PingOne

Setting up PingOne SSO, DaVinci, and PingID as the external MFA provider for Microsoft Entra ID

Microsoft Entra ID allows customers to use an external authentication provider for multi-factor authentication (MFA) through external authentication methods (EAMs). In this use case, you’ll learn how to set up Entra ID, PingOne SSO, DaVinci, and PingID to support an EAM in Entra ID.

Set up an EAM in Entra ID if:

If you added a Microsoft 365 application to PingOne using the application catalog and completed the PowerShell cmdlets to set up PingOne as the federated IdP for the domain in Entra ID, an EAM isn’t required for MFA. Instead, you can add an MFA claim in the Microsoft 365 application to communicate to Entra ID that PingOne will handle MFA. Learn more in Using WS-Fed or SAML 1.1 federated IdP in the Entra ID documentation.

The high-level process of signing on with an EAM works as follows, with PingOne and PingID acting as the external authentication provider:

  1. A user opens an application protected by Entra ID and is prompted to complete first-factor MFA in Entra ID.

  2. Entra ID determines that another factor needs to be satisfied, such as if a conditional access policy requires MFA.

  3. The user chooses the applicable EAM as second-factor MFA.

  4. Entra ID sends an OpenID Connect (OIDC) authentication request to PingOne (the external authentication provider in this use case).

  5. PingOne initiates MFA for the user.

  6. The user completes the MFA requirement using the PingID app.

  7. PingOne returns an ID token to Entra ID in the authentication response.

  8. Entra ID validates the ID token and signs the users on to the application.

Learn more about EAMs in the Microsoft Entra MFA external method provider reference in the Entra ID documentation.

Goals

After completing this use case, you’ll know how to:

  • Configure Microsoft Entra ID to support an EAM for MFA.

  • Add Entra ID as an external IdP in PingOne.

  • Set up PingID as the MFA solution for Entra ID users.

What you’ll do

In Microsoft Entra ID, you’ll configure three components:

  1. Add and configure an application.

  2. Create an EAM.

  3. Add a conditional access policy.

In PingOne, you’ll configure the following:

  1. Create a population for Entra ID users.

  2. Create a Microsoft IdP connection.

In PingOne DaVinci, you’ll configure two flows:

  1. Add a flow to handle external authentication requests from Entra ID.

  2. Add a second DaVinci flow to redirect users to Entra ID for OIDC authentication.

The last step is configuring PingID as the EAM for Entra ID.

Before you begin

To set up this use case, you’ll need:

  • A PingOne organization. Learn more in Starting a PingOne trial.

  • A PingOne environment with the PingOne SSO, DaVinci, and PingID services added.

    Create a new environment as follows, depending on whether you’re already using PingID:

  • A Microsoft Entra account with an active subscription and an Entra tenant.

Tasks

New PingID accounts: Creating a population for Microsoft Entra ID users

If you created a new PingID environment in PingOne, your new environment includes a population named Default. Learn more in Creating a new PingOne environment with MFA.

If you integrated an existing PingID account with a new PingOne account, skip to Existing PingID accounts: Creating a population for Microsoft Entra ID users and changing the default population.
A screen capture of the Populations page with one Default environment.

When you configure an EAM for Microsoft Entra, you’ll need to create a new population in PingOne for users coming from Entra ID.

Steps

  1. In the PingOne admin console, go to Directory > Populations.

  2. Click the icon to add a new population.

  3. Enter the following:

    1. Population Name: A unique label for the population, such as Entra ID users.

    2. Description (optional): A brief description of the population.

    3. Default Population (optional): Don’t select this checkbox in this scenario unless you want to specify this population as the new default population.

  4. Click Save.

    A screen capture of the Populations page with a Default and Entra ID population.

Existing PingID accounts: Creating a population for Microsoft Entra ID users and changing the default population

If you integrated your PingID account with a new PingOne account, your new environment includes a population named Default with users from PingID assigned to this population. The following image shows the Default population with two users from PingID.

If you created a new PingID environment in PingOne, follow the steps in New PingID accounts: Creating a population for Microsoft Entra ID users.
A screen capture of the Populations page with one Default environment that has two identities.

