Setting up your Entra ID user import
- Article
- Wed Oct 01 2025
- 9 minutes to read
- 2 contributors
This Cloud Data Imports section of the documentation covers an upcoming feature that will be available in Hornbill Core UI builds higher than 2475.
Before you begin, make sure you understand the ways of filtering the data you import.
This article also covers the default fields Hornbill brings in for each user when you do an import.
For admins familiar with Mustache templating and Microsoft Graph User resource, this article also provides information about an advanced feature: mapping fields using the memberOf property.
Creating an import configuration
To find Cloud Data Imports:
Navigate to Configuration > Platform Configuration > Data > Cloud Data Imports.
To create an import configuration:
- At the top right of the configurations list, click + Add New.
Note
If this is your first import configuration, click the button that says No import configurations are set up. Click here to create your first import.
- Give your import a clear and unique name.
- Click Create.
- (Optional) Add a description in the Description field to explain what the import does.
To choose the data source:
- Click the Data Source tab.
- In the Data Source Settings area, in the Import field, click the edit icon.
- In the Hornbill Integration Bridge dialog, select Cloud Data Imports > Users > Entra ID.
- Click Apply.
- The Source / Import Options section appears, with settings you can customize. Use the information about options to make your choices.
Source/import options
Here’s a breakdown of the options available when setting up your Entra ID user import. These settings give you control over what gets imported, when, and how.
KeySafe Key
Choose the KeySafe Key you created earlier. This is what allows Hornbill to securely access your Entra ID account.
Query (Optional)
This is where you can enter a filter to limit which users are imported. Make sure you understand the ways of filtering the data you import.
Caution
If you leave this field empty, and do not provide any Group ID filters, then all users from your Entra ID account will be processed.
- Hornbill uses Microsoft’s Graph API to access Entra ID.
- You can write a query using OData to select specific users based on things like department, email domain, etc.
Resources to help you write queries:
Important
Not all properties from the Microsoft Graph User Resource type can be used in query filters, and a number of these properties do not support the full range of OData operators to query against. See the list of available user fields for a full list of properties, which details which of the properties can be used in the query filters, and which OData operators are supported by each.
For example:
- The value of onPremisesDistinguishedName can be returned and mapped into your Hornbill user records, but the field cannot be used in a query filter.
- The value of onPremisesUserPrincipalName can be returned and mapped into your Hornbill user records, and does support filtering using the documented OData query operators.
Group ID filter
This is where you can provide additional Group IDs, to further filter the list of users returned by your optional Query (as detailed above).
This is a list of group identifiers. A user returned by the query is processed by the data import job only if that user is a member of at least one of the listed groups. The following group properties are supported:
- id
- displayName
- mail
Fields – Additional
If you need extra fields that aren’t included in the default list, you can enter them here. This is useful for pulling in custom or extension attributes.
Action
Choose what Hornbill should do with the users it finds:
- Create – Only adds new users who don’t already exist in Hornbill.
- Update – Only updates users who already exist in Hornbill.
- Create & Update – Adds new users and updates existing ones.
Account Status
Set the status of the users being imported (e.g. Active, Inactive), and choose when this status should be applied.
User Properties
Define how user data should map to Hornbill fields during import.
- Supports Mustache templates for custom formatting or combining data.
- Input fields offer auto-complete to help you select fields from your Entra ID source.
Memberships
This section lets you assign imported users to organizational groups in Hornbill.
- Action – When should the user be added to the group?
  - Create – Add user only during Create actions.
  - Update – Add user only during Update actions.
  - Create & Update – Add user during both.
  - Unassign if Assigned – Remove user from the group if already assigned.
- Organization ID – The ID of the group you want to assign.
- Membership – Choose one:
  - Member
  - Team Leader
  - Manager
- Can View Tasks – Should this user be able to see tasks for the group?
- Can Action Tasks – Should this user be able to work on tasks?
- Single Assignment per Group Type – Ensures the user belongs to just one group per type, removing them from others of the same type.
Role Assignments
Assign roles to users as part of the import process.
- Action – When should the role be assigned or removed?
  - Create – Assign role only when the user is newly created.
  - Update – Assign role only during updates.
  - Create & Update – Assign during both.
  - Unassign if Assigned – Remove role if the user already has it.
- Role – The name of the role to assign.
Filtering: Import only the users you need
You don’t have to import everyone. You can choose who to bring in by setting up simple filters (also called “queries”).
Here are a few examples:
Filter by department
To import only users from the Application Development department:
department eq 'Application Development'
Filter by email domain
To import users whose email address ends with @hornbill.com:
endswith(mail,'@hornbill.com')
Combine filters
You can also combine filters. For example, to bring in users who both:
- Have an email address ending in @hornbill.com and
- Work in the Application Development department:
endswith(mail,'@hornbill.com') and department eq 'Application Development'
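One way to check what a filter matches before entering it in the Query field is to ask Microsoft Graph directly. This is an added example, not Hornbill code, and how the import itself issues the request is not stated on this page. It assumes you already hold a Graph access token that is allowed to read users; the function names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

def build_preview_request(odata_filter, select=("id", "displayName", "mail", "department")):
    """Return (url, headers) for a Graph request that counts users matching the filter."""
    if not odata_filter or not odata_filter.strip():
        # Mirrors the Caution above: an empty filter would match every user.
        raise ValueError("empty filter would match all users")
    params = {
        "$filter": odata_filter.strip(),
        "$select": ",".join(select),
        # $count=true plus the ConsistencyLevel header below switch Graph into
        # advanced query mode, which Graph requires for endswith() on mail.
        "$count": "true",
        "$top": "5",  # only a small sample is fetched; the count covers all matches
    }
    query = "&".join(f"{k}={urllib.parse.quote(v, safe='')}" for k, v in params.items())
    return f"{GRAPH_USERS}?{query}", {"ConsistencyLevel": "eventual"}

def count_matches(access_token, odata_filter):
    """Call Graph and return (total matching users, display names of the sample)."""
    url, headers = build_preview_request(odata_filter)
    headers["Authorization"] = "Bearer " + access_token
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        body = json.load(resp)
    return body["@odata.count"], [u.get("displayName") for u in body["value"]]
```

Compare the returned count with the number of users you expect the import to process before saving the configuration.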
About default fields
When you connect to Entra ID to import users, the system brings in a standard set of information (called fields) for each person. These fields are available for mapping and filtering. Here’s what gets included by default:
- accountEnabled – Is the account active?
- businessPhones – A comma-separated list of the business phone numbers stored against the user
- city – City location
- companyName – Name of the company
- country – Country location
- createdDateTime – When the user was created
- department – Department name
- displayName – Full name
- employeeHireDate – Date they were hired
- employeeId – Internal employee ID
- employeeType – Type of employee (e.g., full-time, contractor)
- givenName – First name
- id – Unique ID (system-generated)
- jobTitle – Job title or role
- mail – Email address
- mailNickname – Short name used in email
- manager.id - The ID of the user’s manager
- manager.displayName - The display name of the user’s manager
- manager.mail - The email address of the user’s manager
- manager.userPrincipalName -
- memberOf – An array of groups that the user belongs to. See memberOf field mapping for more information.
- memberOfNames – A comma-separated list of the display names of the groups that the user belongs to.
- mobilePhone – Mobile number
- officeLocation – Office address or location
- onPremisesDistinguishedName – Internal system path
- onPremisesDomainName – Local network domain name
- onPremisesSamAccountName – Network username
- onPremisesUserPrincipalName – Network login name (e.g. email)
- otherMails – A comma-separated list of extra email addresses stored against the user
- postalCode – ZIP/postal code
- securityIdentifier – Security ID from the system
- state – State or region
- streetAddress – Street address
- surname – Last name
- userPrincipalName – Main login name (often their email)
- userType – Type of user (e.g., member or guest)
Advanced field mapping with the memberOf property
Warning
This section describes an advanced feature. Before using these examples, ensure you are familiar with:
- Mustache templating (for building dynamic mappings)
- Microsoft Graph User resource (to understand available fields and their structure)
A solid understanding of both is strongly recommended, as incorrect mappings may result in unexpected data imports.
When importing users from Entra ID (via the Microsoft Graph API), each user includes a memberOf property. This property contains an array of group objects that the user belongs to.
Each group object provides the following fields:
Field | Type | Example Value | Description |
---|---|---|---|
id | string (GUID) | a1b2c3d4-e5f6-7890-1234-56789abcdef0 | Unique identifier for the group in Entra ID |
displayName | string | HR Team | Human-readable name of the group |
mailEnabled | boolean | true | Indicates if the group is mail-enabled |
securityEnabled | boolean | false | Indicates if the group is security-enabled |
uniqueName | string | contoso.com/Groups/HR | Unique path-like name of the group |
visibility | string | Private | Group visibility (Public, Private, HiddenMembership) |
mail | string (email) | hr-team@contoso.com | Group’s email address, if available |
Accessing memberOf data in templates
Since memberOf is an array, you can access its values using Mustache template iteration. For example:
{{#memberOf}}
Group ID: {{id}}
Group Name: {{displayName}}
Group Email: {{mail}}
{{/memberOf}}
This will output details for every group the user is a member of.
Mapping examples
Example 1: Mapping a single group name
If you want the first group name:
{{memberOf.0.displayName}}
Example 2: Mapping all group names as a comma-separated list
{{#memberOf}}{{displayName}},{{/memberOf}}
Example output:
HR Team,Finance,IT,
Example 3: Filtering by group type
Map only mail-enabled groups:
{{#memberOf}}
{{#mailEnabled}}{{displayName}}{{/mailEnabled}}
{{/memberOf}}
Example 4: Mapping all group IDs
{{#memberOf}}{{id}};{{/memberOf}}
Best practices for mapping using memberOf
- Decide if your field should contain one value (e.g. the first group) or multiple values (e.g. a list).
- Use iteration ({{#memberOf}}...{{/memberOf}}) for handling multiple groups.
- Be aware of trailing separators (commas, semicolons) when concatenating multiple values.
- Some fields (like mailEnabled and securityEnabled) are boolean flags, useful for filtering, not direct mapping.
With these patterns, you can flexibly map group membership information from Entra ID into your Hornbill user fields.
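The mapping examples above, rendered against a constructed memberOf array (an added example, not Hornbill's code). `render` is a minimal Mustache-subset renderer written here as a stand-in for the import's template engine, and the group IDs and the display name containing a comma are made up. It shows the trailing separator, and why a list of IDs splits back unambiguously where a comma-joined list of names may not.

```python
import re
# Minimal Mustache subset written for this example: {{name}}, dotted names, and
# {{#name}}...{{/name}} sections over lists and booleans. No HTML escaping.
SECTION = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.S)
VAR = re.compile(r"\{\{([\w.]+)\}\}")

def lookup(name, stack):
    # Resolve a (possibly dotted) name, innermost context first.
    for ctx in reversed(stack):
        cur = ctx
        for part in name.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
                cur = cur[int(part)]
            else:
                break
        else:
            return cur
    return ""

def render(template, stack):
    """Render sections recursively, and plain variables in the text between them."""
    def fill(text):
        return VAR.sub(lambda v: str(lookup(v.group(1), stack)), text)
    out, pos = [], 0
    for m in SECTION.finditer(template):
        out.append(fill(template[pos:m.start()]))
        value = lookup(m.group(1), stack)
        items = value if isinstance(value, list) else ([stack[-1]] if value else [])
        out.extend(render(m.group(2), stack + [item]) for item in items)
        pos = m.end()
    out.append(fill(template[pos:]))
    return "".join(out)

def split_list(rendered, sep):
    """Split a rendered list, dropping the empty item the trailing separator leaves."""
    return [item for item in rendered.split(sep) if item]

USER = {"memberOf": [  # constructed sample; the second display name contains a comma
    {"id": "a1b2c3d4-e5f6-7890-1234-56789abcdef0", "displayName": "HR Team", "mailEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000002", "displayName": "Finance, EMEA", "mailEnabled": False},
    {"id": "00000000-0000-0000-0000-000000000003", "displayName": "IT", "mailEnabled": True},
]}

FIRST = render("{{memberOf.0.displayName}}", [USER])                  # Example 1
NAMES = render("{{#memberOf}}{{displayName}},{{/memberOf}}", [USER])   # Example 2
IDS = render("{{#memberOf}}{{id}};{{/memberOf}}", [USER])              # Example 4
MAIL_ENABLED = render(  # Example 3 written on one line, with a comma separator added
    "{{#memberOf}}{{#mailEnabled}}{{displayName}},{{/mailEnabled}}{{/memberOf}}", [USER])
```

Splitting `NAMES` on commas yields four items for three groups, while splitting `IDS` on semicolons yields exactly three, so prefer IDs wherever another system has to parse the mapped value.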