Disable JIT account from HaloPSA with API call

Overview

Technicians can request Entra ID JIT accounts right from HaloPSA with our existing iFrame integration.

Request JIT accounts from HaloPSA tickets

In this guide we will integrate idemeum just-in-time accounts for Entra ID with Halo PSA. Right from a customer ticket in HaloPSA technicians will be able to request JIT Entra ID accounts and view credentials.

idemeum docsNik Pot

However, requested JIT accounts will be disabled after a certain period of time, by default it is 4 hours. If you want to immediately disable these requested JIT accounts, you can leverage idemeum APIs.

Obtain access credentials

In order to call idemeum APIs for your tenant, you need to obtain access credentials.

• Access your MSP portal admin dashboard
• Navigate to Settings → Integrations and click Add oAuth2 client

• Create a new set of oAuth credentials by providing the name, and you will be presented with client id and secret to be used for API calls

• Copy these credential as client secret is only presented once

Configure HaloPSA

• In HaloPSA navigate to Configuration → Integrations → Custom integrations
• Click New

• Create an integration and provide the following details:
  • Provide an integration name
  • Base resource → https://<yout_tenant>.idemeum.com/api/integrations and replace your actual tenant name
  • Authorization → oAuth2
  • Authorization header name → Authorization
  • Header prefix → Bearer
  • Grant type → Client credentials
  • Access token URL → https://<yout_tenant>.idemeum.com/api/oauth2/v1/token and replace your actual tenant name
  • Enter client ID and secret that you obtained in the previous step

• Save the configuration
• Now in the same tab click on Methods to create an HTTP POST method

• Configure the following:
  • Provide method name
  • HTTP method → POST
  • Path → /entrajitaccounts
  • Headers:
    • Content-Type: application/vnd.dvmi.entra.app.user.disable+json
  • Body provided below

{
    "customerDisplayName" : "<your_customer_display_name>",
    "technicianEmailAddress" : "<user's email address>"
}

As an example here is what we used:

{
    "customerDisplayName" : "Demo PAM tenant",
    "technicianEmailAddress" : "nik@nikpot.com"
}

• Once you Save the configuration you can test the API call for this integration. You should see the success response.

• Now you can navigate to Integrations → Custom integrations → Integration runbooks and create a run-book to call idemeum API when the ticket is closed.