Azure AD & Microsoft Entra ID OIDC Configuration: Unified Guide

Docs

Search

Help & Feedback

Home
Essential Knowledge
By Type
Building Blocks
APIs
Releases

How-to Guide

Author:

Fluent Commerce

Changed on:

13 Feb 2025

Key Points

Adding the application to PingOne
Registering application with Microsoft
Getting the client ID and client secret for the application
Setting up API permissions
Adding the identity provider in PingOne
Adding the Redirect URI to the Microsoft portal
Do not forget

Steps

Configuring Entra ID & Azure AD – Same Steps, New Name

This guide covers the configuration steps for both Azure Active Directory (Azure AD) and Microsoft Entra ID. The setup process remains the same, with only minor differences in naming—"Active Directory" in Azure AD is now "Applications" in Microsoft Entra ID.

For more details on the name change, see Microsoft’s official documentation.

Overview

Adding Microsoft as an external identity provider gives users the option to sign in with their Microsoft accounts when accessing the application. To add Microsoft as an external identity provider, it is required to do the following.

Adding the application to PingOne

Prerequisites

Ensure that the application has been added to PingOne.

Add the application to PingOne using the implicit grant type.

Registering application with Microsoft

Prerequisites

Ensure that you have:

A Microsoft Azure account with an active subscription
An Azure AD tenant

To set up Microsoft as an external identity provider for the application, it is required to register the application with Microsoft.

Step 1

Go to Microsoft Azure portal. If one does not have a Microsoft Azure account, they can create one.

Step 2

Under Azure services, click Azure Active Directory.

No alt provided

Step 3

On the left, click App registrations.

No alt provided

Step 4

At the top, click New registration.

Step 5

Under Name, enter a user-facing display name for the application.

Step 6

Under Supported account types, select any multi-tenant option. In case you need help to choose the option, click Help me choose link.

No alt provided

Note

In case you select single tenant option you will face with the following error: "Application is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.".

Step 7

Leave Redirect URI blank for now. This value will be required to enter after creation the identity provider in PingOne.

Step 8

Click Register.

No alt provided

Getting the client ID and client secret for the application

Note

When the application is registered with Microsoft, Microsoft will generate an Application (client) ID and Application secret for the application. It is required to copy these values and enter them into PingOne.

Step 1

Go to Microsoft Azure portal.

Step 2

Under App registrations, select the application.

Step 3

On the left, click Certificates and secrets.

No alt provided

Step 4

Under Client secrets, click + New client secret.

No alt provided

Step 5

Enter the following:

Description. A brief characterization of the client secret.
Expires. Select the duration of the certificate, based on the needs of your organization.

No alt provided

Step 6

Click Add.

Step 7

Under Client secrets, locate the value for the appropriate secret and copy it to a secure location.

No alt provided

Step 8

On the left, click Overview.

No alt provided

Step 9

Locate the Application (client) ID and copy it to a secure location.

No alt provided

Setting up API permissions

Note

To set up Microsoft as an external identity provider for the application, it is required to enable some permissions for the application.

Step 1

Go to Microsoft Azure portal.

Step 2

Under App registrations, select the application.

Step 3

On the left, click API permissions.

Step 4

Click the + Add a permission button.

No alt provided

Step 5

Click Microsoft Graph, then click Delegated permissions.

No alt provided

No alt provided

Step 6

Select the following:

```
`email`
```
```
`offline_access`
```
```
`openid`
```
```
`profile`
```
```
`User.Read`
```

Step 7

Click the Add permissions button.

No alt provided

No alt provided

Adding the identity provider in PingOne

Note

In PingOne, add Microsoft as an external identity provider.

Step 1

Go to Connections → External IDPs.

Step 2

Click + Add Provider.

No alt provided

Step 3

Click Microsoft.

No alt provided

Step 4

On the Create Profile screen, enter the following information:

Name. A unique identifier for the identity provider.
Description (optional). A brief characterization of the identity provider.

The icon and login button cannot be changed, in accordance with the provider's brand standards.

No alt provided

Step 5

Click Next.

Step 6

On the Configure Connection screen, enter the following information:

Client ID. The application ID from the identity provider that you copied earlier. You can find this information on the Microsoft Azure portal.
Client secret. The application secret from the identity provider that you copied earlier. You can find this information on the Microsoft Azure portal.

Step 7

Click Save and Continue.

No alt provided

Step 8

On the Map Attributes screen, define how the PingOne user attributes are mapped to Microsoft attributes. Select the PingOne attribute, then select the equivalent Microsoft attribute. Select the update condition, which determines how PingOne updates its user directory with the values from Microsoft.

The options are:

`Empty only`

(update the PingOne attribute only if the existing attribute is empty) and

`Always`

(always update the PingOne directory attribute).

Step 9

Click Save and Close.

No alt provided

Adding the Redirect URI to the Microsoft portal

Note

Copy the value for Redirect URI from PingOne and enter it into the Microsoft portal.

Step 1

Go to the PingOne console.

Step 2

Go to Connections → External IDPs.

Step 3

Locate the appropriate identity provider and then click the details icon to expand the identity provider.

No alt provided

Step 4

Click the Connection tab. Copy the Callback URL and paste it in a secure location.

No alt provided

Step 5

Go to Microsoft Azure portal.

Step 6

Under App registrations, select your application.

Step 7

On the left, click Overview.

Step 8

For Redirect URIs, click Add a Redirect URI.

No alt provided

Step 9

For Platform configurations, click + Add a platform.

No alt provided

Step 10

Under Web applications, click Web.

No alt provided

Step 11

For Redirect URIs, enter the value that you copied from PingOne.

Step 12

Click Configure.

No alt provided

Do not forget

1.

Enable the External Identity Provider.

No alt provided

2.

Create a new Authentication Policy and add the newly created External Identity Provider to it.

No alt provided

3.

Add the Authentication Policy to the application.

No alt provided

Fluent Commerce

Copyright © 2025 Fluent Retail Pty Ltd (trading as Fluent Commerce). All rights reserved. No materials on this docs.fluentcommerce.com site may be used in any way and/or for any purpose without prior written authorisation from Fluent Commerce. Current customers and partners shall use these materials strictly in accordance with the terms and conditions of their written agreements with Fluent Commerce or its affiliates.