By default, the Identity Provider for this population is set to PingOne. You’ll update this setting as part of this process.

A screen capture of the Populations page with the Default population selected and the details panel showing.

Because you could have a future scenario where users in this environment aren’t coming from Microsoft Entra ID, you should rename the Default population, create a new population for users coming from Entra ID, and set the new population as the default population.

Steps

  1. In the PingOne admin console, go to Directory > Populations.

  2. Click the Default population, and then click the Pencil icon () to edit the population.

  3. Change Population Name from Default to a new name, such as Entra ID users.

    A screen capture of the Edit Population panel with the Population Name changed to Entra ID users.

  4. Click Save.

  5. To create a new population, click the icon.

  6. Enter the following:

    1. Population Name: A unique label for the population, such as Home.

    2. Description (optional): A brief description of the population.

    3. Default Population: Select the Enable checkbox to set this population as the new default population.

    4. In the confirmation modal, click Confirm to make this population the new default population.

      A screen capture of the New Population with the Make Default Population confirmation message showing.

  7. Click Save.

Result

You now have two populations in your environment:

  1. Entra ID users: Users from PingID are assigned to this population. This is also the population where future Entra ID users will be assigned when Entra ID redirects users to PingOne for MFA. Previously, this population was named Default and was set as the default population.

  2. Home: This population is the new default population and was created for future scenarios where users aren’t coming from Entra ID.

A screen capture of the Populations page with two populations: Entra ID users and Home.

Registering your application with Microsoft

To configure an EAM, register an application in Microsoft Entra. Learn more in Quickstart to registering an app in the Microsoft Entra documentation.

Before you begin

Ensure that you have:

  • A Microsoft Entra account with an active subscription

  • An Entra tenant

Steps

  1. Go to the Microsoft Entra admin center and sign on to your account.

    If you don’t have a Microsoft Entra account, you can create one now.

  2. In the sidebar, go to Identity > Applications > App registrations.

  3. Click New registration.

    A screenshot of the App registrations page in the Entra admin center.

  4. Enter and configure the following:

    1. Name: Enter a user-facing display name for the application.

    2. Supported account types: Select either of the following, depending on the needs of your organization:

      • Accounts in this organizational directory only (<Your Entra tenant name> only - Single tenant): Select this option if you’re working with only identities from your environment.

      • Accounts in any organizational directory and personal Microsoft accounts

    3. Redirect URI: Select Web as the platform and enter the authorization URL of your PingOne environment.

      You can find this URL on the Overview tab of any OIDC application in the PingOne admin console in the Connection Details section.

      The format is <issuer>/authorize.

      Example 1: https://auth.pingone.<region>/<envID>/as/authorize

      Example 2: https://<customDomain>/as/authorize if you set up a custom domain. Learn more in Setting up a custom domain.

      A screenshot of the Register an application page in the Entra admin center.

  5. Click Register.

Enabling the implicit grant

After registering the application in Entra, enable the implicit grant type for your application to support an EAM.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the sidebar, go to Identity > Applications > App registrations and click your application.

  3. On the App registrations page, in the Manage section, click Authentication.

  4. In the Implicit grant and hybrid flows section, select the ID tokens checkbox for the token type to be issued by the authorization endpoint.

    A screenshot of the Authentication page for the application in the Entra admin center.

  5. Click Save.

Getting the client ID and client secret for your application and the tenant ID of your Entra tenant

When you register your application with Microsoft, Microsoft generates an application (client) ID and application secret for the application.

Microsoft also generates a directory (tenant) ID for each Microsoft Entra tenant. You’ll copy these values and enter them into PingOne.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the sidebar, go to Identity > Applications > App registrations and click your application.

  3. On the App registrations page, in the Manage section, click Certificates & secrets.

  4. On the Client secrets tab, click New client secret.

  5. Enter the following:

    1. Description: A brief description of the client secret.

    2. Expires: Select the duration of the certificate based on the needs of your organization.

  6. Click Add.

  7. On the Client secrets tab, click the Copy icon () for the Value and paste it in a secure location.

    A screenshot of the Certificates & secrets page in the Entra admin center.

