This guide shows how to configure Microsoft Entra ID (formerly Azure Active Directory) as a single sign-on identity provider (IdP) for your Honeydew account.
Optionally, it is possible to create a SCIM integration from Microsoft Entra ID to Honeydew and to sync user profiles to Honeydew using the SCIM 2.0 protocol. This is especially useful if you want users to be deactivated in Honeydew when they are deactivated in Entra ID. This integration will require two applications to be registered in Entra ID: the OpenID Connect integration and the SCIM integration.
1

Set up in Microsoft Identity Platform

  1. Follow this guide to register an application in the Microsoft identity platform.
  2. Leave the Redirect URI empty.
  3. Follow this guide to add a redirect URI.
  4. In the platform setting you need to select Web.
  5. Add a Redirect URI with this value: https://auth.honeydew.cloud/login/callback.
    If you are using an EU-based Honeydew instance, use the following URI instead of the above: https://auth.eu.honeydew.cloud/login/callback
  6. Create a Client Secret for the created application.
  7. Save the following information:
    • Application (client) ID
    • Client Secret Value
    This information will be needed once we configure the integration in Honeydew.
2

Configure Entra ID Integration in Honeydew

Now that we have our Entra ID integration application ready, we need to configure it in Honeydew.Please pass the following information to your Honeydew contact or to support@honeydew.ai:
  • Application (client) ID you have saved from the Entra ID application in the previous step
  • Client Secret Value you have saved from the Entra ID application in the previous step
  • Email domains used in your company’s email addresses
It you would like to create a SCIM integration, please ask to receive the following:
  • SCIM Endpoint URL
  • SCIM Bearer Token (a long string of characters)
3

Optional: Set up SCIM integration in Entra ID

The steps below are optional and only needed if you want to set up a SCIM integration from Entra ID to Honeydew. You can find this documentation also here.

Configuration

  1. Confirm that an application for Honeydew has already been registered to handle user authentication in the Microsoft Entra ID > App registrations section of the Azure portal.
  2. Confirm that the application registered for Honeydew has Assignment Required set to Yes in the Microsoft Entra ID > Enterprise applications > [your-app] > Manage > Properties section, and has users assigned in the Users and Groups tab.
  3. Next, register a new Non-gallery application in the Azure portal by browsing to Microsoft Entra ID > Enterprise applications > New application > Create your own application, entering an application name, and selecting Create.
  4. Go to the Users and Groups tab and assign the same Azure AD users and groups that are assigned to the Honeydew application registered in Step 1.
  5. Select the Provisioning tab, select Get started, and choose Automatic as the Provisioning Mode.
  6. Select Admin Credentials, then enter the SCIM Endpoint URL value you were provided by Honeydew as the Tenant URL. At the end of the URL, add ?aadOptscim062020 query parameter to fix known Azure AD issues described here.
  7. Paste the token value you were provided by Honeydew into the Secret Token field and select Save.
  8. Go to Mappings and select Provision Microsoft Entra ID Users, then go to Attribute Mappings and edit the attributes of the line containing externalId and mailNickname.
  9. In the Edit Attribute screen, change Source attribute to objectId, then choose OK.
  10. Go back to Attribute Mappings and select the line containing emails[type eq "work"].value and mail.
  11. In the Edit Attribute screen, change Match objects using this attribute to Yes, then set Matching precedence to 2 and choose OK. The attribute mapping screen looks like this as you continue to use the Attribute Mappings section to configure additional SCIM attributes: Attribute Mapping
  12. Save the attribute mappings, then select X in the upper-right corner to return to the Provisioning screen.

Testing

  1. On the Enterprise application overview screen, select Manage > Provisioning and then Provision on Demand to test the SCIM connection.
  2. Go to Select a user or group and type the name of a user that you assigned to the application, then select the user and choose Provision. This creates the user in Honeydew.
  3. Provision all assigned users by following the instructions to set the Provisioning Status to On.
4

Enabling Access

If your users are having trouble accessing the App Registration, either under Manage > API Permissions or Security > Permissions, you will likely need to “Grant Admin consent for Honeydew” for Microsoft Graph User.Read Sign in and read user profile permissions, as well as Microsoft Graph Directory.Read.All permissions. See screenshots below for example: API Permissions
5

Test the integration

Once the configuration is complete, you can test the setup by logging in to Honeydew. Any user with an email address that matches the domain you provided will be able to log in using Entra ID. Upon login they will be redirected to the Microsoft login page.