---
title: Ping Identity as external authentication method for Microsoft Entra ID (Azure AD)
description: "Estimated time to complete: 45 minutes."
component: pingoneaic
page_id: pingoneaic:use-cases:use-case-external-entra
canonical_url: https://docs.pingidentity.com/pingoneaic/use-cases/use-case-external-entra.html
keywords: ["Implementation Guide", "Use Case", "EAM", "OpenID Connect (OIDC)"]
section_ids:
  eam-description: Description
  eam-goals: Goals
  eam-prereqs: Before you begin
  eam-tasks: Tasks
  eam-task-1: "Task 1: Create a new OIDC web application in Advanced Identity Cloud"
  ms-eam-setup-task-2: "Task 2: Set up Microsoft Entra ID as the service provider"
  register_a_new_app: Register a new app
  create_a_new_group: Create a new group
  add_a_new_authentication_method: Add a new authentication method
  create_new_conditional_access: Create new conditional access
  aic-final-setup-task-3: "Task 3: Complete set up of Microsoft Entra ID in Advanced Identity Cloud"
  validation: Validation
  steps: Steps
  eam-validation: Video of validation
---

# Ping Identity as external authentication method for Microsoft Entra ID (Azure AD)

## Description

Estimated time to complete: 45 minutes (this assumes you have completed the prerequisites beforehand).

In this use case, you configure Advanced Identity Cloud as an external authentication method (EAM) for Microsoft Entra ID (formerly Azure AD) using OIDC. Microsoft Entra ID continues to perform the primary (first-factor) authentication; when a Conditional Access policy requires multifactor authentication, it redirects the user to Advanced Identity Cloud, which performs the second factor and returns a signed ID token. This lets a user from Microsoft Entra ID use Advanced Identity Cloud as a second-factor authentication solution.

## Goals

After completing this use case, you'll know how to do the following:

* Configure a custom OIDC application for SSO

* Configure Microsoft Entra ID to use an external authentication method (EAM)

* Configure a custom journey for multi-factor authentication (MFA) purposes

## Before you begin

Before you start work on this use case, ensure you have these prerequisites:

* A basic understanding of:

  * SSO and federation

  * OIDC

  * Microsoft Entra ID

  * JavaScript

* Access to your Advanced Identity Cloud development environment as a tenant administrator.

* A test Microsoft Entra ID environment with at least a P1 license. Learn more in [Microsoft Entra licensing options](https://learn.microsoft.com/en-us/entra/fundamentals/licensing).

* An administrator with the Privileged Role Administrator or Global Administrator role in Microsoft Entra ID.

* A test user in Advanced Identity Cloud to serve as the application owner for the custom OIDC (Microsoft Entra ID) application.

* A test end user. The use case matches the Microsoft Entra ID user to a test user in Advanced Identity Cloud by username, so the user must exist in both directories. Specifically, the user must have the same username and password.

## Tasks

|   |                                                                                                                |
| - | -------------------------------------------------------------------------------------------------------------- |
|   | This use case requires the use of third-party services. Use your environment specific details where necessary. |

### Task 1: Create a new OIDC web application in Advanced Identity Cloud

1. In the Advanced Identity Cloud admin console, go to Applications > Custom Application > OIDC - OpenId Connect > Web.

2. Create an application with the following configuration:

   | Field                                                | Value                                                                      |
   | ---------------------------------------------------- | -------------------------------------------------------------------------- |
   | Sign-in URLs                                         | `https://login.microsoftonline.com/common/federation/externalauthprovider` |
   | Grant Types                                          | `Implicit`                                                                 |
   | Scopes                                               | `openid`                                                                   |
   | Access: Response Types                               | `id_token`                                                                 |
   | Access: Claims                                       | `profile`                                                                  |
   | Authentication: Token Endpoint Authentication Method | `None`                                                                     |

### Task 2: Set up Microsoft Entra ID as the service provider

In this task, you prepare Microsoft Entra ID to serve as a service provider (SP) and use Advanced Identity Cloud as an external authentication method.

|   |                                                                                                                                                                                                                                                                                                                               |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Learn more about setting up Microsoft Entra ID to integrate with an external method in the [Microsoft Entra product documentation](https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-external-method-provider#configure-a-new-external-authentication-provider-with-microsoft-entra-id). |

#### Register a new app

1. In a browser, navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).

2. Click Applications and then click App registrations.

   ![Microsoft Entra ID admin center](_images/external-entra/1.png)

3. In the top toolbar, click New registration.

   ![Start new registration for app](_images/external-entra/2.png)

