internalDomainFederation resource type

Namespace: microsoft.graph

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Represents configurations of the domains in a tenant that are federated and verified with Microsoft Entra ID. Use this resource to configure federation settings when setting up federation with Microsoft Entra ID. For information on federation, see What is federation with Microsoft Entra ID?.

Inherits from samlOrWsFedProvider.

Methods

Method Return type Description
List internalDomainFederation collection Read the properties of the internalDomainFederation object for the domain.
Create internalDomainFederation Create a new internalDomainFederation object.
Get internalDomainFederation Read the properties and relationships of an internalDomainFederation object.
Update internalDomainFederation Update the properties of an internalDomainFederation object.
Delete None Delete an internalDomainFederation object.

Properties

Property Type Description
activeSignInUri String URL of the endpoint used by active clients when authenticating with federated domains set up for single sign-on in Microsoft Entra ID. Corresponds to the ActiveLogOnUri property of the Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet.
displayName String The display name of the federated identity Provider (IdP). Inherited from identityProviderBase.
federatedIdpMfaBehavior federatedIdpMfaBehavior Determines whether Microsoft Entra ID accepts the MFA performed by the federated IdP when a federated user accesses an application that is governed by a conditional access policy that requires MFA. The possible values are: acceptIfMfaDoneByFederatedIdp, enforceMfaByFederatedIdp, rejectMfaByFederatedIdp, unknownFutureValue. For more information, see federatedIdpMfaBehavior values.
id String The identifier of the federated identity provider. Inherited from entity.
isSignedAuthenticationRequestRequired Boolean If true, when SAML authentication requests are sent to the federated SAML IdP, Microsoft Entra ID will sign those requests using the OrgID signing key. If false (default), the SAML authentication requests sent to the federated IdP aren't signed.
issuerUri String Issuer URI of the federation server. Inherited from samlOrWsFedProvider.
metadataExchangeUri String URI of the metadata exchange endpoint used for authentication from rich client applications. Inherited from samlOrWsFedProvider.
nextSigningCertificate String Fallback token signing certificate that can also be used to sign tokens, for example when the primary signing certificate expires. Formatted as Base64 encoded strings of the public portion of the federated IdP's token signing certificate. Needs to be compatible with the X509Certificate2 class. Much like the signingCertificate, the nextSigningCertificate property is used if a rollover is required outside of the auto-rollover update, a new federation service is being set up, or if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated.
passiveSignInUri String URI that web-based clients are directed to when signing into Microsoft Entra services. Inherited from samlOrWsFedProvider.
passwordResetUri String URI that clients are redirected to for resetting their password.
preferredAuthenticationProtocol authenticationProtocol Preferred authentication protocol. This parameter must be configured explicitly for the federation passive authentication flow to work. The possible values are: wsFed, saml, unknownFutureValue. Inherited from samlOrWsFedProvider.
promptLoginBehavior promptLoginBehavior Sets the preferred behavior for the sign-in prompt. The possible values are: translateToFreshPasswordAuthentication, nativeSupport, disabled, unknownFutureValue.
signingCertificate String Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class.
This property is used in the following scenarios:
  • If a rollover is required outside of the autorollover update
  • A new federation service is being set up
  • If the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated.
    Microsoft Entra ID updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Microsoft Entra ID monitors the metadata daily and will update the federation settings for the domain when a new certificate is available. Inherited from samlOrWsFedProvider.
  • signingCertificateUpdateStatus signingCertificateUpdateStatus Provides status and timestamp of the last update of the signing certificate.
    signOutUri String URI that clients are redirected to when they sign out of Microsoft Entra services. Corresponds to the LogOffUri property of the Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet.

    Note

    Azure AD and MSOnline PowerShell modules are deprecated as of March 30, 2024. To learn more, read the deprecation update. After this date, support for these modules are limited to migration assistance to Microsoft Graph PowerShell SDK and security fixes. The deprecated modules will continue to function through March, 30 2025.

    We recommend migrating to Microsoft Graph PowerShell to interact with Microsoft Entra ID (formerly Azure AD). For common migration questions, refer to the Migration FAQ. Note: Versions 1.0.x of MSOnline may experience disruption after June 30, 2024.

    federatedIdpMfaBehavior values

    Member Description
    acceptIfMfaDoneByFederatedIdp Microsoft Entra ID accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Microsoft Entra ID performs the MFA.
    enforceMfaByFederatedIdp Microsoft Entra ID accepts MFA that's performed by federated identity provider. If the federated identity provider didn't perform MFA, it redirects the request to federated identity provider to perform MFA.
    rejectMfaByFederatedIdp Microsoft Entra ID always performs MFA and rejects MFA that's performed by the federated identity provider.

    Note: federatedIdpMfaBehavior is an evolved version of the SupportsMfa property of the Set-MsolDomainFederationSettings MSOnline v1 PowerShell cmdlet.

    • Switching between federatedIdpMfaBehavior and SupportsMfa isn't supported.
    • Once federatedIdpMfaBehavior property is set, Microsoft Entra ID ignores the SupportsMfa setting.
    • If the federatedIdpMfaBehavior property is never set, Microsoft Entra ID continues to honor the SupportsMfa setting.
    • If neither federatedIdpMfaBehavior nor SupportsMfa is set, Microsoft Entra ID defaults to acceptIfMfaDoneByFederatedIdp behavior.

    Relationships

    None.

    JSON representation

    The following JSON representation shows the resource type.

    {
      "@odata.type": "#microsoft.graph.internalDomainFederation",
      "id": "String (identifier)",
      "displayName": "String",
      "issuerUri": "String",
      "metadataExchangeUri": "String",
      "signingCertificate": "String",
      "passiveSignInUri": "String",
      "preferredAuthenticationProtocol": "String",
      "activeSignInUri": "String",
      "signOutUri": "String",
      "promptLoginBehavior": "String",
      "isSignedAuthenticationRequestRequired": "Boolean",
      "nextSigningCertificate": "String",
      "signingCertificateUpdateStatus": {
        "certificateUpdateResult": "String",
        "@odata.type": "microsoft.graph.signingCertificateUpdateStatus"
      },
      "federatedIdpMfaBehavior": "String",
      "passwordResetUri": "String"
    }