OIDC authentication
Adding Microsoft as an external identity provider (IdP) gives your users the option to sign on with their Microsoft accounts when accessing your application.
Registering your application with Microsoft
To configure an EAM (external authentication method), register an application in Microsoft Entra. Learn more in the Quickstart to registering an app in the Microsoft Entra documentation.
Before you begin
Ensure that you have:
- A Microsoft Entra account with an active subscription
- An Entra tenant
Steps
- Go to the Microsoft Entra admin center.
  If you don’t have a Microsoft Entra account, you can create one now.
- On the left, expand Identity > Applications.
- Click App registrations.
- At the top, click New registration.
- In the Name field, enter a user-facing display name for the application.
- For Supported account types, select Accounts in this organizational directory only (Ping Identity only - Single tenant) or Accounts in any organizational directory and personal Microsoft accounts, depending on the needs of your organization.
  Select the Single tenant option if you’re only working with identities from your environment.
- Under Redirect URI, select Web as the platform and enter the authorization URL of your PingOne environment. The format is <issuer>/authorize. You can also find this URL when you go to the Configuration tab of any OpenID Connect (OIDC) application in the PingOne admin console and look under the URLs section.
  Example 1: https://auth.pingone.<region>/<envID>/as/authorize
  Example 2: https://<customDomain>/as/authorize if you set up a custom domain. Learn more in Setting up a custom domain.
- Click Register.
Enabling the implicit grant
After registering an application in Entra, enable the implicit grant type for your application to support an EAM.
Steps
- Go to the Microsoft Entra admin center.
- In the App registrations section, select your application.
- Go to Manage > Authentication.
- In the Implicit grant and hybrid flows section, select the ID tokens checkbox.
- Click Save.
Getting the client ID and client secret for your application
When you register your application with Microsoft, Microsoft generates an application (client) ID and application secret for the application.
You’ll copy these values and enter them into PingOne.
Steps
- Go to the Microsoft Entra admin center.
- In the App registrations section, select your application.
- On the left, click Certificates & secrets.
- In the Client secrets section, click New client secret.
- Enter the following:
  - Description: A brief characterization of the client secret.
  - Expires: Select how long the client secret remains valid, based on the needs of your organization.
- Click Add.
- In the Client secrets section, locate the value for the applicable secret and copy it to a secure location. The secret value is shown only once, immediately after you create it; if you lose it, create a new secret.
- On the left, click Overview.
- Locate the Application (client) ID and copy it to a secure location.
Setting up API permissions
Using an EAM with Microsoft Entra requires certain API permissions that you’ll need to enable in your application.
Steps
- Go to the Microsoft Entra admin center.
- In the App registrations section, select your application.
- On the left, click API permissions.
- Click Add a permission.
- Click Microsoft Graph.
- Click Delegated permissions and expand Openid permissions.
- Select the following:
  - email
  - offline_access
  - openid
  - profile
  - User.Read
    User.Read is included by default and should remain selected.
- Click Add permissions.
Adding Microsoft as an identity provider in PingOne
Configure the IdP connection in PingOne.
Steps
- In PingOne, go to Integrations > External IdPs.
- Click Add Provider.
- Click Microsoft.
- On the Create Profile page, enter the following information:
  - Name: A unique identifier for the IdP.
  - Description: (Optional) A brief description of the IdP.
  You cannot change the icon and login button, in accordance with the provider’s brand standards.
- Click Continue.
- On the Configure IDP Connection page, enter the following information:
  - Client ID: The application ID from the IdP that you copied earlier. You can find this information in the Microsoft Entra admin center.
  - Client secret: The application secret from the IdP that you copied earlier. You can find this information in the Microsoft Entra admin center.
- Click Save and Continue.
- On the Map Attributes page, define how the PingOne user attributes are mapped to IdP attributes. Learn more in Mapping attributes.
  - Leave the default PingOne user profile attributes and the external IdP attributes:
    - Preferred Username (from Microsoft) as the source of the PingOne Username
    - Email (from Microsoft) as the source of the PingOne Email Address
  - To add an attribute, click Add attribute.
  - To use the expression builder, click Build and test or Advanced Expression. Learn more in Using the expression builder.
  - Select the update condition, which determines how PingOne updates its user directory with the values from the IdP. The options are:
    - Empty only: Update the PingOne attribute only if the existing attribute is empty.
    - Always: Always update the PingOne directory attribute.
- Click Save & Finish.
Adding the redirect URI to the Microsoft Entra admin center
If you want to allow users to sign on to the PingOne Self-Service - MyAccount application to manage their MFA methods, or to other applications you’ve added to PingOne, you must use the same Microsoft IdP and configure a policy to redirect the user to Entra ID for authentication through the OIDC protocol. Learn more in OIDC authentication.
Copy the value for the callback URL from the Microsoft IdP and enter it into the Microsoft Entra admin center.
Steps
- In PingOne, go to Integrations > External IdPs.
- Locate the appropriate IdP and then click the More Options icon to expand the IdP.
- Click the Connection tab. Copy the Callback URL and paste it in a secure location.
  The following examples show the URL format:
  Example 1: https://auth.pingone.<region>/<envID>/rp/callback/microsoft
  Example 2: https://<customDomain>/rp/callback/microsoft
- Go to the Microsoft Entra admin center.
- In the App registrations section, select your application.
- On the left, click Overview.
- For Redirect URIs, click Add a Redirect URI.
- For Platform configurations, click Add a platform.
- In the Web applications section, click Web.
- For Redirect URIs, enter the value that you copied from PingOne.
- Click Configure.
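The two URLs this page has you register in Entra (the PingOne authorize URL from the app registration steps and the /rp/callback/microsoft callback URL from the steps above) must match the Entra redirect URIs exactly, and the ID tokens checkbox must be on. The following added example (not Ping Identity or Microsoft code) builds both URLs for a PingOne environment and checks an app registration against them; it assumes the Microsoft Graph application object layout (web.redirectUris, web.implicitGrantSettings.enableIdTokenIssuance), and SAMPLE_APP is a constructed sample with a placeholder environment ID.

```python
"""Check an Entra app registration against the PingOne URLs a Microsoft IdP
connection needs. Added example, not Ping Identity or Microsoft code.
Assumes the Graph 'application' object shape; SAMPLE_APP is constructed."""
from urllib.parse import urlsplit


def pingone_urls(region=None, env_id=None, custom_domain=None):
    """Build the authorize and Microsoft callback URLs for a PingOne environment,
    using the custom-domain form (Example 2 on the page) when one is given."""
    base = f"https://{custom_domain}" if custom_domain else f"https://auth.pingone.{region}/{env_id}"
    return {"authorize": f"{base}/as/authorize",
            "callback": f"{base}/rp/callback/microsoft"}


def check_registration(app, expected):
    """Return a list of findings; an empty list means the registration is complete."""
    findings = []
    web = app.get("web", {})
    registered = set(web.get("redirectUris", []))
    for name, url in expected.items():
        # Entra compares redirect URIs as exact strings, so check the whole
        # URL (scheme, host and path), not just the host name.
        if url not in registered:
            findings.append(f"missing redirect URI ({name}): {url}")
    for uri in registered:
        if urlsplit(uri).scheme != "https":
            findings.append(f"redirect URI is not https: {uri}")
    if not web.get("implicitGrantSettings", {}).get("enableIdTokenIssuance"):
        findings.append("ID tokens not enabled under Implicit grant and hybrid flows")
    return findings


# Constructed sample shaped like an Entra app registration; the environment ID
# is a placeholder, not a real PingOne environment or tenant.
SAMPLE_APP = {
    "displayName": "PingOne Microsoft IdP (sample)",
    "signInAudience": "AzureADMyOrg",
    "web": {
        "redirectUris": [
            "https://auth.pingone.com/00000000-0000-0000-0000-000000000000/as/authorize"
        ],
        "implicitGrantSettings": {"enableIdTokenIssuance": False,
                                  "enableAccessTokenIssuance": False},
    },
}

if __name__ == "__main__":
    expected = pingone_urls(region="com", env_id="00000000-0000-0000-0000-000000000000")
    for finding in check_registration(SAMPLE_APP, expected):
        print("FINDING:", finding)
```

Run against the sample, it reports the missing callback URI and the disabled ID-token setting; feed it the web section of your own registration exported from Entra to confirm both steps took effect.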
Next steps
- Add the Microsoft IdP to an authentication policy followed by an MFA step. Learn more in Adding an external identity provider sign-on step.
- Add the authentication policy to your application. Ensure that registration is enabled in the authentication policy. Learn more in Applications.