New-MgDomainFederationConfiguration
Create a new internalDomainFederation object.
Note
To view the beta release of this cmdlet, view New-MgBetaDomainFederationConfiguration
Syntax
New-MgDomainFederationConfiguration
-DomainId <String>
[-ResponseHeadersVariable <String>]
[-ActiveSignInUri <String>]
[-AdditionalProperties <Hashtable>]
[-DisplayName <String>]
[-FederatedIdpMfaBehavior <String>]
[-Id <String>]
[-IsSignedAuthenticationRequestRequired]
[-IssuerUri <String>]
[-MetadataExchangeUri <String>]
[-NextSigningCertificate <String>]
[-PassiveSignInUri <String>]
[-PreferredAuthenticationProtocol <String>]
[-PromptLoginBehavior <String>]
[-SignOutUri <String>]
[-SigningCertificate <String>]
[-SigningCertificateUpdateStatus <IMicrosoftGraphSigningCertificateUpdateStatus>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] New-MgDomainFederationConfiguration
-DomainId <String>
-BodyParameter <IMicrosoftGraphInternalDomainFederation>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] New-MgDomainFederationConfiguration
-InputObject <IIdentityDirectoryManagementIdentity>
[-ResponseHeadersVariable <String>]
[-ActiveSignInUri <String>]
[-AdditionalProperties <Hashtable>]
[-DisplayName <String>]
[-FederatedIdpMfaBehavior <String>]
[-Id <String>]
[-IsSignedAuthenticationRequestRequired]
[-IssuerUri <String>]
[-MetadataExchangeUri <String>]
[-NextSigningCertificate <String>]
[-PassiveSignInUri <String>]
[-PreferredAuthenticationProtocol <String>]
[-PromptLoginBehavior <String>]
[-SignOutUri <String>]
[-SigningCertificate <String>]
[-SigningCertificateUpdateStatus <IMicrosoftGraphSigningCertificateUpdateStatus>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] New-MgDomainFederationConfiguration
-InputObject <IIdentityDirectoryManagementIdentity>
-BodyParameter <IMicrosoftGraphInternalDomainFederation>
[-ResponseHeadersVariable <String>]
[-Headers <IDictionary>]
[-ProgressAction <ActionPreference>]
[-WhatIf]
[-Confirm]
[<CommonParameters>] Description
Create a new internalDomainFederation object.
Permissions
| Permission type | Least privileged permissions | Higher privileged permissions |
|---|---|---|
| Delegated (work or school account) | Domain.ReadWrite.All | Not available. |
| Delegated (personal Microsoft account) | Not supported. | Not supported. |
| Application | Domain.ReadWrite.All | Not available. |
Examples
Example 1: Configure federation settings for a federated domain
New-MgDomainFederationConfiguration -DomainId "contoso.com" -ActiveSignInUri "https://sts.contoso.com/adfs/services/trust/2005/usernamemixed" -DisplayName "Contoso" -IssuerUri "http://contoso.com/adfs/services/trust/" -MetadataExchangeUri "https://sts.contoso.com/adfs/services/trust/mex" -NextSigningCertificate "MIIC3jCCAcagAwIBAgIQEt0T0G5GPZ9" -PassiveSignInUri "https://sts.contoso.com/adfs/ls/" -SignOutUri "https://sts.contoso.com/adfs/ls/" -SigningCertificate "MIIC3jCCAcagAwIBAgIQFsO0R8deG4h" -FederatedIdpMfaBehavior "rejectMfaByFederatedIdp" | Format-List
ActiveSignInUri : https://sts.deverett.info/adfs/services/trust/2005/usernamemixed
DisplayName : Contoso
FederatedIdpMfaBehavior : rejectMfaByFederatedIdp
Id : 2a8ce608-bb34-473f-9e0f-f373ee4cbc5a
IsSignedAuthenticationRequestRequired :
IssuerUri : http://contoso.com/adfs/services/trust/
MetadataExchangeUri : https://sts.contoso.com/adfs/services/trust/mex
NextSigningCertificate : MIIC3jCCAcagAwIBAgIQEt0T0G5GPZ9
PassiveSignInUri : https://sts.contoso.com/adfs/ls/
PreferredAuthenticationProtocol : wsFed
PromptLoginBehavior :
SignOutUri : https://sts.deverett.info/adfs/ls/
SigningCertificate : MIIC3jCCAcagAwIBAgIQFsO0R8deG4h
SigningCertificateUpdateStatus : Microsoft.Graph.PowerShell.Models.MicrosoftGraphSigningCertificateUpdateStatus
AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#domains('contoso.com')/federationConfiguration/$entity]}This examples creates new federation settings for the specified domain.
