ESC
Type to search...
Navigate Open ESC Close

Domain-InternalFederation.Read.All

Export JSON
Export CSV
Copy URL
Print
ApplicationDelegated Read All Resources

Allows the app to read internal federation configuration for a domain.

Permission data: April 6, 2026 at 4:06 AM UTC
Delegated Access App-Only Access

Permission Details

Application Permission

Read internal federation configuration for a domain.

Allows the app to read internal federation configuration for a domain.

Permission ID: c0e5a7b0-e8b7-40a7-b8e0-8249e6ea81d5
Delegated Permission Admin consent required

Read internal federation configuration for a domain.

Allows the app to read internal federation configuration for a domain.

User sees: Allows the app to read internal federation configuration for a domain.
Permission ID: 33203a2a-a761-40f0-8a7c-a7e74a9f8ac6

Properties

Microsoft Graph v1.0 endpoint-derived-docs

Properties is shown from stable Microsoft Graph v1.0 metadata.

Property Type Description
authenticationType String Indicates the configured authentication type for the domain. The value is either Managed or Federated. Managed indicates a cloud managed domain where Microsoft Entra ID performs user authentication. Federated indicates authentication is federated with an identity provider such as the tenant's on-premises Active Directory via Active Directory Federation Services. Not nullable. , , To update this property in delegated scenarios, the calling app must be assigned the Domain-InternalFederation.ReadWrite.All permission.
availabilityStatus StringNullable This property is always null except when the verify action is used. When the verify action is used, a domain entity is returned in the response. The availabilityStatus property of the domain entity in the response is either AvailableImmediately or EmailVerifiedDomainTakeoverScheduled.
id String The fully qualified name of the domain. Key, immutable, not nullable, unique.
isAdminManaged Boolean The value of the property is false if the DNS record management of the domain is delegated to Microsoft 365. Otherwise, the value is true. Not nullable
isDefault Boolean true if this is the default domain that is used for user creation. There's only one default domain per company. Not nullable.
isInitial Boolean true if this is the initial domain created by Microsoft Online Services (contoso.com). There's only one initial domain per company. Not nullable
isRoot Boolean true if the domain is a verified root domain. Otherwise, false if the domain is a subdomain or unverified. Not nullable.
isVerified Boolean true if the domain completed domain ownership verification. Not nullable.
passwordNotificationWindowInDays Int32Nullable Specifies the number of days before a user receives notification that their password expires. If the property isn't set, a default value of 14 days is used.
passwordValidityPeriodInDays Int32Nullable Specifies the length of time that a password is valid before it must be changed. If the property isn't set, a default value of 90 days is used.
state domainState Status of asynchronous operations scheduled for the domain.
supportedServices String collection The capabilities assigned to the domain. Can include 0, 1 or more of following values: Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune. The values that you can add or remove using the API include: Email, OfficeCommunicationsOnline, Yammer. Not nullable.
domainNameReferences directoryObject collection The objects such as users and groups that reference the domain ID. Read-only, Nullable. Doesn't support $expand. Supports $filter by the OData type of objects returned. For example, /domains/{domainId}/domainNameReferences/microsoft.graph.user and /domains/{domainId}/domainNameReferences/microsoft.graph.group.
federationConfiguration internalDomainFederation collection Domain settings configured by a customer when federated with Microsoft Entra ID. Doesn't support $expand.
manufacturer stringNullable

Showing 15 of 19 properties.

JSON Representation

Microsoft Graph v1.0 endpoint-derived-docs

JSON representation is shown from stable Microsoft Graph v1.0 metadata.

JSON representation 
{
  "authenticationType": "String",
  "availabilityStatus": "String",
  "id": "String (identifier)",
  "isAdminManaged": true,
  "isDefault": true,
  "isInitial": true,
  "isRoot": true,
  "isVerified": true,
  "passwordNotificationWindowInDays": 14,
  "passwordValidityPeriodInDays": 90,
  "state": {
    "@odata.type": "microsoft.graph.domainState"
  },
  "supportedServices": [
    "String"
  ]
}

Relationships

Microsoft Graph v1.0 endpoint-derived-docs

Relationships is shown from stable Microsoft Graph v1.0 metadata.