  8. In the App registrations sidebar, click Overview.

    A screenshot of the Certificates & secrets page in the Entra admin center.

  9. Copy the Application (client) ID and paste it in a secure location.

    A screenshot of the Application Overview page - Application ID in the Entra admin center.

  10. Locate the Directory (tenant) ID and copy it to a secure location.

Setting up API permissions

Using an EAM with Microsoft Entra requires certain API permissions that you’ll need to enable in your application.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the sidebar, go to Identity > Applications > App registrations and click your application.

  3. On the App registrations page, in the Manage section, click API permissions.

  4. Click Add a permission.

    A screenshot of the API permissions page in the Entra admin center.

  5. On the Request API permissions panel, click Microsoft Graph.

    A screenshot of the Request API permissions panel in the Entra admin center.

  6. Click Delegated permissions for the type of permissions to allow for your application.

    A screenshot of the Request API permissions panel - Type of permissions in the Entra admin center.

  7. Expand Openid permissions.

  8. Select the openid and profile permissions.

    User.Read is included by default and should remain selected.

  9. Click Application permissions, expand User, and select the User.Read.All permission.

    If you don’t intend to retrieve many attributes from Microsoft Entra ID and populate them into PingOne, you can select the User.ReadBasic.All permission instead of the User.Read.All permission.

    Both of these permissions require admin consent.

  10. To grant admin consent, click Add permissions.

  11. Click Grant admin consent for <your Entra tenant>.

Adding Microsoft as an identity provider in PingOne

Configure the IdP connection in PingOne.

Steps

  1. In the PingOne admin console, go to Integrations > External IdPs and click the icon.

  2. Click Microsoft as the Identity Provider Type.

  3. Click Next.

  4. In the Create Profile step, enter the following information:

    • Name: A unique identifier for the IdP.

    • Description (optional): A brief description of the IdP.

    • Population: Select a population that overrides the authentication policy’s registration population and enables just-in-time (JIT) registration from the IdP.

      You can’t change the Icon and Sign-on button, in accordance with the provider’s brand standards.

  5. Click Next.

  6. In the Connection Details step, enter the following information:

    • Client ID: The application ID from the Microsoft Entra admin center that you copied earlier. You can find this information on the Microsoft Entra admin center.

    • Client secret: The application secret from the Microsoft Entra admin center that you copied earlier. You can find this information on the Microsoft Entra admin center.

    • Tenant ID: The tenant ID of your Entra tenant from the Microsoft Entra admin center that you copied earlier. You can find this information on the Microsoft Entra admin center.

    • Callback URL: Copy the Callback URL and paste it in a secure location. You’ll add this value in the Microsoft Entra admin center later.

  7. Click Next.

  8. Define how the PingOne user attributes are mapped to IdP attributes. Learn more in Mapping attributes.

    • Leave the default PingOne user profile attributes and the external IdP attributes:

      • Preferred Username (from Microsoft) as the source of the PingOne Username

      • Email (from Microsoft) as the source of the PingOne Email Address

    • To add an attribute, click Add.

    • To use the advanced expression builder, click the Gear icon (). Learn more in Using the expression builder and Using expressions to retrieve Microsoft Entra attributes.

    • Select the update condition, which determines how PingOne updates its user directory with the values from the IdP. The options are:

      • Empty only: Update the PingOne attribute only if the existing attribute is empty.

      • Always: Always update the PingOne directory attribute.

  9. Click Save.

  10. Click the connection in the External IdPs list to expand the connection details.

  11. On the Profile tab, click .

  12. For Population, select the population that you previously created for Entra ID users.

  13. Click Save.

  14. To enable the IdP, click the toggle at the top of the details panel to the right (blue).

    You can disable the IdP by clicking the toggle to the left (gray).
A screen capture of the Microsoft external IdP connection with the Entra ID users population selected.

Updating the population

After creating your connection to Microsoft, update the Identity Provider setting for the population that you created for users coming from Entra ID.

The Identity Provider setting is used as the runtime fallback IdP for users in the population who don’t have an authoritative IdP configured in their user profile. Updating the population is especially important if you integrated your PingID account with a new PingOne account because those user profiles are created in PingOne without an authoritative IdP set. If the user is removed from the population, the IdP set in the population no longer applies to them.

