---
title: Creating a Microsoft Azure Office 365 connection
description: Use a Microsoft Azure Office 365 connection to enable provisioning from PingOne to the Microsoft Azure identity platform.
component: pingone
page_id: pingone:integrations:p1_create_azure_connection
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_create_azure_connection.html
revdate: June 4, 2024
page_aliases: ["p1_azure_attribute_mapping.adoc"]
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result:
  result-2: Result:
  troubleshooting: Troubleshooting:
  result-3: Result
  next-steps: Next steps
  microsoft-azure-office-365-attribute-mapping: Microsoft Azure Office 365 attribute mapping
---

# Creating a Microsoft Azure Office 365 connection

Use a Microsoft Azure Office 365 connection to enable provisioning from PingOne to the Microsoft Azure identity platform.

## Before you begin

You should review the information about registering applications with the Microsoft identity platform. Learn more in [Register an application in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) in the Microsoft documentation.

Make sure that you have:

* An Azure account that has an active subscription. Learn more in Microsoft's [Create your Azure Free account](https://azure.microsoft.com/en-us/pricing/purchase-options/azure-account?icid=azurefreeaccount&WT.mc_id=A261C142F).

* The tenant domain ID for the Azure account. You can find the tenant domain in the Azure portal. Go to the application properties and select **View endpoints**. Copy the ID from the URL under **Microsoft Azure AD Graph API Endpoint**.

* The client ID and client secret for the connected application. You can find the client ID and client secret in the Azure portal. Learn more in [Register an application in Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) in the Microsoft documentation.

* The following application permissions in your application:

  * `Application.ReadWrite.All`

  * `Group.ReadWrite.All`

  * `Organization.Read.All`

  * `User.ReadWrite.All`

  Learn more in [Configure app permissions for a web API](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-configure-app-access-web-apis#add-permissions-to-access-web-apis) in the Microsoft documentation.
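
To confirm these prerequisites before you enter the credentials in PingOne, you can inspect an app-only access token issued to the application: Microsoft Entra ID places granted application permissions in the token's `roles` claim and the tenant in `tid`. The following Python code is an added example, not part of the PingOne documentation; it assumes the permissions were granted as Microsoft Graph application permissions, and the function names, sample token, and tenant ID are constructed for illustration.

```python
import base64
import json

# The four application permissions this page lists as prerequisites.
REQUIRED_ROLES = {
    "Application.ReadWrite.All",
    "Group.ReadWrite.All",
    "Organization.Read.All",
    "User.ReadWrite.All",
}


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_prerequisites(token: str, expected_tenant_id: str) -> dict:
    """Compare an app-only token's tenant and roles with the page's prerequisites."""
    claims = jwt_claims(token)
    granted = set(claims.get("roles", []))  # claim is absent if nothing was consented
    return {
        "tenant_matches": claims.get("tid", "").lower() == expected_tenant_id.lower(),
        "missing": sorted(REQUIRED_ROLES - granted),
        "extra": sorted(granted - REQUIRED_ROLES),  # more than this connection needs
    }


def make_sample_token(tid: str, roles: list) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none", "typ": "JWT"}), b64({"tid": tid, "roles": roles}), "sig"])


if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
    token = make_sample_token(
        tenant, ["User.ReadWrite.All", "Group.ReadWrite.All", "Directory.ReadWrite.All"]
    )
    print(check_prerequisites(token, tenant))
```

An empty `missing` list with `tenant_matches` set to true means the token carries every permission listed above; entries under `extra` are permissions the connection doesn't require.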

## Steps

1. In the PingOne admin console, go to **Integrations > Provisioning**.

2. Click the **+** icon, and then click **New Connection**.

3. On the **Identity Store** line, click **Select**.

4. On the **Microsoft Azure (Microsoft 365)** tile, click **Select**. Click **Next**.

5. Enter a name and description for the provisioning connection.

   ### Result:

   The connection name appears in the provisioning list after you save the connection.

6. Click **Next**.

7. In the **Configure Authentication** section, enter the values for the following fields:

   | Field                | Value                                                                                                                                                                                                                                                                            |
   | -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Tenant Domain ID** | The tenant domain ID for the Azure account. You can find the tenant domain in the Azure portal. Learn more in [Local tenant ID and primary domain](https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/find-tenant-id-domain) in the Microsoft documentation. |
   | **Client ID**        | The client ID from Azure for the connected application. You can find the client ID and client secret in the Azure portal.                                                                                                                                                        |
   | **Client secret**    | The client secret from Azure for the connected application. You can find the client ID and client secret in the Azure portal.                                                                                                                                                    |

8. Click **Test Connection** to verify that PingOne can establish a connection to Azure.

   ### Result:

   If there are any issues with the connection, a **Test Connection Failed** modal opens. Click **Next** to resume the setup with an invalid connection.

   |   |                                                                                                                                                                                           |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You can't use the connection for provisioning until you've established a valid connection to Azure. To retry, click **Cancel** in the **Test Connection Failed** modal and repeat step 7. |

   ### Troubleshooting:

   Learn more about troubleshooting your connection in [Troubleshooting test connection failure](p1_provisioning_troubleshooting_test_connection_failure.html).

9. In the **Configure Preferences** and **Users Actions** sections, configure the following:

   | Field | Description |
   | ----- | ----------- |
   | **Remove Licenses when SKU ID is empty** | Determines whether to remove a user's license from their account if you don't configure the **skuId** field in the rule's attribute mappings, or if the user's **skuId** field is cleared in the external identity store.<br>- **True**: When enabled, if you choose to not configure the **skuId** field in the rule's attribute mapping, the user's licenses will be removed from their account.<br>- **False** (default): When disabled, if you choose to not configure the **skuId** field in the rule's attribute mapping, the user's licenses will not be removed from their account. However, if you configure the **skuId** field in the rule's attribute mapping, and if the user's **skuId** field is cleared in the directory, the user's licenses will be removed from their account. |
   | **Enable users creation** | Determines whether to create a user in the target identity store when the user is created in the source identity store. |
   | **Enable users updation** | Determines whether to update user attributes in the target identity store when the user is updated in the source identity store. If **Enable users updation** is selected, you can choose to select **Enable users disable** which determines whether to disable a user in the target identity store when the user is disabled in the source identity store. |
   | **Enable users deprovision** | Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store. If **Enable users deprovision** is selected, the following configurations appear.<br>- **Remove Action**: Determines whether to remove or disable a user in the target identity store when the user is deleted in the source identity store. Select **Delete** or **Disable**. **Remove Action** is only available if you select **Enable users disable**.<br>- **Deprovision on rule deletion**: Determines whether to deprovision users if the associated provisioning rule is deleted. |

10. Click **Save**.

11. To enable the connection, click the toggle at the top of the details panel to the right (blue).

    |   |                                                                           |
    | - | ------------------------------------------------------------------------- |
    |   | You can disable the connection by clicking the toggle to the left (gray). |

## Result

The Azure Office 365 provisioning connection is complete and added to the list of provisioning connections on the **Provisioning** page.

|   |                                                                                                                                                                                                                      |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | When you create the provisioning rule, make sure that you map a value for the `Password` attribute before you enable the rule. Learn more in [Creating an outbound rule](p1_create_provisioning_rule_outbound.html). |

## Next steps

Sync group members out of PingOne into a software as a service (SaaS) application. Learn more in [Configuring outbound group provisioning](p1_provisioning_configuring_outbound_group_provisioning.html).

## Microsoft Azure Office 365 attribute mapping

The following table lists common Microsoft Azure Office 365 attributes that can be mapped for user provisioning.

| Attribute             | Description                                                                                                                                                                                                                                                                                                                                                                                                         |
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **password**          | A value for the user's initial password. The field can also be set to a static default value. This field is required when a user is created. It cannot be updated, but you can force the user to update their password on their next sign on by setting `resetPassword` to `true`.<br><br>The password must satisfy the minimum requirements of the user's password policy. We recommend using a strong password. |
| **mailNickname**      | The mail alias for the user.                                                                                                                                                                                                                                                                                                                                                                                        |
| **resetPassword**     | Determines whether a user must reset their password the next time they sign on. The default value is `true`, but it can be mapped to an attribute.                                                                                                                                                                                                                                                                  |
| **userPrincipalName** | The user principal name (UPN) of the user. The UPN is an Internet-style login name for the user based on the Internet standard RFC 822.                                                                                                                                                                                                                                                                             |
| **immutableid**       | Associates a user ID with a user account in the Microsoft Azure identity store.                                                                                                                                                                                                                                                                                                                                     |
| **displayName**       | The name as it will look in the PingOne identity store.                                                                                                                                                                                                                                                                                                                                                             |
| **accountEnabled**    | Determines whether a user account is enabled. The default value is `Enabled`.                                                                                                                                                                                                                                                                                                                                       |
| **surname**           | The last (family) name of the user.                                                                                                                                                                                                                                                                                                                                                                                 |
| **givenName**         | The first name of the user.                                                                                                                                                                                                                                                                                                                                                                                         |
| **usageLocation**     | Determines the location of license usage, which is required for licensing. Map to an attribute that contains the ISO-3166 formatted country (2-letter country code) of license usage. Required for users that will be assigned licenses due to a legal requirement to check the availability of services in various countries. Examples include: `US`, `JP`, and `GB`. |
