HaloCRM Guides
Microsoft Entra ID Integration (Formerly: Azure Active Directory)
This integration enables you to generate Users and/or Agents directly from your Azure Active Directory User list, and subsequently enables single sign-on with Azure. To start this process, you must register a new application in Azure. You have the option to create a distinct application for both the import and single sign-on if desired.
Azure Connection Configuration
App Registration
To register a new application in Azure, navigate to your Azure Active Directory page and select "App Registrations > New Registration." Provide a meaningful name for your application before proceeding to specify which account types should have access to your application.
If you are configuring the application for user imports or single sign-on for a specific Azure tenant, choose the first option. If you want your application to be accessible across multiple Azure tenants, allowing users from different tenants to log in to Halo via single sign-on, then opt for the second option Multitenant. Keep in mind that multi-tenanted apps cannot be used to import users from multiple Azure tenants. In such cases, you must configure a separate application in each Azure tenant.
The redirect URI can be left blank for now, as multiple redirects can be configured later in the application setup process.
API Permissions
Now that an application has been registered, you must give it the relevant permissions required by the integration. In your new application, go to the API Permissions tab to get started. You should see your list of current permissions will be listed, along with options to manage these. Select the option to add a new permission, and choose Microsoft Graph from the available APIs.
The necessary Graph API Permissions are listed below, with notes detailing their essential functions for the integration to work correctly:
User.Read.All
- Allows the app to access the full set of profile properties, reports, and managers of other users within your organization.
- Facilitates a comprehensive view of user information, ensuring effective user profile management.
- Necessary for the app to act on behalf of the signed-in user in reading extensive user data.
Group.Read.All
- Enables the app to list groups, read their properties, and access all group memberships on behalf of the signed-in user.
- Essential for reading calendar, conversations, files, and other group content for all groups accessible to the signed-in user.
- Supports effective group management within the Halo ITSM/PSA Solution.
Openid
- Allows users to sign in to the app with their work or school accounts.
- Permits the app to access basic user profile information, enhancing the authentication process.
- A fundamental permission for enabling secure and seamless user access to Halo ITSM/PSA Solution.
offline_access
- Grants the app the ability to see and update data even when users are not actively using the app.
- Does not provide additional permissions but ensures continuous access to data previously granted.
- Essential for maintaining data synchronization and system functionality during periods of user inactivity.
DeviceManagementManagedDevices.Read.All
- (Only necessary if intending to synchronize device-related information, such as from Intune.)
- Permits the app to retrieve information on all managed devices within the device management scope.
- Essential for accessing detailed data about managed devices, including properties, status, and configurations.
- Necessary for effective device management and monitoring within the Halo ITSM/PSA Solution.
Once all permissions have been chosen, click the "Add Permissions" button to incorporate them into your application. Please be aware that certain permissions, namely DeviceManagementManagedDevices.Read.All, Group.Read.All, and User.Read.All, mandate Admin consent before they can be utilized. To grant admin consent, press the "Grant admin consent for {COMPANY NAME}" button next to 'Add a permission'. Following this step, the Status column should display as blank.
Redirect URLs and Authorization
In the Authentication tab of App Registration, add valid redirect URIs. Begin by selecting "Web" as the platform, and register your Halo web application URL as the initial redirect URI. This registration allows you to include additional redirect URIs based on your specific requirements.
For integration functionality, specific redirect URIs are required:
- User Portal Single Sign-On (SSO):
- <Halo Web App User Portal URL>/auth/account/azureresponse
- Agent Portal Single Sign-On (SSO):
- <Halo Web App URL>/auth/account/azureresponse
- User/Agent Import:
- <Halo Web App URL>/azure/auth
Note: URLs starting with <URL>/auth assume a commonly used authorization URL. Keep in mind that this URL may vary for on-premise installations of Halo. If experiencing issues with SSO functionality, double-check and confirm the correct authorization URL, accessible in the Agent portal under Configuration > Integrations > Halo API.
If you have any difficulty obtaining your authorization server URL, please contact the Halo Support Team.
After adding the redirect URIs, please ensure both ID and Access Tokens are available for the Azure application. ID Tokens are essential for single sign-on, while Access Tokens are used for the user/agent import. If you prefer to create two separate applications—one for each process—simply choose ID Tokens for single sign-on and Access Tokens for imports. This ensures the correct functionality for your specific needs.
Generating a Secret
You will also need to generate a secret against your App Registration for Halo to use to connect. Navigate to the "Certificates & Secrets" tab of your App Registration in Azure. Add a new secret, providing a desired name and setting the expiration date. Save the changes. Take note of the secret value, as this will be used in Halo to access your App Registration. Store the secret value securely, as Azure only provides it once. It's advisable to keep this value in a secure location for reference by your Azure Admins if needed. Additionally, make a note of the expiration date, so you can proactively update the secret in time to avoid any unnecessary disruptions in SSO functionality for your agents and end users.
