You should review the information about registering applications with the Microsoft Azure identity platform. See Register an application with the Microsoft identity platform.

Make sure that you have:

  • An Azure account that has an active subscription. See Create your Azure Free account.
  • The tenant domain ID for the Azure account. You can find the tenant domain in the Azure portal. Go to the application properties and select View endpoints. Copy the ID from the URL under Windows Azure AD Graph API Endpoint.
  • The client ID and client secret for the connected application. You can find the client ID and client secret in the Azure portal. See Register an application with the Microsoft identity platform.

  1. Go to Connections > Provisioning.
  2. Click the + icon, and then click New connection.
  3. For Identity Store, click the Select button.
  4. Under Microsoft Azure (Microsoft 365), click Select, and then click Next.
  5. Enter a name and description for this provisioning connection.

    The connection name is shown in the list when you've completed and saved the connection.

  6. Click Next.
  7. On the Configure authentication pane, enter the values for the following fields.
    Field Value

    Tenant domain ID

    The tenant domain ID for the Azure account. You can find the tenant domain in the Azure portal. Go to the application properties and select View endpoints. Copy the ID from the URL under Windows Azure AD Graph API Endpoint.

    Client ID

    The client ID from Azure for the connected application. You can find the client ID and client secret in the Azure portal. See Register an application with the Microsoft identity platform.

    Client secret

    The client secret from Azure for the connected application. You can find the client ID and client secret in the Azure portal. See Register an application with the Microsoft identity platform.

  8. Click Test connection to verify that PingOne can establish a connection to Azure.

    If there are any issues with the connection, a Test connection failed message appears. Click Continue to resume the setup with an invalid connection.

    You will not be able to use the connection for provisioning until you have established a valid connection to Azure. Click Cancel to modify the settings and try again.

  9. On the Configure preferences pane, configure the following options.
    Option Description

    Remove Licenses when SKU ID is empty

    Determines whether to remove a user's license from their account if you do not configure the skuId field in the rule's attribute mappings, or if the user's skuId field is cleared in the external identity store.

    • True. When enabled, if you choose to not configure the skuId field in the rule’s attribute mapping, the user's licenses will be removed from their account.
    • False (default). When disabled, if you choose to not configure the skuId field in the rule’s attribute mapping, the user's licenses will not be removed from their account. However, if you configure the skuId field in the rule’s attribute mapping, and if the user's skuId field is cleared in the directory, the user's licenses will be removed from their account.

    Allow users to be created

    Determines whether to create a user in the Azure identity store when the user is created in the PingOne identity store.

    Allow users to be updated

    Determines whether to update user attributes in the Azure identity store when the user is updated in the PingOne identity store.

    Allow users to be disabled

    Determines whether to disable a user in the Azure identity store when the user is disabled in the PingOne identity store.

    Allow users to be deprovisioned

    Determines whether to deprovision a user in the Azure identity store when the user is deprovisioned in the PingOne identity store.

    Remove action

    Determines the action to take when removing a user from the Azure identity store.

    • Delete. When a user is deprovisioned from the PingOne identity store, PingOne removes the user from the external identity store.
    • Disable. When a user is deprovisioned from the PingOne identity store, PingOne disables the user in the external identity store.

    Deprovision on rule deletion

    Determines whether to deprovision users that were provisioned using this rule if the rule is deleted.

  10. Click Finish.

The Azure Office 365 provisioning connection is complete and is added to the list of provisioning connections on the Provisioning page.
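
The preference options in step 9 interact, so it helps to work out their combined effect before you click Finish. The following sketch is an added example, not PingOne code: the key names are hypothetical labels for the options above. It assumes that a mapped skuId that is cleared in the directory removes licenses under either setting, and that rule deletion follows the same Remove action and Allow setting as ordinary deprovisioning.

```python
# Added example. The dict keys are hypothetical labels for the options on the
# Configure preferences pane; they are not PingOne API field names.

def licenses_removed(remove_when_sku_empty, sku_mapped, sku_cleared=False):
    """Would a user's Azure licenses be removed on the next sync?"""
    if not sku_mapped:
        # skuId absent from the rule's attribute mapping: the option decides.
        return remove_when_sku_empty
    # skuId mapped: licenses are removed once the user's skuId is cleared in
    # the directory. The page states this for False; True is assumed to match.
    return sku_cleared


def deprovision_effect(prefs):
    """What happens in Azure when a user is deprovisioned in PingOne."""
    if not prefs["allow_deprovision"]:
        return "none"
    return "delete" if prefs["remove_action"] == "Delete" else "disable"


def review(prefs, sku_mapped):
    """List the destructive outcomes a change reviewer should sign off on."""
    findings = []
    if licenses_removed(prefs["remove_licenses_when_sku_empty"], sku_mapped):
        findings.append("licenses removed for users: skuId is not mapped")
    effect = deprovision_effect(prefs)
    if effect == "delete":
        findings.append("deprovisioned users are deleted in Azure")
    # Assumption: rule deletion uses the same Remove action and Allow setting.
    if prefs["deprovision_on_rule_deletion"] and effect != "none":
        findings.append(f"deleting the rule will {effect} its users in Azure")
    return findings


# Constructed sample: a proposed configuration with the most destructive choices.
proposed = {
    "remove_licenses_when_sku_empty": True,
    "allow_deprovision": True,
    "remove_action": "Delete",
    "deprovision_on_rule_deletion": True,
}

if __name__ == "__main__":
    for finding in review(proposed, sku_mapped=False):
        print("REVIEW:", finding)
```
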

Note:

When you create the provisioning rule, make sure that you map a value for the Password attribute. You must map a value for Password before you can enable the rule. For more information, see Adding attribute mapping.
