Share via


Update-MgDomainFederationConfiguration

Update the properties of an internalDomainFederation object.

Note

To view the beta release of this cmdlet, view Update-MgBetaDomainFederationConfiguration

Syntax

UpdateExpanded (Default)

Update-MgDomainFederationConfiguration
    -DomainId <String>
    -InternalDomainFederationId <String>
    [-ResponseHeadersVariable <String>]
    [-ActiveSignInUri <String>]
    [-AdditionalProperties <Hashtable>]
    [-DisplayName <String>]
    [-FederatedIdpMfaBehavior <String>]
    [-Id <String>]
    [-IsSignedAuthenticationRequestRequired]
    [-IssuerUri <String>]
    [-MetadataExchangeUri <String>]
    [-NextSigningCertificate <String>]
    [-PassiveSignInUri <String>]
    [-PasswordResetUri <String>]
    [-PreferredAuthenticationProtocol <String>]
    [-PromptLoginBehavior <String>]
    [-SignOutUri <String>]
    [-SigningCertificate <String>]
    [-SigningCertificateUpdateStatus <IMicrosoftGraphSigningCertificateUpdateStatus>]
    [-Headers <IDictionary>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Update

Update-MgDomainFederationConfiguration
    -DomainId <String>
    -InternalDomainFederationId <String>
    -BodyParameter <IMicrosoftGraphInternalDomainFederation>
    [-ResponseHeadersVariable <String>]
    [-Headers <IDictionary>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

UpdateViaIdentityExpanded

Update-MgDomainFederationConfiguration
    -InputObject <IIdentityDirectoryManagementIdentity>
    [-ResponseHeadersVariable <String>]
    [-ActiveSignInUri <String>]
    [-AdditionalProperties <Hashtable>]
    [-DisplayName <String>]
    [-FederatedIdpMfaBehavior <String>]
    [-Id <String>]
    [-IsSignedAuthenticationRequestRequired]
    [-IssuerUri <String>]
    [-MetadataExchangeUri <String>]
    [-NextSigningCertificate <String>]
    [-PassiveSignInUri <String>]
    [-PasswordResetUri <String>]
    [-PreferredAuthenticationProtocol <String>]
    [-PromptLoginBehavior <String>]
    [-SignOutUri <String>]
    [-SigningCertificate <String>]
    [-SigningCertificateUpdateStatus <IMicrosoftGraphSigningCertificateUpdateStatus>]
    [-Headers <IDictionary>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

UpdateViaIdentity

Update-MgDomainFederationConfiguration
    -InputObject <IIdentityDirectoryManagementIdentity>
    -BodyParameter <IMicrosoftGraphInternalDomainFederation>
    [-ResponseHeadersVariable <String>]
    [-Headers <IDictionary>]
    [-WhatIf]
    [-Confirm]
    [<CommonParameters>]

Description

Update the properties of an internalDomainFederation object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Domain.ReadWrite.All,
Delegated (personal Microsoft account) Not supported
Application Domain.ReadWrite.All,

Examples

Example 1: Update the federation settings for a federated ___domain

Update-MgDomainFederationConfiguration -DomainId 'contoso.com' -InternalDomainFederationId '2a8ce608-bb34-473f-9e0f-f373ee4cbc5a' -DisplayName "Contoso name change"

This example updates the DisplayName setting.

Parameters

-ActiveSignInUri

URL of the endpoint used by active clients when authenticating with federated domains set up for single sign-on in Microsoft Entra ID. Corresponds to the ActiveLogOnUri property of the Set-EntraDomainFederationSettings PowerShell cmdlet.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-AdditionalProperties

Additional Parameters

Parameter properties

Type:Hashtable
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-BodyParameter

internalDomainFederation To construct, see NOTES section for BODYPARAMETER properties and create a hash table.

Parameter properties

Type:IMicrosoftGraphInternalDomainFederation
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

Update
Position:Named
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentity
Position:Named
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:cf

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DisplayName

The display name of the identity provider.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-DomainId

The unique identifier of ___domain

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
Update
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-FederatedIdpMfaBehavior

federatedIdpMfaBehavior

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-Headers

Optional headers that will be added to the request.

Parameter properties

Type:IDictionary
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False

-Id

The unique identifier for an entity. Read-only.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-InputObject

Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.

