--- title: Configuring a PingFederate authentication policy description: Configure a PingFederate authentication policy using the Microsoft EAM IdP Adapter and a downstream MFA adapter such as PingID. component: microsoft-eam page_id: microsoft-eam:setup:pf_ms_eam_configuring_a_pf_authentication_policy canonical_url: https://docs.pingidentity.com/integrations/microsoft-eam/setup/pf_ms_eam_configuring_a_pf_authentication_policy.html revdate: August 27, 2025 section_ids: steps: Steps --- # Configuring a PingFederate authentication policy Configure a PingFederate authentication policy using the Microsoft EAM IdP Adapter and a downstream MFA adapter such as PingID. Learn more in the [Policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/qmq1564002987890.html) section of the PingFederate documentation. ## Steps 1. Go to **Authentication > Policies** and click **Add Policy**. 2. In the **Name** field, give the policy a unique name. 3. Configure the Microsoft EAM IdP Adapter as the first step and the PingID adapter as the second step in the policy: 1. In the **Policy** list, select **IdP Adapters**, then select the EAM adapter instance you configured in [Configuring an adapter instance](pf_ms_eam_configuring_an_adapter_instance.html). 2. In the **Fail** section, click **Done**. 3. In the **Success** list, select **IdP Adapters**, then select the PingID adapter instance you configured. 4. Configure the PingID adapter step: 1. In the **Fail** section, click **Done**. 2. In the **Success** list, select **Policy Contracts**, then select a policy contract you've configured. Learn more in [Applying policy contracts or identity profiles to authentication policies](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_apply_policy_contract_or_ident_profile_to_auth_policies.html) in the PingFederate documentation. 5. If the PingID adapter follows the Microsoft EAM IdP Adapter in the authentication policy, set the Microsoft EAM IdP Adapter's `sub` attribute as the `User ID Authenticated` for PingID: 1. On the PingID adapter step, click **Options**. 2. In the **Source** list, select the Microsoft EAM IdP Adapter. 3. In the **Attribute list**, select `sub`. 4. Select the **User ID Authenticated** checkbox. 5. Click **Done**. 6. If the PingID adapter follows the Microsoft EAM IdP Adapter in the authentication policy and the flow ends in a policy contract, select PingID's `amr` attribute as the **Source** for the **Contract Mapping**: 1. On the policy contract step, click **Contract Mapping**. 2. On the **Attribute Sources & User Lookup** tab, click **Next**. 3. On the **Contract Fulfillment** tab: 1. For the `acr` attribute, in the **Source** list, select the EAM adapter instance. In the **Value** list, select `acr`. 2. For the `amr` attribute, in the **Source** list, select the PingID adapter instance. In the **Value** list, select `amr`. 3. For the `subject` attribute, in the **Source** list, select the EAM adapter instance. In the **Value** list, select `sub`. 4. On the **Issuance Criteria** tab, click **Next**. 5. On the **Summary** tab, click **Done**. Learn more in [configuring contract mapping](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configuring_contract_mapping.html). 7. Check your configuration, then click **Done**.