FederatedIdpMfaBehavior cannot be empty

HTYZ1380

I executed New-MgDomainFederationConfiguration and tried to federate my Microsoft 365 custom domain to my third-party IdP.

New-MgDomainFederationConfiguration -DomainId "my.custom.domain" `
-ActiveSignInUri "https://signinurl.of.idp" `
-DisplayName "ServiceNameofidp" `
-IssuerUri "https://issuer.of.idp" `
-MetadataExchangeUri "https://url.from.idp" `
-PassiveSignInUri "https://url.from.idp" `
-SignOutUri "https://login.microsoftonline.com/logout.srf" `
-SigningCertificate "MII_idp_signing_cert==" | Format-List

Then I saw the error message below:

New-MgDomainFederationConfiguration : FederatedIdpMfaBehavior cannot be empty 
Status: 400 (BadRequest) 
ErrorCode: Request_BadRequest  

I found the document about FederatedIdpMfaBehavior.

The document says that FederatedIdpMfaBehavior is used to configure who processes MFA (in my case, the third-party IdP or Entra ID).

And FederatedIdpMfaBehavior is the successor of the SupportsMfa option of the MsolDomainAuthentication command, which is planned to be made obsolete.

When I use MsolDomainAuthentication, SupportsMfa is not a required option. The command works well without the SupportsMfa option.

According to the document below, FederatedIdpMfaBehavior is not a required option either (Required: False).

I found the forum post below, but I could not find a way to suppress or bypass the error message above.


Does anyone know whether FederatedIdpMfaBehavior is required or not?

If it is not required, how can we execute New-MgDomainFederationConfiguration without FederatedIdpMfaBehavior?

Thanks in advance.
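As an added example (not the poster's command or Microsoft's own sample), the same federation call with FederatedIdpMfaBehavior supplied explicitly and read back afterwards. The three values are the ones documented for the Graph internalDomainFederation resource; the domain, URLs and certificate are the placeholders from the question, and the Domain.ReadWrite.All scope is assumed to be consentable in the tenant.

```powershell
# Added example: federate a custom domain and state explicitly how Entra ID
# should treat MFA claims coming from the federated IdP.
# Domain, URLs and certificate are the placeholders from the question above.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

$domainId = "my.custom.domain"

$federation = @{
    DomainId            = $domainId
    DisplayName         = "ServiceNameofidp"
    IssuerUri           = "https://issuer.of.idp"
    MetadataExchangeUri = "https://url.from.idp"
    ActiveSignInUri     = "https://signinurl.of.idp"
    PassiveSignInUri    = "https://url.from.idp"
    SignOutUri          = "https://login.microsoftonline.com/logout.srf"
    SigningCertificate  = "MII_idp_signing_cert=="
    # Who performs MFA for users of this domain:
    #   acceptIfMfaDoneByFederatedIdp - accept the IdP's MFA claim; if the IdP
    #                                   did not do MFA, Entra ID performs it
    #   enforceMfaByFederatedIdp      - accept the IdP's MFA claim; if missing,
    #                                   redirect to the IdP to perform MFA
    #   rejectMfaByFederatedIdp       - ignore the IdP's claim; Entra ID always
    #                                   performs MFA itself (strictest choice)
    FederatedIdpMfaBehavior = "rejectMfaByFederatedIdp"
}

$config = New-MgDomainFederationConfiguration @federation

# Read the setting back so a silently different value is caught before
# users and Conditional Access policies start depending on it.
$applied = Get-MgDomainFederationConfiguration -DomainId $domainId `
    -InternalDomainFederationId $config.Id
if ($applied.FederatedIdpMfaBehavior -ne $federation.FederatedIdpMfaBehavior) {
    throw "Federation created but FederatedIdpMfaBehavior is '$($applied.FederatedIdpMfaBehavior)'"
}
$applied | Format-List DisplayName, IssuerUri, FederatedIdpMfaBehavior
```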
