---
title: Configuring an access token manager
description: Configure an access token manager (ATM).
component: microsoft-eam
page_id: microsoft-eam:setup:pf_ms_eam_configuring_an_atm
canonical_url: https://docs.pingidentity.com/integrations/microsoft-eam/setup/pf_ms_eam_configuring_an_atm.html
revdate: August 28, 2025
section_ids:
  steps: Steps
  creating-access-token-mappings: Creating access token mappings
  steps-2: Steps
---

# Configuring an access token manager

Configure an access token manager (ATM).

Learn more in the [Access token management](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_access_token_management.html) section of the PingFederate documentation.

## Steps

1. Go to **Applications > Access Token Management** and open an existing ATM configuration or click **Create New Instance**.

2. On the **Type** tab:

   1. Enter a unique **Instance Name** and **Instance ID**.

   2. In the **Type** list, select **JSON Web Tokens**.

   3. Click **Next**.

3. On the **Instance Configuration** tab:

   1. In the **JWS Algorithm** list, select the RSA key type that you configured in [Enabling signing keys](pf_ms_eam_enabling_signing_keys.html).

   2. Select the **Use Centralized Signing Key** checkbox or, in the **Active Signing Certificate Key ID** list, select the **Active Signing Certificate** that you configured in [Enabling signing keys](pf_ms_eam_enabling_signing_keys.html).

   You can find more information about instance configuration options on the JSON token management tab in [Configuring an access token management instance](https://docs.pingidentity.com/pingfederate/12.3/administrators_reference_guide/pf_configuring_access_token_management_instance.html) in the PingFederate documentation.

4. (Optional) On the **Session Validation** tab, define a session validation policy. Click **Next**.

   You can find more information about configuration options in [Managing session validation settings](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_beareraccesstokenmgmtplugintasklet_sessionvalidationstate.html) in the PingFederate documentation.

5. On the **Access Token Attribute Contract** tab:

   1. In the **Extend the Contract** field, enter `acr`.

   2. In the **Action** column, click **Add**.

   3. Repeat this process for `amr` and any optional attributes that you extended the contract for in step 4 of [Configuring an adapter instance](pf_ms_eam_configuring_an_adapter_instance.html).

   4. Click **Next**.

6. (Optional) On the **Resource URIs** tab, enter a list of base resource URIs that can be used to select this access token management instance. Click **Next**.

   You can find more information in [Managing resource URIs](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_beareraccesstokenmgmtplugintasklet_atmselectionsettingsstate.html) in the PingFederate documentation.

7. (Optional) On the **Access Control** tab, select whether to restrict allowed clients. Click **Next**.

   You can find more information in [Defining access control](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_beareraccesstokenmgmtplugintasklet_atmaccesscontrolsettingsstate.html) in the PingFederate documentation.

8. On the **Summary** tab, click **Save**.

## Creating access token mappings

Configure the access token mappings for the ATM you configured in the previous procedure.

You can find more information about configuration options in [Managing access token mappings](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_accesstokenmappingtasklet_oauthuserkey2accesstokenmappingstate.html) and [Configuring access token mapping](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_configure_access_token_mapping.html) in the PingFederate documentation.

### Steps

1. On the **Access Token Mappings** page:

   1. In the **Context** menu, select the desired authentication policy contract.

   2. In the **Access Token Manager** menu, select the JWT ATM that you configured in the previous procedure.

   3. Click **Add Mapping**.

2. On the **Attribute Sources & User Lookup** tab, click **Next**.

3. On the **Contract Fulfillment** tab, select a **Source** and **Value** to map into the `acr` and `amr` attributes in the **Contract** list.

   For example, to configure contract fulfillment for the `acr` attribute:

   1. In the **Source** list, select **Authentication Policy Contract**.

   2. In the **Value** list, select **acr**.

   3. Repeat for `amr` and any optional attributes that you extended the contract for in step 4 of [Configuring an adapter instance](pf_ms_eam_configuring_an_adapter_instance.html).

      * For the `amr` attribute, in the **Source** list, select **Authentication Policy Contract**, and in the **Value** list, select **amr**.

   4. Click **Next**.

   You can find more configuration information in [Configuring access token fulfillment](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_oauthuserkey2accesstokenmappingtasklet_oauthsource2targetmappingstate.html) in the PingFederate documentation.

4. (Optional) On the **Issuance Criteria** tab, configure the criteria for use with this token authorization.

   You can find more configuration information in [Defining issuance criteria for access token mapping](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_oauthuserkey2accesstokenmappingtasklet_oauthsource2targetissuancecriteriastate.html) in the PingFederate documentation.

5. On the **Summary** tab, click **Save**.
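
After saving both procedures, you can confirm the result by inspecting an issued access token. The following is an added example, not Ping Identity code: it checks that a token is a compact JWS signed with an RSA algorithm and carries non-empty `acr` and `amr` claims. It assumes the contract attributes appear as same-named claims in the JWT payload, uses constructed sample tokens, and does not verify the signature.

```python
import base64
import json

# JWA (RFC 7518) algorithm names that use an RSA key.
RSA_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}
REQUIRED_CLAIMS = ("acr", "amr")  # attributes added to the ATM contract


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_atm_token(token):
    """Return a list of problems; an empty list means the token looks right.

    Structural inspection only: the signature is NOT verified here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected 3 dot-separated segments)"]
    try:
        header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in RSA_ALGS:
        problems.append(f"alg {alg!r} is not an RSA JWS algorithm")
    if not parts[2]:
        problems.append("signature segment is empty")
    for name in REQUIRED_CLAIMS:
        value = claims.get(name)  # may be a string or a list of strings
        if not isinstance(value, (str, list)) or not value:
            problems.append(f"claim {name!r} is missing or empty")
    return problems


def _make(header, claims):
    """Build a constructed sample token with a placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"

# Constructed samples; all claim values are illustrative placeholders.
GOOD = _make({"alg": "RS256"}, {"acr": "example-acr", "amr": ["example-method"]})
NO_AMR = _make({"alg": "RS256"}, {"acr": "example-acr"})
WRONG_ALG = _make({"alg": "HS256"}, {"acr": "example-acr", "amr": "example-method"})
```

A missing `acr` or `amr` claim usually points back to the **Access Token Attribute Contract** or **Contract Fulfillment** tab.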
