Entra ID external authentication method

If you want to connect PingOne as the external authentication provider for multi-factor authentication (MFA) in Entra ID, you also need to add a Microsoft identity provider (IdP).

Before you begin

When you configure external authentication methods for Microsoft Entra, you should create a new population in PingOne for users coming from Microsoft Entra ID. Creating a new population for Microsoft Entra users allows you to configure an IdP for the population.

  1. Go to Directory → Populations.

  2. Click the icon to add a new population.

  3. Enter the following:

    1. Population Name: A unique label for the population.

    2. Description (optional): A brief characterization of the population.

    3. Default Population (optional): Specify the current population as the new default population.

  4. Click Save.

    A screen capture of the Populations page with a Default and Entra ID population.

Registering your application with Microsoft

To set up Microsoft as an external IdP for your application, you’ll need to register the application with Microsoft. Learn more in Quickstart: Register an app in the Microsoft Entra documentation.

Before you begin

Ensure that you have:

  • A Microsoft Entra account with an active subscription

  • An Entra tenant

Steps

  1. Go to the Microsoft Entra admin center.

    If you don’t have a Microsoft Entra account, you can create one now.

  2. On the left, expand Identity > Applications.

  3. Click App registrations.

  4. At the top, click New registration.

  5. In the Name field, enter a user-facing display name for the application.

  6. For Supported account types, select Accounts in this organizational directory only (<your tenant> only - Single tenant) or Accounts in any organizational directory and personal Microsoft accounts, depending on the needs of your organization.

    Select the Single tenant option if you’re only working with identities from your environment.

  7. Under Redirect URI, select Web as the platform and enter the authorization URL of your PingOne environment.

    The format is <issuer>/as/authorize. You can also find this URL when you go to the Configuration tab of any OIDC application in the PingOne admin console and look under the URLs section.

  8. Click Register.

Enabling the implicit grant

Set the grant type in Microsoft Entra.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the App registrations section, select your application.

  3. Go to Manage > Authentication.

  4. Select the ID tokens option under Implicit grant and hybrid flows.

  5. Click Save.
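Once ID tokens are enabled, PingOne receives an Entra ID token at the end of each login. The Supported account types choice made during registration decides which tenants can mint tokens that your app accepts, so the relying party must check the tid and iss claims as well as aud and exp. The following example is added here to show those claim checks; it is not PingOne’s or Microsoft’s code. The client ID, tenant ID and token are constructed, and signature verification is assumed to have been done by the OIDC library before these checks run (a real Entra token is RS256-signed with a key from the tenant’s JWKS).

```python
import base64
import json
import time
from typing import List, Optional, Set

# Constructed stand-ins for the values you copy out of the Entra admin center.
CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # Application (client) ID
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # Directory (tenant) ID


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_id_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature.
    Constructed test input only; it is not a real Entra-issued token."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "placeholder-signature",
    ])


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT. This does not verify the
    signature; the relying party's OIDC library must do that first."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def validate_entra_claims(claims: dict, client_id: str,
                          allowed_tenants: Optional[Set[str]],
                          now: Optional[float] = None) -> List[str]:
    """Return the reasons the claims are unacceptable (an empty list means OK).

    allowed_tenants is the set of Directory (tenant) IDs you trust. For a
    single-tenant registration it is just your own tenant ID. Pass None only for
    a deliberately multi-tenant app that accepts sign-ins from any Entra tenant."""
    now = time.time() if now is None else now
    problems: List[str] = []

    tid = claims.get("tid")
    if not tid:
        problems.append("missing tid (tenant) claim")
    elif allowed_tenants is not None and tid not in allowed_tenants:
        problems.append(f"tenant {tid} is not an allowed tenant")

    # v2.0 tokens carry a per-tenant issuer; it must agree with tid.
    if tid and claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        problems.append("iss does not match the tenant in tid")

    # aud must be exactly your Application (client) ID.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud does not contain our client ID")

    # Time-window checks with a small clock-skew allowance.
    skew = 60
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + skew < now:
        problems.append("token expired or exp missing")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and nbf - skew > now:
        problems.append("token not yet valid (nbf)")

    if not claims.get("sub"):
        problems.append("missing sub claim")
    return problems


if __name__ == "__main__":
    now = time.time()
    token = make_sample_id_token({
        "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
        "aud": CLIENT_ID, "tid": TENANT_ID, "sub": "constructed-user",
        "iat": now, "nbf": now, "exp": now + 3600,
    })
    print(validate_entra_claims(decode_claims(token), CLIENT_ID, {TENANT_ID}, now))
```

The tenant allow-list is the point of the example: with a multi-tenant registration, any Entra tenant can issue a token whose aud is your client ID, so the tid check is what keeps the population you created above limited to your own users.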

Getting the client ID and client secret for your application and the tenant ID of your Entra tenant

When you register your application with Microsoft, Microsoft generates an application (client) ID and application secret for the application.

Microsoft also generates a directory (tenant) ID for each Microsoft Entra tenant. You’ll copy these values and enter them into PingOne.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the App registrations section, select your application.

  3. On the left, click Certificates & secrets.

  4. In the Client secrets section, click New client secret.

  5. Enter the following:

    1. Description: A brief characterization of the client secret.

    2. Expires: Select the lifetime of the client secret, based on the needs of your organization.

  6. Click Add.

  7. In the Client secrets section, locate the value for the appropriate secret and copy it to a secure location. The secret value is shown only immediately after you create it; if you leave the page without copying it, you must create a new secret.

  8. On the left, click Overview.

  9. Locate the Application (client) ID and copy it to a secure location.

  10. Locate the Directory (tenant) ID and copy it to a secure location.
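The expiry you chose for the client secret is also the date on which the PingOne connection will stop working, so it is worth tracking. The following example is added here, not code from PingOne or Microsoft: it classifies an app registration’s client secrets as expired, expiring or ok from the passwordCredentials list that Microsoft Graph returns for an application. The response object is constructed to match that shape; the Graph call itself (GET /v1.0/applications/{object-id}, with a suitably permissioned caller) is assumed and not made here.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Union

# Constructed sample shaped like the Graph response to
# GET https://graph.microsoft.com/v1.0/applications/{object-id}?$select=displayName,appId,passwordCredentials
SAMPLE_APP = {
    "displayName": "PingOne EAM connector (constructed)",
    "appId": "11111111-2222-3333-4444-555555555555",
    "passwordCredentials": [
        {"displayName": "pingone-2024", "keyId": "key-a", "endDateTime": "2025-06-15T00:00:00Z"},
        {"displayName": "pingone-2025", "keyId": "key-b", "endDateTime": "2026-01-01T12:30:00.1234567Z"},
        {"displayName": "old-lab-secret", "keyId": "key-c", "endDateTime": "2025-05-01T00:00:00Z"},
    ],
}

_GRAPH_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")


def parse_graph_datetime(value: str) -> datetime:
    """Parse Graph's UTC timestamps, which may carry up to seven fractional digits
    (more than datetime.fromisoformat accepts on older Python versions)."""
    m = _GRAPH_TS.match(value)
    if not m:
        raise ValueError(f"unexpected timestamp: {value}")
    micro = int((m.group(2) or "").ljust(6, "0")[:6])
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=micro, tzinfo=timezone.utc)


def classify_secrets(app: dict, now: Union[str, datetime], warn_days: int = 30) -> List[Dict]:
    """Return one record per client secret with days until expiry and a status."""
    now_dt = parse_graph_datetime(now) if isinstance(now, str) else now
    results = []
    for cred in app.get("passwordCredentials", []):
        end = parse_graph_datetime(cred["endDateTime"])
        days_left = (end - now_dt).days  # negative once the secret has expired
        if end <= now_dt:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append({
            "keyId": cred["keyId"],
            "displayName": cred.get("displayName"),
            "endDateTime": end.isoformat(),
            "days_left": days_left,
            "status": status,
        })
    return results


def needs_attention(app: dict, now: Union[str, datetime], warn_days: int = 30) -> List[Dict]:
    """Only the secrets that are expired or inside the warning window."""
    return [r for r in classify_secrets(app, now, warn_days) if r["status"] != "ok"]


if __name__ == "__main__":
    for r in classify_secrets(SAMPLE_APP, datetime.now(timezone.utc)):
        print(f"{r['status']:8} {r['days_left']:5}d  {r['keyId']}  {r['displayName']}")
```

Run this on a schedule against the PingOne connector’s app registration and rotate before the "expiring" window closes: create the new secret in Entra, update the Client secret field on the PingOne IdP connection, then remove the old credential.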

Setting up API permissions

Set up Microsoft as an external IdP for your application and enable permissions for your application.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the App registrations section, select your application.

  3. On the left, click API permissions.

  4. Click Add a permission.

  5. Click Microsoft Graph.

  6. Click Delegated permissions and expand OpenId permissions.

  7. Select the openid and profile permissions.

    User.Read is included by default and should remain selected.

  8. Click Application permissions, expand User, and select the User.Read.All permission.

    If you do not intend to retrieve many attributes from Microsoft Entra ID and populate them into PingOne, you can select the User.ReadBasic.All permission instead of the User.Read.All permission.

    Both of these permissions require admin consent.

  9. Click Add permissions.

  10. To grant admin consent, click Grant admin consent for <your Entra tenant>.

Adding Microsoft as an identity provider in PingOne

Configure the identity provider connection in PingOne.

Steps

  1. In PingOne, go to Integrations → Provisioning.

  2. Click Add Provider.

  3. Click Microsoft.

  4. On the Create Profile page, enter the following information:

    • Name: A unique identifier for the IdP.

    • Description (optional): A brief description of the IdP.

    You cannot change the icon and login button, in accordance with the provider’s brand standards.

  5. Click Continue.

  6. On the Configure IDP Connection page, enter the following information:

    • Client ID: The application ID from the IdP that you copied earlier. You can find this information on the Microsoft Entra admin center.

    • Client secret: The application secret from the IdP that you copied earlier. You can find this information on the Microsoft Entra admin center.

    • Tenant ID: The tenant ID of your Entra tenant that you copied earlier. You can find this information on the Microsoft Entra admin center.

  7. Click Save and Continue.

  8. On the Map Attributes page, define how the PingOne user attributes are mapped to IdP attributes. Learn more in Mapping attributes.

    • Enter the PingOne user profile attribute and the external IdP attribute. Learn more about attribute syntax in Identity provider attributes.

    • To add an attribute, click Add attribute.

    • To use the expression builder, click Build and test or Advanced Expression. Learn more in Using the expression builder.

    • Select the update condition, which determines how PingOne updates its user directory with the values from the IdP. The options are:

      • Empty only: Update the PingOne attribute only if the existing attribute is empty.

      • Always: Always update the PingOne directory attribute.

  9. Click Save and Finish.

  10. Click the connection in the Identity Providers list to expand the connection details.

  11. Click the Registration tab, and then click the Pencil icon.

  12. For Population, select the population that you previously created for Entra ID users.

  13. Click Save.

A screen capture of the Microsoft Identity Provider connection with the Entra ID users population selected.
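The update condition chosen on the Map Attributes page decides whether a value already in the PingOne directory is preserved or overwritten on each login. The following example is added to illustrate those two conditions with an audit trail of what changed; it is not PingOne’s implementation of attribute mapping. The mapping rows, the existing user record and the IdP attributes are constructed, and the choice to leave a PingOne value untouched when the IdP sends no value for it is this example’s own design decision.

```python
from typing import Dict, List, Tuple

# Mapping rows as you would configure them on the Map Attributes page (constructed).
# "idp" is the attribute name received from Microsoft; "update" is the update condition.
MAPPINGS = [
    {"pingone": "username",    "idp": "preferred_username", "update": "Empty only"},
    {"pingone": "email",       "idp": "email",              "update": "Always"},
    {"pingone": "name.given",  "idp": "given_name",         "update": "Always"},
    {"pingone": "name.family", "idp": "family_name",        "update": "Always"},
]

UPDATE_CONDITIONS = ("Empty only", "Always")


def _is_empty(value) -> bool:
    return value is None or value == ""


def apply_mappings(user: Dict[str, str], idp_attrs: Dict[str, str],
                   mappings: List[dict]) -> Tuple[Dict[str, str], List[dict]]:
    """Apply IdP attributes to a PingOne user record according to each row's
    update condition. Returns (updated_user, change_log); the input is not mutated."""
    updated = dict(user)
    changes: List[dict] = []
    for row in mappings:
        if row["update"] not in UPDATE_CONDITIONS:
            raise ValueError(f"unknown update condition: {row['update']!r}")
        new_value = idp_attrs.get(row["idp"])
        if _is_empty(new_value):
            continue  # IdP sent nothing for this attribute; keep whatever PingOne has
        current = updated.get(row["pingone"])
        if row["update"] == "Empty only" and not _is_empty(current):
            continue  # existing value wins
        if current == new_value:
            continue  # nothing to record
        updated[row["pingone"]] = new_value
        changes.append({"attribute": row["pingone"], "old": current,
                        "new": new_value, "condition": row["update"]})
    return updated, changes


if __name__ == "__main__":
    existing = {"username": "jdoe", "email": "old@example.invalid", "name.given": "Jane"}
    from_idp = {"preferred_username": "jane.doe@contoso.invalid", "email": "jane.doe@contoso.invalid",
                "given_name": "Jane", "family_name": "Doe"}
    user, log = apply_mappings(existing, from_idp, MAPPINGS)
    print(user)
    for entry in log:
        print(f"{entry['attribute']}: {entry['old']!r} -> {entry['new']!r} ({entry['condition']})")
```

Keeping the change log is the defender’s reason for an example like this: an "Always" mapping means the IdP can rewrite the attribute on every sign-in, so a record of old and new values is what lets you spot an unexpected change to, for example, a user’s email.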

Updating the population

A population defines a set of users and simplifies user management.

Steps

  1. Go to Directory → Populations.

  2. Click the population that you previously selected in Adding Microsoft as an identity provider in PingOne.

  3. Click the Pencil icon.

  4. In the Identity Provider list, select your Microsoft Identity Provider.

  5. Click Confirm in the popup message, and then click Save.

Adding the redirect URI to the Microsoft Entra admin center

If you plan to use the same application in Microsoft Entra for both OIDC authentication and external authentication method integration, you must add the redirect URI to the Microsoft portal. Learn more in Adding the Redirect URI to the Microsoft Entra admin center.

Next steps