Steps

  1. In the PingOne admin console, go to Directory > Populations.

  2. Click the population that you previously created for Entra ID users and click .

  3. In the Identity Provider list, select the IdP that you previously created in Adding Microsoft as an identity provider in PingOne.

  4. Click Confirm in the modal, and then click Save.

Adding a DaVinci flow and flow policy for Entra ID external authentication

Download and configure the DaVinci Entra ID EAM sample flow to handle external authentication requests from Entra ID.

Steps

  1. Download the Entra ID EAM & OIDC Authentication Reference Flow from the Ping Identity Marketplace and extract the contents of the .zip archive to a folder on your computer.

  2. In DaVinci, on the Flows tab, click Add Flow and select Import Flow.

  3. Upload the entra-id-external-authentication-reference-flow.json file from the sample flow .zip file and click Import.

  4. Configure the Entra ID external authentication method (EAM) - Sign On with External Identity Provider node:

    1. Click the node to open the configuration settings.

    2. On the General tab, in the PingOne External Identity Provider list, select the Microsoft IdP you created in Adding Microsoft as an identity provider in PingOne.

    3. Make sure the following default configurations are set:

      • Policy Purpose is set to Entra ID External Authentication Method.

      • ID Token Hint is set to {{global.parameters.authorizationRequest.id_token_hint}}.

      • The Link with PingOne User toggle is enabled (blue).

    4. In the PingOne Population list, select the applicable population.

    5. Click Apply.

  5. Review the default configuration settings for the Mint Tokens - Return Success Response node:

    1. Click the node to open the settings.

    2. On the General tab, make sure User ID is mapped to id from the Entra ID external authentication method (EAM) - Sign On with External Identity Provider node.

    3. Make sure Custom Authentication Methods is mapped to entraIdAmr from the Map PingID AMR Value - Custom Function node.

    4. Click Apply.

  6. Add a DaVinci flow policy for the sample flow:

    1. Go to the Applications tab and click Add Application.

    2. In the Name field, enter a name for the application and click Create.

    3. To edit the application, select the application in the Applications list.

    4. On the Flow Policy tab, click Add Flow Policy.

    5. In the Policy Name field, enter a name for the flow policy.

    6. Select PingOne Flow Policy to enable flows in the policy to be launched directly through PingOne.

      This option can’t be changed after the flow policy is created. PingOne flow policies can only include flows and flow versions that have the PingOne Flow setting enabled. Learn more in Configuring a flow policy in the DaVinci documentation.

    7. Click Next.

    8. In the flow list, click Entra ID External Authentication Method Sample Flow and select one or more versions of the flow to use.

      A screen capture of the Add FLow Policy modal with Entra ID EAM Sample Flow and Latest Version selected.

    9. Click Next.

    10. (Optional) Add weight distribution and analytics information for each flow and flow version. Learn more in Configuring a flow policy in the DaVinci documentation.

    11. Click Create Flow Policy.

Configuring the OIDC application

Configure an OIDC application to handle authentication requests from Microsoft Entra ID.

Steps

  1. In the PingOne admin console, go to Applications > Applications.

  2. Click the icon to add an application.

  3. On the Add Application panel, enter and choose the following:

    1. Application Name: A unique identifier for the application.

    2. Description (optional): A brief description of the application.

    3. Icon (optional): A graphic representation of the application. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format.

    4. Application Type: Choose OIDC Web App.

    5. Click Save.

  4. On the Configuration tab, click and enter or edit the following:

    1. Response Type: Clear the default Code checkbox and select ID Token.

    2. Grant Type: Clear the default Authorization Code checkbox and select Implicit checkbox.

    3. Redirect URIs: Enter https://login.microsoftonline.com/common/federation/externalauthprovider.

    4. Click Save.

  5. On the Policies tab, click Add Policies.

  6. On the DaVinci Policies tab, select the DaVinci flow policy that you created to handle external authentication requests from Entra ID.

    A screen capture of the Entra ID External Authentication Method Flow Policy selected on the DaVinci Policies tab.

