Setting up PingID MFA for Microsoft Azure AD Conditional Access involves the following steps:

  • In the admin portal, set up the integration, including attribute mapping.
  • In Azure AD:
    • Create a PingID MFA custom control.
    • Create a PingID MFA conditional access policy.
  • Optionally apply a PingID MFA policy to the Azure AD integration.

Default attribute mapping is based on the attributes that Azure sends to PingOne during the authorization request to trigger PingID MFA and includes the following attributes.

PingID attribute Azure AD attribute







  1. In the Admin portal, go to Setup > PingID > Client Integration.
  2. In the Integrate with Microsoft Azure AD section, click Setup Integration.

    The Azure AD Integration window opens.

    Screen capture of the Azure AD Integration window, currently showing the Connect to Active Directory section with the fields for Directory IDS, Application Name, and Application Icon. There is a hyperlink option to Add directory id under the field for Directory IDS.
  3. To find the relevant Directory ID, in the Azure portal:
    1. In the FAVORITES menu in the left side bar, go to Azure Active Directory.
    2. In the Manage section, click Properties.
    3. Copy the value from the Directory ID field.
  4. In the Admin portal:
    1. Paste the directory ID value into the Directory IDS field.
    2. Optional: To add additional directory IDs, click Add directory ID and paste the relevant Directory ID, as it appears in the relevant Azure AD account.

      The directory ID must be a valid UUID string.

    3. In the Application Name field, enter the name you want to use to represent authorization requests from Azure AD.

      This is the name that users will see displayed if using the PingID mobile app during authorization. This name is also used to identify the Azure AD application in the PingID policy applications list.

    4. To change the application icon, choose one of the following:
      • Select a new icon: Click the application icon and go to the icon you want to use.
      • Use the default icon: Click Remove.

      The PingID mobile app displays the selected icon during authorization.

    5. If your environment uses a redirect URI that is different than the default Azure AD redirect URI, use the Override Redirect URI field to specify the correct URI.
    6. Click Next.

      The Map Attributes tab opens, displaying the default attribute mapping.

      Screen capture of the Map Attributes section in the Azure AD Integration window. Each field is a drop-down list. The default values are shown for each field. To the right of each field is an Advanced button.
  5. Optional: To map Azure AD attributes that are not provided in the initial MFA request to the relevant PingID attributes:
    1. In the relevant attribute field, select the Azure AD attribute from the drop-down list, or type the attribute into the field.

      By default, the username for PingID is taken from the upn attribute in Azure. However, if you are also using Azure as the identity provider (IdP) for PingOne for Enterprise, make sure that you select from the list the attribute that you mapped to MFA_SUBJECT. Otherwise, you may end up with a situation where a single user is listed as two different users: one whose username comes from the upn attribute and one whose username comes from the attribute mapped to MFA_SUBJECT.

    2. To perform attribute transformations on a specific attribute, in the relevant row, click Advanced and configure the fields as required.

      For more information, see Creating advanced attribute mappings.

    3. Click Next.
    4. If you included Azure AD attributes that are not provided in the initial MFA request from Azure AD, you'll receive a prompt requesting that you grant PingID permission to access and collect those attributes from your Azure AD tenant.

      If you are not prompted to grant permissions, skip this step.

      Screen capture of the Grant Permission section in the Azure AD Integration window

      In the Grant Permission window, for each Azure AD tenant:

      1. To open the Azure login window, in the Grant Permission section, click Grant Permission.

        Screen capture of Microsoft Azure login screen
      2. To grant the relevant access to PingID, sign on to your Azure AD Tenant and click Accept.
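
The username-mapping step above warns that one person can end up listed as two PingID users, one named by upn and one by the attribute mapped to MFA_SUBJECT. The following is an added example, not part of the Ping Identity documentation, that checks exported user lists for that condition. It assumes the MFA_SUBJECT attribute is mail, that usernames compare case-insensitively, and that both exports are already loaded as lists; all field names and sample records are constructed.

```python
"""Find people listed as two PingID users because the username source differs."""

# Constructed sample data, not from any real tenant.
# Azure AD export: upn plus the attribute mapped to MFA_SUBJECT (assumed: mail).
AZURE_USERS = [
    {"upn": "asmith@corp.example", "mail": "alice.smith@example.com"},
    {"upn": "bjones@corp.example", "mail": "bjones@corp.example"},
    {"upn": "cwu@corp.example", "mail": "carol.wu@example.com"},
    {"upn": "dlee@corp.example", "mail": "dan.lee@example.com"},
]
# PingID user list export: usernames only.
PINGID_USERNAMES = [
    "ASmith@corp.example",      # created from upn
    "alice.smith@example.com",  # same person, created from MFA_SUBJECT
    "bjones@corp.example",
    "carol.wu@example.com",
    "dlee@corp.example",        # exists under upn only
]


def norm(value):
    """Assumption: usernames match case-insensitively, ignoring whitespace."""
    return (value or "").strip().lower()


def find_split_identities(azure_users, pingid_usernames, subject_attr="mail"):
    """Return one finding per person present under both upn and subject_attr."""
    enrolled = {norm(u) for u in pingid_usernames}
    findings = []
    for user in azure_users:
        upn, subject = norm(user.get("upn")), norm(user.get(subject_attr))
        if not upn or not subject or upn == subject:
            continue  # identical values cannot produce two users
        if upn in enrolled and subject in enrolled:
            findings.append({"upn": upn, "mfa_subject": subject})
    return findings


def find_upn_only(azure_users, pingid_usernames, subject_attr="mail"):
    """People known to PingID by upn only, although MFA_SUBJECT differs."""
    enrolled = {norm(u) for u in pingid_usernames}
    return [norm(u["upn"]) for u in azure_users
            if norm(u.get("upn")) in enrolled
            and norm(u.get(subject_attr)) not in enrolled]


if __name__ == "__main__":
    for f in find_split_identities(AZURE_USERS, PINGID_USERNAMES):
        print(f"duplicate: {f['upn']} / {f['mfa_subject']}")
    for upn in find_upn_only(AZURE_USERS, PINGID_USERNAMES):
        print(f"upn-only, will split if MFA_SUBJECT is used later: {upn}")
```

Entries from `find_split_identities` are people already listed twice; entries from `find_upn_only` are accounts that would gain a second listing once a request arrives carrying the MFA_SUBJECT value instead of upn.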