Browse Guides

Loading list...
X
Supplier Import - CSV/XLS/Spreadsheet Method
Generating Agreement References
Introduction to Halo Guides
Ticket/Action Import - CSV/XLS/Spreadsheet Method
Client, Sites & Users Import - CSV/XLS/Spreadsheet Method
Pre-Pay V2
Deferring Project Revenue
Contents of Knowledge Base Guides
Iru Integration (Kandji)
Remote Support
Coralogix Integration
Start to Finish: Self-Service Portal
Grouping Tickets by Ticket Type in a Column Profile
Specifying Decimal Format in PDFs
Using Dollar Variables in Actions
Process Street Integration
SQL Imports - Licences and Subscriptions
HTML for 'Today's Date'
Runbook: Append a Recurring Invoice from Sales Order lines
Automated New Starter Requests into Microsoft Entra
Group Invoice Lines by Product Group
Managing a Recurring Invoice's Lines Quantity, Price and Cost for Subscriptions
Parent and Child Projects from Sales Orders
Project Task Creation Rules Based on a Multi-Select Field
Custom SQL Query for Licence/Subscription Count on Recurring Invoice Lines
Example Pay As You Go Client
Example Pre-Pay Client
Example All You Can Eat Agreement Client
Example Combination Client
Performing Ticket Approvals via API
Automated Tickets - Next Call Date
Linking one Appointment to a Ticket to Link all Appointments in the Same Series
Using QR Codes on PDF Templates
Annotating Images in Actions
Azure Actions
Custom Table Examples
Worked Example - Receiving & Delivering Stock with Assets Created at The Point of Consignment
How to change the colour of 'How can we help you today?' on the Portal
Ticket Category Defaults and Overrides
IronPDF Errors
3CX Integration
Email General Settings
Billing Templates
Asset Fields
Pax8 Integration
Agents
Importing Data
Asset Statuses
Asset Relationships
Syncing Exchange Calendars using the Microsoft Graph API
Using your Knowledge Base
Customer Types
CSV Templates
PDF Templates
Accounts Codes
Asset Types
Expenses
Actions
Google Mail Setup (Setting up Google Application)
Datto RMM Integration
Ticket Area Breakdown
Sites
Tax Rates
Using Category Group as Ticket Rule Criteria
Users
User Roles
Purchase Orders
Charge Types
Quotations General Settings
Approval Processes
TeamViewer Integration
Email Rules
A Step-by-Step Guide to Make a Bulk Change in the Halo Database Through the API Using JSON in Postman
Okta Integration
Open AI Integration
Active Directory Integration (LDAP)
Departments and Teams
Adding a Mailbox Without The Use of Azure or Google
Create Knowledge Base Articles using files/documents
GitHub Integration
Mail Processing FAQs
Populating Invoice Lines from $-Variables
Menu Buttons
PDF Templates
Notification Templates
Drag and Drop Tickets Onto a Calendar to Create Appointments
Email Threading
Agents
Holiday Management
ManageEngine Endpoint Central Integration
Canned Text
Chat Profiles
Organisational Chart
How To Bulk Update Tickets, Drag and Drop Tickets Into Different Queues, An Explanation of Ticket Symbols
Sales Mailboxes
Access Restrictions on Suppliers
Document Management
Automating Procurement
Custom Tables
Suppliers
An Introduction to Halo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Using and Configuring Halo
Using and Configuring Halo
Integrations
Integrations
Configuration Settings Guides
Configuration Settings Guides
On-Premises Guides
On-Premises Guides
About Halo
About Halo
Microsoft Entra ID Integration (Formerly: Azure Active Directory)
Reading mode
Copy Link
Link Copied!
Print
Feedback
This guide has multiple versions available:
<style>p { margin: 0; }span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left:0; padding-left:5px;}blockquote blockquote{ border-color: #00bcd4; color: #00bcd4;}blockquote blockquote blockquote{ border-color: #43a047; color: #43a047;} table.grid{ border-collapse: collapse;} table.grid td, table.grid th { border: 1px solid #ddd;} .fr-fic.fr-dib{ display: block; margin: 5px auto;}.fr-fic.fr-dib.fr-fir{ text-align: right; margin: 5px 0 5px auto;}.fr-fic.fr-dib.fr-fil{ text-align: left; margin: 5px auto 5px 0;}.fr-fic.fr-dii{ float: none; margin: 5px auto;}.fr-fic.fr-dii.fr-fil{ float: left; margin: 5px auto;}.fr-fic.fr-dii.fr-fir{ float: right; margin: 5px auto;}img.fr-dib.fr-fir { margin-right: 0; text-align: right;}img.fr-dib.fr-fil { margin-left: 0; text-align: left;}img.fr-dib { margin: 5px auto; display: block; float: none;}img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC;}img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc;}img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box;}</style><style> p { margin: 0; } span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left: 0; padding-left: 5px; } blockquote blockquote { border-color: #00bcd4; color: #00bcd4; } blockquote blockquote blockquote { border-color: #43a047; color: #43a047; } table.grid { border-collapse: collapse; } table.grid td, table.grid th { border: 1px solid #ddd; } .fr-fic.fr-dib { display: block; margin: 5px auto; } .fr-fic.fr-dib.fr-fir { text-align: right; margin: 5px 0 5px auto; } .fr-fic.fr-dib.fr-fil { text-align: left; margin: 5px auto 5px 0; } .fr-fic.fr-dii { float: none; margin: 5px auto; } .fr-fic.fr-dii.fr-fil { float: left; margin: 5px auto; } .fr-fic.fr-dii.fr-fir { float: right; margin: 5px auto; } img.fr-dib.fr-fir { margin-right: 0; text-align: right; } img.fr-dib.fr-fil { margin-left: 0; text-align: left; } img.fr-dib { margin: 5px auto; display: block; float: none; } img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC; } img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc; } img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box; } </style><style> p { margin: 0; } span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left: 0; padding-left: 5px; } blockquote blockquote { border-color: #00bcd4; color: #00bcd4; } blockquote blockquote blockquote { border-color: #43a047; color: #43a047; } table.grid { border-collapse: collapse; } table.grid td, table.grid th { border: 1px solid #ddd; } .fr-fic.fr-dib { display: block; margin: 5px auto; } .fr-fic.fr-dib.fr-fir { text-align: right; margin: 5px 0 5px auto; } .fr-fic.fr-dib.fr-fil { text-align: left; margin: 5px auto 5px 0; } .fr-fic.fr-dii { float: none; margin: 5px auto; } .fr-fic.fr-dii.fr-fil { float: left; margin: 5px auto; } .fr-fic.fr-dii.fr-fir { float: right; margin: 5px auto; } img.fr-dib.fr-fir { margin-right: 0; text-align: right; } img.fr-dib.fr-fil { margin-left: 0; text-align: left; } img.fr-dib { margin: 5px auto; display: block; float: none; } img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC; } img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc; } img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box; } </style><style> p { margin: 0; } span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left: 0; padding-left: 5px; } blockquote blockquote { border-color: #00bcd4; color: #00bcd4; } blockquote blockquote blockquote { border-color: #43a047; color: #43a047; } table.grid { border-collapse: collapse; } table.grid td, table.grid th { border: 1px solid #ddd; } .fr-fic.fr-dib { display: block; margin: 5px auto; } .fr-fic.fr-dib.fr-fir { text-align: right; margin: 5px 0 5px auto; } .fr-fic.fr-dib.fr-fil { text-align: left; margin: 5px auto 5px 0; } .fr-fic.fr-dii { float: none; margin: 5px auto; } .fr-fic.fr-dii.fr-fil { float: left; margin: 5px auto; } .fr-fic.fr-dii.fr-fir { float: right; margin: 5px auto; } img.fr-dib.fr-fir { margin-right: 0; text-align: right; } img.fr-dib.fr-fil { margin-left: 0; text-align: left; } img.fr-dib { margin: 5px auto; display: block; float: none; } img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC; } img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc; } img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box; } </style><div><style> p { margin: 0; } span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left: 0; padding-left: 5px; } blockquote blockquote { border-color: #00bcd4; color: #00bcd4; } blockquote blockquote blockquote { border-color: #43a047; color: #43a047; } table.grid { border-collapse: collapse; } table.grid td, table.grid th { border: 1px solid #ddd; } .fr-fic.fr-dib { display: block; margin: 5px auto; } .fr-fic.fr-dib.fr-fir { text-align: right; margin: 5px 0 5px auto; } .fr-fic.fr-dib.fr-fil { text-align: left; margin: 5px auto 5px 0; } .fr-fic.fr-dii { float: none; margin: 5px auto; } .fr-fic.fr-dii.fr-fil { float: left; margin: 5px auto; } .fr-fic.fr-dii.fr-fir { float: right; margin: 5px auto; } img.fr-dib.fr-fir { margin-right: 0; text-align: right; } img.fr-dib.fr-fil { margin-left: 0; text-align: left; } img.fr-dib { margin: 5px auto; display: block; float: none; } img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC; } img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc; } img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box; } </style><div><style> p { margin: 0; } span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left: 0; padding-left: 5px; } blockquote blockquote { border-color: #00bcd4; color: #00bcd4; } blockquote blockquote blockquote { border-color: #43a047; color: #43a047; } table.grid { border-collapse: collapse; } table.grid td, table.grid th { border: 1px solid #ddd; } .fr-fic.fr-dib { display: block; margin: 5px auto; } .fr-fic.fr-dib.fr-fir { text-align: right; margin: 5px 0 5px auto; } .fr-fic.fr-dib.fr-fil { text-align: left; margin: 5px auto 5px 0; } .fr-fic.fr-dii { float: none; margin: 5px auto; } .fr-fic.fr-dii.fr-fil { float: left; margin: 5px auto; } .fr-fic.fr-dii.fr-fir { float: right; margin: 5px auto; } img.fr-dib.fr-fir { margin-right: 0; text-align: right; } img.fr-dib.fr-fil { margin-left: 0; text-align: left; } img.fr-dib { margin: 5px auto; display: block; float: none; } img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC; } img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc; } img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box; } </style> <style> p { margin: 0; } span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left: 0; padding-left: 5px; } blockquote blockquote { border-color: #00bcd4; color: #00bcd4; } blockquote blockquote blockquote { border-color: #43a047; color: #43a047; } table.grid { border-collapse: collapse; } table.grid td, table.grid th { border: 1px solid #ddd; } .fr-fic.fr-dib { display: block; margin: 5px auto; } .fr-fic.fr-dib.fr-fir { text-align: right; margin: 5px 0 5px auto; } .fr-fic.fr-dib.fr-fil { text-align: left; margin: 5px auto 5px 0; } .fr-fic.fr-dii { float: none; margin: 5px auto; } .fr-fic.fr-dii.fr-fil { float: left; margin: 5px auto; } .fr-fic.fr-dii.fr-fir { float: right; margin: 5px auto; } img.fr-dib.fr-fir { margin-right: 0; text-align: right; } img.fr-dib.fr-fil { margin-left: 0; text-align: left; } img.fr-dib { margin: 5px auto; display: block; float: none; } img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC; } img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc; } img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box; } </style> <style> p { margin: 0; } span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left: 0; padding-left: 5px; } blockquote blockquote { border-color: #00bcd4; color: #00bcd4; } blockquote blockquote blockquote { border-color: #43a047; color: #43a047; } table.grid { border-collapse: collapse; } table.grid td, table.grid th { border: 1px solid #ddd; } .fr-fic.fr-dib { display: block; margin: 5px auto; } .fr-fic.fr-dib.fr-fir { text-align: right; margin: 5px 0 5px auto; } .fr-fic.fr-dib.fr-fil { text-align: left; margin: 5px auto 5px 0; } .fr-fic.fr-dii { float: none; margin: 5px auto; } .fr-fic.fr-dii.fr-fil { float: left; margin: 5px auto; } .fr-fic.fr-dii.fr-fir { float: right; margin: 5px auto; } img.fr-dib.fr-fir { margin-right: 0; text-align: right; } img.fr-dib.fr-fil { margin-left: 0; text-align: left; } img.fr-dib { margin: 5px auto; display: block; float: none; } img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC; } img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc; } img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box; } </style> <style> p { margin: 0; } span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left: 0; padding-left: 5px; } blockquote blockquote { border-color: #00bcd4; color: #00bcd4; } blockquote blockquote blockquote { border-color: #43a047; color: #43a047; } table.grid { border-collapse: collapse; } table.grid td, table.grid th { border: 1px solid #ddd; } .fr-fic.fr-dib { display: block; margin: 5px auto; } .fr-fic.fr-dib.fr-fir { text-align: right; margin: 5px 0 5px auto; } .fr-fic.fr-dib.fr-fil { text-align: left; margin: 5px auto 5px 0; } </style> <style> p { margin: 0; } span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left: 0; padding-left: 5px; } blockquote blockquote { border-color: #00bcd4; color: #00bcd4; } blockquote blockquote blockquote { border-color: #43a047; color: #43a047; } table.grid { border-collapse: collapse; } table.grid td, table.grid th { border: 1px solid #ddd; } .fr-fic.fr-dib { display: block; margin: 5px auto; } .fr-fic.fr-dib.fr-fir { text-align: right; margin: 5px 0 5px auto; } .fr-fic.fr-dib.fr-fil { text-align: left; margin: 5px auto 5px 0; } </style><p id="isPasted"><span style="font-size: 11pt;"><strong>In this guide we will cover:</strong></span></p><p><span style="font-size: 11pt;"><strong>- What is the Entra integration used for?</strong></span></p><p><span style="font-size: 11pt;"><strong>- Who Can set the integration up</strong></span></p><p><span style="font-size: 11pt;"><strong>- Connecting Entra to your Halo</strong></span></p><p><span style="font-size: 11pt;"><strong>- App Registration Setup</strong></span></p><p><span style="font-size: 11pt;"><strong>- Single Sign-On (SSO) Configuration</strong></span></p><p><span style="font-size: 11pt;"><strong>- Agent/User Import Configuration</strong></span></p><p><span style="font-size: 11pt;"><strong>- Advanced Configuration</strong></span></p><p><span style="font-size: 11pt;"><strong>- Licence Management&nbsp;</strong></span></p><p><span style="font-size: 11pt;"><strong>- Imports</strong></span></p><p><span style="font-size: 11pt;"><strong>- Halo Integrator</strong></span></p><p><span style="font-size: 11pt;"><strong>- Microsoft Entra ID Integration - Delta Queries</strong></span></p><p><span style="font-size: 11pt;"><strong>- Licence Management in Microsoft Entra ID</strong></span></p><p><span style="font-size: 11pt;"><strong>- Control who can manage the Entra integration</strong></span></p><p><span style="font-size: 11pt;"><strong>- Miscellaneous Settings&nbsp;</strong></span></p><p><br></p><p><br></p><p id="isPasted"><span style="font-size: 14pt;"><strong>What is the Entra Integration used for?</strong></span></p><p><span style="font-size: 11pt;">The Entra integration enables identity management within Halo by importing agent and user identities from Microsoft Entra; offering a streamlined identity management within Halo.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 12pt;"><strong>Who should use the Entra integration?</strong></span></p><p><span style="font-size: 11pt;">This integration is intended for organisations where Microsoft Entra is the <strong data-start="733" data-end="762" id="isPasted">primary identity provider</strong>, including those using hybrid environments with Entra Connect (formerly AD Sync). SSO providers or secondary sources of identities may also be configured.&nbsp;</span></p><p><br></p><p><strong><span style="font-size: 11pt;">HaloITSM and HaloCRM:</span></strong></p><p><span style="font-size: 11pt;">Clients using HaloITSM or HaloCRM will typically rely solely on the Entra integration when Microsoft Entra is their primary identity provider. These organisations generally operate within a single Azure tenant, so a single integration is usually sufficient. However, the integration supports multiple tenants&mdash;if relevant identities are distributed across multiple Azure tenants, the configuration steps in this guide can be repeated for each one.</span></p><p><br></p><p><span style="font-size: 11pt;"><strong>HaloPSA:</strong></span></p><p data-start="1436" data-end="1806" id="isPasted"><span style="font-size: 11pt;">HaloPSA clients should use the Entra integration to import staff identities from their own internal tenant where Microsoft Entra is the primary identity provider. For managed customer tenants under the Microsoft Cloud Solution Provider (CSP) program via Partner Center, the <a href="https://usehalo.com/halopsa/guides/1189/" target="_blank" rel="noopener noreferrer"><strong data-start="1714" data-end="1743">Microsoft CSP integration</strong></a> should instead be used to import managed licences, devices, and users.</span></p><p data-start="1808" data-end="2030"><br></p><p data-start="1808" data-end="2030"><span style="font-size: 11pt;">If a HaloPSA client manages customer tenants <strong data-start="1853" data-end="1864">outside</strong> of the CSP program, the Entra integration can still be used in a multi-tenant fashion as described above, by connecting directly to each managed tenant individually.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 14pt;"><strong>Who Can S</strong><strong>et T</strong><strong>he Integration Up</strong></span></p><p><span style="font-size: 11pt;">You can give non-administrator agents permission to setup the Entra integration in addition to Administrators. This is useful when you have separate teams that manage your Azure to those who manage your Halo instance. Rather than having to give your Azure managers admin permissions in Halo, or split the setup between the two teams, you can give the Azure managers permission to access and setup the Entra integration in your instance, but no other integrations/admin capabilities. This also means these agents can manage the integration in your Halo instance, useful when there are changes to Azure tenants/groups that require the integration in Halo to be updated.