Parameter properties

Type:IIdentityDirectoryManagementIdentity
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateViaIdentityExpanded
Position:Named
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentity
Position:Named
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:False
Value from remaining arguments:False

-InternalDomainFederationId

The unique identifier of internalDomainFederation

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
Update
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-IsSignedAuthenticationRequestRequired

If true, when SAML authentication requests are sent to the federated SAML IdP, Microsoft Entra ID will sign those requests using the OrgID signing key. If false (default), the SAML authentication requests sent to the federated IdP aren't signed.

Parameter properties

Type:SwitchParameter
Default value:False
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-IssuerUri

Issuer URI of the federation server.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-MetadataExchangeUri

URI of the metadata exchange endpoint used for authentication from rich client applications.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-NextSigningCertificate

Fallback token signing certificate that can also be used to sign tokens, for example when the primary signing certificate expires. Formatted as Base64 encoded strings of the public portion of the federated IdP's token signing certificate. Needs to be compatible with the X509Certificate2 class. Much like the signingCertificate, the nextSigningCertificate property is used if a rollover is required outside of the auto-rollover update, a new federation service is being set up, or if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-PassiveSignInUri

URI that web-based clients are directed to when signing in to Microsoft Entra services.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-PasswordResetUri

Update the properties of an internalDomainFederation object.

Permissions

Permission type Permissions (from least to most privileged)
Delegated (work or school account) Domain.ReadWrite.All,
Delegated (personal Microsoft account) Not supported
Application Domain.ReadWrite.All,

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-PreferredAuthenticationProtocol

authenticationProtocol

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-PromptLoginBehavior

promptLoginBehavior

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ResponseHeadersVariable

Optional Response Headers Variable.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:RHV

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SigningCertificate

Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. This property is used in the following scenarios: if a rollover is required outside of the autorollover update a new federation service is being set up if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated. Microsoft Entra ID updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Microsoft Entra ID monitors the metadata daily and will update the federation settings for the ___domain when a new certificate is available.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SigningCertificateUpdateStatus

signingCertificateUpdateStatus To construct, see NOTES section for SIGNINGCERTIFICATEUPDATESTATUS properties and create a hash table.

Parameter properties

Type:IMicrosoftGraphSigningCertificateUpdateStatus
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SignOutUri

URI that clients are redirected to when they sign out of Microsoft Entra services. Corresponds to the LogOffUri property of the Set-EntraDomainFederationSettings PowerShell cmdlet.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

UpdateExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False
UpdateViaIdentityExpanded
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False
Aliases:wi

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

Microsoft.Graph.PowerShell.Models.IIdentityDirectoryManagementIdentity

Microsoft.Graph.PowerShell.Models.IMicrosoftGraphInternalDomainFederation

System.Collections.IDictionary

Outputs

Microsoft.Graph.PowerShell.Models.IMicrosoftGraphInternalDomainFederation

Notes

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

BODYPARAMETER <IMicrosoftGraphInternalDomainFederation>: internalDomainFederation

