---
title: Configuring token provider-specific options
description: Configure plugins that perform particular functions for the selected token provider type.
component: pingaccess
version: 9.0
page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_configuring_token_provider_specific_options
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_configuring_token_provider_specific_options.html
revdate: February 6, 2023
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
---

# Configuring token provider-specific options

Configure plugins that perform particular functions for the selected token provider type.

## Before you begin

In order to configure these options, you must first perform the steps detailed in [Creating Azure AD Graph API applications](pa_creating_azure_ad_graph_api_apps.html).

## About this task

In the case of the PingAccess for Azure AD solution, the plugin addresses the following problems:

* Data Transformation— The data returned from the OpenID Connect (OIDC) UserInfo endpoint uses some unexpected JavaScript Object Notation (JSON) formatting. The plugin transforms this data into a format that PingAccess can easily process.

* Azure AD Graph application programming interface (API) usage— If the **groups** attribute contains more than 200 groups, the `id_token` contains a level of indirection that points to a Uniform Resource Locator (URL) in the Azure AD Graph API. Through the creation of a simple purpose-driven application, you can communicate with the Azure AD Graph API to retrieve the complete list of groups.

* Retrieving group display names— The **groups** attribute is a list of GUIDs. The groups for a user are only provided as GUIDs since user-friendly names for Azure AD groups are not globally unique. Configure the Graph API call to include the group names along with the GUID for creation of more robust policies.

## Steps

1. Click **Settings**, then go to **System > Token Provider > Common > OpenID Connect**.

   1. Go to **Settings > System > Token Provider** and select **Common Token Provider**.

2. Go to the **Token Provider Specific Options** section.

3. From the **Type** list, select **Azure Active Directory**.

4. To extend the attributes for a web session, select the **Use Azure AD Graph API** check box.

5. In the **Client ID** field, enter the application ID you copied from the Azure AD API application you created.

6. In the **Client Secret** field, paste the key you copied. Select **Retrieve Group Display Names**.

   Note: To retrieve group data for a particular application in the token, the manifest for that application must be modified to include a group membership claim. In the **App Registrations** blade, select the application and click the **Manifest** button. Locate the `groupMembershipClaims` API, select the following permission, and enter a group type, such as `SecurityGroup`.

7. Select **Cache Group Display Names** to instruct PingAccess to cache display names retrieved from the Azure AD Graph API.

8. In the **Display Name Cache Max Age (s)** field, enter the number of seconds to cache group display names if caching is enabled. Click **Save**.
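
The group overage indirection from "About this task" and the display-name caching from steps 7 and 8, sketched as an added example; this is not PingAccess code. It assumes the Azure AD `_claim_names`/`_claim_sources` overage claims and the `graph.windows.net` host, and the class, function, and callback names (`fetch_groups`, `fetch_name`) are hypothetical stand-ins for the Graph API calls.

```python
import time
from urllib.parse import urlparse

# Assumption: the Azure AD Graph host. The pointer is only followed to this host.
ALLOWED_GRAPH_HOSTS = {"graph.windows.net"}
# Constructed sample claims, not real tenant data.
INLINE = {"sub": "u1", "groups": ["guid-a", "guid-b"]}
OVERAGE = {"sub": "u2", "_claim_names": {"groups": "src1"},
           "_claim_sources": {"src1": {
               "endpoint": "https://graph.windows.net/TENANT/users/OID/getMemberObjects"}}}

class DisplayNameCache:
    """GUID -> display name; entries expire after max_age seconds."""
    def __init__(self, max_age, clock=time.monotonic):
        self.max_age, self.clock, self._store = max_age, clock, {}

    def get(self, guid):
        hit = self._store.get(guid)
        if hit and self.clock() - hit[1] < self.max_age:
            return hit[0]
        self._store.pop(guid, None)  # expired or absent
        return None

    def put(self, guid, name):
        self._store[guid] = (name, self.clock())

def overage_endpoint(claims):
    """Return the URL the token points to when groups were omitted, else None."""
    source = claims.get("_claim_names", {}).get("groups")
    if source is None:
        return None
    url = claims.get("_claim_sources", {}).get(source, {}).get("endpoint")
    parsed = urlparse(url or "")
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_GRAPH_HOSTS:
        raise ValueError(f"unexpected groups endpoint: {url!r}")
    return url

def resolve_groups(claims, fetch_groups, fetch_name, cache):
    """Return {guid: display_name}, following the overage pointer if present."""
    url = overage_endpoint(claims)
    guids = fetch_groups(url) if url else claims.get("groups", [])
    named = {}
    for guid in guids:
        name = cache.get(guid)
        if name is None:  # cache miss: one Graph lookup, then reuse
            name = fetch_name(guid)
            cache.put(guid, name)
        named[guid] = name
    return named
```

A policy that reads only the inline `groups` claim sees no groups at all for a user in the overage case, so group-based rules written against that claim need the lookup path to be configured.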
