---
title: Configuring PingAccess applications for Microsoft Entra ID
description: Configure PingAccess applications so they are accessible to users through the Microsoft Entra ID (formerly Microsoft Azure AD) MyApps portal.
component: pingaccess
version: 9.0
page_id: pingaccess:token_providers:pa_configuring_apps_for_azure
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/token_providers/pa_configuring_apps_for_azure.html
revdate: March 27, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
---

# Configuring PingAccess applications for Microsoft Entra ID

Configure PingAccess applications so they are accessible to users through the Microsoft Entra ID (formerly Microsoft Azure AD) [MyApps](https://myapps.microsoft.com) portal.

## Before you begin

* Install PingAccess and verify that you can access the [administrative console](../installing_and_uninstalling_pingaccess/pa_accessing_the_admin_console.html). Learn more about installing PingAccess in [Installing and Uninstalling PingAccess](../installing_and_uninstalling_pingaccess/pa_installing_and_uninstalling_pa.html).

  |   |                                                                                                                                                                               |
  | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
  |   | The default credential set should be changed upon first usage. The default credentials for your PingAccess installation are: Username: `Administrator`, Password: `2Access`. |

* Have a [Microsoft Entra ID](https://portal.azure.com) Premium account for access to the Application Proxy feature.

* Configure Microsoft Entra ID. You can find steps to configure Microsoft Entra ID in <https://docs.microsoft.com/azure/active-directory/application-proxy-ping-access>.

* [Configure](pa_configure_pa_to_use_azure_ad_as_the_token_provider.html) PingAccess to use Microsoft Entra ID as the token provider.

## About this task

For each application that you want to configure:

## Steps

1. Create a virtual host.

   Learn more about creating a virtual host in [Creating new virtual hosts](../pingaccess_user_interface_reference_guide/pa_creating_new_virtual_hosts.html).

   |   |                                                                                                     |
   | - | --------------------------------------------------------------------------------------------------- |
   |   | In a typical configuration for this solution, you will create a virtual host for every application. |

   1. Click **Applications**, then go to **Applications > Virtual Hosts**.

   2. Click **+ Add Virtual Host**.

   3. In the **Host** field, enter the FQDN portion of the Microsoft Entra ID **External URL**.

      ### Example:

      External URLs of `https://app-tenant.msappproxy.net/` and `https://app-tenant.msappproxy.net/AppName` will both have a **Host** entry of `app-tenant.msappproxy.net`.

   4. In the **Port** field, enter `443`.

   5. Click **Save**.

2. Create a web session.

   Learn more about creating a web session in [Creating web sessions](../pingaccess_user_interface_reference_guide/pa_creating_web_sessions.html).

   1. Click **Access**, then go to **Web Sessions > Web Sessions**.

   2. Click **+ Add Web Session**.

   3. In the **Name** field, enter a name for the web session.

   4. From the **Cookie Type** list, select your cookie type, either **Signed JWT** or **Encrypted JWT**.

   5. In the **Audience** field, enter a unique value.

   6. In the **Client ID** field, enter the Microsoft Entra ID application ID.

   7. From the **Client Credentials Type** list, select **Secret**.

   8. In the **Client Secret** field, enter the client secret you generated for the application in Microsoft Entra ID.

   9. **Optional:** To create and use custom claims with the Microsoft Entra ID GraphAPI, click **Advanced** and clear the **Request Profile** and **Refresh User Attributes** checkboxes.

      Learn more about using custom claims in [Optional - Use a custom claim](https://docs.microsoft.com/en-us/azure/active-directory/application-proxy-ping-access).

   10. Click **Save**.

3. Create an identity mapping.

   Learn more about creating an identity mapping in [Creating header identity mappings](../pingaccess_user_interface_reference_guide/pa_creating_header_identity_mappings.html).

   |   |                                                                                                                                       |
   | - | ------------------------------------------------------------------------------------------------------------------------------------- |
   |   | An identity mapping can be used with more than one application if more than one application is expecting the same data in the header. |

   1. Click **Access**, then go to **Identity Mappings > Identity Mappings**.

   2. Click **+ Add Identity Mapping**.

   3. In the **Name** field, enter a name.

   4. From the **Type** list, select **Header Identity Mapping**.

   5. In the **Attribute to Header Mapping** table, specify the required mappings.

      ### Example:

      | Attribute Name | Header Name         |
      | -------------- | ------------------- |
      | upn            | x-userprinciplename |
      | email          | x-email             |
      | oid            | x-oid               |
      | scp            | x-scope             |
      | amr            | x-amr               |

   6. Click **Save**.

4. Create a site.

   Learn more about creating a site in [Adding sites](../pingaccess_user_interface_reference_guide/pa_adding_sites.html).

   |   |                                                                                                                                               |
   | - | --------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | In some configurations, a site might contain more than one application. A site can be used with more than one application, where appropriate. |

   1. Click **Applications**, then go to **Sites > Sites**.

   2. Click **+ Add Site**.

   3. In the **Name** field, enter a name for the site.

   4. In the **Target** field, specify the target.

      The target is the `hostname:port` pair for the server hosting the application. Do not enter the path for the application in this field. For example, an application at `https://mysite:9999/AppName` will have a target value of `mysite:9999`.

   5. From the **Secure** list, select whether or not the target is expecting secure connections.

   6. Click **Save**.

5. Create an application in PingAccess for each application in Microsoft Entra ID that you want to protect.

   Learn more about creating an application in [Adding an application](../pingaccess_user_interface_reference_guide/pa_adding_an_app.html).

   1. Click **Applications**, then go to **Applications > Applications**.

   2. Click **+ Add Application**.

   3. In the **Name** field, enter a name for the application.

   4. In the **Description** field, enter a description for the application.

   5. In the **Context Root** field, specify the context root for the application.

      For example, an application at `https://mysite:9999/AppName` will have a context root of `/AppName`. If the application is on the root of the server, you can set the context root as `/`. The context root must begin with a slash (/), must not end with a slash (/), and can be more than one layer deep, for example, `/Apps/MyApp`.

   6. From the **Virtual Host** list, select the virtual host you created.

      |   |                                                                                |
      | - | ------------------------------------------------------------------------------ |
      |   | The combination of virtual host and context root must be unique in PingAccess. |

   7. From the **Application Type** list, select **Web**.

   8. From the **Web Session** list, select the web session you created.

   9. From the **Site** list, select the site you created that contains the application.

   10. From the **Web Identity Mapping** list, select the mapping you created.

   11. Select the **Enabled** checkbox to enable the site when you save.

   12. Click **Save**.
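
The **Host**, **Port**, **Target**, **Secure**, and **Context Root** values requested in the steps above all follow from two URLs: the Microsoft Entra ID External URL and the internal application URL. The following Python is an added example, not part of the PingAccess product or its documentation; the function names and dictionary keys are hypothetical labels rather than PingAccess API fields, and it assumes that an `https` internal URL means the target expects secure connections and that a missing port means the scheme default.

```python
from urllib.parse import urlsplit


def derive_pingaccess_values(external_url, internal_url):
    """Derive the Virtual Host, Site and Application field values from the
    Entra ID External URL and the internal application URL.
    Dict keys are illustrative labels, not PingAccess API field names."""
    ext, app = urlsplit(external_url), urlsplit(internal_url)
    if ext.scheme != "https" or not ext.hostname:
        raise ValueError("External URL must be an https URL with a host")
    if app.scheme not in ("http", "https") or not app.hostname:
        raise ValueError("internal URL must be an http(s) URL with a host")
    # Site target is hostname:port only; use the scheme default if no port given.
    port = app.port or (443 if app.scheme == "https" else 80)
    return {
        "virtual_host": {"host": ext.hostname, "port": 443},
        "site": {"target": f"{app.hostname}:{port}",
                 "secure": app.scheme == "https"},
        # Context root: leading slash, no trailing slash, "/" for the server root.
        "application": {"context_root": "/" + app.path.strip("/")},
    }


def find_conflicts(plans):
    """Return (virtual host, context root) pairs used more than once."""
    seen, dupes = set(), []
    for plan in plans:
        key = (plan["virtual_host"]["host"], plan["application"]["context_root"])
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


# Constructed sample input, reusing the example URLs from the steps above.
SAMPLE = [
    ("https://app-tenant.msappproxy.net/AppName", "https://mysite:9999/AppName"),
    ("https://app-tenant.msappproxy.net/", "http://mysite/Apps/MyApp/"),
    ("https://app-tenant.msappproxy.net/AppName/", "https://mysite:9999/AppName/"),
]

if __name__ == "__main__":
    plans = [derive_pingaccess_values(e, i) for e, i in SAMPLE]
    for plan in plans:
        print(plan)
    print("conflicts:", find_conflicts(plans))
```

The third sample entry differs from the first only by a trailing slash, so `find_conflicts` reports it as a duplicate virtual host and context root combination, which PingAccess requires to be unique.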