4. Complete the following fields:

   | Field                   | Value                                                                                                                    |
   | ----------------------- | ------------------------------------------------------------------------------------------------------------------------ |
   | Name                    | The app name (for example, `AIC-EAM-DOC`)                                                                                |
   | Supported account types | Select Accounts in this organizational directory only (... - Single tenant)                                              |
   | Redirect URI            | Your Advanced Identity Cloud authorization endpoint. For example, `https://<tenant-env-fqdn>/am/oauth2/alpha/authorize`. |
   | Select a platform       | `Web`                                                                                                                    |

   ![App registration filled in](_images/external-entra/3.png)

5. Click Register to create the application.

6. Find the application ID:

   1. In the application menu, click Overview.

   2. Note the Application (client) ID of the application. For example, `fa441b8a-9169-47e3-9b1f-270d2c61e33d`. You'll need this to create an external authentication method.

   ![Overview page for app](_images/external-entra/4.png)

7. Configure the application's permissions to the API:

   1. Select API permissions and then click Add a permission.

   2. In the top toolbar, select APIs my organization uses.

      ![Request API permissions list](_images/external-entra/11.png)

   3. Search for and select Microsoft Graph.

      ![Request API permissions selection](_images/external-entra/13.png)

   4. Select Delegated permissions.

      ![Delegated Permissions](_images/external-entra/14.png)

   5. In the Openid permissions section, select the openid and profile checkboxes, and click Add permissions.

      ![Delegated Permissions](_images/external-entra/16.png)

   6. Click Grant admin consent for \<your company>.

      ![Delegated Permissions after grant](_images/external-entra/19.png)

   7. After granting admin consent, refresh the page to display the updated permission status. Learn more in [Grant tenant-wide admin consent to an application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=portal) in the Microsoft Entra ID documentation.

      ![Delegated Permissions after grant successful with checks](_images/external-entra/20.png)

#### Create a new group

Creating a group lets you scope both the external authentication method and the Conditional Access policy to a small set of test users. If the integration is misconfigured, only those users are affected, instead of all users being locked out of the tenant when external authentication is enabled.

1. In a browser, navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).

2. In the left panel, click Identity and then click Groups > All groups.

   ![All groups](_images/external-entra/21.png)

3. Click New group, and complete the following fields:

   | Field           | Value             |
   | --------------- | ----------------- |
   | Group type      | `Security`        |
   | Group Name      | Anything you want |
   | Membership type | `Assigned`        |

   ![New Group](_images/external-entra/22.png)

4. Add a few test users to the group, as needed.

5. Click Create.

#### Add a new authentication method

1. In a browser, navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).

2. Click Protection and then click Authentication methods.

   ![New Authentication methods - Policies](_images/external-entra/23.png)

3. In the top toolbar, click Add external method (Preview). Note that this option is available only with a Microsoft Entra P1 license or higher.

4. Complete the following fields and click Save:

   | Field              | Value                                                                                                                                    |
   | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------- |
   | Name               | Anything you want                                                                                                                        |
   | Client ID          | The client ID of the OIDC web application you created in [Task 1 - Create a new OIDC web application in Advanced Identity Cloud](#eam-task-1). Microsoft Entra ID sends this value as `client_id` in its authorization request. |
   | Discovery Endpoint | `https://<tenant-env-fqdn>/am/oauth2/alpha/.well-known/openid-configuration`                                                             |
   | App ID             | The generated Application (client) ID you recorded when [setting up Microsoft Entra ID as the service provider](#ms-eam-setup-task-2)    |

   ![Add external method (Preview)](_images/external-entra/24.png)

5. Ensure that you granted admin consent when you [registered the new app](#register_a_new_app). You need the Privileged Role Administrator or Global Administrator role to grant admin consent for the provider's application.

6. Click the Enable toggle to enable external authentication methods.

7. Set Include or Exclude users/groups, as needed.

8. Click Save.

#### Create new conditional access

1. In a browser, navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/#home).

2. Click Protection and then click Conditional Access.

   ![Conditional Access Overview](_images/external-entra/25.png)

3. In the top toolbar, click Create new policy.

4. Complete the following fields:

   | Field            | Value                                                                                                                                                  |
   | ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
   | Name             | Anything you want                                                                                                                                      |
   | Users            | The group you created. Don't include all users initially; if the integration fails, only the members of the test group are affected.                  |
   | Target resources | The apps you want to protect (My Apps for testing purposes)                                                                                            |
   | Network          | Set as needed                                                                                                                                          |
   | Condition        | Set as needed                                                                                                                                          |
   | Grant            | Select Grant access, then select Require multifactor authentication. For multiple controls, set according to your security model.                     |

5. Confirm your settings and set Enable policy to Report-only. In Report-only mode, Microsoft Entra ID evaluates the policy and records the result in the sign-in logs but does not enforce it, so users are not yet redirected to Advanced Identity Cloud. After the sign-in logs show the expected evaluation for the test group, switch the policy to On to enforce MFA and complete the validation.

