You must have a Microsoft Azure account with a custom domain configured in Azure Active Directory (AD).
The IssuerURI value that PingOne provides during application configuration must be unique in Microsoft Azure. This means that two domains or subdomains within a single Azure account can't be connected to the same PingOne Office 365 application.

PingOne supports the Microsoft 365 passive and active profiles for single sign-on (SSO). Passive profile enables web browser SSO, while active profile is used by native clients, such as mobile devices and email clients. To authenticate with an active profile, users must provide their PingOne username and password to the client. Microsoft verifies these credentials with PingOne using the WS-Trust protocol.

If the PingOne environment is configured with an LDAP Gateway, these credentials can be validated against Active Directory. For more information, see Gateways.

  1. In PingOne, go to Connections > Application Catalog.
  2. In the Search for applications field, enter Microsoft 365.
  3. Click the Microsoft 365 entry to open the details panel.
  4. Review the following:
    • Name – Enter a new name to replace the default application name (optional).
    • Icon – Select a new image to replace the default application icon (optional).
    • Domain name – Enter the <Custom Domain> value from your Azure AD account. You can find your <Custom Domain> in the Azure AD portal by going to Azure Active Directory > Custom Domain Names.
  5. Click Next.
  6. On the Map Attributes page, select the PingOne attributes to map to the required UPN and ImmutableID Microsoft 365 attributes.

    ImmutableID uniquely identifies a user in Azure AD. You can find the ImmutableID value by running the Get-MsolUser command in PowerShell after you configure federation with Azure AD. For more information, see Get-MsolUser in the Microsoft documentation.

    For UPN, use an email address with a domain name that matches the domain name registered with Microsoft 365.

  7. Consider the following:
    • If your user identities are stored in the PingOne Directory, use the default mapping of ImmutableID to ExternalID. ExternalID is the user's User ID in PingOne.
    • If the Microsoft 365 users are migrated into PingOne from AD through the LDAP Gateway and the source of the ExternalID is the objectGUID or ms-DS-ConsistencyGuid, add an expression to the mapping configuration. Locate the ImmutableID mapping, and click the gears icon to open the expression builder. Enter the following expression:


      For more information, see Using ms-DS-ConsistencyGuid as sourceAnchor in the Microsoft documentation.

    • You can create a custom PingOne user attribute instead of using ExternalID. Map objectGUID or ms-DS-ConsistencyGuid as the attribute source. Locate the ImmutableID mapping, and click the gears icon to open the expression builder. Enter the following expression:


      where customAttrName represents the custom PingOne user attribute. You can also replace null with a custom value, such as an error.

  8. Click Next.
  9. In the Search Groups field, enter the name of the user groups that you want to grant access to for the application.

    By default, all users have access to the application. Assigning groups restricts application access only to those groups.

  10. On the Connection Details tab, click the Copy to Clipboard icon to copy the commands.
  11. Open Windows PowerShell.
  12. In PowerShell, paste the copied commands and run them.

    These commands update the domain authentication in Azure AD to SSO.

  13. Optional: If you have an existing Azure federation configuration, you can modify it:
    1. Click View in Applications list.
    2. Click the Configuration tab.
    3. In the Execute following commands in PowerShell to change existing federation settings section, copy the commands.
    4. In PowerShell, paste the copied commands and run them.

    For more information, see Set-MsolDomainFederationSettings in the Microsoft documentation.

  14. To close the application configuration wizard, click the X in the upper right corner.
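The following PowerShell script is an added example; it is not the command set that PingOne generates on the Connection Details or Configuration tab, and the values in angle brackets are placeholders you replace with what PingOne shows. It illustrates two things a practitioner typically wants after steps 12 and 13: the shape of a Set-MsolDomainFederationSettings call for changing an existing federation, and a check that the domain is actually federated with the expected IssuerURI. It also shows how an ImmutableID derived from an AD objectGUID or ms-DS-ConsistencyGuid (the Base64 encoding of the GUID's 16 bytes, which is the convention Azure AD Connect uses) can be compared with the value Get-MsolUser returns, so a wrong mapping expression is caught before users fail to sign in. The MSOnline module, the user name and the GUID are assumptions for the example.

```powershell
# Added example (not PingOne's generated commands). Assumes the MSOnline module is
# installed and that the signed-in account can read and change the tenant's domains.
# Values in <angle brackets> are placeholders; take the real ones from PingOne.

Import-Module MSOnline
Connect-MsolService

$DomainName = '<Custom Domain>'   # the custom domain federated to PingOne

# Shape of the "change existing federation settings" command (step 13).
# Every URI and the certificate come from PingOne; these are placeholders.
$FederationParams = @{
    DomainName                      = $DomainName
    IssuerUri                       = '<IssuerURI from PingOne>'
    PassiveLogOnUri                 = '<passive (browser) SSO URL from PingOne>'
    ActiveLogOnUri                  = '<active (WS-Trust) URL from PingOne>'
    LogOffUri                       = '<logoff URL from PingOne>'
    MetadataExchangeUri             = '<MEX URL from PingOne>'
    SigningCertificate              = '<Base64 signing certificate from PingOne>'
    PreferredAuthenticationProtocol = 'WsFed'
}
# Uncomment to apply; run only with the values copied from PingOne.
# Set-MsolDomainFederationSettings @FederationParams

# Check 1: the domain is Federated and its IssuerUri is the one PingOne issued.
function Get-FederationStatus {
    param([Parameter(Mandatory)][string]$Domain)
    $d   = Get-MsolDomain -DomainName $Domain
    $fed = Get-MsolDomainFederationSettings -DomainName $Domain
    [pscustomobject]@{
        Domain         = $d.Name
        Authentication = $d.Authentication   # 'Managed' or 'Federated'
        IssuerUri      = $fed.IssuerUri
    }
}
$status = Get-FederationStatus -Domain $DomainName
$status
if ($status.Authentication -ne 'Federated') {
    Write-Warning "$DomainName is not federated; the Connection Details commands have not been applied."
}

# Check 2: ImmutableID versus the AD GUID. Azure AD Connect stores the ImmutableID
# as the Base64 encoding of the GUID's 16 bytes; the PingOne mapping expression
# must produce the same string or the user will not be matched at sign-in.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-ImmutableIdMatch {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][guid]$ObjectGuid   # objectGUID or ms-DS-ConsistencyGuid from AD
    )
    $expected = ConvertTo-ImmutableId -ObjectGuid $ObjectGuid
    $actual   = (Get-MsolUser -UserPrincipalName $UserPrincipalName).ImmutableId
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        Expected          = $expected
        Actual            = $actual
        Match             = ($expected -eq $actual)
    }
}

# Constructed sample: a user in the federated domain with a known GUID. In practice
# read the GUID with Get-ADUser -Properties objectGUID in the on-premises AD.
Test-ImmutableIdMatch -UserPrincipalName "jdoe@$DomainName" `
                      -ObjectGuid '3f2504e0-4f89-11d3-9a0c-0305e82c3301'
```

Run the checks after the Connection Details commands from step 12; if Check 1 reports Managed, or Check 2 reports Match = False for a user migrated through the LDAP Gateway, revisit the mapping expression from step 7 before assigning the application to groups.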

You can enable Kerberos authentication for Microsoft 365 apps (optional). For more information, see Enabling Kerberos authentication.