Set-EntraDomainFederationSettings
Updates settings for a federated domain.
Syntax
Set-EntraDomainFederationSettings
-DomainName <String>
[-SigningCertificate <String>]
[-NextSigningCertificate <String>]
[-LogOffUri <String>]
[-PassiveLogOnUri <String>]
[-ActiveLogOnUri <String>]
[-IssuerUri <String>]
[-FederationBrandName <String>]
[-MetadataExchangeUri <String>]
[-PreferredAuthenticationProtocol <AuthenticationProtocol>]
[-SigningCertificateUpdateStatus <SigningCertificateUpdateStatus>]
[-PromptLoginBehavior <PromptLoginBehavior>]
[<CommonParameters>]
Description
The Set-EntraDomainFederationSettings cmdlet is used to update the settings of a single sign-on domain.
For delegated scenarios, the calling user must be assigned at least one of the following Microsoft Entra roles:
- Domain Name Administrator
- External Identity Provider Administrator
- Hybrid Identity Administrator
- Security Administrator
Examples
Example 1: Set the PromptLoginBehavior
Connect-Entra -Scopes 'Domain.ReadWrite.All'
$params = @{
DomainName = 'contoso.com'
PreferredAuthenticationProtocol = 'WsFed'
PromptLoginBehavior = 'TranslateToFreshPasswordAuth' # Or 'NativeSupport' or 'Disabled', depending on the requirement
}
Set-EntraDomainFederationSettings @params
This command updates the PromptLoginBehavior to either TranslateToFreshPasswordAuth, NativeSupport, or Disabled. The possible values are:
- TranslateToFreshPasswordAuth - the default Microsoft Entra ID behavior of translating prompt=login to wauth=https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password and wfresh=0.
- NativeSupport - the prompt=login parameter is sent as is to ADFS.
- Disabled - only wfresh=0 is sent to ADFS.
Use Get-EntraDomainFederationSettings -DomainName <your_domain_name> | Format-List * to get the current values of PreferredAuthenticationProtocol and PromptLoginBehavior for the federated domain.
- The -DomainName parameter specifies the fully qualified domain name to update.
- The -PreferredAuthenticationProtocol parameter specifies the preferred authentication protocol.
- The -PromptLoginBehavior parameter specifies the prompt sign-in behavior.
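An added example (not from the module's documentation) that wraps the PromptLoginBehavior change above in a before/after snapshot, so that any unintended change to the domain's signing certificates, IssuerUri or sign-on endpoints is surfaced, and decodes the base64-encoded signing certificates to show thumbprint and expiry. It assumes the object returned by Get-EntraDomainFederationSettings exposes properties with the same names as the Set-EntraDomainFederationSettings parameters.

```powershell
# Added example, not part of the module docs. Assumes Get-EntraDomainFederationSettings
# returns properties named like the Set-EntraDomainFederationSettings parameters.
Connect-Entra -Scopes 'Domain.ReadWrite.All'

$domain  = 'contoso.com'
# Properties that control who can mint accepted tokens and where users are sent.
$watched = @('SigningCertificate', 'NextSigningCertificate', 'IssuerUri',
             'PassiveLogOnUri', 'ActiveLogOnUri', 'LogOffUri', 'MetadataExchangeUri',
             'PreferredAuthenticationProtocol', 'PromptLoginBehavior')

function Get-FederationSnapshot {
    param([string]$DomainName)
    $settings = Get-EntraDomainFederationSettings -DomainName $DomainName
    $snapshot = @{}
    foreach ($name in $watched) { $snapshot[$name] = [string]$settings.$name }
    return $snapshot
}

function Get-CertSummary {
    # The cmdlet exchanges certificates as base64 strings; decode to inspect them.
    param([string]$Base64Cert)
    if ([string]::IsNullOrEmpty($Base64Cert)) { return '(none)' }
    $bytes = [Convert]::FromBase64String($Base64Cert)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    return ('{0} (expires {1:yyyy-MM-dd})' -f $cert.Thumbprint, $cert.NotAfter)
}

$before = Get-FederationSnapshot -DomainName $domain

Set-EntraDomainFederationSettings -DomainName $domain `
    -PreferredAuthenticationProtocol 'WsFed' `
    -PromptLoginBehavior 'TranslateToFreshPasswordAuth'

$after = Get-FederationSnapshot -DomainName $domain

# Only PromptLoginBehavior (and possibly PreferredAuthenticationProtocol) should
# differ here; any other changed property deserves investigation.
foreach ($name in $watched) {
    if ($before[$name] -ne $after[$name]) {
        "{0}: '{1}' -> '{2}'" -f $name, $before[$name], $after[$name]
    }
}
'Signing cert:      ' + (Get-CertSummary $after['SigningCertificate'])
'Next signing cert: ' + (Get-CertSummary $after['NextSigningCertificate'])
```

Keep the before snapshot with the change record; it is the reference point for spotting a later, unexpected certificate or IssuerUri change on the domain.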
Parameters
-ActiveLogOnUri
A URL that specifies the endpoint used by active clients when authenticating with domains set up for single sign-on (also known as identity federation) in Microsoft Entra ID.
Type: System.String
Position: 6
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-DomainName
The fully qualified domain name (FQDN) to update.
Type: System.String
Position: 1
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
-FederationBrandName
The name of the string value shown to users when signing in to Microsoft Entra ID. We recommend that customers use something that is familiar to users such as "Contoso Inc."
Type: System.String
Position: 8
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-IssuerUri
The unique identifier of the domain in the Microsoft Entra ID Identity platform derived from the federation server.
Type: System.String
Position: 7
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-LogOffUri
The URL clients are redirected to when they sign out of Microsoft Entra ID services.
Type: System.String
Position: 4
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-MetadataExchangeUri
The URL that specifies the metadata exchange endpoint used for authentication from rich client applications such as Lync Online.
Type: System.String
Position: 9
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-NextSigningCertificate
The next token signing certificate that will be used to sign tokens when the primary signing certificate expires.
Type: System.String
Position: 3
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-PassiveLogOnUri
The URL that web-based clients will be directed to when signing in to Microsoft Entra ID services.
Type: System.String
Position: 5
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-PreferredAuthenticationProtocol
Specifies the preferred authentication protocol.
Type: System.String
Position: 10
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-PromptLoginBehavior
Specifies the prompt login behavior.
Type: System.String
Position: 12
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-SigningCertificate
The current certificate used to sign tokens passed to the Microsoft Entra ID Identity platform.
Type: System.String
Position: 2
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-SigningCertificateUpdateStatus
Specifies the update status of the signing certificate.
Type: System.Object
Position: 11
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False