| title | Update internalDomainFederation |
|---|---|
| description | Update the properties of an internalDomainFederation object. |
| author | vimrang |
| ms.localizationpriority | medium |
| ms.custom | has-azure-ad-ps-ref, azure-ad-ref-level-one-done |
| ms.subservice | entra-sign-in |
| doc_type | apiPageType |
| ms.date | 11/25/2024 |
Namespace: microsoft.graph
[!INCLUDE beta-disclaimer]
Update the properties of an internalDomainFederation object.
[!INCLUDE national-cloud-support]
Choose the permission or permissions marked as least privileged for this API. Use a higher privileged permission or permissions only if your app requires it. For details about delegated and application permissions, see Permission types. To learn more about these permissions, see the permissions reference.
[!INCLUDE permissions-table]
[!INCLUDE rbac-domainfederation-apis-write]
PATCH /domains/{domainsId}/federationConfiguration/{internalDomainFederationId}| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
[!INCLUDE table-intro]
| Property | Type | Description |
|---|---|---|
| activeSignInUri | String | URL of the endpoint used by active clients when authenticating with federated domains set up for single sign-on in Microsoft Entra ID. |
| displayName | String | The display name of the federated identity Provider (IdP). |
| federatedIdpMfaBehavior | federatedIdpMfaBehavior | Determines whether Microsoft Entra ID accepts the MFA performed by the federated IdP when a federated user accesses an application that is governed by a conditional access policy that requires MFA. The possible values are: acceptIfMfaDoneByFederatedIdp, enforceMfaByFederatedIdp, rejectMfaByFederatedIdp, unknownFutureValue. For more information, see federatedIdpMfaBehavior values. |
| isSignedAuthenticationRequestRequired | Boolean | If true, when SAML authentication requests are sent to the federated SAML IdP, Microsoft Entra ID sign in those requests using the OrgID signing key. If false (default), the SAML authentication requests sent to the federated IdP aren't signed. |
| issuerUri | String | Issuer URI of the federation server. |
| metadataExchangeUri | String | URI of the metadata exchange endpoint used for authentication from rich client applications. |
| nextSigningCertificate | String | Fallback token signing certificate that is used to sign tokens when the primary signing certificate expires. Formatted as Base 64 encoded strings of the public portion of the federated IdP's token signing certificate. Needs to be compatible with the X509Certificate2 class. Much like the signingCertificate, the nextSigningCertificate property is used if a rollover is required outside of the autorollover update, a new federation service is being set up, or if the new token signing certificate isn't present in the federation properties after the federation service certificate has been updated. |
| passiveSignInUri | String | URI that web-based clients are directed to when signing into Microsoft Entra services. |
| passwordResetUri | String | URI that clients are redirected to for resetting their password. |
| preferredAuthenticationProtocol | authenticationProtocol | Preferred authentication protocol. This parameter must be configured explicitly for the federation passive authentication flow to work. The possible values are: wsFed, saml, unknownFutureValue. |
| promptLoginBehavior | promptLoginBehavior | Sets the preferred behavior for the sign-in prompt. The possible values are: translateToFreshPasswordAuthentication, nativeSupport, disabled, unknownFutureValue. |
| signingCertificate | String | Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base 64 encoded string of the public portion of the federated IdP's token signing certificate and must be compatible with the X509Certificate2 class. This property is used in the following scenarios: Microsoft Entra ID updates certificates via an autorollover process in which it attempts to retrieve a new certificate from the federation service metadata, 30 days before expiry of the current certificate. If a new certificate isn't available, Microsoft Entra ID monitors the metadata daily and updates the federation settings for the domain when a new certificate is available. Inherited from samlOrWsFedProvider. |
| signingCertificateUpdateStatus | signingCertificateUpdateStatus | Provides status and timestamp of the last update of the signing certificate. |
| signOutUri | String | URI that clients are redirected to when they sign out of Microsoft Entra services. |
| Member | Description |
|---|---|
| acceptIfMfaDoneByFederatedIdp | Microsoft Entra ID accepts MFA that's performed by the federated identity provider. If the federated identity provider didn't perform MFA, Microsoft Entra ID performs the MFA. |
| enforceMfaByFederatedIdp | Microsoft Entra ID accepts MFA that's performed by federated identity provider. If the federated identity provider didn't perform MFA, it redirects the request to federated identity provider to perform MFA. |
| rejectMfaByFederatedIdp | Microsoft Entra ID always performs MFA and rejects MFA that's performed by the federated identity provider. |
Note
federatedIdpMfaBehavior is an evolved version of the SupportsMfa property of the Set-MsolDomainFederationSettings cmdlet of the retired MSOnline PowerShell module.
- Switching between federatedIdpMfaBehavior and SupportsMfa is not supported.
- When federatedIdpMfaBehavior property is set, Microsoft Entra ID ignores the SupportsMfa setting.
- If the federatedIdpMfaBehavior property is never set, Microsoft Entra ID will continue to honor the SupportsMfa setting.
- If neither federatedIdpMfaBehavior nor SupportsMfa is set, Microsoft Entra ID will default to
acceptIfMfaDoneByFederatedIdpbehavior.
If successful, this method returns a 204 No Content response code.
PATCH https://graph.microsoft.com/beta/domains/contoso.com/federationConfiguration/6601d14b-d113-8f64-fda2-9b5ddda18ecc
Content-Type: application/json
{
"displayName": "Contoso name change",
"federatedIdpMfaBehavior": "acceptIfMfaDoneByFederatedIdp"
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
Note: The response object shown here might be shortened for readability.
HTTP/1.1 204 No Content