PingOne

Creating a Microsoft Azure Office 365 connection

Use a Microsoft Azure Office 365 connection to enable provisioning from PingOne to the Microsoft Azure identity platform.

Before you begin

You should review the information about registering applications with the Microsoft identity platform. Learn more in Register an application in Microsoft Entra ID in the Microsoft documentation.

Make sure that you have:

  • An Azure account that has an active subscription. Learn more in Microsoft’s Create your Azure Free account.

  • The tenant domain ID for the Azure account. You can find the tenant domain in the Azure portal. Go to the application properties and select View endpoints. Copy the ID from the URL under Microsoft Azure AD Graph API Endpoint.

  • The client ID and client secret for the connected application. You can find the client ID and client secret in the Azure portal. Learn more in Register an application in Microsoft Entra ID in the Microsoft documentation.

  • The following application permissions in your application:

    • Application.ReadWrite.All

    • Group.ReadWrite.All

    • Organization.Read.All

    • User.ReadWrite.All

    Learn more in Configure app permissions for a web API in the Microsoft documentation.
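Before you run Test Connection, it is worth checking that the app registration's token actually carries the four application permissions listed above and nothing more. The following is an added example (not PingOne or Microsoft code) that decodes the `roles` claim of an app-only access token and reports which required permissions are missing and which granted permissions are beyond what the connection needs. The sample token is constructed in the block and is unsigned; the decoder deliberately skips signature verification because the purpose is to inspect a token you already obtained, not to authenticate one.

```python
import base64
import json

# The four application permissions this page lists for the PingOne connection.
REQUIRED_APP_ROLES = {
    "Application.ReadWrite.All",
    "Group.ReadWrite.All",
    "Organization.Read.All",
    "User.ReadWrite.All",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs omit."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Inspection aid only: it tells you what a token you hold claims, it does not
    prove the token is genuine, so never use it to accept tokens from callers.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_app_roles(token: str, required=REQUIRED_APP_ROLES) -> dict:
    """Compare the token's 'roles' claim (application permissions) with the
    required set. 'missing' roles will make the connection fail; 'extra' roles
    are privilege the connection does not need and should be reviewed."""
    claims = decode_jwt_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "missing": sorted(required - granted),
        "extra": sorted(granted - required),
        "ok": required <= granted,
    }


def make_sample_token(roles) -> str:
    """Build a constructed, unsigned sample token for demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": list(roles)}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",  # empty signature segment for the constructed sample
    ])


if __name__ == "__main__":
    # Constructed token: two of the four roles present, plus one unrelated role.
    sample = make_sample_token(
        ["User.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"]
    )
    print(check_app_roles(sample))
```

In practice you would pass the access token your app registration obtains with the client credentials flow instead of the constructed sample; an empty `roles` claim usually means admin consent has not been granted for the application permissions.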

Steps

  1. In the PingOne admin console, go to Integrations > Provisioning.

  2. Click , and then click New Connection.

  3. On the Identity Store line, click Select.

  4. On the Microsoft Azure (Microsoft 365) tile, click Select. Click Next.

  5. Enter a name and description for the provisioning connection.

    Result:

    The connection name appears in the provisioning list after you save the connection.

  6. Click Next.

  7. In the Configure Authentication section, enter the values for the following fields:

    Field Value

    Tenant Domain ID

    The tenant domain ID for the Azure account. You can find the tenant domain in the Azure portal. Learn more in Local tenant ID and primary domain in the Microsoft documentation.

    Client ID

    The client ID from Azure for the connected application. You can find the client ID and client secret in the Azure portal.

    Client secret

    The client secret from Azure for the connected application. You can find the client ID and client secret in the Azure portal.

  8. Click Test Connection to verify that PingOne can establish a connection to Azure.

    Result:

    If there are any issues with the connection, a Test Connection Failed modal opens. Click Next to continue the setup even though the connection is invalid.

    You can’t use the connection for provisioning until you’ve established a valid connection to Azure. To retry, click Cancel in the Test Connection Failed modal and repeat step 7.

    Troubleshooting:

    Learn more about troubleshooting your connection in Troubleshooting Test Connections Failure.

  9. In the Configure Preferences and Actions sections, configure the following:

    Field Description

    Remove Licenses when SKU ID is empty

    Determines whether to remove a user’s license from their account if you don’t configure the skuId field in the rule’s attribute mappings, or if the user’s skuId field is cleared in the external identity store.

    • True: When enabled, if you choose to not configure the skuId field in the rule’s attribute mapping, the user’s licenses will be removed from their account.

    • False (default): When disabled, if you choose to not configure the skuId field in the rule’s attribute mapping, the user’s licenses will not be removed from their account. However, if you configure the skuId field in the rule’s attribute mapping, and if the user’s skuId field is cleared in the directory, the user’s licenses will be removed from their account.

    Allow Users to be Created

    Determines whether to create a user in the Azure identity store when the user is created in the PingOne identity store.

    Allow Users to be Updated

    Determines whether to update user attributes in the Azure identity store when the user is updated in the PingOne identity store.

    Allow Users to be Disabled

    Determines whether to disable a user in the Azure identity store when the user is disabled in the PingOne identity store.

    Allow Users to be Deprovisioned

    Determines whether to deprovision a user in the Azure identity store when the user is deprovisioned in the PingOne identity store.

    Remove Action

    Determines the action to take when removing a user from the Azure identity store.

    • Delete: When a user is deprovisioned from the PingOne identity store, PingOne removes the user from the external identity store.

    • Disable: When a user is deprovisioned from the PingOne identity store, PingOne disables the user in the external identity store.

    Deprovision on Rule Deletion

    Determines whether to deprovision users that were provisioned using this rule if the rule is deleted.
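The interaction between the license setting and the Allow/Remove Action preferences is easy to misread, so here is an added example (not PingOne code) that encodes the rules in the table above as a small decision model and returns the operations PingOne would perform in Azure for a given user event. The `Preferences` class, the event names, and the assumption that license removal is evaluated when a user is updated are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Preferences:
    """Mirror of the preference and action fields described in the table above."""
    remove_licenses_when_sku_empty: bool = False   # "Remove Licenses when SKU ID is empty"
    allow_create: bool = True
    allow_update: bool = True
    allow_disable: bool = True
    allow_deprovision: bool = True
    remove_action: str = "Delete"                  # "Delete" or "Disable"

    def __post_init__(self):
        if self.remove_action not in ("Delete", "Disable"):
            raise ValueError("remove_action must be 'Delete' or 'Disable'")


def should_remove_licenses(prefs: Preferences, sku_mapped: bool, sku_cleared: bool) -> bool:
    """Decide whether the user's licenses are removed.

    - skuId not mapped in the rule: removal depends on the setting
      (True removes, False keeps).
    - skuId mapped: removal happens only if the user's skuId was cleared,
      regardless of the setting.
    """
    if not sku_mapped:
        return prefs.remove_licenses_when_sku_empty
    return sku_cleared


def plan_operations(prefs: Preferences, event: str,
                    sku_mapped: bool = True, sku_cleared: bool = False) -> list:
    """Return the Azure operations for a PingOne user event, honouring the
    Allow flags and the Remove Action. Event names are constructed here."""
    ops = []
    if event == "created":
        if prefs.allow_create:
            ops.append("create user")
    elif event == "updated":
        if prefs.allow_update:
            ops.append("update user attributes")
            # Assumption: license removal is evaluated as part of an update.
            if should_remove_licenses(prefs, sku_mapped, sku_cleared):
                ops.append("remove licenses")
    elif event == "disabled":
        if prefs.allow_disable:
            ops.append("disable user")
    elif event == "deprovisioned":
        if prefs.allow_deprovision:
            ops.append("delete user" if prefs.remove_action == "Delete" else "disable user")
    else:
        raise ValueError(f"unknown event: {event}")
    return ops


if __name__ == "__main__":
    prefs = Preferences(remove_licenses_when_sku_empty=True, remove_action="Disable")
    print(plan_operations(prefs, "updated", sku_mapped=False))
    print(plan_operations(prefs, "deprovisioned"))
```

The default preferences (setting False, skuId not mapped) never touch licenses, which is the safest starting point; choosing Disable as the Remove Action keeps the Azure object recoverable if a deprovisioning turns out to be a mistake.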

  10. Click Save.

  11. To enable the connection, click the toggle at the top of the details panel so that it moves to the right (blue).

    To disable the connection, click the toggle so that it moves to the left (gray).

Result

The Azure Office 365 provisioning connection is complete and added to the list of provisioning connections on the Provisioning page.

When you create the provisioning rule, make sure that you map a value for the Password attribute. You must map a value for Password before you can enable the rule. Learn more in Adding attribute mapping for outbound provisioning.

Next steps

Sync group members out of PingOne into a software as a service (SaaS) application. Learn more in Configuring outbound group provisioning.

Microsoft Azure Office 365 attribute mapping

The following table lists common Microsoft Azure Office 365 attributes that can be mapped for user provisioning.

Attribute Description

password

A value for the user’s initial password. The field can also be set to a static default value.

This field is required when a user is created. It cannot be updated, but you can force the user to change their password at their next sign-on by setting resetPassword to true.

The password must satisfy the minimum requirements of the user’s password policy. We recommend using a strong password.

mailNickname

The mail alias for the user.

resetPassword

Determines whether a user must reset their password the next time they sign on. The default value is true, but it can be mapped to an attribute.

userPrincipalName

The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822.

immutableid

Associates a user ID with a user account in the Microsoft Azure identity store.

displayName

The name as it will look in the PingOne identity store.

accountEnabled

Determines whether a user account is enabled. The default value is Enabled.

surname

The last (family) name of the user.

givenName

The first name of the user.

usageLocation

Determines the location of license usage, which is required for licensing. Map to an attribute that contains the ISO-3166 formatted country (2-letter country code) of license usage.

Required for users who will be assigned licenses, because there is a legal requirement to check the availability of services in each country. Examples include US, JP, and GB.
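The constraints in the table above (password required at creation and never updated, resetPassword defaulting to true, usageLocation as a two-letter ISO-3166 code whenever licenses will be assigned) can be enforced before a request reaches Azure. The following is an added example, not PingOne's provisioning code, that turns a dictionary of mapped attributes into a create or update body. The mapping of the table's attribute names onto Microsoft Graph user properties (for instance `immutableid` to `onPremisesImmutableId`, and password/resetPassword to `passwordProfile`) and the additional fields Graph requires on creation are assumptions of this example, not statements from the page.

```python
import re

# ISO-3166 alpha-2 codes are exactly two upper-case letters.
ISO_3166_ALPHA2 = re.compile(r"^[A-Z]{2}$")

# Assumed correspondence between the attribute names in the table above and
# Microsoft Graph user properties (assumption for this example).
GRAPH_PROPERTY = {
    "mailNickname": "mailNickname",
    "userPrincipalName": "userPrincipalName",
    "immutableid": "onPremisesImmutableId",
    "displayName": "displayName",
    "accountEnabled": "accountEnabled",
    "surname": "surname",
    "givenName": "givenName",
    "usageLocation": "usageLocation",
}

# password is required by the table; the other three are what Graph itself
# requires when creating a user (assumption beyond the page).
REQUIRED_ON_CREATE = ("password", "displayName", "mailNickname", "userPrincipalName")


def _validate_usage_location(mapped: dict, assigns_licenses: bool):
    loc = mapped.get("usageLocation") or None
    if assigns_licenses and loc is None:
        raise ValueError("usageLocation is required when licenses will be assigned")
    if loc is not None and not ISO_3166_ALPHA2.match(loc):
        raise ValueError(f"usageLocation must be a 2-letter ISO-3166 code, got {loc!r}")


def build_create_payload(mapped: dict, assigns_licenses: bool = False) -> dict:
    """Build the body for creating a user from mapped attributes."""
    missing = [a for a in REQUIRED_ON_CREATE if not mapped.get(a)]
    if missing:
        raise ValueError(f"missing required attribute(s) on create: {missing}")
    _validate_usage_location(mapped, assigns_licenses)

    body = {GRAPH_PROPERTY[k]: v for k, v in mapped.items() if k in GRAPH_PROPERTY}
    body.setdefault("accountEnabled", True)          # table default: Enabled
    body["passwordProfile"] = {
        "password": mapped["password"],
        # table default for resetPassword is true
        "forceChangePasswordNextSignIn": bool(mapped.get("resetPassword", True)),
    }
    return body


def build_update_payload(mapped: dict) -> dict:
    """Build the body for updating a user. The password is never sent on
    update; resetPassword may still force a change at next sign-on."""
    body = {GRAPH_PROPERTY[k]: v for k, v in mapped.items() if k in GRAPH_PROPERTY}
    if "usageLocation" in body:
        _validate_usage_location(mapped, assigns_licenses=False)
    if "resetPassword" in mapped:
        body["passwordProfile"] = {
            "forceChangePasswordNextSignIn": bool(mapped["resetPassword"]),
        }
    return body


if __name__ == "__main__":
    # Constructed sample of mapped attributes for one user.
    sample = {
        "password": "Example-Initial-Pass-2024!",
        "displayName": "Ada Example",
        "mailNickname": "ada.example",
        "userPrincipalName": "ada.example@contoso.example",
        "givenName": "Ada",
        "surname": "Example",
        "usageLocation": "GB",
        "immutableid": "abc123",
    }
    print(build_create_payload(sample, assigns_licenses=True))
    print(build_update_payload({"givenName": "Ada", "resetPassword": False}))
```

Rejecting a lower-case or three-letter country code locally is cheaper than discovering the failure in the Azure audit log after the user object has already been created without a license.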