命名空间:microsoft.graph
创建新的 internalDomainFederation 对象。
此 API 可用于以下国家级云部署。
| 全局服务 |
美国政府 L4 |
美国政府 L5 (DOD) |
由世纪互联运营的中国 |
| ✅ |
✅ |
✅ |
✅ |
权限
为此 API 选择标记为最低特权的权限。
只有在应用需要它时,才使用更高的特权权限。 有关委派权限和应用程序权限的详细信息,请参阅权限类型。 要了解有关这些权限的详细信息,请参阅 权限参考。
| 权限类型 |
最低特权权限 |
更高特权权限 |
| 委派(工作或学校帐户) |
Domain.ReadWrite.All |
不可用。 |
| 委派(个人 Microsoft 帐户) |
不支持。 |
不支持。 |
| 应用程序 |
Domain.ReadWrite.All |
不可用。 |
重要
若要更新 authenticationType 属性,必须为调用应用分配 Domain-InternalFederation.ReadWrite.All 权限。
在具有工作或学校帐户的委托方案中,必须为登录用户分配受支持的Microsoft Entra角色或具有支持的角色权限的自定义角色。 此作支持以下最低特权角色。
- 域名管理员
- 外部标识提供者管理员
- 混合标识管理员
- 安全管理员
HTTP 请求
POST /domains/{domainsId}/federationConfiguration
| 名称 |
说明 |
| Authorization |
持有者 {token}。 必填。 详细了解 身份验证和授权。 |
| Content-Type |
application/json. 必需。 |
请求正文
在请求正文中,提供 internalDomainFederation 对象的 JSON 表示形式。
创建 internalDomainFederation 时,可以指定以下属性。
| 属性 |
类型 |
说明 |
| displayName |
String |
联合标识提供者的显示名称。 |
| issuerUri |
String |
联合服务器的颁发者 URI。 |
| metadataExchangeUri |
String |
用于从富客户端应用程序进行身份验证的元数据交换终结点的 URI。 |
| signingCertificate |
String |
用于对传递到Microsoft 标识平台的令牌进行签名的当前证书。 证书的格式设置为联合 IdP 令牌签名证书的公共部分的 Base 64 编码字符串,并且必须与 X509Certificate2 类兼容。
此属性在以下方案中使用: 如果在自动注册更新之外需要滚动更新 正在设置新的联合身份验证服务 如果在更新联合身份验证服务证书后联合身份验证属性中不存在新的令牌签名证书。
Microsoft Entra ID 通过自动注册过程更新证书,在该过程中,它尝试在当前证书到期前 30 天从联合身份验证服务元数据中检索新证书。 如果新证书不可用,Microsoft Entra ID 将每天监视元数据,并在新证书可用时更新域的联合设置。 |
| passiveSignInUri |
String |
登录Microsoft Entra服务时,基于 Web 的客户端定向到的 URI。 |
| preferredAuthenticationProtocol |
authenticationProtocol |
首选身份验证协议。 必须显式配置此参数,联合被动身份验证流才能正常工作。 可能的值包括 wsFed、saml、unknownFutureValue。 |
| activeSignInUri |
String |
使用在 ID 中为单一登录设置的联合域进行身份验证时活动客户端使用的终结点 Microsoft Entra的 URL。 对应于 Set-EntraDomainFederationSettings PowerShell cmdlet 的 ActiveLogOnUri 属性。 |
| signOutUri |
String |
客户端注销Microsoft Entra服务时重定向到的 URI。 对应于 Set-EntraDomainFederationSettings PowerShell cmdlet 的 LogOffUri 属性。 |
| promptLoginBehavior |
promptLoginBehavior |
设置登录提示的首选行为。 可能的值包括 translateToFreshPasswordAuthentication、nativeSupport、disabled、unknownFutureValue。 |
| isSignedAuthenticationRequestRequired |
布尔值 |
如果为 true,则当 SAML 身份验证请求发送到联合 SAML IDP 时,Microsoft Entra ID 使用 OrgID 签名密钥对这些请求进行签名。 如果 false (默认) ,则不会对发送到联合 IDP 的 SAML 身份验证请求进行签名。 |
| nextSigningCertificate |
String |
主签名证书过期时用于对令牌进行签名的回退令牌签名证书。 格式为联合 IdP 令牌签名证书的公共部分的 Base 64 编码字符串。 需要与 X509Certificate2 类兼容。 与 signingCertificate 非常类似,如果在自动注册更新之外需要滚动更新、正在设置新的联合身份验证服务,或者在更新联合身份验证服务证书后联合身份验证属性中不存在新的令牌签名证书,则使用 nextSigningCertificate 属性。 |
| signingCertificateUpdateStatus |
signingCertificateUpdateStatus |
提供签名证书上次更新的状态和时间戳。 |
| federatedIdpMfaBehavior |
federatedIdpMfaBehavior |
确定当联合用户访问受需要 MFA 的条件访问策略管理的应用程序时,Microsoft Entra ID 是否接受联合 IdP 执行的 MFA。 可能的值包括 acceptIfMfaDoneByFederatedIdp、enforceMfaByFederatedIdp、rejectMfaByFederatedIdp、unknownFutureValue。 有关详细信息,请参阅 federatedIdpMfaBehavior 值。 |
federatedIdpMfaBehavior 值
| 成员 |
说明 |
| acceptIfMfaDoneByFederatedIdp |
Microsoft Entra ID 接受联合标识提供者执行的 MFA。 如果联合标识提供者未执行 MFA,Microsoft Entra ID 执行 MFA。 |
| enforceMfaByFederatedIdp |
Microsoft Entra ID 接受联合标识提供者执行的 MFA。 如果联合标识提供者未执行 MFA,它会将请求重定向到联合标识提供者以执行 MFA。 |
| rejectMfaByFederatedIdp |
Microsoft Entra ID 始终执行 MFA,并拒绝联合标识提供者执行的 MFA。 |
注意
federatedIdpMfaBehavior 是 Set-EntraDomainFederationSettings PowerShell cmdlet 的 SupportsMfa 属性的演进版本。
- 不支持在 federatedIdpMfaBehavior 和 SupportsMfa 之间切换。
- 设置 federatedIdpMfaBehavior 属性时,Microsoft Entra ID 将忽略 SupportsMfa 设置。
- 如果从未设置 federatedIdpMfaBehavior 属性,Microsoft Entra ID 将继续遵循 SupportsMfa 设置。
- 如果未设置 federatedIdpMfaBehavior 和 SupportsMfa,Microsoft Entra ID 将默认为
acceptIfMfaDoneByFederatedIdp行为。
响应
如果成功,此方法在 201 Created 响应正文中返回响应代码和 internalDomainFederation 对象。