6. Click Create.

At this point, you:

|                                                                                          |
| ---------------------------------------------------------------------------------------- |
| Created an OIDC application in Advanced Identity Cloud                                   |
| Registered an application in Microsoft Entra ID                                          |
| Created a group in Microsoft Entra ID                                                    |
| Added Advanced Identity Cloud as an external authentication method in Microsoft Entra ID |
| Created a policy for conditional access in Microsoft Entra ID                            |

### Task 3: Complete set up of Microsoft Entra ID in Advanced Identity Cloud

|   |                                                                                                                                       |
| - | ------------------------------------------------------------------------------------------------------------------------------------- |
|   | Learn more in [Override the audience and issuer claims](../am-oauth2/plugins-user-info-claims.html#example-override-issuer-audience). |

1. In the Advanced Identity Cloud admin console, go to Scripts > Auth Scripts.

2. Make a copy of the `Alpha OIDC Claims Script`, and add the lines marked `MS Entra EAM` at the end of the `getComputedClaims` function, right before `return computedClaims;` (the surrounding lines are shown for context):

   ```javascript
       }
   });
   // MS Entra EAM: the journey stored the subject from Entra's id_token_hint
   // and the MFA method used as session properties. Return that subject as the
   // id_token's sub, so it matches what Entra sent, and report the method as
   // an amr value that Entra accepts for external methods (for example, otp).
   var receivedSub = session.getProperty("eamsub");
   computedClaims.put("sub", receivedSub);
   var amrMFAUsed = session.getProperty("eam-mfa-type");
   var amrClaim = [amrMFAUsed];
   computedClaims.put("amr", amrClaim);

   return computedClaims;
   }
   ```

3. Update your OIDC client:

   1. Go to Native Consoles > Access Management > Applications > OAuth 2.0 > Clients and click the client you created in [Task 1 - Create a new OIDC web application in Advanced Identity Cloud](#eam-task-1).

   2. On the Core tab, complete the following fields:

      | Field            | Value                                                                      |
      | ---------------- | -------------------------------------------------------------------------- |
      | Redirection URIs | `https://login.microsoftonline.com/common/federation/externalauthprovider` |
      | Default Scope(s) | `openid` `profile`                                                         |

   3. On the Advanced tab, complete the following fields:

      | Field                                | Value                                                                       |
      | ------------------------------------ | --------------------------------------------------------------------------- |
      | JavaScript Origins                   | `https://login.microsoftonline.com` `https://login.microsoftonline.com:443` |
      | Response Types                       | `id_token`                                                                  |
      | Grant Types                          | `Implicit`                                                                  |
      | Token Endpoint Authentication Method | `None`                                                                      |

   4. On the OAuth2 Provider Overrides tab, complete the following fields. Enabling the overrides on this client, instead of changing the realm-wide OAuth2 Provider, keeps the `sub` override (which lets the claims script replace the token subject) scoped to the Microsoft Entra ID client only:

      | Field                                                        | Value                                                           |
      | ------------------------------------------------------------ | --------------------------------------------------------------- |
      | Enable OAuth2 Provider Overrides                             | Enabled                                                         |
      | Access Token Modification Plugin Type                        | `Scripted`                                                      |
      | Access Token Modification Script                             | `Alpha OAuth2 Access Token Modification Script`                 |
      | OIDC Claims Plugin Type                                      | `SCRIPTED`                                                      |
      | OIDC Claims Script                                           | Name of the script you created in [step 2](#oidc-claims-script) |
      | OIDC Claims Plugin Implementation Class                      | `org.forgerock.openam.oauth2.OpenAMScopeValidator`              |
      | Use Client-Side Access & Refresh Tokens                      | Enabled                                                         |
      | Allow Clients to Skip Consent                                | Enabled                                                         |
      | Scope Evaluation Plugin Implementation Class                 | `org.forgerock.openam.oauth2.OpenAMScopeValidator`              |
      | Scope Validation Plugin Type                                 | `JAVA`                                                          |
      | Scope Validation Plugin Implementation Class                 | `org.forgerock.openam.oauth2.OpenAMScopeValidator`              |
      | Authorize Endpoint Data Provider Plugin Type                 | `SCRIPTED`                                                      |
      | Authorize Endpoint Data Provider Script                      | `OAuth2 Authorize Endpoint Data Provider Script`                |
      | Authorize Endpoint Data Provider Plugin Implementation Class | `org.forgerock.openam.oauth2.OpenAMScopeValidator`              |
      | Overrideable Id\_Token Claims                                | `sub` `acr` `amr`                                               |

   5. Click Save Changes.

4. Whitelist the EAM session properties:

   1. Go to Services > Session Property Whitelist Service.

      |   |                                                                                         |
      | - | --------------------------------------------------------------------------------------- |
      |   | If the Session Property Whitelist Service is not listed, click Add a Service to add it. |

   2. In the Allowlisted Session Property Names and Session Properties to return for session queries fields, enter `eamsub` and `eam-mfa-type`, and click Save Changes.

