IdentityProvider.ReadWrite.All

Allows the app to read and write your organization’s identity (authentication) providers’ properties on behalf of the user.

Merill's Note

For an app to access data in Microsoft Graph, the user or administrator must grant it the permissions it needs. This article lists all the Microsoft Graph APIs and your tenant data that can be accessed by the application (vendor/developer) if you consent to the IdentityProvider.ReadWrite.All permission.

If you need to create an audit report of the permissions granted to all the apps in your tenant, you can run the Export-MsIdAppConsentGrantReport command. See How To: Run a quick OAuth app audit of your tenant

Category	Application	Delegated
Identifier	90db2b9a-d928-4d33-a4dd-8442ae3d41e4	f13ce604-1677-429f-90bd-8a10b9f01325
DisplayText	Read and write identity providers	Read and write identity providers
Description	Allows the app to read and write your organization’s identity (authentication) providers’ properties without a signed in user.	Allows the app to read and write your organization’s identity (authentication) providers’ properties on behalf of the user.
AdminConsentRequired	Yes	Yes

Graph Methods

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /identity/identityProviders/{id}
	DELETE /identityProviders/{id}
	DELETE directory/federationConfigurations/{samlOrWsFedExternalDomainFederation ID}
	GET /directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation/{samlOrWsFedExternalDomainFederation ID}/domains
	GET /identity/identityProviders
	GET /identity/identityProviders/{id}
	GET /identity/identityProviders/availableProviderTypes
	GET /identityProviders
	GET /identityProviders/{id}
	GET /identityProviders/availableProviderTypes
	PATCH /identity/identityProviders/{id}
	PATCH /identityProviders/{id}
	PATCH directory/federationConfigurations/graph.samlOrWsFedExternalDomainFederation/{samlOrWsFedExternalDomainFederation ID}
	POST /directory/federationConfigurations/{samlOrWsFedExternalDomainFederation ID}/microsoft.graph.samlOrWsFedExternalDomainFederation/domains
	POST /directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation
	POST /identity/identityProviders
	POST /identityProviders

→ API supports delegated access (access on behalf of a user)
→ API supports app-only access (access without a user)

	Methods
	DELETE /identity/identityProviders/{id}
	DELETE /identityProviders/{id}
	DELETE directory/federationConfigurations/{samlOrWsFedExternalDomainFederation ID}
	GET /directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation/{samlOrWsFedExternalDomainFederation ID}/domains
	GET /identity/identityProviders
	GET /identity/identityProviders/{id}
	GET /identity/identityProviders/availableProviderTypes
	GET /identityProviders
	GET /identityProviders/{id}
	GET /identityProviders/availableProviderTypes
	PATCH /identity/identityProviders/{id}
	PATCH /identityProviders/{id}
	PATCH directory/federationConfigurations/graph.samlOrWsFedExternalDomainFederation/{samlOrWsFedExternalDomainFederation ID}
	POST /directory/federationConfigurations/{samlOrWsFedExternalDomainFederation ID}/microsoft.graph.samlOrWsFedExternalDomainFederation/domains
	POST /directory/federationConfigurations/microsoft.graph.samlOrWsFedExternalDomainFederation
	POST /identity/identityProviders
	POST /identityProviders

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgIdentityProvider
	Invoke-MgAvailableIdentityProviderType
	New-MgIdentityProvider
	Remove-MgBetaDirectoryFederationConfiguration
	Remove-MgIdentityProvider
	Update-MgIdentityProvider

→ Command supports delegated access (access on behalf of a user)
→ Command supports app-only access (access without a user)

	Commands
	Get-MgBetaIdentityProvider
	Invoke-MgBetaAvailableIdentityProviderType
	New-MgBetaIdentityProvider
	Remove-MgBetaDirectoryFederationConfiguration
	Remove-MgBetaIdentityProvider
	Update-MgBetaIdentityProvider

Resources

Granting this permission allows the calling application to access (and/or update) the following information in your tenant.

Graph reference: appleManagedIdentityProvider

Property	Type	Description
certificateData	String	The certificate data, which is a long string of text from the certificate. Can be null.
developerId	String	The Apple developer identifier. Required.
displayName	String	The display name of the identity provider. Inherited from identityProviderBase.
id	String	The identifier of the identity provider. Inherited from identityProviderBase. Read-only.
keyId	String	The Apple key identifier. Required.
serviceId	String	The Apple service identifier. Required.

Graph reference: builtInIdentityProvider

Property	Type	Description
displayName	String	The display name of the identity provider. Inherited from identityProviderBase.
id	String	The identifier of the identity provider. Inherited from identityProviderBase. Read-only.
identityProviderType	String	The identity provider type. For a B2B scenario, possible values: `AADSignup`, `MicrosoftAccount`, `EmailOTP`. Required.