Halo Connection Configuration
To enable the Azure Active Directory integration in Halo, navigate to Configuration > Integrations, and enable the module. After enabling, click the module's menu icon to start configuring it.
Make sure to enable the module on the integrations page
Single Sign-On (SSO) Configuration
Navigate to Configuration > Integrations > Azure Active Directory, where you'll find settings related to the tenant/application type for Single Sign-On (SSO). You can either edit the default connection or create a new one. If creating a new connection, select "New" and give it a unique name. In the details tab, choose the tenant type configured in Azure. For multi-tenanted apps in Single Sign-On, add the Azure tenant ID for each tenant you want to access the app. Enter credentials for the App Registration used in this connection. Key configurations to note:
- The "Published" checkbox activates SSO entirely. Enable this to use SSO once configuration is complete.
- The "Allow Single Sign-On for Agents and/or Users" dropdown lets you specify which Halo members can use SSO.
- The "Automatically redirect Agents and Users to Azure without showing the HaloITSM login screen." checkbox forces agents and users to use SSO instead of their Halo credentials.
NB: If you are connecting Azure Active Directory for just your organization meaning the "Tenant/Application Type is Single Tenant (HaloITSM in most cases). Then you will be setting up a single tenancy app registration on azure. If you are connecting Azure Active Directory for multiple organizations (mainly used by HaloPSA customers if they are not connecting with CSP. CSP is recommended for syncing customer information to Halo as an MSP - CSP Guide) you should be using a multi tenancy app registration.
Agent/User Import Configuration
Navigate to Configuration > Integrations > Azure Active Directory > Click "Add/Edit Tenants." If you're adding a new connection, click "New." Provide a unique name for the tenant and input the credentials for connecting to your App Registration. Enter the Tenant ID, Application ID, and Azure Application Secret (Value) noted previously and click "Save".
Authorizing your connection
Before proceeding with any further configuration, you are required to provide authorization to Azure. Click the "Authorize" button under the "Details" tab. This action redirects you to the Microsoft Login screen. After logging into Azure with a profile with proper permissions to the App Registration, you'll be redirected back to the current connection you're editing in Halo. At this point, the connection to your Azure Active Directory is complete and you can continue configuring how the integration behaves when a sync is actually started.
Halo Integration Configuration
Field Mappings
On the Field Mappings tab of each connection, you can map fields from an Azure User to Halo fields for both Users and Agents, including custom fields for Users. If you've created a new connection, some default mappings will be displayed. To remove any defaults during the initial configuration, save the connection first, or all defaults will be removed.
Click the add icon in the top right corner to add a new field mapping for Users or Agents. This will bring up a screen where you can choose which Azure field should map to which Halo field. Each field can only be used once for Users and Agents. For Users, custom fields must be created in advance; they cannot be created on this screen.
Note: If you are mapping the manager field from Azure to a field in Halo for the user mappings, the value of this field will show as unpopulated on the manual import screen but will be retrieved when the records are actually imported.
Site Mappings
The next tab, Agent/User Mappings, enables you to map subsets of users from your Azure Active Directory to correlating Sites (for users) or Roles (for agents). This is achieved by building mappings which filter on fields and/or security groups in Azure. To add a new mapping, hit the + symbol in the "Site Mappings" table.
This will prompt you to choose a mapping type.
- "Map to an existing Site"
- Allows you to manually correlate a subset of users from Azure Active Directory to an existing site in Halo
- Upon selection, you are are prompted to...
- select a Site to create user profiles against in Halo
- select a sequence the system will import the mapping in
- select a user role for users to assume
- if filtering on Azure group, the exact name of that group
- whether or not you would like to include external users
- if filtering on Azure fields, the criteria for matching on users
- screenshot shown below:
- Note, this site mapping type is used for importing agents. Simply select the site value of *agent* and fill out the mapping just as you would for the users. These Azure Active Directory users will be imported as Agents as well as users when the integration sync runs.
- "Map to an existing Organization based on an Azure field"
- Allows you to auto-generate a site in Halo against a set Organization based on a field in Azure Active Directory
- Upon selection, you are are prompted to...
- select the Organization in Halo to create the new site under
- select the filter field to group users by and create sites with (value of field will result in site name)
- select a sequence the system will import the mapping in
- select a user role for users to assume
- if filtering on Azure group, the exact name of that group
- whether or not you would like to include external users
- if filtering on Azure fields, the criteria for matching on users
- screenshot shown below:
Advanced Configuration
In the Advanced Configuration section, you can set up Agent Role mappings. This feature enables you to map Azure Active Directory groups to specific Agent Roles in Halo. When importing agents, if they are part of an Azure Group with a corresponding mapping, the assigned Agent Role from this mapping will be applied to their Agent account. This mapping works in conjunction with the role specified in the Site mapping undertaken in the previous steps.