&nbsp;</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">To give an agent permission to setup new connections for the integration head to Configuration &gt; Teams &amp; Agents &gt; Agents &gt; select an agent &gt; Permissions &gt; enable &#39;Can Configure Microsoft Entra ID (formerly Azure Active Directory) Access Control&#39;.</span></p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijc1ZjhjNmRkLTZkMjItNDA2Yi1hOTM0LTY5ZTNjN2ZjMGU0NyJ9.Fq5VLvuJnL-pURaL0DvpgLSWzZfH0LIOM056-Vys5Wo" class="fr-fic fr-fil fr-dib" width="695" style="width: 697px; height: 362.238px;" height="362"></p><p><strong>Fig 1. Permission to allow agent to create Entra connections for Halo/Entra integration</strong></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">Now this agent will be able to create and edit connections for the integration.&nbsp;</span></p><p><br></p><p><span style="font-size: 11pt;">If you would like selected agents to be able to manage selected connections on a per-tenant basis, access control can be granted to additional agents, this means you can choose which tenant connection agents have access to. For more information on this see the section &#39;Control who can manage the Entra integration&#39;, however, we recommend reading through the rest of the setup first.&nbsp;</span></p><p><br></p><p><strong><span style="font-size: 14pt;">Connecting Entra to your Halo</span></strong></p><p><span style="font-size: 11pt;">To enable the Azure Active Directory integration in Halo, navigate to Configuration &gt; Integrations, and enable the module. After enabling, click the module&#39;s menu icon to start configuring it.</span></p><p><br></p><p><span style="font-size: 11pt;">Make sure to enable the module on the integrations page.</span></p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImZiODFiODU1LTdkNjAtNDYzYi04OGIyLTdlMmU1NTMyZDRjNCJ9.eRfue4nkX68BWEMWdSATgFmgkCzexsxtbulZwDYgew0" class="fr-fic fr-fil fr-dib" width="97" style="width: 99px; height: 162.871px;" height="163"></p><p><strong><span style="font-size: 10pt;">Fig 2. Enabling the module.</span></strong></p><p><br></p><p><span style="font-size: 11pt;">This integration supports multi-tenancy, which means you can configure connections for multiple Azure tenants, connection and configuration is done on a per-tenant basis. To start connecting a tenant click &#39;Add/edit tenants&#39; and create a new connection.&nbsp;</span></p><p><br></p><p><span style="font-size: 11pt;">When connecting to this integration you will see there are a number of authentication methods and credential types to choose from on the integration setup page in Halo. If you are unsure which authentication method and credential type to use, check out our article here: <a data-fr-linked="true" href="https://usehalo.com/haloitsm/guides/2446" id="isPasted" target="_blank" rel="noopener noreferrer"><strong>Authentication Methods for Microsoft Integrations</strong></a>.</span></p><p><br></p><p><span style="font-size: 11pt;">The simplest and lowest overhead option is to use Application permissions (Client Credentials) as your authentication method and &#39;Client Secret&#39; as your credential type.&nbsp;</span></p><p><br></p><p><span style="font-size: 11pt;">To configure a connection, you should navigate to the Entra integration within your instance, click &#39;Add/Edit Tenants&#39; button and click &#39;New&#39; in the top right of your screen.&nbsp;</span></p><p><br></p><p><span style="font-size: 11pt;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjUzZDgxODg0LTkwODEtNDllMC04ZTU2LWE4ZDUwMWVmMjc4YSJ9.8-Rozo_B2lDl8nz22Uok5QuiKvI183pfDpj-hHqMmiM" class="fr-fic fr-fil fr-dib" width="1581" style="width: 1583px; height: 391.707px;" height="392"></span></p><p><strong>Fig 3. Add tenant</strong></p><p><br></p><p><span style="font-size: 11pt;">You should then name your connection and choose your authentication method and credential type.</span></p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImRjMjk0NWZmLTVkNWItNDIyYi1hMmJmLWIxNTRjOTEwMTMxOSJ9.ktfkFKNXvMNBHT1bi6ccvbhaA1NqIXlCkmjX3gW5m9A" class="fr-fic fr-fil fr-dib" width="1207" style="width: 1209px; height: 614.568px;" height="615"></p><p><strong>Fig 4. Choose authentication method and credential type</strong></p><p><br></p><p><span style="font-size: 11pt;">You will then be presented with the permissions that need to be configured. At the time of writing, these are the permissions (whether application or delegated) that can be used in the integration.&nbsp;</span></p><p><br></p><table style="width: 100%;" class="grid"><tbody><tr><td style="width: 25.0000%;">Name</td><td style="width: 25.0000%;">Purpose</td><td style="width: 25.0000%;">Mandatory?</td><td style="width: 25.0000%;">Authentication Method(s) used in</td></tr><tr><td style="width: 25.0000%;">User.Read.All</td><td style="width: 25.0000%;">Read User Data</td><td style="width: 25.0000%;">Yes</td><td style="width: 25.0000%;">ALL</td></tr><tr><td style="width: 25.0000%;">Group.Read.All</td><td style="width: 25.0000%;">Read Group Data</td><td style="width: 25.0000%;">Yes</td><td style="width: 25.0000%;">ALL</td></tr><tr><td style="width: 25.0000%;">offline_access</td><td style="width: 25.0000%;">Maintain access</td><td style="width: 25.0000%;">Yes</td><td style="width: 25.0000%;">Authorization Code (Delegated) Only</td></tr><tr><td style="width: 25.0000%;">AuditLog.Read.All</td><td style="width: 25.0000%;">Access sign-in data; required if you wish to import last sign in date</td><td style="width: 25.0000%;">No</td><td style="width: 25.0000%;">ALL</td></tr><tr><td style="width: 25.0000%;">Organization.Read.All</td><td style="width: 25.0000%;">Read Organization data to enable licence assignment: required if you wish to manage licence assignment from Halo</td><td style="width: 25.0000%;">No</td><td style="width: 25.0000%;">ALL</td></tr><tr><td style="width: 25.0000%;">LicenseAssignment.ReadWrite.All</td><td style="width: 25.0000%;">Read and Write Licence Assignments: required if you wish to manage licence assignment from Halo</td><td style="width: 25.0000%;">No</td><td style="width: 25.0000%;">ALL</td></tr></tbody></table><p><br></p><p><span style="font-size: 11pt;">Once you have chosen the authentication method, credential type and understand which permissions you need, you can proceed to create an App Registration within your Azure Tenant by following the instructions in <span style="font-size: 11pt;" id="isPasted"><a data-fr-linked="true" href="https://usehalo.com/haloitsm/guides/2446" target="_blank" rel="noopener noreferrer"><strong>Authentication Methods for Microsoft Integrations</strong></a>.&nbsp;</span></span></p><p><br></p><p><span style="font-size: 11pt;"><span id="isPasted">Instructions to configure the integration with a Secret are included below as this is most commonly used method:&nbsp;</span></span></p><p><span style="font-size: 11pt;"><br></span></p><p><br></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;" id="isPasted"><strong style="box-sizing: inherit; font-weight: bolder;"><span style="box-sizing: inherit; font-size: 14pt; color: rgb(0, 0, 0);">App Registration Setup</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="color: rgb(0, 0, 0); font-size: 11pt;">Open the Entra Admin Center (or similar) and navigate to the App Registration section. Click &quot;New Registration&quot;.</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjU1N2I1ZTRhLTA2MGEtNDEyNS1iMWI1LWM1MzE1ZDY2NzgwMSJ9.kcbjRwxmXuY1wiBG6ctW6acxVSFdPfT5WneYpzfi_3E" width="1435" height="473" style="box-sizing: inherit; border-style: none; text-align: left; width: 1437px; height: 473.229px;" class="fr-fil fr-dib"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 5. Create new app registration in Azure&nbsp;</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="font-size: 11pt; color: rgb(0, 0, 0);">On the registration screen you will want to fill out:</span></p><ul style="box-sizing: inherit; margin-bottom: 1rem; margin-top: 0px;"><li style="box-sizing: inherit; font-size: 11pt; color: rgb(0, 0, 0);">Name: Choose something sensible; this won&#39;t be visible to users unless used as an SSO provider.</li><li style="box-sizing: inherit; font-size: 11pt; color: rgb(0, 0, 0);">Supported Account Type: Single tenant</li><li style="box-sizing: inherit; font-size: 11pt; color: rgb(0, 0, 0);">Redirect URI: The integration setup page/guide will tell you if you need one and the value required under the heading &#39;Redirect uri to register in Azure application for imports&#39;. The platform is &quot;Web&quot;. The redirect required will differ based on the Halo version you are on (prior/after v2.200+), therefore be sure to check the integration setup page for the exact URI needed.&nbsp;</li></ul><p id="isPasted"><span style="font-size: 11pt;"><em><strong>Note: If you have disconnected to the integration and are reconnecting, if your Halo instance is on v2.200+ you will need to use the new redirect URI (https://YOURHALODOMAIN/authcallback).