Azure AD Identity Protection Integration Kit

The Azure AD Identity Protection Integration Kit allows PingFederate to communicate with Azure AD Identity Protection for risk-based authentication.

By sending a Microsoft user ID to Azure AD Identity Protection when a user signs on, PingFederate can get a security risk level based on the user’s history. You can use this to dynamically adjust the authentication requirements. For example, you could configure your PingFederate authentication policy to require multi-factor authentication (MFA) when a user with a high risk level signs on.

Features

Uses the Azure AD Identity Protection "riskyUsers" resource
Supports the PingFederate Authentication API
Supports the JavaScript Widget for the PingFederate Authentication API

Components

Azure AD Identity Protection IdP Adapter:
- When a user signs on through PingFederate, the adapter sends the user ID to Azure AD Identity Protection.
- The adapter receives the user’s risk level and makes it available in the PingFederate authentication policy.

Intended audience

This document is intended for PingFederate administrators.

If you need help during the setup process, see the following resources:

The following sections of the PingFederate documentation:
- Managing IdP adapters
- Authentication Policies
The following sections of the Azure AD Identity Protection documentation:

System requirements

PingFederate 9.3 or later.
A valid Azure AD Identity Protection license. For details, see .microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection//[License requirements] in the Azure AD Identity Protection documentation.
This integration uses the Microsoft Cloud Identity Connector to get Microsoft user IDs. Setup details are provided in Setting up the Microsoft Cloud Identity Connector.