<style>p { margin: 0; }span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left:0; padding-left:5px;}blockquote blockquote{ border-color: #00bcd4; color: #00bcd4;}blockquote blockquote blockquote{ border-color: #43a047; color: #43a047;} table.grid{ border-collapse: collapse;} table.grid td, table.grid th { border: 1px solid #ddd;} .fr-fic.fr-dib{ display: block; margin: 5px auto;}.fr-fic.fr-dib.fr-fir{ text-align: right; margin: 5px 0 5px auto;}.fr-fic.fr-dib.fr-fil{ text-align: left; margin: 5px auto 5px 0;}.fr-fic.fr-dii{ float: none; margin: 5px auto;}.fr-fic.fr-dii.fr-fil{ float: left; margin: 5px auto;}.fr-fic.fr-dii.fr-fir{ float: right; margin: 5px auto;}img.fr-dib.fr-fir { margin-right: 0; text-align: right;}img.fr-dib.fr-fil { margin-left: 0; text-align: left;}img.fr-dib { margin: 5px auto; display: block; float: none;}img.fr-bordered { box-sizing: content-box; border: solid 5px #CCC;}img.fr-shadow { box-shadow: 10px 10px 5px 0px #cccccc;}img.fr-rounded { border-radius: 10px; -moz-border-radius: 10px; -webkit-border-radius: 10px; -moz-background-clip: padding; -webkit-background-clip: padding-box; background-clip: padding-box;}</style><style>
</style><p id="isPasted"><strong>In this guide we will cover:</strong></p><p><strong>- Introduction</strong></p><p><strong>- Configuration Options</strong></p><p><strong>- App Registration Configuration</strong></p><p><strong>- Halo Configuration</strong></p><p><strong>- Grant Consent for the Application</strong></p><p><strong>- Configure Additional SSO Behaviour</strong></p><p><br></p><p><br></p><p><strong>Related Guides:</strong></p><ul><li><strong><a href="https://usehalo.com/haloitsm/guides/1189" target="_blank" rel="noopener noreferrer">Microsoft CSP Integration</a></strong></li><li><a href="https://usehalo.com/haloitsm/guides/1106" target="_blank" rel="noopener noreferrer"><strong>Microsoft Entra Integration (Formerly: Azure Active Directory)</strong></a></li><li style="font-weight: bold;" id="isPasted"><a data-fr-linked="true" href="https://usehalo.com/halocrm/guides/2443/" target="_blank" rel="noopener noreferrer"><strong>Single Sign-On (B2C)</strong></a></li></ul><p><strong><span style="font-size: 14pt;">Introduction</span></strong></p><p><strong><span style="font-size: 12pt;">What is B2B Single Sign-On (SSO)?</span></strong></p><p>Single Sign-On via a B2B connection allows your agents and users to sign in to Halo using their Entra-managed Microsoft credentials, giving you secure, centralised access management for Halo based on identities you already maintain.</p><p><br></p><p><strong><span style="font-size: 12pt;">Who can use B2B SSO?</span></strong></p><p>B2B SSO is appropriate when all users who need to log in to Halo already exist in one or more Microsoft Entra tenants. This model is commonly used by organisations running HaloPSA or HaloITSM, where internal staff and/or managed client users are already provisioned within an Entra ID tenant.
</p><p><br></p><p>If you would like anyone to be able to log in and sign up to your Halo portal using various authentication sources, including personal Microsoft accounts, you will need to use B2C SSO. This is typically used by organisations using HaloCRM.</p><p><br></p><ul><li style="font-weight: bold;" id="isPasted"><a data-fr-linked="true" href="https://usehalo.com/halocrm/guides/2443" target="_blank" rel="noopener noreferrer"><strong>Single Sign-On (B2C)</strong></a></li></ul><p><strong><span style="font-size: 12pt;">SSO in Multiple Instances</span></strong></p><p>The Single Sign-On module can also be used to set up single sign-on in your Halo instance. It allows you to create multiple SSO records for Entra, and each record can be linked to one of your Halo instances to restrict which instance that sign-on method can be used in (Prod/UAT/Dev), which is useful when using linked instances. This lets you use SSO in additional instances while restricting who can log in to each instance with their SSO credentials, for example only allowing developers/administrators to log in to your Dev instance.
For information on setting up single sign-on using the dedicated module instead, see: <a data-fr-linked="true" href="https://usehalo.com/haloitsm/guides/2667" id="isPasted" target="_blank" rel="noopener noreferrer">Single Sign-On in Halo</a>.</p><p><br></p><p><span style="font-size: 12pt;"><strong>Prerequisites</strong></span></p><p><br></p><p>While not explicitly required, we recommend configuring the following before SSO if they are relevant to you:</p><ul><li><span style="font-size: 11pt;"><a href="https://usehalo.com/haloitsm/guides/1106/" target="_blank" rel="noopener noreferrer"><strong>Microsoft Entra ID Integration</strong></a></span></li><li><span style="font-size: 11pt;"><a href="https://usehalo.com/haloitsm/guides/1189/" target="_blank" rel="noopener noreferrer"><strong>Microsoft CSP Integration</strong></a></span></li></ul><p><span style="font-size: 11pt;"><br></span></p><p><span style="font-size: 14pt;"><strong>Configuration Options</strong></span></p><p>You will need to configure an App Registration within your own Azure tenant. Before you do, consider the following points.</p><p><br></p><p><strong id="isPasted"><span style="font-size: 12pt;">Single or Multi Tenant Configuration</span></strong></p><p>The Halo SSO application can be single or multi tenant.</p><p><br></p><p>A single-tenant application only allows Entra users who are members of the same tenant as the one where the app registration is configured to sign in. A multi-tenant application allows Entra users from multiple tenants to sign in (restrictions on which tenants are allowed can be configured in Halo).</p><p><br></p><p>Our HaloITSM clients, who typically have only one Azure tenant, will generally use a single-tenant application.</p><p><br></p><p>Our HaloPSA clients who want their managed users to be able to use SSO, along with HaloITSM clients with more than one tenant, should configure a multi-tenant application.
</p><p><br></p><p><br></p><p><strong><span style="font-size: 12pt;">Redirect URLs and Authorization<br></span></strong></p><p>In the Authentication tab of the App Registration, you will need to add valid redirect URIs. Whether you intend to allow Agents, Users or both to use SSO determines which Redirect URI(s) need to be registered.</p><p><br></p><p>The format for the Agent and User Redirect URIs is as follows:</p><p><br></p><ul><li>Agent Portal Single Sign-On (SSO):<ul style="list-style-type: disc;"><li>&lt;YOUR Halo Web App URL&gt;/auth/account/azureresponse</li></ul></li><li>User Portal Single Sign-On (SSO):<ul style="list-style-type: disc;"><li>&lt;YOUR Halo Web App User Portal URL&gt;/auth/account/azureresponse</li></ul></li></ul><p><br></p><p><strong><em>Note: If you have a UAT or Dev instance of Halo and would like to use SSO there, you can add the redirect URIs for that instance too. These follow the format &lt;YOUR Halo UAT Web App URL&gt;/auth/account/azureresponse. This ensures that when your UAT/Dev instance is refreshed you will still be able to sign in to it using SSO. The same application can be used for SSO in both instances (the details of this application are synced between instances), so you can add all required redirect URIs to the same Azure application.</em></strong></p><p><br></p><p><span style="font-size: 14pt;" id="isPasted"><strong>App Registration Configuration</strong></span></p><p>Once you have decided on the application type and which redirect URIs you require, follow these steps to configure the app registration in your Entra ID tenant.</p><p><br></p><p id="isPasted">Open the Entra Admin Center (or similar) and navigate to the App Registration section.
Click "New Registration".</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjI5NTEzMGQzLWNkMGMtNDBmMS1iYTkyLTAxMDRmYmI5MWE5ZCJ9.qeMlmRKVZbiEg4kJtdKQz2cF7ZkpPynF8nx8Ibhus3U" class="fr-fic fr-fil fr-dib" width="1686" style="width: 1688px; height: 555.62px;" height="556"></p><p><strong><span style="font-size: 10pt;">Fig 1. App registration creation screen</span></strong></p><p><br></p><p>On the registration screen you will need to fill out:</p><p><br></p><p>Name: <strong>Be aware this could be visible to end-users, so choose a sensible name</strong>.</p><p>Supported Account Type: Single or Multi tenant, depending upon your organisation's requirements (see 'Configuration Options' above).</p><p>Redirect URI: Insert one of the redirect URIs you require, if any. If you need both, the steps to add the second one are shown below.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjU4ZTM3ZTk3LWYyMjctNDY4Mi1hYTY3LTUzMzk2NWQxMmUzYyJ9._YTHhtkaFKXllYNpbEYFQGmGEN0R8F564MXDB1Iyhgs" class="fr-fic fr-fil fr-dib" width="910" height="543"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 2. App registration details screen</span></strong></p><p><br></p><p>Click "Register". Once registered, copy the "Application (client) ID" and "Directory (tenant) ID" from the Overview tab and store them safely, as they will be needed later.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjQ3NTE3ZmZjLWI0NjMtNDQzZS05OWFkLWIzMmU0MWYzYWNiZiJ9.0Chat_kA4ASenSvvg4r7vKdEPriTBpT2bd7SbaRagmI" class="fr-fic fr-fil fr-dib" width="1762" style="width: 1764px; height: 485.844px;" height="486"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 3.
App registration overview</span></strong></p><p><br></p><p>Navigate to the 'API permissions' tab and remove the default 'User.Read' permission.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjIzMWFjODgwLWI2YTEtNDE1YS1iYTJjLThiOWNhZTRkNjVlMyJ9.BPNTH5TIPsAjOaTaFaXUIhaZ64YE-McCay9bwRm5sXI" class="fr-fic fr-fil fr-dib" width="1735" style="width: 1737px; height: 597.561px;" height="598"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 4. App registration default API permissions</span></strong></p><p><br></p><p>Now navigate to the 'Authentication' tab and, if needed, insert the second redirect URI into the box entitled 'Web' at the top. Then enable 'ID tokens' under 'Implicit grant and hybrid flows'.</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjM1MmMwZjUwLTZiMGQtNDMwMC05MDExLWNjMjU0NDQ2NTlmNSJ9.a5TZaX4PsLrgYe7zCaVwRoCcYM1dsmlYnSf_EuHFGVI" class="fr-fic fr-fil fr-dib" width="1748" style="width: 1750px; height: 1012.97px;" height="1013"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 5. App registration authentication configuration</span></strong></p><p><br></p><p><strong id="isPasted">Domain Verification (highly recommended if using the multi-tenanted option):</strong></p><p><br></p><p>This adds the 'xms_edov' claim to the ID token, which indicates whether the issuing tenant has verified ownership of the domain in the user's email address; Halo's 'Verify that the User's email has been domain verified' option (see 'Halo Configuration' below) relies on it.</p><p><br></p><p>Open the 'Token configuration' tab and click 'Add optional claim':</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImM0MDlkOTA1LTRjYzAtNGMwZC05MjRkLTBlOTlhYTNkYzhhNyJ9.XjJiZq20alCxrLqyZYAk3Jr6AzNGGIVov2rCeSE1Odk" class="fr-fic fr-fil fr-dib" width="1419" height="653"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 6.
Default 'Token configuration' page</span></strong></p><p><br></p><p>Choose 'ID' as your 'Token Type'.</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjA2NTExMjI2LWU0NTgtNDIxNy1hYWE1LWM2ODYwMTRjMzBhZiJ9.M8uz-SUj8IoYWFotWLB9oSTvtEI1qTDys9_CyUVGvuQ" class="fr-fic fr-fil fr-dib" width="587" height="325"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 6a. ID Type</span></strong></p><p><br></p><p>Choose 'xms_edov' as your claim and click 'Add'.</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjFkMmJmN2IxLThkOTctNDdkYS05N2Q5LWZmNTRmZjRhYzIyZiJ9.pDNlmiZinGDbQUE8uNOe5oaJGc9MdYAPUpldyWTEW14" class="fr-fic fr-fil fr-dib" width="572" height="1176"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 6b. The 'xms_edov' claim</span></strong></p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImUwY2Y3ODI5LTE1YjItNDJiMi05YjMwLWRiYTQ0ZjUwNjJjOSJ9.3mRpIxkcyOTJ4KFzpdNu7Fjz3SUeuNBEcLk4WEBWTc8" class="fr-fic fr-fil fr-dib" width="2275" height="627"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 7. Claim successfully added</span></strong></p><p><br></p><p><span style="font-size: 14pt;" id="isPasted"><strong>Halo Configuration</strong></span></p><p id="">Once the App Registration is successfully configured, navigate to Configuration > Integrations > Entra ID > Single Sign On, where you will find the settings for the tenant/application type and the other Single Sign-On (SSO) options.
</p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjE4MjBhM2RjLTgwMDgtNGVlZC04MGY2LTFjZTk3YTM5MWQ2MyJ9.Gikd8vR7wmiW7yeCEiJTnwxDSFgd7aO_iNduEM_RnQ4" class="fr-fic fr-fil fr-dib" width="1760" style="width: 1762px; height: 886.256px;" height="886"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 8. SSO blank configuration screen</span></strong></p><p><br></p><p><span style="font-size: 11pt;">The configuration options are as follows:</span></p><p><span style="font-size: 11pt;"><br></span></p><ul><li style="font-size: 11pt;"><strong>Tenant/Application Type</strong> - Allows you to choose between the single and multi-tenanted configuration, as discussed in 'Configuration Options'.</li><li style="font-size: 11pt;"><strong>Azure Tenant ID</strong> - Enter the Directory (tenant) ID you copied from the App Registration overview.</li><li style="font-size: 11pt;"><strong>Azure Application ID</strong> - Enter the Application (client) ID you copied from the App Registration overview.</li><li style="font-size: 11pt;"><strong>Federated Domain</strong> - Use this if Azure authentication requests in your tenant are forwarded to an ADFS server, to streamline the SSO procedure in Halo. Enter the fully qualified domain name of your ADFS server here.</li><li style="font-size: 11pt;"><strong>Azure Tenant Sign-In Scope</strong> - <em>Only required if your application is multi-tenanted</em>. This determines which users can sign in with SSO. We recommend setting this to ‘allow users from a restricted list’ as this is more secure. When this option is selected, you will need to enter the tenant IDs of the tenants that are allowed to use SSO; only users/agents in these tenants will then be able to use SSO.
Alternatively you can allow all Azure tenants without listing them.<ul><li style="font-size: 11pt;">If using the <a href="https://usehalo.com/halopsa/guides/1189/" target="_blank" rel="noopener noreferrer">CSP integration</a>, the tenants you manage can be added here automatically, provided you have "Automatically add the Azure tenant id of any imported Client to the allowed list for single sign-on" enabled.</li></ul></li><li style="font-size: 11pt;"><strong>Graph Endpoint</strong> - Choose which Graph endpoint you are using; the default is correct for the vast majority of clients.</li><li style="font-size: 11pt;"><strong>Published</strong> - This checkbox activates SSO. Enable it once configuration is complete.</li><li style="font-size: 11pt;"><strong>Allow Single Sign-On for Agents and/or Users</strong> - Determines who can use SSO: agents and/or users.</li><li style="font-size: 11pt;"><strong>Automatically create unmatched users that login with Azure AD but aren't present in Halo</strong> - When this is enabled, new users can be created using SSO. If a user logs in to the Halo portal with an account that does not currently exist as a user account in Halo, a new Halo user account will be created for them. This is only available when using a single-tenanted application.</li><li style="font-size: 11pt;"><strong>Automatically redirect Agents to Azure without showing the Halo login screen</strong> - Agents will not see the Halo login screen when accessing the Halo agent app; they will be redirected automatically to the Microsoft login.
<ul style="font-size: initial;"><li style="font-size: 11pt;">Recommended if you want to enforce Entra SSO sign-in and use no other identity provider for agents.</li></ul></li><li id="isPasted" style="font-size: 11pt;"><strong>Automatically redirect Users to Azure without showing the Halo login screen</strong> - Users will not see the Halo login screen when accessing the Halo portal; they will be redirected automatically to the Microsoft login.<ul style="font-size: initial;"><li id="isPasted" style="font-size: 11pt;">Recommended if you would like to enforce Entra SSO sign-in and use no other identity provider for users. You can enforce this on a client-by-client basis by enabling the following setting in the client's profile under Settings tab > Self Service Portal:<img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImFiNWIyODY1LTNlYjAtNGVlZC04YTM4LWU4ZDU3ZDdlMTAwOCJ9.BVxxRfMcPYy_7BDQUhkzD02oJXQ5kPEZNwq7LN0Qf-0" class="fr-fic fr-fil fr-dib" width="552" height="49"><strong id="isPasted">Fig 8a. Redirect when logging in with Halo credentials.</strong></li></ul></li><li id="isPasted" style="font-size: 11pt;"><strong>Use the unique identifier of the Agent/User for single sign-on instead of their email address</strong> - Agents and users will only be able to log in using their unique identifier instead of their email address. This will only work for agents/users that have been imported from Entra or CSP, as the import is required to obtain their unique identifier.</li><li id="isPasted" style="font-size: 11pt;"><strong>Enable Single-Logout (SLO)</strong> - When this is enabled, an agent/user logging out of their Microsoft account anywhere (e.g. OneDrive) will also be logged out of Halo; conversely, logging out of Halo will log them out of Microsoft 365 entirely.
This is useful if you would like to log out only once at the end of the day, but you may want to disable it if you would like to be able to log out of one application while remaining signed in to another.</li><li id="isPasted" style="font-size: 11pt;"><strong>Verify that the User's email has been domain verified</strong> - Ensures that the Azure tenant in which the user is located has verified that it owns the domain of the user's email address. For example, if <a href="mailto:john.smith@microsoft.com" style="font-size: 11pt;">john.smith@microsoft.com</a> is trying to sign in, Halo will verify that the tenant the user belongs to owns the 'microsoft.com' domain. <strong>It is strongly recommended that all clients using the multi-tenanted option enable this unless they are using the '<em>Use the unique identifier of the Agent/User for single sign-on instead of their email address</em>' option above. Without it enabled, your instance could be at risk of unauthorised sign-ins by malicious actors who manipulate the email address returned to Halo by Entra, because the email claim is set by the issuing tenant and is not otherwise proven to belong to that tenant. Please see the instructions under the 'Domain Verification' heading in the 'App Registration Configuration' section above.</strong></li></ul><p><span style="font-size: 11pt;">Your configuration should look something like the multi-tenanted example below:</span></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImE3MDEwNDMyLThkMzYtNDIyYi1hMDQ4LWFmMjc4OTU4MTExNCJ9.aHm-YTIEZAUNSYIrpsiKICfwyTB_wYUsgLklgc4G93o" class="fr-fic fr-fil fr-dib" width="2158" height="1119"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 9. SSO configuration completed</span></strong></p><p><br></p><p><strong><span style="font-size: 14pt;">Grant Consent for the Application</span></strong></p><p>Now, users and agents will be able to sign in to Halo using single sign-on.
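</p><p><br></p><p>The tenant sign-in scope, unique identifier and domain-verification options in the 'Halo Configuration' section above are, from Halo's side of the sign-in, checks on claims in the Entra ID token. The Python below is an added illustration of that logic and is not Halo's own code (Halo's implementation is not published in this guide): tid, oid, email and xms_edov are Entra's standard ID-token claim names, while the SsoPolicy class, the select_sso_identity function and the sample claim sets are constructed for the example. It assumes the token's signature, issuer, audience and expiry have already been verified by the OIDC library.</p>

```python
# Added illustration, not Halo's own code: the claim checks a relying party
# applies to a Microsoft Entra ID token before matching it to a local account.
# tid, oid, email and xms_edov are Entra's standard ID-token claim names; the
# SsoPolicy fields, select_sso_identity() and the sample claim sets below are
# constructed for this example. The token's signature, issuer, audience and
# expiry are assumed to have been verified already by the OIDC library.
from dataclasses import dataclass, field


@dataclass
class SsoPolicy:
    """Hypothetical model of the Halo SSO options discussed in the guide."""
    home_tenant: str                      # "Azure Tenant ID" from the app registration
    multi_tenant: bool = False            # "Tenant/Application Type"
    allowed_tenants: set = field(default_factory=set)  # "Azure Tenant Sign-In Scope"; empty = allow all
    match_on_unique_id: bool = False      # "Use the unique identifier ... instead of their email address"
    require_domain_verified: bool = True  # "Verify that the User's email has been domain verified"


def tenant_allowed(tid: str, policy: SsoPolicy) -> bool:
    """Single tenant: only the home tenant. Multi-tenant: the allow-list, or anyone if it is empty."""
    if not policy.multi_tenant:
        return tid == policy.home_tenant
    return not policy.allowed_tenants or tid in policy.allowed_tenants


def domain_verified(claims: dict) -> bool:
    """xms_edov is documented as a boolean claim; tolerate a string rendering of it."""
    value = claims.get("xms_edov")
    return value is True or (isinstance(value, str) and value.lower() == "true")


def select_sso_identity(claims: dict, policy: SsoPolicy) -> tuple:
    """Return ("oid" | "email", key) to look the local account up with, or raise ValueError."""
    tid = claims.get("tid")
    if not tid:
        raise ValueError("token has no tid claim")
    if not tenant_allowed(tid, policy):
        raise ValueError(f"tenant {tid} is not permitted to sign in")

    if policy.match_on_unique_id:
        oid = claims.get("oid")
        if not oid:
            raise ValueError("token has no oid claim")
        # oid is immutable but only unique within a tenant, so key on (tid, oid).
        return ("oid", f"{tid}:{oid}")

    email = claims.get("email")
    if not email or "@" not in email:
        raise ValueError("token has no usable email claim")
    if policy.require_domain_verified and not domain_verified(claims):
        # The issuing tenant has not proven it owns this email domain, so the
        # address cannot be trusted to identify a Halo account.
        raise ValueError(f"domain of {email} is not verified by tenant {tid}")
    return ("email", email.lower())


def evaluate(claims: dict, policy: SsoPolicy) -> tuple:
    """Convenience wrapper that reports rejections instead of raising."""
    try:
        return select_sso_identity(claims, policy)
    except ValueError as exc:
        return ("rejected", str(exc))


# Constructed sample claim sets (no real tenant or object IDs).
VERIFIED = {"tid": "tenant-a", "oid": "user-1", "email": "Alice@example.com", "xms_edov": True}
UNVERIFIED = {"tid": "tenant-b", "oid": "user-2", "email": "ceo@example.com"}  # no xms_edov
FOREIGN = {"tid": "tenant-z", "oid": "user-3", "email": "bob@example.org", "xms_edov": True}

if __name__ == "__main__":
    restricted = SsoPolicy("tenant-a", multi_tenant=True, allowed_tenants={"tenant-a", "tenant-b"})
    by_oid = SsoPolicy("tenant-a", multi_tenant=True, allowed_tenants={"tenant-a", "tenant-b"},
                       match_on_unique_id=True)
    single = SsoPolicy("tenant-a")
    for name, claims in (("VERIFIED", VERIFIED), ("UNVERIFIED", UNVERIFIED), ("FOREIGN", FOREIGN)):
        print(name, evaluate(claims, restricted), evaluate(claims, by_oid), evaluate(claims, single))
```

<p>Run as a script to see each sample token evaluated under a restricted multi-tenant policy, the same policy keyed on the unique identifier, and a single-tenant policy. The design point is that an unverified email claim only matters when email is the matching key: switching to the tenant-scoped oid, as the 'unique identifier' option does, makes the domain check unnecessary, which is exactly the exception the guide makes.</p><p><br></p><p>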
</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImNkMTNhYmI4LTMxOGQtNDlhNS04OGE5LWFhNjQ5YWVjNGM5ZiJ9.MJbXaMyqVAhJEQMFnt_-NVeAK0lIj_jqalT_AIammfA" class="fr-fic fr-fil fr-dib" width="343" style="width: 345px; height: 411.212px;" height="411"></p><p><strong><span style="font-size: 10pt;">Fig 10. Sign in to Halo using Single Sign-On</span></strong></p><p><br></p><p>The first time each user signs in they will see the pop-up shown in figure 11.</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImUxYjdlNzg0LTY4NDQtNDJhNi1hMzFkLTAwODNkMGYwMGI4OCJ9.zk3aKegTSKMBGUgZ0A5ub3Nmwc6tjKyxNt1Haxup5Fk" class="fr-fic fr-fil fr-dib" width="310" style="width: 312px; height: 419.724px;" height="420"></p><p><strong><span style="font-size: 10pt;">Fig 11. Permissions requested pop-up</span></strong></p><p><br></p><p>Once a user has accepted these permissions, the pop-up will not appear for that user again.</p><p><br></p><p>To prevent this pop-up appearing to users in the first place (auto-granting the permissions), admin consent needs to be granted for the enterprise application in Azure. There are two ways this can be done, depending on how your Azure is structured. The next two sub-sections explain how to do this depending on whether or not you have an account that is a global administrator over all tenants.</p><p><br></p><p><strong><em>Note: Admin consent can only be granted in Entra after a user has attempted to log in using single sign-on in Halo.
</em></strong></p><p><br></p><p><strong><span style="font-size: 12pt;">Auto Grant Consent when you have an Account that is a Global Administrator over all Tenants</span></strong></p><p>Only use this method when using a multi-tenanted application and you have an account that is a global administrator over all of the tenants.</p><p><br></p><p>Head to 'Enterprise applications' within Entra and search for the application you created for single sign-on in Halo, then click into the application > Permissions > "Grant admin consent for YOURTENANT".</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjA1OTE5MDFlLWE0ZmItNDljMS05Y2RiLTdmMGI3NTU1YTAyNSJ9.fO3ECI9wMCvF6nwtZo2oUqRl10wTS3eRsTkKoSEOEN4" class="fr-fic fr-fil fr-dib" width="1286" style="width: 1288px; height: 458.982px;" height="459"></p><p><strong><span style="font-size: 10pt;">Fig 12. Grant admin consent for the application</span></strong></p><p><br></p><p>Only an administrator in Azure can grant admin consent, and it must be a global administrator of all tenants that are allowed to use single sign-on.</p><p><br></p><p>Once consent is granted, users can log in to Halo using single sign-on without being prompted to accept permissions.</p><p><br></p><p data-pasted="true"><strong><span style="font-size: 12pt;">Auto Grant Consent when you do not have an Account that is a Global Administrator over all Tenants</span></strong></p><p>Use this method when using a single-tenanted application, or when using a multi-tenanted application and you do not have an account that is a global administrator over all tenants.</p><p><br></p><p>Have an administrator of one of the Azure tenants log in to Halo using single sign-on. When logging in, they will see the pop-up shown in figure 13 and will need to select "Consent on behalf of your organisation".
</p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjZjYjk5YTA3LWRkNjYtNDI3Mi1hMjQ2LWRkMzVlMzAwOGVmNiJ9.cWjGBxFPoWw5XgCH7UFzNFg73XxDiK7vWJ8X900tq2s" class="fr-fic fr-fil fr-dib" width="326" style="width: 328px; height: 446.253px;" height="446"></p><p><strong><span style="font-size: 10pt;">Fig 13. Pop-up when logging into Halo using Single Sign On for the first time</span></strong></p><p><br></p><p>This will grant permissions for all users under the tenant that the person logging in is an administrator of, so those users will no longer see this pop-up. </p><p><br></p><p>If you are connecting single sign on for multiple tenants (that is, using a multi-tenanted application), you will need to repeat this process for each of your tenants: an administrator from each tenant will need to log into Halo and grant consent for their organisation. </p><p><br></p><p><strong><span style="font-size: 14pt;">Configure Additional SSO Behaviour </span></strong></p><p><strong><span style="font-size: 12pt;">Remembering Agent/User Logins</span></strong></p><p>To streamline the login process, you can allow agents and users to have their login details 'remembered' so that they need not enter their password each time they log in. To enable this functionality, head to Configuration > Advanced Settings and enable 'Remember Me when using a SSO method'. </p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjVjNTk2N2IxLTQyYjgtNDdiZS05OTk4LTg5ZDIyNzA2ZDI0MSJ9.j55yu9izq7juOPUYewHoOP3UGyCfYSo7xRzz3NySZVg" class="fr-fic fr-fil fr-dib" width="1577" style="width: 1579px; height: 229.104px;" height="229"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 14. 
Enabling Remember Me for SSO</span></strong></p><p><br></p><p>When enabled, a 'Remember Me' setting will appear on the login screen so that agents/users can choose to have their login details remembered for next time. </p><p><br></p><p><strong><span style="font-size: 12pt;">Bypass 2FA with SSO</span></strong></p><p id="isPasted">To allow agents/users using SSO to bypass Halo 2FA, head to Configuration > Advanced Settings and enable 'Bypass Halo 2FA if logging in with Single Sign-On'.</p><p><br></p><p id="isPasted">When enabled, 2FA procedures will be bypassed automatically when agents/users log in using SSO. </p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImQzNzA2ZjdkLTM5MzItNGQxNS1hMWZkLWYxMGMwZTAwYmFhMCJ9.d3gA4TlAsV_twf1cIidj0crKP5SfR9UaLQxraY5rEVM" class="fr-fic fr-fil fr-dib" width="1489" height="417"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 15. Enable Halo 2FA bypass when using SSO</span></strong></p><p><br></p><p><strong><span style="font-size: 12pt;">Don't ask for 2FA again when using SSO</span></strong></p><p>When using 2FA with Halo login credentials, agents/users have the option to tick 'Don't ask again' when completing 2FA, so that they need not complete 2FA again when logging in from the same device. </p><p><br></p><p>This functionality can be extended to SSO logins. You first need to ensure you have enabled Halo 2FA procedures (forced for everyone or enabled per agent). You will also need to enable the 'Don't ask again on this browser' option under Configuration > Advanced Settings. </p><p><br></p><p><img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImMzMTIxNDI0LTlhNTgtNDZiYy04YzFkLTYyNTMxZGY0NDIxNyJ9.Xf0qru4qXnfGbsuCaNb7Tj71Y2B9Tn5aKhn-ndAHmrM" class="fr-fic fr-fil fr-dib" width="1253" height="346"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 16. 
Enabling Don't ask again</span></strong></p><p><br></p><p>Once this is set up, enable 'Allow Halo 2FA if logging in with Azure Single Sign-On' under Configuration > Advanced Settings. </p><p> <img src="https://halo.haloservicedesk.com/api/attachment/image?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImU3N2RlYzA4LTUwM2EtNDE2YS1hM2Y2LTUwNzA1ZTRkMTcwMyJ9.GjuwLH6hdp6NOO1AM_x6TBXli19DpT5gDBt34ATK8i4" class="fr-fic fr-fil fr-dib" width="1467" height="319"></p><p><strong id="isPasted"><span style="font-size: 10pt;">Fig 17. Enabling 2FA bypass if 2FA was previously provided</span></strong></p><p><br></p><p>When this is enabled, an additional cookie will be stored so that agents/users can skip 2FA if they ticked 'Don't ask again' when logging in previously. </p>
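<p><br></p><p>The two settings above, 'Bypass Halo 2FA if logging in with Single Sign-On' and the 'Don't ask again' cookie, both decide when a second factor is skipped, so they are worth seeing side by side. The following is an added example and a simplified model, not Halo's implementation: it mints and verifies a remembered-browser cookie that is signed, bound to the user and browser, time-limited and revocable, and it shows the one check a defender wants around the SSO bypass, namely that Halo's 2FA is only skipped when the identity provider's ID token says multi-factor authentication actually happened. The cookie format, the per-user revocation epoch, the setting names mapped in the TwoFactorSettings class and the sample key are assumptions; the Entra ID 'amr' claim is read from claims assumed to be signature-verified already.</p>

```python
"""Remembered-browser 2FA cookie and the 2FA skip decision, as a simplified model.

Added example: it is not Halo's implementation. Assumptions: the 'Don't ask again'
cookie is an HMAC-SHA256 token bound to the user, the browser and a per-user
revocation epoch; the IdP (Entra ID) returns an ID token whose 'amr' claim lists the
authentication methods used and contains "mfa" when multi-factor authentication was
performed; the token's signature has already been verified before its claims are read.
"""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_remember_cookie(key: bytes, user_id: str, browser_id: str,
                          epoch: int, now: int, ttl_seconds: int) -> str:
    """Mint the cookie stored when a user ticks 'Don't ask again': payload.signature."""
    payload = json.dumps({"uid": user_id, "bid": browser_id, "epoch": epoch,
                          "exp": now + ttl_seconds}, separators=(",", ":")).encode()
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(signature)}"


def verify_remember_cookie(key: bytes, cookie: str, user_id: str, browser_id: str,
                           current_epoch: int, now: int) -> bool:
    """True only for an untampered, unexpired cookie bound to this user and browser
    and to the user's current revocation epoch (bumping the epoch after, say, a
    password reset invalidates every remembered browser at once)."""
    try:
        payload_b64, signature_b64 = cookie.split(".", 1)
        payload = b64url_decode(payload_b64)
        signature = b64url_decode(signature_b64)
    except ValueError:
        return False                      # malformed cookie
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False                      # forged or modified cookie
    claims = json.loads(payload)          # authentic payload, so this is JSON we minted
    return (claims.get("uid") == user_id and claims.get("bid") == browser_id
            and claims.get("epoch") == current_epoch and claims.get("exp", 0) > now)


@dataclass(frozen=True)
class TwoFactorSettings:
    bypass_2fa_for_sso: bool   # models 'Bypass Halo 2FA if logging in with Single Sign-On'
    dont_ask_again: bool       # models 'Don't ask again on this browser'


def idp_asserted_mfa(id_token_claims: dict) -> bool:
    """True when the (signature-verified) ID token's 'amr' claim records MFA."""
    return "mfa" in id_token_claims.get("amr", [])


def decide_2fa(settings: TwoFactorSettings, login_method: str,
               id_token_claims: dict, remember_cookie_valid: bool) -> str:
    """Return 'skip:sso-bypass', 'skip:remembered' or 'require'.

    The added check is the one a defender wants around the bypass setting: once Halo's
    own 2FA is skipped for SSO logins, the IdP is the only place a second factor is
    enforced, so the bypass is only honoured when the IdP says MFA actually happened.
    """
    if (login_method == "sso" and settings.bypass_2fa_for_sso
            and idp_asserted_mfa(id_token_claims)):
        return "skip:sso-bypass"
    if settings.dont_ask_again and remember_cookie_valid:
        return "skip:remembered"
    return "require"


if __name__ == "__main__":
    key = b"constructed-sample-key-not-for-production"
    cookie = issue_remember_cookie(key, "alice", "browser-1", 1, 1_700_000_000, 30 * 86400)
    print(verify_remember_cookie(key, cookie, "alice", "browser-1", 1, 1_700_000_100))
    print(decide_2fa(TwoFactorSettings(True, True), "sso", {"amr": ["pwd"]}, False))
```

<p>The cookie check refuses a cookie presented by a different user or from a different browser, any cookie past its expiry, any cookie minted before the user's revocation epoch was bumped, and any cookie whose payload was altered after signing; the decision function then only lets an SSO login skip the second factor when the identity provider asserted MFA, which is the condition that makes the bypass setting safe to enable.</p>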