---
title: Get started with PingAccess for Azure AD
description: Protect legacy on-premises applications using Microsoft Entra ID (formerly Microsoft Azure AD) and a limited version of PingAccess called PingAccess for Azure AD.
component: pingaccess
version: 9.0
page_id: pingaccess:token_providers:pa_get_started_with_pa_for_azure_ad
canonical_url: https://docs.pingidentity.com/pingaccess/9.0/token_providers/pa_get_started_with_pa_for_azure_ad.html
revdate: November 18, 2025
---

# Get started with PingAccess for Azure AD

Protect legacy on-premises applications using Microsoft Entra ID (formerly Microsoft Azure AD) and a limited version of PingAccess called PingAccess for Azure AD.

When planning for a successful deployment:

* Plan your deployment type and architecture

  Use the [Deployment reference guide](../reference_guides/pa_deployment_guide.html) to plan your deployment type and architecture. Learn about the differences between, and benefits of, a proxy deployment and an agent-based deployment, and decide whether to use one or a combination of both deployment types.

* Design and plan a PingAccess cluster

  Use the [Clustering reference guide](../reference_guides/pa_clustering_ref_guide.html) to design and plan your PingAccess cluster. For a high availability deployment, use a cluster that contains both a primary administrative node and a replica administrative node, along with additional engine nodes. For best performance, employ a [load balancing strategy](../pingaccess_user_interface_reference_guide/pa_load_balancing_strategies.html).

* Install PingAccess

  Ensure your systems meet the [System requirements](../installing_and_uninstalling_pingaccess/pa_installation_requirements.html#system-reqs) before you install PingAccess.

* Tune performance

  Use the [Performance tuning reference guide](../reference_guides/pa_performance_tuning.html) to configure your deployment for optimal performance.

* Configure logging

  [Configure logging](../configuring_and_customizing_pingaccess/pa_logging_configuration.html) so that you can monitor your PingAccess deployment and troubleshoot application issues.

* Configure the PingAccess token provider

  Configure PingAccess to use Microsoft Entra ID as the [token provider](pa_configure_pa_to_use_azure_ad_as_the_token_provider.html). Perform optional additional configuration that allows for communication with the [Azure AD Graph API](../pingaccess_user_interface_reference_guide/pa_configuring_token_provider_specific_options.html).

* Configure applications

  [Configure applications](#) to be made available by PingAccess to the Microsoft MyApps portal through Microsoft Entra ID using the Entra ID Application Proxy.

* Configure for dual internal and external secure access

  [Configure the solution](pa_apps_for_dual_access_with_azure_ad.html) so that applications are made securely available both externally through the Microsoft MyApps portal and internally through PingAccess for Azure AD.
