Microsoft Entra ID Provisioning in Happeo

💼 Package availability: Microsoft Entra ID provisioning is available for all Happeo packages.

Before you begin

Make sure you:

• Have access to the Microsoft Entra ID portal for your organization.
• Have sufficient permissions in Entra ID to create and configure Enterprise Applications.
• Are a Happeo admin so you can access Admin Settings and the Integrations section.

Step 1: Create a Happeo Enterprise Application in Entra ID

1. Go to your Microsoft Entra ID Portal (portal.azure.com).
2. Click the Enterprise Applications category or type in “Enterprise Applications” in the search bar. 

3. In the All applications tab, click New application from the navigation bar.

   

4. In the Browse Microsoft Entra App Gallery window:
   1. Select Create your own application at the top-left of the navigation bar.
   2. Enter a name for your app (for example, “Happeo Sync”).
   3. Select Integrate any other application you don’t find in the gallery.
   4. Click Create.

Once the application is created, you will be taken to the Overview page of that Enterprise Application.

Step 2: Obtain provisioning credentials from Happeo

1. Log in to app.happeo.com with your Happeo account.
2. Click your avatar and go to Admin Settings.
3. Go to Integrations and click Setup for Entra ID Provisioning.
   • If Happeo cannot detect your Entra ID tenant, a modal will appear asking for your Entra ID tenant ID.
4. A modal will appear showing two fields: Tenant URL and Tenant secret.
   • You will copy these values into your Entra ID Enterprise Application in the next steps.

Step 3: Enable provisioning for the Enterprise Application

Admin credentials

1. In the Happeo Enterprise Application you created in Entra ID, go to the Provisioning tab on the left-hand menu.

2. From the Get started menu, click Connect your application.

   

3. Set the Authentication method as Bearer authentication.
4. Enter the Tenant URL and Secret Token that you obtained from Happeo.
5. Click Test Connection to verify the Tenant URL and Secret Token.

6. After a success notification appears, click Create.

   

Troubleshooting test connection

• If the test is not successful, retrace the steps above and verify the values you copied from Happeo.
• If the connection still fails after checking, please contact our support team.

Step 4: Configure user attribute mappings

To ensure users provision correctly from Entra ID into Happeo, two attribute mappings must be configured: one for externalId and one for userType.

Configure the mapping for externalId

1. In the Enterprise Application, go to the Get started tab.

2. Under Map attributes, click Edit attributes.

   

3. Then, click Provision Azure Active Directory Users. 

   

4. On this page, find the mapping for mailNickname and click Edit to update it:
   1. In the Edit Attribute window, change the source attribute from mailNickname to objectId.
   2. Verify that the target attribute is still externalId.

5. Click OK and confirm that the mapping now shows objectId mapped to externalId. 

   

If the original mapping (mailNickname) does not exist:

• Create a new mapping that maps the source attribute objectId to the target attribute externalId.

Configure the required mapping for userType

Entra ID must also pass a correct userType value to Happeo so users provision consistently and external accounts are properly identified.

If you do not see a mapping for userType:

1. In Provision Azure Active Directory Users, click Add new mapping. 

   

2. Set Mapping type to Expression.
3. In the Expression field, enter the following: 

   1. IIF(Instr(ToLower([originalUserPrincipalName], ), "#ext#", , )>"0", "external", "")

      

4. Set Target attribute to userType.
5. Set Match objects using this attribute to No.
6. Set Apply this mapping to Always.
7. Save the mapping.

After saving, your user mappings should now include:

• objectId → externalId
• Expression → userType

Step 5: Configure group attribute mappings

If groups are used in Entra ID and you want to provision them, two additional attribute mappings must be created.

1. In the Get Started → Map Attributes section → click Provision Entra ID Active Directory Groups.
2. Enable Show advanced options at the bottom of the page and click Edit attribute list for customappsso.
3. Create these two attributes:
   1. urn:ietf:params:scim:schemas:extension:happeo:2.0:Group:emailEnabled – Type: Boolean.

   2. urn:ietf:params:scim:schemas:extension:happeo:2.0:Group:email – Type: String.

