Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Represents the policy to specify the characteristics of SAML tokens issued by Microsoft Entra ID. You can use token-issuance policies to:
- Set signing options
- Set signing algorithm
- Set SAML token version
Inherits from stsPolicy.
Methods
| Method | Return Type | Description | 
|---|---|---|
| Create | tokenIssuancePolicy | Create a tokenIssuancePolicy object. | 
| Get | tokenIssuancePolicy | Read properties and relationships of a tokenIssuancePolicy object. | 
| List | tokenIssuancePolicy | Read properties and relationships of tokenIssuancePolicy objects. | 
| Update | None | Update a tokenIssuancePolicy object. | 
| Delete | None | Delete a tokenIssuancePolicy object. | 
| List applied to applications | directoryObject collection | Get the list of directoryObjects that this policy has been applied to. | 
Properties
| Property | Type | Description | 
|---|---|---|
| id | String | Unique identifier for this policy. Read-only. | 
| definition | String collection | A string collection containing a JSON string that defines the rules and settings for this policy. See below for more details about the JSON schema for this property. Required. | 
| description | String | Description for this policy. | 
| displayName | String | Display name for this policy. Required. | 
| isOrganizationDefault | Boolean | Ignore this property. The token-issuance policy can only be applied to service principals and can't be set globally for the organization. | 
Properties of a token issuance policy definition
The properties form the JSON object that represents a token issuance policy. This JSON object must be converted to a string, with its quotation marks escaped, before it is inserted into the definition property. The following is an example in JSON format:

```json
"definition": [
    "{ \"TokenIssuancePolicy\":{\"TokenResponseSigningPolicy\":\"TokenOnly\",\"SamlTokenVersion\":\"1.1\",\"SigningAlgorithm\":\"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\",\"Version\":\"1\",\"EmitSAMLNameFormat\": \"true\"}}"
  ]
```
| Property | Type | Description | 
|---|---|---|
| TokenResponseSigningPolicy | String | Represents the certificate signing options available in Microsoft Entra ID. Supported values are: ResponseOnly, TokenOnly, ResponseAndToken. | 
| SamlTokenVersion | String | Version of the SAML token. Supported values are: 1.1, 2.0. | 
| SigningAlgorithm | String | Signing algorithm used by Microsoft Entra ID to sign the SAML token. Supported values are: http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, http://www.w3.org/2000/09/xmldsig#rsa-sha1. | 
| Version | Integer | Set to 1. Required. | 
| EmitSamlNameFormat | Boolean | If true, Microsoft Entra ID adds an additional attribute called "NameFormat", which describes the format of the name, to the restricted, core, and optional claims for this application. | 
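As an added example (not code from the Microsoft Graph documentation), the following Python builds the request body for creating a policy by serializing the TokenIssuancePolicy object into the escaped string that the definition property expects, and audits an existing definition against the supported values listed above. The display name, the default values, and the "prefer" wording of the findings are assumptions.

```python
import json

# Supported values from the definition schema on this page.
SIGNING_POLICIES = {"ResponseOnly", "TokenOnly", "ResponseAndToken"}
SAML_VERSIONS = {"1.1", "2.0"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"


def build_request_body(display_name, signing_policy="ResponseAndToken",
                       saml_version="2.0", algorithm=RSA_SHA256,
                       emit_name_format=False, description=""):
    """Build the body for creating a tokenIssuancePolicy. The inner object is
    serialized to a string so `definition` is a String collection; json.dumps
    escapes the inner quotation marks the way the page's example shows."""
    inner = {"TokenIssuancePolicy": {
        "TokenResponseSigningPolicy": signing_policy,
        "SamlTokenVersion": saml_version,
        "SigningAlgorithm": algorithm,
        "Version": "1",
        "EmitSAMLNameFormat": "true" if emit_name_format else "false",
    }}
    return {"definition": [json.dumps(inner, separators=(",", ":"))],
            "displayName": display_name, "description": description,
            "isOrganizationDefault": False}


def audit_definition(definition):
    """Parse a policy's `definition` collection and return a list of findings:
    values outside the documented sets, plus the weaker options (rsa-sha1,
    SAML 1.1) that a reviewer of token issuance settings would want flagged."""
    findings = []
    policy = json.loads(definition[0]).get("TokenIssuancePolicy", {})
    if policy.get("TokenResponseSigningPolicy") not in SIGNING_POLICIES:
        findings.append("invalid TokenResponseSigningPolicy")
    version = policy.get("SamlTokenVersion")
    if version not in SAML_VERSIONS:
        findings.append("invalid SamlTokenVersion")
    elif version == "1.1":
        findings.append("SamlTokenVersion 1.1 in use; prefer 2.0")
    algorithm = policy.get("SigningAlgorithm")
    if algorithm not in (RSA_SHA256, RSA_SHA1):
        findings.append("invalid SigningAlgorithm")
    elif algorithm == RSA_SHA1:
        findings.append("rsa-sha1 SigningAlgorithm in use; prefer rsa-sha256")
    if str(policy.get("Version")) != "1":
        findings.append("Version must be 1")
    return findings
```

The body returned by build_request_body is what a POST to the Create method would send; audit_definition accepts the definition collection exactly as the Get and List methods return it.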
Relationships
| Relationship | Type | Description | 
|---|---|---|
| appliesTo | directoryObject collection | The directoryObject collection that this policy has been applied to. Read-only. | 
JSON representation
The following JSON representation shows the resource type.
```json
{
  "definition": ["String"],
  "description": "String",
  "displayName": "String",
  "id": "String (identifier)",
  "isOrganizationDefault": true
}
```