  7. Click Save.

  8. To enable the application, click the toggle at the top of the details panel to the right (blue).

    You can disable the application by clicking the toggle to the left (gray).

  9. Click the application entry to open the details panel.

  10. On the Overview tab, copy the following PingOne application details to add in the Microsoft Entra admin center:

    • In the General section, copy the Client ID and paste it in a secure location.

    • In the Connection Details section, copy the OIDC Discovery Endpoint and paste it in a secure location.

Creating an external authentication method in Microsoft Entra

After creating the OIDC application in PingOne and copying the application ID, OIDC discovery endpoint, and client ID, create an EAM in Microsoft Entra.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the sidebar, go to Protection > Authentication methods > Policies.

  3. Click Add external method.

  4. Enter the following:

    1. Name: Enter a name for the EAM.

    2. Client ID: Enter your PingOne application’s client ID that you copied earlier.

    3. Discovery Endpoint: Enter the OIDC Discovery Endpoint that you copied earlier from PingOne. The format is <issuer>/.well-known/openid-configuration.

    4. App ID: Enter the Microsoft Entra application ID that you copied previously. You can find the application ID in the Microsoft Entra admin center.

  5. Click Request permission.

    A screenshot of the External Authentication Method configuration page in the Entra admin center.
    Result:

    The browser opens a new window for you to sign on with your Microsoft Entra admin credentials.

  6. Review the requested permissions and click Accept if you agree.

  7. In the Enable and target section, configure whether you want to include a subset of your users or all users.

  8. Click the Enable toggle to enable the EAM.

    A screenshot of the External Authentication Method configuration page in the Entra admin center.

Creating a conditional access policy in Microsoft Entra

Configure a conditional access policy in Microsoft Entra to define authentication requirements for users accessing applications.

If your Microsoft Entra tenant contains other conditional access policies that use custom controls to initiate MFA, ensure those policies don’t apply to the same users, groups, and applications that you select in this conditional access policy. Otherwise, your users could be prompted multiple times for MFA.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the sidebar, go to Protection > Conditional Access > Policies.

  3. Click Create new policy or update an existing policy.

  4. Configure the following:

    1. Name: Enter a name for the policy.

    2. Users: Select the same users and groups that you selected in your EAM.

    3. Target resources: Select the applications to which you want to apply this conditional access policy.

    4. Grant:

      1. Click Grant access.

      2. Select the Require multifactor authentication checkbox.

        A screenshot of Conditional Access Policy - Grant access modal in the Entra admin center.

      3. Click Select.

    5. Enable policy: Select On to turn on the policy.

  5. Click Save.

Configuring PingID as the external authentication method

Configure a PingID policy to process user MFA requests coming from the PingOne application that you created to handle Microsoft Entra requests.

Steps

  1. In the PingID admin portal, go to Setup > PingID and click the Configuration tab.

    If you selected Enable for Enforce Policy, you might need to create an additional PingID policy. Learn more in the next step.

  2. Click the Policy tab, and on the Web tab, expand and review each policy.

    Microsoft Entra ID doesn’t allow MFA bypasses from an EAM and requires always prompting the user to complete MFA. If you have a policy that can apply to all applications and that has a rule with an action of Approve, you must create a new policy for the PingOne application. Examples of such policies include Recent Authentication or Accessing from Company Network.
    A screen capture of a PingID policy that has a rule with an action of Approve for Recent Authentication.

    1. To add a new policy, click Add Policy.

    2. Enter a name for the policy, such as EAM PingID policy.

    3. In the Target section, in the Applications list, select the PingOne application that you previously created.

    4. For Groups, select all applicable groups.

    5. (Optional) In the Allowed Methods section, select the authentication methods you want to allow.

      A screen capture of a new PingID policy with the PingOne Entra application selected.

    6. Click Save.

      Result:

      The new policy becomes the first PingID policy, which works as a Microsoft Entra ID EAM. PingID will use this new policy when processing MFA requests coming from the PingOne application that you created to handle Microsoft Entra ID requests.

  3. In a scenario where a user forgot or lost their mobile phone and can’t use the PingID app for MFA, you can allow a user to bypass MFA with PingID for a specificed period of time, such as 8 hours.

