Forum Discussion

Ayesha Dissanayaka
Copper Contributor
Jul 18, 2018

How to configure Azure AD domain federation other than via Azure AD PowerShell

As I am trying to set up user sign-in for Office 365 with a third-party identity provider, I came across multiple resources on how to configure Azure AD via Windows PowerShell, like https://docs.microsoft.com/en-us/powershell/module/msonline/?view=azureadps-1.0#msonline

         e.g. https://docs.microsoft.com/en-us/powershell/module/msonline/set-msoldomainfederationsettings?view=azureadps-1.0

I am curious whether there are other means, such as the Azure AD web interface or a REST API, to do the same? I would appreciate any reference on this.

4 Replies

  • Hi Ayesha,

     

    Unfortunately there is no web interface to do this, but I think you could use Graph API. However, it is easiest to set up using PowerShell. Below is a script to start with. It is using the MSOnline module (see http://o365blog.com/powershell).

    Active and passive login URLs are used by active clients (e.g. Skype for Business) and web clients. Issuer and signing cert must match your IdP's settings.

    # Prerequisites: Install-Module MSOnline, then authenticate as a Global Administrator
    Connect-MsolService

    $Domain = "yourdomain.com"                       # verified custom domain to federate
    $LogOffUrl = "https://yourprovider/logoff/"      # IdP single logout endpoint
    $ActiveLogOnUrl = "https://yourprovider/login/"  # endpoint used by active (rich) clients
    $PassiveLogOnUrl = "https://yourprovider/login/" # endpoint browsers are redirected to
    $SigningCert = "yourpublickey_in_Base64"         # IdP token-signing certificate, Base64 (no PEM header/footer lines)
    $Issuer = "http://yourprovider/something"        # must equal the Issuer value in tokens the IdP emits
    $Protocol = "SAMLP"                              # or "WsFed"
    Set-MsolDomainAuthentication -DomainName $Domain -Authentication Federated -IssuerUri $Issuer -LogOffUri $LogOffUrl -PassiveLogOnUri $PassiveLogOnUrl -ActiveLogOnUri $ActiveLogOnUrl -SigningCertificate $SigningCert -PreferredAuthenticationProtocol $Protocol
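As an added example (not part of the thread or of Nestori's script), and assuming the IdP publishes standard SAML 2.0 metadata: the script below derives the parameters that Set-MsolDomainAuthentication needs from that metadata, checks them before applying (https endpoints, a non-empty issuer, a parseable and unexpired signing certificate), and after applying reads the tenant's settings back with Get-MsolDomainFederationSettings to confirm they match what was sent. The metadata document is constructed for illustration and its certificate value is a placeholder; the function names are mine.

```powershell
# Added example, not from the original thread. Derives the Set-MsolDomainAuthentication
# parameters from the IdP's SAML 2.0 metadata, sanity-checks them, and verifies the
# tenant's settings after the change. Requires the MSOnline module and Connect-MsolService.
# The metadata below is a constructed sample; the X509Certificate value is a placeholder,
# so Test-FederationParams reports it as unparseable until a real certificate is pasted in.

$SampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="http://yourprovider/something">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://yourprovider/logoff/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://yourprovider/login/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

function Get-FederationParamsFromMetadata {
    param([Parameter(Mandatory)][string]$MetadataXml)
    $xml = [xml]$MetadataXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $idp = $xml.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
    if (-not $idp) { throw 'No IDPSSODescriptor in metadata' }
    # Take the certificate marked use="signing" (fall back to an unmarked one); never the encryption cert.
    $cert = $idp.SelectSingleNode('md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    if (-not $cert) { $cert = $idp.SelectSingleNode('md:KeyDescriptor[not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns) }
    if (-not $cert) { throw 'No signing certificate in metadata' }
    $sso = $idp.SelectSingleNode('md:SingleSignOnService[@Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"]/@Location', $ns)
    if (-not $sso) { throw 'No HTTP-POST SingleSignOnService in metadata' }
    $slo = $idp.SelectSingleNode('md:SingleLogoutService/@Location', $ns)
    [pscustomobject]@{
        IssuerUri          = $xml.DocumentElement.GetAttribute('entityID')
        PassiveLogOnUri    = $sso.Value
        # Assumption: the same endpoint serves active (WS-Trust) clients. Most IdPs expose a
        # separate one, so replace this with the value from the IdP's documentation.
        ActiveLogOnUri     = $sso.Value
        LogOffUri          = if ($slo) { $slo.Value } else { $sso.Value }
        SigningCertificate = ($cert.InnerText -replace '\s', '')   # Base64 DER, as the cmdlet expects
    }
}

function Test-FederationParams {
    param([Parameter(Mandatory)]$Params)
    $problems = @()
    foreach ($n in 'PassiveLogOnUri', 'ActiveLogOnUri', 'LogOffUri') {
        if ($Params.$n -notmatch '^https://') { $problems += "$n is not https: $($Params.$n)" }
    }
    if ([string]::IsNullOrWhiteSpace($Params.IssuerUri)) { $problems += 'IssuerUri is empty' }
    try {
        $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($Params.SigningCertificate))
        if ($x509.NotBefore -gt (Get-Date)) { $problems += "Signing certificate not valid until $($x509.NotBefore)" }
        if ($x509.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Signing certificate expires $($x509.NotAfter); plan a rollover" }
    } catch {
        $problems += 'SigningCertificate is not a parseable Base64-encoded X.509 certificate'
    }
    return $problems
}

function Set-FederatedDomainChecked {
    param([Parameter(Mandatory)][string]$DomainName, [Parameter(Mandatory)]$Params, [switch]$Apply)
    $problems = Test-FederationParams -Params $Params
    if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; throw 'Refusing to federate with invalid parameters' }
    if (-not $Apply) { Write-Host "Dry run: would federate $DomainName with issuer $($Params.IssuerUri)"; return }
    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Federated `
        -IssuerUri $Params.IssuerUri -LogOffUri $Params.LogOffUri `
        -PassiveLogOnUri $Params.PassiveLogOnUri -ActiveLogOnUri $Params.ActiveLogOnUri `
        -SigningCertificate $Params.SigningCertificate -PreferredAuthenticationProtocol SAMLP
    # Read back and compare. The issuer/certificate pair is the trust anchor for every
    # sign-in to this domain, so confirm the tenant holds exactly what you intended.
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    foreach ($n in 'IssuerUri', 'PassiveLogOnUri', 'ActiveLogOnUri', 'LogOffUri', 'SigningCertificate') {
        if ($fed.$n -ne $Params.$n) { Write-Warning "Read-back mismatch on $n : tenant has '$($fed.$n)'" }
    }
    $fed
}

$params = Get-FederationParamsFromMetadata -MetadataXml $SampleMetadata
Test-FederationParams -Params $params                       # lists the problems found, if any
# Connect-MsolService
# Set-FederatedDomainChecked -DomainName 'yourdomain.com' -Params $params -Apply
```

Run it first without -Apply against the real metadata file: the dry run only parses, validates and prints what would be federated. The read-back check matters because the cmdlet accepts whatever string it is given for the issuer and certificate, and a domain federated to the wrong issuer or key fails every sign-in (or trusts tokens you did not mean to trust) without any error at configuration time.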

     

    • Ayesha Dissanayaka
      Copper Contributor

      Nestori Syynimaa wrote:

      Unfortunately there is no web interface to do this, but I think you could use Graph API. However, it is easiest to set up using PowerShell. [...]


      Thank you very much for the valuable information, Nestori Syynimaa.

      As I am working on a non-Windows OS, I am interested in a way other than PowerShell.

      I have referred to https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/api-catalog and couldn't find any API resource for modifying federation configuration.

      Any reference on how to use some API is highly appreciated.

      • Nestori Syynimaa
        MVP

        Hi Ayesha,

         

        I double-checked both Azure AD Graph API and Microsoft Graph API (the newer one), but creating/editing federated domains is not currently supported. So I guess you need to borrow someone's Windows machine to do this.
