1. Sign on to the PingFederate administrative console and go to Server Configuration > Password Credential Validators > Create New Instance .
  2. On the Type tab, populate the Instance Name and Instance ID fields, choose Azure AD Password Credential Validator 2.0 in the Type field, and click Next.
    Screencapture of the Create Credential Validator Instance Type tab showing the Instance Name, Instance ID, Type and Parent Instance fields.
  3. On the Instance Configuration tab, populate the Tenant ID, Client ID and Client Secret fields using the information specific to your Azure AD application, and click Next.
    Note:

    For more information about obtaining the Client ID and Client Secret, see Use the portal to create an Azure AD application and service principal that can access resources.

    Configuration fields
    Field Type Description

    Tenant ID

    String. Required.

    The tenant ID generated by Microsoft when you register an application in Azure.

    Client ID

    String. Required.

    The client ID generated by Microsoft when you register an application in Azure.

    Client Secret

    String. Required.

    The client secret generated by Microsoft when you register an application in Azure.

    Disable User Group Retrieval

    Check box

    Disable the PCV from retrieving the memberOf attribute for users.

    Microsoft Login Base URL

    String. Required.

    The base URL used by Microsoft for any authentication calls.

    The default value is https://login.microsoftonline.com/.

    Microsoft Token Endpoint

    String. Required

    The endpoint used by Microsoft to retrieve an access token.

    The default value is /oauth2v2.0/token.

    User Attributes Endpoint

    String. Required.

    The endpoint used to retrieve user attributes.

    The default value is https://graph.microsoft.com/v1.0/me.

    Group Membership Endpoint

    String. Required.

    The endpoint used to retrieve group membership info.

    The default value is https://graph.microsoft.com/v1.0/me/memberOf.

    API Request Timeout

    The amount of time in milliseconds that PingFederate waits for Microsoft APIs to respond to requests. A value of 0 disables the timeout.

    The default value is 5000.

    Proxy Settings
    • No Proxy
    • System Defaults
    • Custom

    Defines proxy settings for outbound HTTP requests.

    The default value is System Defaults.

    Custom Proxy Host

    String. Optional.

    The proxy server hostname to use when Proxy Settings is set to Custom.

    Custom Proxy Port

    String. Optional.

    The proxy server port to use when Proxy Settings is set to Custom.
    Note:

    If the user’s group memberships are not required, select the option to Disable User Group Retrieval.

  4. The attribute contract can be extended with any additional Azure AD attributes, including Azure AD custom properties. For more information, see Known issues and limitations.
    Important:

    If you're upgrading from Azure AD Password Credential Validator 1.2 or earlier, and used the objectID attribute in your extended contract, change the attribute to ID.

    The core contract contains the following attributes:

    1. displayName
    2. givenName
    3. mail
    4. memberOf
    5. surname
    6. username
    7. userPrincipalName
  5. Click Next, review your settings, then click Save.