Relationship Type Description
domainNameReferences directoryObject collection The objects such as users and groups that reference the domain ID. Read-only, Nullable. Doesn't support $expand. Supports $filter by the OData type of objects returned. For example, /domains/{domainId}/domainNameReferences/microsoft.graph.user and /domains/{domainId}/domainNameReferences/microsoft.graph.group.
federationConfiguration internalDomainFederation Domain settings configured by a customer when federated with Microsoft Entra ID. Doesn't support $expand.
rootDomain domain Root domain of a subdomain. Read-only, Nullable. Supports $expand.
serviceConfigurationRecords domainDnsRecord collection DNS records the customer adds to the DNS zone file of the domain before the domain can be used by Microsoft Online services. Read-only, Nullable. Doesn't support $expand.
verificationDnsRecords domainDnsRecord collection DNS records that the customer adds to the DNS zone file of the domain before the customer can complete domain ownership verification with Microsoft Entra ID. Read-only, Nullable. Doesn't support $expand.
supportedServices string collection The capabilities assigned to the domain. Can include 0, 1 or more of following values: Email, Sharepoint, EmailInternalRelayOnly, OfficeCommunicationsOnline, SharePointDefaultDomain, FullRedelegation, SharePointPublic, OrgIdAuthentication, Yammer, Intune. The values that you can add or remove using the API include: Email, OfficeCommunicationsOnline, Yammer. Not nullable.
sharedEmailDomainInvitations sharedEmailDomainInvitation collection Related sharedEmailDomainInvitations data exposed by this resource.

Graph Methods

Delegated access App-only access
Exact Microsoft Learn match

Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /domains/{domainsId}/federationConfiguration
GET /domains/{domainsId}/federationConfiguration/{internalDomainFederationId}
Exact Microsoft Learn match

Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.

Methods
GET /domains/{domainsId}/federationConfiguration
GET /domains/{domainsId}/federationConfiguration/{internalDomainFederationId}
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgDomainFederationConfiguration /domains/{domainsId}/federationConfiguration
List internalDomainFederations
Get-MgDomainFederationConfiguration /domains/{domainsId}/federationConfiguration/{internalDomainFederationId}
Get internalDomainFederation
Exact Microsoft Learn PowerShell match

Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.

Commands
Get-MgBetaDomainFederationConfiguration /domains/{domainsId}/federationConfiguration
List internalDomainFederations
Get-MgBetaDomainFederationConfiguration /domains/{domainsId}/federationConfiguration/{internalDomainFederationId}
Get internalDomainFederation

Code Examples

C# / .NET SDK
Get internalDomainFederation
View official example on Microsoft Learn
// Code snippets are only available for the latest version. Current version is 5.x

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Domains["{domain-id}"].FederationConfiguration["{internalDomainFederation-id}"].GetAsync();
JavaScript
Get internalDomainFederation
View official example on Microsoft Learn
const options = {
	authProvider,
};

const client = Client.init(options);

let internalDomainFederation = await client.api('/domains/contoso.com/federationConfiguration/6601d14b-d113-8f64-fda2-9b5ddda18ecc')
	.get();
PowerShell
Get internalDomainFederation
View official example on Microsoft Learn
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Get-MgDomainFederationConfiguration -DomainId $domainId -InternalDomainFederationId $internalDomainFederationId
Python
Get internalDomainFederation
View official example on Microsoft Learn
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python

result = await graph_client.domains.by_domain_id('domain-id').federation_configuration.by_internal_domain_federation_id('internalDomainFederation-id').get()

App Registration

1

Navigate to Azure Portal

Go to App registrations in Microsoft Entra admin center

2

Add API Permission

Select your app → API permissions → Add a permission → Microsoft Graph

3

Select Permission Type

Choose Application permissions or delegated permissions and search for Domain-InternalFederation.Read.All

4

Grant Admin Consent

Application permissions always require admin consent.