Adding Microsoft 365 to the PingOne application portal
Use the application catalog to add Microsoft 365 to your application portal and connect the application to a Microsoft Entra ID domain.
PingOne supports the Microsoft 365 passive and active profiles for single sign-on (SSO):
- Passive profile: enables web browser SSO, where Microsoft 365 redirects the user’s browser to PingOne for authentication, and the user provides their PingOne credentials.
  If the PingOne environment is configured with an LDAP gateway, PingOne can validate the credentials against an on-premise LDAP server, such as Microsoft Active Directory (AD). If the LDAP gateway is configured with Kerberos authentication, the user can sign on seamlessly to Microsoft 365 using the Kerberos protocol.
- Active profile: allows an application to collect the user’s credentials and initiate an exchange with PingOne for a security token. The exchange uses the WS-Trust protocol to allow the user to access Microsoft 365.
Before you begin
You must have a Microsoft Azure account with a custom domain configured in Microsoft Entra ID as either of the following:
- Managed domain, where Entra ID is the identity provider (IdP) and manages authentication. In step 12, you’ll change the domain to a federated domain and set up PingOne as the federated IdP for this domain.
- Federated domain, where Entra ID redirects users to a federated IdP for authentication. In step 12, you’ll update Entra ID to use PingOne as the federated IdP for this domain.
Learn more about domains in Managing custom domain names in the Entra ID documentation.
Each Microsoft 365 custom domain requires a unique |
Steps
1. In the PingOne admin console, go to Applications > Application Catalog.
2. In the Search for applications bar, enter Microsoft 365.
3. Click the Microsoft 365 entry to open the details panel.
4. On the Quick Setup page, review the following:
   - Name (optional): Enter a new name to replace the default application name.
   - Icon (optional): Select a new image to replace the default application icon.
   - Domain Name: Enter the <Custom Domain> value from your Entra ID account. You can find your <Custom Domain> in the Microsoft Entra admin center by going to Identity > Settings > Domain Names.
   - Subject NameIdentifier Format: Select the value in the list to use for the Subject NameIdentifier attribute in the WS-Federation security token. Possible values are urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress (default) or urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
   If the application is already configured, click View in Applications list to view the full configuration.
5. Click Next.
6. On the Map Attributes page, select the PingOne attributes to map to the required ImmutableID, Subject, and UPN Microsoft 365 attributes.
   ImmutableID uniquely identifies a user in Entra ID. You can find the ImmutableID value by running the Get-MsolUser command in PowerShell after you configure federation with Entra ID. Learn more about Get-MsolUser in the Microsoft documentation.
   For Subject, the mapping attribute defaults to Email Address but can be configured to a different value.
   For UPN, use an email address with a domain name that matches the domain name registered with Microsoft 365.
   - If your user identities are stored in the PingOne Directory, use the default mapping of ImmutableID to ExternalID. ExternalID is the user’s User ID in PingOne.
   - If the Microsoft 365 users are migrated into PingOne from Entra ID through the LDAP gateway, and the source of the ExternalID is objectGUID or ms-DS-ConsistencyGuid, add an expression to the mapping configuration:
     - Locate the ImmutableID mapping.
     - Click the Gear icon to open the Advanced Expression modal.
     - Enter the following expression:
       #string.uuidAsBase64Guid(user.externalId,null)
       Learn more in Using ms-DS-ConsistencyGuid as sourceAnchor in the Entra ID documentation.
     - Click Save.
   - You can create a custom PingOne user attribute instead of using ExternalID. Map objectGUID or ms-DS-ConsistencyGuid as the attribute source:
     - Locate the ImmutableID mapping.
     - Click the Gear icon to open the Advanced Expression modal.
     - Enter the following expression:
       #string.uuidAsBase64Guid(user.customAttrName,null)
       where customAttrName represents the custom PingOne user attribute. You can also replace null with a custom value, such as an error.
     - Click Save.
7. Click Next.
8. On the Select Groups page, click the name of the user groups that you want to have access to the application. You can browse or search for groups. Click the Added tab to see the groups that currently have access to the application.
   By default, all users have access to the application. Assigning groups restricts application access to those groups only.
9. Click Save.
10. Click the View in Applications list link.
11. On the Overview tab, determine which cmdlets to use:
    Choose from:
    - If you’ve upgraded to Graph PowerShell, locate the Microsoft Graph PowerShell cmdlets.
    - If you haven’t upgraded to Graph PowerShell, locate the MSOnline cmdlets.
12. Execute PowerShell cmdlets to configure PingOne as the federated IdP:
    Choose from:
    - Entra managed domain: Set up identity federation settings for the first time to use PingOne as the IdP.
      - Locate either Microsoft Graph PowerShell cmdlets or MSOnline cmdlets, depending on your configuration.
      - Click the Copy to clipboard icon for the appropriate section.
    - Entra federated domain: Update existing identity federation settings to use PingOne as the IdP.
      - Locate either Microsoft Graph PowerShell cmdlets or MSOnline cmdlets, depending on your configuration.
      - Click the Copy to clipboard icon for the appropriate section.
        You might have to scroll to the right to see the Copy to clipboard icon.
        You might have to collapse the Microsoft Graph PowerShell cmdlets entry to see the MSOnline cmdlets entry.
13. Open Windows PowerShell.
14. In PowerShell, paste the copied commands and run them.
    These commands update the domain authentication in Entra ID to SSO. Learn more about the Microsoft cmdlets that are used in PingOne in the following topics in the Microsoft documentation:
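The ImmutableID mapping in step 6 hinges on one detail: Entra ID stores the ImmutableID as a base64 encoding of the GUID's 16 bytes in .NET byte order (the first three fields little-endian), not of its textual hex form. The following Python is an added example, not PingOne's or Microsoft's code; it reproduces that conversion so the value PingOne emits for a user can be compared with the Get-MsolUser output, and assumes that #string.uuidAsBase64Guid applies this same byte order and that its second argument is the value returned when the source attribute is empty or invalid.

```python
"""Added example: compute and decode the base64 GUID used as the Entra ID
ImmutableID, mirroring what the mapping expression
#string.uuidAsBase64Guid(user.externalId,null) is assumed to produce."""
import base64
import uuid
from typing import Optional


def uuid_as_base64_guid(value: Optional[str], fallback: Optional[str] = None) -> Optional[str]:
    """Convert a UUID string (an AD objectGUID or ms-DS-ConsistencyGuid rendered
    as text) to the base64 ImmutableID form that Entra ID stores.

    Entra ID's ImmutableID is Convert.ToBase64String(guid.ToByteArray()); .NET's
    ToByteArray() emits the first three GUID fields little-endian, which is
    Python's UUID.bytes_le. Base64 of the plain hex text would NOT match.
    `fallback` plays the role of the expression's second argument (assumed
    semantics): returned when the source attribute is missing or malformed.
    """
    if not value:
        return fallback
    try:
        guid = uuid.UUID(value)
    except ValueError:
        return fallback
    return base64.b64encode(guid.bytes_le).decode("ascii")


def base64_guid_as_uuid(immutable_id: str) -> str:
    """Reverse direction: turn an ImmutableID back into UUID text, so an admin
    can tell which directory object a federated user is anchored to."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID must decode to exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


if __name__ == "__main__":
    # Constructed sample objectGUID; not a real directory object.
    sample = "12345678-9abc-def0-1234-56789abcdef0"
    iid = uuid_as_base64_guid(sample)
    print(sample, "->", iid)                 # -> eFY0Erya8N4SNFZ4mrze8A==
    print(iid, "->", base64_guid_as_uuid(iid))
```

Run the mapped user's ImmutableID through base64_guid_as_uuid and compare it with the objectGUID or ms-DS-ConsistencyGuid in AD; a mismatch usually means the wrong source attribute or the wrong byte order.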
Next steps
- You can optionally enable Kerberos authentication for Microsoft 365 applications. Learn more in Enabling Kerberos authentication.
- Add an MFA claim in the Microsoft 365 application for PingOne to communicate to Entra ID that PingOne will handle MFA. Learn more in Configuring an authentication claim for the Microsoft 365 application.
- After you configure the application, you can manage it from Applications > Applications. Learn more in Editing an application.