Graph reference: claimsMapping

Property	Type	Description
displayName	String	The claim that provides the display name or full name for the user. Required.
email	String	The claim that provides the email address of the user.
givenName	String	The claim that provides the first name of the user.
surname	String	The claim that provides the last name of the user.
userId	String	The claim that provides the unique identifier for the signed-in user. Required.

Property	Type	Description
id	String	The unique identifier for an entity. Read-only.

Graph reference: externalDomainName

Property	Type	Description
id	String	Domain name of the external organization that the Microsoft Entra tenant is federating with. Inherited from entity.

Graph reference: identityprovider

Property	Type	Description
clientId	String	The client ID for the application. This is the client ID obtained when registering the application with the identity provider. Required. Not nullable.
clientSecret	String	The client secret for the application. This is the client secret obtained when registering the application with the identity provider. This is write-only. A read operation will return `****`. Required. Not nullable.
id	String	The ID of the identity provider.
name	String	The display name of the identity provider. Not nullable.
type	String	The identity provider type is a required field. For B2B scenario: `Google`, `Facebook`. For B2C scenario: `Microsoft`, `Google`, `Amazon`, `LinkedIn`, `Facebook`, `GitHub`, `Twitter`, `Weibo`, `QQ`, `WeChat`, `OpenIDConnect`. Not nullable.

Property	Type	Description
displayName	String	The display name of the identity provider.
id	String	The identifier of the identity provider.

Graph reference: openIdConnectIdentityProvider

Property	Type	Description
clientId	String	The client identifier for the application obtained when registering the application with the identity provider. Required.
clientSecret	String	The client secret for the application obtained when registering the application with the identity provider. The clientSecret has a dependency on responseType. When responseType is `code`, a secret is required for the auth code exchange. When responseType is `id_token` the secret is not required because there is no code exchange. The id_token is returned directly from the authorization response. This is write-only. A read operation returns `****`.
id	String	The identifier of the identity provider.Required. Inherited from identityProviderBase. Read-only.
displayName	String	The display name of the identity provider.
claimsMapping	claimsMapping	After the OIDC provider sends an ID token back to Microsoft Entra ID, Microsoft Entra ID needs to be able to map the claims from the received token to the claims that Microsoft Entra ID recognizes and uses. This complex type captures that mapping. Required.
domainHint	String	The domain hint can be used to skip directly to the sign-in page of the specified identity provider, instead of having the user make a selection among the list of available identity providers.
metadataUrl	String	The URL for the metadata document of the OpenID Connect identity provider. Every OpenID Connect identity provider describes a metadata document that contains most of the information required to perform sign-in. This includes information such as the URLs to use and the location of the service's public signing keys. The OpenID Connect metadata document is always located at an endpoint that ends in `.well-known/openid-configuration`. Provide the metadata URL for the OpenID Connect identity provider you add. Read-only. Required.
responseMode	openIdConnectResponseMode	The response mode defines the method used to send data back from the custom identity provider to Azure AD B2C. Possible values: `form_post`, `query`. Required.
responseType	openIdConnectResponseTypes	The response type describes the type of information sent back in the initial call to the authorization_endpoint of the custom identity provider. Possible values: `code` , `id_token` , `token`. Required.
scope	String	Scope defines the information and permissions you are looking to gather from your custom identity provider. OpenID Connect requests must contain the openid scope value in order to receive the ID token from the identity provider. Without the ID token, users are not able to sign in to Azure AD B2C using the custom identity provider. Other scopes can be appended, separated by a space. For more details about the scope limitations, see RFC6749 Section 3.3. Required.

