
Azure Active Directory (Azure AD) integration

How to set up Haystack's Microsoft Entra ID (formerly Azure AD) integration. This guide assumes you have a Haystack Premium subscription.

Written by Nir Heimann
Updated over 3 weeks ago

IMPORTANT NOTICE: Microsoft has changed the name of "Azure AD" to "Microsoft Entra ID". For clarity, this article refers to this system as "Azure AD".

Requirements:

  • Azure AD (now "Microsoft Entra ID"); or

  • Hybrid Active Directory - Haystack connects through Azure

  • Haystack Pro, Business, or Enterprise subscription

The integration in a nutshell:

The Haystack integration with Azure AD is simple to set up and test, while also being powerful and flexible enough to meet your needs. The key steps are:

  • STEP 1 - Send your Tenant ID to Haystack

  • STEP 2 - Grant Haystack "read-only" permissions using the provided link

  • STEP 3 - Create groups using the provided naming conventions in Azure AD and assign users as members of these groups

STEP 1 - GRANT AZURE AD PERMISSIONS TO HAYSTACK

Please follow the steps below:

  1. Send your Tenant ID to your Haystack Account Manager. You can find it in the Azure Portal by navigating to Azure Active Directory > Properties, or by following this link.

  2. Your Haystack Account Manager will send you a URL to approve the necessary permissions. This step must be completed by one of your Azure AD admins.
    The permissions requested by Haystack are:
    * Read all users' full profiles (User.Read.All)
    * Read all group memberships (GroupMember.Read.All)
    * Sign in and read user profile (default permission)

  3. After the Azure AD admin has granted consent to the requested permissions, contact your Haystack Account Manager to activate the integration.

STEP 2 - HAYSTACK ACCOUNT SETTINGS

After completing the registration process described in Step 1, your Haystack Account Manager will help configure your account settings within Haystack's Admin Dashboard based on your requirements.

These settings include:

  1. Default Template - The default template used when a user is not assigned to a specific template group

  2. Invite Message - The message included in the invitation emails your employees will receive

STEP 3 - AZURE AD SET UP

In this step, you define the filters and rules that determine which employees should receive a digital business card and which should not. You can also manage which employees are assigned to each template, in case you're using multiple card templates.

Please note: This step is to be completed by your Azure AD admin.

To set up the required filtering, you will need to create dedicated Azure AD groups to manage the filtering criteria. Haystack will provide your Azure AD admin with the required group names.

There are two group types:

  1. Filter group - tells Haystack which employees should receive digital business cards.

    Group name format: haystack_bc_filter_in.

  2. Template type group - tells Haystack which template the business card should use. If a user is not assigned to a template group, the default template type ID will be applied.

    Group name format: haystack_bc_templateTypeId_<value>[_<comment>].
    The value for each template will be provided by your Haystack Account Manager. Each value corresponds to one of the templates set up in Haystack's system. The comment is optional and can contain any text.

Note: A card is created based solely on the filter group. The template type group is only applicable for cards that are being created.

We support group inheritance, meaning a user's relationship to a group can be direct or indirect.

Please see the diagram below as a topology example.

In the example above, let's assume the default template is the Management template.

Based on the topology above, the following will occur:

  1. Marketing employees will have their cards created using the Marketing template, since they belong to both the filter_in group and the Marketing template type group.

  2. Sales employees will have their cards created using the Sales template, since they belong to both the filter_in group and the Sales template type group.

  3. QA employees will not receive business cards, as the default setting is not to create cards for all users, and they are not included in a filter_in group. In this case, the template type group is irrelevant.

  4. Management employees will have their cards created using the Management template, as they are included in the filter_in group, and the default template is set to Management.

When the relationship between users and groups changes, the integration will automatically update card behavior to reflect the new settings.
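The rules above can be previewed offline before the integration syncs. The following is an added example, not Haystack's code: it resolves direct and inherited group membership, applies the filter group first, then the template type groups. The user names, the group nesting, the template values 10, 20 and 30, and the assumption that `<value>` contains no underscore are all constructed for illustration.

```python
import re

FILTER_GROUP = "haystack_bc_filter_in"
# Assumption: <value> has no underscore; anything after the next "_" is the optional comment.
TEMPLATE_RE = re.compile(r"^haystack_bc_templateTypeId_([^_]+)(?:_.*)?$")

def transitive_groups(principal, member_of):
    """All groups a user or group belongs to, directly or through nested groups."""
    seen, stack = set(), list(member_of.get(principal, ()))
    while stack:
        group = stack.pop()
        if group not in seen:  # the seen-set also stops membership cycles
            seen.add(group)
            stack.extend(member_of.get(group, ()))
    return seen

def resolve_card(user, member_of, default_template):
    """Return None when no card is created, else the list of candidate template values."""
    groups = transitive_groups(user, member_of)
    if FILTER_GROUP not in groups:
        return None  # the filter group alone decides whether a card exists
    values = sorted({m.group(1) for g in groups if (m := TEMPLATE_RE.match(g))})
    # More than one value means the user sits in several template groups: review it.
    return values or [default_template]

# Constructed topology: each key lists the groups it is a direct member of.
MEMBER_OF = {
    "alice": ["Marketing"],
    "bob": ["Sales"],
    "carol": ["QA"],
    "dave": ["Management"],
    "erin": ["Marketing", "Sales"],
    "Marketing": ["haystack_bc_filter_in", "haystack_bc_templateTypeId_10_marketing"],
    "Sales": ["haystack_bc_filter_in", "haystack_bc_templateTypeId_20_sales"],
    "QA": ["haystack_bc_templateTypeId_20_sales"],  # template group but no filter group
    "Management": ["haystack_bc_filter_in"],
}

def preview(users, member_of=MEMBER_OF, default_template="30"):
    return {user: resolve_card(user, member_of, default_template) for user in users}

if __name__ == "__main__":
    for user, result in preview(["alice", "bob", "carol", "dave", "erin"]).items():
        print(user, result)
```

The page does not say which template applies when a user belongs to more than one template type group, so the example returns every candidate value instead of choosing one.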
