---
title: Azure AD Password Credential Validator
description: Password credential validators (PCVs) enable PingFederate administrators to define a centralized location for username or password validation, allowing various PingFederate configurations to reference PCV instances. The Azure AD Password Credential Validator uses the Microsoft Graph API for credential validation.
component: azure
page_id: azure:azure_ad_password_credential_validator:pf_azuread_pcv
canonical_url: https://docs.pingidentity.com/integrations/azure/azure_ad_password_credential_validator/pf_azuread_pcv.html
revdate: September 19, 2025
section_ids:
  features: Features
  intended-audience: Intended audience
  system-requirements: System requirements
---

# Azure AD Password Credential Validator

Password credential validators (PCVs) enable PingFederate administrators to define a centralized location for username or password validation, allowing various PingFederate configurations to reference PCV instances. The Azure AD Password Credential Validator uses the Microsoft Graph API for credential validation.

## Features

* Allows sign on with full usernames, such as `john.smith@mydomain.com`.

  Short usernames aren't supported.

* Returns an error message for failed sign-on attempts, such as one of the following:

  * `invalid credentials`

  * `account is disabled`

  * `forced password change`

* Supports non-federated single and multi-tenant Azure AD user accounts.

* Provides support for Azure AD Custom Properties (Directory Schema Extensions).

* Responses include all user group memberships.

Review the [Azure AD Password Credential Validator's known issues and limitations](pf_azuread_pcv_known_issues_and_limitations.html) before implementing these features.

## Intended audience

This document is intended for PingFederate admins and application developers.

Learn more about the PCV setup process in the following PingFederate resources:

* [Password credential validators](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_passwordcredentialvalidatortasklet_passwordcredentialvalidatormgmtstate.html)

* [SP connection management](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_sp_connect_management.html)

Learn more about the IdP adapter setup process in the following PingFederate resources:

* [HTTP Basic Adapter](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_http_basic_adapt.html)

  * [Configuring an HTTP Basic Adapter instance](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_config_http_basic_adapt_instance.html)

* [HTML Form Adapter](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_html_form_adapt.html)

  * [Configuring an HTML Form Adapter instance](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_config_html_form_adapt_instance.html)

Learn more about using PingFederate as a service provider (SP) in the following PingFederate resources:

* [Managing SP adapters](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_adaptermanagementtasklet_spadaptermanagementstate.html)

* [Managing IdP connections](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_manag_idp_connect.html)

Learn more about Azure in the following Microsoft resources:

* [Register a Microsoft Entra app and create a service principal](https://learn.microsoft.com/en-us/entra/identity-platform/howto-create-service-principal-portal)

* [Get a user](https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http)

## System requirements

* PingFederate 11.3 or later.

  Make sure you've configured either an HTTP Basic or HTML Form IdP Adapter instance. Learn more in [Associating the PCV with an IdP adapter instance](pf_azuread_pcv_associating_the_pcv_with_an_idp_adapter_instance.html).

* A Microsoft Azure account with Active Directory or Active Directory B2C configured.

  Learn more about supported user account types in [Known issues and limitations](pf_azuread_pcv_known_issues_and_limitations.html).

* An Azure AD application with the following permissions:

  * Microsoft Graph > Delegated Permission

    * Sign in and read user profile

    * Read directory data

* To allow PingFederate to make outbound connections to the Microsoft API, you might need to allow the following endpoints in your firewall:

  * Token endpoint

    `https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token`

  * User attributes endpoint

    `https://graph.microsoft.com/v1.0/me/`

  * Group membership endpoint

    `https://graph.microsoft.com/v1.0/me/memberOf`
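
A pre-flight check for the firewall requirement above, as an added example rather than Ping Identity tooling: run on the PingFederate host, it reduces the three endpoints to the host:port pairs an egress rule needs and probes each URL with an unauthenticated request. The `TENANT` variable, the function names, and the `--probe` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Ping Identity tooling. TENANT is an assumed variable
# holding your tenant ID or domain; the default is a placeholder.
TENANT="${TENANT:-YOUR_TENANT}"

# The three endpoints listed in the system requirements.
endpoints() {
  cat <<EOF
https://login.microsoftonline.com/$1/oauth2/v2.0/token
https://graph.microsoft.com/v1.0/me/
https://graph.microsoft.com/v1.0/me/memberOf
EOF
}

# Collapse the URLs to the unique host:port pairs an egress rule must allow.
allowlist() {
  endpoints "$1" | sed 's#^https://\([^/]*\)/.*#\1:443#' | sort -u
}

# Interpret curl's %{http_code}: 000 means no HTTP response arrived at all
# (DNS, TCP or TLS failure); 407 means a forward proxy wants credentials.
classify() {
  case "$1" in
    000) echo "blocked" ;;
    407) echo "proxy-auth-required" ;;
    *)   echo "reachable" ;;
  esac
}

# Unauthenticated GET: only the transport path is tested, no credentials sent.
probe() {
  code=$(curl -s -o /dev/null -m 10 -w '%{http_code}' "$1") || true
  printf '%-20s %s (HTTP %s)\n' "$(classify "${code:-000}")" "$1" "${code:-000}"
}

# Probes run only when the script is called with --probe.
if [ "${1:-}" = "--probe" ]; then
  echo "Egress rules needed:"; allowlist "$TENANT"
  endpoints "$TENANT" | while read -r url; do probe "$url"; done
fi
```

A `reachable` result only shows that some HTTP response came back. A TLS-inspecting proxy that serves its own block page also produces one, so check the certificate issuer if sign-on still fails.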
