---
title: OIDC authentication
description: Add Microsoft as an external identity provider in PingOne to allow users to sign on with Microsoft when accessing your application using OIDC authentication.
component: pingone
page_id: pingone:integrations:p1_add_idp_microsoft_oidc
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_add_idp_microsoft_oidc.html
revdate: April 23, 2025
section_ids:
  registering-your-application-with-microsoft: Registering your application with Microsoft
  before-you-begin: Before you begin
  steps: Steps
  enabling-the-implicit-grant: Enabling the implicit grant
  steps-2: Steps
  getting-the-client-id-and-client-secret-for-your-application: Getting the client ID and client secret for your application
  steps-3: Steps
  setting-up-api-permissions: Setting up API permissions
  steps-4: Steps
  adding-microsoft-as-an-identity-provider-in-pingone: Adding Microsoft as an identity provider in PingOne
  steps-5: Steps
  add_redirect_uri: Adding the callback URL to the Microsoft Entra admin
  steps-6: Steps
  next-steps: Next steps
---

# OIDC authentication

Adding Microsoft as an external identity provider (IdP), a service that manages identity information and provides authentication services to relying clients or SPs within a federated or distributed network, gives your users the option to sign on with their Microsoft accounts when accessing your application.

## Registering your application with Microsoft

Register an application in Microsoft Entra. Learn more in [Quickstart: Register an application with the Microsoft identity platform](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) in the Microsoft Entra documentation.

### Before you begin

Ensure that you have:

* A Microsoft Entra account with an active subscription

* An Entra tenant

### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/) and sign on to your account.

   If you don't have a Microsoft Entra account, you can create one now.

2. In the sidebar, go to **Identity > Applications > App registrations**.

3. Click **+ New registration**.

   ![A screenshot of the App registrations page in the Entra admin center.](../use_cases/_images/p1-entra-eam-new-app-registration.png)

4. Enter and configure the following:

   1. **Name**: Enter a user-facing display name for the application.

   2. **Supported account types**: Select either of the following, depending on the needs of your organization:

      * **Accounts in this organizational directory only (\<Your Entra tenant name> only - Single tenant)**: Select this option if you're working with only identities from your environment.

      * **Accounts in any organizational directory and personal Microsoft accounts**

   3. **Redirect URI**: Select **Web** as the platform and enter the authorization URL of your PingOne environment.

      Note: You can find this URL on the **Overview** tab of any OIDC application in the PingOne admin console, in the **Connection Details** section.

      The format is `<issuer>/authorize`.

      Example 1: `https://auth.pingone.<region>/<envID>/as/authorize`

      Example 2: `https://<customDomain>/as/authorize` if you set up a custom domain. Learn more in [Setting up a custom domain](../settings/p1_set_up_custom_domain.html).

      ![A screenshot of the Register an application page in the Entra admin center.](../use_cases/_images/p1-entra-eam-register-app.png)

5. Click **Register**.

## Enabling the implicit grant

After registering an application in Entra, enable the implicit grant type for your application.

### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/).

2. In the sidebar, go to **Identity > Applications > App registrations** and click your application.

3. On the **App registrations** page, in the **Manage** section, click **Authentication**.

4. In the **Implicit grant and hybrid flows** section, select the **ID tokens** checkbox for the token type to be issued by the authorization endpoint.

   ![A screenshot of the Authentication page for the application in the Entra admin center.](../use_cases/_images/p1-entra-eam-implicit-grant.png)

5. Click **Save**.

## Getting the client ID and client secret for your application

When you register your application with Microsoft, Microsoft generates an application (client) ID and application secret for the application.

You'll copy these values and enter them into PingOne.

### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/).

2. In the sidebar, go to **Identity > Applications > App registrations** and click your application.

3. On the **App registrations** page, in the **Manage** section, click **Certificates & secrets**.

4. On the **Client secrets** tab, click **+ New client secret**.

5. Enter the following:

   1. **Description**: A brief description of the client secret.

   2. **Expires**: Select how long the client secret remains valid, based on the needs of your organization.

6. Click **Add**.

7. On the **Client secrets** tab, click the **Copy** icon for the **Value** and paste it in a secure location.

   ![A screenshot of the Certificates & secrets page in the Entra admin center.](../use_cases/_images/p1-entra-eam-certificate-secrets.png)

8. In the **App registrations** sidebar, click **Overview**.

   ![A screenshot of the Certificates & secrets page in the Entra admin center.](../use_cases/_images/p1-entra-eam-certificates-secrets-overview.png)

9. Copy the **Application (client) ID** and paste it in a secure location.

   ![A screenshot of the Application Overview page - Application ID in the Entra admin center.](../use_cases/_images/p1-entra-eam-application-id.png)

## Setting up API permissions

Adding Microsoft as an external IdP requires certain API permissions that you'll need to enable in your application.

### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/).

2. In the sidebar, go to **Identity > Applications > App registrations** and click your application.

3. On the **App registrations** page, in the **Manage** section, click **API permissions**.

4. Click **+ Add a permission**.

   ![A screenshot of the API permissions page in the Entra admin center.](../use_cases/_images/p1-entra-eam-api-permissions-default.png)

5. On the **Request API permissions** panel, click **Microsoft Graph**.

   ![A screenshot of the Request API permissions panel in the Entra admin center.](../use_cases/_images/p1-entra-eam-api-permissions-microsoft-graph.png)

6. Click **Delegated permissions** for the type of permissions to allow for your application.

   ![A screenshot of the Request API permissions panel - Type of permissions in the Entra admin center.](../use_cases/_images/p1-entra-eam-api-permissions-delegated-permissions.png)

7. Expand **Openid permissions**.

8. Select the following:

   * `email`

   * `offline_access`

   * `openid`

   * `profile`

   * `User.Read`

     Note: `User.Read` is included by default and should remain selected.

9. Click **Add permissions**.

## Adding Microsoft as an identity provider in PingOne

Configure the IdP connection in PingOne.

### Steps

1. In the PingOne admin console, go to **Integrations > External IdPs** and click the **+** icon.

2. Click **Microsoft** as the **Identity Provider Type**.

3. Click **Next**.

4. In the **Create Profile** step, enter the following information:

   * **Name**: A unique identifier for the IdP.

   * **Description** (optional): A brief description of the IdP.

   * **Population**: Select a population that overrides the authentication policy's registration population and enables just-in-time (JIT) registration from the IdP.

     Note: You can't change the **Icon** and **Sign-on button**, in accordance with the provider's brand standards.

5. Click **Next**.

6. In the **Connection Details** step, enter the following information:

   * **Client ID**: The **Application (client) ID** that you copied from the Microsoft Entra admin center.

   * **Client secret**: The client secret **Value** that you copied from the Microsoft Entra admin center.

   * **Tenant ID**: The ID of your Entra tenant, as shown in the Microsoft Entra admin center.

   * **Callback URL**: Copy the **Callback URL** and paste it in a secure location. You'll add this value in the Microsoft Entra admin center later.

7. Click **Next**.

8. Define how the PingOne user attributes are mapped to IdP attributes. Learn more in [Mapping attributes](../directory/p1_editsamlattributemapping.html).

   * Leave the default PingOne user profile attributes and the external IdP attributes:

     * **Preferred Username** (from Microsoft) as the source of the PingOne **Username**

     * **Email** (from Microsoft) as the source of the PingOne **Email Address**

   * To add an attribute, click **+ Add**.

   * To use the advanced expression builder, click the **Gear** icon. Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html) and [Using expressions to retrieve Microsoft Entra attributes](../pingone_expression_language/p1_expressionlang_expressions_concatenation.html#p1-expressions-microsoft).

   * Select the update condition, which determines how PingOne updates its user directory with the values from the IdP. The options are:

     * **Empty only**: Update the PingOne attribute only if the existing attribute is empty.

     * **Always**: Always update the PingOne directory attribute.

9. Click **Save**.
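The attribute-mapping step above, worked through as an added example (this is not PingOne's code): it models what PingOne stores for a user after a Microsoft sign-on under the **Empty only** and **Always** update conditions, including just-in-time registration and the case where Microsoft omits a claim. The claim names, attribute names, sample users and the update conditions assigned to the default mappings are assumptions for illustration.

```python
# Added example, not PingOne's code: models the attribute-mapping step above.
# Given the claims Microsoft returns and the PingOne user's current attributes,
# it computes what PingOne stores under each update condition. Claim names,
# attribute names, sample values and the conditions on the default mappings
# are assumptions for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

EMPTY_ONLY = "Empty only"   # update only when the PingOne attribute is empty
ALWAYS = "Always"           # overwrite on every sign-on


@dataclass(frozen=True)
class AttributeMapping:
    pingone_attr: str      # PingOne user attribute
    idp_claim: str         # claim from the Microsoft ID token
    update: str            # EMPTY_ONLY or ALWAYS


# The default rows the page tells you to leave in place (update conditions assumed)
DEFAULT_MAPPINGS = [
    AttributeMapping("username", "preferred_username", EMPTY_ONLY),
    AttributeMapping("email", "email", ALWAYS),
]


def apply_mappings(existing: Optional[Dict[str, str]], claims: Dict[str, str],
                   mappings: List[AttributeMapping]) -> Dict[str, str]:
    """Return the PingOne user's attributes after a sign-on through the IdP.

    existing=None models just-in-time registration: there is no PingOne user
    yet, so every mapped claim that was sent is written, whatever its condition.
    """
    result = dict(existing or {})
    for m in mappings:
        if m.update not in (EMPTY_ONLY, ALWAYS):
            raise ValueError(f"unknown update condition for {m.pingone_attr}: {m.update}")
        if m.idp_claim not in claims:
            continue  # the IdP did not send the claim; keep the current value
        if m.update == ALWAYS or not result.get(m.pingone_attr):
            result[m.pingone_attr] = claims[m.idp_claim]
    return result
```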

## Adding the callback URL to the Microsoft Entra admin

Add the callback URL from the Microsoft IdP connection to the application you registered in the Microsoft Entra admin center.

### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/).

2. In the sidebar, go to **Identity > Applications > App registrations** and click your application.

3. On the **App registrations** page, in the **Manage** section, click **Authentication**.

4. In the **Platform configurations > Web > Redirect URIs** section, click **Add URI**.

   ![A screenshot of the Authentication page - Redirect URIs in the Entra admin center.](../use_cases/_images/p1-entra-eam-redirect-uris.png)

5. Paste the **Callback URL** that you copied from the PingOne admin console.

   The following examples show the URL format:

   Example 1: `https://auth.pingone.<region>/<envID>/rp/callback/microsoft`

   Example 2: `https://<customDomain>/rp/callback/microsoft`

6. Click **Save**.
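The two URLs this page has you exchange between PingOne and Entra (the authorize URL registered at app registration and the Microsoft callback URL added in the steps above) follow the formats shown, and Entra matches redirect URIs by exact string comparison. The following added example (not PingOne's or Microsoft's code) derives both URLs from a region, environment ID or custom domain, and reports the usual near-misses (trailing slash, `http`, path casing) in a list of registered redirect URIs; the region, environment ID and domain values are constructed placeholders.

```python
# Added example, not PingOne's or Microsoft's code. Derives the authorize URL
# and the Microsoft callback URL in the formats this page shows, then checks
# a list of Entra redirect URIs for an exact match with the expected callback.
# Region, environment ID and custom domain values are constructed placeholders.
from typing import List, Optional
from urllib.parse import urlsplit


def pingone_base(region: str, env_id: str, custom_domain: Optional[str] = None) -> str:
    """Issuer base: the custom domain if one is set, else the regional host + env ID."""
    if custom_domain:
        return f"https://{custom_domain}"
    return f"https://auth.pingone.{region}/{env_id}"


def authorize_url(base: str) -> str:
    """Authorization endpoint entered as the Redirect URI when registering the app."""
    return f"{base}/as/authorize"


def microsoft_callback_url(base: str) -> str:
    """Callback URL shown in the Microsoft IdP connection details in PingOne."""
    return f"{base}/rp/callback/microsoft"


def check_redirect_uris(registered: List[str], expected: str) -> List[str]:
    """Return findings; an empty list means Entra holds an exact match.

    Redirect URIs are compared by exact string match, so a trailing slash,
    an http scheme or different path casing all cause a mismatch at sign-on.
    """
    findings: List[str] = []
    if expected in registered:
        return findings
    findings.append(f"no exact match for {expected}")
    want = urlsplit(expected)
    for uri in registered:
        got = urlsplit(uri)
        same_host = got.netloc.lower() == want.netloc.lower()
        if got.scheme != "https":
            findings.append(f"{uri}: scheme must be https")
        elif same_host and got.path.rstrip("/") == want.path:
            findings.append(f"{uri}: trailing slash differs from expected")
        elif same_host and got.path.lower() == want.path.lower():
            findings.append(f"{uri}: path case differs from expected")
    return findings
```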

## Next steps

* [Add the Microsoft IdP to an authentication policy](../authentication/p1_add_idp_signon_step.html) followed by an MFA step.

* Ensure that registration is enabled in the authentication policy. Learn more in [Authentication policies](../authentication/p1_authenticationpolicies.html) and [Add the authentication policy to your application](../applications/p1_apply_auth_policy_to_applications.html).
