Create identityProvider (deprecated)

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Caution

This identity provider API is deprecated and will stop returning data after March, 2023. Please use the new identity provider API.

Create a new identityProvider object.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) IdentityProvider.ReadWrite.All Not available.
Delegated (personal Microsoft account) Not supported. Not supported.
Application IdentityProvider.ReadWrite.All Not available.

In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. External Identity Provider Administrator is the least privileged role supported for this operation.

HTTP request

POST /identityProviders

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Request body

In the request body, provide a JSON representation of identityProvider or openIdConnectProvider (only for Azure AD B2C) object. All the properties listed in the following table are required.

identityProvider object

Property Type Description
clientId String The client ID for the application. This is the client ID obtained when registering the application with the identity provider.
clientSecret String The client secret for the application. This is the client secret obtained when registering the application with the identity provider.
name String The display name of the identity provider.
type String The identity provider type.
    For B2B scenario:
  • Google
  • Facebook
    For B2C scenario:
  • Microsoft
  • Google
  • Amazon
  • LinkedIn
  • Facebook
  • GitHub
  • Twitter
  • Weibo
  • QQ
  • WeChat
  • OpenIDConnect

openIdConnectProvider object

Property Type Description
clientId String The client ID for the application. This is the client ID obtained when registering the application with the identity provider.
clientSecret String The client secret for the application. This is the client secret obtained when registering the application with the identity provider.
name String The display name of the identity provider.
type String The identity provider type. The value must be OpenIdConnect.
claimsMapping claimsMapping The userId and displayname properties are required in the claimsMapping object.
metadataUrl String The URL for the metadata document of the OpenID Connect identity provider.
responseMode String Defines the method that should be used to send the data back from the custom identity provider to Azure AD B2C. The following response modes can be used:
  • form_post : This response mode is recommended for best security. The response is transmitted via the HTTP POST method, with the code or token being encoded in the body using the application/x-www-form-urlencoded format.
  • query : The code or token is returned as a query parameter.
responseType String Describes what kind of information is sent back in the initial call to the authorization_endpoint of the custom identity provider. The following response types can be used:
  • code : As per the authorization code flow, a code will be returned back to Azure AD B2C. Azure AD B2C proceeds to call the token_endpoint to exchange the code for the token.
  • id_token : An ID token is returned back to Azure AD B2C from the custom identity provider.
  • token : An access token is returned back to Azure AD B2C from the custom identity provider. (This value is not supported by Azure AD B2C at the moment)
scope String Scope defines the information and permissions you are looking to gather from your custom identity provider.

Response

If successful, this method returns a 201 Created response code and identityProvider or openIdConnectProvider (only for Azure AD B2C) object in the response body. If unsuccessful, a 4xx error will be returned with specific details.

Examples

Example 1: Create a specific identityProvider

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/identityProviders
Content-type: application/json

{
  "@odata.type": "microsoft.graph.identityProvider",
  "name": "Login with Amazon",
  "type": "Amazon",
  "clientId": "56433757-cadd-4135-8431-2c9e3fd68ae8",
  "clientSecret": "000000000000"
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
   "@odata.type": "microsoft.graph.identityProvider",
    "id": "Amazon-OAUTH",
    "name": "Login with Amazon",
    "type": "Amazon",
    "clientId": "56433757-cadd-4135-8431-2c9e3fd68ae8",
    "clientSecret": "*****"
}

Example 2: Create a specific openIDConnectProvider (only for Azure AD B2C)

Request

The following example shows a request.

POST https://graph.microsoft.com/beta/identityProviders
Content-type: application/json

{
  "@odata.type": "microsoft.graph.openIdConnectProvider",
    "name": "Login with the Contoso identity provider",
    "type": "OpenIDConnect",
    "clientId": "56433757-cadd-4135-8431-2c9e3fd68ae8",
    "clientSecret": "12345",
    "claimsMapping": {
        "userId": "myUserId",
        "givenName": "myGivenName",
        "surname": "mySurname",
        "email": "myEmail",
        "displayName": "myDisplayName"
    },
    "domainHint": "mycustomoidc",
    "metadataUrl": "https://mycustomoidc.com/.well-known/openid-configuration",
    "responseMode": "form_post",
    "responseType": "code",
    "scope": "openid"
}

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.type": "microsoft.graph.openIdConnectProvider",
  "id": "OIDC-V1-MyTest-085a8a0c-58cb-4b6d-8e07-1328ea404e1a",
  "name": "Login with the Contoso identity provider",
  "type": "OpenIDConnect",
  "clientId": "56433757-cadd-4135-8431-2c9e3fd68ae8",
  "clientSecret": "12345",
  "claimsMapping": {
      "userId": "myUserId",
      "givenName": "myGivenName",
      "surname": "mySurname",
      "email": "myEmail",
      "displayName": "myDisplayName"
  },
  "domainHint": "mycustomoidc",
  "metadataUrl": "https://mycustomoidc.com/.well-known/openid-configuration",
  "responseMode": "form_post",
  "responseType": "code",
  "scope": "openid"
}