    1. In the PingOne admin console, go to Directory > Users.

    2. Browse or search for the applicable user and click the user entry to open the details panel.

    3. In the list for the Services tab, select Authentication.

    4. Scroll down to the Integrations section, click the More Options icon, and select Bypass.

    5. In the Bypass window, select the desired amount of time from the Allow bypass of PingID authentication on SSO for list and click Bypass.

      Because Microsoft Entra ID requires the third-party MFA provider to specify the MFA method used and doesn’t accept MFA bypasses as an acceptable MFA method, you must also configure bypass in the Microsoft Entra admin center. Learn more about configuring conditional access in the Microsoft Entra documentation.

Adding a DaVinci flow and flow policy for OIDC authentication

If you want to allow users to sign on to the PingOne Self-Service - MyAccount application to manage their MFA methods or to other applications you’ve added to PingOne, you must create a DaVinci flow and flow policy for OIDC authentication using the same Microsoft IdP connection.

Before you begin

Make sure you’ve downloaded the Entra ID EAM & OIDC Authentication Reference Flow from the Ping Library and extracted the contents of the .zip archive to a folder on your computer. Learn more in Adding a DaVinci flow and flow policy for Entra ID external authentication.

Steps

  1. In DaVinci, on the Flows tab, click Add Flow and select Import Flow.

  2. Upload the entra-id-oidc-authentication-flow.json file from the sample flow .zip archive and click Import.

  3. Configure the Entra ID OIDC authentication - Sign On with External Identity Provider node:

    1. Click the node to open the configuration settings.

    2. In the PingOne External Identity Provider list, select the same Microsoft IdP you used in the Entra ID External Authentication Method Sample Flow.

    3. Make sure Policy Purpose is set to OIDC Authentication.

    4. Make sure the Link with PingOne User toggle is enabled (blue).

    5. In the PingOne Population list, select the same population you used in the Entra ID External Authentication Method Sample Flow.

    6. Click Apply.

  4. Review the default configuration settings for the Mint Tokens - Return Success Response node:

    1. Click the node to open the configuration settings.

    2. On the General tab, make sure User ID is mapped to id from the Entra ID OIDC authentication - Sign On with External Identity Provider node.

    3. In the Authentication Methods list, make sure mfa is selected.

      A screen capture of the PingOne Authentication - Return Success Response node configuration settings.

    4. Click Apply.

  5. Add a DaVinci flow policy for the sample flow:

    1. Go to the Applications tab and click Add Application.

    2. In the Name field, enter a name for the application and click Create.

    3. To edit the application, select the application in the Applications list.

    4. On the Flow Policy tab, click Add Flow Policy.

    5. In the Policy Name field, enter a name for the flow policy.

    6. Select PingOne Flow Policy to enable flows in the policy to be launched directly through PingOne.

      This option can’t be changed after the flow policy is created. PingOne flow policies can only include flows and flow versions that have the PingOne Flow setting enabled. Learn more in Configuring a flow policy in the DaVinci documentation.

    7. Click Next.

    8. In the flow list, click Entra ID OIDC Authentication Sample Flow and select one or more versions of the flow to use.

      A screen capture of the Add Flow Policy modal with Entra ID OIDC Authentication Sample Flow and Latest Version selected.

    9. Click Next.

    10. (Optional) Add weight distribution and analytics information for each flow and flow version. Learn more in Configuring a flow policy in the DaVinci documentation.

    11. Click Create Flow Policy.

Result:

You now have two DaVinci flows:

  • A flow for users authenticating with PingOne as the EAM for Microsoft Entra

  • A flow for OIDC authentication to allow users to sign on to other applications

A screen capture of the two Entra ID sample flows in DaVinci.

Adding the callback URL to the Microsoft Entra admin center

If you created an authentication policy for OIDC authentication, you must also add the callback URL from the Microsoft IdP connection in PingOne to the application you registered in the Microsoft Entra admin center.