To create a new Role Mapping, click the "Add" button located in the top right corner of the table. Enter the name of the Azure Group you want to map, and then choose the desired Agent Role for the mapping.
The following section in the Advanced Configuration tab involves Change Advice Board mappings. This feature permits you to map Azure Active Directory groups to specific change advice boards in Halo. During agent imports, if agents are associated with an Azure Group with a mapping, they will be added to the designated change advice board from that mapping. Conversely, if they are no longer part of the group, they will be removed from the change advice board.
The last segment in the Advanced Configuration tab pertains to license management. Activating this feature enables you to update the status of an agent based on the roles they are assigned.
Imports
In the Imports tab, you have the option to manually import Users and Agents from Azure. Furthermore, you can set up the Halo Integrator application to perform these imports automatically.
By default, when importing from Azure, a User is matched to an existing User record in Halo based on their unique Azure ID. If your User list is already in your Halo database, but you haven't imported from Azure before, Users may not have a unique Azure ID assigned, leading to potential duplicate users during the import. To prevent this, choose at least one matching field to avoid duplicates by matching old records on different fields. The matching process follows the order in which you add fields to these boxes.
When you click the "Import Users" or "Import Agents" button, Halo retrieves your User list from Azure, organizes them based on the configured mappings, and displays the returned Users on the import screen. Note that without authorization or if your authorization has expired, you'll receive a 401 Unauthorized message, and you should reauthorize the application. Even if you do not want to import manually within the web app, it is still recommended that you click the Import Agents/Users buttons to check that your mappings are returning the correct subsets of users, before proceeding with an import via the Halo Integrator.
Halo Integrator
Once you’re happy with your configuration for the rest of the connection, you can then enable the connection to be synced via the Halo Integrator application.
Most customers using Halo Service Solutions have their Halo Integrator hosted for them. In such cases, there's no need for individual customers to host their Integrator for regular synchronization. If you have a specific preference to host your own Halo Integrator, please refer to the related guide for detailed instructions.
Note For Older Installations
For versions 2.13.1 and above, the integration allows connections to multiple applications/tenants. If you had configured the integration for Single Sign-On before v2.13.1, a default connection is added to maintain Single Sign-On functionality.
Using delta queries allows the Halo Integrator to retrieve recently updated records only from Microsoft Entra, thus allowing a much more frequent sync of the Halo Integrator.
Microsoft Entra ID Integration - Delta Queries
Azure delta queries can be activated on the Imports tab of the Microsoft Entra integration setup screen.
Using the Reset Deltas button you can also reset the current delta saved by the Halo Integrator by either clearing the delta, or getting the latest version of the delta.
Getting the latest delta means that you can instantly start processing the integration on the Halo Integrator much faster, whereas clearing it means the entire directory of users will be processed on the next sync.
For more information on Azure Deltas see our guide here.
Inbound Logging
Once the functionality is enabled, for each user update that is processed via the Halo Integrator, a more detailed log can be found on the Inbound Requests tab of each integration setup screen. This includes a more detailed log explaining which mappings have been matched, and the result of each individual update notification.
Additional Information
- Manual imports are not affected by this functionality. The processing of the user update notifications has been designed to align with the manual import, even though the way they are processed is different.
Licence Management in Microsoft Entra ID
This requires adding the "LicenseAssignment.ReadWrite.All" permission to your application and reauthorising your connection.
Once this is done, you will be able to configure the Licence import. A client must be specified for the licences to be imported to, which should match the client the users are imported to. Licences can then be imported manually or via the integrator. Once licences have been imported, subsequent user imports will link the users in Halo to the licences from Entra.
Additionally, you can enable "Allow licences to be managed from within Halo" to allow licences in Entra to be managed from within Halo. When assigning software to a user, you can specify a licence for the software. If this licence is from Entra, it will be added to their account upon saving. Similarly, removing a licence from a user that was imported from Entra will remove that licence in Entra.
NB: This feature should only ever be used with either the CSP integration or Microsoft Entra ID integration, you should never enable it for both integrations.
Popular Guides
- Asset Import - CSV/XLS/Spreadsheet Method
- Call Management in Halo
- Creating a New Application for API Connections
- Creating Agents and Editing Agent Details
- Departments and Teams
- Halo Integrator
- Importing Data
- Multiple New Portals with different branding for one customer [Hosted]
- NHServer Deprecation User Guide
- Organisation Basics
- Organising Teams of Agents
- Step-by-Step Configuration Walk Through
- Suppliers