</strong></em></span></p><p><br></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRjYTIxNmY5LTI3ZjAtNDBiMi04MWNhLTkwNzBiN2I5NGRkNCJ9.CmzlY1PZn4RBDniYJIBNgbJhyJIvTo8EGjcVtoAtiOw" class="fr-fic fr-fil fr-dib" width="646" style="width: 648px; height: 394.664px;" height="395"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 6. New application screen</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="color: rgb(0, 0, 0); font-size: 11pt;">Click &quot;Register&quot;. Once registered, copy the &quot;Application (client) ID&quot; and &quot;Directory (tenant) ID&quot; from the Overview tab and store them safely, as these will be needed later.</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjM1NmQ4ZTk1LTQ0YmQtNDNlNC1iZDczLTBhZDBmNzBkMWM4NCJ9.JtFyLWODHWS058C1jQvdxZHB9Wscc3OAHEPMn9tTcns" width="1431" height="395" style="box-sizing: inherit; border-style: none; text-align: left; width: 1433px; height: 394.858px;" class="fr-fil fr-dib"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 7. Application ID and secret</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="color: rgb(0, 0, 0); font-size: 11pt;">Remove the default &#39;User.Read&#39; permission.</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjhjNTc3NTRkLWVjZmYtNGRmMC1hNGJhLWMwYzYwNGU3OGIwMyJ9.tDk6imlfazzQ-0IBoVgqYnkK3CelX4Fkl7_AohkuvXQ" width="1386" style="box-sizing: inherit; border-style: none; text-align: left; width: 1388px; height: 477.55px;" class="fr-fil fr-dib" height="478"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 8. Remove permission</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="color: rgb(0, 0, 0); font-size: 11pt;">Click &#39;Add a permission&#39;, choose the Microsoft Graph API and choose your permission(s). If the permissions on the integration&#39;s configuration page and the guide differ, use what the integration page in Halo gives and report this difference to our support team.&nbsp;</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjIwMTI1YWVmLWY3OWItNDAyNy1hMDMwLTFlZjNlYmM4ZmMwNSJ9.EpPBovgkqGq3zuyIOvT-o2HgULpPraNM5RvBzyNmVGI" width="1433" height="650" style="box-sizing: inherit; border-style: none; text-align: left; width: 1435px; height: 650.011px;" class="fr-fil fr-dib"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 9. Add permission</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="font-size: 11pt; color: rgb(0, 0, 0);">Grant admin consent.</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjNlOWEzYWM1LWFlYWYtNDRiNC04NDM5LTNkN2IzM2UxNGMxYSJ9.gezXFfsroTYpnRVsH0qUsR91-7CLqPsE9O16RhgrnUc" width="1431" height="733" style="box-sizing: inherit; border-style: none; text-align: left; width: 1433px; height: 733.263px;" class="fr-fil fr-dib"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 10. Grant admin consent in Azure for permissions</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="color: rgb(0, 0, 0); font-size: 11pt;">The &#39;Status&#39; column will change if consent has been successfully granted:&nbsp;</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijk1NjE4ZDEzLWYzZDAtNDBmMy1hNmVlLTE4ODViM2ZkNGIzMSJ9.xGKsixI-iwWcrJdjIuAoWlE9I7XcH3tp7_NGVJyLlAQ" width="1430" height="694" style="box-sizing: inherit; border-style: none; text-align: left; width: 1432px; height: 693.675px;" class="fr-fil fr-dib"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 11. Admin consent granted successfully</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="font-size: 11pt; color: rgb(0, 0, 0);">Once completed,&nbsp;</span><span style="color: rgb(0, 0, 0); font-size: 11pt;">navigate to the &quot;Certificates &amp; secrets&quot; tab, and open the &quot;Client secrets&quot; tab if not already. Click &quot;New client secret&quot;, fill out the description and choose an expiry. Microsoft limits this to a maximum of 2 years from creation. Once this generates, copy the &quot;Value&quot; (not Secret ID) and store it securely. It will no longer be visible once you leave this screen.</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjJkNjU3MmQzLTBjN2UtNGQ1Ny05MjdjLTIwYTAxODRhM2I3MyJ9.VUXFd_YkwMY43pQtqqYBVJzjniSP8o-ON4twC8sUtvs" width="1442" height="484" style="box-sizing: inherit; border-style: none; text-align: left; width: 1444px; height: 483.867px;" class="fr-fil fr-dib"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 12. Generate secret</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImRkYTFhMjI2LTI3OTktNDUyYi04OTljLTQ5NWExZDZlY2M5NSJ9.RVxb4nCM6ebCzzdkYHcnx7-sDSVZzQu0kFz0EQmhQlE" width="1443" height="644" style="box-sizing: inherit; border-style: none; text-align: left; width: 1445px; height: 643.559px;" class="fr-fil fr-dib"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 13. Secret value</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="font-size: 11pt; color: rgb(0, 0, 0);">Return to Halo, add this secret to the secret field along with the Tenant and Application IDs and &#39;Save&#39;.</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br></p><p><span style="font-size: 11pt; color: rgb(0, 0, 0);">If you have connected instances, you will find the &quot;</span><span style="font-size: 11pt;">Enabled for Instances</span><span style="font-size: 11pt; color: rgb(0, 0, 0);">&quot; drop-down. Here you can choose which instances the integration is allowed to run in.&nbsp;</span><span style="font-size: 11pt;">This allows you to easily prevent imports in UAT environments as you no longer need to disable these integrations in UAT each time it is restored. By default this will be set to &quot;Production only&quot;.&nbsp;</span></p><p><br></p><p><span style="font-size: 11pt;"><strong><em>Note: When updating the Instances the Integration is enabled in, the config change must be synced to the other instances before taking effect in the linked instances.</em></strong></span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImVkNTlmOWVlLWVhZDYtNGQ0MC05NTc2LWVmY2Q1YWFjOWIwZCJ9.Au7EjrSq3y4a0OzLRL6twVnd6Dw-MJvRmVv0ywYZLF8" class="fr-fic fr-fil fr-dib" width="1444" style="width: 1446px; height: 770.503px;" height="771"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 14. Enter application details in Halo</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong style="box-sizing: inherit; font-weight: bolder;"><span style="color: rgb(0, 0, 0); font-size: 11pt;">Using delegated permissions</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="color: rgb(0, 0, 0); font-size: 11pt;">There will be a &quot;Sign in with Microsoft&quot; button. Once pressed, you will be directed to the Microsoft Sign-In screen where you can sign in before being re-directed back to Halo. You will need to sign in with an account with appropriate permissions to access the resources you wish to import; so access to read all users, groups as a minimum and potentially audit logs, organisation data and ability to modify licences if you wish to use those features.&nbsp;</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijg4ODZlNjg3LTdlNTItNGIzZC04YWEzLTVhNGRhNzk2NmUwMCJ9.xUZhYv4yfll4onZOGZI-EvcGfeF8QVjgZK_UCU127eM" width="494" height="377" style="box-sizing: inherit; border-style: none; text-align: left;" class="fr-fil fr-dib"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 15. Sign in with Microsoft to authorise connection</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="color: rgb(0, 0, 0); font-size: 11pt;">If the authentication has been successful, the permissions/redirect URIs will have disappeared and the other tabs become accessible (if they weren&#39;t before). If unsuccessful, an error will appear in a model windows once re-directed back to Halo.</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjZlNDYxZTVkLTcxNjAtNDI3MS1iYmQwLTZhZjZhN2E4ZWFiMyJ9.jj2elVyQGKoamNA4EiYKP7dtBy6DwW3ExBV_tNqdeLM" width="1049" style="box-sizing: inherit; border-style: none; text-align: left; cursor: pointer; padding: 0px 1px; user-select: none; color: rgb(0, 0, 0); font-family: sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; width: 1051px; height: 694.411px; max-width: none !important;" class="fr-fil fr-dib" height="694"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 16. Successful connection</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong style="box-sizing: inherit; font-weight: bolder;"><span style="color: rgb(0, 0, 0); font-size: 11pt;">Using application permissions</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="color: rgb(0, 0, 0); font-size: 11pt;">There will be an &quot;Authorise Application&quot; button. Once pressed, the application will attempt authorisation without leaving Halo.&nbsp;</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY1MmFhNTY2LTcwZGEtNGNiZS1hYTI0LTdmMThmNjg0MGZmZCJ9.HIxhpfn-_qkK6eOa69CZYdLE6kq5jWgMalbBI_jvErQ" width="643" height="432" style="box-sizing: inherit; border-style: none; text-align: left;" class="fr-fil fr-dib"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 17. Authorise application&nbsp;</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><span style="font-size: 11pt; color: rgb(0, 0, 0);">If successful, the button will disappear and relevant tabs will be unlocked. If unsuccessful, an error code will appear in a modal window.