Merge pull request #25747 from microsoftgraph/nickludwig-patch-1

Update graph beta documentation for Flexible FIC release

Author: Lauragra

api-reference/beta/api/federatedidentitycredential-get.md

@@ -5,7 +5,7 @@ author: "nickludwig"
 ms.localizationpriority: medium
 ms.subservice: "entra-applications"
 doc_type: apiPageType
-ms.date: 04/05/2024
+ms.date: 12/03/2024
 ---
 
 # Get federatedIdentityCredential
@@ -127,7 +127,8 @@ Content-Type: application/json
     "description": "This is my test  federated identity credential",
     "audiences": [
         "api://AzureADTokenExchange"
-    ]
+    ],
+    "claimsMatchingExpression": null
   }
 }
 ```

api-reference/beta/api/federatedidentitycredential-update.md

@@ -5,7 +5,7 @@ author: "nickludwig"
 ms.localizationpriority: medium
 ms.subservice: "entra-applications"
 doc_type: apiPageType
-ms.date: 04/05/2024
+ms.date: 12/03/2024
 ---
 
 # Update federatedIdentityCredential
@@ -132,5 +132,4 @@ Content-Type: application/json
 -->
 ``` http
 HTTP/1.1 204 No Content
-
 ```

api-reference/beta/resources/federatedidentitycredential.md

@@ -6,7 +6,7 @@ ms.localizationpriority: medium
 ms.subservice: "entra-applications"
 doc_type: resourcePageType
 toc.keywords: [ Workload identity federation, workload identities ]
-ms.date: 07/22/2024
+ms.date: 12/03/2024
 ---
 
 # federatedIdentityCredential resource type
@@ -34,13 +34,16 @@ Inherits from [entity](../resources/entity.md).
 |Property|Type|Description|
 |:---|:---|:---|
 | audiences | String collection | The audience that can appear in the external token. This field is mandatory and should be set to `api://AzureADTokenExchange` for Microsoft Entra ID. It says what Microsoft identity platform should accept in the `aud` claim in the incoming token. This value represents Microsoft Entra ID in your external identity provider and has no fixed value across identity providers - you may need to create a new application registration in your identity provider to serve as the audience of this token. This field can only accept a single value and has a limit of 600 characters. Required. |
+| claimsMatchingExpression |[federatedIdentityExpression](../resources/federatedidentityexpression.md)| Enables the use of claims matching expressions against specified claims. For the list of supported expression syntax and claims, visit the [Flexible FIC reference](https://aka.ms/flexiblefic). |
 | description | String | The un-validated, user-provided description of the federated identity credential. It has a limit of 600 characters. Optional.  |
 | id| String | The unique identifier for the federated identity. Required. Read-only.  |
 | issuer | String | The URL of the external identity provider and must match the `issuer` claim of the external token being exchanged. The combination of the values of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters. Required. |
 | name | String | The unique identifier for the federated identity credential, which has a limit of 120 characters and must be URL friendly. It is immutable once created. Alternate key. Required. Not nullable. Supports `$filter` (`eq`). |
 | subject | String | Required. The identifier of the external software workload within the external identity provider. Like the audience value, it has no fixed format, as each identity provider uses their own - sometimes a GUID, sometimes a colon delimited identifier, sometimes arbitrary strings. The value here must match the `sub` claim within the token presented to Microsoft Entra ID. The combination of **issuer** and **subject** must be unique on the app. It has a limit of 600 characters. Supports `$filter` (`eq`). |
 
 
+
+
 ## Relationships
 
 None
@@ -59,12 +62,16 @@ The following JSON representation shows the resource type.
 ``` json
 {
   "@odata.type": "#microsoft.graph.federatedIdentityCredential",
+  "id": "String (identifier)",
   "name": "String",
   "issuer": "String",
   "subject": "String",
