--- title: Microsoft EAM Integration Kit description: This integration kit enables PingFederate, together with a downstream multi-factor authentication (MFA) adapter, to serve as a Microsoft External Authentication Method (EAM) provider. component: microsoft-eam page_id: microsoft-eam::pf_ms_eam_ik canonical_url: https://docs.pingidentity.com/integrations/microsoft-eam/pf_ms_eam_ik.html revdate: August 27, 2025 section_ids: components: Components intended-audience: Intended audience system-requirements: System requirements --- # Microsoft EAM Integration Kit This integration kit enables PingFederate, together with a downstream multi-factor authentication (MFA) *(tooltip: \
\

An electronic authentication method where a user is granted access only after presenting two or more verification factors for authentication.\

\
)* adapter, to serve as a Microsoft External Authentication Method (EAM) provider. The Microsoft EAM Integration Kit processes the **id\_token\_hint** and **claims** parameters sent by Microsoft Entra ID's external authentication mechanism. The integration kit extracts the `acr` and `amr` values from the **claims** parameter and sets them as input for downstream adapters in the PingFederate authentication policy. Typically, a downstream adapter like PingID uses these values to perform MFA. ## Components * Microsoft EAM IdP Adapter When PingFederate receives an OpenID Connect (OIDC) *(tooltip: \
\

An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.\

\
)* request from Microsoft Entra ID, the adapter validates the **id\_token\_hint** and extracts the `acr` and `amr` values from the **claims** parameter. You can export additional claims out of the **id\_token\_hint** as necessary. ## Intended audience This document is intended for PingFederate administrators. Use the following resources to find help during the setup process: * You can find more information about configuring PingFederate in the following sections of the PingFederate documentation: * [Access token management](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_access_token_management.html) * [OIDC Policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_oidc_policies.html) * [Configuring OAuth clients](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_oauth_clients.html) * [Authentication Policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_authentication_policies.html) * If you plan to use the bundled PingID adapter as the downstream adapter, you can find configuration instructions and context in: * The [Managing IdP adapters](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_managing_idp_adapters.html) section of the PingFederate documentation. * The [Integrate with PingID for PingFederate SSO](https://docs.pingidentity.com/pingid/pingid_integrations/pid_integrate_pf_sso.html) section of the PingID documentation. ## System requirements * PingFederate 11.3 or later. * A Microsoft Entra ID account with [external authentication method](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-authentication-external-method-manage) enabled.