Description
Should it be a new resource or extend MSFT_AADFederationConfiguration? Feedback please!
Looking to manage Entra federation per domain, including the Graph endpoint /beta/domains//federationConfiguration or the cmdlet get-mgbetaDomainFederationConfiguration, including SAML signing certs, endpoints, nextsigningcert.
The MSFT_AADFederationConfiguration resource seems to be similar but does not focus on the specifics for each domain. Any changes would need to be a fairly significant breaking change to account for the per-domain settings.
Proposed properties

| Property | Type | Description |
| --- | --- | --- |
| displayName | String | Display name of the federated IdP |
| issuerUri | String | Issuer URI of the federation server |
| metadataExchangeUri | String | MEX endpoint URI for rich clients (Exchange/Outlook) |
| passiveSignInUri | String | URI for passive/browser-based sign-in (WS-Fed/SAML) |
| activeSignInUri | String | URI for active sign-in (rich clients, e.g. Exchange ActiveSync) |
| signOutUri | String | URI users are redirected to when signing out |
| signingCertificate | String | Base64-encoded current token-signing certificate (public key) |
| nextSigningCertificate | String | Base64-encoded next/fallback signing certificate — used for certificate rollover |
| signingCertificateUpdateStatus | Object (signingCertificateUpdateStatus) | Read-only status of the last cert update; contains certificateUpdateResult and lastRunDateTime |
| preferredAuthenticationProtocol | authenticationProtocol enum | wsFed or saml |
| federatedIdpMfaBehavior | federatedIdpMfaBehavior enum | How Entra handles MFA when the federated IdP claims MFA was done. Values: acceptIfMfaDoneByFederatedIdp, enforceMfaByFederatedIdp, rejectMfaByFederatedIdp |
| isSignedAuthenticationRequestRequired | Boolean | Whether Entra sends signed SAML authentication requests to the federated IdP |
| promptLoginBehavior | promptLoginBehavior enum | How prompt=login is handled: translateToFreshPasswordAuthentication, nativeSupport, disabled |
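As an added example (not code from this issue or from the Microsoft365DSC project), the following PowerShell reads the per-domain settings listed above through the Get-MgBetaDomainFederationConfiguration cmdlet named in the issue, so the values a per-domain resource would have to track can be captured and compared against a baseline. It assumes the Microsoft.Graph.Beta.Identity.DirectoryManagement module is installed and that the Domain.Read.All permission can be consented to.

```powershell
# Added example: inventory the federation configuration of every federated
# domain in the tenant. Assumes Microsoft.Graph.Beta.Identity.DirectoryManagement
# is installed; Domain.Read.All is enough to read these settings.
Connect-MgGraph -Scopes 'Domain.Read.All'

# The signingCertificate / nextSigningCertificate values are base64 DER blobs,
# so they can be parsed directly to surface the expiry date for rollover tracking.
function Get-CertExpiry {
    param([string]$Base64)
    if ([string]::IsNullOrEmpty($Base64)) { return $null }
    $bytes = [Convert]::FromBase64String($Base64)
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    return $cert.NotAfter
}

# Only federated domains carry a federationConfiguration.
$federated = Get-MgBetaDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' }

foreach ($domain in $federated) {
    foreach ($c in (Get-MgBetaDomainFederationConfiguration -DomainId $domain.Id)) {
        [pscustomobject]@{
            Domain                          = $domain.Id
            DisplayName                     = $c.DisplayName
            IssuerUri                       = $c.IssuerUri
            PassiveSignInUri                = $c.PassiveSignInUri
            ActiveSignInUri                 = $c.ActiveSignInUri
            PreferredAuthenticationProtocol = $c.PreferredAuthenticationProtocol
            # acceptIfMfaDoneByFederatedIdp relies entirely on the IdP's MFA claim;
            # check this value against the behaviour your baseline expects.
            FederatedIdpMfaBehavior         = $c.FederatedIdpMfaBehavior
            SignedAuthnRequestRequired      = $c.IsSignedAuthenticationRequestRequired
            PromptLoginBehavior             = $c.PromptLoginBehavior
            SigningCertExpires              = Get-CertExpiry $c.SigningCertificate
            NextSigningCertExpires          = Get-CertExpiry $c.NextSigningCertificate
            LastCertUpdate                  = $c.SigningCertificateUpdateStatus.LastRunDateTime
            CertUpdateResult                = $c.SigningCertificateUpdateStatus.CertificateUpdateResult
        }
    }
}
```

Pipe the output to Export-Csv or compare it with a stored copy to detect drift in any of the per-domain values the proposed resource would manage.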