Parameters
-ActiveSignInUri
URL of the endpoint used by active clients when authenticating with federated domains set up for single sign-on in Microsoft Entra ID. Corresponds to the ActiveLogOnUri property of the Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AdditionalProperties
Additional Parameters
| Type: | Hashtable |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-BodyParameter
internalDomainFederation To construct, see NOTES section for BODYPARAMETER properties and create a hash table.
| Type: | IMicrosoftGraphInternalDomainFederation |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisplayName
The display name of the identity provider.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DomainId
The unique identifier of domain
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-FederatedIdpMfaBehavior
federatedIdpMfaBehavior
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Headers
Optional headers that will be added to the request.
| Type: | IDictionary |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Id
The unique identifier for an entity. Read-only.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-InputObject
Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
| Type: | IIdentityDirectoryManagementIdentity |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-IsSignedAuthenticationRequestRequired
If true, when SAML authentication requests are sent to the federated SAML IdP, Microsoft Entra ID will sign those requests using the OrgID signing key. If false (default), the SAML authentication requests sent to the federated IdP aren't signed.
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | False |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-IssuerUri
Issuer URI of the federation server.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-MetadataExchangeUri
URI of the metadata exchange endpoint used for authentication from rich client applications.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-NextSigningCertificate
Fallback token signing certificate that can also be used to sign tokens, for example when the primary signing certificate expires. Formatted as Base64 encoded strings of the public portion of the federated IdP's token signing certificate. Needs to be compatible with the X509Certificate2 class. Much like the signingCertificate, the nextSigningCertificate property is used if a rollover is required outside of the auto-rollover update, a new federation service is being set up, or if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PassiveSignInUri
URI that web-based clients are directed to when signing in to Microsoft Entra services.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PreferredAuthenticationProtocol
authenticationProtocol
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ProgressAction
{{ Fill ProgressAction Description }}
| Type: | ActionPreference |
| Aliases: | proga |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-PromptLoginBehavior
promptLoginBehavior
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ResponseHeadersVariable
Optional Response Headers Variable.
| Type: | String |
| Aliases: | RHV |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SigningCertificate
Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. This property is used in the following scenarios: if a rollover is required outside of the autorollover update a new federation service is being set up if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated. Microsoft Entra ID updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Microsoft Entra ID monitors the metadata daily and will update the federation settings for the domain when a new certificate is available.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SigningCertificateUpdateStatus
signingCertificateUpdateStatus To construct, see NOTES section for SIGNINGCERTIFICATEUPDATESTATUS properties and create a hash table.
| Type: | IMicrosoftGraphSigningCertificateUpdateStatus |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SignOutUri
URI that clients are redirected to when they sign out of Microsoft Entra services. Corresponds to the LogOffUri property of the Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet.
