Azure AD Password Credential Validator

Password credential validators (PCVs) enable PingFederate administrators to define a centralized location for username or password validation, allowing various PingFederate configurations to reference PCV instances. The Azure AD Password Credential Validator uses the Microsoft Graph API for credential validation.

Features

  • Allows sign on with full usernames, such as john.smith@mydomain.com.

    Short usernames aren’t supported.

  • Returns an error message for failed sign-on attempts, such as one of the following:

    • invalid credentials

    • account is disabled

    • forced password change

  • Supports non-federated single and multi-tenant Azure AD user accounts.

  • Provides support for Azure AD Custom Properties (Directory Schema Extensions).

  • Responses include all user group memberships.

Review the Azure AD Password Credential Validator’s known issues and limitations before implementing these features.

Intended audience

This document is intended for PingFederate admins and application developers.

Learn more about the PCV setup process in the following PingFederate resources:

Learn more about the IdP adapter setup process in the following PingFederate resources:

Learn more about using PingFederate as an SP provider in the following PingFederate resources:

Learn more about Azure in the following Microsoft resources:

System requirements

  • PingFederate 11.3 or later.

    Make sure you’ve configured either an HTTP Basic or HTML Form IdP Adapter instance. Learn more in Associating the PCV with an IdP adapter instance.

  • A Microsoft Azure account with Active Directory or Active Directory B2C configured.

    Learn more about supported user account types in Known issues and limitations.

  • An Azure AD application with the following permissions:

    • Microsoft Graph > Delegated Permission

      • Sign in and read user profile

      • Read directory data

  • To allow PingFederate to make outbound connections to the Microsoft API, you might need to allow the following endpoints in your firewall:

    Token endpoint

    https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token

    User attributes endpoint

    https://graph.microsoft.com/v1.0/me/

    Group membership endpoint

    https://graph.microsoft.com/v1.0/me/memberOf
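The sequence those three endpoints serve, as an added Python example that is not Ping Identity's PCV implementation: a resource owner password credentials (ROPC) request to the token endpoint, then the user profile from `/me` and the paged group list from `/me/memberOf`. It assumes the ROPC grant, the delegated scope names `User.Read` and `Directory.Read.All`, and a mapping from Microsoft's published AADSTS error codes (50126, 50057, 50055) to the three failure messages listed under Features; the `StubTenant` transport, tenant name, client ID, usernames, passwords and group names are constructed so the flow runs offline.

```python
"""Added example (not Ping Identity's PCV code): the validation flow the Azure AD
PCV performs against the endpoints listed above, using the ROPC (password) grant."""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ME_URL = "https://graph.microsoft.com/v1.0/me/"
MEMBER_OF_URL = "https://graph.microsoft.com/v1.0/me/memberOf"

# Assumed mapping from AADSTS error codes (Microsoft's published list) to the
# three failure messages the page describes; anything else is reported generically.
AADSTS_MESSAGES = {
    50126: "invalid credentials",     # invalid username or password
    50057: "account is disabled",     # user account disabled
    50055: "forced password change",  # password expired / must be changed
}

def require_full_username(username: str) -> str:
    """The PCV only accepts full usernames (UPN form); short names are rejected."""
    local, sep, domain = username.partition("@")
    if not (local and sep and domain):
        raise ValueError("full username required, e.g. john.smith@mydomain.com")
    return username

def build_token_request(tenant, client_id, username, password):
    """Form body for the ROPC grant; scope names are assumed to match the
    delegated permissions listed above (User.Read, Directory.Read.All)."""
    form = {"grant_type": "password", "client_id": client_id,
            "scope": "User.Read Directory.Read.All",
            "username": require_full_username(username), "password": password}
    return TOKEN_URL.format(tenant=tenant), urllib.parse.urlencode(form).encode()

def classify_token_error(body: dict) -> str:
    """Map the token endpoint's error_codes to a PCV-style failure message."""
    for code in body.get("error_codes", []):
        if code in AADSTS_MESSAGES:
            return AADSTS_MESSAGES[code]
    return "authentication failed"

def validate_credentials(tenant, client_id, username, password, post, get) -> dict:
    """post(url, body) and get(url, token) return (status, json_dict), so the
    transport can be urllib (below) or the offline StubTenant."""
    url, body = build_token_request(tenant, client_id, username, password)
    status, resp = post(url, body)
    if status != 200 or "access_token" not in resp:
        return {"ok": False, "message": classify_token_error(resp)}
    token = resp["access_token"]
    _, me = get(ME_URL, token)
    groups, page_url = [], MEMBER_OF_URL
    while page_url:  # memberOf is paged: follow @odata.nextLink until exhausted
        _, page = get(page_url, token)
        groups += [m["displayName"] for m in page.get("value", [])
                   if m.get("@odata.type") == "#microsoft.graph.group"]
        page_url = page.get("@odata.nextLink")
    return {"ok": True, "user": me.get("userPrincipalName"), "groups": groups}

def urllib_post(url, body):
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, json.load(r)
    except urllib.error.HTTPError as e:  # Azure AD returns 4xx with a JSON error body
        return e.code, json.load(e)

def urllib_get(url, token):
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as r:
        return r.status, json.load(r)

class StubTenant:
    """Constructed offline stand-in for both endpoints (not real Azure responses)."""
    USERS = {  # username -> (password, AADSTS code the login should fail with)
        "john.smith@mydomain.com": ("s3cret", None),
        "jane.doe@mydomain.com": ("s3cret", 50057),
    }
    GROUPS = [{"@odata.type": "#microsoft.graph.group", "displayName": "Admins"},
              {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"},
              {"@odata.type": "#microsoft.graph.group", "displayName": "Staff"}]

    def post(self, url, body):
        form = dict(urllib.parse.parse_qsl(body.decode()))
        pw, fail = self.USERS.get(form["username"], (None, 50126))
        if fail or form["password"] != pw:
            return 400, {"error": "invalid_grant", "error_codes": [fail or 50126]}
        return 200, {"access_token": "tok-" + form["username"]}

    def get(self, url, token):
        if url == ME_URL:
            return 200, {"userPrincipalName": token[4:]}
        if url == MEMBER_OF_URL:  # first page plus a nextLink to exercise paging
            return 200, {"value": self.GROUPS[:2], "@odata.nextLink": url + "?$skiptoken=x"}
        return 200, {"value": self.GROUPS[2:]}
```

Pass `urllib_post` and `urllib_get` instead of the stub's methods to run against a real tenant; the `require_full_username` check mirrors the note under Features that short usernames are not supported, and filtering `memberOf` on `#microsoft.graph.group` keeps directory roles out of the returned group list.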