SYNOPSIS
Retrieves all Entra ID applications configured for SAML SSO.
SYNTAX
All (Default)
Get-MgApplicationSAML [-ForceNewToken] [-ExportToExcel] [-RunFromAzureAutomation]
[-ExpirationThresholdDays <Int32>] [-NotificationRecipient <String>] [-NotificationSender <String>]
[-IncludeSignInStats] [-DisableParallel] [-ThrottleLimit <Int32>] [-ProgressAction <ActionPreference>]
[<CommonParameters>]
ByObjectId
Get-MgApplicationSAML [-ObjectID <String>] [-ForceNewToken] [-ExportToExcel] [-RunFromAzureAutomation]
[-ExpirationThresholdDays <Int32>] [-NotificationRecipient <String>] [-NotificationSender <String>]
[-IncludeSignInStats] [-DisableParallel] [-ThrottleLimit <Int32>] [-ProgressAction <ActionPreference>]
[<CommonParameters>]
ByDisplayName
Get-MgApplicationSAML [-DisplayName <String>] [-ForceNewToken] [-ExportToExcel] [-RunFromAzureAutomation]
[-ExpirationThresholdDays <Int32>] [-NotificationRecipient <String>] [-NotificationSender <String>]
[-IncludeSignInStats] [-DisableParallel] [-ThrottleLimit <Int32>] [-ProgressAction <ActionPreference>]
[<CommonParameters>]
DESCRIPTION
This function returns a list of all Entra ID applications configured for SAML Single Sign-On along with their SAML-related properties.
Each row represents one SAML signing certificate (KeyCredential with Usage ‘Sign’), so an application with multiple certificates will appear on multiple rows.
The SamlSigningCertificateIsPreferred column identifies the currently active certificate:
- True : this is the active signing certificate
- False : this certificate exists on the application but is not currently active
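The row model described above, reconstructed as an added example (this is not code from the Get-MgApplicationSAML module). It assumes that the signing certificates are the KeyCredentials with Usage ‘Sign’ on the service principal and that the active one is the KeyCredential whose thumbprint (CustomKeyIdentifier, hex-encoded) equals the service principal’s PreferredTokenSigningKeyThumbprint; every column name except SamlSigningCertificateIsPreferred is this example’s own. The sample service principal is constructed inline so the block runs without a tenant.

```powershell
# Added example, not part of the Get-MgApplicationSAML module.
# Assumption: "preferred" means CustomKeyIdentifier (thumbprint bytes) of a Usage 'Sign'
# KeyCredential matches the service principal's PreferredTokenSigningKeyThumbprint.
function ConvertTo-SamlSigningCertificateRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$ServicePrincipal
    )
    process {
        $preferred = $ServicePrincipal.PreferredTokenSigningKeyThumbprint
        foreach ($kc in $ServicePrincipal.KeyCredentials) {
            # Each certificate is stored as a Sign/Verify pair; only the Sign half is a signing cert.
            if ($kc.Usage -ne 'Sign') { continue }

            # Graph returns CustomKeyIdentifier as bytes (the SHA-1 thumbprint); normalise to hex.
            $thumbprint = if ($kc.CustomKeyIdentifier -is [byte[]]) {
                [System.BitConverter]::ToString($kc.CustomKeyIdentifier) -replace '-', ''
            } else {
                [string]$kc.CustomKeyIdentifier
            }

            # EndDateTime is nullable on SDK objects; only compute a countdown when it exists.
            $days = if ($kc.EndDateTime) { [int][math]::Floor(($kc.EndDateTime - (Get-Date)).TotalDays) } else { $null }

            [pscustomobject]@{
                DisplayName                       = $ServicePrincipal.DisplayName
                ServicePrincipalId                = $ServicePrincipal.Id
                SamlSigningCertificateThumbprint  = $thumbprint
                SamlSigningCertificateEndDateTime = $kc.EndDateTime
                SamlSigningCertificateIsPreferred = [bool]($preferred -and ($thumbprint -ieq $preferred))
                DaysUntilExpiry                   = $days
            }
        }
    }
}

# Helper for the constructed sample: hex thumbprint string -> byte[] as Graph returns it.
function ConvertFrom-HexThumbprint([string]$Hex) {
    [byte[]](0..($Hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($Hex.Substring($_ * 2, 2), 16) })
}

# Constructed sample (made-up IDs and thumbprints, not tenant data): a gallery app that was
# rolled to a new certificate but still carries the old one.
$oldThumb = 'A1B2C3D4E5F60718293A4B5C6D7E8F9012A3B4C5'
$newThumb = 'F0E1D2C3B4A5968778695A4B3C2D1E0F11223344'
$sampleSp = [pscustomobject]@{
    Id                                 = '11111111-2222-3333-4444-555555555555'
    DisplayName                        = 'Contoso HR Portal'
    PreferredSingleSignOnMode          = 'saml'
    PreferredTokenSigningKeyThumbprint = $newThumb
    KeyCredentials                     = @(
        [pscustomobject]@{ Usage = 'Sign';   CustomKeyIdentifier = ConvertFrom-HexThumbprint $oldThumb; EndDateTime = (Get-Date).AddDays(20) }
        [pscustomobject]@{ Usage = 'Verify'; CustomKeyIdentifier = ConvertFrom-HexThumbprint $oldThumb; EndDateTime = (Get-Date).AddDays(20) }
        [pscustomobject]@{ Usage = 'Sign';   CustomKeyIdentifier = ConvertFrom-HexThumbprint $newThumb; EndDateTime = (Get-Date).AddYears(3) }
        [pscustomobject]@{ Usage = 'Verify'; CustomKeyIdentifier = ConvertFrom-HexThumbprint $newThumb; EndDateTime = (Get-Date).AddYears(3) }
    )
}

# Two rows come out: the old certificate (IsPreferred False) and the new one (IsPreferred True).
$rows = $sampleSp | ConvertTo-SamlSigningCertificateRow
$rows | Format-Table DisplayName, SamlSigningCertificateThumbprint, SamlSigningCertificateIsPreferred, DaysUntilExpiry

# Against a real tenant (Application.Read.All is sufficient to read service principals):
# Connect-MgGraph -Scopes 'Application.Read.All'
# Get-MgServicePrincipal -All -Property id,displayName,preferredSingleSignOnMode,preferredTokenSigningKeyThumbprint,keyCredentials |
#     Where-Object PreferredSingleSignOnMode -eq 'saml' | ConvertTo-SamlSigningCertificateRow
```

The distinction matters for two different checks: the preferred certificate expiring is an availability problem (assertions stop validating at the relying party), whereas a non-preferred certificate that is still valid is hygiene debt: it is not used for signing, but it remains on the object and should be removed once the rollover has been confirmed on the service provider side.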
EXAMPLES
EXAMPLE 1
Get-MgApplicationSAML
Retrieves all Entra ID applications configured for SAML SSO.
EXAMPLE 2
Get-MgApplicationSAML -DisableParallel
Forces sequential processing even on PowerShell 7+ (useful for debugging or to avoid concurrent Graph calls).
EXAMPLE 3
Get-MgApplicationSAML -IncludeSignInStats
Retrieves all Entra ID applications configured for SAML SSO with sign-in statistics for the last 30 days.
EXAMPLE 4
Get-MgApplicationSAML -ObjectID "xxx-xxx-xxx"
Retrieves the SAML configuration for a specific application by its ObjectID.
EXAMPLE 5
Get-MgApplicationSAML -DisplayName "My SAML App"
Retrieves the SAML configuration for a specific application by its DisplayName.
EXAMPLE 6
Get-MgApplicationSAML -DisplayName "Azure*"
Retrieves the SAML configuration for all applications whose DisplayName starts with “Azure”.
EXAMPLE 7
Get-MgApplicationSAML -DisplayName "*Portal*"
Retrieves the SAML configuration for all applications whose DisplayName contains “Portal”.
EXAMPLE 8
Get-MgApplicationSAML -ForceNewToken
Forces the function to disconnect and reconnect to Microsoft Graph to obtain a new access token.
EXAMPLE 9
Get-MgApplicationSAML -ExportToExcel
Gets all SAML applications and exports them to an Excel file.
EXAMPLE 10
Get-MgApplicationSAML -RunFromAzureAutomation -ExpirationThresholdDays 30 -NotificationRecipient 'admin@company.com' -NotificationSender 'automation@company.com'
Gets all SAML applications using managed identity authentication and sends notification for certificates expiring within 30 days.
EXAMPLE 11
Get-MgApplicationSAML -RunFromAzureAutomation -ExpirationThresholdDays 7 -NotificationRecipient 'admin@company.com' -NotificationSender 'automation@company.com'
Gets all SAML applications using managed identity and sends email notification for certificates expiring within 7 days.
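The expiry evaluation and notification that a scheduled run like Examples 10 and 11 performs, written out as an added example (not the module’s code). It assumes the input rows carry DisplayName, the documented SamlSigningCertificateIsPreferred column, and an end date in a column named SamlSigningCertificateEndDateTime (this example’s name, not necessarily the function’s). The sample rows are constructed inline, and the mail is built but not sent.

```powershell
# Added example, not part of the Get-MgApplicationSAML module.
# Assumed input columns: DisplayName, SamlSigningCertificateIsPreferred, SamlSigningCertificateEndDateTime.
function Select-ExpiringSamlCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Row,
        [int]$ThresholdDays = 30,
        [datetime]$Now = (Get-Date)
    )
    process {
        # Only the preferred (active) certificate signs assertions; a stale inactive one cannot break SSO.
        if (-not $Row.SamlSigningCertificateIsPreferred) { return }
        # No end date recorded: nothing to evaluate.
        if (-not $Row.SamlSigningCertificateEndDateTime) { return }

        $days = [int][math]::Floor(($Row.SamlSigningCertificateEndDateTime - $Now).TotalDays)
        # Negative values mean the certificate has already expired; those are reported too.
        if ($days -le $ThresholdDays) {
            [pscustomobject]@{
                DisplayName     = $Row.DisplayName
                EndDateTime     = $Row.SamlSigningCertificateEndDateTime
                DaysUntilExpiry = $days
            }
        }
    }
}

# Builds the BodyParameter hashtable in the shape Send-MgUserMail expects.
function New-SamlExpiryMailBody {
    param(
        [Parameter(Mandatory)] [object[]]$Expiring,
        [Parameter(Mandatory)] [string]$Recipient,
        [int]$ThresholdDays = 30
    )
    $lines = $Expiring | Sort-Object DaysUntilExpiry | ForEach-Object {
        '{0,-30} expires {1:yyyy-MM-dd} ({2} days)' -f $_.DisplayName, $_.EndDateTime, $_.DaysUntilExpiry
    }
    @{
        message = @{
            subject      = "SAML signing certificates expiring within $ThresholdDays days: $($Expiring.Count)"
            body         = @{ contentType = 'Text'; content = ($lines -join "`n") }
            toRecipients = @(@{ emailAddress = @{ address = $Recipient } })
        }
        saveToSentItems = $false
    }
}

# Constructed sample rows (not real output): only two of the four need attention.
$now  = Get-Date
$rows = @(
    [pscustomobject]@{ DisplayName = 'Contoso HR Portal'; SamlSigningCertificateIsPreferred = $true;  SamlSigningCertificateEndDateTime = $now.AddDays(12) }
    [pscustomobject]@{ DisplayName = 'Contoso HR Portal'; SamlSigningCertificateIsPreferred = $false; SamlSigningCertificateEndDateTime = $now.AddDays(-5) }  # old cert, not active
    [pscustomobject]@{ DisplayName = 'Payroll SaaS';      SamlSigningCertificateIsPreferred = $true;  SamlSigningCertificateEndDateTime = $now.AddDays(-3) }  # already expired
    [pscustomobject]@{ DisplayName = 'Wiki';              SamlSigningCertificateIsPreferred = $true;  SamlSigningCertificateEndDateTime = $now.AddYears(2) }
)

# Yields 'Payroll SaaS' (-3 days) and 'Contoso HR Portal' (12 days).
$expiring = @($rows | Select-ExpiringSamlCertificate -ThresholdDays 30 -Now $now)
$expiring | Format-Table

if ($expiring.Count -gt 0) {
    $mail = New-SamlExpiryMailBody -Expiring $expiring -Recipient 'admin@company.com' -ThresholdDays 30
    $mail.message.body.content
    # In the real runbook, authenticated as the managed identity:
    # Connect-MgGraph -Identity
    # Send-MgUserMail -UserId 'automation@company.com' -BodyParameter $mail
}
```

Send-MgUserMail needs the Mail.Send application permission on the managed identity, and as an application permission it allows sending from any mailbox in the tenant; scope it to the sender mailbox with an Exchange Online application access policy (New-ApplicationAccessPolicy) so a compromised runbook cannot impersonate other senders.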
PARAMETERS
-ObjectID
(Optional) Retrieves the SAML configuration for a specific application by its ObjectID.
Type: String
Parameter Sets: ByObjectId
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-DisplayName
(Optional) Retrieves the SAML configuration for a specific application by its DisplayName.
Supports wildcards (* and ?) for partial name matching (e.g. “Azure*”, “*Portal*”).
Type: String
Parameter Sets: ByDisplayName
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ForceNewToken
(Optional) Forces the function to disconnect and reconnect to Microsoft Graph to obtain a new access token.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-ExportToExcel
(Optional) If specified, exports the results to an Excel file in the user’s profile directory.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-RunFromAzureAutomation
(Optional) If specified, uses managed identity authentication instead of interactive authentication.
This is useful when running the script in Azure environments like Azure Functions, Logic Apps, or VMs with managed identity enabled.
When this parameter is used, ExpirationThresholdDays, NotificationRecipient and NotificationSender are required.
The Microsoft Graph PowerShell SDK (Microsoft.Graph.*) modules imported into Azure Automation must be at most version 2.25.0 when the runbook uses PowerShell < 7.4.0, because starting from version 2.26.0 the SDK requires PowerShell 7.4.0, which Azure Automation does not support yet as of February 2026.
For PowerShell 7.4.0+, there are no version restrictions.
https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3147
https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3151
https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3166
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-ExpirationThresholdDays
(Required when RunFromAzureAutomation is enabled) Threshold, in days, for the expiration notification: certificates whose end date falls within this many days from now are reported.
Default is 30 days.
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 30
Accept pipeline input: False
Accept wildcard characters: False
-NotificationRecipient
(Required when RunFromAzureAutomation is enabled) Email address to receive expiration notifications.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-NotificationSender
(Required when RunFromAzureAutomation is enabled) Email address of the sender for expiration notifications.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-IncludeSignInStats
(Optional) If specified, includes sign-in statistics for the last 30 days for each application.
Requires the AuditLog.Read.All permission, since the statistics come from the sign-in logs.
Be aware that this is slow on tenants with many SAML applications.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-DisableParallel
(Optional) Forces sequential processing.
By default, on PowerShell 7+ the function processes SAML applications in
parallel (ForEach-Object -Parallel) to speed up discovery; on PowerShell 5.1 it always runs sequentially.
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-ThrottleLimit
(Optional) Maximum number of concurrent runspaces when running in parallel.
Default is 5.
Keep this value moderate to avoid Microsoft Graph throttling (HTTP 429).
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 5
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
OUTPUTS
NOTES
Limitations:
The SAML claims configuration of an application is not available in the Microsoft Graph API v1.0; it is only exposed by the undocumented Azure portal backend endpoint https://main.iam.ad.ext.azure.com/api/ApplicationSso/<service-principal-id>/FederatedSsoV2, so this function does not return it.
https://ps365.clidsys.com/docs/commands/Get-MgApplicationSAML