示例
请求
POST https://graph.microsoft.com/v1.0/domains/contoso.com/federationConfiguration
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.internalDomainFederation",
"displayName": "Contoso",
"issuerUri": "http://contoso.com/adfs/services/trust",
"metadataExchangeUri": "https://sts.contoso.com/adfs/services/trust/mex",
"signingCertificate": "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
"passiveSignInUri": "https://sts.contoso.com/adfs/ls",
"preferredAuthenticationProtocol": "wsFed",
"activeSignInUri": "https://sts.contoso.com/adfs/services/trust/2005/usernamemixed",
"signOutUri": "https://sts.contoso.com/adfs/ls",
"promptLoginBehavior": "nativeSupport",
"isSignedAuthenticationRequestRequired": true,
"nextSigningCertificate": "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
"federatedIdpMfaBehavior": "rejectMfaByFederatedIdp"
}
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new InternalDomainFederation
{
OdataType = "#microsoft.graph.internalDomainFederation",
DisplayName = "Contoso",
IssuerUri = "http://contoso.com/adfs/services/trust",
MetadataExchangeUri = "https://sts.contoso.com/adfs/services/trust/mex",
SigningCertificate = "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
PassiveSignInUri = "https://sts.contoso.com/adfs/ls",
PreferredAuthenticationProtocol = AuthenticationProtocol.WsFed,
ActiveSignInUri = "https://sts.contoso.com/adfs/services/trust/2005/usernamemixed",
SignOutUri = "https://sts.contoso.com/adfs/ls",
PromptLoginBehavior = PromptLoginBehavior.NativeSupport,
IsSignedAuthenticationRequestRequired = true,
NextSigningCertificate = "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
FederatedIdpMfaBehavior = FederatedIdpMfaBehavior.RejectMfaByFederatedIdp,
};
// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Domains["{domain-id}"].FederationConfiguration.PostAsync(requestBody);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewInternalDomainFederation()
displayName := "Contoso"
requestBody.SetDisplayName(&displayName)
issuerUri := "http://contoso.com/adfs/services/trust"
requestBody.SetIssuerUri(&issuerUri)
metadataExchangeUri := "https://sts.contoso.com/adfs/services/trust/mex"
requestBody.SetMetadataExchangeUri(&metadataExchangeUri)
signingCertificate := "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI"
requestBody.SetSigningCertificate(&signingCertificate)
passiveSignInUri := "https://sts.contoso.com/adfs/ls"
requestBody.SetPassiveSignInUri(&passiveSignInUri)
preferredAuthenticationProtocol := graphmodels.WSFED_AUTHENTICATIONPROTOCOL
requestBody.SetPreferredAuthenticationProtocol(&preferredAuthenticationProtocol)
activeSignInUri := "https://sts.contoso.com/adfs/services/trust/2005/usernamemixed"
requestBody.SetActiveSignInUri(&activeSignInUri)
signOutUri := "https://sts.contoso.com/adfs/ls"
requestBody.SetSignOutUri(&signOutUri)
promptLoginBehavior := graphmodels.NATIVESUPPORT_PROMPTLOGINBEHAVIOR
requestBody.SetPromptLoginBehavior(&promptLoginBehavior)
isSignedAuthenticationRequestRequired := true
requestBody.SetIsSignedAuthenticationRequestRequired(&isSignedAuthenticationRequestRequired)
nextSigningCertificate := "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI"
requestBody.SetNextSigningCertificate(&nextSigningCertificate)
federatedIdpMfaBehavior := graphmodels.REJECTMFABYFEDERATEDIDP_FEDERATEDIDPMFABEHAVIOR
requestBody.SetFederatedIdpMfaBehavior(&federatedIdpMfaBehavior)
// To initialize your graphClient, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=go
federationConfiguration, err := graphClient.Domains().ByDomainId("domain-id").FederationConfiguration().Post(context.Background(), requestBody, nil)
