By modifying your PingFederate authentication policy to include the risk level from Azure AD Identity Protection, you can dynamically change authentication requirements based on security risk level.
These steps are designed to help you add to an existing authentication policy. For general information about configuring authentication policies, see Authentication API in the PingFederate documentation.
On the PingFederate administrative console, go to the
- For PingFederate 10.1 or later: go to .
- For PingFederate 10.0 or earlier: go to .
- Select the IdP Authentication Policies check box.
Open an existing authentication policy, or click Add
For help, see Defining authentication policies in the PingFederate documentation.
In the Policy area, select the Microsoft IdP Adapter
instance that you created in Setting up the Microsoft Cloud Identity Connector.
In the Success branch following the Microsoft IdP
Adapter instance, select your Azure AD Identity Protection IdP Adapter
Map the Microsoft user ID into the Azure AD Identity Protection IdP Adapter instance.
- Under the Azure AD Identity Protection IdP Adapter instance, click Options.
- On the Options dialog, from the Source list, select your Microsoft IdP Adapter instance.
- From the Attribute list, select the id. Click Done.
Define policy paths based on the information
provided by Azure AD Identity Protection:
- Under the Azure AD Identity Protection IdP Adapter instance, click Rules.
- On the Rules dialog, from the Attribute Name list, select userRiskLevel.
- From the Condition list, select equal to.
In the Value field, enter "low", "medium", or "high", or one of the utility values "none",
"hidden", "unknownFutureValue", or "noRiskData".
The "noRiskData" value is set by the adapter when it does not find risk data for the user.
- In the Result field, enter a name. This appears as a new policy path that branches from the Azure AD Identity Protection IdP Adapter.
- If you want to add more authentication paths, click Add and repeat steps b-e.
- Optional: Clear the Default to success check box.
- Click Done.
Configure each of the authentication
- Click Done. In the Policies window, click Save.