   "description": "String",
   "audiences": [
     "String"
-  ]
+  ],
+  "claimsMatchingExpression": {
+    "@odata.type": "microsoft.graph.federatedIdentityExpression"
+  }
 }
 ```

api-reference/beta/resources/federatedidentityexpression.md

@@ -0,0 +1,42 @@
+---
+title: "federatedIdentityExpression resource type"
+description: "Enables configuration for flexible federated identity credential matching through the claimsMatchingExpression property of the federatedIdentityCredential resource type."
+author: "nickludwig"
+ms.localizationpriority: medium
+ms.subservice: "entra-applications"
+doc_type: resourcePageType
+ms.date: 12/03/2024
+---
+
+# federatedIdentityExpression resource type
+
+Namespace: microsoft.graph
+
+[!INCLUDE [beta-disclaimer](../../includes/beta-disclaimer.md)]
+
+Enables the use of a restricted expression language for flexible matching of federated identity credentials to workload scenarios. Primarily, this resource type allows the specification of wildcard-based expressions within **claimsMatchingExpression** property of [federatedIdentityCredential resource type](../resources/federatedidentitycredential.md) > **value** property. For more information on supported patterns and scenarios, visit the [flexible federated identity credentials documentation](https://aka.ms/flexiblefic).  
+
+
+## Properties
+|Property|Type|Description|
+|:---|:---|:---|
+|languageVersion|Int32|Indicated the language version to be used. Should always be set to 1. Required.|
+|value|String|Indicates the configured expression. Required.|
+
+## Relationships
+None.
+
+## JSON representation
+The following JSON representation shows the resource type.
+<!-- {
+  "blockType": "resource",
+  "@odata.type": "microsoft.graph.federatedIdentityExpression"
+}
+-->
+``` json
+{
+  "@odata.type": "#microsoft.graph.federatedIdentityExpression",
+  "languageVersion": "Integer",
+  "value": "String"
+}
+```

changelog/Microsoft.DirectoryServices.json

@@ -7290,6 +7290,40 @@
       "WorkloadArea": "Identity and access",
       "SubArea": "Governance"
     },
+    {
+      "ChangeList": [
+        {
+          "Id": "a7cfb7c0-e9b2-4bd9-a964-0c5cb902b29e",
+          "ApiChange": "Resource",
+          "ChangedApiName": "federatedIdentityExpression",
+          "ChangeType": "Addition",
+          "Description": "Added the [federatedIdentityExpression](https://learn.microsoft.com/en-us/graph/api/resources/federatedIdentityExpression?view=graph-rest-beta) resource.",
+          "Target": "federatedIdentityExpression"
+        },
+        {
+          "Id": "a7cfb7c0-e9b2-4bd9-a964-0c5cb902b29e",
+          "ApiChange": "Property",
+          "ChangedApiName": "claimsMatchingExpression",
+          "ChangeType": "Addition",
+          "Description": "Added the **claimsMatchingExpression** property to the [federatedIdentityCredential](https://learn.microsoft.com/en-us/graph/api/resources/federatedIdentityCredential?view=graph-rest-beta) resource.",
+          "Target": "federatedIdentityCredential"
+        },
+        {
+          "Id": "a7cfb7c0-e9b2-4bd9-a964-0c5cb902b29e",
+          "ApiChange": "Property",
+          "ChangedApiName": "subject",
+          "ChangeType": "Change",
+          "Description": "Changed the **subject** property of the [federatedIdentityCredential](https://learn.microsoft.com/en-us/graph/api/resources/federatedIdentityCredential?view=graph-rest-beta) resource from explicitly required. If the **claimsMatchingExpression** property for supporting flexible federated identity credentials is configured, this property must be empty.",
+          "Target": "federatedIdentityCredential"
+        }
+      ],
+      "Id": "a7cfb7c0-e9b2-4bd9-a964-0c5cb902b29e",
+      "Cloud": "Prod",
+      "Version": "beta",
+      "CreatedDateTime": "2024-12-11T20:23:12.4964215Z",
+      "WorkloadArea": "Applications",
+      "SubArea": ""
+    },
     {
       "ChangeList": [
         {