Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
Permission type
Least privileged permissions
Higher privileged permissions
Delegated (work or school account)
Domain.ReadWrite.All
Not available.
Delegated (personal Microsoft account)
Not supported.
Not supported.
Application
Domain.ReadWrite.All
Not available.
Important
This method has a known permissions issue and might require consenting to the Directory.AccessAsUser.All permission for delegated scenarios.
Important
In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with a supported role permission. The following least privileged roles are supported for this operation.
You can specify the following properties when creating an internalDomainFederation.
Property
Type
Description
displayName
String
The display name of the federated identity provider.
issuerUri
String
Issuer URI of the federation server.
metadataExchangeUri
String
URI of the metadata exchange endpoint used for authentication from rich client applications.
signingCertificate
String
Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base 64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. This property is used in the following scenarios:
If a rollover is required outside of the autorollover update
A new federation service is being set up
If the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated. Microsoft Entra ID updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Microsoft Entra ID monitors the metadata daily and updates the federation settings for the domain when a new certificate is available.
passiveSignInUri
String
URI that web-based clients are directed to when signing in to Microsoft Entra services.
preferredAuthenticationProtocol
authenticationProtocol
Preferred authentication protocol. This parameter must be configured explicitly for the federation passive authentication flow to work. The possible values are: wsFed, saml, unknownFutureValue.
activeSignInUri
String
URL of the endpoint used by active clients when authenticating with federated domains set up for single sign-on in Microsoft Entra ID. Corresponds to the ActiveLogOnUri property of the Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet.
Sets the preferred behavior for the sign-in prompt. The possible values are: translateToFreshPasswordAuthentication, nativeSupport, disabled, unknownFutureValue.
isSignedAuthenticationRequestRequired
Boolean
If true, when SAML authentication requests are sent to the federated SAML IDP, Microsoft Entra ID signs those requests using the OrgID signing key. If false (default), the SAML authentication requests sent to the federated IDP aren't signed.
nextSigningCertificate
String
Fallback token signing certificate that is used to sign tokens when the primary signing certificate expires. Formatted as Base 64 encoded strings of the public portion of the federated IdP's token signing certificate. Needs to be compatible with the X509Certificate2 class. Much like the signingCertificate, the nextSigningCertificate property is used if a rollover is required outside of the autorollover update, a new federation service is being set up, or if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated.
Provides status and timestamp of the last update of the signing certificate.
federatedIdpMfaBehavior
federatedIdpMfaBehavior
Determines whether Microsoft Entra ID accepts the MFA performed by the federated IdP when a federated user accesses an application that is governed by a conditional access policy that requires MFA. The possible values are: acceptIfMfaDoneByFederatedIdp, enforceMfaByFederatedIdp, rejectMfaByFederatedIdp, unknownFutureValue. For more information, see federatedIdpMfaBehavior values.
Note
Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules are limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March, 30 2025.
We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.
federatedIdpMfaBehavior values
Member
Description
acceptIfMfaDoneByFederatedIdp
Microsoft Entra ID accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Microsoft Entra ID performs the MFA.
enforceMfaByFederatedIdp
Microsoft Entra ID accepts MFA that's performed by federated identity provider. If the federated identity provider didn't perform MFA, it redirects the request to federated identity provider to perform MFA.
rejectMfaByFederatedIdp
Microsoft Entra ID always performs MFA and rejects MFA that's performed by the federated identity provider.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new InternalDomainFederation
{
OdataType = "#microsoft.graph.internalDomainFederation",
DisplayName = "Contoso",
IssuerUri = "http://contoso.com/adfs/services/trust",
MetadataExchangeUri = "https://sts.contoso.com/adfs/services/trust/mex",
SigningCertificate = "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
PassiveSignInUri = "https://sts.contoso.com/adfs/ls",
PreferredAuthenticationProtocol = AuthenticationProtocol.WsFed,
ActiveSignInUri = "https://sts.contoso.com/adfs/services/trust/2005/usernamemixed",
SignOutUri = "https://sts.contoso.com/adfs/ls",
PromptLoginBehavior = PromptLoginBehavior.NativeSupport,
IsSignedAuthenticationRequestRequired = true,
NextSigningCertificate = "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
FederatedIdpMfaBehavior = FederatedIdpMfaBehavior.RejectMfaByFederatedIdp,
};
// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Domains["{domain-id}"].FederationConfiguration.PostAsync(requestBody);
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
InternalDomainFederation internalDomainFederation = new InternalDomainFederation();
internalDomainFederation.setOdataType("#microsoft.graph.internalDomainFederation");
internalDomainFederation.setDisplayName("Contoso");
internalDomainFederation.setIssuerUri("http://contoso.com/adfs/services/trust");
internalDomainFederation.setMetadataExchangeUri("https://sts.contoso.com/adfs/services/trust/mex");
internalDomainFederation.setSigningCertificate("MIIE3jCCAsagAwIBAgIQQcyDaZz3MI");
internalDomainFederation.setPassiveSignInUri("https://sts.contoso.com/adfs/ls");
internalDomainFederation.setPreferredAuthenticationProtocol(AuthenticationProtocol.WsFed);
internalDomainFederation.setActiveSignInUri("https://sts.contoso.com/adfs/services/trust/2005/usernamemixed");
internalDomainFederation.setSignOutUri("https://sts.contoso.com/adfs/ls");
internalDomainFederation.setPromptLoginBehavior(PromptLoginBehavior.NativeSupport);
internalDomainFederation.setIsSignedAuthenticationRequestRequired(true);
internalDomainFederation.setNextSigningCertificate("MIIE3jCCAsagAwIBAgIQQcyDaZz3MI");
internalDomainFederation.setFederatedIdpMfaBehavior(FederatedIdpMfaBehavior.RejectMfaByFederatedIdp);
InternalDomainFederation result = graphClient.domains().byDomainId("{domain-id}").federationConfiguration().post(internalDomainFederation);