These steps are designed to help you add to an existing authentication policy. For general information about configuring authentication policies, see Authentication API in the PingFederate documentation.

  1. On the PingFederate administrative console, go to the Policies tab.
    • For PingFederate 10.1 or later: go to Authentication > Policies > Policies.
    • For PingFederate 10.0 or earlier: go to Identity Provider > Authentication Policies > Policies.
  2. Select the IdP Authentication Policies check box.
  3. Open an existing authentication policy, or click Add Policy.

    For help, see Defining authentication policies in the PingFederate documentation.

  4. In the Policy area, select the Microsoft IdP Adapter instance that you created in Setting up the Microsoft Cloud Identity Connector.

    A screenshot that shows the authentication policy with the Microsoft IdP Adapter being added
  5. In the Success branch following the Microsoft IdP Adapter instance, select your Azure AD Identity Protection IdP Adapter instance.

    A screenshot that shows the authentication policy with the Azure AD Identity Protection IdP Adapter being added
  6. Map the Microsoft user ID into the Azure AD Identity Protection IdP Adapter instance.

    A screenshot that shows the Incoming User ID dialog with the user identifier selected
    1. Under the Azure AD Identity Protection IdP Adapter instance, click Options.
    2. On the Options dialog, from the Source list, select your Microsoft IdP Adapter instance.
    3. From the Attribute list, select id, then click Done.
  7. Define policy paths based on the information provided by Azure AD Identity Protection:

    A screenshot that shows the authentication policy branches
    1. Under the Azure AD Identity Protection IdP Adapter instance, click Rules.
    2. On the Rules dialog, from the Attribute Name list, select userRiskLevel.
    3. From the Condition list, select equal to.
    4. In the Value field, enter one of the risk values "low", "medium", or "high", or one of the utility values "none", "hidden", "unknownFutureValue", or "noRiskData".
      The adapter sets "noRiskData" when it finds no risk data for the user, so add a separate rule for that value if you want to treat users without risk data differently from users whose risk level is "none".
    5. In the Result field, enter a name for the new policy path. The name appears as a new branch from the Azure AD Identity Protection IdP Adapter.
    6. To add more authentication paths, click Add and repeat steps 2 through 5 for each value you want to branch on.
    7. Optional: Clear the Default to success check box. When the check box is cleared, a user whose userRiskLevel matches none of your rules follows the Fail path instead of the Success path, so make sure every value you expect to see (including "low" and "none") has a rule before you clear it.
    8. Click Done.
  8. Configure each of the authentication paths.

    A screenshot that shows the complete authentication policy
  9. Click Done. In the Policies window, click Save.
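As a check on the branch set before you save, the following is an added Python model of the routing that the Rules dialog above produces; it is illustrative code, not PingFederate's or Ping Identity's own implementation. It assumes the "equal to" condition, first matching rule wins, and that an unmatched value goes to Success or Fail depending on the Default to success check box. The path names ("Block", "StepUpMFA") and the example rule set are constructed; the userRiskLevel values are the ones listed in step 7.

```python
"""Model of the routing produced by the Rules dialog on the Azure AD
Identity Protection IdP Adapter.

Added example, not PingFederate or Ping Identity code. The path names
("Block", "StepUpMFA") and the sample rule set are constructed for
illustration; the userRiskLevel values are the ones listed in the
procedure above.
"""
from __future__ import annotations

from dataclasses import dataclass

# Risk values the adapter reports plus the utility values from step 7.
RISK_VALUES = {"low", "medium", "high"}
UTILITY_VALUES = {"none", "hidden", "unknownFutureValue", "noRiskData"}


@dataclass(frozen=True)
class Rule:
    """One row of the Rules dialog with Condition set to 'equal to'."""
    attribute: str  # Attribute Name, e.g. "userRiskLevel"
    value: str      # Value
    result: str     # Result: the policy path name


# Constructed example policy: block high-risk users, step up medium-risk
# users and users with no risk data, let everyone else through.
EXAMPLE_RULES = [
    Rule("userRiskLevel", "high", "Block"),
    Rule("userRiskLevel", "medium", "StepUpMFA"),
    Rule("userRiskLevel", "noRiskData", "StepUpMFA"),
]


def route(attributes: dict[str, str], rules: list[Rule],
          default_to_success: bool) -> str:
    """Return the policy path a user follows.

    The first rule whose value equals the adapter attribute wins. If no
    rule matches, the user follows Success only when 'Default to success'
    is selected; with the box cleared they follow Fail.
    """
    for rule in rules:
        if attributes.get(rule.attribute) == rule.value:
            return rule.result
    return "Success" if default_to_success else "Fail"


def unrouted_values(rules: list[Rule]) -> set[str]:
    """Adapter values that have no explicit rule and will fall through.

    Review this set before clearing 'Default to success': anything in it
    (typically "low" and "none") will then land on the Fail path.
    """
    covered = {r.value for r in rules if r.attribute == "userRiskLevel"}
    return (RISK_VALUES | UTILITY_VALUES) - covered


def simulate(rules: list[Rule], default_to_success: bool) -> dict[str, str]:
    """Map every value the adapter can emit to the path it would take."""
    return {
        value: route({"userRiskLevel": value}, rules, default_to_success)
        for value in sorted(RISK_VALUES | UTILITY_VALUES)
    }


if __name__ == "__main__":
    for setting in (True, False):
        print(f"Default to success = {setting}")
        for value, path in simulate(EXAMPLE_RULES, setting).items():
            print(f"  {value:>18} -> {path}")
    print("values without a rule:", sorted(unrouted_values(EXAMPLE_RULES)))
```

Running the model with the example rule set shows the trap step 7 warns about: with Default to success cleared, "low", "none", "hidden", and "unknownFutureValue" users all land on Fail because no rule names them. Add explicit rules for those values, or leave the check box selected, so that the policy treats users with an acceptable risk level as intended.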