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);


$graphServiceClient->policies()->claimsMappingPolicies()->byClaimsMappingPolicyId('claimsMappingPolicy-id')->delete()->wait();


Import-Module Microsoft.Graph.Identity.SignIns

Remove-MgPolicyClaimMappingPolicy -ClaimsMappingPolicyId $claimsMappingPolicyId


# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

await graph_client.policies.claims_mapping_policies.by_claims_mapping_policy_id('claimsMappingPolicy-id').delete()

Lesen Sie die Schritte zum Integrieren von Microsoft Entra SSO in AWS IAM Identity Center mithilfe des Microsoft Entra Admin Centers.

Freigeben über

Konfigurieren des SAML-basierten einmaligen Anmeldens für Ihre Anwendung mithilfe von Microsoft Graph

Voraussetzungen

Schritt 1: Identifizieren der zu konfigurierenden Anwendung

Anforderung

Antwort

Schritt 2: Instanziieren der Anwendung

Anforderung

Antwort

Schritt 3: Konfigurieren des einmaligen Anmeldens

Schritt 3.1: Festlegen des Modus für einmaliges Anmelden für den Dienstprinzipal

Schritt 3.2: Festlegen grundlegender SAML-URLs für die Anwendung

Schritt 4: Hinzufügen von App-Rollen

Schritt 5: Konfigurieren der Anspruchszuordnung

Schritt 5.1: Erstellen einer Anspruchszuordnungsrichtlinie

Anforderung

Antwort

Schritt 5.2: Zuweisen der Anspruchszuordnungsrichtlinie zum Dienstprinzipal

Schritt 6: Konfigurieren eines Signaturzertifikats

Option 1: Erstellen eines Tokensignaturzertifikats für den Dienstprinzipal

Anforderung

Antwort

Option 2: Erstellen eines benutzerdefinierten Signaturzertifikats

Extrahieren von Zertifikatdetails

Extrahieren des Zertifikatfingerabdrucks

Anforderung

Antwort

Extrahieren des Zertifikatschlüssels

Anforderung

Antwort

Hinzufügen des benutzerdefinierten Signaturschlüssels

Aktivieren des benutzerdefinierten Signierschlüssels

Anforderung

Schritt 7: Zuweisen von Benutzern zur Anwendung

Zuweisen eines Benutzers zur Anwendung

Anforderung

Antwort

Schritt 8: Abrufen von Microsoft Entra ID SAML-Metadaten für die AWS Contoso-App

Schritt 9: Abschließen und Testen der Integration

Schritt 10: Bereinigen von Ressourcen

Löschen der Anwendung

Löschen des Testbenutzerkontos

Löschen einer Anspruchszuordnungsrichtlinie

Verwandte Inhalte

Feedback

Zusätzliche Ressourcen