Creating a Microsoft Azure Office 365 connection
Use a Microsoft Azure Office 365 connection to enable provisioning from PingOne to the Microsoft Azure identity platform.
Before you begin
You should review the information about registering applications with the Microsoft identity platform. Learn more in Register an application in Microsoft Entra ID in the Microsoft documentation.
Make sure that you have:
- An Azure account that has an active subscription. Learn more in Microsoft’s Create your Azure Free account.
- The tenant domain ID for the Azure account. You can find the tenant domain in the Azure portal. Go to the application properties and select View endpoints. Copy the ID from the URL under Microsoft Azure AD Graph API Endpoint.
- The client ID and client secret for the connected application. You can find the client ID and client secret in the Azure portal. Learn more in Register an application in Microsoft Entra ID in the Microsoft documentation.
- The following application permissions in your application:
  - Application.ReadWrite.All
  - Group.ReadWrite.All
  - Organization.Read.All
  - User.ReadWrite.All
  Learn more in Configure app permissions for a web API in the Microsoft documentation.
Steps
1. In the PingOne admin console, go to Integrations > Provisioning.
2. Click , and then click New Connection.
3. On the Identity Store line, click Select.
4. On the Microsoft Azure (Microsoft 365) tile, click Select. Click Next.
5. Enter a name and description for the provisioning connection.
   Result: The connection name appears in the provisioning list after you save the connection.
6. Click Next.
7. In the Configure Authentication section, enter the values for the following fields:

   | Field | Value |
   |---|---|
   | Tenant Domain ID | The tenant domain ID for the Azure account. You can find the tenant domain in the Azure portal. Learn more in Local tenant ID and primary domain in the Microsoft documentation. |
   | Client ID | The client ID from Azure for the connected application. You can find the client ID and client secret in the Azure portal. |
   | Client secret | The client secret from Azure for the connected application. You can find the client ID and client secret in the Azure portal. |

8. Click Test Connection to verify that PingOne can establish a connection to Azure.
   Result: If there are any issues with the connection, a Test Connection Failed modal opens. Click Next to resume the setup with an invalid connection.
   You can’t use the connection for provisioning until you’ve established a valid connection to Azure. To retry, click Cancel in the Test Connection Failed modal and repeat step 7.
   Troubleshooting: Learn more about troubleshooting your connection in Troubleshooting Test Connections Failure.
9. In the Configure Preferences and Actions sections, configure the following:

   | Field | Description |
   |---|---|
   | Remove Licenses when SKU ID is empty | Determines whether to remove a user’s license from their account if you don’t configure the skuId field in the rule’s attribute mappings, or if the user’s skuId field is cleared in the external identity store. True: If the skuId field is not configured in the rule’s attribute mapping, the user’s licenses are removed from their account. False (default): If the skuId field is not configured in the rule’s attribute mapping, the user’s licenses are not removed from their account. However, if the skuId field is configured and the user’s skuId field is cleared in the directory, the user’s licenses are removed from their account. |
   | Allow Users to be Created | Determines whether to create a user in the Azure identity store when the user is created in the PingOne identity store. |
   | Allow Users to be Updated | Determines whether to update user attributes in the Azure identity store when the user is updated in the PingOne identity store. |
   | Allow Users to be Disabled | Determines whether to disable a user in the Azure identity store when the user is disabled in the PingOne identity store. |
   | Allow Users to be Deprovisioned | Determines whether to deprovision a user in the Azure identity store when the user is deprovisioned in the PingOne identity store. |
   | Remove Action | Determines the action to take when removing a user from the Azure identity store. Delete: When a user is deprovisioned from the PingOne identity store, PingOne removes the user from the external identity store. Disable: When a user is deprovisioned from the PingOne identity store, PingOne disables the user in the external identity store. |
   | Deprovision on Rule Deletion | Determines whether to deprovision users that were provisioned using this rule if the rule is deleted. |

10. Click Save.
11. To enable the connection, click the toggle at the top of the details panel to the right (blue). You can disable the connection by clicking the toggle to the left (gray).
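Before relying on Test Connection in step 8, you can confirm on your own that the app registration from the prerequisites is issued an app-only token that carries the four required application permissions. This is an added example, not PingOne or Microsoft code; the environment variable names AZ_TENANT, AZ_CLIENT_ID and AZ_CLIENT_SECRET are assumptions, and when they are unset the script checks a constructed, unsigned token instead of calling Azure.

```python
"""Pre-flight check of the Azure app registration used by the PingOne connection.
Added example, not PingOne or Microsoft code: requests an app-only token the way a
provisioning connector does and compares its `roles` claim with the required permissions."""
import base64
import json
import os
import urllib.parse
import urllib.request

# Application permissions listed in the PingOne prerequisites.
REQUIRED_ROLES = {"Application.ReadWrite.All", "Group.ReadWrite.All",
                  "Organization.Read.All", "User.ReadWrite.All"}

def decode_jwt_claims(token: str) -> dict:
    """Payload of a JWT without signature verification: fine for inspecting a token
    we just obtained from the issuer, never for accepting one presented to us."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_roles(claims: dict) -> set:
    """Required permissions absent from `roles`, i.e. not granted or not admin-consented.
    Application permissions appear in an app-only token only after admin consent."""
    return REQUIRED_ROLES - set(claims.get("roles", []))

def request_token(tenant: str, client_id: str, client_secret: str) -> str:
    """OAuth 2.0 client-credentials grant on the Microsoft identity platform v2 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials", "client_id": client_id,
        "client_secret": client_secret, "scope": "https://graph.microsoft.com/.default",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        return json.load(resp)["access_token"]

def sample_token(roles) -> str:
    """Constructed, unsigned JWT for offline runs (not issued by Entra ID)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "none"})
    payload = seg({"aud": "https://graph.microsoft.com", "roles": sorted(roles)})
    return f"{header}.{payload}."

if __name__ == "__main__":
    # Assumed variable names; when they are unset, the constructed token is checked instead.
    creds = [os.environ.get(k) for k in ("AZ_TENANT", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET")]
    token = request_token(*creds) if all(creds) else sample_token(["User.ReadWrite.All", "Group.ReadWrite.All"])
    gap = missing_roles(decode_jwt_claims(token))
    print("all required application permissions granted" if not gap else f"missing: {sorted(gap)}")
```

A non-empty result means the connection will fail or provision incompletely even if the client secret is correct, because the registration lacks (or has not been admin-consented for) one of the listed permissions.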
Result
The Azure Office 365 provisioning connection is complete and added to the list of provisioning connections on the Provisioning page.
When you create the provisioning rule, make sure that you map a value for the |
Next steps
Sync group members out of PingOne into a software as a service (SaaS) application. Learn more in Configuring outbound group provisioning.
Microsoft Azure Office 365 attribute mapping
The following table lists common Microsoft Azure Office 365 attributes that can be mapped for user provisioning.
| Attribute | Description |
|---|---|
| password | A value for the user’s initial password. The field can also be set to a static default value. This field is required when a user is created. It cannot be updated, but you can force the user to update their password on their next sign-on by setting |
| mailNickname | The mail alias for the user. |
| resetPassword | Determines whether a user must reset their password the next time they sign on. The default value is |
| userPrincipalName | The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822. |
| immutableid | Associates a user ID with a user account in the Microsoft Azure identity store. |
| displayName | The name as it will look in the PingOne identity store. |
| accountEnabled | Determines whether a user account is enabled. The default value is |
| surname | The last (family) name of the user. |
| givenName | The first name of the user. |
| usageLocation | Determines the location of license usage, which is required for licensing. Map to an attribute that contains the ISO 3166 two-letter country code of license usage. Required for users that will be assigned licenses, because of a legal requirement to check the availability of services in various countries. Examples include: |