      

4. Click Save to return to the Attribute Mapping screen for Groups.
5. Click Add New Mapping above Show advanced options and add the following: 
   1. Mapping type: Direct.
   2. Source attribute: mailEnabled.
   3. Target attribute: urn:ietf:params:scim:schemas:extension:happeo:2.0:Group:emailEnabled.
   4. Match objects using this attribute: No
   5. Apply this mapping: Always.

6. Click OK.

   

7. Add a second mapping:
   1. Mapping type: Direct.
   2. Source attribute: mail.
   3. Target attribute: urn:ietf:params:scim:schemas:extension:happeo:2.0:Group:email.
   4. Match objects using this attribute: No
   5. Apply this mapping: Always.

8. Save your changes.

   

After saving, the mappings should include these two new group mappings.

Step 6: Specify which users and groups to provision

Provisioning is controlled by two layers:

1. The overall scope (sync all users and groups or not).
2. Scoping filters that narrow which users and groups are actually provisioned.

Sync all users and groups

1. In the Enterprise Application overview, go to the Provisioning tab under “Manage” from the left-hand menu.
2. Open the Settings dropdown and set the scope to Sync all users and groups.

🗒️ Note: External users invited to Entra ID cannot log in to Happeo even if they are provisioned successfully. These users must be invited from the Happeo Admin Settings > User Management > Invites page. 

🔍 You can read more about invited users in our dedicated article: Invited Users.

Scoping filters

Scoping filters let you control which users are provisioned into Happeo. Only users or groups who match the conditions you define will sync. This helps your organization keep Happeo clean, aligned, and relevant—for example, when onboarding only specific departments, regions, or pilot groups.

🗒️ Note: Scoping filters for users and groups are managed separately. 

How to add a scoping filter

In your Enterprise Application, go to Provisioning → Attribute Mapping → Provision Azure Active Directory Users → Source Object Scope → All Records → Add scoping filter.

What each section means

• Source attribute: The Entra ID user field used for filtering (e.g. department, country, jobTitle). When a source attribute is selected, only users whose attributes match your filter will be created and synced into Happeo.
• Operator: Defines how the attribute is evaluated. The operator choice determines how tightly you control who enters Happeo. Examples:
  • EQUALS = exact match.
  • CONTAINS, STARTS WITH, etc. = broader matching options.
• Clause value: The actual value the filter will look for (e.g., "Engineering", "EMEA"). Incorrect or inconsistent values mean users will not sync.
• Scoping filter title: A descriptive label admins can easily understand later. It doesn’t affect sync behavior, but improves governance—especially when multiple admins review or update provisioning settings.

The example below shows how to sync only Engineering users located in EMEA.

How to create a scoping filter (example)

1. Upon selecting Add scoping filter, a new filter form will appear. In the first row:
   1. Source attribute: Select department.
   2. Operator: Select EQUALS.
   3. Clause value: Enter "Engineering".
2. Add another row to refine the filter further.
3. In the second row:
   1. Source attribute: Select country.
   2. Operator: Select EQUALS.
   3. Clause value: Enter "EMEA".
4. In Scoping Filter Title, enter a clear name such as: User – EMEA Engineering
5. Click Apply to save the filter.

Your filter will now sync only users who:

• Belong to the Engineering department.
• Have a country value set to EMEA.

Step 7: Start provisioning

After all mappings and settings are configured:

1. Go back to the Provisioning menu in the Happeo Enterprise Application.
2. Confirm that the provisioning configuration looks correct.
3. Click Start provisioning to start automatic provisioning from Entra ID to Happeo.

🗒️ Note: The provisioning may take some time. You can view the provisioning logs in the Enterprise Application’s Overview section.

Step 8: Setting up user and sync group

Once your provisioning configuration is complete, you can define which users and groups should sync into Happeo. This helps you keep your user base clean, reduce unnecessary licenses, and ensure that groups used for Permissions, Pages, and Channels stay meaningful and well-governed.

Confirm your setup is successful

Before choosing your sync strategy, verify that provisioning was configured correctly.

