AADDomainFederation¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DomainId | Key | String | The domain ID for which the federation configuration is being managed. | |
| Id | Write | String | The unique identifier of the federation configuration. | |
| DisplayName | Write | String | The display name of the federation configuration. | |
| IssuerUri | Write | String | Issuer URI of the federation server. | |
| MetadataExchangeUri | Write | String | URI of the metadata exchange endpoint used for authentication. | |
| SigningCertificate | Write | String | Current certificate used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate. | |
| NextSigningCertificate | Write | String | Next signing certificate that can be used to sign tokens passed to the Microsoft identity platform. The certificate is formatted as a Base64 encoded string of the public portion of the federated IdP's token signing certificate. | |
| PassiveSignInUri | Write | String | URI that web-based clients are directed to when signing in to Microsoft Entra services. | |
| ActiveSignInUri | Write | String | URI that active clients are directed to when signing in to Microsoft Entra services. | |
| SignOutUri | Write | String | URI to which clients are redirected when signing out of Microsoft Entra services. | |
| PreferredAuthenticationProtocol | Write | String | Preferred authentication protocol. Supported values are wsFed and saml. | |
| PromptLoginBehavior | Write | String | Prompt login behavior of the federated IdP, i.e. how a sign-in request that asks for a fresh login (prompt=login) is passed on to the IdP. Supported values are translateToFreshPasswordAuthentication, nativeSupport and disabled. | |
| FederatedIdpMfaBehavior | Write | String | Determines whether Microsoft Entra ID accepts the MFA performed by the federated IdP. Supported values are acceptIfMfaDoneByFederatedIdp (accept the IdP's MFA claim; if the IdP did not perform MFA, Entra ID performs it), enforceMfaByFederatedIdp (accept the IdP's MFA claim; if the IdP did not perform MFA, redirect the user back to the IdP to perform it) and rejectMfaByFederatedIdp (ignore the IdP's MFA claim and always perform MFA in Entra ID). | |
| PasswordResetUri | Write | String | URI that clients are redirected to for resetting their password. | |
| IsSignedAuthenticationRequestRequired | Write | Boolean | When true, Microsoft Entra ID signs the SAML authentication requests it sends to the federated IdP; when false (the default), those requests are sent unsigned. Only relevant when the federation uses SAML. | |
| Ensure | Write | String | Present ensures the instance exists, absent ensures it is removed. | Absent, Present |
| Credential | Write | PSCredential | Credentials of the workload's Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory application to authenticate with. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. | |
Description¶
This resource manages the domain federation configuration of a federated domain in Microsoft Entra ID (formerly Azure Active Directory): the issuer URI, the sign-in, sign-out and metadata endpoints, the SAML/WS-Fed protocol choice, the current and next token-signing certificates, and how MFA performed by the federated IdP is treated. These settings decide whose signed tokens the tenant accepts for every user in the domain, so the SigningCertificate, NextSigningCertificate and FederatedIdpMfaBehavior values in particular should be under change control and reviewed whenever they drift from the declared configuration.
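The SigningCertificate and NextSigningCertificate values are the Base64 text of the IdP's token-signing certificate, which is exactly what the X509Certificate elements in the IdP's federation metadata (the document behind MetadataExchangeUri) contain. The following is an added example, not code from Microsoft365DSC or its documentation: it parses a federation metadata document, returns every signing certificate with its validity window and the Base64 string to put in the resource, and warns when a certificate is close to expiry so a NextSigningCertificate can be staged in time. The function name, the sample metadata and the self-signed certificate used as input are all constructed for the example; the XPath follows the SAML metadata and XML-DSig namespaces that ADFS metadata uses.

```powershell
# Added example (not part of Microsoft365DSC). Extracts signing certificates from
# federation metadata in the form the SigningCertificate / NextSigningCertificate
# parameters expect, and flags certificates that expire soon.
function Get-FederationSigningCertificate {
    [CmdletBinding()]
    param(
        # Federation metadata document (the content served at MetadataExchangeUri).
        [Parameter(Mandatory)]
        [string] $MetadataXml,

        # Warn when a certificate expires within this many days.
        [int] $WarnDays = 30
    )

    $xml = [xml] $MetadataXml
    $ns  = [System.Xml.XmlNamespaceManager]::new($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # ADFS repeats the same signing certificate under several role descriptors;
    # only KeyDescriptor use="signing" entries matter, and duplicates are dropped.
    $nodes = $xml.SelectNodes("//md:KeyDescriptor[@use='signing']//ds:X509Certificate", $ns)
    $seen  = @{}
    foreach ($node in $nodes) {
        # Whitespace-stripped X509Certificate text is the Base64 value the resource takes.
        $base64 = $node.InnerText -replace '\s', ''
        $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                      [Convert]::FromBase64String($base64))
        if ($seen.ContainsKey($cert.Thumbprint)) { continue }
        $seen[$cert.Thumbprint] = $true

        $daysLeft = [math]::Floor(($cert.NotAfter.ToUniversalTime() - [DateTime]::UtcNow).TotalDays)
        if ($daysLeft -lt $WarnDays) {
            Write-Warning "Signing certificate $($cert.Thumbprint) expires in $daysLeft days; stage a NextSigningCertificate."
        }

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore.ToUniversalTime()
            NotAfter   = $cert.NotAfter.ToUniversalTime()
            DaysLeft   = $daysLeft
            Base64     = $base64   # value for SigningCertificate / NextSigningCertificate
        }
    }
}

# --- Constructed sample input: a self-signed certificate generated here, not a real ADFS farm ---
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=ADFS Signing - adfs.contoso.com', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
# Valid for only 20 more days so the expiry warning fires.
$sample    = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddDays(20))
$sampleB64 = [Convert]::ToBase64String($sample.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

$sampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://contoso.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>$sampleB64</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

Get-FederationSigningCertificate -MetadataXml $sampleMetadata | Format-List
```

Against a real IdP, pass the downloaded metadata instead of the constructed sample, for instance `Get-FederationSigningCertificate -MetadataXml (Invoke-WebRequest -Uri 'https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -UseBasicParsing).Content`. When the IdP has already generated its next certificate, the metadata lists two signing certificates; the one with the later NotBefore is the candidate for NextSigningCertificate, and its thumbprint should be confirmed with the IdP owners before it is written into the tenant, since anything placed in the federation configuration becomes a key the tenant trusts.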
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource requires the following permissions:
Delegated permissions¶
- Read
    - Domain.Read.All
- Update
    - Domain.ReadWrite.All
Application permissions¶
- Read
    - Domain.Read.All
- Update
    - Domain.ReadWrite.All
Examples¶
Example 1¶
This example is used to test new resources and to showcase the usage of resources being worked on. It is not meant to be used as a production baseline. It creates a WS-Fed federation configuration for contoso.com with the current token-signing certificate and signed authentication requests enabled.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADDomainFederation "AADDomainFederation-contoso.com"
        {
            ActiveSignInUri                       = "https://adfs.contoso.com/adfs/services/trust/2005/usernamemixed";
            ApplicationId                         = $ApplicationId;
            CertificateThumbprint                 = $CertificateThumbprint;
            DisplayName                           = "Contoso Federation";
            DomainId                              = "contoso.com";
            Ensure                                = "Present";
            FederatedIdpMfaBehavior               = "acceptIfMfaDoneByFederatedIdp";
            IssuerUri                             = "http://contoso.com/adfs/services/trust";
            IsSignedAuthenticationRequestRequired = $True;
            MetadataExchangeUri                   = "https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml";
            PassiveSignInUri                      = "https://adfs.contoso.com/adfs/ls/";
            PreferredAuthenticationProtocol       = "wsFed";
            SigningCertificate                    = "MIIDdzCCAl+gAwIBAgIQXWWjEQHsCgAAAABBAgAAYDANBgkqhkiG9w0BAQsFADA3MTUwMwYDVQQDEyxBREZTIFNpZ25pbmcgLSBhZGZzLmNvbnRvc28uY29tIDIwMjQwMTAxMDAwMDAwMB4XDTI0MDEwMTAwMDAwMFoXDTI1MTIzMTIzNTk1OVowNzE1MDMGA1UEAxMsQURGUyBTaWduaW5nIC0gYWRmcy5jb250b3NvLmNvbSAyMDI0MDEwMTAwMDAwMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKh5sLmfJLCBPKPONMQChLO5z7hLBUCCdHIWP8MdPshEAL+Wq/N0bH8o8Y4Ct5f3QkS1HvqVpFJVxmT8j+KeqgYM3Cj2gYAhBjKKEQEWWLJOVxqmHVxqTQqGfCBJLOENMQChLO5z7hLBUCCdHIWP8MdPshEAL+Wq";
            SignOutUri                            = "https://adfs.contoso.com/adfs/ls/?wa=wsignout1.0";
            TenantId                              = $TenantId;
        }
    }
}
```
Example 2¶
This example is used to test new resources and to showcase the usage of resources being worked on. It is not meant to be used as a production baseline. It updates the configuration from Example 1: a NextSigningCertificate is staged for rollover, the protocol is switched to SAML, a PasswordResetUri is added, FederatedIdpMfaBehavior is tightened to enforceMfaByFederatedIdp, and IsSignedAuthenticationRequestRequired is turned off, which means Entra ID will send its SAML authentication requests to the IdP unsigned.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADDomainFederation "AADDomainFederation-contoso.com"
        {
            ActiveSignInUri                       = "https://adfs.contoso.com/adfs/services/trust/2005/usernamemixed";
            ApplicationId                         = $ApplicationId;
            CertificateThumbprint                 = $CertificateThumbprint;
            DisplayName                           = "Contoso Federation - Updated";
            DomainId                              = "contoso.com";
            Ensure                                = "Present";
            FederatedIdpMfaBehavior               = "enforceMfaByFederatedIdp"; # Changed from acceptIfMfaDoneByFederatedIdp
            IssuerUri                             = "http://contoso.com/adfs/services/trust";
            IsSignedAuthenticationRequestRequired = $False; # Changed from True
            MetadataExchangeUri                   = "https://adfs.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml";
            NextSigningCertificate                = "MIIDdzCCAl+gAwIBAgIQYZZkFRHsCgAAAABBAgAAYDANBgkqhkiG9w0BAQsFADA3MTUwMwYDVQQDEyxBREZTIFNpZ25pbmcgLSBhZGZzLmNvbnRvc28uY29tIDIwMjUwMTAxMDAwMDAwMB4XDTI1MDEwMTAwMDAwMFoXDTI2MTIzMTIzNTk1OVowNzE1MDMGA1UEAxMsQURGUyBTaWduaW5nIC0gYWRmcy5jb250b3NvLmNvbSAyMDI1MDEwMTAwMDAwMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALi6tLmfJLCBPKPONMQChLO5z7hLBUCCdHIWP8MdPshEAL+Wq/N0bH8o8Y4Ct5f3QkS1HvqVpFJVxmT8j+KeqgYM3Cj2gYAhBjKKEQEWWLJOVxqmHVxqTQqGfCBJLOENMQChLO5z7hLBUCCdHIWP8MdPshEAL+Wq"; # New certificate being staged for rollover
            PasswordResetUri                      = "https://adfs.contoso.com/adfs/portal/updatepassword/";
            PassiveSignInUri                      = "https://adfs.contoso.com/adfs/ls/";
            PreferredAuthenticationProtocol       = "saml"; # Changed from wsFed
            SigningCertificate                    = "MIIDdzCCAl+gAwIBAgIQXWWjEQHsCgAAAABBAgAAYDANBgkqhkiG9w0BAQsFADA3MTUwMwYDVQQDEyxBREZTIFNpZ25pbmcgLSBhZGZzLmNvbnRvc28uY29tIDIwMjQwMTAxMDAwMDAwMB4XDTI0MDEwMTAwMDAwMFoXDTI1MTIzMTIzNTk1OVowNzE1MDMGA1UEAxMsQURGUyBTaWduaW5nIC0gYWRmcy5jb250b3NvLmNvbSAyMDI0MDEwMTAwMDAwMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKh5sLmfJLCBPKPONMQChLO5z7hLBUCCdHIWP8MdPshEAL+Wq/N0bH8o8Y4Ct5f3QkS1HvqVpFJVxmT8j+KeqgYM3Cj2gYAhBjKKEQEWWLJOVxqmHVxqTQqGfCBJLOENMQChLO5z7hLBUCCdHIWP8MdPshEAL+Wq";
            SignOutUri                            = "https://adfs.contoso.com/adfs/ls/?wa=wsignout1.0";
            TenantId                              = $TenantId;
        }
    }
}
```
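The settings changed in Example 2 (the MFA behavior and the staged NextSigningCertificate) are exactly the ones worth checking outside of a DSC run, because whoever can alter them can choose which keys the tenant trusts and whether the IdP's MFA claim is taken at face value. The following is an added example, not code from Microsoft365DSC: it compares the federation configuration the tenant actually holds for a domain with the values declared in the AADDomainFederation block and lists every deviation, comparing certificates by thumbprint rather than by raw Base64. The function takes the live object as a parameter so it can be exercised offline against a constructed stand-in; the real input is the object returned by Get-MgDomainFederationConfiguration from the Microsoft.Graph.Identity.DirectoryManagement module (shown commented out, and needing the Domain.Read.All permission listed above). The function names and sample values are constructed for the example.

```powershell
# Added example (not part of Microsoft365DSC). Reports drift between the tenant's
# federation configuration for a domain and the declared AADDomainFederation values.
function Test-FederationDrift {
    [CmdletBinding()]
    param(
        # Object returned by Get-MgDomainFederationConfiguration (or a constructed stand-in).
        [Parameter(Mandatory)] $Live,

        # Values declared in the AADDomainFederation block, keyed by parameter name.
        [Parameter(Mandatory)] [hashtable] $Expected
    )

    # Thumbprint of a Base64 DER certificate; null when no certificate is set.
    function Get-Thumbprint([string] $Base64) {
        if ([string]::IsNullOrWhiteSpace($Base64)) { return $null }
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($Base64)).Thumbprint
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    # Scalar settings: endpoints, protocol, MFA handling, request signing.
    foreach ($name in 'IssuerUri', 'PassiveSignInUri', 'ActiveSignInUri', 'SignOutUri',
                      'PreferredAuthenticationProtocol', 'FederatedIdpMfaBehavior',
                      'IsSignedAuthenticationRequestRequired') {
        if ($Expected.ContainsKey($name) -and "$($Live.$name)" -ne "$($Expected[$name])") {
            $findings.Add("$name is '$($Live.$name)', expected '$($Expected[$name])'")
        }
    }

    # Certificates: an undeclared signing or next-signing certificate is a key the
    # configuration never authorised, so it is reported even when Expected has none.
    foreach ($name in 'SigningCertificate', 'NextSigningCertificate') {
        $liveTp = Get-Thumbprint $Live.$name
        $expTp  = Get-Thumbprint $Expected[$name]
        if ($liveTp -ne $expTp) {
            $findings.Add("$name thumbprint is '$liveTp', expected '$expTp'")
        }
    }

    [pscustomobject]@{
        DomainId = $Expected['DomainId']
        InSync   = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# --- Constructed stand-in for the live object (self-signed certificates, not real ADFS keys) ---
function New-SampleCertBase64([string] $Subject) {
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=$Subject", [System.Security.Cryptography.RSA]::Create(2048),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    [Convert]::ToBase64String($req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddYears(1)).RawData)
}
$declaredCert = New-SampleCertBase64 'ADFS Signing - adfs.contoso.com'
$rogueCert    = New-SampleCertBase64 'ADFS Signing - adfs.contoso.com'   # same subject, different key

$expected = @{
    DomainId                              = 'contoso.com'
    IssuerUri                             = 'http://contoso.com/adfs/services/trust'
    PreferredAuthenticationProtocol       = 'saml'
    FederatedIdpMfaBehavior               = 'enforceMfaByFederatedIdp'
    IsSignedAuthenticationRequestRequired = $false
    SigningCertificate                    = $declaredCert
    NextSigningCertificate                = $null
}
# Live object showing two deviations: MFA downgraded to trusting the IdP's claim,
# and a next-signing certificate staged that the configuration never declared.
$live = [pscustomobject]@{
    IssuerUri                             = 'http://contoso.com/adfs/services/trust'
    PreferredAuthenticationProtocol       = 'saml'
    FederatedIdpMfaBehavior               = 'acceptIfMfaDoneByFederatedIdp'
    IsSignedAuthenticationRequestRequired = $false
    SigningCertificate                    = $declaredCert
    NextSigningCertificate                = $rogueCert
}

# Real input (assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed):
# Connect-MgGraph -Scopes 'Domain.Read.All'
# $live = Get-MgDomainFederationConfiguration -DomainId 'contoso.com'

(Test-FederationDrift -Live $live -Expected $expected).Findings
```

With the constructed input the call returns two findings, one for FederatedIdpMfaBehavior and one for the NextSigningCertificate thumbprint. Run against the real tenant object, an empty Findings list means the tenant matches the declared block; anything else should be treated as a change to the trust boundary of the domain and traced back to a known change before it is reconciled.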
Example 3¶
This example is used to test new resources and to showcase the usage of resources being worked on. It is not meant to be used as a production baseline. It removes the federation configuration for contoso.com.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADDomainFederation "AADDomainFederation-contoso.com"
        {
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            DomainId              = "contoso.com";
            Ensure                = "Absent";
            TenantId              = $TenantId;
        }
    }
}
```