</span></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><br style="box-sizing: inherit;"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImFkZTI0ZDVhLTlmMDktNDMzNS1iOTFiLTQyYTQ0MDc0NjI0NCJ9.DSvLkGG4afqb9quod8ZjPloNy_H2mb0x_PPuzQn3VNc" width="1412" height="958" style="box-sizing: inherit; border-style: none; text-align: left; width: 1414px; height: 958.366px;" class="fr-fil fr-dib"></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(221, 221, 221) !important;"><strong><span style="color: rgb(0, 0, 0);">Fig 18. Successful connection</span></strong></p><p><br></p><p id="isPasted"><span style="font-size: 14pt;"><strong>Single Sign-On (SSO) Configuration</strong></span></p><p><span style="font-size: 11pt;">Single Sign-On (SSO) allows your users and/or agents to log into Halo using the Microsoft credentials.&nbsp;</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">For information on setting up single sign on checkout our dedicated guide: <a href="https://usehalo.com/haloitsm/guides/2322" target="_blank" rel="noopener noreferrer" style="font-size: 11pt;">Microsoft Entra ID: Single Sign On (B2B)</a>.</span></p><p><br></p><p><span style="font-size: 14pt;"><strong>Agent/User Import Configuration</strong></span></p><p><span style="font-size: 12pt;"><strong>Field Mappings<br></strong></span></p><p id="isPasted"><span style="font-size: 11pt;">On the Field Mappings tab of, you can map fields from an Azure User to Halo fields for both Users and Agents, including custom fields for Users. If you&#39;ve created a new connection, some default mappings will be displayed. To remove any defaults during the initial configuration, save the connection first, or all defaults will be removed.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">Click the add icon in the top right corner to add a new field mapping for Users or Agents. This will bring up a screen where you can choose which Azure field should map to which Halo field. Each field can only be used once for Users and Agents. For Users, custom fields must be created in advance; they cannot be created on this screen.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;"><em><strong>Note: If you are mapping the manager field from Azure to a field in Halo for the user mappings, the value of this field will show as unpopulated on the manual import screen but will be retrieved when the records are actually imported.</strong></em></span></p><p><span style="font-family: Calibri; font-size: 12pt;"><br></span></p><p><span style="font-family: Calibri; font-size: 12pt;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImRhN2M2NGYxLTFmNmMtNDZjMS04ZWNjLWE4MzJkOTY0NWQ0YiJ9.IFs0HvNwTrLYGArQzCVjEVMwKUqjeqOpX0JFdJg43jg" class="fr-fic fr-fil fr-dib" width="555" style="width: 557px; height: 334.375px;" height="334"></span></p><p><strong><span style="font-size: 10pt;">Fig 19. Field mappings</span></strong></p><p><br></p><p id="isPasted"><span style="font-size: 11pt;">An Agent&#39;s manager can be mapped here, using the Azure AD field &#39;manager&#39; and Halo &#39;linemanager&#39; field. The manager must be an agent in Halo, created from an Azure import, in order for the manager to populate. The &#39;linemanager&#39; field in Halo is only compatible with the &#39;manager&#39; field in Azure, other fields cannot be mapped to this field.</span></p><p><br></p><p><span style="font-size: 11pt;">You can map an Entra field to the Halo field &quot;team&quot;, this will populate the default team against the agent. This can be used to assign agents to teams automatically using information in Entra.The Entra field you are mapping must contain the name of the team in Halo you would like the agent to have, matching will be based on the team name. If the data in this field cannot be matched to a team, the default team for the agent will not change, for new agents, this will be set to not set. When a default team is set for an agent they will be granted the following membership to this team:</span></p><ul><li><span style="font-size: 11pt;">Can be assigned to</span></li><li><span style="font-size: 11pt;">Can see Unassigned Tickets for this Team</span></li><li><span style="font-size: 11pt;">Can see Tickets assigned to other Agents in this Team</span></li></ul><p><br></p><p><span style="font-size: 12pt;"><strong>Site Mappings</strong></span></p><p><span style="font-size: 11pt;">The next tab, Agent/User Mappings, enables you to map subsets of users from your Azure Active Directory to correlating Sites (for users) or Roles (for agents). This is achieved by building mappings which filter on fields and/or security groups in Azure. To add a new mapping, hit the + symbol in the &quot;Site Mappings&quot; table.</span></p><p><span style="font-family: Calibri; font-size: 12pt;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjhiYmM5NzhkLTNjZjctNDA1OC1iOTNiLWJiZjE2ZTllNDkwZSJ9.zmnShFXzv7k8uUJxO28e1IOPXvVCc0gzvfsnsBpOCUs" class="fr-fic fr-fil fr-dib" width="928" height="224"></span></p><p><strong><span style="font-size: 10pt;">Fig 20. Site mappings</span></strong></p><p><br></p><p><span style="font-size: 11pt;">This will prompt you to choose a mapping type.</span></p><p><br></p><p><span style="font-family: Calibri; font-size: 12pt;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijc3NDNiYjZjLTM4YzgtNDMwNC05NjlmLTdmZTI5YTg4MzBmZiJ9.oMr1Ej1padFwbIOsRoXRTwX6Rf-O1qvGoiBXMkRTfJw" class="fr-fic fr-fil fr-dib" width="714" height="357"></span></p><p><strong><span style="font-size: 10pt;">Fig 21. Site mapping types</span></strong></p><p><br></p><span style="font-size: 11pt;"><strong>&quot;Map to an existing Site&quot;</strong></span><ul style="font-size: initial;"><li style="font-size: 11pt;">Allows you to manually correlate a subset of users from Azure Active Directory to an existing site in Halo</li><li style="font-size: 11pt;">Upon selection, you are are prompted to...&nbsp;<ul style="font-size: initial; list-style-type: disc;"><li style="font-size: 11pt;">Select a Site to create user profiles against in Halo.</li><li style="font-size: 11pt;">Select a sequence the system will import the mapping in.</li><li style="font-size: 11pt;">Select a user role for users to assume.</li><li style="font-size: 11pt;" data-pasted="true">If filtering on Azure group, the exact name of that group.</li><li style="font-size: 11pt;">Whether or not you would like to include external users. You can also choose to only import external users if they have an assigned licence.</li><li style="font-size: 11pt;">If filtering on Azure fields, the criteria for matching on users.</li></ul></li></ul><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRlMzZlMzVkLWUwNjYtNDE2Yy04Nzg2LTY5OTQ4ZTlmNjBlMyJ9.amPTw77Eo4O_-4BB1FI5nn5AnlavPkbJzdjVHvEWo1Y" class="fr-fic fr-fil fr-dib" width="678" height="599"></p><strong><span style="font-size: 10pt;">Fig 22. Site mappings configuration if mapping to an existing site<br></span></strong><br><span style="font-size: 11pt;"><em><strong>Note: This site mapping type is used for importing agents. Simply select the site value of *agent* and fill out the mapping just as you would for the users. These Azure Active Directory users will be imported as Agents as well as users when the integration sync runs.</strong></em></span><ul style="font-size: initial;"><li style="font-size: 11pt;">You can map &quot;creationtype&quot; to agents and users. This corresponds with the &quot;User Type&quot; in Entra.</li><li style="font-size: 11pt;">You can use this mapping type to map a &quot;License Type&quot; to Agents (referring to either named or concurrent licenses in Halo). By default, this is set to &quot;No Change&quot; which is the same behaviour as previously - make agents concurrent if new, do not change them if already existing.</li></ul><span style="font-size: 11pt;"><strong>&quot;Map to an existing Organization based on an Azure field&quot;</strong></span><ul style="font-size: initial;"><li style="font-size: 11pt;">Allows you to auto-generate a site in Halo against a set Organization based on a field in &nbsp;Azure Active Directory</li><li style="font-size: 11pt;">Upon selection, you are are prompted to...<ul style="font-size: initial; list-style-type: disc;"><li style="font-size: 11pt;">Select the Organization in Halo to create the new site under.</li><li style="font-size: 11pt;">Select the filter field to group users by and create sites with (value of field will result in site name).</li><li style="font-size: 11pt;">Select a sequence the system will import the mapping in.</li><li style="font-size: 11pt;" data-pasted="true">Select a user role for users to assume.</li><li style="font-size: 11pt;">If filtering on Azure group, the exact name of that group.</li><li style="font-size: 11pt;" data-pasted="true">Whether or not you would like to include external users. You can also choose to only import external users if they have an assigned licence.