Go to your Microsoft Entra ID Portal (portal.azure.com) → Enterprise applications. You should see two Happeo-related applications:

1. The enterprise application you created (for example, Happeo Sync).
   • The icon will display the first letter of the name on a colored background.
2. The built-in Happeo application, which uses the Happeo logo.

Seeing both confirms that:

• Your custom provisioning app is ready to manage user and group sync.
• The standard Happeo app remains in place for authentication.

Decide how users and groups will sync

You now have two options for controlling who appears in Happeo:

Option 1: Assign specific users or groups to the enterprise application

Use this when:

• You want a smaller pilot group.
• You’re rolling out Happeo gradually.
• Only certain departments or locations should get access.

This is the most controlled and governance-friendly approach.

Option 2: Sync all users

Use this when:

• Happeo is available to the entire organization.
• You want everyone to appear in the People directory.

If you choose this option, use scoping filters to exclude service accounts, contractors, test accounts, or groups you don’t want in Happeo.

How group sync affects permissions in Happeo

Happeo uses groups to assign key permissions, including the ability to create Pages and Channels.

Keep these points in mind:

• By default, all synced groups have permission to create Pages and Channels.
• If a user belongs to any group with that permission enabled, the user will inherit it.
• This can unintentionally give many users creation rights—especially if you sync many groups.
• To avoid this, you may need to turn off creation permissions for certain groups in Happeo.
  • You can manage specific permissions (e.g. permission to create Pages OR Channels) in Happeo → Admin Settings → Group Management → Click the three dots → Permissions. Read more.

Because this is currently a manual action per group, we recommend:

• Sync only the groups you actually intend to use for permissions.
• Avoid syncing all groups unless necessary.

This helps your organization maintain strong governance and avoids clutter or accidental over-permissioning.

How group membership counts appear in Happeo

When a group syncs:

• Happeo shows only the number of members who were actually provisioned.
• If a group has 50 members in Entra ID but only 40 match your provisioning scope, Happeo will show 40 members.

This ensures Happeo reflects the users who can actively access and contribute to your platform.

Understanding Microsoft group types

Different Microsoft group types behave differently when synced. Here’s what matters for Happeo:

Security groups

• Commonly used for permissioning.
• Do not have an email address in Microsoft.
• Happeo automatically generates an email address for them.

💡 Useful for: Access control, Page permissions, Channel permissions.

Microsoft 365 groups

• Created for collaboration in Microsoft 365.
• Always have an email address.
• Can be org-wide, department-wide, or custom.

💡 Useful for: Broad distribution groups that map well to Happeo audiences.

Teams groups

• Creating a Team automatically creates a Microsoft 365 group.
• You can create M365 groups without creating a Team.
• Entra ID does not clearly show whether an M365 group is linked to a Team.
• Public Teams allow any employee to join, which means they also gain access to Happeo content shared with that group.

💡 Useful for: Teams where the same collaboration structure should exist in Happeo.

Why this step matters for your Happeo environment

Choosing your sync strategy ensures your organization:

• Keeps user data clean, aligned, and searchable.
• Maintains meaningful groups for permissions and governance.
• Avoids syncing unnecessary or duplicate groups.
• Controls who can create Pages and Channels.
• Ensures Happeo stays an accurate reflection of your real organizational structure.

Troubleshooting

Provisioning connection issues

If testing the connection in the Provisioning tab is not successful:

• Verify the Tenant URL and Secret Token you copied from Happeo.
• Make sure you saved the configuration correctly.
• If the issue persists, contact Happeo’s support team.

If the connection test fails due to an invalid or expired token, regenerate the Entra ID provisioning token in Happeo and update it in your Entra ID Enterprise Application. This resolves most authentication-related provisioning errors.

User’s group membership is not synced to Happeo

There could be unknown situations when Entra ID does not send a user’s group membership to Happeo. In this case, please follow the following workaround in Entra ID to resync the user’s group membership:

1. Remove the user from affected group in Entra ID.
2. Provision the user on demand in the Happeo application.
3. Add the user back to the group.
4. Provision the user on demand again in the Happeo application.