Hot fix: Graph 2.26.1 fixed this issue.
Configure Google Workspace as an IdP for Microsoft Entra ID
Trying to configure Google Workspace as an IdP for Microsoft Entra ID, following the Microsoft guide
here:
The PowerShell script for changing the authentication method for the custom DNS domains returns an error.

```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph
$domainId = "<your domain name>"
# Load the Google IdP metadata XML downloaded from the Google Admin console
$xml = [Xml](Get-Content "<path to downloaded GoogleIDPMetadata.xml>")
# Base64 signing certificate, with any whitespace/line breaks removed
$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
$issuerUri = $xml.EntityDescriptor.entityID
# HTTP-Redirect SSO endpoint from the metadata
$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$signoutUri = "https://accounts.google.com/logout"
$displayName = "Google Workspace Identity"
Connect-MGGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
$domainAuthParams = @{
    DomainId = $domainId
    IssuerUri = $issuerUri
    DisplayName = $displayName
    ActiveSignInUri = $signinUri
    PassiveSignInUri = $signinUri
    SignOutUri = $signoutUri
    SigningCertificate = $cert
    PreferredAuthenticationProtocol = "saml"
    federatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"
}
New-MgDomainFederationConfiguration @domainAuthParams
```
Returns the below error:
```
New-MgDomainFederationConfiguration : Invalid value specified for property 'issuerUri' of resource 'InternalDomainFederation'.
Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2025-02-25T16:47:09
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : f717d098-7c3d-4775-813d-8645c2c421cc
client-request-id : 40ad7a71-6b50-454b-b329-2125bc73446e
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"BY3PEPF00015DD7"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Tue, 25 Feb 2025 16:47:08 GMT
At line:1 char:1
+ New-MgDomainFederationConfiguration @domainAuthParams
    + CategoryInfo          : InvalidOperation: ({ DomainId = ap...ainFederation }:<>f__AnonymousType83`3) [New-MgDomainFed..._CreateExpanded], Exception
    + FullyQualifiedErrorId : Request_BadRequest,Microsoft.Graph.PowerShell.Cmdlets.NewMgDomainFederationConfiguration_CreateExpanded
```
When I check the variable $issuerUri, it returns the appropriate issuer URI as specified in my downloaded metadata.
Not sure where to go from here.
Thanks for any help.
Clarke
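As an added example (not from the question above or from Microsoft's guide), the following pre-flight script checks the values the federation call depends on before anything is written to the tenant: the installed Microsoft.Graph module version (the thread's fix was moving to 2.26.1), the parsed entityID and HTTP-Redirect endpoint, and whether the IdP signing certificate in the metadata actually parses and is still valid. `$metadataPath` is a placeholder; the metadata structure is the same as in the script above.

```powershell
# Added pre-flight checks for the Google Workspace -> Entra ID federation setup.
# Assumes the Google IdP metadata XML has been downloaded to $metadataPath (placeholder).
$metadataPath = "<path to downloaded GoogleIDPMetadata.xml>"

# 1. Module version: the thread reports the 400 'issuerUri' error went away on 2.26.1.
$mod = Get-Module -ListAvailable Microsoft.Graph |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $mod) {
    throw "Microsoft.Graph is not installed. Run: Install-Module Microsoft.Graph -Scope CurrentUser"
}
if ($mod.Version -lt [version]"2.26.1") {
    Write-Warning ("Microsoft.Graph {0} found; the thread reports the fix in 2.26.1. " +
                   "Run: Update-Module Microsoft.Graph -Scope CurrentUser") -f $mod.Version
}

# 2. Parse the metadata and extract exactly what New-MgDomainFederationConfiguration needs.
$xml = [Xml](Get-Content -Raw $metadataPath)
$issuerUri = $xml.EntityDescriptor.entityID
$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService |
    Where-Object { $_.Binding -like '*HTTP-Redirect' } | ForEach-Object { $_.Location }
$certB64 = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()

if ([string]::IsNullOrWhiteSpace($issuerUri)) { throw "entityID (issuerUri) is missing from the metadata" }
if (-not [Uri]::IsWellFormedUriString($issuerUri, 'Absolute')) {
    throw "entityID is not an absolute URI: '$issuerUri'"
}
if (-not $signinUri) { throw "No HTTP-Redirect SingleSignOnService endpoint found in the metadata" }
if ($signinUri -is [array]) { throw "Several HTTP-Redirect endpoints found; the script expects one" }
if (-not [Uri]::IsWellFormedUriString($signinUri, 'Absolute')) { throw "Sign-in URL is malformed: '$signinUri'" }

# 3. The signing certificate must be valid base64 DER and not expired, otherwise Entra ID
#    would accept the config but every SAML response from Google would fail signature checks.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [Convert]::FromBase64String($certB64))
if ($x509.NotAfter -lt (Get-Date)) { throw "IdP signing certificate expired on $($x509.NotAfter)" }
if ($x509.NotBefore -gt (Get-Date)) { throw "IdP signing certificate is not yet valid (from $($x509.NotBefore))" }

# 4. Summary to eyeball before running the real script.
[pscustomobject]@{
    GraphModule  = $mod.Version
    IssuerUri    = $issuerUri
    SignInUri    = $signinUri
    CertSubject  = $x509.Subject
    CertExpires  = $x509.NotAfter
    CertThumb    = $x509.Thumbprint
} | Format-List
```

After the federation call succeeds, `Get-MgDomainFederationConfiguration -DomainId $domainId` shows what the tenant actually stored, so the issuer URI and certificate thumbprint can be compared against this summary.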
2 answers
Akhilesh Vallamkonda 12,180 Reputation points Microsoft Vendor
2025-02-27T12:31:23.47+00:00

I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference it! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
Issue:
You are trying to configure Google Workspace as an Identity Provider (IdP) for Microsoft Entra ID and seem to be encountering issues with the federation setup; the script you ran and the error you got are:

```powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph
$domainId = "<your domain name>"
# Load the Google IdP metadata XML downloaded from the Google Admin console
$xml = [Xml](Get-Content "<path to downloaded GoogleIDPMetadata.xml>")
$cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split()
$issuerUri = $xml.EntityDescriptor.entityID
$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location }
$signoutUri = "https://accounts.google.com/logout"
$displayName = "Google Workspace Identity"
Connect-MGGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
$domainAuthParams = @{
    DomainId = $domainId
    IssuerUri = $issuerUri
    DisplayName = $displayName
    ActiveSignInUri = $signinUri
    PassiveSignInUri = $signinUri
    SignOutUri = $signoutUri
    SigningCertificate = $cert
    PreferredAuthenticationProtocol = "saml"
    federatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"
}
New-MgDomainFederationConfiguration @domainAuthParams
```

Returns the below error:

```
New-MgDomainFederationConfiguration : Invalid value specified for property 'issuerUri' of resource 'InternalDomainFederation'.
Status: 400 (BadRequest)
ErrorCode: Request_BadRequest
Date: 2025-02-25T16:47:09
Headers:
Transfer-Encoding : chunked
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : f717d098-7c3d-4775-813d-8645c2c421cc
client-request-id : 40ad7a71-6b50-454b-b329-2125bc73446e
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West US","Slice":"E","Ring":"4","ScaleUnit":"002","RoleInstance":"BY3PEPF00015DD7"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Tue, 25 Feb 2025 16:47:08 GMT
At line:1 char:1
+ New-MgDomainFederationConfiguration @domainAuthParams
```
Solution:
You fixed the issue by using Graph 2.26.1.
If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.