Halo's native Microsoft Entra ID integration gives your team SSO into the service desk, enforces MFA without extra configuration, and keeps your user list automatically in sync — all from the identity platform you already run.
✓ SSO for agents & end users✓ MFA enforcement✓ Automated user provisioning✓ Self-service portal auth✓ Continuous user sync✓ Native — included in every licence
What you get
Four ways Entra ID connects Halo to your Microsoft estate.
If your organisation runs Microsoft 365, you already have Entra ID. Halo's native integration uses it to handle identity, access, and provisioning — so your service desk works the same way as every other tool in your estate.
Single Sign-On
Sign in to Halo with your Microsoft identity
Agents and end users authenticate to Halo using their existing Microsoft 365 credentials — the same login they use for Teams, Outlook, and SharePoint. No separate Halo password. No additional account to manage. SSO can be applied to agent logins, the self-service portal, or both.
✓Agents sign in to Halo with their M365 account
✓End users authenticate to the self-service portal via Entra ID
✓One identity for every Microsoft tool — including Halo
Multi-Factor Authentication
Your MFA policy applies to Halo automatically
If you enforce MFA through Microsoft Entra ID conditional access policies, those controls extend to Halo at no extra configuration cost. When a user authenticates to Halo via SSO, they pass through the same MFA challenge as any other Microsoft 365 app — no separate MFA setup, no additional licences.
✓Consistent security posture across your entire Microsoft estate
Automated Provisioning
Users and technicians stay in sync automatically
Halo continuously syncs users and technicians from your Entra ID directory using Task Scheduler. New starters appear in Halo when they're added to your directory. Leavers lose access when their account is disabled. No manual user management, no stale records, no access drift.
✓Continuous sync via Task Scheduler — runs automatically
✓New starters provisioned in Halo without manual admin
✓Leavers de-provisioned when their Entra account is disabled
Self-Service Portal
End users access the portal with zero friction
The Halo self-service portal can be configured to authenticate via Entra ID — so end users open the portal and they're already logged in. No forgotten passwords, no separate account creation, no support calls about portal access. Works in-browser and when the portal is embedded inside Microsoft Teams.
✓Portal authenticates via Entra ID — no second login
✓Works in-browser and as an embedded Teams tab
✓User credentials protected to meet governance requirements
The detail
Everything the integration delivers.
The full feature set — active from day one, included in your Halo licence, no middleware, no extra subscriptions.
Agent SSO login
Agents sign in to Halo using their Microsoft 365 identity. No separate Halo password — Entra ID handles authentication end-to-end.
End user SSO login
End users access the Halo self-service portal with the same Microsoft 365 credentials they use every day. Frictionless from the first visit.
MFA enforcement
Halo inherits MFA from your existing Entra conditional access policies — no separate MFA setup needed inside Halo.
Automated user sync
End users in Entra ID are continuously synced into Halo via Task Scheduler. Your Halo user list always reflects your actual directory.
Automated technician sync
Technicians are provisioned and updated in Halo from your Entra directory. Role changes in Entra are reflected in Halo automatically.
Automatic de-provisioning
When a user's Entra account is disabled, their Halo access is removed in the next sync cycle — no manual offboarding required.
Self-service portal auth
The Halo self-service portal can use Entra ID for authentication — whether accessed via a browser or embedded inside Microsoft Teams.
Teams SSP integration
When the Halo SSP is embedded as a Teams tab, Entra ID SSO means end users are logged in automatically — no portal password, no friction.
Credential & governance compliance
User credentials are managed by Entra ID, meeting organisational requirements for privacy, security governance, and audit compliance.
Group-based access control
Assign Halo access and permissions by Entra ID group membership — so provisioning follows your existing organisational structure.
First-party integration
The Entra ID integration is built and maintained by Halo's own engineering team. No third-party middleware, no custom connector to manage.
No extra cost — ever
The full Entra ID integration — SSO, MFA, user provisioning, portal auth — is included in every standard Halo licence. No add-ons required.
Getting connected
How the integration is configured
Setup is handled from within Halo and your Microsoft Entra admin centre. No middleware, no third-party connectors, no software to install.
1
Create an App Registration in your Entra admin centre
In the Microsoft Entra admin centre (or Azure portal), create a new App Registration for Halo and grant the required API permissions. This gives Halo a trusted identity within your Microsoft 365 tenant.
2
Configure the Entra ID integration in Halo
In Halo, navigate to Configuration → Integrations → Azure Active Directory. Enter your tenant ID, client ID, and client secret from the App Registration. The integration ships with every Halo licence — nothing to download or install.
3
Set up user and technician provisioning
Configure the Halo sync to pull users and technicians from your Entra ID directory. Task Scheduler runs the sync automatically on a schedule you define — typically every 15–60 minutes — keeping Halo's user list current without any manual effort.
4
Enable SSO for agent logins
In Halo's authentication settings, switch agents to sign in via Entra ID SSO. From this point, agents visit the Halo login page and authenticate using their Microsoft 365 identity — no separate Halo password required.
5
Configure SSO for the self-service portal (recommended)
Enable Entra ID authentication for the Halo self-service portal so end users are signed in automatically using their Microsoft 365 identity. If you're embedding the portal inside Microsoft Teams, this step is essential for a seamless experience.