Steps

  1. Go to the Microsoft Entra admin center.

  2. In the sidebar, go to Identity > Applications > App registrations and click your application.

  3. On the App registrations page, in the Manage section, click Authentication.

  4. In the Platform configurations > Web > Redirect URIs section, click Add URI.

    A screenshot of the Authentication page - Redirect URIs in the Entra admin center.

  5. Paste the Callback URL that you copied from the PingOne admin console.

    The following examples show the URL format:

    Example 1: https://auth.pingone.<region>/<envID>/rp/callback/microsoft

    Example 2: https://<customDomain>/rp/callback/microsoft

  6. Click Save.

Result

The Redirect URIs section displays both URLs you’ve added:

  1. Authorization URL

  2. Callback URL

A screen capture of the Microsoft Entra Authentication page with two redirect URIs identified with a red number callouts.

Assigning the DaVinci OIDC flow policy to an application in PingOne

After you create a DaVinci flow and flow policy for OIDC authentication and add the callback URL to the application in Microsoft Entra, assign the DaVinci OIDC flow policy to applicable applications in PingOne, such as the PingOne Self-Service - MyAccount application or other applications you’ve added.

Steps

  1. In the PingOne admin console, go to Applications > Applications and click the relevant application to open the details panel.

  2. On the Policies tab, click Add policies.

  3. On the DaVinci Policies tab, select the DaVinci OIDC flow policy that you created in Adding a DaVinci flow and flow policy for OIDC authentication.

    A screen capture of the Entra ID OIDC Authentication Flow Policy selected on the DaVinci Policies tab.

  4. Click Save.

Next steps

Repeat these steps for any other applications to which you want users to be able to sign on, for example Another App in the following screenshot.

A screen capture of the PingOne Applications page with an example application called Another App selected and the Policies tab showing an added policy named Entra_ID_OIDC_Auth_Policy.

Validation

Now that you’ve set up an EAM in Microsoft Entra ID and configured PingOne and PingID as the external MFA provider, you’re ready to validate that your Entra ID users can use PingID to complete MFA.

  1. Open a new browser window in incognito mode.

  2. In the Microsoft Entra admin center, locate the application you added to the conditional access policy that requires MFA and click the URL for the application.

    In this example, My Apps at https://myapps.microsoft.com.

  3. Sign on to the application and complete the first-factor authentication at Microsoft using a test user’s credentials.

    Result:

    Entra ID prompts the user to complete MFA action based on what Entra thinks is the most secure method if:

    • You, as an Entra ID admin, have activated system-preferred MFA and included the test user as the target user.

    • The test user has installed and successfully used the system-preferred MFA method.

    In this example, the test user has installed and used both Microsoft Authenticator and verification code by text message, so Entra ID prompts the user to enter the code from Microsoft Authenticator.

    A screen capture of the Microsoft Enter code page.

    If you haven’t activated system-preferred MFA, the user won’t see the Enter code modal and is prompted to verify their identity.

  4. To use your EAM, click Sign in another way at the bottom of the Enter code modal.

    Result:

    After selecting Sign in another way or if system-preferred MFA doesn’t apply, Entra ID displays the Verify your identity modal.

    A screen capture of the Microsoft Enter code page.

  5. Select the EAM.

    Result:

    Entra ID redirects the browser to PingOne.

  6. If the test user hasn’t yet paired the PingID app, they’re shown a Welcome to PingID page. Click Start to start the pairing process.

    A screen capture of the Welcome to PingID page and then the Add New Device page with a QR code and pairing key.

    Result:

    After pairing, the PingID app prompts the user to complete the MFA requirement.

  7. After PingID is paired for the test user, complete the MFA prompt from the PingID app.

    Result:

    PingOne returns an ID token to Entra ID, and Entra ID processes the ID token and signs the test user on to the application.

  8. Sign off of the application.

  9. In the Microsoft Entra admin center, locate the same application and authenticate to the application again as the test user.

    Result:

    This time, PingID shouldn’t prompt the test user to pair a device. Instead, the PingID app should prompt the test user to complete the MFA requirement.

    When the test user completes the MFA requirement, PingOne returns an ID token to Entra ID, and Entra ID processes the ID token and signs the test user on to the application.

    A screen capture of the Microsoft Apps dashboard.