Configure PIM for Single Sign-On

After you have registered your PIM application in Azure AD, you then configure PIM with the details of the application to enable single sign-on.

Prerequisites: Before you can configure PIM for single sign-on using Azure AD, you must first Create an Azure AD application for PIM.

To configure PIM for single sign-on:

  1. In PIM, on the header bar, click Admin.
  2. In the Search Admin Zones field, enter Single Sign-On Configuration, and then click the link that displays.
  3. On the Single Sign-On (SSO) screen, use the Identity Provider list to select Azure AD.
  4. In the Tenant ID and Client ID fields, paste the respective details that you copied when you registered the PIM application in Azure AD.
  5. If you created a client secret, paste the value into the Client Secret field.
  6. For each user, check that their identity email address matches their active email address configured in Azure AD.
    If any user's identity email address does not match their Azure AD email address, there are two likely causes: your organization's email address format changed when you moved to Azure AD (after PIM and its users were first set up), or that user's identity email address changed after the user was created in PIM.

    For any user that has an identity email address that does not match their active email address in Azure AD, you must correct their email address in PIM. You do this via Admin > System Security > Users and Licenses.

  7. When all identity email addresses match the corresponding Azure AD usernames, click Auto-populate in the top-right corner of the Setup SSO User Identities screen to automatically populate the SSO username for each user, and then click Save.
  8. Once you are ready to roll out the new single sign-on logon method to your user base, on the Single Sign-On (SSO) page, select the Enable Azure AD Provider check box to enable it, and then click .
    Users now have the option to log onto PIM via Azure AD on the main PIM logon page.
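Steps 6 and 7 are a reconciliation task: every PIM identity email must resolve to an Azure AD account before the SSO usernames can be auto-populated, and any that do not must be corrected in PIM first. The script below is an added example, not PIM or Microsoft code, that performs that check offline against two exports. It assumes a PIM user export with `username` and `identity_email` columns and an Azure AD user export with `userPrincipalName` and `mail` columns (both column layouts and all addresses are constructed for the example), and it assumes addresses are compared case-insensitively after trimming whitespace; whether PIM's own match is case-sensitive is not stated above, so treat a case-only difference as something to verify in the product.

```python
"""Reconcile PIM identity email addresses against Azure AD accounts.

Added example (not PIM or Microsoft code). It assumes two CSV exports:
PIM users (username, identity_email) and Azure AD users
(userPrincipalName, mail). Both inputs below are constructed sample data.
"""
import csv
import io

# Constructed sample export of PIM users (Admin > System Security > Users and Licenses).
# jdoe still carries the pre-migration domain; bwong has no Azure AD account at all.
PIM_USERS_CSV = """username,identity_email
jdoe,j.doe@oldcorp.example
asmith,Alice.Smith@corp.example
bwong,bwong@corp.example
"""

# Constructed sample export of Azure AD users.
AAD_USERS_CSV = """userPrincipalName,mail
j.doe@corp.example,j.doe@corp.example
alice.smith@corp.example,alice.smith@corp.example
"""


def normalize(addr: str) -> str:
    """Compare addresses case-insensitively with surrounding whitespace removed (assumption)."""
    return addr.strip().lower()


def load_pim_users(text: str) -> dict:
    """Return {pim_username: normalized identity email}."""
    return {row["username"]: normalize(row["identity_email"])
            for row in csv.DictReader(io.StringIO(text))}


def load_aad_index(text: str) -> dict:
    """Map every address Azure AD knows for an account (UPN and mail) to its UPN."""
    index = {}
    for row in csv.DictReader(io.StringIO(text)):
        upn = normalize(row["userPrincipalName"])
        index[upn] = upn
        if row.get("mail"):
            index[normalize(row["mail"])] = upn
    return index


def reconcile(pim_csv: str, aad_csv: str):
    """Return (sso_usernames, mismatches).

    sso_usernames maps each PIM username to the Azure AD UPN that Auto-populate
    would assign as the SSO username; mismatches lists PIM users whose identity
    email has no matching Azure AD account and must be fixed in PIM first.
    """
    aad = load_aad_index(aad_csv)
    sso, mismatches = {}, []
    for user, email in load_pim_users(pim_csv).items():
        upn = aad.get(email)
        if upn is None:
            mismatches.append((user, email))
        else:
            sso[user] = upn
    return sso, mismatches


if __name__ == "__main__":
    ready, to_fix = reconcile(PIM_USERS_CSV, AAD_USERS_CSV)
    for user, email in to_fix:
        print(f"FIX IN PIM: {user} identity email {email} has no Azure AD account")
    for user, upn in ready.items():
        print(f"OK: {user} -> SSO username {upn}")
```

Run it before enabling the provider: an empty mismatch list is the condition step 7 describes as "all identity email addresses match", and the returned mapping is what you should expect to see after clicking Auto-populate.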