Azure AD Identity Protection Integration Kit

The Azure AD Identity Protection Integration Kit allows PingFederate to communicate with Azure AD Identity Protection for risk-based authentication.

By sending a Microsoft user ID to Azure AD Identity Protection when a user signs on, PingFederate can get a security Result based on the user’s history. You can use this to dynamically adjust the authentication requirements. For example, you could configure your PingFederate authentication policy to require multifactor authentication (MFA) when a user with a high-risk level signs on.

Features

Uses the Azure AD Identity Protection "riskyUsers" resource
Supports the PingFederate Authentication API
Supports the JavaScript Widget for the PingFederate Authentication API

Components

Azure AD Identity Protection IdP Adapter:
- When a user signs on through PingFederate, the adapter sends the user ID to Azure AD Identity Protection.
- The adapter receives the user’s Result and makes it available in the PingFederate authentication policy.

Intended audience

This document is intended for PingFederate administrators.

Learn more about the setup process with the following resources:

The following sections of the PingFederate documentation:
- Managing IdP adapters
- Authentication Policies
The following sections of the Azure AD Identity Protection documentation:

System requirements

PingFederate 9.3 or later.
A valid Azure AD Identity Protection license. Learn more about License requirements in the Azure AD Identity Protection documentation.
This integration uses the Microsoft Cloud Identity Connector to get Microsoft user IDs. Setup details are provided in Setting up the Microsoft Cloud Identity Connector.