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
InternalDomainFederation internalDomainFederation = new InternalDomainFederation();
internalDomainFederation.setOdataType("#microsoft.graph.internalDomainFederation");
internalDomainFederation.setDisplayName("Contoso");
internalDomainFederation.setIssuerUri("http://contoso.com/adfs/services/trust");
internalDomainFederation.setMetadataExchangeUri("https://sts.contoso.com/adfs/services/trust/mex");
internalDomainFederation.setSigningCertificate("MIIE3jCCAsagAwIBAgIQQcyDaZz3MI");
internalDomainFederation.setPassiveSignInUri("https://sts.contoso.com/adfs/ls");
internalDomainFederation.setPreferredAuthenticationProtocol(AuthenticationProtocol.WsFed);
internalDomainFederation.setActiveSignInUri("https://sts.contoso.com/adfs/services/trust/2005/usernamemixed");
internalDomainFederation.setSignOutUri("https://sts.contoso.com/adfs/ls");
internalDomainFederation.setPromptLoginBehavior(PromptLoginBehavior.NativeSupport);
internalDomainFederation.setIsSignedAuthenticationRequestRequired(true);
internalDomainFederation.setNextSigningCertificate("MIIE3jCCAsagAwIBAgIQQcyDaZz3MI");
internalDomainFederation.setFederatedIdpMfaBehavior(FederatedIdpMfaBehavior.RejectMfaByFederatedIdp);
InternalDomainFederation result = graphClient.domains().byDomainId("{domain-id}").federationConfiguration().post(internalDomainFederation);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
const options = {
authProvider,
};
const client = Client.init(options);
const internalDomainFederation = {
'@odata.type': '#microsoft.graph.internalDomainFederation',
displayName: 'Contoso',
issuerUri: 'http://contoso.com/adfs/services/trust',
metadataExchangeUri: 'https://sts.contoso.com/adfs/services/trust/mex',
signingCertificate: 'MIIE3jCCAsagAwIBAgIQQcyDaZz3MI',
passiveSignInUri: 'https://sts.contoso.com/adfs/ls',
preferredAuthenticationProtocol: 'wsFed',
activeSignInUri: 'https://sts.contoso.com/adfs/services/trust/2005/usernamemixed',
signOutUri: 'https://sts.contoso.com/adfs/ls',
promptLoginBehavior: 'nativeSupport',
isSignedAuthenticationRequestRequired: true,
nextSigningCertificate: 'MIIE3jCCAsagAwIBAgIQQcyDaZz3MI',
federatedIdpMfaBehavior: 'rejectMfaByFederatedIdp'
};
await client.api('/domains/contoso.com/federationConfiguration')
.post(internalDomainFederation);
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\InternalDomainFederation;
use Microsoft\Graph\Generated\Models\AuthenticationProtocol;
use Microsoft\Graph\Generated\Models\PromptLoginBehavior;
use Microsoft\Graph\Generated\Models\FederatedIdpMfaBehavior;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new InternalDomainFederation();
$requestBody->setOdataType('#microsoft.graph.internalDomainFederation');
$requestBody->setDisplayName('Contoso');
$requestBody->setIssuerUri('http://contoso.com/adfs/services/trust');
$requestBody->setMetadataExchangeUri('https://sts.contoso.com/adfs/services/trust/mex');
$requestBody->setSigningCertificate('MIIE3jCCAsagAwIBAgIQQcyDaZz3MI');
$requestBody->setPassiveSignInUri('https://sts.contoso.com/adfs/ls');
$requestBody->setPreferredAuthenticationProtocol(new AuthenticationProtocol('wsFed'));
$requestBody->setActiveSignInUri('https://sts.contoso.com/adfs/services/trust/2005/usernamemixed');
$requestBody->setSignOutUri('https://sts.contoso.com/adfs/ls');
$requestBody->setPromptLoginBehavior(new PromptLoginBehavior('nativeSupport'));
$requestBody->setIsSignedAuthenticationRequestRequired(true);
$requestBody->setNextSigningCertificate('MIIE3jCCAsagAwIBAgIQQcyDaZz3MI');