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
Inputs
Microsoft.Graph.PowerShell.Models.IIdentityDirectoryManagementIdentity
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphInternalDomainFederation
System.Collections.IDictionary
Outputs
Microsoft.Graph.PowerShell.Models.IMicrosoftGraphInternalDomainFederation
Notes
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
BODYPARAMETER <IMicrosoftGraphInternalDomainFederation>: internalDomainFederation
[(Any) <Object>]: This indicates any property can be added to this object.[IssuerUri <String>]: Issuer URI of the federation server.[MetadataExchangeUri <String>]: URI of the metadata exchange endpoint used for authentication from rich client applications.[PassiveSignInUri <String>]: URI that web-based clients are directed to when signing in to Microsoft Entra services.[PreferredAuthenticationProtocol <String>]: authenticationProtocol[SigningCertificate <String>]: Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. This property is used in the following scenarios: if a rollover is required outside of the autorollover update a new federation service is being set up if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated. Microsoft Entra ID updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Microsoft Entra ID monitors the metadata daily and will update the federation settings for the domain when a new certificate is available.[DisplayName <String>]: The display name of the identity provider.[Id <String>]: The unique identifier for an entity. Read-only.[ActiveSignInUri <String>]: URL of the endpoint used by active clients when authenticating with federated domains set up for single sign-on in Microsoft Entra ID. Corresponds to the ActiveLogOnUri property of the Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet.[FederatedIdpMfaBehavior <String>]: federatedIdpMfaBehavior[IsSignedAuthenticationRequestRequired <Boolean?>]: If true, when SAML authentication requests are sent to the federated SAML IdP, Microsoft Entra ID will sign those requests using the OrgID signing key. If false (default), the SAML authentication requests sent to the federated IdP aren't signed.[NextSigningCertificate <String>]: Fallback token signing certificate that can also be used to sign tokens, for example when the primary signing certificate expires. Formatted as Base64 encoded strings of the public portion of the federated IdP's token signing certificate. Needs to be compatible with the X509Certificate2 class. Much like the signingCertificate, the nextSigningCertificate property is used if a rollover is required outside of the auto-rollover update, a new federation service is being set up, or if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated.[PromptLoginBehavior <String>]: promptLoginBehavior[SignOutUri <String>]: URI that clients are redirected to when they sign out of Microsoft Entra services. Corresponds to the LogOffUri property of the Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet.[SigningCertificateUpdateStatus <IMicrosoftGraphSigningCertificateUpdateStatus>]: signingCertificateUpdateStatus[(Any) <Object>]: This indicates any property can be added to this object.[CertificateUpdateResult <String>]: Status of the last certificate update. Read-only. For a list of statuses, see certificateUpdateResult status.[LastRunDateTime <DateTime?>]: Date and time in ISO 8601 format and in UTC time when the certificate was last updated. Read-only.
INPUTOBJECT <IIdentityDirectoryManagementIdentity>: Identity Parameter
[AdministrativeUnitId <String>]: The unique identifier of administrativeUnit[AllowedValueId <String>]: The unique identifier of allowedValue[AttributeSetId <String>]: The unique identifier of attributeSet[ContractId <String>]: The unique identifier of contract[CustomSecurityAttributeDefinitionId <String>]: The unique identifier of customSecurityAttributeDefinition[DeviceId <String>]: The unique identifier of device[DeviceLocalCredentialInfoId <String>]: The unique identifier of deviceLocalCredentialInfo[DirectoryObjectId <String>]: The unique identifier of directoryObject[DirectoryRoleId <String>]: The unique identifier of directoryRole[DirectoryRoleTemplateId <String>]: The unique identifier of directoryRoleTemplate[DomainDnsRecordId <String>]: The unique identifier of domainDnsRecord[DomainId <String>]: The unique identifier of domain[ExtensionId <String>]: The unique identifier of extension[IdentityProviderBaseId <String>]: The unique identifier of identityProviderBase[InternalDomainFederationId <String>]: The unique identifier of internalDomainFederation[OnPremisesDirectorySynchronizationId <String>]: The unique identifier of onPremisesDirectorySynchronization[OrgContactId <String>]: The unique identifier of orgContact[OrganizationId <String>]: The unique identifier of organization[OrganizationalBrandingLocalizationId <String>]: The unique identifier of organizationalBrandingLocalization[ProfileCardPropertyId <String>]: The unique identifier of profileCardProperty[RoleTemplateId <String>]: Alternate key of directoryRole[ScopedRoleMembershipId <String>]: The unique identifier of scopedRoleMembership[SubscribedSkuId <String>]: The unique identifier of subscribedSku[UserId <String>]: The unique identifier of user
SIGNINGCERTIFICATEUPDATESTATUS <IMicrosoftGraphSigningCertificateUpdateStatus>: signingCertificateUpdateStatus
[(Any) <Object>]: This indicates any property can be added to this object.[CertificateUpdateResult <String>]: Status of the last certificate update. Read-only. For a list of statuses, see certificateUpdateResult status.[LastRunDateTime <DateTime?>]: Date and time in ISO 8601 format and in UTC time when the certificate was last updated. Read-only.