<style>p { margin: 0; }span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left:0; padding-left:5px;}blockquote blockquote{ border-color: #00bcd4; color: #00bcd4;}blockquote blockquote blockquote{ border-color: #43a047; color: #43a047;} table.grid{ border-collapse: collapse;} table.grid td, table.grid th { border: 1px solid #ddd;} .fr-fic.fr-dib{ display: block; margin: 5px auto;}.fr-fic.fr-dib.fr-fir{ text-align: right; margin: 5px 0 5px auto;}.fr-fic.fr-dib.fr-fil{ text-align: left; margin: 5px auto 5px 0;}.fr-fic.fr-dii{ float: none; margin: 5px auto;}.fr-fic.fr-dii.fr-fil{ float: left; margin: 5px auto;}.fr-fic.fr-dii.fr-fir{ float: right; margin: 5px auto;}img.fr-dib.fr-fir { margin-right: 0; text-align: right;}img.fr-dib.fr-fil { margin-left: 0; text-align: left;}img.fr-dib { margin: 5px auto; display: block; float: none;}img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC;}img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc;}img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box;}</style><style>
</style><div data-pasted="true"><p data-pasted="true"><strong><span style="font-size: 11pt;">In this guide we will cover:</span></strong></p><p><span style="font-size: 11pt;"><strong>- What is the Microsoft CSP integration?</strong></span></p><p><span style="font-size: 11pt;"><strong>- Configuring CSP</strong></span></p><p><span style="font-size: 11pt;"><strong>- Partner Centre Connection (Single Tenant App Registration)</strong></span></p><p><span style="font-size: 11pt;"><strong>- Authorizing Connection in Halo</strong></span></p><p><span style="font-size: 11pt;"><strong>- GDAP Connection (Multi-Tenanted App Registration)</strong></span></p><p><span style="font-size: 11pt;"><strong>- Tenants</strong></span></p><p><span style="font-size: 11pt;"><strong>- Licenses & Subscriptions</strong></span></p><p><span style="font-size: 11pt;"><strong>- Users </strong></span></p><p><span style="font-size: 11pt;"><strong>- Assets</strong></span></p><p><span style="font-size: 11pt;"><strong>- Halo Integrator</strong></span></p><p><span style="font-size: 11pt;"><strong>- Subscription Management</strong></span></p><p><span style="font-size: 11pt;"><strong>- Single Sign-On (SSO)</strong></span></p><p><span style="font-size: 11pt;"><strong>- Consumption Billing</strong></span></p><p><strong><span style="font-size: 11pt;">- Errors and Logging</span></strong></p><p style="box-sizing: inherit; margin: 0px; line-height: 1.4285em; color: rgb(0, 0, 0); font-family: Poppins, sans-serif, Roboto; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;"><br></p><p><span style="font-size: 11pt;"><br></span></p><p><span 
style="font-size: 11pt;"><strong>Related Guides:</strong></span></p><ul data-pasted="true"><li style="font-size: 11pt; font-weight: bold;"><strong><a href="https://usehalo.com/haloitsm/guides/2322" target="_blank" rel="noopener noreferrer" style="font-weight: bold; font-size: 11pt;">Single Sign On (SSO) For Entra/CSP Users and Agents</a></strong></li><li style="font-size: 11pt; font-weight: bold;"><strong><a href="https://usehalo.com/haloitsm/guides/1106" target="_blank" rel="noopener noreferrer" style="font-weight: bold; font-size: 11pt;">Microsoft Entra ID Integration</a></strong></li><li style="font-size: 11pt; font-weight: bold;"><strong><a href="https://usehalo.com/halopsa/guides/2290" target="_blank" rel="noopener noreferrer" style="font-weight: bold; font-size: 11pt;">Azure Deltas</a></strong></li><li style="font-size: 11pt; font-weight: bold;"><strong><a href="https://usehalo.com/halopsa/guides/2392" target="_blank" rel="noopener noreferrer" style="font-weight: bold; font-size: 11pt;">Azure Consumption Billing (via Halo CSP Integration)</a></strong></li><li style="font-size: 11pt; font-weight: bold;"><a data-fr-linked="true" href="https://usehalo.com/halopsa/guides/2481" target="_blank" rel="noopener noreferrer" style="font-weight: bold; font-size: 11pt;"><strong>Automated New Starter Requests into Microsoft Entra</strong></a></li></ul><p><strong><br></strong></p><p data-pasted="true"><strong><span style="font-size: 14pt;">What is the Microsoft CSP integration?</span></strong></p><p><span style="font-size: 11pt;">This integration is used to import user data from multiple Azure tenants managed via the Microsoft Cloud Reseller Program (CSP). 
The Microsoft Cloud Solution Partner (CSP) integration allows you to import all customers you have a Cloud Reseller relationship with and retrieve all license, user, and device information associated with each customer you additionally have a GDAP relationship with. This integration is typically used by HaloPSA customers, as these organisations will typically manage/have access to their customers' Azure tenants through the CSP. Organisations using HaloITSM and HaloCRM will typically have a single Azure tenant (or a couple) that stores their internal users/staff and will not be members of CSP. These organisations should use our Microsoft Entra integration to import their users. To import agents from Azure you will need to use our Microsoft Entra integration: <a data-fr-linked="true" href="https://usehalo.com/haloitsm/guides/1106/" target="_blank" rel="noopener noreferrer" style="font-size: 11pt;">Microsoft Entra ID Integration (Formerly: Azure Active Directory)</a>.</span></p><p><br></p><p><strong><span style="font-size: 14pt;">Configuring CSP</span></strong></p><div><p><span style="font-size: 11pt;">To configure the CSP Integration, two separate app registrations must be registered in the CSP Partner’s Azure Tenant. 
This is a change from the previous single app registration model due to the introduction of GDAP by Microsoft.</span></p><p><br></p><p><span style="font-size: 11pt;">The first (single tenanted) registration will connect to the Partner Centre and retrieve Reseller customers and their licenses.</span></p><p><span style="font-size: 11pt;">The second (multi-tenanted) application will be created as an Enterprise app in each managed customer tenant and will allow the reading of users and devices.</span></p><p><span style="font-size: 11pt;">This is a multi-tenanted integration, so you are able to connect more than one CSP-enabled tenant.</span></p><p><br></p><p><span style="font-size: 11pt;">To get started, navigate to Configuration > Integrations > Microsoft CSP, enable the module, and then click into the module to open the configuration screen.</span></p><p><span style="font-size: 11pt;">If a default connection exists, rename it to something recognizable and input your CSP-enabled Azure tenant ID.</span></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage101.png" style="width: 1206px; height: 249.713px;" width="1204" class="fr-fic fr-dii" height="250"><p><span style="font-size: 10pt;"><strong>Fig 1.</strong><strong> Part of CSP Details Tab</strong></span></p><p><br></p><h2><span style="font-size: 14pt;"><strong>Partner Centre Connection <span style="font-size: 14pt;" data-pasted="true"><strong>(Single Tenant App Registration)</strong></span></strong></span></h2><p><span style="font-size: 11pt;">To configure an Azure application:</span></p><ul><li style="font-size: 11pt;">Open the Azure Portal or Entra Admin Centre</li><li style="font-size: 11pt;">Navigate to App registrations > New registration</li><li style="font-size: 11pt;">Give the application a recognizable name and select "Accounts in this organizational directory only (Single Tenant)"</li><li style="font-size: 11pt;">Enter the redirect URI. The URI needed will differ depending on the 
Halo version you are on, but the exact URI needed can be found on the CSP setup page. <ul style="font-size: initial;"><li style="font-size: 11pt;">On versions prior to v2.200 the following redirect URI will need to be used: <a data-fr-linked="true" href="https://YOURHALODOMAIN/azure/auth" target="_blank" style="font-size: 11pt;">https://YOURHALODOMAIN/azure/auth</a></li><li style="font-size: 11pt;">On versions v2.200+ the following redirect URI will need to be used: <a data-fr-linked="true" href="https://YOURHALODOMAIN/authcallback" target="_blank" style="font-size: 11pt;">https://YOURHALODOMAIN/authcallback</a></li></ul></li><li style="font-size: 11pt;">The API permission page should look like this once you are finished.<strong><br></strong></li></ul><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjBmOTY1NDIyLTUyYjgtNDIxMi05YzM5LTVkNGExZmZkMTk2OSJ9.iBQKzs9AkkyCejR79sLK6otbANn1RCC7xkSQbN5A5bM" class="fr-fic fr-fil fr-dib" width="785" style="width: 787px; height: 469.335px;" height="469"></p><p><span style="font-size: 10pt;"><strong>Fig 2.</strong><strong> App Registration Registration Page</strong></span></p><p><br></p><ul><li style="font-size: 11pt;">Once the application has been registered successfully, you will be on the overview page. 
Copy the ‘Application (client) ID’ you see on the screen and store it for use later.<strong><br></strong></li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage103.png" style="width: 1194px; height: 319.314px;" width="1192" class="fr-fic fr-dii" height="319"><p><span style="font-size: 10pt;"><strong>Fig 3.</strong><strong> App Registration Overview Page</strong></span></p><p><br></p><p><span style="font-size: 11pt;">Now navigate to the "API permissions" tab:</span></p><ul><li style="font-size: 11pt;">Remove the default <strong>'User.Read'</strong> permission</li><li style="font-size: 11pt;"><strong>Permissions for all</strong><ul style="font-size: initial;"><li style="font-size: 11pt;">Click <strong>'Add a permission'</strong>, then select <strong>'APIs my organization uses'</strong></li><li style="font-size: 11pt;">Search for <strong>'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd'</strong> and select <strong>'user_impersonation'</strong> and then <strong>'Add permissions'</strong></li></ul></li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage104.png" class="fr-fic fr-dii"><p><span style="font-size: 10pt;"><strong>Fig 4.</strong><strong> App Registration API Selector</strong></span></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage105.png" class="fr-fic fr-dii"><p><span style="font-size: 10pt;"><strong>Fig 5.</strong><strong> Partner Centre API Permission Selection</strong></span></p><p><br></p><ul><li style="font-size: 11pt;">Click 'Add a permission', then 'Microsoft Graph', then 'Application permissions', then choose '<strong>DelegatedAdminRelationship.Read.All</strong>' and finally 'Add permissions'</li><li style="font-size: 11pt;">If you don't need to complete the section below, then your API permissions page should look as follows:</li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage107.png" style="width: 1200px; height: 490.3px;" width="1198" class="fr-fic fr-dii" 
height="490"><p><span style="font-size: 10pt;"><strong>Fig 6.</strong><strong> App Registration API Permissions (No Subscription Pricing Imports)</strong></span></p><p><br></p><ul><li style="font-size: 11pt;"><strong>Permissions for Subscription Pricing (Tier 1/Direct Partners only)</strong><ul style="font-size: initial;"><li style="font-size: 11pt;">Click 'Add a permission', then select 'APIs my organization uses'</li><li style="font-size: 11pt;">Search for <strong>'4990cffe-04e8-4e8b-808a-1175604b879f'</strong> and select <strong>'user_impersonation'</strong> and then 'Add permissions'</li><li style="font-size: 11pt;">If you have completed this section, your API Permissions page should look like this:</li></ul></li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage106.png" style="width: 1201px; height: 525.315px;" width="1199" class="fr-fic fr-dii" height="525"><p><strong><span style="font-size: 10pt;">Fig 7. App Registration API Permissions (Subscription Pricing Imports)</span></strong></p><p><br></p><p><strong><em><span style="font-size: 11pt;">Note: Failure to have your API permissions looking exactly as shown above will likely mean the integration will be unable to successfully authenticate.</span></em></strong></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">Lastly, navigate to the ‘Certificates & secrets’ tab down the left-hand side. Click ‘New client secret’, give it a description and choose your expiry value. Once created, copy the ‘value’ (NOT ‘Secret ID’) and store that with the Application ID we copied earlier. 
The single tenant app registration is now configured correctly in Azure.</span></p><p><br></p><h3><span style="font-size: 14pt;"><strong>Authorizing Connection in Halo<br></strong></span></h3><p><span style="font-size: 11pt;">Now that the App Registration is set up and the relevant details are stored, return to Halo’s CSP tenant configuration.</span></p><ul><li style="font-size: 11pt;">Enter the Application ID and Secret (tenant ID should have been populated earlier)</li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage108.png" style="width: 1205px; height: 648.545px;" width="1203" class="fr-fic fr-dii" height="649"><p><strong><span style="font-size: 10pt;">Fig 8. CSP Details Tab</span></strong></p><p><br></p><ul><li style="font-size: 11pt;">Click <strong>Save</strong></li><li style="font-size: 11pt;">You will then see an "Authorize Application" button</li></ul><p><span style="font-size: 11pt;">For successful authorization, the following conditions must be met:</span></p><ul><li style="font-size: 11pt;">Must have access to the Partner Centre and the ‘Customer List’ and ‘Administer’ areas</li><li style="font-size: 11pt;">The account must have one of these GDAP roles for all managed customers:<ul style="font-size: initial;"><li style="font-size: 11pt;">Directory Reader</li><li style="font-size: 11pt;">Global Reader</li><li style="font-size: 11pt;">User Administrator</li><li style="font-size: 11pt;">Licence Administrator</li></ul></li><li style="font-size: 11pt;">Must complete Multi-Factor Authentication (MFA) using a strong method (TOTP/Authenticator App)</li></ul><p><span style="font-size: 11pt;">If successful, you will be redirected back to the CSP setup screen. 
All tabs should now be accessible and look like <strong>Fig 9</strong>.</span></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage109.png" class="fr-fic fr-dii" style="width: 1203px; height: 650.224px;" width="1201" height="650"><p><strong><span style="font-size: 10pt;">Fig 9. Post-Authorisation CSP Overview</span></strong></p><p><br></p><h2 data-pasted="true"><span style="font-size: 14pt;"><strong>GDAP Connection (</strong><strong>Multi-Tenanted App Registration)</strong></span></h2><ul><li style="font-size: 11pt;">Go to <strong>Entra Admin Centre</strong> and create a new App Registration (Do not modify the previously configured application)</li><li style="font-size: 11pt;">Choose a meaningful application name<ul style="font-size: initial;"><li style="font-size: 11pt;">When naming this app registration, it is important to note that this will be transferred into every managed/GDAP enabled customer’s tenant as an Enterprise App which internal administrators and possibly users will be able to see. It is therefore advised to make sure the name will not cause confusion (a common choice is <em>MSP Name Service Sync</em>)</li></ul></li><li style="font-size: 11pt;">Ensure the app registration is multi-tenanted by selecting <strong>"Accounts in any organizational directory (Multitenant)"</strong></li><li style="font-size: 11pt;">Enter the provided redirect URI from the Halo CSP setup page</li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage110.png" class="fr-fic fr-dii" style="width: 1201px; height: 839.558px;" width="1199" height="840"><p><strong><span style="font-size: 10pt;">Fig 10. GDAP App Registration Overview Page</span></strong></p><p><br></p><p><span style="font-size: 11pt;">Once registered, as with the previous app registration, note down the Application ID and store it safely.</span></p><p><span style="font-size: 11pt;">Now navigate to the "API Permissions" tab, and remove the ‘User.Read’ permission. 
Click ‘Add a permission’, then select <strong>Microsoft Graph</strong> > </span><strong><span style="font-size: 11pt;">Application Permissions.</span></strong></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage111.png" class="fr-fic fr-dii"><p><strong><span style="font-size: 10pt;">Fig 11. Microsoft Graph API Selector</span></strong></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage112.png" class="fr-fic fr-dii"><p><strong><span style="font-size: 10pt;">Fig 12. Application Permission Selector</span></strong></p><p><br></p><span style="font-size: 11pt;">Here, add the permissions listed on your setup page. If you plan on using our <a href="#section-11" style="font-size: 11pt;" target="_blank">Consumption Billing</a> functionality, you should additionally add 'PartnerBilling.Read.All' (Application).</span><p><span style="font-size: 11pt;"><em><strong>Note: Figure 13 cuts off the full name of the permission; it should be: DeviceManagementManagedDevices.Read.All</strong></em></span></p><p><br></p><p><span style="font-size: 11pt;">Your page should now look like <strong>Fig 13</strong> (The highlighted permission being mandatory only when Consumption Billing is enabled).</span></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage113.png" style="width: 1184px; height: 516.566px;" width="1182" class="fr-fic fr-dii" height="517"><p><span style="font-size: 10pt;"><strong>Fig 13.</strong><strong> GDAP App Registration API Permissions</strong></span></p><p><br></p><p><span style="font-size: 11pt;">Now click ‘Grant Admin Consent for Tenant Name’ (requires Global or Privileged Role Administrator permissions as these are Application Permissions in the Graph API)</span></p><p><span style="font-size: 11pt;">Once successfully granted, generate a client secret using the instructions previously provided in the Partner Centre section of this guide and store it safely for later 
use.</span></p><p><br></p><p><span style="font-size: 11pt;">Now that your multi-tenanted application has been created, you must elevate the permissions of the application so that it can access data in your customers' Azure tenants by adding it to the ‘AdminAgents’ Security group. You should be able to do this via the Entra Admin Centre but for some tenants PowerShell will be required. Both methods are detailed below:</span></p><p><br></p><h4><span style="font-size: 12pt;"><strong>Entra Admin Centre</strong></span></h4><ul><li style="font-size: 11pt;">Sign in as a Group Owner, Group or Global Administrator</li><li style="font-size: 11pt;">Navigate to <strong>Groups > All Groups</strong></li><li style="font-size: 11pt;">Search for and open the ‘AdminAgents’ group</li><li style="font-size: 11pt;">Click ‘Members’ and add the Application ID</li></ul><p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage114.png" class="fr-fic fr-dii" style="width: 1177px; height: 347.672px;" width="1175" height="348"><strong>Fig 14. Entra Group Member Selection</strong></p><p><br></p><p><span style="font-size: 11pt;">Once added, your screen should look like <strong>Fig 15</strong>.</span></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage115.png" class="fr-fic fr-dii" style="width: 1161px; height: 498.589px;" width="1159" height="499"><p><strong>Fig 15. Entra Group Membership Confirmation</strong></p><p><br></p><span style="font-size: 11pt;">Now add the Application ID and Secret into the following Halo fields and go straight to the Tenants section of this guide</span>.<br><br><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage116.png" class="fr-fic fr-dii" style="width: 1165px; height: 616.822px;" width="1163" height="617"><p><strong>Fig 16. 
CSP Detail Tab with GDAP connection fields highlighted</strong></p><p><br></p><h4><span style="font-size: 12pt;"><strong>PowerShell</strong></span></h4><p><span style="font-size: 11pt;">If you have been unable to add the App Registration into the 'AdminAgents' group via the Entra Admin Centre, then please use the following steps to do so via PowerShell.</span></p><ul><li style="font-size: 11pt;">On a Windows machine, open the PowerShell App as an Administrator</li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSP%2bIMAGE15.PNG" class="fr-fic fr-dii"><p><strong><span style="font-size: 10pt;">Fig 17. Opening PowerShell via start menu</span></strong></p><p><br></p><ul><li style="font-size: 11pt;">If you haven’t used the Graph API via PowerShell before, run ‘Install-Module Microsoft.Graph’ (you will need PowerShell 7 or later to run this)</li><li style="font-weight: bold; font-style: italic; font-size: 11pt;"><strong><em>Note: This script was previously executed using the AzureAD PowerShell module; however, this has <a data-fr-linked="true" href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/important-update-deprecation-of-azure-ad-powershell-and-msonline-powershell-modu/4094536" target="_blank" rel="noopener noreferrer" style="font-size: 11pt;">since been deprecated</a> and the Microsoft.Graph module should be used instead. </em></strong></li><li style="font-size: 11pt;">Once that has been successfully installed, run the below script where ‘{yourAppsId}’ needs to be replaced with the Application ID of the multi-tenanted App Registration you have just created<ul style="font-size: initial;"><li><pre>Connect-MgGraph
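# Look up the AdminAgents security group in the partner tenant
$group = Get-MgGroup -Filter "displayName eq 'AdminAgents'"
# Look up the service principal of the multi-tenanted App Registration
$sp = Get-MgServicePrincipal -Filter "appId eq '{yourAppsId}'"
# Build the directory object reference that identifies the service principal
$body = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)"
}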
# Add the service principal to the AdminAgents group
New-MgGroupMemberByRef -GroupId $group.Id -BodyParameter $body </pre></li></ul></li><li style="font-size: 11pt;">You will be presented with a modal Microsoft Sign-in screen: you will need to sign in with an account that has the right to modify groups (Group Owner, Groups or Global Administrator)</li><li style="font-size: 11pt;">Once successfully signed in, the script will run. Various errors can occur, some of which are detailed in the FAQ section</li><li style="font-size: 11pt;">You will be able to verify the script has worked by navigating to the ‘AdminAgents’ group and seeing the App Registration in the members list as a service principal:</li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage115.png" class="fr-fic fr-dii" style="width: 1201px; height: 516.79px;" width="1199" height="517"><p><strong><span style="font-size: 10pt;">Fig 18. Entra Group Membership Confirmation</span></strong></p><p><br></p><ul><li style="font-size: 11pt;">You can now input the Application ID and Secret into the fields in Halo:</li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage116.png" class="fr-fic fr-dii" style="width: 1197px; height: 633.601px;" width="1195" height="634"><p><strong><span style="font-size: 10pt;">Fig 19. CSP Detail Tab with GDAP connection fields highlighted</span></strong></p><p><br></p><h2><span style="font-size: 14pt;"><strong>Tenants</strong></span></h2><p data-pasted="true"><span style="font-size: 11pt;">The Tenants tab is used to map Azure Tenants to Halo Customers. You will also find the following settings:</span></p><ul data-pasted="true"><li style="font-size: 11pt;"><strong>Automatically add the Azure tenant ID of any imported customer to the allowed list for single sign-on:</strong> Enables users to sign in to the portal using their 365 credentials. 
<em>Recommendation: Enable</em><ul style="font-size: initial;"><li style="font-size: 11pt;">It should be noted that you can now bypass the tenant ID check when signing in with SSO so that all 365 users can use SSO by changing the 'Azure Tenant Sign-In Scope' setting within SSO configuration. This is further detailed within the dedicated guide</li></ul></li><li style="font-size: 11pt;"><strong>Automatically create a site mapping for user imports when an Azure tenant is assigned:</strong> Automates user site mapping. Read the Users section of this guide before enabling</li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage117.png" class="fr-fic fr-dii" style="width: 1196px; height: 509.037px;" width="1194" height="509"><p><span style="font-size: 10pt;"><strong>Fig 20.</strong><strong> CSP Tenants Tab</strong></span></p><p><br></p><p><span style="font-size: 11pt;">You must first choose the 'Status of Tenant Relationships': GDAP and DAP, or GDAP only (If you are on a version below this you will not have this tenant relationship status selection). If you are GDAP only, you should choose this option as it is faster and bypasses the requirement to have a reseller relationship with that tenant (An Admin Relationship is still required).</span></p><p><span style="font-size: 11pt;"> </span></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage118.png" class="fr-fic fr-dii" style="width: 1201px; height: 491.766px;" width="1199" height="492"><p><span style="font-size: 10pt;"><strong>Fig 21.</strong><strong> Tenant Relationship Configuration Options</strong></span></p><p><br></p><p><span style="font-size: 11pt;">You can now add mappings into the table by selecting the Halo customer (or ‘*Do not Import*’ if you have tenants you do not wish to bring into Halo) and then the corresponding Azure Tenant. 
You have the option to override the Relationship Type and Licence Import Type (see licence tab section below for more info) at this point.</span></p><p><span style="font-size: 11pt;">You may map more than one tenant to a Halo customer.</span></p><p><span style="font-size: 11pt;">It is recommended that you manually map all customers to tenants unless you are sure the names match those already existing in Halo.</span></p><p><span style="font-size: 11pt;">You can choose to exclude a particular tenant from Intune imports when creating a mapping for them. This means when importing assets from Intune via the CSP integration, all other tenants will have their assets imported except those marked as excluded. </span></p><p><br></p><h3><span style="font-size: 12pt;"><strong>Granting Admin Consent</strong></span></h3><p><span style="font-size: 11pt;">For all GDAP customers, a ‘Grant Admin Consent’ button will appear on the mapping table once saved.</span></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage119.png" class="fr-fic fr-dii"><p><span style="font-size: 10pt;"><strong>Fig 21.</strong><strong> Admin Consent Button</strong></span></p><p><br></p><p><span style="font-size: 11pt;">This is an essential part of the process and is what will allow you to pull out the users and devices from your customers’ tenants.</span></p><p><span style="font-size: 11pt;">In order to successfully complete a GDAP grant, the following requirements must be met:</span></p><ul><li style="font-size: 11pt;">The Admin account used must be <strong>native</strong> to the tenant (not externally invited)<ul style="font-size: initial;"><li style="font-size: 11pt;">For example, native means the account was created within and is owned by that tenant, so GlobalAdmin@managedcustomerdomain.com, NOT GlobalAdmin@mspdomain.com</li></ul></li><li style="font-size: 11pt;">Must have permissions to create an enterprise app</li><li style="font-size: 11pt;">Must complete MFA authentication</li></ul><p><span 
style="font-size: 11pt;">When ready, click on the button and you will be redirected to the Microsoft Sign-In screen, where you will need to use the credentials meeting the above criteria.</span></p><p><span style="font-size: 11pt;">Once you sign in you will see a Permissions Acceptance screen. </span></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage129.png" class="fr-fic fr-dii"><p><strong>Fig 22. Expected Enterprise App Permissions Acceptance Screen</strong></p><p><br></p><p><span style="font-size: 11pt;">Click accept and you should be redirected into Halo. The button will remain regardless of whether the grant was successful. Testing the grant will require you to complete the steps in the Users section.</span></p><p><span style="font-size: 11pt;">It is recommended to grant consent to one tenant, complete the setup on the Users tab, test, resolve issues with admin consent (if they occur) and once happy with the process, repeat the admin consent for all relevant customers.</span></p><p><br></p><p><strong><span style="font-size: 14pt;">Licenses & Subscriptions</span></strong></p><p><span style="font-size: 11pt;">On this page, you will find configuration options for licenses and subscriptions.</span></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage120.png" class="fr-fic fr-dii" style="width: 1197px; height: 290.014px;" width="1195" height="290"><p><strong>Fig 23. CSP Licences & Subscriptions Tab</strong></p><p><br></p><p><span style="font-size: 11pt;">There are two types of entity that we import from Microsoft: SKUs and Subscriptions. The broad differences are as follows:</span></p><ul><li style="font-size: 11pt;"><strong>SKUs: </strong>SKUs are accessible to Tier 1 and 2 partners and contain a quantity and the users currently assigned to the licences. 
Used for invoice calculations and licence management (see below)<ul style="font-size: initial;"><li style="font-size: 11pt;">Additionally, when <strong>Allow licenses to be managed from within Halo</strong> is enabled, adding or removing a user from a SKU in Halo will action that in Microsoft 365.</li></ul></li><li style="font-size: 11pt;"><strong>Subscriptions:</strong> For Tier 1 (Direct) Partners only. Contains quantity, start and end dates, billing cycle, commitment period and pricing. Used for Invoice calculations and automated pricing changes. </li></ul><p><span style="font-size: 11pt;">We offer importing in the following configurations with the following target audiences in mind:</span></p><ul><li style="font-size: 11pt;"><strong>All Subscribed SKUs:</strong> Default: all Tier 2 (Indirect) Partners must use this option</li><li style="font-size: 11pt;"><strong>Your Subscriptions:</strong> For Tier 1 (Direct) Partners with no indirect licence relationship customers and have no desire to manage licence assignment within Halo</li><li style="font-size: 11pt;"><strong>Your Subscriptions and SKUs:</strong> For Tier 1 Partners with indirect customer(s) or who wish to manage licence assignment within Halo</li></ul><p><span style="font-size: 11pt;">For Subscriptions only, it is possible to import the pricing information. 
In order to do this, you need to ensure you have:</span></p><ul><li style="font-size: 11pt;">Added the relevant permission as described in the <a href="#section-2" target="_blank" style="font-size: 11pt;">Partner Centre Connection</a> section</li><li style="font-size: 11pt;">Enabled 'Subscription Pricing' and chosen the relevant Marketplace within the <a href="#section-8" target="_blank" style="font-size: 11pt;">Halo Integrator</a> section</li></ul><p><span style="font-size: 11pt;">Pricing data is imported on a weekly basis and stored: as subscriptions are created/updated the data will be queried and the relevant price and cost added to the subscription.</span></p><p><br></p><p><span style="font-size: 11pt;"><em><strong>Note: If a licence is imported from CSP it will only be able to be removed in the UI by an administrator. You will also not be able to edit information about the licence, except for additional data such as the install date.</strong></em></span></p><p><br></p><p><strong><span style="font-size: 12pt;">Import Products and Create Invoice Lines (Tier 1 Partners only) </span></strong></p><ul><li style="font-size: 11pt;">For Tier 1 (Direct) Partners only, you can have subscriptions create products in Halo when they are imported. This facilitates the ability to have new lines added to recurring invoices in Halo automatically, when a new subscription is purchased for a customer in CSP. </li><li style="font-size: 11pt;">When the "Licence Import Type" is set to import subscriptions you will be given an additional drop down "Import Products and create Invoice lines". This setting will control if subscriptions create products in Halo and if lines will be added to recurring invoices when a new subscription is added in CSP. 
</li></ul><p style="margin-left: 20px;"><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjhkZTUwYjY3LTY2ZDYtNDM1Ny1iYmY1LWFmMTJiYTZjYmMzYyJ9.Wtk6aXaerPLTZfZmuqEPysXE8GmyNHlisu96IMxn1PU" width="1160" style="width: 1162px; height: 429.148px;" height="429" class="fr-fic fr-dii"></p><p><span style="font-size: 10pt;"><strong>Fig 24. </strong><strong>Import Products and create invoice lines</strong></span></p><p><span style="font-size: 11pt;"><br></span></p><ul><li style="font-size: 11pt;"><strong>Do not import: </strong>Subscriptions will not create products in Halo. </li><li style="font-size: 11pt;"><strong>Import Products:</strong> When subscriptions are imported a product will be created for each subscription (as well as a subscription in Halo).</li><li style="font-size: 11pt;"><strong>Import Products and create Invoice lines:</strong> When subscriptions are imported a product will be created for each subscription (as well as a subscription in Halo). In addition, when a subscription is added for a customer in CSP, the product linked to that subscription in Halo will be added to a recurring invoice for that customer. Pro-rata will be calculated accordingly. </li><li style="font-size: 11pt;"> Products that have been created from a CSP subscription will have the product and subscription linked in Halo, this will be visible under a "Subscription" tab against the product. </li><li style="font-size: 11pt;"><strong>Which Recurring Invoice will the new subscription will be added to? </strong><ul style="font-size: initial;"><li style="font-size: 11pt;">The subscription will only be added to a recurring invoice that matches the billing period of the subscription. For example, if the subscription is billed monthly starting on the 1st of each month, it will only be added to a recurring invoice that is scheduled to create for this same period. 
</li><li style="font-size: 11pt;">If there are multiple recurring invoices it can be added to, the subscription will be added to the newest recurring invoice for that customer. </li></ul></li></ul><p><br></p><p><strong><span style="font-size: 14pt;">Users</span></strong></p><p><span style="font-size: 11pt;">All configuration for user imports is stored in the Users tab. </span></p><p><span style="font-size: 11pt;">Site mappings allow for control over which sites within Halo users are imported to. There are two different methods to set these up: generating the mappings or creating them manually.</span></p><p><br></p><p><span style="font-size: 11pt;">The ‘Generate Mappings’ button allows a speedier setup of User imports but allows for less control (filtering and advanced mapping). In most cases, generating the mappings and then manually modifying the few more complicated customers (with multiple sites for example) if necessary is the best method. In edit mode, you will see a ‘Generate Mappings’ button. When pressed this will generate a mapping for every Azure tenant to import all users against the main site to which the tenant was linked. For example, if I map an Azure Tenant ABC Limited to customer ‘ABC Ltd’ in Halo, it would generate a mapping which would import all users from ABC Limited into the ‘ABC Ltd/Main’ site. </span></p><p><br></p><p><span style="font-size: 11pt;">For customers that have multiple sites, multiple Azure Tenants or a large number of service accounts, you may wish to create the mappings manually.</span></p><ul><li style="font-size: 11pt;">Click the ‘Add’ button on the top right of the mappings table</li><li style="font-size: 11pt;">Site Mapping Type:<ul style="font-size: initial;"><li style="font-size: 11pt;"><strong>‘Map to an existing Site’</strong> is most common and below you will be presented with a list of sites to map to. 
Generally this will be ‘customername/Main’</li><li style="font-size: 11pt;"><strong>‘Map to an existing Customer based on an Azure field’:</strong> Allows for automatic site creation. When chosen, you will be prompted to pick the customer name only</li><li style="font-size: 11pt;"><strong>'Do not import':</strong> Mappings will not be automatically created for cases when the Users are not within the scope of a specific tenant permissions.</li><li style="font-size: 11pt;" data-pasted="true"><strong>'Map to an existing site by matching on a field'</strong><strong>:</strong> This allows Users to be mapped to Sites dynamically. When chosen you will be able to select a Halo Site and User field to match values on. For User fields, you will likely need to map a value from CSP to the field in Halo. You can also choose to prevent the import or set a default Site for Users who do not match a Site.</li></ul></li><li style="font-size: 11pt;">Click Save</li><li style="font-size: 11pt;">Once saved, you will be presented with various options:<ul style="font-size: initial;"><li style="font-size: 11pt;"><strong>Filter Field</strong>: Only applicable to the ‘Map to an existing Customer based on an Azure field’; allows you to pick an user property that will create sites. I.e. ‘officelocation’; so when users are imported every unique ‘officelocation’ value will be created as a site under the customer and the user placed at their ‘officelocation’</li><li style="font-size: 11pt;"><strong>Apply filters to this Azure tenant</strong>: only relevant if you are mapping more than one tenant to a single Halo customer. If you are, you can use this to filter this mapping to only users contained within one of those tenants. Else, ‘All’</li><li style="font-size: 11pt;"><strong>Sequence</strong>: This controls the order in which the site mappings will be processed for import: the lower the number, the earlier it will be processed. 
Best Practice: set all mappings to the same number (50) initially and if you do need to process some mappings earlier than others, numbers can be adjusted either up or down</li><li style="font-size: 11pt;"><strong>Description</strong> Short description of this mapping; could be used to explain why you have mapped this customer in this way if multiple people administer these mappings</li><li style="font-size: 11pt;"><strong>Role for Users</strong>: Allows you to provision a user role against users in this mapping. See the separate guide on user roles for use cases and configuration instructions of these</li><li style="font-size: 11pt;"><strong>Azure Group Name</strong>: This allows you to filter the users imported to this mapping to a particular Azure group. A good use case is sorting users into their locations; a mapping to ABC Limited/London would be filtered to ‘Loc-London’ to ensure only users based in London appear at this site</li><li style="font-size: 11pt;"><strong>Include External Users</strong> allows you to include external users in the sync. Defaulted to unchecked</li><li style="font-size: 11pt;"><strong>Filters</strong> Alternative to Azure group filtering, you can instead use properties on the user’s profile to evaluate if they should be imported. For example, ‘officelocation’ equals ‘London’. You can use filters in addition to Azure groups to filter users. </li><li style="font-size: 11pt;"><strong>Value</strong> allows you to set values for user fields if they are successfully mapped here. You can filter which users this value will be applied to based on Azure Group. When setting up the value mapping choose which Azure group you would like this value to apply to; if no group is selected the value will apply to all users imported in this mapping. 
</li></ul></li><li style="font-size: 11pt;"><strong>Role for Users:</strong> Assigns roles based on mappings</li><li style="font-size: 11pt;"><strong>Include External Users:</strong> Enables synchronization of external users (disabled by default)</li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage121.png" class="fr-fic fr-dii"><p><strong>Fig 25. Exemplar Mappings for all users located at the 'Stowmarket Office' for a given Azure Tenant</strong></p><p><br></p><p><span style="font-size: 11pt;">When it comes to sequencing mappings, it is important to note that the most specific mappings should have a higher precedence (lower sequence number) than ‘Catch-all’ mappings without filters. One way to avoid this problem is to ensure your mappings do not overlap, i.e. each user can only belong to one mapping at any one time (dynamic Azure groups based on office location field value is a good example here). </span></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage122.png" class="fr-fic fr-dii" style="width: 1209px; height: 220.415px;" width="1207" height="220"><p><span style="font-size: 10pt;"><strong>Fig 26. Exemplar site mappings table. There should be one row per tenant whose users and devices you wish to import</strong></span></p><p><br></p><p><span style="font-size: 11pt;">Finally, how many manual mappings you created will indicate whether you want to enable the "Automatically create a site mapping for user imports whenever an Azure tenant is assigned to the customer" setting discussed in the Tenants section. This setting allows for an automatic generation of a mapping (like the Generate Mappings button) every time a new customer is mapped in the table on the Tenants tab. If Generate Mappings worked well for you, you should consider enabling this setting. 
If you did most or all of your mappings manually and plan to do so for new customers, leave this setting off.</span></p><p><br></p><p><span style="font-size: 11pt;">It should be noted that customers can be automatically mapped in the Tenants tab under certain conditions (see the Halo Integrator section for more details) which may also influence your decision.</span></p><p><br></p><p data-pasted="true"><span style="font-size: 11pt;">Below the Site Mappings section you will find Field Mappings. These define which Azure user properties are imported into Halo.</span></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage123.png" class="fr-fic fr-dii" style="width: 1205px; height: 335.196px;" width="1203" height="335"><p><strong>Fig 27. Azure AD field mappings to their nearest Halo equivalents</strong></p><p><br></p><p><span style="font-size: 11pt;">Additional settings for user imports.</span></p><ul><li style="font-size: 11pt;"><strong>User Matching Fields:</strong> Default is Azure property ID, but email or network login can also be used.</li><li style="font-size: 11pt;"><strong>Set User/Agent status equal to Azure accountEnabled property:</strong> When enabled, ensures that disabled users in Azure are also disabled in Halo</li><li style="font-size: 11pt;"><strong>Import Users last sign-in date:</strong> Requires additional permissions (AuditLog.Read.All)</li><li style="font-size: 11pt;"><strong>Service Account Handling/Licence check type (v2.236+):</strong> Allows tagging users as service accounts (cannot have tickets logged against them nor be billed in user-calculated lines) unless they hold specific licenses. 
From v2.236+, this has been replaced with the "Licence check type" field where you can choose to include or exclude users from being imported based on their assigned licences.</li></ul><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage124.png" class="fr-fic fr-dii" style="width: 1202px; height: 538.73px;" width="1200" height="539"><p><strong>Fig 28. Exemplar User Import configuration</strong></p><p><br></p><h2><span style="font-size: 14pt;"><strong>Assets</strong></span></h2><p><span style="font-size: 11pt;">Controls how managed devices (Intune) are imported. Once enabled, all other configuration for Intune is enabled. Please move straight to the 'Halo Integrator' section if you do not wish to utilise this functionality.</span></p><p><br></p><p><span style="font-size: 11pt;">To determine an Asset's type in Halo you can choose to:</span></p><ul><li style="font-size: 11pt;"><strong>Use the same type for all assets:</strong> Assigns a single asset type to all devices from Intune</li><li style="font-size: 11pt;"><strong>Use an Intune field:</strong> Determines asset type dynamically from a specified Intune field</li><li style="font-size: 11pt;"><strong>Use rules:</strong> Classifies devices based on properties of your choosing with the option to fallback or exclude unmatched devices</li></ul><p><span style="font-size: 11pt;">For all of the above, you have the option to enable ‘Don’t update the Asset Type of existing Assets during import’ so that the types of already existing assets aren’t changed. This can be useful if you have a primary RMM and only want Intune to add extra information like complianceState without re-classifying assets.</span></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage125.png" class="fr-fic fr-dii" style="width: 1202px; height: 263.551px;" width="1200" height="264"><p><strong>Fig 29. 
Exemplar Asset Types Configuration</strong></p><h3><br></h3><p><span style="font-size: 11pt;">User matching can be used to control how assets are linked to users.</span></p><ul><li style="font-size: 11pt;"><strong>Asset method (Recommended):</strong> Matches devices to users during import of assets. You are presented with a choice of which field on the Intune device to use to match to the user</li><li style="font-size: 11pt;"><strong>User method (Older, not recommended):</strong> Links devices during user import by querying the managed devices linked to the user</li></ul><p><span style="font-size: 11pt;">If you are using the Asset Import method you can provide a "User Identifier" which will be used to match the Asset to the User based on the identifier you set. You will also have the option to set the "User Identifier override for mobile devices". This is useful if your mobile devices do not have the field specified as the "User Identifier".</span></p><p><br></p></div><div><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage126.png" class="fr-fic fr-dii" style="width: 1200px; height: 234.698px;" width="1198" height="235"><p><strong><span style="font-size: 10pt;">Fig 30. Exemplar Asset Field Mappings (most customers will map more)</span></strong></p><p><br></p><p><span style="font-size: 11pt;">The following settings are used to control how assets are imported.</span></p><span style="font-size: 11pt;">Once saved, you will be presented with various options:<br></span><ul style="font-size: initial;"><li style="font-size: 11pt;"><strong>Asset site allocation (v2.242+): </strong>Determines if Assets are assigned to the Linked User's Site. 
This can be set to apply the Linked User's Site to all Assets, new Assets only or never.</li><li style="font-size: 11pt;"><strong>Default Site:</strong> When a device isn't matched to a user during import, it will be placed at this site<strong><br></strong></li><li style="font-size: 11pt;"><strong>Asset Matching Field:</strong> The global asset matching field to ensure that multiple asset integrations update rather than duplicate asset records. <strong>Recommendation</strong>: the field which contains asset serial numbers (generally ‘Serial Number’)</li><li style="font-size: 11pt;"><strong>Status of New Assets:</strong> The Halo asset status of new assets when they are imported</li><li style="font-size: 11pt;"><strong>Status of HaloPSA assets when the Managed Device has been deleted from Intune:</strong> When a device is deleted from Intune, the asset’s status will be changed to this value</li><li style="font-size: 11pt;"><strong>Exclude Assets managed by Sense:</strong> Allows the exclusion of devices that are managed by Sense</li></ul><p><span style="font-size: 11pt;">Once all is configured and saved, the ‘Import Managed Devices’ button will appear at the bottom of the screen. Just like the User import, you can pick the site you wish to process rather than all.</span></p><p><br></p><img src="https://s3.haloservicedesk.com/CustomerImages/halo/CSPImage127.png" class="fr-fic fr-dii" style="width: 1183px; height: 336.444px;" width="1181" height="336"><p data-pasted="true"><span style="font-size: 10pt;"><strong>Fig 31.</strong><strong> Exemplar Asset Imports Configuration</strong></span></p><p><br></p><p><span style="font-size: 11pt;">You need to have completed the Admin Consent section for the tenant(s) before attempting an import.</span></p><p><br></p><p><span style="font-size: 14pt;"><strong>Halo Integrator</strong></span></p><p><span style="font-size: 11pt;">The Halo integrator configures automatic synchronisation between Microsoft and Halo. 
<br></span> <span style="font-size: 11pt;"><br>We recommend you only enable this once you are happy with your configuration.</span></p><ul><li style="font-size: 11pt;">Enable the Halo Integrator: Enables synchronisation</li><li style="font-size: 11pt;">Select Modules to Import: Determines whether Tenants, Licences, Users, Assets, Consumption Billing and Subscription Pricing are included. 'Azure Tenants' includes tenants and their licences. The track (Stable or Beta) will determine which of these options you see.</li><li style="font-size: 11pt;">Marketplace to import: Only relevant for importing subscription pricing. Choose the Marketplace pricing to import from the options: GB, US, AU (v2.242+), CA (v2.242+), and NZ (v2.242+).</li></ul><h3><span style="font-size: 12pt;"><strong>Azure Deltas</strong></span></h3><p><span style="font-size: 11pt;">Deltas allow for incremental syncs (just the changes since last sync) instead of full directory syncs, thereby allowing far more frequent syncing of changes from Microsoft. The main functionality is explained briefly below, but we strongly recommend you read our dedicated guide on <a href="https://usehalo.com/halopsa/guides/2290" target="_blank" rel="noopener noreferrer" style="font-size: 11pt;">Azure Deltas</a>.</span></p><p><span style="font-size: 11pt;">This functionality only works for users and groups: assets are excluded and will continue with a full directory sync.</span></p><p><span style="font-size: 11pt;">This can be enabled by using the checkbox next to ‘Use Azure delta queries in the Halo Integrator (Users and Groups only)'. The bottom option replicates the functionality of the full directory sync.</span></p><ul><li style="font-size: 11pt;"><strong>Delta sync method:</strong> By default, this will be set to "Listen to all changes" to match the existing functionality. The new option will sync a delta query to only listen to system fields used within Halo and mapped user fields. 
This includes fields and filters used on site mappings that impact users. This also impacts groups: only changes to the displayName and members property of groups will be listened to. Some fields are not compatible with this Delta sync method and therefore will not be listened to. However, incompatible fields will be retrieved when a change for a compatible field occurs. Incompatible fields will be highlighted, alongside where the field is used, when changing to the new method. You will be notified that resetting the delta queries for each tenant is required for the changes to take effect.</li><li style="font-size: 11pt;"><strong>Deactivate Users:</strong> Sets the functionality for when Users are deactivated.</li></ul><p><span style="font-size: 11pt;">Deltas can be reset if changes are missed or are otherwise causing issues. There are two methods to do this:</span></p><ul><li style="font-size: 11pt;"><strong>Reset Now:</strong> Forces a full sync on next run</li><li style="font-size: 11pt;"><strong>Get Latest Changes: </strong>Will get fresh Deltas when next syncing (so any changes between sync before and after reset will be lost)</li></ul><p><span style="font-size: 11pt;">Deltas can be reset by pressing the 'Reset Deltas' button on the integrator screen to apply to all tenants or for a specific tenant on the Tenants tab.</span></p><p><br></p><p><span style="font-size: 11pt;">Under the Miscellaneous section you will find the option to "Create new customers from tenants (Halo Integrator only)". If enabled, when a new tenant is detected during a sync, rather than ignoring it the Integrator can create a customer with that name and add a mapping into the Tenants tab. If using ‘Automatically create a Site mapping for User imports whenever an Azure tenant is assigned to a Customer’, then it can also create the site mapping after this, thereby making CSP setup semi-autonomous (Admin Consent is still manual). 
Caution should be exercised: the customer will be given the name of the Azure Tenant, which may not be desired. Additionally, if the customer has already been created (by CRM process/other integration etc), this may create a duplicate. Here you will also find the option to "Deactivate Users in HaloPSA when they are not found in CSP". This will get fresh Deltas when next syncing (so any changes between sync before and after reset will be lost).</span></p><p><br></p><h2><strong><span style="font-size: 14pt;">Subscription Management</span></strong></h2><h3><span style="font-size: 12pt;"><strong>Adjusting Quantities</strong></span></h3><p><strong><span style="font-size: 11pt;"><em>Note: You must be a direct reseller to use this option. </em></span></strong></p><p><span style="font-size: 11pt;">When enabled, an extra button titled 'Adjust Quantity' is shown on subscriptions from CSP. Using this will action the change in the Partner Centre and will be reflected there after a short delay. Separate guides exist explaining the functionality and usage of subscriptions.</span></p><p><br></p><h3><strong><span style="font-size: 12pt;">Webhooks</span></strong></h3><p><span style="font-size: 11pt;">By enabling webhooks, Halo will accept updates to licence quantities (not enacted from Halo) from the Partner Centre, rather than waiting until the next Halo Integrator sync.<br>There will be a delay as processing within the Partner Centre is not instantaneous.</span></p><p><br></p><h2><strong><span style="font-size: 14pt;">Single Sign-On (SSO)</span></strong></h2><p data-pasted="true"><span style="font-size: 11pt;">Single Sign-On (SSO) allows your users and/or agents to log into Halo using their Microsoft credentials. 
</span></p><p><br></p><p data-pasted="true"><span style="font-size: 11pt;">For information on setting up single sign-on, check out our dedicated guide: <a href="https://usehalo.com/halopsa/guides/2322/" target="_blank" rel="noopener noreferrer">Microsoft Entra ID: Single Sign On (B2B).</a></span></p><p><br></p><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 11pt;">If you have configured your SSO such that Azure Tenant Sign-In Scope is restricted to a list of specified Azure tenants, tenants can automatically be added to this list when you are using CSP. </span></p><p><span style="font-size: 11pt;"><br>Provided you have checked ‘Automatically add the Azure tenant id of any imported customer to the allowed list for single sign-on’ (under the Tenants tab), any tenant imported using CSP will be added to this list automatically. When you onboard a new tenant in Azure, they will be created in Halo automatically, and their tenant ID added to this list, allowing them to automatically be provisioned for single sign-on too. </span></p><p><br></p><h2><strong><span style="font-size: 14pt;">Consumption Billing</span></strong></h2><p><span style="font-size: 11pt;">Consumption Billing functionality allows you to import usage data (VM hours/GB used) from your customers' tenants and map it onto Halo Recurring Invoice lines for automated billing.</span></p><p><span style="font-size: 11pt;">If you are using this functionality, please ensure you added the relevant permission within the GDAP Connection setup. All further configuration for consumption billing is contained within its own <a href="https://usehalo.com/halopsa/guides/2392" target="_blank" rel="noopener noreferrer" style="font-size: 11pt;">article</a>.</span></p><p><br></p><h2><strong><span style="font-size: 14pt;">Errors and Logging</span></strong></h2><p><span style="font-size: 11pt;">The Inbound Requests tab tracks some of the incoming requests and changes (changes from Microsoft to Halo). 
Individual requests, their processing record and outcome can be viewed from here. The Outbound Requests tab tracks some of the outgoing requests and changes (changes from Halo to Microsoft). Individual requests and their response from Microsoft can be viewed from here.</span></p><h3><strong><span style="font-size: 12pt;">Common Errors</span></strong></h3><table style="height: 832px; width: 100%;"><colgroup><col style="width: 4.1283%;"><col style="width: 31.1016%;"><col style="width: 22.9503%;"><col style="width: 41.8199%;"></colgroup><thead><tr><th>Element of Integration</th><th>Error</th><th>Cause</th><th>Solution</th></tr></thead><tbody><tr style="height: 107px;"><td>Tenants</td><td>Unable to authenticate Single Tenant Azure application in Halo and receives an error stating that the requested permissions do not match those setup against the application in Azure, or they are immediately redirected back to the Azure login screen after authorizing.</td><td>The permissions added to the Azure application are not correct. This is commonly setup incorrectly for the user_impersonation scope.</td><td>There are two very similar looking but actually different permissions to the partner centre. Make sure that the user_impersonation scope is for the Microsoft Partner Center, and has a description of 'Access Partner Center'.<br><br>The most reliable method to get the correct permissions is to search by the ID of the API. 
To do this, click 'Add a permission' within the App Registration, click 'APIs my organisation uses' and search using this ID: 'fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd'</td></tr><tr style="height: 30px;"><td>Tenants</td><td><p data-pasted="true">AADSTS7000119: Client Application '{Name of Multi Tenanted Azure Application}' with identifier '{Application ID}' is not allowed to be used by tenant '{Y}' with identifier of '{Tenant ID of Tenant Y}'</p><p><br></p><p>(Occurring when attempting to grant admin consent for a specific tenant) </p></td><td>The Tenant you are attempting to grant admin consent for does not have access to the multi-tenanted application you created. The application has restrictions on which tenants can access it.</td><td>In Azure, go to the app registration configuration of the multi-tenanted Azure Application. In 'Authentication (Preview)' > 'Supported Accounts', there is the ability to restrict which tenants have access to the application. It is most likely the case that either the tenant (Y) is not listed and/or it is not set to allow all tenants. <p><br></p><p data-pasted="true">The app registration will need to be updated to have the supported account types be set to 'Allow all tenants'. Or have this tenant (and any other tenants you would like to sync) added to the allowed tenants list. </p><p><br></p></td></tr><tr><td>Tenants</td><td>'Error - Forbidden' or customer records missing from the sync.</td><td>The account you authorised the Partner Centre connection with does not have access to customers or the Cloud Reseller Relationship has been requested/has expired.</td><td><strong>All Tenants Missing:</strong> Log into the Partner Centre directly with the credentials you authorised with in Halo and try to load the 'Customer List' section. If it loads, this isn't the issue. 
If it doesn't, you need to modify this user's permissions, log out and back in and check again.<br><strong>Some Tenants Missing:</strong> Your Cloud Reseller Relationship is either missing or expired. Please review and try syncing again when the relationship has been re-established.</td></tr><tr><td>Licences</td><td>'Error - Forbidden'</td><td>The account you authorised the Partner Centre connection with does not have access to licences against the tenants.<br>Or<br>The user that has authorised your connection to the partner centre has been flagged as a 'risky user' by Azure.<br>Or<br>You are using the incorrect redirect URI.</td><td>Check that the tenant you used to create the (multi-tenanted) application that authorises the CSP integration has access to your customers' licences. Alternatively, contact Microsoft support to have your permissions elevated.<br>Or<br>Log into your Azure (the parent tenant) and navigate to the user account you used to authorise Halo's connection to the Partner centre, check if the user has been flagged as a risky user. If they have, you will need to complete the steps to remove the risky user flag. 
<br><span style="font-size: 10pt;">Or </span><p data-pasted="true"><span style="font-size: 10pt;">Check the correct redirect URI is assigned to your single tenanted Azure application, once changed you will need to disconnect and re-authorise the integration:</span></p><ul><li style="font-size: 10pt;">On versions prior to v2.200 the following redirect URI will need to be used: <a data-fr-linked="true" href="https://YOURHALODOMAIN/azure/auth" style="font-size: 10pt;" target="_blank">https://YOURHALODOMAIN/azure/auth</a></li><li style="font-size: 10pt;">On versions v2.200+ the following redirect URI will need to be used: <a data-fr-linked="true" href="https://YOURHALODOMAIN/authcallback" style="font-size: 10pt;" target="_blank">https://YOURHALODOMAIN/authcallback</a></li></ul></td></tr><tr><td>Tenants</td><td>Redirect URI specified does not match redirect configured</td><td>The redirect URI specified in the app registration has not been correctly configured</td><td>Please refer to the instructions and correct the Redirect URI within your Azure application(s)</td></tr><tr><td>Users & Devices</td><td>Insufficient Privileges</td><td>Multiple</td><td>Check you have used Application (and not delegated) permissions on your Multi-Tenanted Azure Application.<br>Please also review the GDAP relationship with that tenant: ensure that it is active, with the relevant Admin roles and the 'Adminagents' group has access to those roles.</td></tr><tr><td>Users & Devices</td><td>The identity of the calling application could not be established'.<br>OR<br>Failed to retrieve users - Token refresh failed - invalid_client - AADSTS7000229: The client application X...X is missing service principal in the tenant Y...Y.<br>OR<br>AADSTS700016 Application not found in the directory when logging in</td><td>Admin Consent has not been successfully granted.<br>More formally, an Enterprise Application has not been correctly provisioned within the tenant.</td><td>Please re-read the Admin Consent section 
of the guide and ensure that you have correctly:<ul><li>Granted Admin Consent for that tenant.</li><li>Granted that consent with an Admin account with the correct role that is native to the tenant.</li><li>The permissions granted in the Multi-Tenanted Azure Application are exactly as described.</li><li>Review the GDAP relationship with that tenant: ensure that it is active, with the relevant Admin roles and the 'Adminagents' group has access to those roles.</li><li>If you have mapped more than one tenant to one Halo customer, please grant admin consent to all tenants before attempting import or use Tenant filter described in User mappings to limit the import on only relevant tenants.</li></ul>Please also review the GDAP relationship with that tenant: ensure that it is active, with the required Admin roles and the 'Adminagents' group has access to those roles.<br>You can also try logging into the tenant directly with the admin account you are trying to authorise with and grant Admin Consent to the Enterprise App manually</td></tr><tr><td>ALL</td><td>Token Expiry</td><td>Your secret has expired</td><td>You will need to use the instructions provided in this guide to generate a new secret and replace it within the correct section of the integration. If related to your Single-Tenanted app registration, you will need to disconnect to replace the secret and then re-connect.</td></tr></tbody></table></div></div>
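<p><span style="font-size: 11pt;">Several rows of the Common Errors table (redirect URI, Partner Center permission, Application versus delegated permissions, secret expiry) can be checked against an exported app registration before connecting. The Python below is an added example, not Halo's or Microsoft's code: the two manifests, the domain halo.example.com, the permission GUIDs and the 30-day warning window are constructed assumptions, while the field names follow the Microsoft Graph application resource.</span></p>

```python
import json
from datetime import datetime, timedelta, timezone

# API ID the Common Errors table gives for the Microsoft Partner Center API.
PARTNER_CENTER_API_ID = "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd"
MULTI_TENANT_AUDIENCES = {"AzureADMultipleOrgs", "AzureADandPersonalMicrosoftAccount"}

# Constructed sample manifests, trimmed to the fields checked below.
# The permission GUIDs are placeholders, not real permission IDs.
SINGLE_TENANT_APP = json.loads("""{
  "signInAudience": "AzureADMyOrg",
  "web": {"redirectUris": ["https://halo.example.com/azure/auth"]},
  "passwordCredentials": [{"displayName": "halo-csp", "endDateTime": "2025-01-15T00:00:00Z"}],
  "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [{"id": "11111111-1111-1111-1111-111111111111", "type": "Scope"}]}]
}""")
MULTI_TENANT_APP = json.loads("""{
  "signInAudience": "AzureADMultipleOrgs",
  "passwordCredentials": [{"displayName": "halo-gdap",
                           "endDateTime": "2025-06-20T00:00:00.0000000Z"}],
  "requiredResourceAccess": [{"resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [{"id": "22222222-2222-2222-2222-222222222222", "type": "Role"},
                       {"id": "33333333-3333-3333-3333-333333333333", "type": "Scope"}]}]
}""")


def expected_redirect_uri(halo_domain, halo_version):
    """Redirect URI the guide gives for this Halo version (v2.200 is the cut-over)."""
    major, minor = (int(p) for p in halo_version.lstrip("vV").split(".")[:2])
    path = "/authcallback" if (major, minor) >= (2, 200) else "/azure/auth"
    return f"https://{halo_domain}{path}"


def _parse_graph_time(value):
    """Parse a UTC Graph timestamp, dropping any fractional seconds."""
    return datetime.fromisoformat(value.split(".")[0].rstrip("Z") + "+00:00")


def audit_app(manifest, role, halo_domain, halo_version, now, warn_days=30):
    """Return (error row, detail) findings for one app registration.

    role is "single" (Partner Centre connection) or "multi" (customer tenants).
    """
    findings = []
    # Token Expiry row: an expired secret breaks every part of the integration.
    for cred in manifest.get("passwordCredentials", []):
        end = _parse_graph_time(cred["endDateTime"])
        label = cred.get("displayName") or cred.get("keyId", "?")
        if end <= now:
            findings.append(("Token Expiry", f"secret '{label}' expired {end:%Y-%m-%d}"))
        elif end - now <= timedelta(days=warn_days):
            findings.append(("Token Expiry (upcoming)",
                             f"secret '{label}' expires {end:%Y-%m-%d}"))

    access = manifest.get("requiredResourceAccess", [])
    if role == "single":
        want = expected_redirect_uri(halo_domain, halo_version)
        uris = manifest.get("web", {}).get("redirectUris", [])
        if want not in uris:
            findings.append(("Redirect URI mismatch", f"expected {want}, found {uris}"))
        # user_impersonation must be a delegated scope on the Partner Center API itself.
        partner = [r for r in access if r.get("resourceAppId") == PARTNER_CENTER_API_ID]
        if not any(p.get("type") == "Scope"
                   for r in partner for p in r.get("resourceAccess", [])):
            findings.append(("Permissions do not match",
                             f"no delegated scope on API {PARTNER_CENTER_API_ID}"))
    else:
        if manifest.get("signInAudience") not in MULTI_TENANT_AUDIENCES:
            findings.append(("Supported account types",
                             f"signInAudience is {manifest.get('signInAudience')!r}"))
        # "Scope" entries are delegated; the guide calls for Application ("Role").
        delegated = [p["id"] for r in access
                     for p in r.get("resourceAccess", []) if p.get("type") == "Scope"]
        if delegated:
            findings.append(("Insufficient Privileges",
                             f"{len(delegated)} delegated permission(s) requested"))
    return findings


def run_sample():
    """Audit both constructed manifests as of a fixed date for a v2.236 instance."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    return {
        "single": audit_app(SINGLE_TENANT_APP, "single", "halo.example.com", "v2.236", now),
        "multi": audit_app(MULTI_TENANT_APP, "multi", "halo.example.com", "v2.236", now),
    }


if __name__ == "__main__":
    for app, findings in run_sample().items():
        for row, detail in findings:
            print(f"[{app}] {row}: {detail}")
```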