---
title: Adding Microsoft 365 to allow users to sign on using PingOne
description: Use the application catalog in PingOne to add Microsoft 365 to your application portal.
component: pingone
page_id: pingone:applications:p1_adding_microsoft_365
canonical_url: https://docs.pingidentity.com/pingone/applications/p1_adding_microsoft_365.html
revdate: May 21, 2025
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  choose-from: Choose from:
  next-steps: Next steps
---

# Adding Microsoft 365 to allow users to sign on using PingOne

Use the application catalog to add Microsoft 365 to your application portal and connect the application to a Microsoft Entra ID domain.

PingOne supports the Microsoft 365 passive and active profiles for single sign-on (SSO) *(tooltip: The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.)*:

* Passive profile

  Passive profile enables web browser SSO, where Microsoft 365 redirects the user's browser to PingOne for authentication, and the user provides their PingOne credentials.

  If the PingOne environment is configured with an [LDAP gateway](../integrations/p1_ldap_gateways.html), PingOne can validate the credentials against an on-premises LDAP server, such as Microsoft Active Directory (AD). If the LDAP gateway is configured with [Kerberos authentication](p1_enabling_kerberos_authentication.html), a domain-joined user can sign on to Microsoft 365 without being prompted, because PingOne accepts the user's Kerberos ticket in place of a password.

* Active profile

  Active profile allows a client application to collect the user's credentials itself and initiate an exchange with PingOne for a security token. The exchange uses the WS-Trust protocol, and the resulting token gives the user access to Microsoft 365. Because the client handles the credentials directly, there is no browser redirect to PingOne in this flow.

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If you plan to set up hybrid join to join users and devices to an existing on-premises AD deployment and sync them in the cloud with Microsoft Entra ID, now or later, follow the steps in [Setting up PingOne as the federated IdP for Microsoft Entra ID](../use_cases/p1_microsoft_entra_hybrid_join.html). You can configure PingOne to allow users to sign on to Microsoft 365 now and complete the hybrid join configuration at a later time. |

## Before you begin

You must have a Microsoft Azure account with a custom domain configured in Microsoft Entra ID as one of the following:

* Managed domain, where Entra ID is the identity provider (IdP) *(tooltip: A service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network.)* and manages authentication. In steps 12 to 14, you'll convert the domain to a federated domain and set up PingOne as the federated IdP for this domain.

* Federated domain, where Entra ID redirects users to a federated IdP for authentication. In steps 12 to 14, you'll update Entra ID to use PingOne as the federated IdP for this domain.

Learn more about domains in [Managing custom domain names](https://learn.microsoft.com/en-us/entra/identity/users/domains-manage) in the Entra ID documentation.

|   |                                                                                                                                                                                              |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Each Microsoft 365 custom domain requires a unique `IssuerURI` value. To set up PingOne as the federated IdP for multiple domains, you must add a Microsoft 365 application for each domain. |

## Steps

1. In the PingOne admin console, go to **Applications > Application Catalog**.

2. In the **Search for applications** bar, enter `Microsoft 365`.

3. Click the **Microsoft 365** entry to open the details panel.

4. On the **Quick Setup** page, review the following:

   * **Name** (optional): Enter a new name to replace the default application name.

   * **Icon** (optional): Select a new image to replace the default application icon.

   * **Domain Name**: Enter the `<Custom Domain>` value from your Entra ID account. You can find your custom domain in the Microsoft Entra admin center by going to **Identity > Settings > Domain Names**.

   * **Subject NameIdentifier Format**: Select the value in the list to use for the `Subject NameIdentifier` attribute in the WS-Federation security token.

     Possible values are `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` (default) or `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`.

     |   |                                                                                                               |
     | - | ------------------------------------------------------------------------------------------------------------- |
     |   | If the application is already configured, click **View in Applications list** to view the full configuration. |

5. Click **Next**.

6. On the **Map Attributes** page, select the PingOne attributes to map to the required `ImmutableID`, `Subject`, and `UPN` Microsoft 365 attributes.

   |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
   | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | **ImmutableID** uniquely identifies a user in Entra ID. After you configure federation with Entra ID, you can read a user's **ImmutableID** (the `OnPremisesImmutableId` property) by running the `Get-MgUser` command in PowerShell. Learn more about [Get-MgUser](https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.users/get-mguser) in the Microsoft documentation. For **Subject**, the mapping attribute defaults to **Email Address** but can be configured to a different value. For **UPN**, use an email address with a domain name that matches the domain name registered with Microsoft 365. |

   * If your user identities are stored in the PingOne Directory, use the default mapping of `ImmutableID` to `ExternalID`. `ExternalID` is the user's **User ID** in PingOne.

   * If the Microsoft 365 users were migrated into PingOne through the LDAP gateway from the on-premises AD that is synchronized to Entra ID, and the source of the `ExternalID` is `objectGUID` or `ms-DS-ConsistencyGuid`, add an expression to the mapping configuration so that the value is sent in the base64-encoded GUID form that Entra ID uses as the `sourceAnchor`:

     1. Locate the `ImmutableID` mapping.

     2. Click the **Gear** icon to open the **Advanced Expression** modal.

     3. Enter the following expression:

        ```
        #string.uuidAsBase64Guid(user.externalId,null)
        ```

        Learn more in [Using `ms-DS-ConsistencyGuid` as `sourceAnchor`](https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/plan-connect-design-concepts#using-ms-ds-consistencyguid-as-sourceanchor) in the Entra ID documentation.

     4. Click **Save**.

   * To create a custom PingOne user attribute instead of using `ExternalID`, map `objectGUID` or `ms-DS-ConsistencyGuid` as the attribute source:

     1. Locate the `ImmutableID` mapping.

     2. Click the **Gear** icon to open the **Advanced Expression** modal.

     3. Enter the following expression:

        ```
        #string.uuidAsBase64Guid(user.customAttrName,null)
        ```

        where `customAttrName` is the name of the custom PingOne user attribute. The second argument is the value returned when the attribute is empty; you can replace `null` with a custom value, such as an error string, so that an unmapped user fails visibly instead of being sent with an empty `ImmutableID`.

     4. Click **Save**.
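   The `ImmutableID` that Entra ID expects is the base64 encoding of the 16-byte `objectGUID` (or `ms-DS-ConsistencyGuid`) of the on-premises AD object, which is what Entra Connect writes as the `sourceAnchor`. The following PowerShell script is an added example, not code from the PingOne or Microsoft documentation: it derives that value from a GUID the same way, round-trips it, and then compares it with what Entra ID actually holds for a user, so you can confirm the mapping above emits a matching value before users sign on. The GUID, the UPN `jane.doe@example.com` and the function names are constructed for the example; `Get-MgUser` and `Connect-MgGraph` are the real Microsoft Graph PowerShell cmdlets.

   ```powershell
   # Added example (not from the PingOne or Microsoft docs): derive the Entra ID
   # ImmutableID from an AD objectGUID / ms-DS-ConsistencyGuid and compare it with
   # the value Entra ID stores for the user. Requires the Microsoft.Graph.Users module.
   # The GUID and UPN below are constructed placeholders.

   function ConvertTo-ImmutableId {
       param([Parameter(Mandatory)][guid]$Guid)
       # [guid]::ToByteArray() returns the mixed-endian layout stored in objectGUID,
       # which is the byte order Entra Connect base64-encodes as the sourceAnchor.
       [Convert]::ToBase64String($Guid.ToByteArray())
   }

   function ConvertFrom-ImmutableId {
       param([Parameter(Mandatory)][string]$ImmutableId)
       # Reverse direction: trace an Entra ID user back to its AD object GUID.
       [guid]::new([Convert]::FromBase64String($ImmutableId))
   }

   $objectGuid = [guid]'00112233-4455-6677-8899-aabbccddeeff'   # constructed sample value
   $expected   = ConvertTo-ImmutableId -Guid $objectGuid

   # Round-trip sanity check before touching the tenant.
   if ((ConvertFrom-ImmutableId -ImmutableId $expected) -ne $objectGuid) {
       throw 'ImmutableID round-trip failed'
   }

   # Compare with the value Entra ID holds. A read-only scope is enough here.
   Connect-MgGraph -Scopes 'User.Read.All'
   $user = Get-MgUser -UserId 'jane.doe@example.com' -Property 'UserPrincipalName', 'OnPremisesImmutableId'

   if ($user.OnPremisesImmutableId -eq $expected) {
       "OK: $($user.UserPrincipalName) ImmutableID matches objectGUID $objectGuid"
   } else {
       # A mismatch means the ImmutableID claim in the PingOne token will not match the
       # Entra ID object and federated sign-on for this user fails. Fix the PingOne
       # mapping (or the ExternalID source); do not edit the Entra ID value to fit.
       "MISMATCH for $($user.UserPrincipalName): Entra ID has '$($user.OnPremisesImmutableId)', mapping would send '$expected'"
   }
   ```

   Run the comparison for a handful of users from different OUs before assigning the application to everyone; a mapping that emits the plain UUID string instead of the base64 GUID form produces a token that Entra ID rejects for every synchronized user, and the symptom in Microsoft 365 is an unhelpful sign-in error rather than a mapping error.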

7. Click **Next**.

8. On the **Select Groups** page, click the name of the user groups that you want to have access to the application.

   You can browse or search for groups. Click the **Added** tab to see the groups that currently have access to the application.

   |   |                                                                                                                           |
   | - | ------------------------------------------------------------------------------------------------------------------------- |
   |   | By default, all users have access to the application. Assigning groups restricts application access to those groups only. |

9. Click **Save**.

10. Click the **View in Applications list** link.

11. On the **Overview** tab, locate the **Microsoft Graph PowerShell cmdlets**.

12. Copy the PowerShell cmdlets to configure PingOne as the federated IdP:

    ### Choose from:

    * **Entra managed domain**: Set up identity federation settings for the first time to use PingOne as the IdP:

      1. Locate the **Microsoft Graph PowerShell cmdlets**.

      2. Click the **Copy to clipboard** icon for the appropriate section.

    * **Entra federated domain**: Update existing identity federation settings to use PingOne as the IdP:

      1. Locate **Microsoft Graph PowerShell cmdlets**.

      2. Click the **Copy to clipboard** icon for the appropriate section.

    |   |                                                                    |
    | - | ------------------------------------------------------------------ |
    |   | You might have to scroll to the right to see the **Copy to clipboard** icon. |

13. Open Windows PowerShell.

14. In PowerShell, paste the copied commands and run them.

    Review the commands before running them: they contain the PingOne issuer URI, sign-in endpoints, and signing certificate that Entra ID will trust for every user in the domain. The commands change the domain's authentication type in Entra ID from managed to federated (or update the existing federation settings) so that Entra ID redirects sign-ons for the domain to PingOne. Learn more about the Microsoft cmdlets used in PingOne in the following topics in the Microsoft documentation:

    * [Connect-MgGraph](https://learn.microsoft.com/en-us/powershell/microsoftgraph/authentication-commands)

    * [New-MgDomainFederationConfiguration](https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/new-mgdomainfederationconfiguration)

    * [Update-MgDomainFederationConfiguration](https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/update-mgdomainfederationconfiguration)

15. On the **Policies** tab, click the **Pencil** icon ([icon: pencil, set=fa]) to add an authentication policy for the application.

    * If you have a DaVinci license, you can select a PingOne policy or DaVinci flow policy, but not both. If you don't have a DaVinci license, you'll see PingOne policies only.

    * To add a PingOne authentication policy, click the **PingOne Policies** tab. If the application was previously configured with a DaVinci flow policy, click **Deselect all other Policies** to remove it from the application and select the PingOne authentication policy you want to apply to the application.

    * To add a DaVinci flow policy, click the **DaVinci Policies** tab. If the application was previously configured with a PingOne authentication policy, click **Deselect all other Policies** to remove it from the application and select the DaVinci flow policy you want to apply to the application.

      Learn more in [Authentication policies for applications](p1_auth_policies_for_applications.html).

16. Click **Save**.
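The cmdlets you copy in step 12 and run in step 14 are generated for you, but it helps to know what they do and how to confirm the result. The following PowerShell script is an added example, not the commands PingOne generates: it shows the shape of the `New-MgDomainFederationConfiguration` and `Update-MgDomainFederationConfiguration` calls, chooses between them based on whether the domain is currently managed or federated, and checks the domain's authentication type before and after. Every URI, the certificate value, and the domain `example.com` are placeholders to be replaced with the values from the PingOne **Overview** tab; none of them is a real PingOne endpoint. The cmdlet names and parameter names are those of the Microsoft Graph PowerShell SDK.

```powershell
# Added example (not the cmdlets PingOne generates): federate a custom domain with
# PingOne and verify the change. Requires Microsoft.Graph.Identity.DirectoryManagement.
# All values in $pingOne are placeholders; copy the real ones from the PingOne Overview tab.

$domain  = 'example.com'
$pingOne = @{
    IssuerUri                       = 'https://PLACEHOLDER-ISSUER-URI-FROM-PINGONE'
    PassiveSignInUri                = 'https://PLACEHOLDER-PASSIVE-WS-FED-SIGNIN-URL'
    ActiveSignInUri                 = 'https://PLACEHOLDER-ACTIVE-WS-TRUST-URL'
    SignOutUri                      = 'https://PLACEHOLDER-SIGNOUT-URL'
    MetadataExchangeUri             = 'https://PLACEHOLDER-MEX-URL'
    SigningCertificate              = 'MII...PLACEHOLDER base64 DER of the PingOne signing certificate...'
    PreferredAuthenticationProtocol = 'wsFed'
    DisplayName                     = 'PingOne'
    # Controls whether Entra ID trusts an MFA claim issued by PingOne instead of
    # prompting again. 'enforceMfaByFederatedIdp' is the stricter setting once the
    # MFA claim from Next steps is configured; 'rejectMfaByFederatedIdp' ignores it.
    FederatedIdpMfaBehavior         = 'acceptIfMfaDoneByFederatedIdp'
}

# Domain.ReadWrite.All can redirect every user's sign-in; use a dedicated admin session.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

$before = Get-MgDomain -DomainId $domain
"Before: $domain AuthenticationType = $($before.AuthenticationType)"

if ($before.AuthenticationType -eq 'Managed') {
    # Managed domain: create the federation configuration (first-time setup).
    New-MgDomainFederationConfiguration -DomainId $domain @pingOne | Out-Null
} else {
    # Federated domain: update the existing configuration in place.
    $existing = Get-MgDomainFederationConfiguration -DomainId $domain
    Update-MgDomainFederationConfiguration -DomainId $domain `
        -InternalDomainFederationId $existing.Id @pingOne | Out-Null
}

# Verify: the domain must now be Federated and the trust must carry PingOne's issuer.
$after  = Get-MgDomain -DomainId $domain
$config = Get-MgDomainFederationConfiguration -DomainId $domain
"After:  $domain AuthenticationType = $($after.AuthenticationType)"
"Issuer = $($config.IssuerUri); MfaBehavior = $($config.FederatedIdpMfaBehavior)"

if ($after.AuthenticationType -ne 'Federated' -or $config.IssuerUri -ne $pingOne.IssuerUri) {
    throw "Federation for $domain did not take effect as expected"
}
```

From this point PingOne is the authentication authority for every user in the domain, so treat the PingOne signing certificate and admin roles with the same care as Entra ID Global Administrator. Keep at least one cloud-only administrator in the tenant's initial `.onmicrosoft.com` domain, which cannot be federated, so you can still sign in and revert the federation settings if PingOne becomes unavailable or misconfigured.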

## Next steps

* Add an MFA claim in the Microsoft 365 application to communicate to Entra ID that PingOne will handle MFA. Learn more in [Configuring an authentication claim for the Microsoft 365 application](p1_configure_authentication_claim_microsoft_365.html).

* After you configure the application, you can manage it in **Applications > Applications**.

* For passive profile sign-ons only, do the following as needed:

  * [Fine-tune the assertion validity duration](p1_fine-tuning_assertion_validity_duration.html).

  * [Set the WS-Trust version](p1_setting_ws-trust_version.html).
