Skip to main content

SYNOPSIS

Retrieves all Entra ID applications configured for SAML SSO.

SYNTAX

All (Default)

ByObjectId

ByDisplayName

DESCRIPTION

This function returns a list of all Entra ID applications configured for SAML Single Sign-On along with their SAML-related properties. Each row represents one SAML signing certificate (KeyCredential with Usage ‘Sign’), so an application with multiple certificates will appear on multiple rows. The SamlSigningCertificateIsPreferred column identifies the currently active certificate:
  • True : this is the active signing certificate
  • False : this certificate exists on the application but is not currently active

EXAMPLES

EXAMPLE 1

Retrieves all Entra ID applications configured for SAML SSO.

EXAMPLE 2

Forces sequential processing even on PowerShell 7+ (useful for debugging or to avoid concurrent Graph calls).

EXAMPLE 3

Retrieves all Entra ID applications configured for SAML SSO with sign-in statistics for the last 30 days.

EXAMPLE 4

Retrieves the SAML configuration for a specific application by its ObjectID.

EXAMPLE 5

Retrieves the SAML configuration for a specific application by its DisplayName.

EXAMPLE 6

Retrieves the SAML configuration for all applications whose DisplayName starts with “Azure”.

EXAMPLE 7

Retrieves the SAML configuration for all applications whose DisplayName contains “Portal”.

EXAMPLE 8

Forces the function to disconnect and reconnect to Microsoft Graph to obtain a new access token.

EXAMPLE 9

Gets all SAML applications and exports them to an Excel file.

EXAMPLE 10

Gets all SAML applications using managed identity authentication and sends notification for certificates expiring within 30 days.

EXAMPLE 11

Gets all SAML applications using managed identity and sends email notification for certificates expiring within 7 days.

PARAMETERS

-ObjectID

(Optional) Retrieves the SAML configuration for a specific application by its ObjectID.

-DisplayName

(Optional) Retrieves the SAML configuration for a specific application by its DisplayName. Supports wildcards (* and ?) for partial name matching (e.g. “Azure*”, “Portal”).

-ForceNewToken

(Optional) Forces the function to disconnect and reconnect to Microsoft Graph to obtain a new access token.

-ExportToExcel

(Optional) If specified, exports the results to an Excel file in the user’s profile directory.

-ExportPath

Optional output directory for the Excel export (defaults to the user profile).

-RunFromAzureAutomation

(Optional) If specified, uses managed identity authentication instead of interactive authentication. This is useful when running the script in Azure environments like Azure Functions, Logic Apps, or VMs with managed identity enabled. When this parameter is used, ExpirationThresholdDays, NotificationRecipient and NotificationSender are required. PowerShell modules used in Azure Automation must be a MAXIMUM of version 2.25.0 when using PowerShell < 7.4.0, because starting from version 2.26.0, PowerShell 7.4.0 is required, and Azure Automation does not support it yet as of February 2026. For PowerShell 7.4.0+, there are no version restrictions. https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3147 https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3151 https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/3166

-ExpirationThresholdDays

(Required when RunFromAzureAutomation is enabled) Number of days threshold for expiration notification. Default is 30 days.

-NotificationRecipient

(Required when RunFromAzureAutomation is enabled) Email address to receive expiration notifications.

-NotificationSender

(Required when RunFromAzureAutomation is enabled) Email address of the sender for expiration notifications.

-IncludeSignInStats

(Optional) If specified, includes sign-in statistics for the last 30 days for each application. Requires AuditLog.Read.All permission. Please be advised that this process is time-consuming.

-DisableParallel

(Optional) Forces sequential processing. By default, on PowerShell 7+ the function processes SAML applications in parallel (ForEach-Object -Parallel) to speed up discovery; on PowerShell 5.1 it always runs sequentially.

-ThrottleLimit

(Optional) Maximum number of concurrent runspaces when running in parallel. Default is 5. Keep this value moderate to avoid Microsoft Graph throttling (HTTP 429).

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

INPUTS

OUTPUTS

NOTES

Limitations: The information about the SAML applications clams is not available in the Microsoft Graph API v1 but in https://main.iam.ad.ext.azure.com/api/ApplicationSso/&lt;service-principal-id&gt;/FederatedSsoV2 so we don’t get them https://ps365.clidsys.com/docs/commands/Get-MgApplicationSAML