Editing an application for the Microsoft Entra ID external authentication method
If you want to connect PingOne as the external authentication provider for multi-factor authentication (MFA) in Entra ID, you also need to add a Microsoft identity provider.
With Microsoft Entra ID configured as the identity provider (IdP), you can configure external authentication methods (EAMs) for users to authenticate with for second-factor authentication.
When a user attempts to access an application configured in Microsoft Entra, the user authenticates first with Microsoft Entra ID and then is redirected to a third-party MFA provider, such as PingOne, for second-factor authentication.
To use PingOne as an EAM for Microsoft Entra, you must configure an OpenID Connect (OIDC) application to handle authentication requests from Microsoft Entra ID.
Before you begin
- Set up a connection to Microsoft to support an EAM in Microsoft Entra ID.
- Copy the application (client) ID of the application that you registered in Entra ID to a secure location. Learn more in Getting the client ID and client secret for your application and the tenant ID of your Entra tenant.
- Add the Microsoft IdP to an authentication policy followed by an MFA step. Learn more in Adding an external identity provider sign-on step.
Configuring the OIDC application
Configure an OIDC application to handle authentication requests from Microsoft Entra ID.
Steps
- In PingOne, go to Applications > Applications.
- Click to add an application.
- Enter the following:
  - Application name: A unique identifier for the application.
  - Description (optional): A brief characterization of the application.
  - Icon (optional): A graphic representation of the application. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format.
- For Application Type, select OIDC Web App.
- Click Save.
- On the Configuration tab, click the Pencil icon, and enter or edit the following:
  - For Response Type, clear the default Code checkbox and select ID Token.
  - For Grant Type, clear the default Authorization Code checkbox and select Implicit.
  - For Redirect URIs, enter https://login.microsoftonline.com/common/federation/externalauthprovider.
  - Click Save.
- On the Policies tab, click Add policies.
- On the PingOne Policies tab, select the authentication policy that you created for users to authenticate with using PingOne as the EAM for Microsoft Entra ID.
- Click Save.
- In the Applications list, click the application’s toggle to enable it.
- Click the application entry to open the details panel.
- On the Configuration tab, copy the following PingOne application details to add in the Microsoft Entra admin center:
  - Expand the URLs section and copy the OIDC Discovery Endpoint to a secure location.
  - In the General section, copy the Client ID to a secure location.
Creating an external authentication method in Microsoft Entra
After creating the OIDC application in PingOne and copying the application ID, OIDC discovery endpoint, and client ID, create an EAM in Microsoft Entra.
Steps
- Go to the Microsoft Entra admin center.
- On the left, go to Protection > Authentication methods.
- Click App external method.
- Enter the following:
  - Name: Enter a name for the EAM.
  - Client ID: Enter your PingOne application’s client ID that you copied earlier.
  - Discovery Endpoint: Enter the OIDC Discovery Endpoint that you copied earlier. The format is <issuer>/.well-known/openid-configuration.
  - App ID: Enter the ID of the Microsoft Entra application that you copied previously. You can find the application ID in the Microsoft Entra admin center.
- Click Request permission. The browser opens a new window for you to sign on with your Microsoft Entra admin credentials.
- Review the requested permissions and click Accept if you agree.
- In the Enable and target section, configure whether you want to include a subset of your users or all users.
- Click the Enable toggle to enable the EAM.
Creating a conditional access policy in Microsoft Entra
Configure a conditional access policy in Microsoft Entra to define authentication requirements for users accessing applications.
If your Microsoft Entra tenant contains other conditional access policies that use custom controls to initiate MFA, ensure those policies don’t apply to the same users, groups, and applications that you select in this conditional access policy. Otherwise, your users could be prompted multiple times for MFA.
Steps
- Go to the Microsoft Entra admin center.
- On the left, go to Protection > Conditional Access.
- Click Policies.
- Update an existing policy or create a new policy.
- Configure the following:
  - Name: Enter a name.
  - Users: Select the same users and groups that you selected in your EAM.
  - Target resources: Select the applications to which you want to apply this conditional access policy.
  - Grant:
    - Click Grant access.
    - Select the Require multifactor authentication checkbox.
    - Click Select.
  - Enable policy: Select On to turn on the policy.
- Click Save.
Configuring PingID as the external authentication method
Configure a PingID policy to process user MFA requests coming from the PingOne application that you created to handle Microsoft Entra requests.
Steps
- In the PingID admin portal, go to Setup > PingID and click the Configuration tab.
  If you selected Enable for Enforce Policy, you might need to create an additional PingID policy. Learn more in the next step.
- Click the Policy tab, and on the Web tab, expand and review each policy.
  Microsoft Entra ID doesn’t allow MFA bypasses from an EAM and requires always prompting the user to complete MFA. If you have a policy that can apply to all applications and that has a rule with an action of Approve, you must create a new policy for the PingOne application. Examples of such policies include Recent Authentication or Accessing from Company Network.
- To add a new policy, click Add Policy.
- Enter a name for the policy, such as EAM PingID policy.
- In the Target section, in the Applications list, select the PingOne application that you previously created.
- For Groups, select all applicable groups.
- (Optional) In the Allowed Methods section, select the authentication methods you want to allow.
- Click Save.
  Result: The new policy becomes the first PingID policy, which works as a Microsoft Entra ID EAM. PingID will use this new policy when processing MFA requests coming from the PingOne application that you created to handle Microsoft Entra ID requests.
- In a scenario where a user forgot or lost their mobile phone and cannot use the PingID app for MFA, you can allow a user to bypass MFA with PingID for a specified period of time, such as 8 hours.
  - In PingOne, go to Directory > Users.
  - Browse or search for the applicable user, and click the user entry to open the details panel.
  - In the list for the Services tab, select Authentication.
  - Scroll down to the Integrations section, click the More Options icon, and select Bypass.
  - In the Bypass window, select the desired amount of time from the Allow bypass of PingID authentication on SSO for list and click Bypass.
  Because Microsoft Entra ID requires the third-party MFA provider to specify the MFA method used and does not accept MFA bypasses as an acceptable MFA method, you must also configure bypass in the Microsoft Entra admin center. Learn more about configuring conditional access in the Microsoft Entra documentation.
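The following Python script is an added example and is not PingOne's or Microsoft's code. It serves two passages on this page: the OIDC application settings and the Discovery Endpoint format (<issuer>/.well-known/openid-configuration) from the configuration steps, and the note above that Microsoft Entra ID requires the MFA provider to report the MFA method used and does not treat a bypass as MFA. It checks a discovery document against the required settings (ID Token response type, Implicit grant, a published jwks_uri, an issuer matching the copied endpoint) and checks a decoded ID token payload for the claims Entra needs. The claim names iss, aud and amr are standard OIDC/JWT claims (amr is defined in RFC 8176); the host names, environment ID, client ID and user ID are placeholders, and both the discovery document and the ID token claims are constructed samples rather than output from a live tenant.

```python
"""Preflight checks for a PingOne OIDC application used as a Microsoft Entra ID
external authentication method (EAM).

Added example, not PingOne or Microsoft code. All URLs, IDs and claim values
below are constructed placeholders, not values from a live tenant.
"""
import json

# Values fixed by the setup steps on this page.
ENTRA_EAM_REDIRECT_URI = (
    "https://login.microsoftonline.com/common/federation/externalauthprovider"
)
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample: what a PingOne discovery document would advertise after
# the application is set to Response Type = ID Token and Grant Type = Implicit.
SAMPLE_DISCOVERY = {
    "issuer": "https://auth.pingone.example/ENV-ID-PLACEHOLDER/as",
    "jwks_uri": "https://auth.pingone.example/ENV-ID-PLACEHOLDER/as/jwks",
    "response_types_supported": ["code", "id_token", "token id_token"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
}

# Constructed sample: decoded payload of an ID token returned to Entra after a
# PingID prompt. 'amr' (RFC 8176) is the standard claim naming the
# authentication method(s) used, which Entra requires the EAM to report.
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://auth.pingone.example/ENV-ID-PLACEHOLDER/as",
    "aud": "CLIENT-ID-PLACEHOLDER",
    "sub": "USER-ID-PLACEHOLDER",
    "amr": ["mfa"],
}


def discovery_endpoint_for(issuer):
    """Build <issuer>/.well-known/openid-configuration from an issuer URL."""
    return issuer.rstrip("/") + DISCOVERY_SUFFIX


def check_discovery_document(doc, discovery_endpoint):
    """Return mismatches between the metadata and the EAM settings.

    An empty list means the document advertises everything the steps require.
    """
    problems = []
    issuer = doc.get("issuer", "")
    if discovery_endpoint_for(issuer) != discovery_endpoint:
        problems.append(
            f"issuer {issuer!r} does not match discovery endpoint {discovery_endpoint!r}"
        )
    if "jwks_uri" not in doc:
        problems.append("jwks_uri missing; Entra cannot verify ID token signatures")
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported lacks 'id_token' (set Response Type to ID Token)")
    # grant_types_supported is optional in OIDC Discovery; when absent the
    # specified default is ["authorization_code", "implicit"].
    grants = doc.get("grant_types_supported", ["authorization_code", "implicit"])
    if "implicit" not in grants:
        problems.append("grant_types_supported lacks 'implicit' (set Grant Type to Implicit)")
    return problems


def check_eam_id_token_claims(claims, client_id, issuer):
    """Return reasons a decoded ID token would not satisfy Entra's EAM checks."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} is not the configured issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        problems.append("aud does not contain the PingOne application's client ID")
    amr = claims.get("amr")
    if not isinstance(amr, list) or not amr:
        # A PingID bypass that reports no method is not an acceptable MFA result for Entra.
        problems.append("amr is missing or empty; Entra requires the MFA method used to be reported")
    return problems


def preflight(doc, discovery_endpoint, claims, client_id):
    """Run both checks and return one combined report."""
    issuer = doc.get("issuer", "")
    return {
        "discovery_endpoint": discovery_endpoint,
        "redirect_uri": ENTRA_EAM_REDIRECT_URI,
        "discovery_problems": check_discovery_document(doc, discovery_endpoint),
        "id_token_problems": check_eam_id_token_claims(claims, client_id, issuer),
    }


if __name__ == "__main__":
    endpoint = discovery_endpoint_for(SAMPLE_DISCOVERY["issuer"])
    report = preflight(SAMPLE_DISCOVERY, endpoint, SAMPLE_ID_TOKEN_CLAIMS, "CLIENT-ID-PLACEHOLDER")
    print(json.dumps(report, indent=2))
```

To use it against a real environment, replace SAMPLE_DISCOVERY with the JSON fetched from the OIDC Discovery Endpoint you copied from the PingOne application, pass that same copied endpoint string as discovery_endpoint, and decode an ID token from a test sign-on into the claims dictionary; any non-empty problem list points at a setting in the steps above that still needs changing.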