      ![Session Property Whitelist Service](_images/external-entra/26.png)

5. Import and configure the sample journey:

   1. In the Advanced Identity Cloud admin console, import [this sample journey](../_attachments/EAM_SAMPLE-journeyExport-alpha-realm-example.forgeblocks.com-2025-05-08T14_09_57.354Z.json). Learn more about importing journeys in [Import journeys](../journeys/journeys.html#import-journeys).

      |   |                                                                                                                                                                                                         |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | This journey is provided as an example only. It isn't configured to perform multi-factor authentication (MFA). The scripts provided with the journey are samples and are not supported by Ping Identity. |

      ![Journey example](_images/external-entra/use-case-entra-external-journey.png)

   2. In the **GetLoginHint** node, open the `EAMGetLoginHint` script and update the configuration variables with your EAM-specific data. Microsoft Entra ID redirects the user to the journey with a signed JWT (the `id_token_hint`) that identifies the user. The script validates that token against the configured issuer, audience, tenant ID and JWKS, and uses the identity it carries to authenticate the user within the journey. Validating the signature and claims is what stops a forged or replayed hint from asserting a different user.

      | Field    | Value                                                                                                                                                                                                                                                                    |
      | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
      | issuer   | The issuer URL in the format `https://login.microsoftonline.com/<tid>/v2.0`. To find your tenant ID (tid), go to the Microsoft Entra admin center and click Identity > Overview.                                                                                          |
      | jwksJson | The full JWKS document from `https://login.microsoftonline.com/<tid>/discovery/v2.0/keys`. Microsoft rotates these signing keys, so a static copy stops validating tokens signed with a new key; refresh it when the `kid` in an incoming token is not in the configured set. |
      | audience | The Application (client) ID you recorded when [setting up Microsoft Entra ID as the service provider](#ms-eam-setup-task-2). This is the expected `aud` claim of the incoming token.                                                                                      |
      | tid      | Your tenant ID (tid)                                                                                                                                                                                                                                                     |
      | nodeName | The node name, used for logging.                                                                                                                                                                                                                                         |

6. Go to Native Consoles > Access Management > Services > OAuth2 Provider.

7. On the Advanced OpenID Connect tab, update your OAuth 2.0 Provider by completing the following fields. Microsoft Entra ID sends `acr_values=possessionorinherence` in its authorization request; the mapping routes that request to the sample journey:

   | Field                                            | Value                                                           |
   | ------------------------------------------------ | --------------------------------------------------------------- |
   | Enable "claims\_parameter\_supported"            | True (on)                                                       |
   | OpenID Connect acr\_values to Auth Chain Mapping | `possessionorinherence`: `EAM SAMPLE` (the sample journey name) |

At this point, you:

|                                                                                          |
| ---------------------------------------------------------------------------------------- |
| Created an OIDC application in Advanced Identity Cloud                                   |
| Registered an application in Microsoft Entra ID                                          |
| Created a group in Microsoft Entra ID                                                    |
| Added Advanced Identity Cloud as an external authentication method in Microsoft Entra ID |
| Created a policy for conditional access in Microsoft Entra ID                            |
| Added the EAM session properties to the OIDC Claims Script in Advanced Identity Cloud    |
| Updated the OIDC application in Advanced Identity Cloud                                  |
| Whitelisted the EAM session properties                                                   |
| Imported and configured a sample journey                                                 |
| Updated the OAuth 2.0 Provider                                                           |

## Validation

Now that you have created and configured the EAM setup, validate the configurations.

### Steps

1. In a browser, go to <https://myapps.microsoft.com>.

2. Sign on using the test user's username and password.

3. When prompted, select the external authentication method you configured.

4. Choose your MFA method (this assumes the journey administrator has configured an MFA challenge).

Upon successful authentication, the user should be signed on to Microsoft Entra ID.

### Video of validation

The following video displays the expected flow from Microsoft Entra ID to Advanced Identity Cloud:

**Video (Brightcove):** <https://players.brightcove.net/771836189001/default_default/index.html?videoId=6360322216112>
