The Office 365 Provisioner includes a quick connection template to easily set up a connection with Office 365, which can be used for single sign-on (SSO), provisioning, or both. The provisioner makes use of the Microsoft Graph API to communicate with Azure, which acts as the user and group repository for Office 365. The provisioner includes licensing support (skuId and disabledPlans attributes) and the ability for managers to be assigned to provisioned users (manager and pingSourceDN attributes).


This provisioner is for outbound provisioning only and is not intended for inbound or hybrid environments.


  • Browser-based SP and IdP-initiated SSO
  • Includes support for user and group life cycle management (including creates, updates, disables, and deletes).
  • Includes configuration options for workflow capabilities (for example, the ability to disable updates).

Intended audience

This document is intended for PingFederate administrators.

If you need help during the setup process, see the following resources:

System requirements

  • PingFederate 9.0 or later.
  • An existing Office 365 account.
  • SSO requires the following:
    • A domain that has been created for use as a federated domain and is accessible and DNS resolvable by Microsoft.
    • Administrative access to modify DNS records for the federated domain.
    • The PingFederate server must be externally accessible.
    • A Windows platform in order to run SSO related configuration using Powershell. The Windows platform must be able to access the Azure management portal.