Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Update the properties of a federatedIdentityCredential object.
This API is available in the following national cloud deployments.
| Global service |
US Government L4 |
US Government L5 (DOD) |
China operated by 21Vianet |
| ✅ |
✅ |
✅ |
✅ |
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
| Permission type |
Least privileged permissions |
Higher privileged permissions |
| Delegated (work or school account) |
Application.ReadWrite.All |
Not available. |
| Delegated (personal Microsoft account) |
Application.ReadWrite.All |
Not available. |
| Application |
Application.ReadWrite.OwnedBy |
Application.ReadWrite.All |
Important
In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
- A non-admin member user with default user permissions - for applications they own
- Application Developer - for applications they own
- Cloud Application Administrator
- Application Administrator
HTTP request
You can address the application using either its id or appId. id and appId are referred to as the Object ID and Application (Client) ID, respectively, in app registrations in the Microsoft Entra admin center.
You can also address the federated identity credential with either its id or name.
PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}
PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialName}
Request body
In the request body, supply only the values for properties that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
The following table specifies the properties that can be updated.
| Property |
Type |
Description |
| audiences |
String collection |
The audience that can appear in the issued token. For Microsoft Entra ID, set its value to api://AzureADTokenExchange. This field can only accept a single value and has a limit of 600 characters. |
| claimsMatchingExpression |
federatedIdentityExpression |
Nullable. Defaults to null if not set. Enables the use of claims matching expressions against specified claims. If claimsMatchingExpression is defined, subject must be null. For the list of supported expression syntax and claims, visit the Flexible FIC reference. |
| description |
String |
A user-provided description of what the federatedIdentityCredential is used for. It has a limit of 600 characters. |
| issuer |
String |
The URL of the incoming trusted issuer (Secure Token Service). Matches the issuer claim of an access token. For example, with the Customer Managed Keys scenario, Microsoft Entra ID is the issuer and a valid value would be https://login.microsoftonline.com/{tenantid}/v2.0. The combination of the values of issuer and subject must be unique on the app. It has a limit of 600 characters. |
| subject |
String |
Nullable. Defaults to null if not set. For Microsoft Entra issuer, the objectId of the servicePrincipal (can represent a managed identity) that can impersonate the app. The object associated with this GUID needs to exist in the tenant.For all other issuers, a string with no additional validation
The combination of the values of issuer and subject must be unique on the app. If subject is defined, claimsMatchingExpression must be null. It has a limit of 600 characters. |
Response
If successful, this method returns a 204 No Content response code.
Examples
Request
PATCH https://graph.microsoft.com/beta/applications/bcd7c908-1c4d-4d48-93ee-ff38349a75c8/federatedIdentityCredentials/15be77d1-1940-43fe-8aae-94a78e078da0
Content-Type: application/json
{
"name": "testing02",
"issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",
"subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",
"description": "Updated description",
"audiences": [
"api://AzureADTokenExchange"
]
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Beta.Models;
var requestBody = new FederatedIdentityCredential
{
Name = "testing02",
Issuer = "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",
Subject = "a7d388c3-5e3f-4959-ac7d-786b3383006a",
Description = "Updated description",
Audiences = new List<string>
{
"api://AzureADTokenExchange",
},
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Applications["{application-id}"].FederatedIdentityCredentials["{federatedIdentityCredential-id}"].PatchAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v0.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-beta-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewFederatedIdentityCredential()
name := "testing02"
requestBody.SetName(&name)
issuer := "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0"
requestBody.SetIssuer(&issuer)
subject := "a7d388c3-5e3f-4959-ac7d-786b3383006a"
requestBody.SetSubject(&subject)
description := "Updated description"
requestBody.SetDescription(&description)
audiences := []string {
"api://AzureADTokenExchange",
}
requestBody.SetAudiences(audiences)
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=go
federatedIdentityCredentials, err := graphClient.Applications().ByApplicationId("application-id").FederatedIdentityCredentials().ByFederatedIdentityCredentialId("federatedIdentityCredential-id").Patch(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
FederatedIdentityCredential federatedIdentityCredential = new FederatedIdentityCredential();
federatedIdentityCredential.setName("testing02");
federatedIdentityCredential.setIssuer("https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0");
federatedIdentityCredential.setSubject("a7d388c3-5e3f-4959-ac7d-786b3383006a");
federatedIdentityCredential.setDescription("Updated description");
LinkedList<String> audiences = new LinkedList<String>();
audiences.add("api://AzureADTokenExchange");
federatedIdentityCredential.setAudiences(audiences);
FederatedIdentityCredential result = graphClient.applications().byApplicationId("{application-id}").federatedIdentityCredentials().byFederatedIdentityCredentialId("{federatedIdentityCredential-id}").patch(federatedIdentityCredential);
const options = {
authProvider,
};
const client = Client.init(options);
const federatedIdentityCredential = {
name: 'testing02',
issuer: 'https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0',
subject: 'a7d388c3-5e3f-4959-ac7d-786b3383006a',
description: 'Updated description',
audiences: [
'api://AzureADTokenExchange'
]
};
await client.api('/applications/bcd7c908-1c4d-4d48-93ee-ff38349a75c8/federatedIdentityCredentials/15be77d1-1940-43fe-8aae-94a78e078da0')
.version('beta')
.update(federatedIdentityCredential);
<?php
use Microsoft\Graph\Beta\GraphServiceClient;
use Microsoft\Graph\Beta\Generated\Models\FederatedIdentityCredential;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new FederatedIdentityCredential();
$requestBody->setName('testing02');
$requestBody->setIssuer('https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0');
$requestBody->setSubject('a7d388c3-5e3f-4959-ac7d-786b3383006a');
$requestBody->setDescription('Updated description');
$requestBody->setAudiences(['api://AzureADTokenExchange', ]);
$result = $graphServiceClient->applications()->byApplicationId('application-id')->federatedIdentityCredentials()->byFederatedIdentityCredentialId('federatedIdentityCredential-id')->patch($requestBody)->wait();
Import-Module Microsoft.Graph.Beta.Applications
$params = @{
name = "testing02"
issuer = "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0"
subject = "a7d388c3-5e3f-4959-ac7d-786b3383006a"
description = "Updated description"
audiences = @(
"api://AzureADTokenExchange"
)
}
Update-MgBetaApplicationFederatedIdentityCredential -ApplicationId $applicationId -FederatedIdentityCredentialId $federatedIdentityCredentialId -BodyParameter $params
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph_beta import GraphServiceClient
from msgraph_beta.generated.models.federated_identity_credential import FederatedIdentityCredential
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = FederatedIdentityCredential(
name = "testing02",
issuer = "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",
subject = "a7d388c3-5e3f-4959-ac7d-786b3383006a",
description = "Updated description",
audiences = [
"api://AzureADTokenExchange",
],
)
result = await graph_client.applications.by_application_id('application-id').federated_identity_credentials.by_federated_identity_credential_id('federatedIdentityCredential-id').patch(request_body)
Response
HTTP/1.1 204 No Content