Outbound provisioning details are managed within an SP connection. You can configure outbound provisioning with or without Browser SSO, WS-Trust STS, or both when you create a new SP connection. You also have the option to add outbound provisioning to an existing SP connection.

For SSO instructions, see Configure SSO.

  1. Create a new SP connection or select an existing SP connection from the SP Configuration menu.
  2. On the Connection Template screen, select the Use a template for this connection option and choose Office 365 Connector from the Connection Template drop-down list. You will be asked to provide the federationmetadata.xml file you obtained earlier in Download Office 365 SAML 2.0 metadata file.
    Tip: If this selection is not available, verify the connector installation and restart PingFederate.
  3. On the Connection Type screen, ensure the Outbound Provisioning checkbox is selected, and the Browser SSO Profiles checkbox is cleared (if appropriate).
  4. On the General Info screen, the default values are taken from the metadata file you selected in an earlier step. We recommend using the metadata default values.
  5. Follow the connection wizard to configure the connection.
  6. On the Outbound Provisioning screen, click Configure Provisioning.
  7. On the Target screen, enter the values for each field as required by the Office 365 Connector.
    Image of the Target screen.
    Field Name Value
    Application ID The application ID for the application created in Azure. For more information, see Obtain Azure application ID and secret.
    Application Secret The secret generated during application creation in Azure. For more information, see Obtain Azure application ID and secret.
    Global Default Password The default password. Only used if the password attribute is not mapped, or value of the mapped field is empty.
    Do a Base64 Conversion on ImmutableID True (default) is recommended. Set to false if the ImmutableID is not base64. The conversion assumes it is mapped to a hex number.
    Remove Licenses from User when SkuId is Empty

    False (default) – When disabled, if you choose to not configure the skuId field in your configuration's Attribute Mapping screen, or if the user's skuId field is cleared in the datastore, the user's licenses will not be removed from their account.

    True – When enabled, if you choose to not configure the skuId field in your configuration's Attribute Mapping screen, or if the user's skuId field is cleared in the datastore, the user's licenses will be removed from their account.
    Tenant Domain The tenant domain configured in Azure, which is retrieved by going to the application properties and selecting view endpoints, and copying the ID from the URL under Windows Azure AD Graph API Endpoint.
    Provisioning Options
    User Create

    True (default) – Users will be created in Office 365.

    False – Users will not be created in Office 365.

    Note: The provisioner.log will display a warning within the create user workflow that the user was not created in Office 365.
    User Update

    True (default) – Users will be updated in Office 365.

    False – Users will not be updated in Office 365.

    Note: The provisioner.log will display a warning within the update user workflow that the user was not updated in Office 365.
    User Disable / Delete True (default) – Users will be disabled or deleted in Office 365.

    False – Users will not be disabled or deleted in Office 365.

    Note: The provisioner.log will display a warning indicating that the user was not disabled or deleted in Office 365.
    Provision Disabled Users

    This option is only relevant if User Create is True.

    True (default) – Office 365 users will be created in a disabled state.

    False – Office 365 users will not be created in a disabled state. This is desirable for scenarios where there are disabled users in the data store, not intended for creation in Office 365 during initial synchronization.

    Note: The provisioner.log will display a warning within the create user workflow indicating that the user was not created in Office 365.
    Remove User Action

    Select a deprovision method (Disable or Delete). Deprovisioning is triggered when previously provisioned users no longer meet the condition set in the Source Location screen, or when a user has been suspended or deleted from the data store. This option is only applicable if User Disable / Delete is set to True.

    Disable (default) – when selected, if you delete a user from Active Directory, the user will be disabled in Office 365 (also known as a soft delete).

    Delete – when selected, if you delete a user from Active Directory, the user will be deleted in Office 365 (also known as a hard delete).

    Note: When a user is deleted in Azure Active Directory, the deleted user is retained for 30 days from the deletion date. During that time, the user and its properties can be restored under Users > Deleted users.
    Important: For user provisioning to succeed, the users’ userPrincipalName domain must match a verified domain in Azure.
  8. Click Next to continue the provisioning configuration.
    For more information, see the following sections under Configure outbound provisioning:
    Note: Credentials will be verified when the channel and SP connection is set to Active and provisioning is initiated.
    Tip: If you are not ready to complete the provisioning configuration, you can click Save and return to the configuration page later. To return to the configuration page, select the connection from Identity Provider > SP Connections > Manage All.