If you use Azure Active Directory as your identity repository, you cannot integrate with Microsoft 365 through PingOne for Enterprise. This configuration creates a redirect loop where Azure and PingOne for Enterprise try to authenticate through one another.

PingOne for Enterprise support for Microsoft 365 depends on factors such as:

  • The type of Microsoft 365 client you want to use
  • The identity repository you've configured for PingOne for Enterprise

PingOne for Enterprise Support for Microsoft 365

Client | Support Level | Exceptions

Passive profile or browser-based logins.

These logins use or



Active Profile or thick clients.

These logins use thick clients installed on servers, desktops, or mobile devices.


  • Word
  • Excel
  • PowerPoint
  • Outlook
  • SharePoint

Supported only when AD Connect is your identity repository.


You must disable Integrated Windows Authentication (IWA) if you're using AD Connect without IIS.

AD Connect without IIS does not support IWA with the Active Profile, and Office clients don't support forms-based authentication.

Not supported when PingFederate or ADFS is your identity repository.

If you use any identity provider (IdP) other than AD Connect, thick client logins are not supported.

For more information about identity repositories, see Connecting to an identity repository.

Microsoft 365 prerequisites

  • Active Directory must be deployed and running with a functional level of mixed or native mode on:
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
    • Windows Server 2019 (Desktop only, not Core)
  • You must configure Microsoft Azure Active Directory Module for Windows PowerShell to establish a federated trust between your IdP and Azure AD.

    For more information, see Connect to Microsoft 365 with PowerShell in the Microsoft documentation.

  • You must install the required Microsoft cloud service subscription updates to make sure your users are running the latest version of Windows.
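
A preflight report for the prerequisites listed above, as an added example that is not part of the PingOne for Enterprise documentation. It assumes it runs on the Windows Server host, that the RSAT `ActiveDirectory` module may or may not be present, and that the "Microsoft Azure Active Directory Module for Windows PowerShell" is the `MSOnline` module; the `-CheckDomains` switch is a name chosen for this example and requires a prior `Connect-MsolService`.

```powershell
# Added example: report on the Microsoft 365 prerequisites before configuring federation.
param(
    [switch]$CheckDomains   # hypothetical switch: also list Azure AD domain authentication types
)

# Server releases named in the prerequisites list.
$supported = 'Windows Server 2012', 'Windows Server 2012 R2',
             'Windows Server 2016', 'Windows Server 2019'

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$inst = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType

# Match the longest name first so "2012 R2" is not reported as "2012".
$release = $supported | Sort-Object Length -Descending |
    Where-Object { $os.Caption -like "*$_*" } | Select-Object -First 1

# Windows Server 2019 is listed as Desktop only, so a Server Core install fails the check.
$isCore2019 = ($release -eq 'Windows Server 2019') -and ($inst -eq 'Server Core')

$report = [ordered]@{
    OperatingSystem  = $os.Caption
    InstallationType = $inst
    OsSupported      = [bool]$release -and -not $isCore2019
}

# Functional levels are reported as-is so they can be compared with the requirement.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $report.DomainMode = (Get-ADDomain).DomainMode
    $report.ForestMode = (Get-ADForest).ForestMode
} else {
    $report.DomainMode = 'ActiveDirectory module not installed'
    $report.ForestMode = 'ActiveDirectory module not installed'
}

# The federated trust is configured with this module, so it must be installed.
$report.MSOnlineModule = [bool](Get-Module -ListAvailable -Name MSOnline)

[pscustomobject]$report | Format-List

# Optional: show which domains are Managed and which are already Federated.
if ($CheckDomains -and $report.MSOnlineModule) {
    Get-MsolDomain | Select-Object Name, Status, Authentication | Format-Table -AutoSize
}
```

A domain that already shows `Federated` under `Authentication` has an existing trust, which should be reviewed before a new one is established.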