$requestBody->setFederatedIdpMfaBehavior(new FederatedIdpMfaBehavior('rejectMfaByFederatedIdp'));
$result = $graphServiceClient->domains()->byDomainId('domain-id')->federationConfiguration()->post($requestBody)->wait();
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
Import-Module Microsoft.Graph.Identity.DirectoryManagement
$params = @{
"@odata.type" = "#microsoft.graph.internalDomainFederation"
displayName = "Contoso"
issuerUri = "http://contoso.com/adfs/services/trust"
metadataExchangeUri = "https://sts.contoso.com/adfs/services/trust/mex"
signingCertificate = "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI"
passiveSignInUri = "https://sts.contoso.com/adfs/ls"
preferredAuthenticationProtocol = "wsFed"
activeSignInUri = "https://sts.contoso.com/adfs/services/trust/2005/usernamemixed"
signOutUri = "https://sts.contoso.com/adfs/ls"
promptLoginBehavior = "nativeSupport"
isSignedAuthenticationRequestRequired = $true
nextSigningCertificate = "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI"
federatedIdpMfaBehavior = "rejectMfaByFederatedIdp"
}
New-MgDomainFederationConfiguration -DomainId $domainId -BodyParameter $params
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.internal_domain_federation import InternalDomainFederation
from msgraph.generated.models.authentication_protocol import AuthenticationProtocol
from msgraph.generated.models.prompt_login_behavior import PromptLoginBehavior
from msgraph.generated.models.federated_idp_mfa_behavior import FederatedIdpMfaBehavior
# To initialize your graph_client, see https://free.blessedness.top/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = InternalDomainFederation(
odata_type = "#microsoft.graph.internalDomainFederation",
display_name = "Contoso",
issuer_uri = "http://contoso.com/adfs/services/trust",
metadata_exchange_uri = "https://sts.contoso.com/adfs/services/trust/mex",
signing_certificate = "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
passive_sign_in_uri = "https://sts.contoso.com/adfs/ls",
preferred_authentication_protocol = AuthenticationProtocol.WsFed,
active_sign_in_uri = "https://sts.contoso.com/adfs/services/trust/2005/usernamemixed",
sign_out_uri = "https://sts.contoso.com/adfs/ls",
prompt_login_behavior = PromptLoginBehavior.NativeSupport,
is_signed_authentication_request_required = True,
next_signing_certificate = "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
federated_idp_mfa_behavior = FederatedIdpMfaBehavior.RejectMfaByFederatedIdp,
)
result = await graph_client.domains.by_domain_id('domain-id').federation_configuration.post(request_body)
有关如何将 SDK 添加到项目并创建 authProvider 实例的详细信息,请参阅 SDK 文档。
响应
注意:为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 201 Created
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.internalDomainFederation",
"id": "6601d14b-d113-8f64-fda2-9b5ddda18ecc",
"displayName": "Contoso",
"issuerUri": "http://contoso.com/adfs/services/trust",
"metadataExchangeUri": "https://sts.contoso.com/adfs/services/trust/mex",
"signingCertificate": "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
"passiveSignInUri": "https://sts.contoso.com/adfs/ls",
"preferredAuthenticationProtocol": "wsFed",
"activeSignInUri": "https://sts.contoso.com/adfs/services/trust/2005/usernamemixed",
"signOutUri": "https://sts.contoso.com/adfs/ls",
"promptLoginBehavior": "nativeSupport",
"isSignedAuthenticationRequestRequired": true,
"nextSigningCertificate": "MIIE3jCCAsagAwIBAgIQQcyDaZz3MI",
"signingCertificateUpdateStatus": {
"certificateUpdateResult": "Success",
"lastRunDateTime": "2021-08-25T07:44:46.2616778Z"
},
"federatedIdpMfaBehavior": "rejectMfaByFederatedIdp"
}