HaloCRM Guides

Important: If you are using the Microsoft Entra ID (Azure active Directory) along with the Intune integration ensure the application configured for MS Entra has the following permission: DeviceManagementManagedDevices.Read.All (Delegated). If this permission is not assigned to your Entra application you will not be able to import assets from Intune. 

1. Open your Azure portal and select App registrations > New registration.

2. Give your application a sensible name.

3. Ensure that supported account types is set to Single Tenant.

4. If you are using the authorisation code authentication method, configure a redirect URI with the type of Web. The redirect URI used will differ depending on the version of Halo you are using.

• On versions prior to v2.200 the following redirect URI will need to be used:
• https://YOURHALODOMAIN/azure/auth
• On versions v2.200+ you the following redirect URI will need to be used:
• https://YOURHALODOMAIN/authcallback
• But the exact redirect URI you need can be found on the setup page for the integration in Halo.
  

Note: If you have disconnected to the integration and are reconnecting, if your Halo instance is on v2.200+ you will need to use the new redirect URI (https://YOURHALODOMAIN/authcallback).

5. Generate and store a client secret securely.

Fig 2. Generating a new secret

6. Ensure your redirect URI is setup with the type of Web and is using the correct endpoint (/azure/auth or /authcallback). 

Fig 3. Finding your redirect URI

7. Note down your App Registration's "Application (client) ID" and "Directory (tenant) ID" for Halo configuration detailed later in this article.

Fig 4. Finding your Application ID

Configuring the integration in Halo

Once you have registered your application in Azure, you can configure the integration in Halo:

Click "New" to create a new connection, and enter a name for your connection. Here you can also select your preferred authentication method and credential type. If you are unsure which credential type to use check out our article Authentication Methods for Microsoft Integrations. The primary difference between the two authentication methods is the permission type to be applied to permissions against your App Registration.

Fig 6. Choosing an Authentication Method  

• Required API Permissions (Application):
  • DeviceManagementManagedDevices.Read.All
  • User.Read.All

• Required API Permissions (Delegated):
  • DeviceManagementManagedDevices.Read.All
  • User.Read.All
  • offline_access

Adding permissions to an App Registration in Azure:

Fig 7. Setting permissions in Azure

Make sure you have saved this using the "Save" option. 

The authorization process will differ based on your chosen authentication method:

Fig 9. Authorising the application  

Note: Client Credentials is simpler to maintain as it doesn't depend on any specific user's permissions, but some organizations may have security policies that require user-based authentication through the Authorization Code flow.

For Client Credentials Authentication:

• Clicking "Authorize Application" will validate your client ID and secret.
• No user interaction is required - this is a non-interactive flow.
• The system will verify that the credentials can obtain an access token with the required permissions.

For Authorization Code Authentication:

• Clicking "Authorize Application" will redirect you to Microsoft's login page.
• An Intune administrator must sign in and consent to the requested permissions.
• The administrator must maintain their permissions for the integration to continue working.

Asset Types 

Under the Asset tab you can configure how assets are imported. When assets are imported from Intune into Halo they will create Halo assets. As assets in Halo are grouped by type and group, how groups and types are assigned to these assets will need to be configured. 

Fig 10. Asset type configuration 

Determining an Asset's type  

If you would like all imported assets to have the same asset type when imported set the 'Determining an Asset's type' field to be 'use the same type for all Assets' then set the 'Default Asset Type' field to be the asset type you would like assets from Intune to be.

If you would like all imported assets' types to be determined by a particular field, set the set the 'Determining an Asset's type' field to be 'Use a field to determine each Asset's type'. Then in 'Field for determining an Asset's type' choose the field you would like the type to depend on. The field you choose must contain the name of the desired asset type, if this name can be matched to an existing asset type in Halo, it will be assigned this asset type. If the name is not the same as an asset type in Halo, a new asset type will be created. Note that the names must be identical in order to match. This setting is used if you have a field in Intune that already determines an asset's type and you would like the types to be consistent between Halo and Intune. 

If you would like asset types to be determined by asset rules set the set the 'Determining an Asset's type' field to be 'Determine asset type using rules'. Now you will be able to set an asset's types based on rules, These rules are based on field values, and if matched will assign an asset to the chosen asset type. When creating a rule first add criteria for the rule, select the Halo field that you would like to base the criteria on, then set the rule type and the outcome needed in the field to match the rule. If an asset matches this rule it will be imported as this asset type. 

You will also need to set the asset group that new asset types are created under.

If you do not want asset types to be updated by Intune, disable the setting 'Do not Update Asset Types', other asset data will still sync but the type will not change. 

Users

If assets have been imported using Microsoft Entra they can be linked to users upon import. 

Fig 11. Linking Users to assets

Under the 'Users' tab you can select which integration is used for user assignment, although you can still use Microsoft Entra to manage this but Intune is the recommended method as this will update relationship changes faster. 

You will then need to set the 'User Identifier' field, this is the field used to match the Halo user to the Intune user, this must be unique for each user. You can then choose if you would like Halo Assets to be Unlinked from Users if no User match is not found, by selecting the "Unlink Halo Assets from Users if an Intune User match is not found" checkbox.

Field Mappings

Configure how Intune device data maps to your Halo assets:

1. Select the "Field Mappings" tab.
2. Map Intune fields to corresponding Halo asset fields.
3. Configure any custom field mappings as needed.

Fig 12. Field mappings

Importing

Configure how assets are imported:

Under the "Imports" tab you can set the site allocation method, default site for assets without associated users, and choose an asset matching field to identify and match existing asset records. You can also set the imported software to match to licences based on name using the checkbox shown below. The final checkbox in the General Settings section allows you to exclude any assets that are managed by Microsoft Sense (Defender) from the import.

Fig 13. Asset allocation 

As of v2.186.1+, you can choose different methods of site allocation - whether by the user's site or the default. This can also be used so assets do not take the user's site upon sync for instance. When assets are imported from Intune, any software licences assigned to the assets will also be imported. These will be created as software licences against the asset in Halo. On versions prior to v2.214 software licences will match based on the ID of the software licence in Intune. On versions v2.214+ asset software from Intune will match to existing software based on name instead of ID. 

Fig 14.Site allocation for assets 

You can now set the status for imported assets under the statuses section. These can be set for new assets, assets when the managed device has been deleted from Intune, and assets when the managed device has been recovered (previously deleted).  

Fig 15. Status for imported assets

As of v2.182.1+, you can make assets inactive in Halo based on their last sync update to Halo. You can then set the Halo status they will be marked as once this day threshold is reached. For instance below, if not updated for 2 days the assets will be marked as "Inactive".

Halo Integrator

Assets can either be imported manually using the import button, or they can be imported/updated on a scheduled basis using the Halo integrator. 

To do this head to the 'Halo Integrator' tab within the integration setup page. Here you can enable the Halo integrator for each Organisations and Assets to have these entities import/update automatically on a schedule. 

Fig 17. Halo integrator for integration

Check Enable the Halo Integrator for this Intune connection' to enable the sync. Once enabled assets will be imported/updated on a daily basis. 

Note: If you are on premise or would like the integrator to run more regularly you will need to first download the integrator.