PingOne

Entra ID external authentication method

If you want to use PingOne as the external authentication method (EAM) for multi-factor authentication (MFA) in Microsoft Entra ID, you need to register an application in Entra and add Microsoft as an identity provider (IdP) in PingOne. The following sections walk through both sides of that configuration.

Before you begin

Make sure you have a PingOne organization and an environment with PingOne SSO and PingID added. Then create a population for users coming from Entra ID, following whichever of the two procedures below matches your situation:

New PingID accounts: Creating a population for Microsoft Entra ID users

If you created a new PingID environment in PingOne, your new environment includes a population named Default. Learn more in Creating a new PingID environment in PingOne.

A screen capture of the Populations page with one Default population.

When you configure an EAM for Microsoft Entra, you’ll need to create a new population in PingOne for users coming from Entra ID.

Steps

  1. Go to Directory > Populations.

  2. Click the icon to add a new population.

  3. Enter the following:

    1. Population Name: A unique label for the population, such as Entra ID users.

    2. Description (optional): A brief description of the population.

    3. Default Population (optional): Leave this checkbox cleared in this scenario unless you want this population to become the new default population.

  4. Click Save.

    A screen capture of the Populations page with a Default and Entra ID population.

Existing PingID accounts: Creating a population for Microsoft Entra ID users and changing the default population

If you integrated your PingID account with a new PingOne account, your new environment includes a population named Default with users from PingID assigned to this population. The following image shows the Default population with two users from PingID.

A screen capture of the Populations page with one Default population that has two identities.

By default, the Identity Provider for this population is set to PingOne. You’ll update this setting as part of this process.

A screen capture of the Populations page with the Default population selected and the details panel showing.

Because you could have a future scenario where users in this environment aren’t coming from Microsoft Entra ID, you should rename the Default population, create a new population for users coming from Entra ID, and set the new population as the default population.

Steps

  1. Go to Directory > Populations.

  2. Click the Default population, and then click the Pencil icon to edit the population.

  3. Change Population Name from Default to a new name, such as Entra ID users.

    A screen capture of the Edit Population panel with the Population Name changed to Entra ID users.
  4. Click Save.

  5. To create a new population, click the icon.

  6. Enter the following:

    1. Population Name: A unique label for the population, such as Home.

    2. Description (optional): A brief description of the population.

    3. Default Population: Click the Enable checkbox to set this population as the new default population.

    4. In the confirmation modal, click Confirm to make this population the new default population.

      A screen capture of the New Population with the Make Default Population confirmation message showing.
  7. Click Save.

Result

You now have two populations in your environment:

  1. Entra ID users: Users from PingID are assigned to this population. This is also the population where future Entra ID users will be assigned when Entra ID redirects users to PingOne for MFA. This population was previously named Default and was previously set as the default population.

  2. Home: This population is the new default population and was created for future scenarios where users are not coming from Entra ID.

A screen capture of the Populations page with two populations: Entra ID users and Home.

Registering your application with Microsoft

To configure an EAM, register an application in Microsoft Entra. Learn more in Quickstart to registering an app in the Microsoft Entra documentation.

Before you begin

Ensure that you have:

  • A Microsoft Entra account with an active subscription

  • An Entra tenant

Steps

  1. Go to the Microsoft Entra admin center.

    If you don’t have a Microsoft Entra account, you can create one now.

  2. On the left, expand Identity > Applications.

  3. Click App registrations.

  4. At the top, click New registration.

  5. In the Name field, enter a user-facing display name for the application.

  6. For Supported account types, select Accounts in this organizational directory only (<your tenant> only - Single tenant) or Accounts in any organizational directory and personal Microsoft accounts, depending on the needs of your organization.

    Select the Single tenant option if you're working only with identities from your own tenant. The broader option lets accounts from outside your tenant sign in to this application, so choose it only if you need that.

  7. Under Redirect URI, select Web as the platform and enter the authorization URL of your PingOne environment.

    You can find this URL on the Configuration tab of any OpenID Connect (OIDC) application in the PingOne admin console, in the URLs section.

    The format is <issuer>/authorize.

    Example 1: https://auth.pingone.<region>/<envID>/as/authorize

    Example 2: https://<customDomain>/as/authorize if you set up a custom domain. Learn more in Setting up a custom domain.

  8. Click Register.

Enabling the implicit grant

After registering an application in Entra, enable the implicit grant type for your application to support an EAM.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the App registrations section, select your application.

  3. Go to Manage > Authentication.

  4. In the Implicit grant and hybrid flows section, select the ID tokens checkbox. Leave the Access tokens checkbox cleared; the EAM flow needs only ID tokens.

  5. Click Save.

Getting the client ID and client secret for your application and the tenant ID of your Entra tenant

When you register your application with Microsoft, Microsoft generates an application (client) ID for it. Microsoft also generates a directory (tenant) ID for each Microsoft Entra tenant. The client secret is not created automatically: you create it under Certificates & secrets.

You'll copy all three values and enter them into PingOne.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the App registrations section, select your application.

  3. On the left, click Certificates & secrets.

  4. In the Client secrets section, click New client secret.

  5. Enter the following:

    1. Description: A brief characterization of the client secret.

    2. Expires: Select the lifetime of the secret, based on the needs of your organization. A shorter lifetime limits how long a leaked secret stays usable, but you must replace the secret in PingOne before it expires or the connection to Microsoft stops working.

  6. Click Add.

  7. In the Client secrets section, copy the Value (not the Secret ID) of the new secret to a secure location. The value is shown only once, immediately after you add it; if you leave the page without copying it, delete that secret and create a new one.

  8. On the left, click Overview.

  9. Locate the Application (client) ID and copy it to a secure location.

  10. Locate the Directory (tenant) ID and copy it to a secure location.

Setting up API permissions

Using an EAM with Microsoft Entra requires certain API permissions that you’ll need to enable in your application.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the App registrations section, select your application.

  3. On the left, click API permissions.

  4. Click Add a permission.

  5. Click Microsoft Graph.

  6. Click Delegated permissions and expand Openid permissions.

  7. Select the openid and profile permissions.

    User.Read is included by default and should remain selected.

  8. Click Application permissions, expand User, and select the User.Read.All permission.

    If you don’t intend to retrieve many attributes from Microsoft Entra ID and populate them into PingOne, you can select the User.ReadBasic.All permission instead of the User.Read.All permission.

    Both of these permissions require admin consent.

  9. Click Add permissions.

  10. Click Grant admin consent for <your Entra tenant>, and then confirm. Until an administrator grants consent, the permissions are listed on the application but are not effective.

Adding Microsoft as an identity provider in PingOne

Configure the IdP connection in PingOne.

Steps

  1. In PingOne, go to Integrations > External IdPs.

  2. Click Add Provider.

  3. Click Microsoft.

  4. On the Create Profile page, enter the following information:

    • Name: A unique identifier for the IdP.

    • Description: (Optional). A brief description of the IdP.

    The icon and login button can't be changed, in keeping with Microsoft's brand standards.

  5. Click Continue.

  6. On the Configure IDP Connection page, enter the following information:

    • Client ID: The Application (client) ID that you copied from the Overview page of your app registration in the Microsoft Entra admin center.

    • Client secret: The client secret value that you copied from Certificates & secrets. Treat it as a credential: PingOne stores it for this connection, so don't leave other copies lying around once the connection is saved.

    • Tenant ID: The Directory (tenant) ID that you copied from the Overview page of your app registration.

  7. Click Save and Continue.

  8. On the Map Attributes page, define how the PingOne user attributes are mapped to IdP attributes. Learn more in Mapping attributes.

    • Leave the default PingOne user profile attributes and the external IdP attributes:

      • Preferred Username (from Microsoft) as the source of the PingOne Username

      • Email (from Microsoft) as the source of the PingOne Email Address

    • To add an attribute, click Add attribute.

    • To use the expression builder, click Build and test or Advanced Expression. Learn more in Using the expression builder.

    • Select the update condition, which determines how PingOne updates its user directory with the values from the IdP. The options are:

      • Empty only: Update the PingOne attribute only if the existing attribute is empty.

      • Always: Always update the PingOne directory attribute.

  9. Click Save & Finish.

  10. Click the connection in the Identity Providers list to expand the connection details.

  11. Click the Registration tab, and then click the Pencil icon.

  12. For Population, select the population that you previously created for Entra ID users.

  13. Click Save.

A screen capture of the Microsoft Identity Provider connection with the Entra ID users population selected.

Updating the population

After creating your connection to Microsoft, update the Identity Provider setting for the population that you created for users coming from Entra ID.

The Identity Provider setting is used as the runtime fallback IdP for users in the population who do not have an authoritative IdP configured in their user profile. Updating the population is especially important if you integrated your PingID account with a new PingOne account because those user profiles are created in PingOne without an authoritative IdP set. If the user is removed from the population, the IdP set in the population no longer applies to them.

Steps

  1. Go to Directory > Populations.

  2. Click the population that you previously created for Entra ID users.

  3. Click the Pencil icon.

  4. In the Identity Provider list, select the IdP that you previously created in Adding Microsoft as an identity provider in PingOne.

  5. Click Confirm in the modal, and then click Save.

Adding the callback URL to the Microsoft Entra admin center

If you created an authentication policy for OIDC authentication, you must also add the callback URL from the Microsoft IdP connection to the application you registered in the Microsoft Entra admin center.

Steps

  1. In PingOne, go to Integrations > External IdPs.

  2. Locate the Microsoft IdP that you created previously and then click the Details icon to expand the IdP.

  3. Click the Connection tab.

  4. Copy the Callback URL.

    The following examples show the URL format:

    Example 1: https://auth.pingone.<region>/<envID>/rp/callback/microsoft

    Example 2: https://<customDomain>/rp/callback/microsoft

  5. Go to the Microsoft Entra admin center.

  6. In the App registrations section, select your application.

  7. On the left, click Authentication.

  8. Go to Platform configurations > Web > Redirect URIs, and click Add URI.

  9. Paste the Callback URL that you copied from PingOne.

  10. Click Save.
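To confirm that the Microsoft side matches what the sections above configure (both redirect URIs, ID-token issuance under the implicit grant, the Microsoft Graph permissions, the client secret, and the sign-in audience), here is an added checker script. It is not part of this guide and is not PingOne or Microsoft tooling. It reads the app registration manifest JSON that the Entra admin center exports (App registrations > your app > Manifest) or that `az ad app show --id <appId>` prints, and reports anything missing or wider than the guide needs. The permission IDs are Microsoft Graph's published values and should be confirmed in your own tenant; the sample manifest, environment ID and secret dates are constructed for the example.

```python
"""Offline check of an Entra app registration used for a PingOne EAM (added example)."""
from datetime import datetime, timezone
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph as a resource

# Microsoft Graph permission IDs as they appear in requiredResourceAccess. Assumed to be
# the published values; confirm against the Graph service principal's
# oauth2PermissionScopes (delegated) and appRoles (application) in your tenant.
DELEGATED = {
    "openid": "37f7f235-527c-4136-accd-4a02d197296e",
    "profile": "14dad69e-099b-42c9-810b-d002981feec1",
    "User.Read": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
}
APPLICATION = {
    "User.Read.All": "df021288-bdef-4463-88db-98f22de89214",
    "User.ReadBasic.All": "97235f07-e226-4f63-ace3-39588e11d3a1",
}


def required_redirect_uris(pingone_base):
    """The two redirect URIs this guide registers. pingone_base is
    https://auth.pingone.<region>/<envID> or https://<customDomain>."""
    base = pingone_base.rstrip("/")
    return {f"{base}/as/authorize", f"{base}/rp/callback/microsoft"}


def _graph_permissions(manifest):
    """Split the Microsoft Graph entries of requiredResourceAccess into scope and role IDs."""
    scopes, roles = set(), set()
    for rra in manifest.get("requiredResourceAccess", []):
        if rra.get("resourceAppId") != GRAPH_APP_ID:
            continue
        for ra in rra.get("resourceAccess", []):
            (scopes if ra.get("type") == "Scope" else roles).add(ra.get("id", ""))
    return scopes, roles


def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_eam_registration(manifest, pingone_base, now=None, max_secret_days=365):
    """Return [(severity, message)]. 'error' means the EAM flow will not work;
    'warn' means it works but the registration is wider than the guide needs."""
    now = now or datetime.now(timezone.utc)
    out = []

    web = manifest.get("web", {})
    have, need = set(web.get("redirectUris", [])), required_redirect_uris(pingone_base)
    out += [("error", f"missing redirect URI {u}") for u in sorted(need - have)]
    out += [("warn", f"extra redirect URI {u}") for u in sorted(have - need)]

    grant = web.get("implicitGrantSettings", {})
    if not grant.get("enableIdTokenIssuance"):
        out.append(("error", "implicit grant: ID tokens not enabled"))
    if grant.get("enableAccessTokenIssuance"):
        out.append(("warn", "implicit grant: access tokens enabled (not needed here)"))

    scopes, roles = _graph_permissions(manifest)
    out += [("error", f"missing delegated permission {n}") for n, p in DELEGATED.items() if p not in scopes]
    read_roles = {n for n, p in APPLICATION.items() if p in roles}
    if not read_roles:
        out.append(("error", "missing application permission User.Read.All or User.ReadBasic.All"))
    elif len(read_roles) == 2:
        out.append(("warn", "both User.Read.All and User.ReadBasic.All granted; keep only one"))
    known = set(DELEGATED.values()) | set(APPLICATION.values())
    out += [("warn", f"Graph permission {p} is not needed for the EAM") for p in sorted((scopes | roles) - known)]

    secrets = manifest.get("passwordCredentials", [])
    if not secrets:
        out.append(("error", "no client secret; PingOne needs one to call Microsoft"))
    for s in secrets:
        end, label = _parse(s["endDateTime"]), s.get("displayName") or s.get("keyId", "?")
        if end <= now:
            out.append(("error", f"client secret '{label}' expired {end:%Y-%m-%d}"))
        elif "startDateTime" in s and (end - _parse(s["startDateTime"])).days > max_secret_days:
            out.append(("warn", f"client secret '{label}' lives longer than {max_secret_days} days"))

    if manifest.get("signInAudience") != "AzureADMyOrg":
        out.append(("warn", "not single-tenant; only intended if identities outside your tenant sign in"))
    return out


# Constructed sample, not exported from a real tenant; the environment ID is made up.
PINGONE_BASE = "https://auth.pingone.com/11111111-2222-3333-4444-555555555555"
SAMPLE_NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_MANIFEST = {
    "displayName": "PingOne EAM",
    "signInAudience": "AzureADMyOrg",
    "web": {
        "redirectUris": sorted(required_redirect_uris(PINGONE_BASE)),
        "implicitGrantSettings": {"enableIdTokenIssuance": True, "enableAccessTokenIssuance": False},
    },
    "requiredResourceAccess": [{
        "resourceAppId": GRAPH_APP_ID,
        "resourceAccess": [{"id": i, "type": "Scope"} for i in DELEGATED.values()]
                          + [{"id": APPLICATION["User.ReadBasic.All"], "type": "Role"}],
    }],
    "passwordCredentials": [{"displayName": "pingone-idp", "startDateTime": "2024-01-01T00:00:00Z",
                             "endDateTime": "2024-07-01T00:00:00Z"}],
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python check_eam.py manifest.json https://auth.pingone.<region>/<envID>
        with open(sys.argv[1]) as fh:
            manifest, base, now = json.load(fh), sys.argv[2], None
    else:
        manifest, base, now = SAMPLE_MANIFEST, PINGONE_BASE, SAMPLE_NOW
    for sev, msg in check_eam_registration(manifest, base, now) or [("ok", "all checks passed")]:
        print(f"{sev}: {msg}")
```

Run it against an exported manifest and the PingOne base URL; an empty result means the registration matches the steps above, while `warn` lines point at places where the application can do more than the EAM needs (a second redirect URI, access-token issuance, both User.Read.All and User.ReadBasic.All, a multi-year secret, a multi-tenant audience).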

Next steps