
Getting Started: Part 2

Connect your IDP & HR Integrations

Published Date: May 1, 2026 | Last Updated: May 12, 2026

About: This article covers how to connect an Identity Provider (IDP) and HR system as the first two integrations in a new Tello IAM environment. Connecting an IDP is the required first step in setup — it imports Users and their organizational data into Tello and makes everything that follows possible.

Why the IDP comes first

Before any User can be provisioned, monitored, or assigned a Role Template, Tello IAM needs to know who those Users are. Connecting an IDP is how that happens.

When an IDP integration is connected and synced, Tello automatically:

  • Imports Users — every account in the connected directory is discovered and added to Tello.
  • Pulls organizational data — department, job title, and other directory attributes are imported alongside each User record.
  • Detects existing permissions — access already granted in the IDP surfaces in Tello, giving the Administrator a complete picture before any changes are made.

This imported data is the foundation for everything that follows — verifying User records, connecting additional integrations, and building Role Templates. Without it, none of those steps can be completed accurately.

Connecting an HR system

Connecting an HR system alongside the IDP enriches User records with additional organizational data — reporting structure, employment status, and other HR attributes — that may not be available from the directory alone. This step is recommended but not required to proceed. The HR system connection follows the same process as any other integration.


The Integrations page

All integration management takes place on the Integrations page, accessible from the left navigation. The page displays all connected integrations with their current status and last sync time.

The following controls appear in the top right of the Integrations page:

| Control | Function |
| --- | --- |
| Schedule: OFF / ON | Configures the automatic sync schedule for all integrations. When enabled, the Administrator selects a sync frequency. When disabled, syncs run manually only. |
| Sync Now | Triggers an immediate sync across all connected integrations. |
| + Add Integration | Opens the Add Integration catalog to connect a new integration. |

Connecting an IDP integration

The steps below use Microsoft Entra ID as the primary example. The connection flow — and the specific fields and authorization steps required — differs for each IDP. Before proceeding, refer to the connection guide for the relevant IDP in the Integrations knowledge base section.

⚠ Domain admin authorization required

Connecting an IDP requires an administrator account with organization-level authorization privileges in the target directory — for example, a Global Administrator in Microsoft Entra ID. If the Administrator does not hold this role, coordinate with the appropriate person before proceeding. The connection cannot be completed without it.

Add the integration

  1. Navigate to Integrations in the left navigation.
  2. Select + Add Integration.
  3. Locate the IDP in the catalog. Use the Search integrations… field to filter by name if needed.
  4. Select Add next to the IDP.

Authorize the connection

The following steps are specific to Microsoft Entra ID. Steps differ for other IDPs — refer to the relevant connection guide in the Integrations knowledge base section.

  1. Enter the organization's Entra ID tenant domain in the Entra ID Tenant Domain field. The domain follows the format contoso.onmicrosoft.com or contoso.com.
  2. Select Login to Microsoft Entra ID. Tello redirects to Microsoft for authorization.
  3. Sign in with a Global Administrator account and grant the requested permissions on behalf of the organization.
  4. After authorization is complete, Tello redirects back to the Integrations page.

Assign a friendly name

Tello assigns a default name to each integration on connection. A friendly name makes it easier to identify the integration in lists and reports, particularly when multiple instances of the same application are connected.

  1. Select the integration row on the Integrations page to open the IAM Connection panel.
  2. Select Configure.
  3. Edit the name in the name field.
  4. Select Save.

Multiple instances of the same integration

More than one instance of the same application can be connected, for example a production and a development environment for the same tool. Assign a distinct friendly name to each instance to keep them identifiable. For example: HubSpot – Prod and HubSpot – Dev.


Configuring the sync schedule

By default, the sync schedule is off. Tello supports automatic syncing on a configurable frequency so that User data and detected permissions stay current without requiring manual intervention.

  1. Select Schedule: OFF on the Integrations page.
  2. Toggle Enable auto-sync on.
  3. Select a sync frequency from the Frequency dropdown. Options are: Every 30 minutes, Every hour, Every 6 hours, Every 12 hours, and Daily.
  4. Close the schedule panel. The control updates to Schedule: ON.

Manual sync

Select Sync Now at any time to trigger an immediate sync across all connected integrations, regardless of the schedule setting. To trigger a sync for a single integration only, open the IAM Connection panel for that integration and select Sync Now.


Verifying a successful connection

After the IDP integration is connected and the first sync completes, verify that the connection is active and Users have been imported.

  1. Select the integration row on the Integrations page to open the IAM Connection panel.
  2. Confirm the following:
    • Status displays Active.
    • Sync Status displays Synced.
    • Users discovered shows the expected number of Users from the connected directory.
  3. Navigate to Users in the left navigation and confirm that User records are present.

Drift detection

Once an integration is connected and syncing, Tello begins tracking access changes that occur outside the platform. When a permission changes in a connected system without a corresponding action in Tello, that change is flagged as drift.

Drift detection is active as soon as integrations are connected. Drift notifications are routed to Team managers — configuring Teams is covered in Getting Started Part 7.
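
The drift rule described above, shown as an added illustration that is not Tello's own code or data model: diff the permissions seen in two consecutive syncs, then subtract every change that has a matching platform action. The snapshot layout, the `Change` record, and all sample accounts and systems are assumptions constructed for this example.

```python
"""Illustrative drift check between two sync snapshots (not Tello IAM code)."""
from typing import NamedTuple


class Change(NamedTuple):
    user: str
    system: str
    permission: str
    op: str  # "grant" or "revoke"


def diff_snapshots(previous, current):
    """Return every change between two {(user, system): {permissions}} snapshots."""
    changes = set()
    for key in previous.keys() | current.keys():
        before = previous.get(key, set())
        after = current.get(key, set())
        user, system = key
        changes |= {Change(user, system, p, "grant") for p in after - before}
        changes |= {Change(user, system, p, "revoke") for p in before - after}
    return changes


def find_drift(previous, current, platform_actions):
    """Changes seen in the connected system with no matching platform action."""
    return sorted(diff_snapshots(previous, current) - set(platform_actions))


# Constructed sample data: two syncs of a hypothetical directory and CRM.
PREVIOUS = {
    ("alice@example.com", "entra-id"): {"User"},
    ("bob@example.com", "crm-prod"): {"Viewer", "Editor"},
}
CURRENT = {
    ("alice@example.com", "entra-id"): {"User", "Global Administrator"},
    ("bob@example.com", "crm-prod"): {"Viewer"},
    ("carol@example.com", "crm-prod"): {"Viewer"},
}
# Changes that were made through the IAM platform itself (constructed).
PLATFORM_ACTIONS = [
    Change("bob@example.com", "crm-prod", "Editor", "revoke"),
    Change("carol@example.com", "crm-prod", "Viewer", "grant"),
]

if __name__ == "__main__":
    for c in find_drift(PREVIOUS, CURRENT, PLATFORM_ACTIONS):
        print(f"DRIFT: {c.op} {c.permission!r} for {c.user} in {c.system}")
```

In the sample data only the out-of-band Global Administrator grant is reported; the revoke and the new account that have matching platform actions are not.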


Connecting an HR system

Connecting an HR system follows the same process as connecting any other integration — locate it in the Add Integration catalog, select Add, and complete the authorization flow for that specific application.

Each HR system has its own connection requirements. Refer to the relevant connection guide in the Integrations knowledge base section before proceeding.


Next steps

This article is Part 2 of the Getting Started with Tello IAM series.

Next: Getting Started Part 3: Verifying your user data

Previous: Getting Started Part 1 - Platform Overview

Getting Started series

  1. Platform Overview
  2. Connecting your IDP and HR integrations (current)
  3. Verifying your user data
  4. Connecting additional integrations
  5. Planning your Role Template structure
  6. Configuring Role Templates
  7. Configuring Teams
  8. Monitoring access with Change History, Access Overview, and Reports



Seasoft Security Solutions LLC | TelloIAM