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [IssuerUri <String>]: Issuer URI of the federation server.
  • [MetadataExchangeUri <String>]: URI of the metadata exchange endpoint used for authentication from rich client applications.
  • [PassiveSignInUri <String>]: URI that web-based clients are directed to when signing in to Microsoft Entra services.
  • [PreferredAuthenticationProtocol <String>]: authenticationProtocol
  • [SigningCertificate <String>]: Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. This property is used in the following scenarios: if a rollover is required outside of the autorollover update a new federation service is being set up if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated. Microsoft Entra ID updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Microsoft Entra ID monitors the metadata daily and will update the federation settings for the ___domain when a new certificate is available.
  • [DisplayName <String>]: The display name of the identity provider.
  • [Id <String>]: The unique identifier for an entity. Read-only.
  • [ActiveSignInUri <String>]: URL of the endpoint used by active clients when authenticating with federated domains set up for single sign-on in Microsoft Entra ID. Corresponds to the ActiveLogOnUri property of the Set-EntraDomainFederationSettings PowerShell cmdlet.
  • [FederatedIdpMfaBehavior <String>]: federatedIdpMfaBehavior
  • [IsSignedAuthenticationRequestRequired <Boolean?>]: If true, when SAML authentication requests are sent to the federated SAML IdP, Microsoft Entra ID will sign those requests using the OrgID signing key. If false (default), the SAML authentication requests sent to the federated IdP aren't signed.
  • [NextSigningCertificate <String>]: Fallback token signing certificate that can also be used to sign tokens, for example when the primary signing certificate expires. Formatted as Base64 encoded strings of the public portion of the federated IdP's token signing certificate. Needs to be compatible with the X509Certificate2 class. Much like the signingCertificate, the nextSigningCertificate property is used if a rollover is required outside of the auto-rollover update, a new federation service is being set up, or if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated.
  • [PasswordResetUri <String>]:
  • [PromptLoginBehavior <String>]: promptLoginBehavior
  • [SignOutUri <String>]: URI that clients are redirected to when they sign out of Microsoft Entra services. Corresponds to the LogOffUri property of the Set-EntraDomainFederationSettings PowerShell cmdlet.
  • [SigningCertificateUpdateStatus <IMicrosoftGraphSigningCertificateUpdateStatus>]: signingCertificateUpdateStatus
    • [(Any) <Object>]: This indicates any property can be added to this object.
    • [CertificateUpdateResult <String>]: Status of the last certificate update. Read-only. For a list of statuses, see certificateUpdateResult status.
    • [LastRunDateTime <DateTime?>]: Date and time in ISO 8601 format and in UTC time when the certificate was last updated. Read-only.

INPUTOBJECT <IIdentityDirectoryManagementIdentity>: Identity Parameter

  • [AdministrativeUnitId <String>]: The unique identifier of administrativeUnit
  • [AllowedValueId <String>]: The unique identifier of allowedValue
  • [AttributeSetId <String>]: The unique identifier of attributeSet
  • [CommerceSubscriptionId <String>]: Alternate key of companySubscription
  • [CompanySubscriptionId <String>]: The unique identifier of companySubscription
  • [ContractId <String>]: The unique identifier of contract
  • [CustomSecurityAttributeDefinitionId <String>]: The unique identifier of customSecurityAttributeDefinition
  • [DeviceId <String>]: The unique identifier of device
  • [DeviceLocalCredentialInfoId <String>]: The unique identifier of deviceLocalCredentialInfo
  • [DirectoryObjectId <String>]: The unique identifier of directoryObject
  • [DirectoryRoleId <String>]: The unique identifier of directoryRole
  • [DirectoryRoleTemplateId <String>]: The unique identifier of directoryRoleTemplate
  • [DomainDnsRecordId <String>]: The unique identifier of domainDnsRecord
  • [DomainId <String>]: The unique identifier of ___domain
  • [DomainName <String>]: Usage: domainName='{domainName}'
  • [ExtensionId <String>]: The unique identifier of extension
  • [IdentityProviderBaseId <String>]: The unique identifier of identityProviderBase
  • [InternalDomainFederationId <String>]: The unique identifier of internalDomainFederation
  • [OnPremisesDirectorySynchronizationId <String>]: The unique identifier of onPremisesDirectorySynchronization
  • [OrgContactId <String>]: The unique identifier of orgContact
  • [OrganizationId <String>]: The unique identifier of organization
  • [OrganizationalBrandingLocalizationId <String>]: The unique identifier of organizationalBrandingLocalization
  • [ProfileCardPropertyId <String>]: The unique identifier of profileCardProperty
  • [RoleTemplateId <String>]: Alternate key of directoryRole
  • [ScopedRoleMembershipId <String>]: The unique identifier of scopedRoleMembership
  • [SubscribedSkuId <String>]: The unique identifier of subscribedSku
  • [TenantId <String>]: Usage: tenantId='{tenantId}'
  • [UserId <String>]: The unique identifier of user

SIGNINGCERTIFICATEUPDATESTATUS <IMicrosoftGraphSigningCertificateUpdateStatus>: signingCertificateUpdateStatus

  • [(Any) <Object>]: This indicates any property can be added to this object.
  • [CertificateUpdateResult <String>]: Status of the last certificate update. Read-only. For a list of statuses, see certificateUpdateResult status.
  • [LastRunDateTime <DateTime?>]: Date and time in ISO 8601 format and in UTC time when the certificate was last updated. Read-only.