PingOne

Editing an application for the Microsoft Entra ID external authentication method

To use PingOne as the external authentication method (EAM) that provides multi-factor authentication (MFA) for Microsoft Entra ID, you also need to add Microsoft Entra ID as an external identity provider in PingOne.

With Microsoft Entra ID configured as the identity provider (IdP), you can configure external authentication methods that users complete as their second factor.

When a user attempts to access an application configured in Microsoft Entra, the user authenticates first with Microsoft Entra ID and is then redirected to a third-party MFA provider, such as PingOne, for the second factor. The provider returns the result to Entra, including the MFA method that was used.

To use PingOne as an external authentication method for Microsoft Entra, you must configure an OIDC application in PingOne to handle the authentication requests that Microsoft Entra ID sends.

Before you begin

  1. Make sure you have a PingOne organization and environment with PingOne SSO and PingID added. Learn more in Creating a new PingID environment in PingOne.

  2. Register an application in Microsoft Entra for the PingOne external authentication method. Learn more in Manage an external authentication method in the Microsoft Entra documentation.

    1. Copy the application (client) ID to a secure location. You'll enter it as the App ID when you create the external authentication method in Microsoft Entra.

  3. Create an external identity provider (IdP) connection in PingOne.

Configuring the OIDC application

Steps

  1. In PingOne, go to Applications → Applications.

  2. Click the + icon to add an application.

  3. Enter the following:

    1. Application name: A unique identifier for the application.

    2. Description (optional): A brief characterization of the application.

    3. Icon (optional): A graphic representation of the application. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format.

  4. For Application Type, select OIDC Web App.

  5. Click Save.

  6. On the Configuration tab, click the Pencil icon, and enter or edit the following:

    1. For Response Type, clear the default Code checkbox and select ID Token.

    2. For Grant Type, clear the default Authorization Code checkbox and select Implicit.

    3. For Redirect URIs, enter https://login.microsoftonline.com/common/federation/externalauthprovider.

      The Microsoft Entra external authentication method protocol uses the implicit flow: Entra requests response_type=id_token and receives the ID token by form POST at this Entra endpoint. Keep this application dedicated to Entra, with only this redirect URI and no additional response or grant types, so the ID token cannot be returned anywhere else.

    4. Click Save.

  7. On the Policies tab, click Add policies.

  8. On the PingOne Policies tab, select the authentication policy that you created for users to authenticate with using PingOne as the external authentication method for Microsoft Entra. Learn more in Adding an external identity provider sign-on step.

  9. Click Save.

  10. In the Applications list, click the application’s toggle to enable it.

  11. Click the application entry to open the details panel.

  12. On the Configuration tab, copy the following PingOne application details to add in the Microsoft Entra admin center:

    • Expand the URLs section and copy the OIDC Discovery Endpoint to a secure location.

    • In the General section, copy the Client ID to a secure location.

Creating an external authentication method in Microsoft Entra

After creating the OIDC application in PingOne and copying the application ID, OIDC discovery endpoint, and client ID, you’ll need to create an external authentication method in Microsoft Entra.

Steps

  1. Go to the Microsoft Entra admin center.

  2. On the left, go to Protection > Authentication methods.

  3. Click App external method.

  4. Enter the following:

    1. Name: Enter a name for the external authentication method.

    2. Client ID: Enter your PingOne application’s client ID that you copied earlier.

    3. Discovery Endpoint: Enter the OIDC Discovery Endpoint that you copied earlier. The format is <issuer>/as/.well-known/openid-configuration; for a PingOne environment this is https://auth.pingone.com/<environment ID>/as/.well-known/openid-configuration, with a different host in the EU, Asia-Pacific, and Canada regions.

    4. App ID: Enter the application (client) ID of the Microsoft Entra application that you copied in Before you begin. You can find it on the application's overview page in the Microsoft Entra admin center.

  5. Click Request permission.

    The browser opens a new window for you to sign on with your Microsoft Entra admin credentials.

  6. Review the requested permissions and click Accept if you agree.

  7. In the Enable and target section, configure whether you want to include a subset of your users or all users.

  8. Click the Enable toggle to enable the external authentication method.
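The two procedures above configure both ends of the same OIDC exchange. The following script, added here as an example and not PingOne or Microsoft code, checks a discovery document for the settings Entra needs (ID Token response type, form_post response mode, RS256 signing), builds the authorization request in the shape Entra sends to PingOne, and applies the claim checks Entra performs on the ID token PingOne posts back. The request parameters and the acr/amr claim requirements follow the Microsoft external authentication method provider reference as we understand it; confirm them against the current Microsoft documentation. The environment ID, client ID, nonce, state, and the sample discovery document are constructed placeholders.

```python
"""Pre-flight checks for a PingOne OIDC app used as a Microsoft Entra external
authentication method (EAM). Added example, not PingOne or Microsoft code.
Request parameters and claim requirements follow the Microsoft EAM reference as
we understand it; environment ID, client ID and discovery document are constructed."""
import json
import sys
import time
from urllib.parse import urlencode
from urllib.request import urlopen

ENTRA_EAM_REDIRECT = "https://login.microsoftonline.com/common/federation/externalauthprovider"

# Claims Entra asks the provider for: the id_token must name the method actually used.
EAM_CLAIMS_REQUEST = {
    "id_token": {
        "acr": {"essential": True, "values": ["possessionorinherence"]},
        "amr": {"essential": True, "values": ["face", "fido", "fpt", "hwk", "iris", "otp",
                                             "pop", "retina", "sc", "sms", "swk", "tel", "vbm"]},
    }
}

# Constructed sample shaped like a PingOne discovery document (placeholder environment ID).
ENV = "00000000-0000-0000-0000-000000000000"
SAMPLE_ISSUER = f"https://auth.pingone.com/{ENV}/as"
SAMPLE_DISCOVERY_URL = f"{SAMPLE_ISSUER}/.well-known/openid-configuration"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": f"{SAMPLE_ISSUER}/authorize",
    "jwks_uri": f"{SAMPLE_ISSUER}/jwks",
    "response_types_supported": ["code", "id_token", "token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def check_discovery(doc, discovery_url):
    """Return the problems that would stop Entra from using this discovery endpoint."""
    problems = []
    issuer = doc.get("issuer", "").rstrip("/")
    if not issuer or not discovery_url.startswith(issuer + "/"):
        problems.append(f"discovery URL is not under issuer {issuer!r}")
    if not discovery_url.endswith("/.well-known/openid-configuration"):
        problems.append("discovery URL must end with /.well-known/openid-configuration")
    needed = {
        "response_types_supported": "id_token",        # Response Type: ID Token
        "response_modes_supported": "form_post",       # Entra receives the id_token by POST
        "id_token_signing_alg_values_supported": "RS256",
    }
    for key, value in needed.items():
        if value not in doc.get(key, []):
            problems.append(f"{key} does not advertise {value!r}")
    for key in ("authorization_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith("https://"):
            problems.append(f"{key} is missing or not https")
    return problems


def build_eam_request(doc, client_id, id_token_hint, nonce, state):
    """The authorization request Entra sends to PingOne (same shape, placeholder values)."""
    params = {
        "client_id": client_id,
        "scope": "openid",
        "response_type": "id_token",           # implicit flow: no code exchange
        "response_mode": "form_post",
        "redirect_uri": ENTRA_EAM_REDIRECT,    # must match the app's single redirect URI
        "id_token_hint": id_token_hint,        # Entra-signed token identifying the user
        "nonce": nonce,
        "state": state,
        "claims": json.dumps(EAM_CLAIMS_REQUEST, separators=(",", ":")),
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def check_id_token_claims(claims, client_id, issuer, nonce, now=None):
    """Claim checks Entra applies to the id_token PingOne posts back.
    Signature verification against jwks_uri is omitted here (no keys offline)."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the discovery issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud is not the PingOne client ID")
    if claims.get("nonce") != nonce:
        problems.append("nonce does not match the request")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp missing or token expired")
    if claims.get("acr") != "possessionorinherence":
        problems.append("acr must be 'possessionorinherence'")
    allowed = set(EAM_CLAIMS_REQUEST["id_token"]["amr"]["values"])
    if not set(claims.get("amr") or []) & allowed:
        # A PingID bypass yields no real method here, which is why Entra rejects bypasses.
        problems.append("amr must name the MFA method actually used")
    return problems


if __name__ == "__main__":
    # Pass your real discovery endpoint to check a live environment; no argument uses the sample.
    url = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_DISCOVERY_URL
    doc = json.load(urlopen(url)) if len(sys.argv) > 1 else SAMPLE_DISCOVERY
    for line in check_discovery(doc, url) or ["discovery document OK"]:
        print(line)
    print(build_eam_request(doc, "<client id>", "<id_token_hint from Entra>", "n-1", "s-1"))
```

Run it with your environment's discovery endpoint as the only argument to check the live document; the claim checks are the reason a PingID bypass cannot satisfy Entra, since a bypassed sign-on produces no method to report in amr.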

Creating a conditional access policy in Microsoft Entra

Configure a conditional access policy in Microsoft Entra to define authentication requirements for users accessing applications.

Steps

  1. Go to the Microsoft Entra admin center.

  2. On the left, go to Protection > Conditional Access.

  3. Click Policies.

  4. Update an existing policy or create a new policy.

  5. Configure the following:

    1. Name: Enter a name.

    2. Users: Select the same users and groups you selected in Creating an external authentication method in Microsoft Entra.

    3. Target resources: Select the applications to which you want to apply this conditional access policy.

    4. Grant:

      1. Click Grant access.

      2. Select the Require multifactor authentication checkbox.

      3. Click Select.

    5. Enable policy: Select On to turn on the policy.

  6. Click Save.
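The same policy can be created through Microsoft Graph, which is useful when you manage conditional access as code or roll the requirement out to several tenants. The script below is an added example, not Microsoft or Ping code: it builds the conditionalAccessPolicy body that mirrors the admin-center steps above (targeted users and applications, Grant access with Require multifactor authentication) and runs two review checks before the policy is posted. The group, application and user IDs and the access token are placeholders; starting in the report-only state and switching to "enabled" after reviewing sign-in logs is our recommended rollout, not a step on this page.

```python
"""Microsoft Graph equivalent of the conditional access policy steps above.
Added example, not Microsoft or Ping code; IDs and token are placeholders."""
import json
from urllib.request import Request, urlopen

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
VALID_STATES = {"enabled", "disabled", "enabledForReportingButNotEnforced"}


def build_mfa_policy(name, target_apps, include_groups=(), include_users=(),
                     exclude_users=(), state="enabledForReportingButNotEnforced"):
    """Return the policy body: targeted users and apps, grant access with MFA required."""
    if state not in VALID_STATES:
        raise ValueError(f"state must be one of {sorted(VALID_STATES)}")
    if not target_apps or not (include_groups or include_users):
        raise ValueError("policy must target at least one application and one user or group")
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": list(include_users),
                "includeGroups": list(include_groups),
                "excludeUsers": list(exclude_users),   # keep emergency-access accounts out
            },
            "applications": {"includeApplications": list(target_apps)},
        },
        # "Grant access" with the "Require multifactor authentication" control selected
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def policy_warnings(body):
    """Lockout and scope checks a reviewer applies before enabling the policy."""
    warnings = []
    users = body["conditions"]["users"]
    if "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
        warnings.append("targets all users with no excluded emergency-access account")
    if "mfa" not in body["grantControls"].get("builtInControls", []):
        warnings.append("grant controls do not require MFA")
    return warnings


def create_policy(body, access_token):
    """POST the policy to Graph; the token needs Policy.ReadWrite.ConditionalAccess."""
    req = Request(GRAPH_CA_POLICIES, data=json.dumps(body).encode(), method="POST",
                  headers={"Authorization": f"Bearer {access_token}",
                           "Content-Type": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_mfa_policy(
        "Require PingOne MFA",
        target_apps=["<application object ID>"],
        include_groups=["<group ID used for the external authentication method>"],
        exclude_users=["<emergency-access account ID>"],
    )
    print(json.dumps(policy, indent=2))
    for warning in policy_warnings(policy):
        print("WARNING:", warning)
    # create_policy(policy, "<access token>")  # uncomment with a real token to create it
```

Use the same group you targeted when enabling the external authentication method so the conditional access policy and the method cover the same users.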

Configuring PingID as the external authentication method

Configure a PingID policy to process user MFA requests coming from the PingOne application that you created to handle Microsoft Entra requests.

Steps

  1. In the PingID admin portal, go to Setup > PingID and click the Configuration tab.

    If you selected Enable for Enforce Policy, you might need to create an additional PingID policy. Learn more in the next step.

  2. Click the Policy tab, and on the Web tab, expand and review each policy.

    Microsoft Entra ID does not accept an MFA bypass from an external authentication method and requires that the user always be prompted to complete MFA. If you have a policy that can apply to all applications and that has a rule with an action of Approve, you must create a new policy for the PingOne application so that the Approve rule is never applied to Entra requests. Examples of such rules include Recent Authentication and Accessing from Company Network.

    A screen capture of a PingID policy that has a rule with an action of Approve for Recent Authentication.

    1. To add a new policy, click Add Policy.

    2. Enter a name for the policy, such as EAM PingID policy.

    3. In the Target section, select the PingOne application that you previously created in the Applications list.

    4. For Groups, select all applicable groups.

    5. (Optional) Under Allowed Methods, select the authentication methods you want to allow.

    6. Click Save.

      A screen capture of a new PingID policy with the PingOne Entra application selected.

      Result:

      The new policy becomes the first PingID policy, which works as a Microsoft Entra ID external authentication method. PingID will use this new policy when processing MFA requests coming from the PingOne application that you created to handle Microsoft Entra ID requests.

  3. (Optional) If a user has forgotten or lost their mobile phone and cannot use the PingID app for MFA, you can allow the user to bypass MFA with PingID for a specified period of time, such as 8 hours.

    1. In PingOne, go to Directory → Users.

    2. Browse or search for the applicable user, and click the user entry to open the details panel.

    3. In the list for the Services tab, select Authentication.

    4. Scroll down to the Integrations section, click the More Options icon, and select Bypass.

    5. In the Bypass window, select the desired amount of time from the Allow bypass of PingID authentication on SSO for list and click Bypass.

      A PingID bypass on its own does not satisfy the Microsoft Entra requirement. Microsoft Entra ID requires the third-party MFA provider to report the MFA method that was used, and a bypass is not an acceptable MFA method, so the Entra sign-in still fails. You must also handle the user in the Microsoft Entra admin center, for example by temporarily excluding the user from the conditional access policy that requires MFA. Learn more about configuring conditional access in the Microsoft Entra documentation.