Set-EntraDomainFederationSettings
Updates settings for a federated domain.
Syntax
Default (Default)
Set-EntraDomainFederationSettings
-DomainName <String>
[-SigningCertificate <String>]
[-NextSigningCertificate <String>]
[-LogOffUri <String>]
[-PassiveLogOnUri <String>]
[-ActiveLogOnUri <String>]
[-IssuerUri <String>]
[-FederationBrandName <String>]
[-MetadataExchangeUri <String>]
[-PreferredAuthenticationProtocol <AuthenticationProtocol>]
[-SigningCertificateUpdateStatus <SigningCertificateUpdateStatus>]
[-PromptLoginBehavior <PromptLoginBehavior>]
[<CommonParameters>]
Description
The Set-EntraDomainFederationSettings cmdlet is used to update the settings of a single sign-on domain.
For delegated scenarios, the calling user must be assigned at least one of the following Microsoft Entra roles:
- Domain Name Administrator
- External Identity Provider Administrator
- Hybrid Identity Administrator
- Security Administrator
Examples
Example 1: Set the PromptLoginBehavior
Connect-Entra -Scopes 'Domain.ReadWrite.All'
$domain = 'contoso.com'
$authProtocol = 'WsFed'
$promptLoginBehavior = 'TranslateToFreshPasswordAuth' # Or 'NativeSupport' or 'Disabled', depending on the requirement
Set-EntraDomainFederationSettings -DomainName $domain -PreferredAuthenticationProtocol $authProtocol -PromptLoginBehavior $promptLoginBehavior
This command updates the PromptLoginBehavior to either TranslateToFreshPasswordAuth, NativeSupport, or Disabled. The possible values are described below:
- TranslateToFreshPasswordAuth - means the default Microsoft Entra ID behavior of translating prompt=login to wauth=https://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password and wfresh=0.
- NativeSupport - means that the prompt=login parameter is sent as is to ADFS.
- Disabled - means that only wfresh=0 is sent to ADFS.
Use Get-EntraDomainFederationSettings -DomainName <your_domain_name> | Format-List * to get the values of PreferredAuthenticationProtocol and PromptLoginBehavior for the federated domain.
- -DomainName parameter specifies the fully qualified domain name to retrieve.
- -PreferredAuthenticationProtocol parameter specifies the preferred authentication protocol.
- -PromptLoginBehavior parameter specifies the prompt sign-in behavior.
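The following is an added example, not part of the original reference page. It wraps the update from Example 1 in a before/after check so that any federation setting that changed without being part of the intended change (for example the signing certificate, issuer URI, or logon URIs, which determine whose tokens are trusted for the domain) is surfaced for review. It assumes the property names returned by Get-EntraDomainFederationSettings match the parameter names of this cmdlet; Get-FederationSnapshot and the snapshot file name are hypothetical.

```powershell
Connect-Entra -Scopes 'Domain.ReadWrite.All'

$domain = 'contoso.com'   # sample domain from Example 1
# The only settings this change is meant to touch.
$change = @{
    PreferredAuthenticationProtocol = 'WsFed'
    PromptLoginBehavior             = 'NativeSupport'
}

# Hypothetical helper: flatten the current federation settings into name -> string pairs.
function Get-FederationSnapshot {
    param([Parameter(Mandatory)][string]$DomainName)
    $settings = Get-EntraDomainFederationSettings -DomainName $DomainName
    $snapshot = [ordered]@{}
    foreach ($p in ($settings.PSObject.Properties | Sort-Object Name)) {
        $snapshot[$p.Name] = [string]$p.Value
    }
    $snapshot
}

# Record the state before the change so it can be reviewed or restored later.
$before = Get-FederationSnapshot -DomainName $domain
$before | ConvertTo-Json | Set-Content -Path ".\federation-$domain-before.json"

Set-EntraDomainFederationSettings -DomainName $domain @change

$after = Get-FederationSnapshot -DomainName $domain

# Any property that differs and was not part of $change is unexpected drift.
# Assumption: output property names equal the cmdlet's parameter names.
$unexpected = foreach ($name in $after.Keys) {
    if ($before[$name] -ne $after[$name] -and -not $change.ContainsKey($name)) {
        [pscustomobject]@{
            Property = $name
            Before   = $before[$name]
            After    = $after[$name]
        }
    }
}

if ($unexpected) {
    Write-Warning "Federation settings for $domain changed outside the intended scope:"
    $unexpected | Format-Table -AutoSize -Wrap
} else {
    Write-Output "Only the intended settings changed for $domain."
}
```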
Parameters
-ActiveLogOnUri
A URL that specifies the end point used by active clients when authenticating with domains set up for single sign-on (also known as identity federation) in Microsoft Entra ID.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-DomainName
The fully qualified domain name (FQDN) to update.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-FederationBrandName
The name of the string value shown to users when signing in to Microsoft Entra ID. We recommend that customers use something that is familiar to users such as "Contoso Inc."
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-IssuerUri
The unique identifier of the domain in the Microsoft Entra ID Identity platform derived from the federation server.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-LogOffUri
The URL clients are redirected to when they sign out of Microsoft Entra ID services.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-MetadataExchangeUri
The URL that specifies the metadata exchange end point used for authentication from rich client applications such as Lync Online.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-NextSigningCertificate
The next token signing certificate that will be used to sign tokens when the primary signing certificate expires.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-PassiveLogOnUri
The URL that web-based clients will be directed to when signing in to Microsoft Entra ID services.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-PreferredAuthenticationProtocol
Specifies the preferred authentication protocol.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-PromptLoginBehavior
Specifies the prompt login behavior.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-SigningCertificate
The current certificate used to sign tokens passed to the Microsoft Entra ID Identity platform.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
-SigningCertificateUpdateStatus
Specifies the update status of the signing certificate.
Parameter properties
| Type: | System.Object |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Related Links
