Set-MsolDomainFederationSettings
Updates settings for a federated domain.
Syntax
Set-MsolDomainFederationSettings
-DomainName <String>
[-SigningCertificate <String>]
[-NextSigningCertificate <String>]
[-LogOffUri <String>]
[-PassiveLogOnUri <String>]
[-ActiveLogOnUri <String>]
[-IssuerUri <String>]
[-FederationBrandName <String>]
[-MetadataExchangeUri <String>]
[-PreferredAuthenticationProtocol <AuthenticationProtocol>]
[-SupportsMfa <Boolean>]
[-DefaultInteractiveAuthenticationMethod <String>]
[-OpenIdConnectDiscoveryEndpoint <String>]
[-SigningCertificateUpdateStatus <SigningCertificateUpdateStatus>]
[-PromptLoginBehavior <PromptLoginBehavior>]
[-TenantId <Guid>]
[<CommonParameters>]
Description
The Set-MsolDomainFederationSettings cmdlet is used to update the settings of a single sign-on domain. Single sign-on is also known as identity federation.
Examples
Example 1: Set the PromptLoginBehavior
PS C:\> Set-MsolDomainFederationSettings -DomainName <your_domain_name> -PreferredAuthenticationProtocol <your_preferred_authentication_protocol> -SupportsMfa <current_value_for_supportsmfa> -PromptLoginBehavior <TranslateToFreshPasswordAuth|NativeSupport|Disabled>
This command updates the PromptLoginBehavior to either TranslateToFreshPasswordAuth, NativeSupport, or Disabled. These possible values are described below:
- TranslateToFreshPasswordAuth: the default Azure AD behavior of translating prompt=login to wauth=https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password and wfresh=0.
- NativeSupport: the prompt=login parameter is sent as is to AD FS.
- Disabled: only wfresh=0 is sent to AD FS.
Use Get-MsolDomainFederationSettings -DomainName <your_domain_name> | Format-List * to get the current values of PreferredAuthenticationProtocol, SupportsMfa, and PromptLoginBehavior for the federated domain.
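The Get-then-Set procedure above, as an added example that is not part of the reference page: it reads the domain's current PreferredAuthenticationProtocol and SupportsMfa, passes them back unchanged while setting the new PromptLoginBehavior, and then re-reads the domain to confirm that nothing else moved. It assumes the MSOnline module is loaded and Connect-MsolService has already run; $DomainName and $NewBehavior are values you supply.

```powershell
# Added example, not from the reference page. Assumes Connect-MsolService has run.
param(
    [Parameter(Mandatory)] [string] $DomainName,
    [Parameter(Mandatory)]
    [ValidateSet('TranslateToFreshPasswordAuth', 'NativeSupport', 'Disabled')]
    [string] $NewBehavior
)

# Read the current settings first: the cmdlet applies the values it is given,
# so the protocol and the MFA flag must be passed back exactly as they are now.
$current = Get-MsolDomainFederationSettings -DomainName $DomainName
if (-not $current) { throw "No federation settings found for $DomainName" }

# Keep the pre-change state for the change record.
$before = $current | Select-Object PreferredAuthenticationProtocol, SupportsMfa, PromptLoginBehavior
Write-Host "Before:" ($before | Format-List | Out-String)

$params = @{
    DomainName                      = $DomainName
    PreferredAuthenticationProtocol = $current.PreferredAuthenticationProtocol
    SupportsMfa                     = [bool]$current.SupportsMfa
    PromptLoginBehavior             = $NewBehavior
}
Set-MsolDomainFederationSettings @params

# Verify: re-read and make sure only PromptLoginBehavior changed.
$after = Get-MsolDomainFederationSettings -DomainName $DomainName
$unchanged = ($after.PreferredAuthenticationProtocol -eq $current.PreferredAuthenticationProtocol) -and
             ([bool]$after.SupportsMfa -eq [bool]$current.SupportsMfa)
if (-not $unchanged) { throw "Unexpected change to protocol or SupportsMfa on $DomainName" }
if ($after.PromptLoginBehavior -ne $NewBehavior) { throw "PromptLoginBehavior was not applied" }
Write-Host "PromptLoginBehavior on $DomainName is now $($after.PromptLoginBehavior)"
```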
Parameters
-ActiveLogOnUri
Specifies the URL of the end point used by active clients when authenticating with domains set up for single sign-on in Azure Active Directory.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-DefaultInteractiveAuthenticationMethod
Specifies the default authentication method that should be used when an application requires the user to have interactive login.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-DomainName
Specifies the fully qualified domain name (FQDN) to update.
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
-FederationBrandName
Specifies the name of the string value shown to users when signing in to Azure Active Directory. We recommend that you use something that is familiar to users, like your company name, such as Contoso Inc.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-IssuerUri
Specifies the URI of the domain in the Azure Active Directory Identity platform derived from the federation server.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-LogOffUri
Specifies the URL clients are redirected to when they sign out of Azure Active Directory services.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-MetadataExchangeUri
Specifies the URL of the metadata exchange end point used for authentication from rich client applications such as Lync Online.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-NextSigningCertificate
Specifies the next token signing certificate that you use to sign tokens when the primary signing certificate expires.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-OpenIdConnectDiscoveryEndpoint
Specifies the OpenID Connect Discovery Endpoint of the federated IDP STS.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-PassiveLogOnUri
Specifies the URL that web-based clients are directed to when signing in to Azure Active Directory services.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-PreferredAuthenticationProtocol
Specifies the preferred authentication protocol. Valid values are WsFed and Samlp.
Type: AuthenticationProtocol
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-PromptLoginBehavior
Specifies the prompt login behavior.
Type: PromptLoginBehavior
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-SigningCertificate
Specifies the current certificate used to sign tokens passed to the Azure Active Directory Identity platform.
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-SigningCertificateUpdateStatus
Specifies the update status of the signing certificate.
Type: SigningCertificateUpdateStatus
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-SupportsMfa
Indicates whether the IDP STS supports MFA.
Note: To secure your Azure AD resource, it is recommended to require MFA through a Conditional Access policy, set the domain setting SupportsMfa to $True, and emit the multipleauthn claim when a user performs two-step verification successfully.
Type: Boolean
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
-TenantId
Specifies the unique ID of the tenant on which to perform the operation. The default value is the tenant of the current user. This parameter applies only to partner users.
Type: Guid
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False
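Because the settings above (the token signing certificates, IssuerUri, the sign-on URIs, SupportsMfa and PromptLoginBehavior) define which identity provider Azure AD trusts for the domain, it is worth periodically comparing them with a recorded known-good baseline. The following is an added example, not code from the reference page: it reads the live settings with Get-MsolDomainFederationSettings, reduces the base64 SigningCertificate and NextSigningCertificate strings to thumbprints, and reports every setting that differs from the baseline. It assumes the MSOnline module is loaded and Connect-MsolService has run; the baseline values are placeholders to replace with your own recorded values.

```powershell
# Added example, not from the reference page. Assumes Connect-MsolService has run.
function Get-CertThumbprint {
    # SigningCertificate and NextSigningCertificate are base64-encoded X.509 certificates.
    param([string] $Base64)
    if ([string]::IsNullOrWhiteSpace($Base64)) { return $null }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($Base64))
    return $cert.Thumbprint
}

function Test-FederationBaseline {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    $live = Get-MsolDomainFederationSettings -DomainName $DomainName
    # Normalise the live object into plain comparable values.
    $observed = @{
        IssuerUri                        = $live.IssuerUri
        PassiveLogOnUri                  = $live.PassiveLogOnUri
        ActiveLogOnUri                   = $live.ActiveLogOnUri
        PreferredAuthenticationProtocol  = "$($live.PreferredAuthenticationProtocol)"
        SupportsMfa                      = [bool]$live.SupportsMfa
        PromptLoginBehavior              = "$($live.PromptLoginBehavior)"
        SigningCertificateThumbprint     = Get-CertThumbprint $live.SigningCertificate
        NextSigningCertificateThumbprint = Get-CertThumbprint $live.NextSigningCertificate
    }
    # Emit one record per setting whose live value differs from the baseline.
    foreach ($key in $Baseline.Keys) {
        $expected = $Baseline[$key]
        $actual   = $observed[$key]
        if ("$expected" -ne "$actual") {
            [pscustomobject]@{ Domain = $DomainName; Setting = $key; Expected = $expected; Actual = $actual }
        }
    }
}

# Placeholder baseline: record the real values from a known-good state.
$baseline = @{
    IssuerUri                        = 'http://<your-adfs-host>/adfs/services/trust'
    PreferredAuthenticationProtocol  = 'WsFed'
    SupportsMfa                      = $true
    PromptLoginBehavior              = 'TranslateToFreshPasswordAuth'
    SigningCertificateThumbprint     = '<expected-thumbprint>'
    NextSigningCertificateThumbprint = $null   # no rollover certificate staged
}
$drift = Test-FederationBaseline -DomainName '<your_domain_name>' -Baseline $baseline
if ($drift) { $drift | Format-Table -AutoSize } else { Write-Host 'No drift detected' }
```

An unexpected SigningCertificate or NextSigningCertificate thumbprint, or an IssuerUri that no longer matches the baseline, should be treated as a change to investigate rather than silently re-baselined.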