Graph reference: openidconnectprovider

Property	Type	Description
clientId	String	The client identifier for the application obtained when registering the application with the identity provider. Inherited from identityProvider. This is a required property.
clientSecret	String	The client secret for the application obtained when registering the application with the identity provider. The clientSecret has a dependency on responseType. When responseType is `code`, a secret is required for the auth code exchange. When responseType is `id_token` the secret isn't required because there's no code exchange, the `id_token` is returned directly from the authorization response. This is write-only. A read operation returns "****". Inherited from identityProvider.
id	String	The ID of the identity provider. It's a required property and is read only after creation.
name	String	The display name of the identity provider. It's a required property and is read only after creation.
type	String	The identity provider type. It must be `OpenIDConnect`. It's a required property and is read only after creation.
claimsMapping	claimsMapping	After the OIDC provider sends an ID token back to Microsoft Entra ID, Microsoft Entra ID needs to be able to map the claims from the received token to the claims that Microsoft Entra ID recognizes and uses. This complex type captures that mapping. It's a required property.
domainHint	String	The domain hint can be used to skip directly to the sign-in page of the specified identity provider, instead of having the user make a selection among the list of available identity providers.
metadataUrl	String	The URL for the metadata document of the OpenID Connect identity provider. Every OpenID Connect identity provider describes a metadata document that contains most of the information required to perform sign-in. This includes information such as the URLs to use and the location of the service's public signing keys. The OpenID Connect metadata document is always located at an endpoint that ends in a well-known/openid-configuration. For the OpenID Connect identity provider you're looking to add, you need to provide the metadata URL. It's a required property and is read only after creation.
responseMode	openIdConnectResponseMode	The response mode defines the method that should be used to send the data back from the custom identity provider to Azure AD B2C. The following response modes can be used: `form_post`, `query`. `query` response mode means the code or token is returned as a query parameter. `form_post` response mode is recommended for the best security. The response is transmitted via the HTTP POST method, with the code or token being encoded in the body using the application/x-www-form-urlencoded format. It's a required property.
responseType	openIdConnectResponseTypes	response type describes what kind of information is sent back in the initial call to the authorization_endpoint of the custom identity provider. The following response types can be used: `code` , `id_token` , `token`. It's a required property.
scope	String	Scope defines the information and permissions you're looking to gather from your custom identity provider. OpenID Connect requests must contain the openid scope value in order to receive the ID token from the identity provider. Without the ID token, users aren't able to sign in to Azure AD B2C using the custom identity provider. Other scopes can be appended separated by space. For more information about the scope limitations, see RFC6749 Section 3.3. It's a required property.

Graph reference: samlOrWsFedExternalDomainFederation

Property	Type	Description
displayName	String	The display name of the SAML or WS-Fed based IdP. Inherited from identityProviderBase.
id	String	The identifier of the identity provider. Inherited from entity.
issuerUri	String	Issuer URI of the federation server. Inherited from samlOrWsFedProvider.
metadataExchangeUri	String	URI of the metadata exchange endpoint used for authentication from rich client applications. Inherited from samlOrWsFedProvider.
passiveSignInUri	String	URI that web-based clients are directed to when signing in to Microsoft Entra services. Inherited from samlOrWsFedProvider.
preferredAuthenticationProtocol	authenticationProtocol	Preferred authentication protocol. The possible values are: `wsFed`, `saml`, `unknownFutureValue`. Inherited from samlOrWsFedProvider.
signingCertificate	String	Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. This property is used in the following scenarios: if a rollover is required outside of the autorollover update a new federation service is being set up if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated. Microsoft Entra ID updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Microsoft Entra ID monitors the metadata daily and will update the federation settings for the domain when a new certificate is available. Inherited from samlOrWsFedProvider.

Graph reference: samlOrWsFedProvider

Property	Type	Description
displayName	String	The display name of the SAML/WS-Fed based identity provider. Inherited from identityProviderBase.
id	String	The identifier of the identity provider. Inherited from entity.
issuerUri	String	Issuer URI of the federation server.
metadataExchangeUri	String	URI of the metadata exchange endpoint used for authentication from rich client applications.
passiveSignInUri	String	URI that web-based clients are directed to when signing in to Microsoft Entra services.
preferredAuthenticationProtocol	authenticationProtocol	Preferred authentication protocol. The possible values are: `wsFed`, `saml`, `unknownFutureValue`.
signingCertificate	String	Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. This property is used in the following scenarios: if a rollover is required outside of the autorollover update a new federation service is being set up if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated. Microsoft Entra ID updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Microsoft Entra ID monitors the metadata daily and will update the federation settings for the domain when a new certificate is available.

Graph reference: socialIdentityProvider

Property	Type	Description
clientId	String	The identifier for the client application obtained when registering the application with the identity provider. Required.
clientSecret	String	The client secret for the application that is obtained when the application is registered with the identity provider. This is write-only. A read operation returns `****`. Required.
displayName	String	The display name of the identity provider. Inherited from identityProviderBase.
id	String	The identifier of the identity provider. Inherited from identityProviderBase. Read-only.
identityProviderType	String	For a B2B scenario, possible values: `Google`, `Facebook`. For a B2C scenario, possible values: `Microsoft`, `Google`, `Amazon`, `LinkedIn`, `Facebook`, `GitHub`, `Twitter`, `Weibo`, `QQ`, `WeChat`. Required.

Table of Contents

IdentityProvider.ReadWrite.All

Graph Methods

Resources