IMPORTANT NOTICE: Microsoft has changed the name of "Azure AD" to "Microsoft Entra ID". For clarity, this article refers to this system as "Azure AD".
Requirements:
Azure AD (now "Microsoft Entra ID"); or
Hybrid Active Directory - Haystack connects through Azure
Haystack Pro, Business, or Enterprise subscription
The integration in a nutshell:
The Haystack integration with Azure AD is simple to set up and test, while also being powerful and flexible enough to meet your needs. The key steps are:
STEP 1 - Send your Tenant ID to Haystack
STEP 2 - Grant Haystack "read-only" permissions using the provided link
STEP 3 - Create groups using the provided naming conventions in Azure AD and assign users as members of these groups
STEP 1 - GRANT AZURE AD PERMISSIONS TO HAYSTACK
Please follow the steps below:
Send your Tenant ID to your Haystack Account Manager. You can find it in the Azure Portal by navigating to Azure Active Directory > Properties, or by following this link.
Your Haystack Account Manager will send you a URL to approve the necessary permissions. This step must be completed by one of your Azure AD admins.
The permissions requested by Haystack are:
* Read all users' full profiles (User.Read.All)
* Read all group memberships (GroupMember.Read.All)
* Sign in and read user profile (default permission)After the Azure AD admin has granted consent to the requested permissions, contact your Haystack Account Manager to activate the integration.
STEP 2 - HAYSTACK ACCOUNT SETTINGS
After completing the registration process described in Step 1, your Haystack Account Manager will help configure your account settings within Haystack's Admin Dashboard based on your requirements.
These settings include:
Default Template - The default template used when a user is not assigned to a specific template group
Invite Message - The message included in the invitation emails your employees will receive
STEP 3 - AZURE AD SET UP
In this step, you define the filters and rules that determine which employees should receive a digital business card and which should not. You can also manage which employees are assigned to each template, in case you're using multiple card templates.
Please note: This step is to be completed by your Azure AD Admin
To set up the required filtering, you will need to create dedicated Azure AD groups to manage the filtering criteria. Haystack will provide your Azure AD admin with the required group names.
There are two group types:
Filter group - tells Haystack which employees should receive digital business cards.
Group name format:haystack_bc_filter_in
.
Template type group - tells Haystack which template the business card should use. If a user is not assigned to a template group, the default template type ID will be applied.
Group name format:haystack_bc_templateTypeId_<value>[_<comment]
.
The value for each template will be provided by your Haystack Account Manager. Each value corresponds to one of the templates set up in Haystack's system. The comment is optional and can contain any text.
Note: A card is created based solely on the filter group. The template type group is only applicable for cards that are being created.
We support group inheritance, meaning a user's relationship to a group can be direct or indirect.
Please see the diagram below as a topology example
In the example above, let's assume the default template is the Management template.
Based on the topology above, the following will occur:
Marketing employees will have their cards created using the Marketing template, since they belong to both the filter_in group and the Marketing template type group.
Sales employees will have their cards created using the Sales template, since they belong to both the filter_in group and the Sales template type group.
QA employees will not receive business cards, as the default setting is not to create cards for all users, and they are not included in a filter_in group. In this case, the template type group is irrelevant.
Management employees will have their cards created using the Management template, as they are included in the filter_in group, and the default template is set to Management.
When the relationship between users and groups changes, the integration will automatically update card behavior to reflect the new settings.