6
MFA is enforced automatically via your Entra policies
No additional configuration needed in Halo for MFA. If your Entra conditional access policies require MFA for app sign-ins, users authenticating to Halo via SSO are covered automatically — the same challenge they'd receive on any other Microsoft 365 app.
Before you start
What you'll need to do in your Microsoft tenant
The Entra ID integration requires activity inside your own Microsoft 365 tenant before Halo can connect. These steps need an Azure administrator — they can't be completed by Allied ESM on your behalf.
Azure admin
Create an App Registration
An Azure administrator must create a new App Registration in the Microsoft Entra admin centre. This registers Halo as a trusted application in your tenant and is the foundation for every other step.
Global admin
Grant API permissions and admin consent
The App Registration requires specific Microsoft Graph API permissions. A Global Administrator must grant admin consent — this cannot be delegated to a lower-privilege account.
Ongoing
Generate and manage a client secret
A client secret must be generated in the App Registration and entered into Halo. Client secrets expire (typically after 1–2 years) and must be rotated before expiry to prevent the integration from breaking. This is an ongoing responsibility for your Azure team.
Azure admin
Review conditional access policies
If your organisation uses conditional access policies, they will apply to Halo once SSO is active. Your Azure team should verify that existing policies won't block Halo access for the user groups that need it — particularly for end users accessing the self-service portal.
IT team
Configure Task Scheduler for user sync
Automated user provisioning uses Halo's Task Scheduler. This needs to be configured and kept running — if it stops, new starters won't appear in Halo and leavers won't be de-provisioned until the scheduler is restarted.
Real-world uses
Three ways this changes the day-to-day.
These are the most common ways organisations put the Entra ID integration to work from go-live.
01
A new starter is ready in Halo before their first day
HR provisions the new starter in Entra ID as part of the onboarding process. Within the hour, the Halo sync picks them up automatically — their user record is created, they're assigned to the right department, and they can log in to the self-service portal with their M365 credentials on day one. No manual user creation, no IT tickets about access.
Entra provisioned→Synced to Halo→Ready on day one
02
An agent logs in to Halo for the first time — no credentials to set up
A new service desk agent joins the team. They navigate to the Halo login page, click "Sign in with Microsoft," and they're in — their MFA challenge fires as normal, they pass it, and they land directly in their Halo queue. IT never had to create a Halo account or set a password. The Entra sync took care of it.
Click Sign in with Microsoft→MFA fires→In Halo
03
A leaver loses Halo access the moment their account is disabled
An employee leaves the business. IT disables their Entra ID account. At the next sync, Halo removes their access automatically. There are no lingering active accounts, no need to remember to disable users in a second system, and no audit findings about orphaned access. The directory is the single source of truth.
Entra disabled→Sync runs→Halo access removed
Common questions
Frequently asked questions
Is the Entra ID integration included in every Halo licence?
Yes. The full Entra ID integration — SSO, MFA enforcement, automated user provisioning, and self-service portal authentication — is a native, first-party Halo feature included in the standard monthly licence. There is no middleware, no third-party connector, and no add-on subscription required.
Does Entra ID SSO work for both agents and end users?
Yes. SSO via Entra ID can be configured for both agent (technician) logins and end user access to the self-service portal. Each can be enabled independently — so you can roll out SSO to agents first, then extend it to end users, or enable both at the same time.
Can I enforce MFA for Halo using my existing Entra policies?
Yes. When users authenticate to Halo via Entra ID SSO, your existing conditional access policies apply automatically. If your policy requires MFA for all app sign-ins, or for specific groups, that challenge fires when users log in to Halo — no additional MFA configuration is needed inside Halo itself.
How does automated user provisioning work?
Halo's Entra ID integration uses Task Scheduler to run a regular sync between your Entra directory and Halo. You configure the sync frequency (typically every 15–60 minutes), and Halo automatically creates, updates, and disables users and technicians to match your directory. New starters appear in Halo without any manual admin. Leavers lose access when their Entra account is disabled.
What access does my Azure admin need to set this up?
The App Registration itself can be created by any Azure administrator. However, granting admin consent for the required Microsoft Graph API permissions requires a Global Administrator — this step cannot be completed by a lower-privilege account. You'll also need someone with permissions to create and manage client secrets within the App Registration.
What happens when the client secret expires?
If the client secret expires without being rotated, the Entra ID integration will stop working — SSO will fail and the user sync will halt. Microsoft typically sets a maximum expiry of 24 months. Your Azure team should set a reminder to generate a new secret and update it in Halo's integration settings before the current one expires. Allied ESM recommends documenting this as a recurring calendar task.
Does this work with HaloPSA as well as HaloITSM?
Yes. The Entra ID integration is available across both HaloITSM and HaloPSA. The full feature set — SSO, MFA, user provisioning, and portal authentication — works identically regardless of which Halo product you run.
We're already live on Halo — can we add Entra ID SSO without disruption?
Yes. The Entra ID integration can be added to an existing live Halo environment. Allied ESM can scope and deliver the full setup — App Registration, sync configuration, and SSO rollout — without disrupting your current workflows. We typically phase it: configure and test in a subset of users first, then roll out broadly once everything is verified. Contact us to discuss what's involved for your setup.
Ready to connect Halo to your Microsoft identity?
Allied ESM can scope and configure the full Halo + Entra ID integration — whether you're starting a new implementation or adding SSO to an existing environment. Talk to us to find out what's involved.