Set-EntraDomainFederationSettings

Updates settings for a federated domain.

Syntax

Set-EntraDomainFederationSettings
   -DomainName <String>
   [-SigningCertificate <String>]
   [-NextSigningCertificate <String>]
   [-LogOffUri <String>]
   [-PassiveLogOnUri <String>]
   [-ActiveLogOnUri <String>]
   [-IssuerUri <String>]
   [-FederationBrandName <String>]
   [-MetadataExchangeUri <String>]
   [-PreferredAuthenticationProtocol <AuthenticationProtocol>]
   [-SigningCertificateUpdateStatus <SigningCertificateUpdateStatus>]
   [-PromptLoginBehavior <PromptLoginBehavior>]
   [<CommonParameters>]

Description

The Set-EntraDomainFederationSettings cmdlet is used to update the settings of a single sign-on domain.

For delegated scenarios, the calling user must be assigned at least one of the following Microsoft Entra roles:

  • Domain Name Administrator
  • External Identity Provider Administrator
  • Hybrid Identity Administrator
  • Security Administrator

Examples

Example 1: Set the PromptLoginBehavior

Connect-Entra -Scopes 'Domain.ReadWrite.All'

$params = @{
    DomainName = 'contoso.com'
    PreferredAuthenticationProtocol = 'WsFed'
    PromptLoginBehavior = 'TranslateToFreshPasswordAuth' # Or 'NativeSupport' or 'Disabled', depending on the requirement
}
Set-EntraDomainFederationSettings @params

This command updates the PromptLoginBehavior to either TranslateToFreshPasswordAuth, NativeSupport, or Disabled. The possible values are:

  • TranslateToFreshPasswordAuth - the default Microsoft Entra ID behavior: prompt=login is translated to wauth=https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password and wfresh=0.
  • NativeSupport - the prompt=login parameter is sent as is to AD FS.
  • Disabled - only wfresh=0 is sent to AD FS.

Use Get-EntraDomainFederationSettings -DomainName <your_domain_name> | Format-List * to read the current values of PreferredAuthenticationProtocol and PromptLoginBehavior for the federated domain.

  • -DomainName parameter specifies the fully qualified domain name to update.
  • -PreferredAuthenticationProtocol parameter specifies the preferred authentication protocol.
  • -PromptLoginBehavior parameter specifies the prompt sign-in behavior.
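Because this cmdlet can also replace the domain's token signing certificate and sign-in endpoints, a practitioner usually wants proof that a PromptLoginBehavior change touched nothing else. The following script is an added example, not part of the Entra PowerShell documentation: it snapshots the federation settings, applies the same change as Example 1, reads the settings back and reports any tracked property that changed apart from PromptLoginBehavior. It assumes that Get-EntraDomainFederationSettings returns an object whose property names match this cmdlet's parameter names, and that SigningCertificate and NextSigningCertificate hold the base64-encoded DER certificate (the helper Get-CertThumbprint and the function Get-FederationSnapshot are hypothetical names defined here).

```powershell
# Added example: verify that a PromptLoginBehavior update changed only what was intended.
# Assumes the Get-EntraDomainFederationSettings output properties are named like the
# Set-EntraDomainFederationSettings parameters (assumption, not stated on this page).
Connect-Entra -Scopes 'Domain.ReadWrite.All'

$domain = 'contoso.com'   # replace with your federated domain

# Properties compared before and after the update
$tracked = @(
    'IssuerUri', 'PassiveLogOnUri', 'ActiveLogOnUri', 'LogOffUri',
    'MetadataExchangeUri', 'FederationBrandName',
    'SigningCertificate', 'NextSigningCertificate',
    'PreferredAuthenticationProtocol', 'PromptLoginBehavior'
)

function Get-FederationSnapshot {
    param([string]$DomainName)
    $settings = Get-EntraDomainFederationSettings -DomainName $DomainName
    $snapshot = @{}
    foreach ($name in $tracked) { $snapshot[$name] = [string]$settings.$name }
    return $snapshot
}

# Thumbprint is easier to log and compare than the full base64 certificate blob.
# Assumes the property holds a base64-encoded DER certificate.
function Get-CertThumbprint {
    param([string]$Base64Cert)
    if ([string]::IsNullOrEmpty($Base64Cert)) { return '<none>' }
    try {
        $bytes = [Convert]::FromBase64String($Base64Cert)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        return $cert.Thumbprint
    } catch {
        return '<unparseable>'
    }
}

$before = Get-FederationSnapshot -DomainName $domain
"Before: PromptLoginBehavior=$($before.PromptLoginBehavior); signing cert thumbprint=$(Get-CertThumbprint $before.SigningCertificate)"

# The same update as Example 1 on this page
$params = @{
    DomainName                      = $domain
    PreferredAuthenticationProtocol = 'WsFed'
    PromptLoginBehavior             = 'NativeSupport'
}
Set-EntraDomainFederationSettings @params

$after = Get-FederationSnapshot -DomainName $domain

# Anything other than PromptLoginBehavior changing is unexpected and should be reviewed.
$expectedToChange = @('PromptLoginBehavior')
$unexpected = @()
foreach ($name in $tracked) {
    if ($before[$name] -ne $after[$name] -and $name -notin $expectedToChange) {
        $unexpected += $name
    }
}

if ($unexpected.Count -gt 0) {
    Write-Warning "Properties changed outside the intended update: $($unexpected -join ', '). Review the domain's federation configuration."
} else {
    "Update verified: PromptLoginBehavior is now '$($after.PromptLoginBehavior)'; no other tracked property changed."
}
"After: signing cert thumbprint=$(Get-CertThumbprint $after.SigningCertificate)"
```

The before/after snapshot is also a convenient baseline to keep: recording the signing certificate thumbprints for each federated domain lets an operator confirm later that SigningCertificate and NextSigningCertificate still hold the certificates the federation server is expected to use.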

Parameters

-ActiveLogOnUri

A URL that specifies the endpoint used by active clients when authenticating with domains set up for single sign-on (also known as identity federation) in Microsoft Entra ID.

Type: System.String
Position: 6
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-DomainName

The fully qualified domain name (FQDN) to update.

Type: System.String
Position: 1
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False

-FederationBrandName

The display name shown to users when signing in to Microsoft Entra ID. We recommend using something familiar to users, such as "Contoso Inc."

Type: System.String
Position: 8
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-IssuerUri

The unique identifier of the domain in the Microsoft Entra ID Identity platform derived from the federation server.

Type: System.String
Position: 7
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-LogOffUri

The URL clients are redirected to when they sign out of Microsoft Entra ID services.

Type: System.String
Position: 4
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-MetadataExchangeUri

The URL that specifies the metadata exchange endpoint used for authentication from rich client applications such as Lync Online.

Type: System.String
Position: 9
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-NextSigningCertificate

The next token signing certificate that will be used to sign tokens when the primary signing certificate expires.

Type: System.String
Position: 3
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-PassiveLogOnUri

The URL that web-based clients will be directed to when signing in to Microsoft Entra ID services.

Type: System.String
Position: 5
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-PreferredAuthenticationProtocol

Specifies the preferred authentication protocol.

Type: System.String
Position: 10
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-PromptLoginBehavior

Specifies the prompt login behavior.

Type: System.String
Position: 12
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-SigningCertificate

The current certificate used to sign tokens passed to the Microsoft Entra ID Identity platform.

Type: System.String
Position: 2
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False

-SigningCertificateUpdateStatus

Specifies the update status of the signing certificate.

Type: System.Object
Position: 11
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False