The default authentication type in the Azure AD or Office 365 domain is managed, which means that access is provided only for Azure AD cloud user identities. To allow usage of the on-prem user accounts, change the authentication type to federated.
Running the Azure AD Connect tool and following its prompts makes these required configuration changes automatically. The steps outlined here can be run manually if required.
You can complete the configuration manually using the Set-MsolDomainAuthentication PowerShell cmdlet. When you execute it, you must provide the URLs for PingFederate, the public portion of its signing certificate, and some other inputs.
The IssuerURI parameter should be unique so that Office 365 can identify your identity provider (IdP).