How can we help?
Searching in {{docApp.searchFilterBySpecificBookTitle}}
{{docApp.searchResultFilteredItems.length}} results for: {{docApp.currentResultsSearchText}}
in {{docApp.searchFilterBySpecificBookTitle}}
Search results have been limited. There are a total of {{docApp.searchResponse.totalResultsAvailable}} matches.
You have an odd number of " characters in your search terms - each one needs closing with a matching " character!
-
{{resultItem.title}}
{{resultItem.url}}
{{docApp.libraryHomeViewProduct.title || docApp.libraryHomeViewProduct.id}}
{{docApp.libraryHomeViewProduct.description}}
{{group.title || group.id}}
{{group.description}}
Authentication
- Article
- Fri Feb 20 2026
- 2 minutes to read
- 2 contributors
The User Import - Azure utility uses API keys to authenticate all API calls into Hornbill instances. It uses KeySafe to store Microsoft Entra ID credentials securely.
API keys
The User Import - Azure utility requires specific permissions to interact with your Hornbill instance. You must configure your API Key rules to include the following Hornbill Platform APIs. You can also add IP rules to increase security.
Required API key rules
activity:profileImageSetadmin:keysafeGetKeyadmin:sysOptionGetadmin:userAddGroupadmin:userAddRoleadmin:userCreateadmin:userDeleteGroupadmin:userProfileSetadmin:userSetAccountStatusadmin:userUpdatedata:entityAddRecorddata:entityGetRecorddata:entityUpdateRecorddata:queryExecsession:getSystemLicenseInfo
KeySafe
The import utility requires authentication credentials stored in KeySafe to access Microsoft Entra ID data.
Review the KeySafe documentation before you store credentials.
Register an Entra ID application
Before you create a KeySafe key, you must obtain details from an App Registration in your Microsoft Entra ID tenant. If you do not have administrative access to Azure, contact your Microsoft Entra ID administrator for assistance.
Registration steps
- Sign in to the Azure portal.
- Go to Microsoft Entra ID.
- Select App registrations from the side menu.
- Select New Registration.
- Enter a name for the application.
- Select the appropriate account type.
- Select Register.
- Select API permissions from the menu to apply the required permissions.
- Grant the following Application Permissions:
Group.Read.AllGroupMember.Read.AllTeam.ReadBasic.AllTeamMember.Read.AllUser.Read.All
- Grant the following Delegated Permission:
User.Read
- Select Grant admin consent to confirm the permission settings.
- Go to the Overview section.
- Copy the Application (client) ID and the Directory (tenant) ID.
- Select Certificates & secrets from the menu.
- Select New client secret.
- Enter a description, select an expiry date, and select Add.
- Copy the Value of the client secret.
Create a KeySafe key
Use the Client ID, Tenant ID, and Client Secret from your Microsoft Entra ID app registration to create the KeySafe key in Hornbill.
KeySafe creation steps
- In Hornbill, go to Configuration > Platform Configuration > KeySafe.
- Select + Create New Key.
- Select Azure Imports as the key type.
- Enter a Title for the KeySafe key.
- Optional: Enter a Description.
- Enter the Tenant ID, Client ID, and Client Secret values you copied from the Azure portal.
- Select Create Key.
Expected Result
The key appears in your KeySafe list. You can now restrict access to this key so only the API key created for your service account can use it. For more information, see the KeySafe documentation regarding access control.
- Version {{docApp.book.version}}
- Node {{docApp.node}} / {{docApp.build}}