Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Update the properties of a federatedIdentityCredential object assigned to an application or an agentIdentityBlueprint.
This API is available in the following national cloud deployments.
| Global service | US Government L4 | US Government L5 (DOD) | China operated by 21Vianet |
|---|---|---|---|
| ✅ | ✅ | ✅ | ✅ |
Permissions
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
Permissions for an application
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Application.ReadWrite.All | Not available. |
| Delegated (personal Microsoft account) | Application.ReadWrite.All | Not available. |
| Application | Application.ReadWrite.OwnedBy | Application.ReadWrite.All |
Important
In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
- A non-admin member user with default user permissions - for applications they own
- Application Developer - for applications they own
- Cloud Application Administrator
- Application Administrator
Permissions for an agentIdentityBlueprint
| Permission type | Least privileged permission | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | AgentIdentityBlueprint.AddRemoveCreds.All, AgentIdentityBlueprint.UpdateBranding.All | AgentIdentityBlueprint.ReadWrite.All, Directory.ReadWrite.All |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | AgentIdentityBlueprint.AddRemoveCreds.All, AgentIdentityBlueprint.UpdateBranding.All | AgentIdentityBlueprint.ReadWrite.All, Directory.ReadWrite.All |
Important
The AgentIdentity* permissions are currently unavailable for consent through the API permissions experience on the Microsoft Entra admin center. To use these permissions, you can consent to them through Microsoft Graph API calls as described in Grant or revoke API permissions programmatically. See Permissions for managing agent identities for more information about these permissions.
When using delegated permissions, the authenticated user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
- Agent ID Administrator.
- Agent ID Developer - Create agent identity blueprints. The principal with this role is assigned ownership of the blueprint they create and can perform write operations on that blueprint.
HTTP request
For an application:
- You can address the application using either its id or appId. id and appId are referred to as the Object ID and Application (Client) ID, respectively, in app registrations in the Microsoft Entra admin center.
- You can also address the federated identity credential with either its id or name.
PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}
PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialName}
For an agentIdentityBlueprint:
- You can address the federated identity credential with either its id or name.
PATCH /applications/{id}/microsoft.graph.agentIdentityBlueprint/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications/{id}/microsoft.graph.agentIdentityBlueprint/federatedIdentityCredentials/{federatedIdentityCredentialName}
Request headers
| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
Request body
In the request body, supply only the values for properties that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
The following table specifies the properties that can be updated.
| Property | Type | Description |
|---|---|---|
| audiences | String collection | The audience that can appear in the issued token. For Microsoft Entra ID, set its value to api://AzureADTokenExchange. This field can only accept a single value and has a limit of 600 characters. |
| claimsMatchingExpression | federatedIdentityExpression | Nullable. Defaults to null if not set. Enables the use of claims matching expressions against specified claims. If claimsMatchingExpression is defined, subject must be null. For the list of supported expression syntax and claims, visit the Flexible FIC reference. |
| description | String | A user-provided description of what the federatedIdentityCredential is used for. It has a limit of 600 characters. |
| issuer | String | The URL of the incoming trusted issuer (Secure Token Service). Matches the issuer claim of an access token. For example, with the Customer Managed Keys scenario, Microsoft Entra ID is the issuer and a valid value would be https://login.microsoftonline.com/{tenantid}/v2.0. The combination of the values of issuer and subject must be unique on the app. It has a limit of 600 characters. |
| subject | String | Nullable. Defaults to null if not set. objectId of the servicePrincipal (can represent a managed identity) that can impersonate the app. The object associated with this GUID needs to exist in the tenant.The combination of the values of issuer and subject must be unique on the app. If subject is defined, claimsMatchingExpression must be null. It has a limit of 600 characters. |
Response
If successful, this method returns a 204 No Content response code.
Examples
Example 1: Update a federated identity credential for an application
Request
PATCH https://graph.microsoft.com/beta/applications/bcd7c908-1c4d-4d48-93ee-ff38349a75c8/federatedIdentityCredentials/15be77d1-1940-43fe-8aae-94a78e078da0
Content-Type: application/json
{
"name": "testing02",
"issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",
"subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",
"description": "Updated description",
"audiences": [
"api://AzureADTokenExchange"
]
}
Response
HTTP/1.1 204 No Content
Example 2: Update a federated identity credential for an agentIdentityBlueprint
Request
PATCH https://graph.microsoft.com/beta/applications/bcd7c908-1c4d-4d48-93ee-ff38349a75c8/microsoft.graph.agentIdentityBlueprint/federatedIdentityCredentials/15be77d1-1940-43fe-8aae-94a78e078da0
Content-Type: application/json
{
"name": "testing02",
"issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",
"subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",
"description": "Updated description",
"audiences": [
"api://AzureADTokenExchange"
]
}
Response
HTTP/1.1 204 No Content