Integrating PingID requires setting up the configuration in the admin portal and in Azure AD.
Setting up PingID MFA for Microsoft Azure AD Conditional Access involves the following steps:
- In the admin portal, set up the integration, including attribute mapping.
- In Azure AD:
  - Create a PingID MFA custom control.
  - Create a PingID MFA conditional access policy.
  - Optionally, apply a PingID MFA policy to the Azure AD integration.
Default attribute mapping is based on the attributes that Azure sends to PingOne during the authorization request to trigger PingID MFA and includes the following attributes.
|Azure AD attribute
- In the Admin portal, go to .
In the Integrate with Microsoft Azure AD section, click
The Azure AD Integration window opens.
To find the relevant Directory ID, in the Azure portal:
- In the FAVORITES menu in the left side bar, go to .
- In the Manage section, click Properties.
- Copy the value from the Directory ID field.
In the Admin portal:
- Paste the directory ID value into the Directory IDs field. To add additional directory IDs, click Add directory ID and paste each Directory ID as it appears in the relevant Azure AD account.
The directory ID must be a valid UUID string.
In the Application Name field, enter the name you want to use to represent authorization requests from Azure AD.
This is the name that users will see displayed if using the PingID mobile app during authorization. This name is also used to identify the Azure AD application in the PingID policy applications list.
To change the application icon, choose one of the following:
- Select a new icon: Click the application icon and go to the icon you want to use.
- Use the default icon: Click Remove.
The PingID mobile app displays the selected icon during authorization.
- If your environment uses a redirect URI that is different from the default Azure AD redirect URI, use the Override Redirect URI field to specify the correct URI.
The Map Attributes tab opens, displaying the default attribute mapping.
To map Azure AD attributes that are not provided in the initial MFA request to the relevant PingID attributes, in the relevant attribute field, select the Azure AD attribute from the drop-down list, or type the attribute into the field.
By default, the username for PingID is taken from the upn attribute in Azure. However, if you are also using Azure as the identity provider (IdP) for PingOne for Enterprise, make sure that you select from the list the attribute that you mapped to MFA_SUBJECT. Otherwise, you may end up with a situation where a single user is listed as two different users: one whose username comes from the upn attribute and one whose username comes from the attribute mapped to MFA_SUBJECT.
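As an added example, not code from PingID or the Azure portal, this Python snippet checks an integration configuration against the two rules stated above: each Directory ID must be a valid UUID string, and when Azure is also the PingOne for Enterprise IdP, the username attribute must be the one mapped to MFA_SUBJECT, otherwise one person shows up as two PingID users. The configuration keys, claim names and sample values are assumptions constructed for illustration.

```python
import uuid

# Constructed sample of the claims Azure AD includes in the authorization
# request that triggers PingID MFA (hypothetical values, not a real tenant).
AZURE_CLAIMS = {
    "upn": "alice@contoso.example",
    "mail": "alice.smith@contoso.example",
}

def is_valid_directory_id(value):
    """True only for a canonical hyphenated UUID string, as the Directory IDs field requires."""
    try:
        return str(uuid.UUID(value)) == value.strip().lower()
    except (ValueError, AttributeError, TypeError):
        return False

def distinct_identities(username_attributes, claims):
    """How many separate PingID users one person appears as, given the claim
    each integration (Azure AD MFA, PingOne IdP) uses as the username."""
    return len({claims[attribute] for attribute in username_attributes})

def validate_integration(config):
    """Check an Azure AD integration config against the rules on this page.
    Hypothetical keys: directory_ids, azure_is_pingone_idp,
    username_attribute, mfa_subject_attribute."""
    problems = []
    for directory_id in config["directory_ids"]:
        if not is_valid_directory_id(directory_id):
            problems.append("directory ID is not a valid UUID: %r" % directory_id)
    if config.get("azure_is_pingone_idp"):
        if config["username_attribute"] != config["mfa_subject_attribute"]:
            problems.append(
                "username attribute %r differs from the attribute mapped to "
                "MFA_SUBJECT (%r); the same user will be listed twice"
                % (config["username_attribute"], config["mfa_subject_attribute"]))
    return problems

# Misconfigured: Azure is also the PingOne IdP with MFA_SUBJECT mapped to mail,
# but the Azure AD MFA integration keeps the default upn username.
BAD_CONFIG = {
    "directory_ids": ["not-a-uuid", "2f1e6c9a-7b8d-4e5f-a1b2-c3d4e5f6a7b8"],
    "azure_is_pingone_idp": True,
    "username_attribute": "upn",
    "mfa_subject_attribute": "mail",
}
```

Running `validate_integration(BAD_CONFIG)` reports both the malformed directory ID and the username mismatch; setting `username_attribute` to `mail` clears the second problem.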
To perform attribute transformations on a specific attribute, in the relevant row, click Advanced and configure the fields as
For more information, see Creating advanced attribute mappings.
- Click Next.
If you included Azure AD attributes that are not provided in the initial MFA request from Azure AD, you'll receive a prompt requesting that you grant PingID permission to access and collect those attributes from your Azure AD tenant.
If you are not prompted to grant permissions, skip this step.
In the Grant Permission window, for each Azure AD tenant:
- To open the Azure login window, in the Grant Permission section, click Grant Permission.
- To grant the relevant access to PingID, sign on to your Azure AD Tenant and click Accept.
- In the relevant attribute field, select the Azure AD attribute from the drop-down list, or type the attribute into the field.