Set-MsolDomainFederationSettings

Updates settings for a federated domain.

Syntax

Set-MsolDomainFederationSettings
   -DomainName <String>
   [-SigningCertificate <String>]
   [-NextSigningCertificate <String>]
   [-LogOffUri <String>]
   [-PassiveLogOnUri <String>]
   [-ActiveLogOnUri <String>]
   [-IssuerUri <String>]
   [-FederationBrandName <String>]
   [-MetadataExchangeUri <String>]
   [-PreferredAuthenticationProtocol <AuthenticationProtocol>]
   [-SupportsMfa <Boolean>]
   [-DefaultInteractiveAuthenticationMethod <String>]
   [-OpenIdConnectDiscoveryEndpoint <String>]
   [-SigningCertificateUpdateStatus <SigningCertificateUpdateStatus>]
   [-PromptLoginBehavior <PromptLoginBehavior>]
   [-TenantId <Guid>]
   [<CommonParameters>]

Description

The Set-MsolDomainFederationSettings cmdlet is used to update the settings of a single sign-on domain. Single sign-on is also known as identity federation.

Examples

Example 1: Set the PromptLoginBehavior

PS C:\> Set-MsolDomainFederationSettings -DomainName <your_domain_name> -PreferredAuthenticationProtocol <your_preferred_authentication_protocol> -SupportsMfa <current_value_for_supportsmfa> -PromptLoginBehavior <TranslateToFreshPasswordAuth|NativeSupport|Disabled>

This command updates the PromptLoginBehavior to either TranslateToFreshPasswordAuth, NativeSupport, or Disabled. These possible values are described below:

  • TranslateToFreshPasswordAuth: the default Azure AD behavior; prompt=login is translated to wauth=https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password and wfresh=0.
  • NativeSupport: the prompt=login parameter is sent as is to AD FS.
  • Disabled: only wfresh=0 is sent to AD FS.

Run Get-MsolDomainFederationSettings -DomainName <your_domain_name> | Format-List * to see the current values of PreferredAuthenticationProtocol, SupportsMfa, and PromptLoginBehavior for the federated domain, and pass the existing values back in for the settings you do not intend to change.
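The procedure above, read the current settings, change only PromptLoginBehavior, then confirm nothing else moved, as an added example that is not part of the original page. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the domain name and the target behavior are constructed placeholders.

```powershell
# Added example; not from the original page. Assumes the MSOnline module is
# loaded and Connect-MsolService has already been run. The domain name and the
# target behavior are constructed placeholders.
$domain  = 'contoso.example'    # placeholder, replace with the federated domain
$desired = 'NativeSupport'      # one of TranslateToFreshPasswordAuth, NativeSupport, Disabled

# Read the current settings first so the two values passed alongside
# PromptLoginBehavior are the ones already in place.
$current = Get-MsolDomainFederationSettings -DomainName $domain
if (-not $current) { throw "No federation settings returned for $domain" }

"Before: PreferredAuthenticationProtocol=$($current.PreferredAuthenticationProtocol) " +
"SupportsMfa=$($current.SupportsMfa) PromptLoginBehavior=$($current.PromptLoginBehavior)"

# Build the parameter set by splatting. SupportsMfa is only passed when the
# tenant actually has a value for it: $null bound to a [Boolean] parameter
# would be written as $false.
$params = @{
    DomainName                      = $domain
    PreferredAuthenticationProtocol = $current.PreferredAuthenticationProtocol
    PromptLoginBehavior             = $desired
}
if ($null -ne $current.SupportsMfa) { $params['SupportsMfa'] = $current.SupportsMfa }

Set-MsolDomainFederationSettings @params

# Re-read and confirm that only PromptLoginBehavior changed.
$after = Get-MsolDomainFederationSettings -DomainName $domain
if ("$($after.PromptLoginBehavior)" -ne $desired) { throw 'PromptLoginBehavior was not updated' }
foreach ($p in 'PreferredAuthenticationProtocol','SupportsMfa','IssuerUri','PassiveLogOnUri','SigningCertificate') {
    if ("$($current.$p)" -ne "$($after.$p)") { Write-Warning "$p changed unexpectedly on $domain" }
}
"After: PromptLoginBehavior=$($after.PromptLoginBehavior)"
```

The before/after comparison covers the properties that, if altered, would change where users are sent to sign in or which certificate Azure AD trusts, so an unintended reset is surfaced immediately rather than at the next sign-in.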

Parameters

-ActiveLogOnUri

Specifies the URL of the endpoint used by active clients when authenticating with domains set up for single sign-on in Azure Active Directory.

Type: String
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-DefaultInteractiveAuthenticationMethod

Specifies the default authentication method to use when an application requires the user to sign in interactively.

Type: String
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-DomainName

Specifies the fully qualified domain name (FQDN) to update.

Type: String
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-FederationBrandName

Specifies the string shown to users when they sign in to Azure Active Directory. We recommend something familiar to users, such as your company name, for example Contoso Inc.

Type: String
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-IssuerUri

Specifies the URI of the domain in the Azure Active Directory Identity platform derived from the federation server.

Type: String
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-LogOffUri

Specifies the URL clients are redirected to when they sign out of Azure Active Directory services.

Type: String
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-MetadataExchangeUri

Specifies the URL of the metadata exchange endpoint used for authentication from rich client applications such as Lync Online.

Type: String
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-NextSigningCertificate

Specifies the next token signing certificate, which is used to sign tokens once the primary signing certificate expires.

Type: String
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-OpenIdConnectDiscoveryEndpoint

Specifies the OpenID Connect Discovery Endpoint of the federated IDP STS.

Type: String
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-PassiveLogOnUri

Specifies the URL that web-based clients are directed to when signing in to Azure Active Directory services.

Type: String
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-PreferredAuthenticationProtocol

Specifies the preferred authentication protocol. Valid values are WsFed and Samlp.

Type: AuthenticationProtocol
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-PromptLoginBehavior

Specifies the prompt login behavior.

Type: PromptLoginBehavior
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-SigningCertificate

Specifies the current certificate used to sign tokens passed to the Azure Active Directory Identity platform.

Type: String
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

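A worked rollover covering both -NextSigningCertificate and -SigningCertificate, as an added example that is not part of the original page: the replacement certificate is inspected locally before Azure AD is told to trust it, then the stored value is read back and compared. It assumes Connect-MsolService has been run and that these parameters take the base64-encoded DER certificate in the same form that Get-MsolDomainFederationSettings returns in SigningCertificate (an assumption); the file path and expected thumbprint are constructed placeholders.

```powershell
# Added example; not from the original page. Assumes Connect-MsolService has
# been run and that -NextSigningCertificate accepts the base64-encoded DER
# certificate, the form returned in SigningCertificate by
# Get-MsolDomainFederationSettings (assumption). Path and thumbprint are
# constructed placeholders.
$domain             = 'contoso.example'                          # placeholder
$nextCertPath       = 'C:\certs\adfs-token-signing-next.cer'     # placeholder
$expectedThumbprint = 'PLACEHOLDER_THUMBPRINT_FROM_ADFS_ADMIN'    # placeholder, from the AD FS operator

$X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$cert = $X509::new($nextCertPath)

# Check the certificate before it is staged as a trusted token signer.
if ($cert.Thumbprint -ne $expectedThumbprint) { throw "Thumbprint mismatch: got $($cert.Thumbprint)" }
if ($cert.NotBefore -gt (Get-Date))           { throw "Certificate is not yet valid: $($cert.NotBefore)" }
if ($cert.NotAfter -le (Get-Date).AddDays(30)) { throw "Certificate expires too soon: $($cert.NotAfter)" }
if ($cert.HasPrivateKey)                      { throw 'Supply the public certificate only; the private key stays on the federation server' }

# Compare with the current primary certificate so a no-op or a downgrade is caught.
$settings    = Get-MsolDomainFederationSettings -DomainName $domain
$currentCert = $X509::new([Convert]::FromBase64String($settings.SigningCertificate))
if ($currentCert.Thumbprint -eq $cert.Thumbprint) { throw 'Next certificate is identical to the current one' }
if ($cert.NotAfter -le $currentCert.NotAfter)     { Write-Warning 'Next certificate expires before the current one' }

# Stage it. Export as DER (public part only) and base64-encode.
$base64 = [Convert]::ToBase64String(
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
Set-MsolDomainFederationSettings -DomainName $domain -NextSigningCertificate $base64

# Read back and confirm that what Azure AD stored is the certificate we checked.
$after  = Get-MsolDomainFederationSettings -DomainName $domain
$stored = $X509::new([Convert]::FromBase64String($after.NextSigningCertificate))
if ($stored.Thumbprint -ne $cert.Thumbprint) { throw 'Stored NextSigningCertificate does not match the file' }
"Staged next signing certificate $($stored.Thumbprint), valid until $($stored.NotAfter)"
```

The thumbprint check is the important one: whoever operates the federation server should communicate the expected thumbprint out of band, so that the certificate Azure AD is about to trust is tied to a known key rather than to whatever file happened to be on disk.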
-SigningCertificateUpdateStatus

Specifies the update status of the signing certificate.

Type: SigningCertificateUpdateStatus
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-SupportsMfa

Indicates whether the IDP STS supports MFA.

Note

To secure your Azure AD resources, require MFA through a Conditional Access policy, set the domain setting SupportsMfa to $True, and have the federated IdP emit the multipleauthn claim when a user completes two-step verification successfully. With SupportsMfa set to $True, Azure AD relies on that claim from the federated IdP to satisfy the MFA requirement.

Type: Boolean
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

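A review script for the federation settings described on this page, as an added example that is not part of the original page: it walks every federated domain, records the values that matter for trust (IssuerUri, the sign-in URLs, SupportsMfa, the signing certificate) and reports drift from a known-good table plus certificates nearing expiry. It assumes Connect-MsolService has been run, that Get-MsolDomain -Authentication Federated lists the federated domains, and that SigningCertificate holds the base64-encoded DER certificate (assumption); the expected-value table is a constructed placeholder an administrator would fill from their own AD FS configuration.

```powershell
# Added example; not from the original page. Assumes Connect-MsolService has
# been run, that Get-MsolDomain -Authentication Federated lists federated
# domains, and that SigningCertificate holds a base64-encoded DER certificate
# (assumption). The $expected table is a constructed placeholder.
$expected = @{
    'contoso.example' = @{
        IssuerUri  = 'http://adfs.contoso.example/adfs/services/trust'   # placeholder
        Thumbprint = 'PLACEHOLDER_THUMBPRINT'                             # placeholder
    }
}

function Get-SigningCert([string]$Base64) {
    # Decode the stored certificate, or return $null when nothing is set.
    if (-not $Base64) { return $null }
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Base64))
}

$report   = @()
$findings = foreach ($d in Get-MsolDomain -Authentication Federated) {
    $s    = Get-MsolDomainFederationSettings -DomainName $d.Name
    $cert = Get-SigningCert $s.SigningCertificate
    $next = Get-SigningCert $s.NextSigningCertificate
    $want = $expected[$d.Name]

    $report += [pscustomobject]@{
        Domain              = $d.Name
        IssuerUri           = $s.IssuerUri
        PassiveLogOnUri     = $s.PassiveLogOnUri
        SupportsMfa         = $s.SupportsMfa
        PromptLoginBehavior = $s.PromptLoginBehavior
        CertThumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
        CertExpires         = if ($cert) { $cert.NotAfter }   else { $null }
        NextCertStaged      = [bool]$next
    }

    # Drift: a federated domain nobody recorded, or an issuer/certificate that
    # differs from the known-good value. Either means the trust relationship
    # changed and should be explained.
    if (-not $want) {
        "$($d.Name): federated domain with no expected configuration on record"
    } else {
        if ($s.IssuerUri -ne $want.IssuerUri) {
            "$($d.Name): IssuerUri is $($s.IssuerUri), expected $($want.IssuerUri)"
        }
        if ($cert -and $cert.Thumbprint -ne $want.Thumbprint) {
            "$($d.Name): signing certificate $($cert.Thumbprint) is not the expected one"
        }
    }

    # Hygiene: sign-in endpoints over plain HTTP, and an expiring certificate
    # with nothing staged in NextSigningCertificate.
    foreach ($u in 'PassiveLogOnUri','ActiveLogOnUri','LogOffUri','MetadataExchangeUri') {
        if ($s.$u -and $s.$u -notlike 'https://*') { "$($d.Name): $u is not HTTPS ($($s.$u))" }
    }
    if ($cert -and $cert.NotAfter -lt (Get-Date).AddDays(60) -and -not $next) {
        "$($d.Name): signing certificate expires $($cert.NotAfter) and no NextSigningCertificate is staged"
    }
    # Informational: with SupportsMfa True, Azure AD relies on this IdP's
    # multipleauthn claim, so the IdP's own MFA policy is part of the control.
    if ($s.SupportsMfa -eq $true) {
        "$($d.Name): SupportsMfa is True; MFA is satisfied by the federated IdP's multipleauthn claim"
    }
}

$report | Format-Table -AutoSize
if ($findings) { $findings } else { 'No findings' }
```

Run it on a schedule and diff the report against the previous run; the settings this cmdlet writes change rarely in a healthy tenant, so any difference in IssuerUri, the sign-in URLs or the certificate thumbprint should map to a known change ticket.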
-TenantId

Specifies the unique ID of the tenant on which to perform the operation. The default value is the tenant of the current user. This parameter applies only to partner users.

Type: Guid
Position: Named
Default value: None
Accept pipeline input: True
Accept wildcard characters: False