Running the Azure AD Connect tool and following its prompts makes these required configuration changes automatically. The steps outlined here can be run manually if required.

You can complete the configuration manually using the Set-MsolDomainAuthentication PowerShell cmdlet. When you execute it, you must provide the URLs for PingFederate, the public portion of its signing certificate, and some other inputs.


The IssuerURI parameter should be unique so that Office 365 can identify your identity provider (IdP).

  1. Export the signing certificate from PingFederate:
    1. Go to Server Configuration > Signing & Decryption Keys & Certificates.
    2. Export the applicable signing certificate to the local file system, such as C:\temp\pf-signing.crt.
    3. When prompted, select Certificate Only.
  2. Use PowerShell to remove unnecessary lines from the certificate file and configure federation for your Azure AD domain.
    $certFile = "C:\temp\pf-signing.crt"
    $cert = [IO.File]::ReadAllText($certFile)
    $cert = $cert.replace("-----BEGIN CERTIFICATE-----","")
    $cert = $cert.replace("-----END CERTIFICATE-----","")
    $cert = $cert.replace("`r","")
    $cert = $cert.replace("`n","")
    $domainName = "<Federated Domain Name>"
    $hostName = "<Hostname>.$domainName"
    $port = 9031
    $pingfederate = "https://${hostName}:$port"
    $brandName = "<Federated Domain Alias>"
    $issuer = "<WS-Federation Realm or Virtual Server ID>"
    $spId = "urn:federation:MicrosoftOnline"
    $activeLogOn = "$pingfederate/idp/sts.wst"
    $logOff = "$pingfederate/idp/prp.wsf"
    $metaData = "$pingfederate/pf/sts_mex.ping?PartnerSpId=$spId"
    Set-MsolDomainAuthentication -Authentication Federated -DomainName 
    "$domainName" -ActiveLogOnUri  "$activeLogOn" -FederationBrandName 
    "$brandName" -IssuerUri "$issuer"  -LogOffUri "$logOff" -MetadataExchangeUri 
    "$metaData" -PassiveLogOnUri  "$passiveLogOnPF" -SigningCertificate "$cert"

    For more information about the Set-MsolDomainAuthentication command, see Set-MsolDomainAuthentication in the Microsoft documentation.

  3. To verify that the domain settings are up-to-date and in effect, run the Get-MsolDomainFederationSettings -DomainName <name> command.

    If you have multiple subdomain accounts in Office 365, you can connect to them in one service provider (SP) connection using multiple virtual server IDs in PingFederate 7.2 or later.