---
title: Setting up PingOne SSO and PingID as the external MFA provider for Microsoft Entra ID
description: Learn how to set up Entra ID, PingOne SSO, and PingID to support an external authentication method in Microsoft Entra ID.
component: pingone
page_id: pingone:use_cases:p1_set_up_external_mfa_provider_microsoft_entra_use_case
canonical_url: https://docs.pingidentity.com/pingone/use_cases/p1_set_up_external_mfa_provider_microsoft_entra_use_case.html
revdate: April 25, 2025
page_aliases: ["strong_authentication_mfa:p1_set_up_external_mfa_provider_microsoft_entra_use_case.adoc"]
section_ids:
  goals: Goals
  what-youll-do: What you'll do
  before-you-begin: Before you begin
  tasks: Tasks
  new_pingid_account: "New PingID accounts: Creating a population for Entra ID users"
  steps: Steps
  existing_pingid_account: "Existing PingID accounts: Creating a population for Microsoft Entra ID users and changing the default population"
  steps-2: Steps
  result: Result
  registering-your-application-with-microsoft: Registering your application with Microsoft
  before-you-begin-2: Before you begin
  steps-3: Steps
  enabling-the-implicit-grant: Enabling the implicit grant
  steps-4: Steps
  getting-the-client-id-and-client-secret-for-your-application-and-the-tenant-id-of-your-entra-tenant: Getting the client ID and client secret for your application and the tenant ID of your Entra tenant
  steps-5: Steps
  setting-up-api-permissions: Setting up API permissions
  steps-6: Steps
  add_microsoft_idp: Adding Microsoft as an identity provider in PingOne
  steps-7: Steps
  updating-the-population: Updating the population
  steps-8: Steps
  auth_policy_eam: Adding an authentication policy for Entra ID external authentication
  steps-9: Steps
  configuring-the-oidc-application: Configuring the OIDC application
  steps-10: Steps
  creating-external-mfa-in-microsoft-entra: Creating external MFA in Microsoft Entra
  steps-11: Steps
  result-2: Result:
  creating-a-conditional-access-policy-in-microsoft-entra: Creating a conditional access policy in Microsoft Entra
  steps-12: Steps
  configuring-pingid-as-the-external-mfa: Configuring PingID as the external MFA
  steps-13: Steps
  result-3: Result:
  adding-an-authentication-policy-for-oidc-authentication: Adding an authentication policy for OIDC authentication
  steps-14: Steps
  result-4: Result:
  adding-the-callback-url-to-the-entra-admin-center: Adding the callback URL to the Entra admin center
  steps-15: Steps
  result-5: Result
  assigning-the-oidc-authentication-policy-to-an-application-in-pingone: Assigning the OIDC authentication policy to an application in PingOne
  steps-16: Steps
  next-steps: Next steps
  validation: Validation
  result-6: Result:
  result-7: Result:
  result-8: Result:
  result-9: Result:
  result-10: Result:
  result-11: Result:
---

# Setting up PingOne SSO and PingID as the external MFA provider for Microsoft Entra ID

Microsoft Entra ID allows customers to use an external authentication provider for multi-factor authentication (MFA) through Entra ID external MFA, formerly known as external authentication methods (EAMs). In this use case, you'll learn how to set up Entra ID, PingOne SSO, and PingID to support external MFA in Entra ID.

Set up external MFA in Entra ID if:

* Entra ID is the identity provider (IdP).

* The users reside in a [managed domain](https://learn.microsoft.com/en-us/entra/identity/users/domains-manage#add-custom-domain-names-to-your-microsoft-entra-organization) in Entra ID, that is, a domain for which Entra ID performs authentication itself rather than one that is federated to another IdP.

  Learn more in [Create and configure a managed domain](https://learn.microsoft.com/en-us/entra/identity/domain-services/tutorial-create-instance) in the Entra ID documentation.

* PingOne is the external authentication provider.

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If you [added a Microsoft 365 application to PingOne using the application catalog](../applications/p1_adding_microsoft_365.html) and completed the PowerShell cmdlets to set up PingOne as the federated IdP for the domain in Entra ID, external MFA isn't required for MFA. Instead, you can [add an MFA claim in the Microsoft 365 application](../applications/p1_configure_authentication_claim_microsoft_365.html) to communicate to Entra ID that PingOne will handle MFA. Learn more in [Using WS-Fed or SAML 1.1 federated IdP](https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-mfa-expected-inbound-assertions#using-ws-fed-or-saml-11-federated-idp) in the Entra ID documentation. |

The high-level process of signing on with external MFA works as follows, with PingOne and PingID acting as the external authentication provider:

1. A user opens an application protected by Entra ID and completes first-factor authentication (for example, a password) in Entra ID.

2. Entra ID determines that another factor must be satisfied, for example, because a conditional access policy requires MFA.

3. The user chooses the external MFA method as the second factor.

4. Entra ID sends an OpenID Connect (OIDC) authentication request to PingOne (the external authentication provider in this use case).

5. PingOne initiates MFA for the user.

6. The user completes the MFA requirement using the PingID app.

7. PingOne returns an ID token to Entra ID in the authentication response.

8. Entra ID validates the ID token and signs the user on to the application.

Learn more about external MFA in [Use Microsoft Entra MFA with an external MFA provider](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-external-method-provider) in the Entra ID documentation.

## Goals

After completing this use case, you'll know how to:

* Configure Entra ID to support external MFA.

* Add Entra ID as an external IdP in PingOne.

* Set up PingID as the MFA solution for Entra ID users.

## What you'll do

In Entra ID, you'll configure three components:

1. Add and configure an application.

2. Create external MFA.

3. Add a conditional access policy.

In PingOne, you'll configure the following:

1. Create a population for Entra ID users.

2. Create a Microsoft IdP connection.

3. Add an authentication policy and OIDC application to handle external authentication requests from Entra ID.

4. Add a second authentication policy to redirect users to Entra ID for OIDC authentication.

The last step is configuring PingID as external MFA for Entra ID.

## Before you begin

To set up this use case, you'll need:

* A PingOne organization. Learn more in [Starting a PingOne trial](../getting_started_with_pingone/p1_start_a_p1_trial.html).

* A PingOne environment with the PingOne SSO and PingID services added.

  Create a new environment as follows, depending on whether you're already using PingID:

  * If you aren't using PingID already or if you want to create a new PingID account, [create a new PingID environment in PingOne](../strong_authentication_mfa/p1_create_environment_strong_authentication_start.html).

  * If you're using PingID currently and want to use your existing PingID account, [integrate a PingID account with a new PingOne account](../strong_authentication_mfa/p1_integrate_pid_env_with_new_p1_env_updated.html). You should also follow these steps if you've previously integrated PingID with Entra ID using custom controls. Learn more about integrating PingID with Entra ID in the [PingID documentation](https://docs.pingidentity.com/pingid/pingid_integrations/pid_integrate_with_azure_ad.html).

* An Entra account with an active subscription and an Entra tenant.

## Tasks

### New PingID accounts: Creating a population for Entra ID users

If you created a new PingID environment in PingOne, your new environment includes a population named **Default**. Learn more in [Setting up an environment for strong authentication (MFA)](../strong_authentication_mfa/p1_create_environment_strong_authentication_start.html).

|   |                                                                                                                                                                                                                                                                                                        |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
|   | If you [integrated an existing PingID account with a new PingOne account](../strong_authentication_mfa/p1_integrate_pid_env_with_new_p1_env_updated.html), skip to [Existing PingID accounts: Creating a population for Entra ID users and changing the default population](#existing_pingid_account). |

![A screen capture of the Populations page with one Default population.](_images/p1_pingid_env_default_population.png)

When you configure external MFA for Entra ID, you'll need to create a new population in PingOne for users coming from Entra ID.

#### Steps

1. In the PingOne admin console, go to **Directory > Populations**.

2. Click the **[icon: plus, set=fa]** icon to add a new population.

3. Enter the following:

   1. **Population Name**: A unique label for the population, such as `Entra ID users`.

   2. **Description** (optional): A brief description of the population.

   3. **Default Population** (optional): Don't select this checkbox in this scenario unless you want to specify this population as the new default population.

4. Click **Save**.

   ![A screen capture of the Populations page with a Default and Entra ID population.](_images/p1_population_entra_eam.png)

### Existing PingID accounts: Creating a population for Microsoft Entra ID users and changing the default population

If you [integrated your PingID account with a new PingOne account](../strong_authentication_mfa/p1_integrate_pid_env_with_new_p1_env_updated.html), your new environment includes a population named **Default** with users from PingID assigned to this population. The following image shows the **Default** population with two users from PingID.

|   |                                                                                                                                                                                                                                                      |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If you [created a new PingID environment in PingOne](../strong_authentication_mfa/p1_create_environment_strong_authentication_start.html), follow the steps in [New PingID accounts: Creating a population for Entra ID users](#new_pingid_account). |

![A screen capture of the Populations page with one Default population that has two identities.](_images/p1_existing_pingid_env_default_population.png)

By default, the **Identity Provider** for this population is set to **PingOne**. You'll update this setting as part of this process.

![A screen capture of the Populations page with the Default population selected and the details panel showing.](_images/p1_existing_pingid_identity_provider.png)

Because you could have a future scenario where users in this environment aren't coming from Entra ID, you should rename the **Default** population, create a new population for users coming from Entra ID, and set the new population as the default population.

#### Steps

1. In the PingOne admin console, go to **Directory > Populations**.

2. Click the **Default** population, and then click the **Pencil** icon ([icon: pencil, set=fa]) to edit the population.

3. Change **Population Name** from **Default** to a new name, such as `Entra ID users`.

   ![A screen capture of the Edit Population panel with the Population Name changed to Entra ID users.](_images/p1_existing_pingid_change_population_name.png)

4. Click **Save**.

5. To create a new population, click the **[icon: plus, set=fa]** icon.

6. Enter the following:

   1. **Population Name**: A unique label for the population, such as `Home`.

   2. **Description** (optional): A brief description of the population.

   3. **Default Population**: Select the **Enable** checkbox to set this population as the new default population.

   4. In the confirmation modal, click **Confirm** to make this population the new default population.

      ![A screen capture of the New Population with the Make Default Population confirmation message showing.](_images/p1_existing_pingid_new_default_population.png)

7. Click **Save**.

## Result

You now have two populations in your environment:

1. **Entra ID users**: Users from PingID are assigned to this population. This is also the population where future Entra ID users will be assigned when Entra ID redirects users to PingOne for MFA. Previously, this population was named **Default** and was set as the default population.

2. **Home**: This population is the new default population and was created for future scenarios where users aren't coming from Entra ID.

![A screen capture of the Populations page with two populations: Entra ID users and Home.](_images/p1_existing_pingid_two_populations.png)

### Registering your application with Microsoft

To configure external MFA, register an application in Microsoft Entra. Learn more in [Quickstart to registering an app](https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app) in the Microsoft Entra documentation.

#### Before you begin

Ensure that you have:

* A Microsoft Entra account with an active subscription

* An Entra tenant

#### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/) and sign on to your account.

   If you don't have a Microsoft Entra account, you can create one now.

2. In the sidebar, go to **Identity > Applications > App registrations**.

3. Click **[icon: plus, set=fa]New registration**.

   ![A screenshot of the App registrations page in the Entra admin center.](_images/p1-entra-eam-new-app-registration.png)

4. Enter and configure the following:

   1. **Name**: Enter a user-facing display name for the application.

   2. **Supported account types**: Select either of the following, depending on the needs of your organization:

      * **Accounts in this organizational directory only (\<Your Entra tenant name> only - Single tenant)**: Select this option if you're working with only identities from your environment.

      * **Accounts in any organizational directory and personal Microsoft accounts**

   3. **Redirect URI**: Select **Web** as the platform and enter the authorization URL of your PingOne environment.

      |   |                                                                                                                                           |
      | - | ----------------------------------------------------------------------------------------------------------------------------------------- |
      |   | You can find this URL on the **Overview** tab of any OIDC application in the PingOne admin console in the **Connection Details** section. |

      The format is `<issuer>/authorize`.

      Example 1: `https://auth.pingone.<region>/<envID>/as/authorize`

      Example 2: `https://<customDomain>/as/authorize` if you set up a custom domain. Learn more in [Setting up a custom domain](../settings/p1_set_up_custom_domain.html).

      ![A screenshot of the Register an application page in the Entra admin center.](_images/p1-entra-eam-register-app.png)

5. Click **Register**.

### Enabling the implicit grant

After registering the application in Entra, enable the implicit grant type for your application to support external MFA.

#### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/).

2. In the sidebar, go to **Identity > Applications > App registrations** and click your application.

3. On the **App registrations** page, in the **Manage** section, click **Authentication**.

4. In the **Implicit grant and hybrid flows** section, select the **ID tokens** checkbox for the token type to be issued by the authorization endpoint.

   ![A screenshot of the Authentication page for the application in the Entra admin center.](_images/p1-entra-eam-implicit-grant.png)

5. Click **Save**.

### Getting the client ID and client secret for your application and the tenant ID of your Entra tenant

When you register your application with Microsoft, Microsoft generates an application (client) ID and application secret for the application.

Microsoft also generates a directory (tenant) ID for each Entra tenant. You'll copy these values and enter them into PingOne.

#### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/).

2. In the sidebar, go to **Identity > Applications > App registrations** and click your application.

3. On the **App registrations** page, in the **Manage** section, click **Certificates & secrets**.

4. On the **Client secrets** tab, click **[icon: plus, set=fa]New client secret**.

5. Enter the following:

   1. **Description**: A brief description of the client secret.

   2. **Expires**: Select how long the client secret remains valid, based on the needs of your organization. When the secret expires, the Microsoft IdP connection in PingOne stops working until you create a new secret and update the connection, so record the expiration date and rotate the secret before then.

6. Click **Add**.

7. On the **Client secrets** tab, click the **Copy** icon ([icon: copy, set=fa]) for the **Value** and paste it in a secure location. The value is shown only once; if you leave the page without copying it, delete the secret and create a new one.

   ![A screenshot of the Certificates & secrets page in the Entra admin center.](_images/p1-entra-eam-certificate-secrets.png)

8. In the **App registrations** sidebar, click **Overview**.

   ![A screenshot of the Overview link in the App registrations sidebar in the Entra admin center.](_images/p1-entra-eam-certificates-secrets-overview.png)

9. Copy the **Application (client) ID** and paste it in a secure location.

   ![A screenshot of the Application Overview page - Application ID in the Entra admin center.](_images/p1-entra-eam-application-id.png)

10. Copy the **Directory (tenant) ID** and paste it in a secure location.

    ![A screenshot of the Application Overview page - Directory ID in the Entra admin center.](_images/p1-entra-eam-directory-id.png)

### Setting up API permissions

Using external MFA with Microsoft Entra requires certain API permissions that you'll need to enable in your application.

#### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/).

2. In the sidebar, go to **Identity > Applications > App registrations** and click your application.

3. On the **App registrations** page, in the **Manage** section, click **API permissions**.

4. Click **[icon: plus, set=fa]Add a permission**.

   ![A screenshot of the API permissions page in the Entra admin center.](_images/p1-entra-eam-api-permissions-default.png)

5. On the **Request API permissions** panel, click **Microsoft Graph**.

   ![A screenshot of the Request API permissions panel in the Entra admin center.](_images/p1-entra-eam-api-permissions-microsoft-graph.png)

6. Click **Delegated permissions** for the type of permissions to allow for your application.

   ![A screenshot of the Request API permissions panel - Type of permissions in the Entra admin center.](_images/p1-entra-eam-api-permissions-delegated-permissions.png)

7. Expand **Openid permissions**.

8. Select the `openid` and `profile` permissions.

   |   |                                                                |
   | - | -------------------------------------------------------------- |
   |   | `User.Read` is included by default and should remain selected. |

   ![A screenshot of the Request API permissions page - Openid permissions in the Entra admin center.](_images/p1-entra-eam-api-permissions-openid-profile.png)

9. In the **Application permissions** section, expand **User** and select the `User.Read.All` permission.

   |   |                                                                                                                                                                                                                                             |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If you don't need to retrieve many attributes from Entra ID into PingOne, select the less privileged `User.ReadBasic.All` permission instead of `User.Read.All`. Both of these permissions require admin consent. |

10. Click **Add permissions**.

11. To grant admin consent, click **Grant admin consent for \<your Entra tenant>**.

    ![A screenshot of the API permissions page in the Entra admin center showing how to grant admin consent.](_images/p1-entra-eam-api-permissions-granted.png)

### Adding Microsoft as an identity provider in PingOne

Configure the IdP connection in PingOne.

#### Steps

1. In the PingOne admin console, go to **Integrations > External IdPs** and click the **[icon: plus, set=fa]** icon.

2. Click **Microsoft** as the **Identity Provider Type**.

3. Click **Next**.

4. In the **Create Profile** step, enter the following information:

   * **Name**: A unique identifier for the IdP.

   * **Description** (optional): A brief description of the IdP.

   * **Population**: Select a population that overrides the authentication policy's registration population and enables just-in-time (JIT) registration from the IdP.

     |   |                                                                                                          |
     | - | -------------------------------------------------------------------------------------------------------- |
     |   | You can't change the **Icon** and **Sign-on button**, in accordance with the provider's brand standards. |

5. Click **Next**.

6. In the **Connection Details** step, enter the following information:

   * **Client ID**: The **Application (client) ID** that you copied from the Microsoft Entra admin center.

   * **Client secret**: The client secret **Value** that you copied from the Microsoft Entra admin center.

   * **Tenant ID**: The **Directory (tenant) ID** that you copied from the Microsoft Entra admin center.

   * **Callback URL**: Copy the **Callback URL** and paste it in a secure location. You'll add this value in the Microsoft Entra admin center later.

7. Click **Next**.

8. Define how the PingOne user attributes are mapped to IdP attributes. Learn more in [Mapping attributes](../directory/p1_editsamlattributemapping.html).

   * Leave the default PingOne user profile attributes and the external IdP attributes:

     * **Preferred Username** (from Microsoft) as the source of the PingOne **Username**

     * **Email** (from Microsoft) as the source of the PingOne **Email Address**

   * To add an attribute, click **[icon: plus, set=fa]Add**.

   * To use the advanced expression builder, click the **Gear** icon ([icon: gear, set=fa]). Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html) and [Using expressions to retrieve Microsoft Entra attributes](../pingone_expression_language/p1_expressionlang_expressions_concatenation.html#p1-expressions-microsoft).

   * Select the update condition, which determines how PingOne updates its user directory with the values from the IdP. The options are:

     * **Empty only**: Update the PingOne attribute only if the existing attribute is empty.

     * **Always**: Always update the PingOne directory attribute.

9. Click **Save**.

10. Click the connection in the **External IdPs** list to expand the connection details.

11. On the **Profile** tab, click [icon: pencil, set=fa].

12. For **Population**, select the population that you previously created for Entra ID users.

    |   |                                                                                                                                                                                                                                                      |
    | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
    |   | If you [created a new PingID environment in PingOne](../strong_authentication_mfa/p1_create_environment_strong_authentication_start.html), use the population that you created in [New PingID accounts: Creating a population for Entra ID users](#new_pingid_account). If you [integrated your PingID account with a new PingOne account](../strong_authentication_mfa/p1_integrate_pid_env_with_new_p1_env_updated.html), use the population that you created in [Existing PingID accounts: Creating a population for Entra ID users and changing the default population](#existing_pingid_account). |

13. Click **Save**.

14. To enable the IdP, click the toggle at the top of the details panel to the right (blue).

    |   |                                                                    |
    | - | ------------------------------------------------------------------ |
    |   | You can disable the IdP by clicking the toggle to the left (gray). |

    ![A screen capture of the Microsoft Identity Provider connection with the Entra ID users population selected.](_images/p1_microsoft_entra_registration_population.png)

### Updating the population

After creating your connection to Microsoft, update the **Identity Provider** setting for the population that you created for users coming from Entra ID.

The **Identity Provider** setting is used as the runtime fallback IdP for users in the population who don't have an authoritative IdP configured in their user profile. Updating the population is especially important if you [integrated your PingID account with a new PingOne account](../strong_authentication_mfa/p1_integrate_pid_env_with_new_p1_env_updated.html) because those user profiles are created in PingOne without an authoritative IdP set. If the user is removed from the population, the IdP set in the population no longer applies to them.

#### Steps

1. In the PingOne admin console, go to **Directory > Populations** and click the population that you previously created for Entra ID users.

2. On the **Overview** tab, click [icon: pencil, set=fa].

3. In the **Identity Provider** list, select the IdP that you previously created in [Adding Microsoft as an identity provider in PingOne](#add_microsoft_idp).

4. In the **Confirm Changes** modal, click **Confirm**.

5. Click **Save**.

### Adding an authentication policy for Entra ID external authentication

Add the Microsoft IdP to an authentication policy followed by an MFA step.

#### Steps

1. In the PingOne admin console, go to **Authentication > Authentication**.

2. Click **[icon: plus, set=fa]Add policy** and enter a name for the policy.

3. For the first step:

   1. In the **Step Type** list, select **External Identity Provider**.

   2. In the **External Identity Provider** list, select your Microsoft IdP.

   3. For **Policy Purpose**, select the **Entra ID External Authentication Method** option.

4. Click **[icon: plus, set=fa]Add step**.

5. For the second step, in the **Step Type** list, select **PingID Authentication**.

   ![A screen capture of an authentication policy with External IDP as the first step and PingID Authentication as the second step.](_images/p1_pingid_authentication_policy.png)

6. Click **Save**.

### Configuring the OIDC application

Configure an OIDC application to handle authentication requests from Microsoft Entra ID.

#### Steps

1. In the PingOne admin console, go to **Applications > Applications**.

2. Click the **[icon: plus, set=fa]** icon to add an application.

3. On the **Add Application** panel, enter and choose the following:

   1. **Application Name**: A unique identifier for the application.

   2. **Description** (optional): A brief description of the application.

   3. **Icon** (optional): A graphic representation of the application. Use a file up to 1 MB in JPG, JPEG, GIF, or PNG format.

   4. **Application Type**: Choose **OIDC Web App**.

   5. Click **Save**.

4. On the **Configuration** tab, click [icon: pencil, set=fa]and enter or edit the following:

   1. **Response Type**: Clear the default **Code** checkbox and select **ID Token**.

   2. **Grant Type**: Clear the default **Authorization Code** checkbox and select the **Implicit** checkbox.

   3. **Redirect URIs**: Enter `https://login.microsoftonline.com/common/federation/externalauthprovider`.

   4. Click **Save**.

5. On the **Policies** tab, click **[icon: plus, set=fa]Add Policies**.

6. On the **PingOne Policies** tab, select the authentication policy that you created to handle external authentication requests from Entra ID.

7. Click **Save**.

8. To enable the application, click the toggle at the top of the details panel to the right (blue).

   |   |                                                                            |
   | - | -------------------------------------------------------------------------- |
   |   | You can disable the application by clicking the toggle to the left (gray). |

9. Click the application entry to open the details panel.

10. On the **Overview** tab, copy the following PingOne application details to add in the Microsoft Entra admin center:

    * In the **General** section, copy the **Client ID** and paste it in a secure location.

    * In the **Connection Details** section, copy the **OIDC Discovery Endpoint** and paste it in a secure location.
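Before you paste the **OIDC Discovery Endpoint** into the Entra admin center, it's worth confirming that the discovery document advertises what the Entra external authentication flow needs: the `id_token` response type (step 4a), the implicit grant (step 4b), the `form_post` response mode that Entra requests, and an `https` `jwks_uri` Entra can fetch signing keys from. The following script is an added example, not part of PingOne or of this page. The embedded discovery document, environment ID and hostnames are constructed; pass your real discovery endpoint as the argument to check a live environment.

```python
"""Pre-flight check of an OIDC discovery document for Microsoft Entra external
authentication. Entra ID reads <issuer>/.well-known/openid-configuration and
then sends an authorization request with response_type=id_token and
response_mode=form_post, so the document must advertise those capabilities
and a jwks_uri. Added example; the embedded document is a constructed
stand-in for a PingOne environment (environment ID and hosts are made up).
"""
import json
import sys
import urllib.request

ENTRA_EAM_REDIRECT_URI = (
    "https://login.microsoftonline.com/common/federation/externalauthprovider"
)

SAMPLE_ISSUER = "https://auth.pingone.com/00000000-0000-0000-0000-000000000000/as"
SAMPLE_DISCOVERY = {  # constructed; shape follows OIDC Discovery 1.0
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/jwks",
    "response_types_supported": ["code", "id_token", "token id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
    "grant_types_supported": ["authorization_code", "implicit", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "subject_types_supported": ["public"],
    "scopes_supported": ["openid", "profile", "email"],
}


def check_discovery(doc, discovery_url=None):
    """Return a list of problems; an empty list means the metadata passes.
    Defaults for omitted optional fields follow OIDC Discovery 1.0."""
    problems = []
    issuer = str(doc.get("issuer", ""))
    if not issuer.startswith("https://"):
        problems.append("issuer missing or not https")
    expected_url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    if discovery_url and discovery_url != expected_url:
        problems.append("document was not served from <issuer>/.well-known/openid-configuration")
    for key in ("authorization_endpoint", "jwks_uri"):
        if not str(doc.get(key, "")).startswith("https://"):
            problems.append(f"{key} missing or not https")
    if "id_token" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported lacks 'id_token' (set Response Type to ID Token)")
    if "implicit" not in doc.get("grant_types_supported", ["authorization_code", "implicit"]):
        problems.append("grant_types_supported lacks 'implicit' (set Grant Type to Implicit)")
    if "form_post" not in doc.get("response_modes_supported", ["query", "fragment"]):
        problems.append("response_modes_supported lacks 'form_post'")
    algs = doc.get("id_token_signing_alg_values_supported", [])
    if "none" in algs or not any(a.startswith(("RS", "PS", "ES")) for a in algs):
        problems.append("ID tokens must be signed with an asymmetric algorithm; 'none' is not acceptable")
    if "openid" not in doc.get("scopes_supported", ["openid"]):
        problems.append("scopes_supported lacks 'openid'")
    return problems


def load_discovery(url):
    """Fetch a live discovery document (not used when running the embedded sample)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        url = sys.argv[1]
        doc = load_discovery(url)
    else:
        url = SAMPLE_ISSUER + "/.well-known/openid-configuration"
        doc = SAMPLE_DISCOVERY
    issues = check_discovery(doc, url)
    print("OK" if not issues else "\n".join("- " + p for p in issues))
    print("Redirect URI registered in PingOne:", ENTRA_EAM_REDIRECT_URI)
    sys.exit(1 if issues else 0)
```

The checks are deliberately static: they tell you the application is configured the way steps 4a and 4b describe, not that a sign-on round trip succeeds. The Validation section at the end of this page covers the live test.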

### Creating external MFA in Microsoft Entra

After you create the OIDC application in PingOne and copy its client ID and OIDC discovery endpoint, and with the application (client) ID of the app you registered in Microsoft Entra at hand, create the external MFA in Microsoft Entra.

#### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/).

2. In the sidebar, go to **Protection > Authentication methods > Policies**.

3. Click **Add External MFA**.

4. Enter the following:

   1. **Name**: Enter a name for the external MFA.

   2. **Client ID**: Enter your PingOne application's client ID that you copied earlier.

   3. **Discovery Endpoint**: Enter the **OIDC Discovery Endpoint** that you copied earlier from PingOne. The format is `<issuer>/.well-known/openid-configuration`.

   4. **App ID**: Enter the **Application (client) ID** of the app you registered earlier in Microsoft Entra. You can find it in the [Microsoft Entra admin center](https://entra.microsoft.com/) under **Identity > Applications > App registrations**.

5. Click **Request permission**.

   ![A screenshot of the External MFA configuration page in the Entra admin center.](_images/p1-entra-eam-add-external-method-request-permission.png)

   #### Result:

   The browser opens a new window for you to sign on with your Microsoft Entra admin credentials.

6. Review the requested permissions and click **Accept** if you agree.

7. In the **Enable and target** section, configure whether you want to include a subset of your users or all users.

8. Click the **Enable** toggle to enable the external MFA.

   ![A screenshot of the External MFA configuration page in the Entra admin center.](_images/p1-entra-eam-add-external-method-enable.png)

### Creating a conditional access policy in Microsoft Entra

Configure a conditional access policy in Microsoft Entra to define authentication requirements for users accessing applications.

|   |                                                                                                                                                                                                                                                                                                                      |
| - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If your Microsoft Entra tenant contains other conditional access policies that use custom controls to initiate MFA, ensure those policies don't apply to the same users, groups, and applications that you select in this conditional access policy. Otherwise, your users could be prompted multiple times for MFA. |

#### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/).

2. In the sidebar, go to **Protection > Conditional Access > Policies**.

3. Click **[icon: plus, set=fa]Create new policy** or update an existing policy.

4. Configure the following:

   1. **Name**: Enter a name for the policy.

   2. **Users**: Select the same users and groups that you selected in your external MFA.

   3. **Target resources**: Select the applications to which you want to apply this conditional access policy.

   4. **Grant**:

      1. Click **Grant access**.

      2. Select the **Require multifactor authentication** checkbox.

         ![A screenshot of Conditional Access Policy - Grant access modal in the Entra admin center.](_images/p1-entra-eam-conditional-access-policy-grant.png)

      3. Click **Select**.

   5. **Enable policy**: Select **On** to turn on the policy.

5. Click **Save**.
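If you manage conditional access as code, the same policy can be created through Microsoft Graph. The following is an added example, not Microsoft's or Ping's code: it builds the policy body that the steps above produce in the portal and, before creating it, runs the check described in the note at the top of this section against a constructed list of existing policies, reporting any enabled policy that also requires MFA (built-in control or legacy custom control) for the same users and applications. Group, application and user IDs are made up, and the Graph request is sent only when a `GRAPH_TOKEN` environment variable holds a bearer token with the `Policy.ReadWrite.ConditionalAccess` permission.

```python
"""Conditional access policy "require MFA" as a Microsoft Graph object, with
the overlap check from the note above. Added example; object IDs and the
existing policies are constructed. Graph is only called when GRAPH_TOKEN is set.
"""
import json
import os
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Constructed object IDs
GROUP_PINGID_USERS = "aaaaaaaa-0000-0000-0000-000000000001"
APP_MY_APPS = "aaaaaaaa-0000-0000-0000-000000000002"
BREAK_GLASS_ADMIN = "aaaaaaaa-0000-0000-0000-000000000003"


def build_mfa_policy(name, group_ids, app_ids, break_glass_user_ids=(), enforce=True):
    """Users in group_ids reaching app_ids must satisfy the built-in MFA control.
    Break-glass accounts are excluded so an external-MFA outage cannot lock admins out."""
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": list(group_ids), "excludeUsers": list(break_glass_user_ids)},
            "applications": {"includeApplications": list(app_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def requires_mfa(policy):
    """True for the built-in MFA control or any legacy custom control."""
    grant = policy.get("grantControls") or {}
    return "mfa" in (grant.get("builtInControls") or []) or bool(grant.get("customAuthenticationFactors"))


def _users_overlap(u1, u2):
    if "All" in u1.get("includeUsers", []) or "All" in u2.get("includeUsers", []):
        return True
    return bool(set(u1.get("includeUsers", [])) & set(u2.get("includeUsers", []))
                or set(u1.get("includeGroups", [])) & set(u2.get("includeGroups", [])))


def _apps_overlap(a1, a2):
    x, y = set(a1.get("includeApplications", [])), set(a2.get("includeApplications", []))
    return "All" in x or "All" in y or bool(x & y)


def find_overlapping_policies(new_policy, existing_policies):
    """Names of enabled policies that also require MFA and can apply to the same
    users and applications as new_policy. Group membership is not expanded, so
    policies targeting different groups are treated as disjoint even if the
    groups share members; review those by hand."""
    nc = new_policy["conditions"]
    hits = []
    for p in existing_policies:
        if p.get("state") != "enabled" or not requires_mfa(p):
            continue
        pc = p["conditions"]
        if _users_overlap(nc["users"], pc["users"]) and _apps_overlap(nc["applications"], pc["applications"]):
            hits.append(p["displayName"])
    return hits


EXISTING_POLICIES = [  # constructed stand-ins for policies already in the tenant
    {"displayName": "Legacy MFA via custom control", "state": "enabled",
     "conditions": {"users": {"includeGroups": [GROUP_PINGID_USERS]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "customAuthenticationFactors": ["custom-control-id"]}},
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "MFA pilot (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": [GROUP_PINGID_USERS]},
                    "applications": {"includeApplications": [APP_MY_APPS]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]


def create_policy(policy, token):
    """POST the policy to Graph; needs Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    policy = build_mfa_policy("Require PingID MFA", [GROUP_PINGID_USERS], [APP_MY_APPS], [BREAK_GLASS_ADMIN])
    clashes = find_overlapping_policies(policy, EXISTING_POLICIES)
    if clashes:
        print("Resolve these before enabling, or users will be prompted twice:", clashes)
    token = os.environ.get("GRAPH_TOKEN")
    if token and not clashes:
        print(json.dumps(create_policy(policy, token), indent=2))
    else:
        print(json.dumps(policy, indent=2))
```

Excluding a break-glass account is the practitioner's usual safeguard when the only MFA path runs through an external provider: if PingOne or PingID is unreachable, the excluded account can still sign on and disable the policy.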

### Configuring PingID as the external MFA

Configure a PingID policy to process user MFA requests coming from the PingOne application that you created to handle Microsoft Entra requests.

#### Steps

1. In the PingID admin portal, go to **Setup > PingID** and click the **Configuration** tab.

   |   |                                                                                                                                       |
   | - | ------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If you selected **Enable** for **Enforce Policy**, you might need to create an additional PingID policy. Learn more in the next step. |

2. Click the **Policy** tab, and on the **Web** tab, expand and review each policy.

   |   |                                                                                                                                                                                                                                                                                                                                                                                         |
   | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | Microsoft Entra ID doesn't allow MFA bypasses from external MFA and requires always prompting the user to complete MFA. If you have a policy that can apply to all applications and that has a rule with an action of **Approve**, you must create a new policy for the PingOne application. Examples of such policies include Recent Authentication or Accessing from Company Network. |

   ![A screen capture of a PingID policy that has a rule with an action of Approve for Recent Authentication.](_images/pingid_microsoft_entra_eam.png)

   1. To add a new policy, click **Add Policy**.

   2. Enter a name for the policy, such as `External MFA PingID policy`.

   3. In the **Target** section, in the **Applications** list, select the PingOne application that you previously created.

   4. For **Groups**, select all applicable groups.

   5. (Optional) In the **Allowed Methods** section, select the authentication methods you want to allow.

      ![A screen capture of a new PingID policy with the PingOne Entra application selected.](_images/pingid_policy_eam.png)

   6. Click **Save**.

      #### Result:

      The new policy becomes the first PingID policy, which works as Microsoft Entra ID external MFA. PingID will use this new policy when processing MFA requests coming from the PingOne application that you created to handle Microsoft Entra ID requests.

3. If a user has forgotten or lost their mobile phone and can't use the PingID app for MFA, you can allow that user to bypass PingID MFA for a specified period of time, such as 8 hours.

   1. In the PingOne admin console, go to **Directory > Users**.

   2. Browse or search for the applicable user and click the user entry to open the details panel.

   3. In the list for the **Services** tab, select **Authentication**.

   4. Scroll down to the **Integrations** section, click the **More Options** icon, and select **Bypass**.

   5. In the **Bypass** window, select the desired amount of time from the **Allow bypass of PingID authentication on SSO for** list and click **Bypass**.

      |   |                                                                                                                                                                                                                                                                                                                                                                                                        |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
      |   | Because Microsoft Entra ID requires the third-party MFA provider to specify the MFA method used and doesn't accept MFA bypasses as an acceptable MFA method, you must also configure bypass in the Microsoft Entra admin center. Learn more about configuring conditional access in the [Microsoft Entra documentation](https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview). |
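To see why a PingID bypass on its own can't satisfy Entra ID, it helps to look at what Entra checks in the ID token that PingOne posts back: the issuer must match the discovery document, the audience must be the PingOne application's client ID, the nonce must match the request that Entra sent, the token must be within its validity window, and the `amr` claim must name the MFA method the user actually completed. A bypassed user produces a token with nothing to assert in `amr`, so it's rejected. The following is an added example of those claim checks from the relying party's side; it is not PingOne or Microsoft code. The token, nonce, client ID, secret and list of acceptable methods are constructed, and the signature uses HS256 with a shared secret only so the block runs offline. Entra verifies an RS256 signature with the keys published at the provider's `jwks_uri`, and a real verifier must do the same and must never accept a symmetric or `none` algorithm from a party it doesn't share a secret with.

```python
"""Claim checks an Entra-style relying party applies to the ID token returned
by the external MFA provider. Added example; everything is constructed. HS256
with a shared secret stands in for the RS256/jwks_uri verification Entra does.
"""
import base64
import hashlib
import hmac
import json

DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"
DEMO_ISSUER = "https://auth.pingone.com/00000000-0000-0000-0000-000000000000/as"
DEMO_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # PingOne app client ID (made up)
DEMO_NONCE = "c0ffee-nonce-from-the-entra-request"
# Methods the (constructed) authorization request declared acceptable, as
# RFC 8176 amr values. Entra supplies its own list in the real request.
REQUESTED_AMR = {"otp", "pop", "hwk", "swk", "fido", "sms", "mfa"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issuer side of the demo: compact JWS signed with HS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_eam_id_token(token, *, issuer, client_id, nonce, requested_amr, now, secret=DEMO_SECRET):
    """Return (accepted, reason). Every check must pass for accepted to be True."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never honour 'none'
        return False, f"unexpected alg {header.get('alg')!r}"
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "signature verification failed"
    claims = json.loads(_b64url_decode(parts[1]))
    for name in ("iss", "aud", "sub", "iat", "exp", "nonce", "amr"):
        if name not in claims:
            return False, f"missing required claim {name}"
    if claims["iss"] != issuer:
        return False, "issuer does not match the discovery document"
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in aud:
        return False, "token was not issued for this client ID"
    if claims["nonce"] != nonce:
        return False, "nonce mismatch (replayed token or token from another request)"
    if not (claims["iat"] <= now < claims["exp"]):
        return False, "token not yet valid or expired"
    amr = claims["amr"]
    if not isinstance(amr, list) or not amr:
        return False, "amr is empty: no MFA method was asserted (a bypass is not a method)"
    if not set(amr) & set(requested_amr):
        return False, f"amr {amr} contains none of the requested methods"
    return True, "ok"


if __name__ == "__main__":
    base = {"iss": DEMO_ISSUER, "aud": DEMO_CLIENT_ID, "sub": "user-1", "iat": 1700000000,
            "exp": 1700000300, "nonce": DEMO_NONCE, "amr": ["otp"]}
    common = dict(issuer=DEMO_ISSUER, client_id=DEMO_CLIENT_ID, nonce=DEMO_NONCE,
                  requested_amr=REQUESTED_AMR, now=1700000100)
    for label, claims in [("completed MFA", base), ("bypassed user", dict(base, amr=[])),
                          ("password only", dict(base, amr=["pwd"]))]:
        print(label, "->", verify_eam_id_token(mint_demo_token(claims), **common))
```

The order of checks matters: signature first, then issuer and audience, then the nonce that binds the token to the outstanding request, and only then the method claims. A token that fails earlier checks never has its `amr` consulted, so an attacker can't learn which methods a tenant accepts by replaying forged tokens.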

### Adding an authentication policy for OIDC authentication

If you want to allow users to sign on to the **PingOne Self-Service - MyAccount** application to manage their MFA methods or to other applications you've added to PingOne, you must create an authentication policy for OIDC authentication using the same Microsoft IdP connection.

#### Steps

1. In the PingOne admin console, go to **Authentication > Authentication**.

2. Click **[icon: plus, set=fa]Add policy** and enter a name for the policy.

3. For the first step:

   1. In the **Step Type** list, select **External Identity Provider**.

   2. In the **External Identity Provider** list, select your Microsoft IdP. This is the same Microsoft IdP you selected in [Adding an authentication policy for Entra ID external authentication](#auth_policy_eam).

   3. For **Policy Purpose**, select the **OIDC Authentication** option.

4. (Optional) To prompt users for MFA, click **[icon: plus, set=fa]Add step** and select **PingID Authentication** in the **Step Type** list for the second step.

   ![A screen capture of a PingOne authentication policy with External IdP as the first step and PingID Authentication as the second step.](_images/p1_microsoft_entra_oidc_auth_policy.png)

5. Click **Save**.

#### Result:

You now have two authentication policies:

* An authentication policy for users authenticating with PingOne as external MFA for Entra ID

* An authentication policy for OIDC authentication to allow users to sign on to other applications

![A screen capture of the PingOne Authentication Policies list with two policies: Entra\_ID\_EAM\_Policy and Entra\_ID\_OIDC\_Auth\_Policy.](_images/p1_microsoft_eam_two_auth_policies.png)

### Adding the callback URL to the Entra admin center

If you created an authentication policy for OIDC authentication, you must also add the callback URL from the Microsoft IdP connection in PingOne to the application you registered in the Microsoft Entra admin center.

#### Steps

1. Go to the [Microsoft Entra admin center](https://entra.microsoft.com/).

2. In the sidebar, go to **Identity > Applications > App registrations** and click your application.

3. On the **App registrations** page, in the **Manage** section, click **Authentication**.

4. In the **Platform configurations > Web > Redirect URIs** section, click **Add URI**.

   ![A screenshot of the Authentication page - Redirect URIs in the Entra admin center.](_images/p1-entra-eam-redirect-uris.png)

5. Paste the **Callback URL** that you copied from the PingOne admin console.

   The following examples show the URL format:

   Example 1: `https://auth.pingone.<region>/<envID>/rp/callback/microsoft`

   Example 2: `https://<customDomain>/rp/callback/microsoft`

6. Click **Save**.

#### Result

The **Redirect URIs** section displays both URLs you've added:

1. Authorization URL

2. Callback URL

![A screen capture of the Entra ID Authentication page with two redirect URIs identified with a red number callouts.](_images/p1_microsoft_entra_redirect_uris.png)

### Assigning the OIDC authentication policy to an application in PingOne

After you create an authentication policy for OIDC authentication and add the callback URL to the application in Entra ID, assign the OIDC authentication policy to applicable applications in PingOne, such as the **PingOne Self-Service - MyAccount** application or other applications you've added.

#### Steps

1. In the PingOne admin console, go to **Applications > Applications** and click the relevant application to open the details panel.

2. On the **Policies** tab, click **[icon: plus, set=fa]Add policies**.

3. On the **PingOne Policies** tab, select the OIDC authentication policy.

4. Click **Save**.

![A screen capture of the PingOne Applications page with the PingOne Self-Service - MyAccount app selected and the Policies tab showing an added policy named Entra\_ID\_OIDC\_Auth\_Policy.](_images/p1_selfservice_app_microsoft_entra_auth_policy.png)

#### Next steps

Repeat these steps for any other applications to which you want users to be able to sign on, for example **Another App** in the following screenshot.

![A screen capture of the PingOne Applications page with an example application called Another App selected and the Policies tab showing an added policy named Entra\_ID\_OIDC\_Auth\_Policy.](_images/p1_microsoft_entra_another_app_policy.png)

## Validation

Now that you've set up external MFA in Entra ID and configured PingOne and PingID as the external MFA provider, you're ready to validate that your Entra ID users can use PingID to complete MFA.

1. Open a new browser window in incognito mode.

2. In the [Entra admin center](https://entra.microsoft.com/), locate the application you added to the conditional access policy that requires MFA and click the URL for the application.

   In this example, **My Apps** at https://myapps.microsoft.com.

3. Sign on to the application and complete the first-factor authentication at Microsoft using a test user's credentials.

   ### Result:

   Entra ID prompts the user to complete MFA with the method that Entra considers most secure if both of the following are true:

   * You, as an Entra ID admin, have activated system-preferred MFA and included the test user as the target user.

   * The test user has installed and successfully used the system-preferred MFA method.

   In this example, the test user has installed and used both Microsoft Authenticator and verification code by text message, so Entra ID prompts the user to enter the code from Microsoft Authenticator.

   ![A screen capture of the Microsoft Enter code page.](_images/p1_microsoft_enter_code.png)

   |   |                                                                                                                                      |
   | - | ------------------------------------------------------------------------------------------------------------------------------------ |
   |   | If you haven't activated system-preferred MFA, the user won't see the **Enter code** modal and is prompted to verify their identity. |

4. To use your external MFA, click **Sign in another way** at the bottom of the **Enter code** modal.

   ### Result:

   After selecting **Sign in another way** or if system-preferred MFA doesn't apply, Entra ID displays the **Verify your identity** modal.

   ![A screen capture of the Microsoft Verify your identity page.](_images/p1_microsoft_verify_identity.png)

5. Select the external MFA.

   ### Result:

   Entra ID redirects the browser to PingOne.

6. If the test user hasn't yet paired the PingID app, they're shown a **Welcome to PingID** page. Click **Start** to start the pairing process.

   ![A screen capture of the Welcome to PingID page and then the Add New Device page with a QR code and pairing key.](_images/p1_pingid_add_device.png)

   ### Result:

   After pairing, the PingID app prompts the user to complete the MFA requirement.

7. After PingID is paired for the test user, complete the MFA prompt from the PingID app.

   ### Result:

   PingOne returns an ID token to Entra ID, and Entra ID processes the ID token and signs the test user on to the application.

8. Sign off from the application.

9. In the [Entra admin center](https://entra.microsoft.com/), locate the same application and authenticate to the application again as the test user.

   ### Result:

   This time, PingID shouldn't prompt the test user to pair a device. Instead, the PingID app should prompt the test user to complete the MFA requirement.

   When the test user completes the MFA requirement, PingOne returns an ID token to Entra ID, and Entra ID processes the ID token and signs the test user on to the application.

   ![A screen capture of the Microsoft Apps dashboard.](_images/p1_microsoft_my_apps.png)
