---
title: Configuring an authentication claim for the Microsoft 365 application
description: If you set up a Microsoft 365 application to connect to a Microsoft Entra ID domain, PingOne is the federated identity provider (IdP) for users of the domain, and Entra ID redirects users to PingOne for authentication.
component: pingone
page_id: pingone:applications:p1_configure_authentication_claim_microsoft_365
canonical_url: https://docs.pingidentity.com/pingone/applications/p1_configure_authentication_claim_microsoft_365.html
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result
---

# Configuring an authentication claim for the Microsoft 365 application

If you set up a [Microsoft 365 application](p1_adding_microsoft_365.html) to connect to a Microsoft Entra ID domain, PingOne is the federated identity provider (IdP) *(tooltip: \<div class="paragraph">
\<p>A service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network.\</p>
\</div>)* for users of the domain, and Entra ID redirects users to PingOne for authentication.

When users complete multi-factor authentication (MFA) *(tooltip: \<div class="paragraph">
\<p>An electronic authentication method where a user is granted access only after presenting two or more verification factors for authentication.\</p>
\</div>)* with the federated IdP, such as PingOne, Entra ID expects the IdP to send an MFA claim to Entra ID to communicate that authentication has been completed. Add an MFA claim in the Microsoft 365 application in PingOne for Entra ID to consider MFA fulfilled.

|   |                                                                                                                                                           |
| - | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | External MFA, formerly known as external authentication methods (EAMs), in Entra ID isn't required when the users reside in an Entra ID federated domain. |

## Before you begin

* Add Microsoft 365 to the application catalog and and complete the PowerShell cmdlets to set up PingOne as the federated IdP for the domain in Entra ID. Learn more in [Adding Microsoft 365 to allow users to sign on using PingOne](p1_adding_microsoft_365.html).

* Review [Using WS-Fed or SAML 1.1 federated IdP](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-expected-inbound-assertions#using-ws-fed-or-saml-11-federated-idp) in the Entra ID documentation.

## Steps

1. In the PingOne admin console, go to **Applications > Applications** and click the **Microsoft 365 application** in the **Applications** list.

2. On the **Attribute Mappings** tab, click the **Pencil** icon ([icon: pencil, set=fa]).

3. Add a new attribute for the authentication method:

   1. Click **+ Add**.

   2. In the **Attributes** field, enter `authenticationmethod`.

   3. Click the **More Options** (⋮) icon and click **Update NameFormat**.

   4. In the **NameFormat** list, select **http\://schemas.microsoft.com/ws/2008/06/identity/claims**.

   5. Click **Update**.

   6. Click the **Gear** icon ([icon: gear, set=fa]) to open the **Advanced Expression** modal.

   7. Enter `"http://schemas.microsoft.com/claims/multipleauthn"` (with the quotation marks).

      ![A screen capture of the Microsoft 365 Editing Attribute Mappings modal with a new attribute for authenticationmethod.](_images/p1_microsoft_365_authentication_method_attribute.png)

   8. Click **Save**.

4. On the **Attribute Mappings** tab, click **Save**.

## Result

Assertions from PingOne include the `authenticationmethod` attribute with the correct `AttributeNamespace` and `AttributeValue` attributes, and Entra ID honors the MFA status of the authenticated users from PingOne.