Update federatedIdentityCredential

Namespace: microsoft.graph

Update the properties of a federatedIdentityCredential object.

This API is available in the following national cloud deployments.

Global service US Government L4 US Government L5 (DOD) China operated by 21Vianet

Permissions

Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.

Permission type Least privileged permissions Higher privileged permissions
Delegated (work or school account) Application.ReadWrite.All Not available.
Delegated (personal Microsoft account) Application.ReadWrite.All Not available.
Application Application.ReadWrite.OwnedBy Application.ReadWrite.All

HTTP request

You can address the application using either its id or appId. id and appId are referred to as the Object ID and Application (Client) ID, respectively, in app registrations in the Microsoft Entra admin center.

You can also address the federated identity credential with either its id or name.

PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}
PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialName}

Request headers

Name Description
Authorization Bearer {token}. Required. Learn more about authentication and authorization.
Content-Type application/json. Required.

Request body

In the request body, supply only the values for properties to update. Existing properties that aren't included in the request body maintain their previous values or are recalculated based on changes to other property values.

The following table specifies the properties that can be updated.

Property Type Description
audiences String collection The audience that can appear in the issued token. For Microsoft Entra ID, set its value to api://AzureADTokenExchange. This field can only accept a single value and has a limit of 600 characters.
description String A user-provided description of what the federatedIdentityCredential is used for. It has a limit of 600 characters.
issuer String The URL of the incoming trusted issuer (Secure Token Service). Matches the issuer claim of an access token. For example, with the Customer Managed Keys scenario, Microsoft Entra ID is the issuer and a valid value would be https://login.microsoftonline.com/{tenantid}/v2.0. The combination of the values of issuer and subject must be unique on the app. It has a limit of 600 characters.
subject String
  • For Microsoft Entra issuer, the objectId of the servicePrincipal (can represent a managed identity) that can impersonate the app. The object associated with this GUID needs to exist in the tenant.
  • For all other issuers, a string with no additional validation

    The combination of the values of issuer and subject must be unique on the app. It has a limit of 600 characters.
  • Response

    If successful, this method returns a 204 No Content response code.

    Examples

    Request

    PATCH https://graph.microsoft.com/v1.0/applications/bcd7c908-1c4d-4d48-93ee-ff38349a75c8/federatedIdentityCredentials/15be77d1-1940-43fe-8aae-94a78e078da0
    Content-Type: application/json
    
    {
        "name": "testing02",
        "issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",
        "subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",
        "description": "Updated description",
        "audiences": [
            "api://AzureADTokenExchange"
        ]
    }
    

    Response

    HTTP/1.1 204 No Content