Set-EntraBetaApplicationProxyApplicationSingleSignOn
The Set-EntraBetaApplicationProxyApplicationSingleSignOn cmdlet allows you to set and modify single sign-on (SSO) settings for an application configured for Application Proxy in Microsoft Entra ID.
Syntax
Default (Default)
Set-EntraBetaApplicationProxyApplicationSingleSignOn
-ApplicationId <String>
-SingleSignOnMode <SingleSignOnModeEnum>
[-KerberosInternalApplicationServicePrincipalName <String>]
[-KerberosDelegatedLoginIdentity <KerberosSignOnMappingAttributeTypeEnum>]
[<CommonParameters>]
Description
The Set-EntraBetaApplicationProxyApplicationSingleSignOn cmdlet allows you to set and modify single sign-on (SSO) settings for an application configured for Application Proxy in Microsoft Entra ID.
This is limited to setting No SSO, Kerberos Constrained Delegation (for applications using Integrated Windows Authentication), and Header-based SSO.
Examples
Example 1: Assign an application to use Kerberos Constrained Delegation, and specify required parameters
Connect-Entra -Scopes 'Directory.ReadWrite.All'
$application = Get-EntraBetaApplication -Filter "DisplayName eq 'Contoso App Proxy'"
$params = @{
ApplicationId = $application .Id
SingleSignOnMode = 'OnPremisesKerberos'
KerberosInternalApplicationServicePrincipalName = 'https/www.adventure-works.com'
KerberosDelegatedLoginIdentity = 'OnPremisesUserPrincipalName'
}
Set-EntraBetaApplicationProxyApplicationSingleSignOn @params
This example assigns an application to use Kerberos Constrained Delegation, and specify required parameters.
-ApplicationIdparameter specifies the application ID.-SingleSignOnModeparameter specifies the type of SSO.-KerberosInternalApplicationServicePrincipalNameparameter specifies the internal application ServicePrincipalName of the application server.-KerberosDelegatedLoginIdentityparameter specifies the Connector group ID that assigned to this application.
Example 2: Remove SSO from an application
Connect-Entra -Scopes 'Directory.ReadWrite.All'
Set-EntraBetaApplicationProxyApplicationSingleSignOn -ApplicationId $application .Id -SingleSignOnMode None'
This example demonstrates how to remove SSO from an application.
-ApplicationIdparameter specifies the application ID.-SingleSignOnModeparameter specifies the type of SSO.
Parameters
-ApplicationId
The unique application ID of the application that needs different SSO settings.
ObjectId can be found using the Get-EntraBetaApplication command.
You can also find this in the Microsoft Portal by navigating to Microsoft Entra ID, Enterprise Applications, All Applications, Select your application, go to the properties tab, and use the ObjectId on that page.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
| Aliases: | ObjectId |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-KerberosDelegatedLoginIdentity
The identity that the Connector can use on behalf of your users to authenticate.
Parameter properties
| Type: | KerberosSignOnMappingAttributeTypeEnum |
| Default value: | None |
| Accepted values: | UserPrincipalName, OnPremisesUserPrincipalName, UserPrincipalUsername, OnPremisesUserPrincipalUsername, OnPremisesSAMAccountName |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-KerberosInternalApplicationServicePrincipalName
The internal application SPN of the application server. This ServicePrincipalName (SPN) needs to be in the list of services to which the Connector can present delegated credentials.
Parameter properties
| Type: | System.String |
| Default value: | None |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | False |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
-SingleSignOnMode
Choose the type of SSO you would like the application to use. Only three SSO settings are supported in PowerShell, for more options, please use the Microsoft Portal.
Parameter properties
| Type: | SingleSignOnModeEnum |
| Default value: | None |
| Accepted values: | None, OnPremisesKerberos, HeaderBased |
| Supports wildcards: | False |
| DontShow: | False |
Parameter sets
(All)
| Position: | Named |
| Mandatory: | True |
| Value from pipeline: | True |
| Value from pipeline by property name: | True |
| Value from remaining arguments: | False |
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
Inputs
System.String
System.Nullable`1[[Microsoft.Open.MSGraph.Model.OnPremisesPublishingSingleSignOnObject+SingleSignOnModeEnum, Microsoft.Open.MS.GraphV10.Client, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null]] System.Nullable`1[[Microsoft.Open.MSGraph.Model.OnPremisesPublishingKerberosSignOnSettingsObject+KerberosSignOnMappingAttributeTypeEnum, Microsoft.Open.MS.GraphV10.Client, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null]]