If the identity provider is Microsoft, a subset of Microsoft provider attributes can be used as the mapping attribute placeholder value.

The placeholder value must use the following syntax:

${providerAttributes.<Microsoft attribute name>}

When you create a new Microsoft identity provider entity, the POST request automatically maps the PingOne username attribute to the Microsoft id attribute. The username attribute is the core mapping attribute; the default Microsoft attribute value is id. It is also recommended that you map the PingOne email attribute to the Microsoft email attribute.

The request body for the email-to-email mapping looks like this, with the value attribute showing the Microsoft email attribute expressed using the placeholder syntax:

    "name": "email",
    "update": "EMPTY_ONLY",
    "value": "${providerAttributes.email}"

The POST /environments/{environmentId}/identityProviders operation adds a new identity provider resource to the specified environment.

When the type property value is set to MICROSOFT, Microsoft’s clientId and clientSecret property values are required in the request body.

Microsoft identity provider settings data model

Property Description
clientId A string that specifies the application ID from Microsoft. This is a required property.
clientSecret A string that specifies the application secret from Microsoft. This is a required property.

Microsoft core attributes

Property Description
id A string that specifies the core Microsoft attribute. The default value is ${providerAttributes.id} and the default update value is EMPTY_ONLY.

Microsoft provider attributes

Permission Provider attributes
OpenID Connect scopes: openid, email email
User:Read Options are: displayName, surname, givenName, id, userPrincipalName, businessPhones, jobTitle, mail, officeLocation, postalCode, mainNickname