</li><li style="font-size: 11pt;">If filtering on Azure fields, the criteria for matching on users.&nbsp;</li></ul></li></ul><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjQ2MmFhYjQzLWJlNTAtNGIzMC04OTU5LWRlMGFkY2FlY2M1YyJ9.zXepijG155YYOpwB1UfSa-iDxvVYhvdR8f1TVuQDKcc" class="fr-fic fr-fil fr-dib" width="681" height="672"></p><p data-pasted="true"><span style="font-size: 11pt;"><strong><span style="font-size: 10pt;">Fig 23. Site mappings configuration if mapping to an organisation</span></strong></span></p><p><br></p><p><span style="font-size: 11pt;"><strong data-pasted="true">&quot;Map to an existing site by matching on a field&quot;</strong></span></p><ul><li><span style="font-size: 11pt;">This allows Users to be mapped to Sites dynamically.&nbsp;</span></li><li><span style="font-size: 11pt;">You can also choose to prevent the import or set a default Site for Users who do not match a Site.</span></li><li><span style="font-size: 11pt;">You can then select a Halo Site and User field to match values on.&nbsp;</span></li><li><span style="font-size: 11pt;">For User fields, you will likely need to map a value from Entra to the field in Halo.&nbsp;</span></li><li style="font-size: 11pt;" data-pasted="true">Select a user role for users to assume.</li><li style="font-size: 11pt;" data-pasted="true">If filtering on Azure group, the exact name of that group.</li><li style="font-size: 11pt;" data-pasted="true">Whether or not you would like to include external users. You can also choose to only import external users if they have an assigned licence.</li><li style="font-size: 11pt;" data-pasted="true">If filtering on Azure fields, the criteria for matching on users.&nbsp;</li><li style="font-size: 11pt;" data-pasted="true">Finally, you can choose values to apply to any Users imported with this Site Mapping.</li></ul><br><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY1NTNlZDkwLTM3MjAtNDI3ZS04NWM5LTk1NDg4M2NlZDFiMiJ9.wLyra8YgbiSlrT2Pd6sf4EXydlPdbmVqpfiLoit1WIM" class="fr-fic fr-fil fr-dib" width="528" height="812"></p><p><br></p><p data-pasted="true"><span style="font-size: 11pt;"><strong><span style="font-size: 10pt;">Fig 24. Site mappings configuration if mapping an existing Site on matching field</span></strong></span></p><p><br></p><p><span style="font-size: 14pt;"><strong>Advanced Configuration</strong></span></p><p id="isPasted"><span style="font-size: 11pt;">In the Advanced Configuration section, you can set up various mappings and management functionality. This allows you to map Azure Active Directory groups to specific agent/user roles, teams and CABs in Halo so when importing agents/users, if they are part of an Azure Group with a corresponding mapping, the assigned Halo role/team/CAB from this mapping will be applied to their agent/user account. This mapping works in conjunction with the role specified in the site mapping undertaken in the previous step.&nbsp;</span></p><p><br></p><p><span style="font-size: 11pt;">The following entities can be mapped:</span></p><ul><li><span style="font-size: 11pt;">Agent Roles</span></li><li><span style="font-size: 11pt;">User Roles</span></li><li><span style="font-size: 11pt;">Change advise board (CAB)</span></li></ul><p><span style="font-size: 11pt;"><strong>Licence Management (General Settings) (v2.238+)</strong></span></p><p><span style="font-size: 11pt;">From v2.238+ you can use Entra exclusively to manage roles. Useful when roles are directly related to azure groups as this allows agents permissions (roles) to automatically change when their roles change in Entra. This is enabled using the &quot;Enable full Role management via Microsoft Entra ID&quot; setting.</span></p><p><strong><br></strong></p><p style="margin-left: 20px;"><span style="font-size: 11pt;"><strong>Enable full Role management via Microsoft Entra ID -</strong> (v2.238+) When enabled, agent&#39;s roles will be fully managed by the Entra integration. Any roles manually assigned to an agent will be removed upon import and replaced in line with the &#39;Agent Role Mappings&#39; table. This means that when an agent is removed from an azure group, the roles mapped to this group will be removed from their agent account. If an agent does not have any roles (is not in a group with a mapped role) they will be made inactive in Halo.</span></p><p><br></p><p><strong><span style="font-size: 11pt;">Agent and User role mappings</span></strong></p><p><span style="font-size: 11pt;">Halo agent and user roles can be mapped to Azure groups. Any users in Azure that are a part of this group will be assigned to the mapped agent and user roles when imported into Halo.&nbsp;</span></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjZjNWMwYjc3LTQyOWEtNDE4Mi05YmVjLWI5ODU5YzJlYTJjMCJ9.ywPDtqyxuuC8q5HYPpMTmN2LHPN4-Y0WAAGAOTjDm68" class="fr-fic fr-fil fr-dib" width="1629" style="width: 1631px; height: 926.292px;" height="926"></p><p><strong><span style="font-size: 10pt;">Fig 25. Agent and User role mappings&nbsp;</span></strong></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">Add an entry to a table to configure a mapping. When adding a mapping you will need to type out the exact name of the Azure group then select which Halo agent/user role to map this group to.&nbsp;</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;"><strong>Role for Users with no manager&nbsp;</strong>- This setting can be used to have users that do not have a manager in Azure create in Halo with a chosen role. For example, more senior staff may not have a designated manager therefore will like need a role in Halo that gives then a high level of access. &nbsp;</span></p><p><br></p><p><span style="font-size: 11pt;"><strong>Agent Team Mappings</strong></span></p><p><span style="font-size: 11pt;">Halo agent teams can be mapped to Azure groups. Any agents that are a part of this group will be assigned to the mapped Halo team when imported from Azure. This is done using the Team mappings table.&nbsp;</span></p><p><span style="font-size: 11pt;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImY2NTliYzY2LTcyNzktNDk1Ny1iMGRjLTNhOGI2OGRkNmJmZiJ9.ouXlc0l5uN3ppp3uz9uPBS2C73cWhmYII7L4zQa7w94" class="fr-fic fr-fil fr-dib" width="1258" style="width: 1260px; height: 577.944px;" height="578"></span></p><p><br></p><span style="font-size: 10pt;"><p><strong>Fig 26. Agent team mappings</strong></p><p><br></p></span><span style="font-size: 11pt;"><p id="isPasted">Add an entry to a table to configure a mapping. When adding a mapping you will need to type out the exact name of the Azure group then select which Halo team to map this group to.&nbsp;</p></span><span style="font-size: 10pt;"><p><br></p></span><span style="font-size: 11pt;"><p>If you are using the Halo Integrator, you will be able to remove an agent from the team if they are not found on the import, by using the &quot;If a previously imported Agent exists in the Team, but isn&#39;t found on the import then remove the Agent from the Team (Halo Integrator only)&quot; checkbox.</p></span><span style="font-size: 10pt;"><p><br></p></span><p><span style="font-size: 11pt;"><strong>Change Advise Board Mappings</strong></span></p><p><span style="font-size: 11pt;">Here, you can have users in a particular Azure group automatically be added to a CAB in Halo when they are created in Halo.&nbsp;</span></p><p><span style="font-size: 11pt;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImM4OTZjNjNmLTViMWQtNGIxMy1iNWJiLWZhZjJlYjRiNTQxMCJ9.uDKYLVQD47NfvNgqui_bBdcsDP7taR3XZ265al8DLE8" class="fr-fic fr-fil fr-dib" width="546" style="width: 548px; height: 307.224px;" height="307"></span></p><p><strong>Fig 27. CAB mapping</strong></p><p><br></p><p><strong><span style="font-size: 11pt;">Add a CAB role:</span></strong><span style="font-size: 11pt;">&nbsp;If you check the option to add a CAB role to the mapping, you will be able to choose which CAB role users in this group are created with.</span></p><p><br></p><p><span style="font-size: 14pt;"><strong>Licence Management&nbsp;</strong></span></p><p><span style="font-size: 11pt;">The last segment in the Advanced Configuration tab pertains to license management. Activating this feature enables you to update the status of an agent based on the roles they are assigned.</span></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImY1ZDFhMzM1LTJmZjUtNGFjMC1iZDczLTc4Mjk1MjE1ZTllMiJ9.7zS8T0d5NUxuOFDuhnn-I6wbsQ8lXkoFMLmS3msBaCw" class="fr-fic fr-fil fr-dib" width="1235" style="width: 1237px; height: 313.976px;" height="314"></p><p><span style="font-size: 10pt;"><strong>Fig 28</strong><strong>. Licence management.</strong></span></p><p><br></p><p><span style="font-size: 11pt;">When licence management is enabled, you will be able to select agent roles that make agent accounts inactive in Halo. If all Azure users that should not be active in Halo are in the same group, you can map this group to an agent role, then set this agent role to make agents inactive.