| title | Update federatedIdentityCredential |
|---|---|
| description | Update the properties of a federatedIdentityCredential object assigned to an application or an agentIdentityBlueprint. |
| author | nickludwig |
| ms.localizationpriority | medium |
| ms.subservice | entra-applications |
| doc_type | apiPageType |
| ms.date | 12/03/2025 |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Update the properties of a federatedIdentityCredential object assigned to an application or an agentIdentityBlueprint.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
[!INCLUDE rbac-apps-serviceprincipal-creds-apis]
[!INCLUDE permissions-table]
[!INCLUDE rbac-agentid-apis-write]
For an application:
- You can address the application using either its id or appId. id and appId are referred to as the Object ID and Application (Client) ID, respectively, in app registrations in the Microsoft Entra admin center.
- You can also address the federated identity credential with either its id or name.
PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications/{id}/federatedIdentityCredentials/{federatedIdentityCredentialName}
PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications(appId='{appId}')/federatedIdentityCredentials/{federatedIdentityCredentialName}For an agentIdentityBlueprint:
- You can address the federated identity credential with either its id or name.
PATCH /applications/{id}/microsoft.graph.agentIdentityBlueprint/federatedIdentityCredentials/{federatedIdentityCredentialId}
PATCH /applications/{id}/microsoft.graph.agentIdentityBlueprint/federatedIdentityCredentials/{federatedIdentityCredentialName}| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
In the request body, supply only the values for properties that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.
The following table specifies the properties that can be updated.
| Property | Type | Description |
|---|---|---|
| audiences | String collection | The audience that can appear in the issued token. For Microsoft Entra ID, set its value to api://AzureADTokenExchange. This field can only accept a single value and has a limit of 600 characters. |
| claimsMatchingExpression | federatedIdentityExpression | Nullable. Defaults to null if not set. Enables the use of claims matching expressions against specified claims. If claimsMatchingExpression is defined, subject must be null. For the list of supported expression syntax and claims, visit the Flexible FIC reference. |
| description | String | A user-provided description of what the federatedIdentityCredential is used for. It has a limit of 600 characters. |
| issuer | String | The URL of the incoming trusted issuer (Secure Token Service). Matches the issuer claim of an access token. For example, with the Customer Managed Keys scenario, Microsoft Entra ID is the issuer and a valid value would be https://login.microsoftonline.com/{tenantid}/v2.0. The combination of the values of issuer and subject must be unique on the app. It has a limit of 600 characters. |
| subject | String | Nullable. Defaults to null if not set. objectId of the servicePrincipal (can represent a managed identity) that can impersonate the app. The object associated with this GUID needs to exist in the tenant.The combination of the values of issuer and subject must be unique on the app. If subject is defined, claimsMatchingExpression must be null. It has a limit of 600 characters. |
If successful, this method returns a 204 No Content response code.
PATCH https://graph.microsoft.com/beta/applications/bcd7c908-1c4d-4d48-93ee-ff38349a75c8/federatedIdentityCredentials/15be77d1-1940-43fe-8aae-94a78e078da0
Content-Type: application/json
{
"name": "testing02",
"issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",
"subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",
"description": "Updated description",
"audiences": [
"api://AzureADTokenExchange"
]
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
HTTP/1.1 204 No ContentPATCH https://graph.microsoft.com/beta/applications/bcd7c908-1c4d-4d48-93ee-ff38349a75c8/microsoft.graph.agentIdentityBlueprint/federatedIdentityCredentials/15be77d1-1940-43fe-8aae-94a78e078da0
Content-Type: application/json
{
"name": "testing02",
"issuer": "https://login.microsoftonline.com/3d1e2be9-a10a-4a0c-8380-7ce190f98ed9/v2.0",
"subject": "a7d388c3-5e3f-4959-ac7d-786b3383006a",
"description": "Updated description",
"audiences": [
"api://AzureADTokenExchange"
]
}[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
[!INCLUDE snippet-not-available] [!INCLUDE sdk-documentation]
HTTP/1.1 204 No Content