Configure Azure AD connection via OIDC

Go to Microsoft Azure portal. If one does not have a Microsoft Azure account, they can create one.

Under Azure services, click Azure Active Directory.

On the left, click App registrations.

At the top, click New registration.

Under Name, enter a user-facing display name for the application.

Under Supported account types, select any multi-tenant option. In case you need help to choose the option, click Help me choose link.

Leave Redirect URI blank for now. This value will be required to enter after creation the identity provider in PingOne.

Click Register.

Go to Microsoft Azure portal.

Under App registrations, select the application.

On the left, click Certificates and secrets.

Under Client secrets, click + New client secret.

Enter the following:

• Description. A brief characterization of the client secret.
• Expires. Select the duration of the certificate, based on the needs of your organization.

Click Add.

Under Client secrets, locate the value for the appropriate secret and copy it to a secure location.

On the left, click Overview.

Locate the Application (client) ID and copy it to a secure location.

Go to Microsoft Azure portal.

Under App registrations, select the application.

On the left, click API permissions.

Click the + Add a permission button.

Click Microsoft Graph, then click Delegated permissions.

Select the following:

• `email`

• `offline_access`

• `openid`

• `profile`

• `User.Read`

Click the Add permissions button.

Go to Connections → External IDPs.

Click + Add Provider.

Click Microsoft.

On the Create Profile screen, enter the following information:

• Name. A unique identifier for the identity provider.
• Description (optional). A brief characterization of the identity provider.

The icon and login button cannot be changed, in accordance with the provider's brand standards.

Click Next.

On the Configure Connection screen, enter the following information:

• Client ID. The application ID from the identity provider that you copied earlier. You can find this information on the Microsoft Azure portal.
• Client secret. The application secret from the identity provider that you copied earlier. You can find this information on the Microsoft Azure portal.

Click Save and Continue.

On the Map Attributes screen, define how the PingOne user attributes are mapped to Microsoft attributes. Select the PingOne attribute, then select the equivalent Microsoft attribute. Select the update condition, which determines how PingOne updates its user directory with the values from Microsoft.

The options are: 

`Empty only`

`Always`

Click Save and Close.

Go to the PingOne console.

Go to Connections → External IDPs.

Locate the appropriate identity provider and then click the details icon to expand the identity provider.

Click the Connection tab. Copy the Callback URL and paste it in a secure location.

Go to Microsoft Azure portal.

Under App registrations, select your application.

On the left, click Overview.

For Redirect URIs, click Add a Redirect URI.

For Platform configurations, click + Add a platform.

Under Web applications, click Web.

For Redirect URIs, enter the value that you copied from PingOne.

Click Configure.

Enable the External Identity Provider.

Create a new Authentication Policy and add the newly created External Identity Provider to it.

Add the Authentication Policy to the application.