HaloITSM

HaloITSM Guides

Documentation to assist with the setup and configuration of the HaloITSM platform

Guides > Azure Deltas

Azure Deltas

In this lesson we will cover:

- What is an Azure Delta?

- What are the benefits of using Azure Deltas?

- How does enabling Azure Deltas impact the functionality of Microsoft Entra ID/CSP?

- How to enable Azure Deltas?

- What to consider when enabling Azure Deltas?

- Using Azure Deltas with the Intune integration




What is an Azure Delta?

An Azure delta is a reference to a point in time for a certain Azure entity (e.g. Users/Groups). Deltas can be used when requesting data from the Microsoft Graph API so that records are only returned if they have been modified after the point in time that the delta corresponds to.


What are the benefits of using Azure Deltas?

The primary benefit of using Azure Deltas is that it allows a much more frequent import of users via the Halo Integrator, meaning user data is more up-to-date. 


It's best described with an example. Consider an Azure tenant with 10000 users, where a site mapping has been configured to import all 10000 users. Previously, all 10000 users would be processed on every Halo Integrator scan, which would take a long time. With deltas enabled, only users that have been updated since the previous scan will be processed, meaning you'd likely process very few users per scan if any at all.


How does enabling Azure Deltas impact functionality?

When deltas are disabled, the integrations use the site mapping configuration and the filters that are configured within them to retrieve users from the Graph API. Each user that is returned will be processed regardless of whether they have been updated in Microsoft Entra. Only users that match the criteria within the site mappings are processed.


When using deltas, the filters within the site mappings are no longer used when retrieving the users. Instead, any user that has been updated since the previous scan will be retrieved and processed by the integration, regardless of whether they match a site mapping. The calculation of whether the user matches a site mapping is now done during the processing of the user. If a site mapping is not matched, then the user will be ignored.


Other notable differences are as follows:


  • Changes to a user's groups are managed via a separate delta on the group entity. If you are using any functionality that uses groups (i.e. filtering a site mapping by a group, group-to-role mappings etc), the Halo Integrator will perform an additional part of the scan where it uses a delta to retrieve any groups that have been updated.
  • If you have enabled the functionality to delete users from Halo when they are no longer found in Microsoft Entra, then this works differently with deltas. If a DELETE change event is returned, then the user will be deleted. If the user does not match any of the site mappings, then they will also be deleted. 

Note: The functionality to deactivate users when they do not match a site mapping has been temporarily disabled. It will be re-introduced at a later date via a different setting.


How to enable Azure Deltas?

You do not need to make any modifications to the Azure application configured for either integration. In Halo, for the Microsoft Entra integration, Azure Deltas can be enabled on the Imports tab of an integration record. For the Microsoft CSP integration, the same setting can be found on the Halo Integrator tab.


Fig 1. Checkbox to enable Azure Deltas



What to consider when enabling Azure Deltas?

Because site mapping criteria are not used in the requests to retrieve users when deltas are enabled, the first Halo Integrator scan that runs when deltas are enabled will retrieve the entire directory of users/groups from the Azure tenant. If you are using deltas in the Microsoft CSP integration, every tenant that has a site mapping will have all of its users/groups processed.


Because of the volume of data that may need to be processed in this scenario, the initial sync can take a very long time to complete. To avoid this, it is recommended that you use the Reset Delta option that is available in both integrations as soon as the functionality is enabled.


Fig 2. Reset Deltas Option 


By fetching the latest delta queries, a delta will be created for the current point in time. That means that the first initial Halo Integrator sync won't need to process every user/group in the directory for every tenant that you are importing data from.


In the Microsoft CSP integration, this function can also be performed on a per-tenant basis on the Tenants tab:


Fig 3. Reset Deltas Option per Tenant


For anyone setting up the integration for the first time, a manual import is the recommended way of initially populating the user database in Halo. The manual import behaves the same way as the Halo Integrator would when deltas are disabled i.e. it retrieves and processes any user that matches the criteria of a site mapping.


It is recommended that you do not increase the frequency of Halo Integrator scans until you have confirmed that the current scan time has decreased to a sensible level after the delta functionality has been enabled. The recommended frequency afterwards is 30 minutes. 


Using Azure Deltas with the Intune integration

If you are using the Intune integration (or the Intune segment of the Microsoft CSP integration), you may be using the Microsoft Entra integration to assign users to devices. Unfortunately, the user deltas do not pick up changes to user-device relationships, so enabling deltas may cause some of these relationships to not be updated correctly.


This has been addressed as of version 2.166, where new functionality has been added so that the user-device relationship can now be established using the Intune integration.


Fig 4. Setting to establish user-device relationship using Intune 


Popular Guides

Pin It on Pinterest