Setting up PingID MFA for Microsoft Azure AD Conditional Access involves the following steps:

  • In the admin portal, set up the integration, including attribute mapping.
  • In Azure AD:
    • Create a PingID MFA custom control.
    • Create a PingID MFA conditional access policy.
  • Optionally apply a PingID MFA policy to the Azure AD integration.

The default attribute mapping uses the claims that Azure AD sends to PingOne in the authorization request that triggers PingID MFA:

PingID attribute    Azure AD attribute
username            upn
fname               given_name
lname               family_name

  1. In the Admin portal, go to Setup > PingID > Client Integration.
  2. In the Integrate with Microsoft Azure AD section, click Setup Integration.

    The Azure AD Integration window opens.


    Screen capture of the Azure AD Integration window, currently showing the Connect to Active Directory section with the fields for Directory IDS, Application Name, and Application Icon. There is a hyperlink option to Add directory ID under the field for Directory IDS.
  3. To find the relevant Directory ID, in the Azure portal:
    1. In the FAVORITES menu in the left side bar, go to Azure Active Directory.
    2. In the Manage section, click Properties.
    3. Copy the value from the Directory ID field (labeled Tenant ID in newer versions of the Azure portal).
  4. In the Admin portal:
    1. Paste the directory ID value into the Directory IDS field.
    2. Optional: To add additional directory IDs, click Add directory ID and paste the relevant Directory ID exactly as it appears in the relevant Azure AD account. Each directory ID you add must be a valid UUID string (36 characters in the hyphenated 8-4-4-4-12 hexadecimal form).
      Note:

      The directory ID must be a valid UUID string.

    3. In the Application Name field, enter the name you want to use to represent authorization requests from Azure AD.

      This is the name that users will see displayed if using the PingID mobile app during authorization. This name is also used to identify the Azure AD application in the PingID policy applications list.

    4. To change the application icon, choose one of the following:
      • Select a new icon: Click the application icon and go to the icon you want to use.
      • Use the default icon: Click Remove.
      Note:

      The PingID mobile app displays the selected icon during authorization.

    5. If your environment uses a redirect URI that is different from the default Azure AD redirect URI, use the Override Redirect URI field to specify the correct URI.
    6. Click Next.

      The Map Attributes tab opens, displaying the default attribute mapping.

      Screen capture of the Map Attributes section in the Azure AD Integration window. Each field is a drop-down list. The default values are shown for each field. To the right of each field is an Advanced button.
  5. Optional: To map Azure AD attributes that are not provided in the initial MFA request to the relevant PingID attributes:
    1. In the relevant attribute field, select the Azure AD attribute from the drop-down list, or type the attribute into the field.
      Note:

      By default, the username for PingID is taken from the upn attribute in Azure. However, if you are also using Azure as the identity provider (IdP) for PingOne for Enterprise, make sure that you select from the list the attribute that you mapped to MFA_SUBJECT. Otherwise, a single person can end up listed as two different PingID users: one whose username comes from the upn attribute and one whose username comes from the attribute mapped to MFA_SUBJECT.

    2. To perform attribute transformations on a specific attribute, in the relevant row, click Advanced and configure the fields as required.

      For more information, see Creating advanced attribute mappings.

    3. Click Next.
    4. If you included Azure AD attributes that are not provided in the initial MFA request from Azure AD, you'll receive a prompt requesting that you grant PingID permission to access and collect those attributes from your Azure AD tenant.
      Note:

      If you are not prompted to grant permissions, skip this step.

      Screen capture of the Grant Permission section in the Azure AD Integration window

      In the Grant Permission window, for each Azure AD tenant:

      1. To open the Azure login window, in the Grant Permission section, click Grant Permission.

        Screen capture of Microsoft Azure login screen
      2. To grant the relevant access to PingID, sign on to your Azure AD Tenant and click Accept.

        Screen capture of the permissions request window in Azure

        You are redirected back to the Azure AD Integration window.

    5. If you selected an attribute mapping for the memberOf group attribute in the Admin portal, you are prompted to synchronize groups. Select the Synchronize Groups check box to copy your Azure AD group names into PingID, and then click Next.
      Screen capture of the Synchronize Groups section on the Azure AD Integration window

      After groups are synchronized and the integration is complete, Azure groups appear in the PingID policy groups list, and the User Groups list at Users > User Groups, enabling you to apply the PingID policy to your Azure groups.

  6. To save the integration, click Done.

    The integration generates a custom control JSON object that includes a summary of the attribute mapping. Copy this JSON: you paste it into your Azure AD tenant in the next step to create the custom control.

    Screen capture of a JSON object generated by the completed integration process
  7. In the Azure AD portal, create a new PingID MFA custom control:
    1. On the left side bar, click Azure Active Directory.
    2. In the Security section, go to Conditional access > Custom controls.
    3. Click New custom control.
      Screen capture of the customized controls JSON input field in Azure AD.
    4. Delete the default JSON text, and then paste the custom control JSON that you copied from the PingOne admin portal into the Azure AD custom control field.
    5. Click Create.

      The new custom control appears in the custom controls list.


      Screen capture of the newly-created custom control in the custom controls list in Azure AD.
  8. In the Azure AD portal, create a new PingID MFA conditional access policy.
    Note:

    To avoid blocking administrator access to the Azure AD portal, do not apply the PingID policy to all users and applications until you have successfully tested the integration between Azure AD and PingID. Scope the policy to a pilot group first, and exclude at least one emergency access (break-glass) account, as Microsoft recommends for every Conditional Access policy.

    1. Go to Azure Active Directory > Conditional access.
    2. Click New policy.
    3. Enter a meaningful name for the policy (for example, Require PingID MFA).
    4. To specify which users and groups the policy applies to, in the Assignments section, click Users and groups. On the Include tab, select the users and groups that you want to include in the policy. Click Select.
    5. To specify which cloud apps you want the policy to apply to, in the Assignments section, click Cloud apps. On the Include tab, click Select apps, and select the relevant apps. Click Select.
    6. Go to Access controls > Grant, click Grant access, and select the check box next to the custom control that you created earlier. Click Select.
      Screen capture of the conditional access policy window in Azure AD
    7. Click Create.

The conditional access policy is created and is shown in the Azure Policies list.


Screen capture of the conditional access policy in the Azure AD Policies list
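The same policy can be created through the Microsoft Graph API instead of the portal, which also lets you check the pilot-scoping and break-glass exclusion advised in the note above before anything is enforced. The following Python script is an added example, not code from Ping Identity or Microsoft. It assumes the Microsoft Graph v1.0 conditionalAccessPolicy schema, in which grantControls.customAuthenticationFactors carries the custom control IDs, and the endpoint and permission name given in create_policy(); every tenant, group, app and control ID in it is a constructed placeholder.

```python
"""Build and sanity-check an Azure AD Conditional Access policy that grants
access only through the PingID custom control, then submit it to Graph.

Added example, not code from Ping Identity or Microsoft. Assumes the Graph
v1.0 conditionalAccessPolicy schema; all IDs below are constructed
placeholders, not real tenants, groups, apps or custom controls.
"""
import json
import urllib.request
import uuid

# Constructed placeholder identifiers.
PILOT_GROUP_ID = "11111111-2222-3333-4444-555555555555"
BREAK_GLASS_GROUP_ID = "66666666-7777-8888-9999-aaaaaaaaaaaa"
PINGID_CUSTOM_CONTROL_ID = "bbbbbbbb-cccc-dddd-eeee-ffffffffffff"
PILOT_APP_ID = "cccccccc-dddd-eeee-ffff-000000000000"

GRAPH_POLICIES_URL = (
    "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
)


def is_uuid(value):
    """True only for a canonical hyphenated UUID string: the form the PingID
    admin portal requires for Directory IDs and the form of Azure AD object
    IDs. Braces, URN prefixes and non-strings are rejected."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, TypeError, AttributeError):
        return False


def build_pingid_policy(display_name, custom_control_id, include_users=(),
                        include_groups=(), exclude_users=(), exclude_groups=(),
                        include_apps=(), state="enabled"):
    """Assemble the Graph request body. "All" is accepted in include_users
    and include_apps so that lockout_risks() can flag it."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": list(include_users),
                "includeGroups": list(include_groups),
                "excludeUsers": list(exclude_users),
                "excludeGroups": list(exclude_groups),
            },
            "applications": {"includeApplications": list(include_apps)},
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": [],
            "customAuthenticationFactors": [custom_control_id],
        },
    }


def lockout_risks(policy):
    """Findings that could lock administrators out of the Azure portal if the
    PingID integration is misconfigured. An empty list means the policy is
    safe to create for a pilot."""
    findings = []
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    if "All" in users["includeUsers"]:
        findings.append("targets all users before the integration is tested")
    if "All" in apps["includeApplications"]:
        findings.append("targets all cloud apps, including the Azure portal")
    if not users["excludeUsers"] and not users["excludeGroups"]:
        findings.append("no emergency access (break-glass) user or group excluded")
    for gid in users["includeGroups"] + users["excludeGroups"]:
        if not is_uuid(gid):
            findings.append(f"group id is not a UUID: {gid}")
    if not policy["grantControls"]["customAuthenticationFactors"]:
        findings.append("no custom control selected; PingID would not be required")
    return findings


def to_graph_json(policy):
    return json.dumps(policy, indent=2)


def create_policy(policy, access_token):
    """POST the policy to Graph (token needs Policy.ReadWrite.ConditionalAccess).
    Refuses to send a policy with lockout findings. Not exercised offline."""
    risks = lockout_risks(policy)
    if risks:
        raise ValueError("refusing to create policy: " + "; ".join(risks))
    req = urllib.request.Request(
        GRAPH_POLICIES_URL, data=to_graph_json(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    pilot = build_pingid_policy(
        "Require PingID MFA (pilot)", PINGID_CUSTOM_CONTROL_ID,
        include_groups=[PILOT_GROUP_ID], exclude_groups=[BREAK_GLASS_GROUP_ID],
        include_apps=[PILOT_APP_ID])
    print(to_graph_json(pilot))
    print("pilot findings:", lockout_risks(pilot))
    everyone = build_pingid_policy("Require PingID MFA", PINGID_CUSTOM_CONTROL_ID,
                                   include_users=["All"], include_apps=["All"])
    print("all-users findings:", lockout_risks(everyone))
```

Run it as-is to print the pilot body and the findings for both policies; only when lockout_risks() is empty does create_policy() send the request. The custom control ID to pass is the ID Azure AD assigns to the control you created from the PingID JSON, visible in the custom controls list.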

For information about applying a PingID MFA policy to your Azure AD integration, see Configuring an app or group-specific authentication policy. The Azure AD app will appear in the PingID policy app list.