&nbsp;</span></p><p><br></p><p><span style="font-size: 11pt;"><em><strong>Note: If licence management is enabled and a group is removed from the list of &quot;Roles that give an Agent a named licence&quot;, those Agents will be assigned a <span style="color: rgb(226, 80, 65);">concurrent licence</span> instead upon the next sync.</strong></em></span><strong><em><br></em></strong></p><p><br></p><p><strong><em><span style="font-size: 11pt;">Note: The Agent account will be automatically disabled if the accountEnabled property of the Azure User is false.</span></em></strong></p><p><br></p><p><span style="font-size: 14pt;"><strong>Imports</strong></span></p><p id="isPasted"><span style="font-size: 11pt;">In the Imports tab, you have the option to manually import Users and Agents from Azure. Furthermore, you can set up the Halo Integrator application to perform these imports automatically.</span></p><p><br></p><p><span style="font-size: 11pt;">&quot;Re-assign Tickets to unassigned when the assigned Agent is made inactive&quot; can be enabled to re-assign Tickets assigned to an Agent deactivated by Entra.</span></p><p><span style="font-family: Calibri; font-size: 12pt;"><br></span></p><p><span style="font-family: Calibri; font-size: 12pt;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImI0OGNjNjYwLTFlMGUtNDZhMi04Mzg0LTM2ZGYzMWM1NjA1YyJ9.yixF3S-7ns_29fjzD7HCkCMfCJr1C53RG61xGUu6Pcg" class="fr-fic fr-fil fr-dib" width="1231" style="width: 1233px; height: 560.744px;" height="561"></span><strong><span style="font-size: 10pt;">Fig 29. Import configuration</span></strong></p><p><br></p><p id="isPasted"><span style="font-size: 11pt;">By default, when importing from Azure, a User is matched to an existing User record in Halo based on their unique Azure ID. If your User list is already in your Halo database, but you haven&#39;t imported from Azure before, Users may not have a unique Azure ID assigned, leading to potential duplicate users during the import. To prevent this, choose at least one matching field to avoid duplicates by matching old records on different fields. The matching process follows the order in which you add fields to these boxes.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">When you click the &quot;Import Users&quot; or &quot;Import Agents&quot; button, Halo retrieves your User list from Azure, organizes them based on the configured mappings, and displays the returned Users on the import screen. Note that without authorization or if your authorization has expired, you&#39;ll receive a 401 Unauthorized message, and you should reauthorize the application. Even if you do not want to import manually within the web app, it is still recommended that you click the Import Agents/Users buttons to check that your mappings are returning the correct subsets of users, before proceeding with an import via the Halo Integrator.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 14pt;"><strong>Halo Integrator<br></strong></span></p><p><span style="font-size: 11pt;">Once you&rsquo;re happy with your configuration for the rest of the connection, you can then enable the connection to be synced via the Halo Integrator application.</span></p><p><span style="font-family: Calibri; font-size: 12pt;"><br></span></p><p><span style="font-family: Calibri; font-size: 12pt;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjU1NjA4YmMxLWNlYmQtNGU5OS04ZDZhLWZlMTQwYWEyODZhZiJ9.SwniKHUR-JB0s6WRTn4nqR1_MSTmgyWiDXbs-NWT5TQ" class="fr-fic fr-fil fr-dib" width="628" style="width: 630px; height: 279.171px;" height="279"></span><br></p><p><span style="font-size: 10pt;"><strong>Fig 30. Enabling the integrator</strong></span></p><p><br></p><p><span style="font-size: 11pt;">Most customers using Halo Service Solutions have their Halo Integrator hosted for them. In such cases, there&#39;s no need for individual customers to host their Integrator for regular synchronization. If you have a specific preference to host your own Halo Integrator, please refer to the related guide for detailed instructions.</span></p><ul><li><span style="font-size: 11pt;"><strong><a href="https://usehalo.com/halopsa/guides/1062/" rel="noopener noreferrer" target="_blank">Halo Integrator Guide (PSA)</a></strong></span></li><li><span style="font-size: 11pt;"><a href="https://usehalo.com/haloitsm/guides/1062/" rel="noopener noreferrer" target="_blank"><strong>Halo Integrator Guide (ITSM)</strong></a></span></li></ul><p><br></p><p><span style="font-size: 11pt;"><strong>Deactivate Users in HaloPSA when they are not found in Azure (Halo Integrator only):&nbsp;</strong>When enabled users will be deactivated automatically in HaloPSA when they are not found in Azure. If you are using Azure deltas, users will be deactivated when they are deleted from Azure.&nbsp;</span></p><p><br></p><p><span style="font-size: 11pt;"><strong>Setting up Multiple integrators</strong></span></p><p><span style="font-size: 11pt;">If you have/are setting up more than one Azure tenant, you can configure the Halo integrator to sync different entities (behave differently) for each tenant.&nbsp;</span></p><p><br></p><p><span style="font-size: 11pt;">To do this, enable the integrator for each tenant, on the setup page for each tenant, setting the entities you would like to sync for each tenant. Then in the &#39;Client ID&#39; field enter the tenant ID you would like this integrator configuration to apply to.&nbsp;</span></p><p><br></p><p><span style="font-size: 11pt;">If you would like the integrator to run for one tenant but not the other, enable the integrator against the tenant you would like it to run for, entering this tenant&#39;s ID in the &#39;Client ID&#39; field. Leave the integrator disabled against the other tenant.&nbsp;</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;"><strong>Note For Older Installations</strong></span></p><p><span style="font-size: 11pt;">For versions 2.13.1 and above, the integration allows connections to multiple applications/tenants. If you had configured the integration for Single Sign-On before v2.13.1, a default connection is added to maintain Single Sign-On functionality.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">Using delta queries allows the Halo Integrator to retrieve recently updated records only from Microsoft Entra, thus allowing a much more frequent sync of the Halo Integrator.&nbsp;</span></p><p><span style="font-size: 11pt;"><br></span><span style="font-size: 14pt;"><strong>Microsoft Entra ID Integration - Delta Queries</strong></span></p><p><span style="font-size: 11pt;">Azure delta queries can be activated on the Imports tab of the Microsoft Entra integration setup screen.</span></p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImJiZmRlMmNkLTJlM2QtNDUzMS1hMjcyLTdhYjZmNTc1OTYxNSJ9.QYifQOtwWXGzm4088IKlzrgZpY6KrjGyFXvRT6deUT4" class="fr-fic fr-fil fr-dib" width="783" style="width: 783px; height: 147.96px;" height="147.96"></p><p><strong><span style="font-size: 10pt;">Fig 31. Enabling delta queries</span></strong></p><p><br></p><p><span style="font-size: 11pt;">Using the Reset Deltas button you can also reset the current delta saved by the Halo Integrator by either clearing the delta, or getting the latest version of the delta.</span></p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjhmOTBmODFlLTM1N2YtNDlkZS1hMTkyLTRmZjY0ODIyNTE0YiJ9.F7kjXv6HQrWlhqCjf_bgdSdUC--EZzTjDNj1q1OJ66k" class="fr-fic fr-fil fr-dib" width="446" style="width: 446px; height: 220.728px;" height="220.728"></p><p><span style="font-size: 10pt;"><strong>Fig 32. Resetting deltas</strong></span></p><p><br></p><p><span style="font-size: 11pt;">Getting the latest delta means that you can instantly start processing the integration on the Halo Integrator much faster, whereas clearing it means the entire directory of users will be processed on the next sync.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">You can set a sync method. By default, this will be set to &quot;Listen to all changes&quot; to match the existing functionality. The new option will sync a delta query to only listen to system fields used within Halo and mapped user fields. This includes fields and filters used on site mappings that impact users.</span></p><p><br></p><p><span style="font-size: 11pt;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjllODk0MTgxLWZmMGItNGNmYy05M2E0LTU0MWJhZGE4ODdjNSJ9.N9X2ybY9bFQAZBR3rlKFXOBgecAreeYppdeOG-k4ICo" width="525" height="181" style="box-sizing: inherit; border-style: none; cursor: pointer; padding: 0px 1px; user-select: none; text-align: left; color: rgb(0, 0, 0); font-family: sans-serif; font-size: 14.6667px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; max-width: none !important;" id="isPasted" class="fr-fil fr-dib"></span><span style="font-size: 10pt;"><strong>Fig 33. Delta sync method.</strong></span></p><p><br></p><p><span style="font-size: 11pt;">This also impacts groups, only changes to the displayName and members property of groups will be listened to.