---
title: Configuring PingID MFA for Microsoft Azure AD Conditional Access
description: Integrating PingID multi-factor authentication (MFA) requires setting up the configuration in the admin portal and in Azure AD.
component: pingid
page_id: pingid:pingid_integrations:pid_cfg_azure_conditional_access
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_cfg_azure_conditional_access.html
revdate: June 10, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
  result-3: Result:
  result-4: Result
  next-steps: Next steps
---

# Configuring PingID MFA for Microsoft Azure AD Conditional Access

Integrating PingID multi-factor authentication (MFA), an electronic authentication method in which a user is granted access only after presenting two or more verification factors, requires setting up the configuration in the admin portal and in Azure AD.

## About this task

Setting up PingID MFA for Microsoft Azure AD Conditional Access involves the following steps:

* In the admin portal, set up the integration, including attribute mapping.

* In Azure AD:

  * Create a PingID MFA custom control.

  * Create a PingID MFA conditional access policy.

* Optionally apply a PingID MFA policy to the Azure AD integration.

The default attribute mapping is based on the attributes that Azure AD sends to PingOne in the authorization request that triggers PingID MFA. It includes the following attributes.

| PingID attribute | Azure AD attribute |
| ---------------- | ------------------ |
| `username`             | `upn`              |
| `fname`                | `given_name`       |
| `lname`                | `family_name`      |

**Video (Brightcove):** [Configuring PingID MFA for Azure AD Conditional Access](https://players.brightcove.net/771836189001/default_default/index.html?videoId=5977545928001&t=34s)

## Steps

1. In the Admin portal, go to **Setup → PingID → Client Integration**.

2. In the **Integrate with Microsoft Azure AD** section, click **Setup Integration**.

   ### Result:

   The **Azure AD Integration** window opens.

   ![Screen capture of the Azure AD Integration window, currently showing the Connect to Active Directory section with the fields for Directory IDS, Application Name, and Application Icon. There is a hyperlink option to Add directory ID under the field for Directory IDS.](_images/iej1633938438344.png)

3. To find the relevant Directory ID, in the Azure portal:

   1. In the **FAVORITES** menu in the left side bar, go to **Azure Active Directory**.

   2. In the **Manage** section, click **Properties**.

   3. Copy the value from the **Directory ID** field.

4. In the Admin portal:

   1. Paste the directory ID value into the **Directory IDS** field.

   2. **Optional:** To add additional directory IDs, click **Add directory ID** and paste the relevant Directory ID, as it appears in the relevant Azure AD account.

      **Note:** Each directory ID must be a valid UUID string.

   3. In the **Application Name** field, enter the name you want to use to represent authorization requests from Azure AD.

      This is the name that users will see displayed if using the PingID mobile app during authorization. This name is also used to identify the Azure AD application in the PingID policy applications list.

   4. To change the application icon, choose one of the following:

      * Select a new icon: Click the application icon and go to the icon you want to use.

      * Use the default icon: Click **Remove**.

        **Note:** The PingID mobile app displays the selected icon during authorization.

   5. If your environment uses a redirect URI that differs from the default Azure AD redirect URI, enter the correct URI in the **Override Redirect URI** field. Leave the field empty unless you know your environment requires a non-default redirect URI.

   6. Click **Next**.

   The **Map Attributes** tab opens, displaying the default attribute mapping.

   ![Screen capture of the Map Attributes section in the Azure AD Integration window. Each field is a drop-down list. The default values are shown for each field. To the right of each field is an Advanced button.](_images/nht1564020608202.png)

5. **Optional:** To map Azure AD attributes that are not provided in the initial MFA request to the relevant PingID attributes:

   1. In the relevant attribute field, select the Azure AD attribute from the drop-down list, or type the attribute into the field.

      **Note:** By default, the PingID username is taken from the *upn* attribute in Azure AD. However, if you are also using Azure AD as the identity provider (IdP) for PingOne for Enterprise, make sure that you select from the list the attribute that you mapped to *MFA\_SUBJECT*. Otherwise, a single person can end up listed as two different PingID users: one whose username comes from the *upn* attribute and one whose username comes from the attribute mapped to *MFA\_SUBJECT*.

   2. To perform attribute transformations on a specific attribute, in the relevant row, click **Advanced** and configure the fields as required.

      For more information, see [Creating advanced attribute mappings](http://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_creating_advaced_attribute_mappings.html).

   3. Click **Next**.

   4. If you included Azure AD attributes that are not provided in the initial MFA request from Azure AD, you'll receive a prompt requesting that you grant PingID permission to access and collect those attributes from your Azure AD tenant.

      **Note:** If you are not prompted to grant permissions, skip this step.

      ![Screen capture of the Grant Permission section in the Azure AD Integration window](_images/zzt1564020609008.png)

      In the **Grant Permission** window, for each Azure AD tenant:

      1. To open the Azure login window, in the **Grant Permission** section, click **Grant Permission**.

         ![Screen capture of Microsoft Azure login screen](_images/fts1564020609751.png)

      2. To grant the relevant access to PingID, sign on to your Azure AD Tenant and click **Accept**.

         ![Screen capture of the permissions request window in Azure](_images/zcx1564020611908.png)

         You are redirected back to the Azure AD Integration window.

   5. If you mapped the `memberOf` group attribute in the admin portal, you are prompted to synchronize groups. Select the **Synchronize Groups** check box to copy your Azure AD group names into PingID, and then click **Next**.

      ![Screen capture of the Synchronize Groups section on the Azure AD Integration window](_images/gjm1564020614640.png)

      ### Result:

      After groups are synchronized and the integration is complete, Azure groups appear in the PingID policy groups list, and the **User Groups** list at **Users → User Groups**, enabling you to apply the PingID policy to your Azure groups.

6. To save the integration, click **Done**.

   The custom control JSON object that is generated includes a summary of the attribute mapping. Copy this JSON: you must provide it to your Azure AD tenant in the next step.

   ![Screen capture of a JSON object generated by the completed integration process](_images/aqz1564020615443.png)

7. In the Azure AD portal, create a new PingID MFA custom control:

   1. On the left side bar, click **Azure Active Directory**.

   2. In the **Security** section, go to **Conditional access → Custom controls**.

   3. Click **New custom control**.

      ![Screen capture of the customized controls JSON input field in Azure AD.](_images/inp1564020616415.png)

   4. Delete the default JSON text, and then paste the custom control JSON that you copied from the PingOne admin portal into the Azure AD custom control field.

   5. Click **Create**.

      ### Result:

      The new custom control appears in the custom controls list.

      ![Screen capture of the newly-created custom control in the custom controls list in Azure AD.](_images/jyq1564020617370.png)

8. In the Azure AD portal, create a new PingID MFA conditional access policy.

   **Important:** To avoid locking administrators out of the Azure AD portal, do not apply the PingID policy to all users and applications until you have successfully tested the integration between Azure AD and PingID. Start with a pilot group, and exclude at least one emergency-access (break-glass) administrator account from the policy.

   1. Go to **Azure Active Directory → Conditional access**.

   2. Click **New policy**.

   3. Enter a meaningful name for the policy (for example, Require PingID MFA).

   4. To specify which users and groups the policy applies to, in the **Assignments** section, click **Users and groups**. On the **Include** tab, select the users and groups that you want to include in the policy. On the **Exclude** tab, exclude your emergency-access administrator accounts. Click **Select**.

   5. To specify which cloud apps you want the policy to apply to, in the **Assignments** section, click **Cloud apps**. On the **Include** tab, click **Select apps**, and select the relevant apps. Click **Select**.

   6. Go to **Access controls → Grant**, click **Grant access**, and select the check box next to the custom control that you created earlier. Click **Select**.

      ![Screen capture of the conditional access policy window in Azure AD](_images/hrg1564020618362.png)

   7. Click **Create**.
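The constraints called out in the notes to steps 4 and 5 (directory IDs must be UUIDs; the `username` mapping must match the attribute mapped to `MFA_SUBJECT` when Azure AD is also the IdP for PingOne for Enterprise; attributes outside the initial MFA request need a permission grant; a `memberOf` mapping implies group synchronization) can be checked before you click **Done**. The following preflight is an added example written for this page, not Ping Identity code. It works on a plain dictionary describing the draft integration; the sample values, including the UUID and the `mail` attribute, are constructed for illustration.

```python
"""Preflight checks for a draft PingID / Azure AD integration (added example, not Ping code)."""
import uuid

# Claims Azure AD includes in the initial MFA request (the page's default mapping table).
INITIAL_REQUEST_ATTRIBUTES = {"upn", "given_name", "family_name"}
DEFAULT_MAPPING = {"username": "upn", "fname": "given_name", "lname": "family_name"}


def is_valid_directory_id(value):
    """True only for a canonical UUID string, which is what the Directory ID field requires."""
    if not isinstance(value, str):
        return False
    try:
        # Reject braced/URN forms that uuid.UUID would silently accept.
        return str(uuid.UUID(value)) == value.strip().lower()
    except ValueError:
        return False


def preflight(directory_ids, mapping, mfa_subject_attribute=None):
    """Check a draft integration.

    mapping: PingID attribute -> Azure AD attribute, as chosen on the Map Attributes tab.
    mfa_subject_attribute: the Azure AD attribute mapped to MFA_SUBJECT in the PingOne for
        Enterprise IdP configuration, or None if Azure AD is not the IdP.
    Returns a list of (severity, message) tuples; an empty list means nothing to fix.
    """
    findings = []
    for did in directory_ids:
        if not is_valid_directory_id(did):
            findings.append(("error", f"directory ID {did!r} is not a valid UUID"))

    # Same person, two usernames: CA MFA request uses mapping['username'], IdP flow uses MFA_SUBJECT.
    username_attr = mapping.get("username", DEFAULT_MAPPING["username"])
    if mfa_subject_attribute and username_attr != mfa_subject_attribute:
        findings.append(("error",
                         f"username maps to {username_attr!r} but MFA_SUBJECT maps to "
                         f"{mfa_subject_attribute!r}; each person would exist twice in PingID"))

    # Anything beyond upn/given_name/family_name triggers the Grant Permission prompt.
    extra = sorted(set(mapping.values()) - INITIAL_REQUEST_ATTRIBUTES)
    if extra:
        findings.append(("info",
                         f"attributes {extra} are not in the initial MFA request; "
                         "PingID must be granted permission to read them from the tenant"))

    if "memberOf" in mapping:
        findings.append(("info",
                         "memberOf is mapped; select Synchronize Groups so Azure AD groups "
                         "can be used in PingID policies"))
    return findings


def pingid_usernames_for(claims, mapping, mfa_subject_attribute):
    """Usernames one person gets from the CA MFA request and from the IdP flow (ideally one)."""
    return {claims[mapping.get("username", "upn")], claims[mfa_subject_attribute]}


if __name__ == "__main__":
    # Constructed sample: Azure AD is also the IdP and MFA_SUBJECT was mapped to 'mail'.
    draft = {"username": "upn", "fname": "given_name", "lname": "family_name"}
    for severity, msg in preflight(["3f2504e0-4f89-11d3-9a0c-0305e82c3301"], draft, "mail"):
        print(f"[{severity}] {msg}")
    alice = {"upn": "alice@contoso.com", "mail": "alice.smith@contoso.com"}
    print("usernames seen by PingID:", pingid_usernames_for(alice, draft, "mail"))
```

The `error` findings are the ones the page says will bite you: a non-UUID directory ID is rejected by the portal, and a `username`/`MFA_SUBJECT` mismatch produces duplicate PingID users that are painful to merge after devices have been paired.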

## Result

The conditional access policy is created and is shown in the Azure **Policies** list.

![Screen capture of the conditional access policy in the Azure AD Policies list](_images/cbz1564020619426.png)
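A scripted equivalent of the policy created in step 8, added here as an example; it is not part of the PingID documentation or of Ping Identity's or Microsoft's tooling. It uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `New-MgIdentityConditionalAccessPolicy`, `Get-MgIdentityConditionalAccessPolicy`). The pilot group, break-glass account, protected application and custom control IDs are placeholders that you must replace with object IDs from your own tenant. The policy is created in report-only mode so that the PingID custom control shows up in the sign-in logs before anyone is actually challenged.

```powershell
# Added example (not from the PingID docs): create the "Require PingID MFA" conditional access
# policy with Microsoft Graph PowerShell, scoped to a pilot group, excluding a break-glass
# account, and in report-only mode first. All IDs below are placeholders (assumptions).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$PilotGroupId    = "<object-id-of-pilot-group>"            # users who get the PingID prompt first
$BreakGlassId    = "<object-id-of-emergency-access-user>"  # never subject to the custom control
$AppIds          = @("<application-id-of-protected-app>")  # the cloud apps selected in step 8.5
$CustomControlId = "<id-of-the-PingID-custom-control>"     # the custom control created in step 7

$policy = @{
    displayName = "Require PingID MFA"
    # Report-only: the policy is evaluated and logged but not enforced.
    # Change to "enabled" only after the pilot group has tested the PingID prompt.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($PilotGroupId)
            excludeUsers  = @($BreakGlassId)
        }
        applications = @{
            includeApplications = $AppIds
        }
    }
    grantControls = @{
        operator                    = "OR"
        # Custom controls are referenced by ID; this is the "Grant access" + custom control
        # check box of step 8.6.
        customAuthenticationFactors = @($CustomControlId)
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the stored policy back and confirm scope and control before flipping the state.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object Id, DisplayName, State,
        @{ n = 'IncludedGroups'; e = { $_.Conditions.Users.IncludeGroups -join ',' } },
        @{ n = 'ExcludedUsers';  e = { $_.Conditions.Users.ExcludeUsers -join ',' } },
        @{ n = 'CustomControls'; e = { $_.GrantControls.CustomAuthenticationFactors -join ',' } }
```

Once the Conditional Access results in the sign-in logs show the policy matching the pilot users as expected, set `state` to `enabled` (for example with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }`) and widen the assignments; keep the break-glass exclusion in place.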

## Next steps

For information about applying a PingID MFA policy to your Azure AD integration, see [Configuring an app or group-specific authentication policy](../pingid_service_management/pid_configuring_app_group_authentication_policy.html). The Azure AD application appears in the PingID policy application list under the name you entered in the **Application Name** field.
