Before you begin, review the information about registering applications with the Microsoft identity platform. Learn more in Register an application with the Microsoft identity platform in the Microsoft documentation.

Make sure that you have:

  • An Azure account that has an active subscription. Learn more in Microsoft's Create your Azure Free account.
  • The tenant domain ID for the Azure account. You can find the tenant domain in the Azure portal. Go to the application properties and select View endpoints. Copy the ID from the URL under Microsoft Azure AD Graph API Endpoint.
  • The client ID and client secret for the connected application. You can find the client ID and client secret in the Azure portal. Learn more in Register an application with the Microsoft identity platform in the Microsoft documentation.
  • The following application permissions in your application:
    • Application.ReadWrite.All
    • Group.ReadWrite.All
    • Organization.Read.All
    • User.ReadWrite.All

    Learn more in Add permissions to access web APIs.
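
An added example, not part of the PingOne or Microsoft documentation: a pre-flight check that decodes an app-only access token issued to the connected application and compares its `roles` and `tid` claims with the four permissions and the tenant ID listed above. It assumes the token was obtained separately with the client ID and client secret; the function names, the placeholder tenant ID and the sample token are constructed for illustration.

```python
import base64
import json

# Application permissions the prerequisites list for the connected application.
REQUIRED_ROLES = frozenset({
    "Application.ReadWrite.All", "Group.ReadWrite.All",
    "Organization.Read.All", "User.ReadWrite.All",
})

def decode_claims(jwt: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_roles(jwt: str, tenant_id: str) -> dict:
    """Report missing and surplus application permissions and a tenant mismatch."""
    claims = decode_claims(jwt)
    roles = claims.get("roles", [])
    if isinstance(roles, str):
        roles = [roles]
    granted = set(roles)
    return {
        "tenant_ok": claims.get("tid") == tenant_id,
        "missing": sorted(REQUIRED_ROLES - granted),
        "extra": sorted(granted - REQUIRED_ROLES),  # candidates for removal
    }

def constructed_token(claims: dict) -> str:
    """Build an unsigned sample token (constructed for the demo, not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"

SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
SAMPLE_TOKEN = constructed_token({
    "tid": SAMPLE_TENANT,
    "roles": ["Group.ReadWrite.All", "User.ReadWrite.All",
              "Organization.Read.All", "Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    print(audit_roles(SAMPLE_TOKEN, SAMPLE_TENANT))
```

A permission that was added to the application but never granted admin consent does not appear in `roles`, so it is reported under `missing`; anything under `extra` is access the provisioning connection does not need.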

  1. In PingOne, go to Integrations > Provisioning.
  2. Click +, and then click New connection.
  3. On the Identity Store line, click Select.
  4. Click Microsoft Azure (Microsoft 365), click Select, and then click Next.
  5. Enter a name and description for the provisioning connection.

    The connection name appears in the provisioning list after you save the connection.

  6. Click Next.
  7. On the Configure authentication panel, enter the values for the following fields:

    • Tenant domain ID: The tenant domain ID for the Azure account. You can find the tenant domain in the Azure portal. Learn more in Local tenant ID and primary domain.
    • Client ID: The client ID from Azure for the connected application. You can find the client ID and client secret in the Azure portal.
    • Client secret: The client secret from Azure for the connected application. You can find the client ID and client secret in the Azure portal.

  8. Click Test connection to verify that PingOne can establish a connection to Azure.

    If there are any issues with the connection, a Test Connection Failed dialog box opens. Click Continue to resume the setup with an invalid connection.

    Important:

    You cannot use the connection for provisioning until you have established a valid connection to Azure. Click Cancel in the Test Connection Failed dialog box and repeat step 7 to try again.

    Learn more about troubleshooting your connection in Troubleshooting Test Connections Failure.

  9. On the Configure Preferences pane, configure the following:

    • Remove Licenses when SKU ID is empty: Determines whether to remove a user's license from their account if you do not configure the skuId field in the rule's attribute mappings, or if the user's skuId field is cleared in the external identity store.
      • True: When enabled, if you choose to not configure the skuId field in the rule's attribute mapping, the user's licenses will be removed from their account.
      • False (default): When disabled, if you choose to not configure the skuId field in the rule's attribute mapping, the user's licenses will not be removed from their account. However, if you configure the skuId field in the rule's attribute mapping, and if the user's skuId field is cleared in the directory, the user's licenses will be removed from their account.
    • Allow users to be created: Determines whether to create a user in the Azure identity store when the user is created in the PingOne identity store.
    • Allow users to be updated: Determines whether to update user attributes in the Azure identity store when the user is updated in the PingOne identity store.
    • Allow users to be disabled: Determines whether to disable a user in the Azure identity store when the user is disabled in the PingOne identity store.
    • Allow users to be deprovisioned: Determines whether to deprovision a user in the Azure identity store when the user is deprovisioned in the PingOne identity store.
    • Remove action: Determines the action to take when removing a user from the Azure identity store.
      • Delete: When a user is deprovisioned from the PingOne identity store, PingOne removes the user from the external identity store.
      • Disable: When a user is deprovisioned from the PingOne identity store, PingOne disables the user in the external identity store.
    • Deprovision on rule deletion: Determines whether to deprovision users that were provisioned using this rule if the rule is deleted.

  10. Click Finish.

The Azure Office 365 provisioning connection is complete and is added to the list of provisioning connections on the Provisioning page.

Note:

When you create the provisioning rule, make sure that you map a value for the Password attribute. You must map a value for Password before you can enable the rule. Learn more in Adding attribute mapping for outbound provisioning.

To sync group members out of PingOne into a software as a service (SaaS) application, follow the instructions in Configuring outbound group provisioning.