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">Some fields are not compatible with this Delta sync method and therefore will not be listened to. However, incompatible fields will be retrieved when a change for a compatible field occurs.</span></p><p><br></p><p><span style="font-size: 11pt;"><img data-fr-image-pasted="true" src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijg4Njc0YWVlLWUzYzItNDgwOC04MDg1LTY4ZTg1OGMwZDlhOSJ9.s0wceVCC8A4uFVXgQTXsDjQMtUzFT3iE1V-JVQrJXh4" width="504" style="box-sizing: inherit; border-style: none; cursor: pointer; padding: 0px 1px; user-select: none; max-width: calc(100% - 10px); min-width: 10px; color: rgb(0, 0, 0); font-family: sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; width: 506px; height: 182.467px;" id="isPasted" class="fr-fic fr-fil fr-dib" height="182"></span><br></p><p><span style="font-size: 10pt;"><strong>Fig 34. Incompatible Delta fields.</strong></span></p><p><br></p><p><span style="font-size: 11pt;">Incompatible fields will be highlighted, alongside where the field is used, when changing to the new method.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">When modifying the sync method, user, or site field/filter mappings for the Microsoft Entra integration, the system will retrieve the latest delta queries and display a warning message to confirm this action.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">For more information on Azure Deltas see our guide <a data-fr-linked="true" href="https://usehalo.com/haloitsm/guides/2290/" id="isPasted" target="_blank" rel="noopener noreferrer"><strong>here</strong></a>.&nbsp;</span></p><p><br></p><p><strong><span style="font-size: 11pt;">Inbound Logging</span></strong></p><p><span style="font-size: 11pt;">Once the functionality is enabled, for each user update that is processed via the Halo Integrator, a more detailed log can be found on the Inbound Requests tab of each integration setup screen. This includes a more detailed log explaining which mappings have been matched, and the result of each individual update notification.</span></p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Ijc1MmVhNDRiLTEyYzgtNGFkZC05NzZiLTk5Nzc1ZThkOGFhMyJ9.lDt3wOBA9DrI2lTXbeOV3cqrbjyuYUO9YkLR6koBeHc" class="fr-fic fr-fil fr-dib" width="808" style="width: 808px; height: 235.733px;" height="235.733"></p><p><strong><span style="font-size: 10pt;">Fig 35. Log example</span></strong></p><p><br></p><p><span style="font-size: 11pt;">Manual imports are not affected by this functionality. The processing of the user update notifications has been designed to align with the manual import, even though the way they are processed is different.</span></p><p><br></p><p><span style="font-size: 14pt;"><strong>Licence Management in Microsoft Entra ID</strong></span></p><p><span style="font-size: 11pt;">This requires adding the &quot;LicenseAssignment.ReadWrite.All&quot; permission to your application and reauthorising your connection.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">Once this is done, you will be able to configure the Licence import. A client must be specified for the licences to be imported to, which should match the client the users are imported to. Licences can then be imported manually or via the integrator. Once licences have been imported, subsequent user imports will link the users in Halo to the licences from Entra.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">Additionally, you can enable &quot;Allow licences to be managed from within Halo&quot; to allow licences in Entra to be managed from within Halo. When assigning software to a user, you can specify a licence for the software. If this licence is from Entra, it will be added to their account upon saving. Similarly, removing a licence from a user that was imported from Entra will remove that licence in Entra.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;"><span style="color: rgb(226, 80, 65);"><em><strong>Note:&nbsp;</strong></em></span></span><span style="color: rgb(226, 80, 65); font-size: 11pt;"><strong><em>This feature should only ever be used with either the CSP integration or Microsoft Entra ID integration, you should never enable it for both integrations.</em></strong></span></p><p><br></p><p><strong><span style="font-size: 14pt;">Control who can manage the Entra integration<br></span></strong></p></div></div><p><span style="font-size: 11pt;">If you would like selected agents to be able to manage selected connections on a per-tenant basis, access control can be granted to additional agents, this means you can choose which tenant connection agents have access to.</span></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">To do this head to the Azure connection you would like to grant access for and use the &#39;Access control&#39; button.</span></p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImZhMDQyZTJjLWE3MTctNDk3Zi1iOTRhLWVkZjJkYTUzMGI1YyJ9.IvzRkFF5-602U2SZRgSn7XQPrRwj_qzzxs26UvINERc" class="fr-fic fr-fil fr-dib" width="858" style="width: 860px; height: 449.834px;" height="450"></p><p><strong><span style="color: rgb(0, 0, 0); font-size: 10pt;">Fig 36. Give access to connection</span></strong></p><p><br></p><p><span style="font-size: 11pt;">Here, choose who to give access to and the level of access they have.</span></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjRlNjQzMzMwLTc2ODctNDY5NC1hYzdlLWZjZmQzNzQ2ZmM0YiJ9.dXwiwCpLNNRHDM43jFTv2woon-j0DqLeqWPyQf5xAOI" class="fr-fic fr-fil fr-dib" width="497" style="width: 499px; height: 318.757px;" height="319"></p><p><strong><span style="font-size: 10pt;">Fig 37. Granting access control</span></strong></p><p><br></p><p><span style="font-size: 11pt;">If &#39;Read and Modify&#39; access if granted to &#39;James Brown&#39; this means this agent will be able to view and make changes to any of the setup for this connection, but they will not be able to create new connections or see/modify others.&nbsp;</span></p><p><br></p><p><span style="font-size: 14pt;"><strong>Miscellaneous Settings</strong></span></p><p><span style="font-size: 11pt;">A new tab is available within the main page configuration. Here, you can now allow Azure distribution groups to be added as followers on a ticket, allowing easy access to tickets with information that may be relevant to a large group of people.</span></p><p><br></p><p><span style="font-size: 11pt;">Enable &quot;Allow groups to be added as Ticket followers&quot;, and enable the same per Entra connection. A default connection can then be set.</span></p><p><br></p><p><span style="font-size: 11pt;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImFmODNkZGFmLWE3M2YtNDkzOS1iMDExLTE5MmVkMDM4NjAzMCJ9.K545vRyxylmEL6w_qRkcx7m97s5DmBhgVtBUxz9rD9Y" class="fr-fic fr-fil fr-dib" width="587" height="532"></span></p><p><span style="font-size: 10pt;"><strong>Fig 38. Adding followers to a ticket based on Azure distribution group</strong></span><strong><span style="font-size: 10pt;"><br></span></strong></p><p><br></p><p>There are two options for how the followers are added to tickets:</p><p><br></p><table style="width: 100%;" class="grid"><tbody><tr><td style="width: 20%;"><strong>Option</strong></td><td style="width: 20%;"><strong>How the Followers are Added</strong></td><td style="width: 20%;"><strong>Automatic Updates?</strong></td><td style="width: 20%;"><strong>Access to Tickets?</strong></td><td style="width: 25.0000%; width: 20.0000%;"><strong>Extras?</strong></td></tr><tr><td style="width: 20%;"><strong>Add the distribution list email address<br></strong></td><td style="width: 20%;">The email address for the list will be CC or BCC&#39;d into actions based on the setting at action level.</td><td style="width: 20%;">Adding or removing users from the list will immediately add or remove them from the email chain.</td><td style="width: 20%;">This option does not grant followers access to the tickets.</td><td style="width: 25.0000%; width: 20.0000%;">N/A</td></tr><tr><td style="width: 20%;"><strong>Add the distribution list members as individual User followers<br></strong></td><td style="width: 20%;">This will add each user in the list as a follower. If the user has been imported into Halo, they will be made a follower. If not, their email address will be added as a follower.</td><td style="width: 20%;">Changes to the distribution list will not be reflected in Halo automatically.</td><td style="width: 20%;">Agent/user followers can be allowed access to the ticket.</td><td style="width: 25.0000%; width: 20.0000%;">A maximum number of distribution members can be selected. This defaults to 100.</td></tr></tbody></table><p><br></p>
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Platform
Platform Capabilities >
Use Cases
View all Use Cases >
Resources
Halo
Subscribe to Halo for latest news

By submitting, you are agreeing to our privacy policy.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Follow
© 2026 Halo Service Solutions. All Rights Reserved.
Terms & ConditionsPrivacy PolicySecurityTrust CentreGDPRAccessibilityModern Slavery StatementService Status