SCIM Provisioning of Users with Azure AD with non-gallery app

Easily manage your team in Timeneye, leveraging the Azure AD provisioning capabilities.

Lorenzo Santi
Written by Lorenzo SantiLast update 2 months ago

System for Cross-domain Identity Management (also known as "SCIM") is a protocol for user management across multiple applications. It allows an IT or Operations team to easily provision (add), de-provision (deactivate), and update user data across multiple applications at once.

To set up SCIM provisioning in Azure AD you will need to have the involvement of both the admin and the manager of your Azure AD account.

SCIM capabilities supported in

  • Provisioning of Users

  • De-provisioning of Users

  • Updating User Details


  • Step 1 - Create a Timeneye Provisioning enterprise app

Go to your Azure AD homepage and click "Enterprise Applications" on the left pane.

Then, click the New application button:

Add enterprise application

Then click on the "+ Create your own application" button in the top bar; insert a name for the application (e.g. Timeneye Provisioning) and select the option "Integrate any other application you don't find in the gallery (Non-gallery)"; click on the "Create" button at the bottom of the side dialog.

  • Step 2 - Go to Provisioning

Go to the Provisioning section and click "Get Started".

On the following page, select the "Automatic" Provisioning Mode.

In the "Admin Credentials" section, enter the following:

  • Tenant URL:
    This should be:

  • Secret Token:
    This should be taken from your user settings (see instructions below)

You can go to App & User settings section to get the provisioning token.

  • Open up your account

  • Click on Profile > App & User settings

  • Go to the Third-party apps tab

  • Click on "+ Issue new personal access token"

  • Give it a name, for example, "SCIM access token"

  • Copy the obtained access token (it won't be available anymore after you leave the page)

  • Paste it in Azure AD

Click Test Connection button to verify the credentials that are authorized for provisioning:

Schermata 2023-08-01 alle 11.56.55

Click "Save" on the left-hand side of the page to save the configuration.

Under Settings, make sure to set the scope to "Sync only assigned users and groups":

Important Note: For security measures, we recommend that you verify that the Scope is set to "Sync only assigned users and groups" before starting provisioning. This will ensure that the provisioning will be limited to assigned users/groups only, and that no other Azure AD users will have access to unintentionally.

Under Mappings, select Provision Azure Active Directory Groups, disable the provisioning, and click Save; Timeneye does not currently support the groups provisioning.

Set Up User Provisioning

Go back to the application main page, and then go to "Users and groups":

Click "Add user":

Add users

Then, click "Users and groups":

Select users

Search for users and select them from the list, and then click the "Select" button at the bottom of the screen.

Select a role for the selected users (see section below for details on how to create roles):

Select role

all the selected users will be assigned to the selected role. If you plan to provision users with different roles, you'll have to select them in different batches.

Click the "Assign" button at the bottom-left side:

Note: If you deprovision a user from the app, the user will exist in as an inactive user and will not be counted towards your user count.

User Attributes

These fields are supported for mapping user attributes:

  • Name (can’t contain special characters)

  • Email (must be lowercase)

  • Job Title (user’s position in the company)

  • Active (whether or not a user is enabled or disabled)

  • Microsoft ID

  • Role (owner, admin, or member)

Edit attribute mapping

In order for the provisioning to work correctly, you'll need to edit the attribute mappings. This step is needed to map the Azure AD attributes to the SCIM attributes supported by Timeneye.

  1. In the Azure AD provisioning section, click on "Provision Azure Active Directory Users" in the Mappings section.

    Use the "Add new mapping" button to add the attribute mappings.

  2. The mapping should be exactly like the table below:

    Azure Active Directory Attribute

    customappsso Attribute

    Mapping Type




    Switch([IsSoftDeleted], , "False", "True", "True", "False")









    Join(" ", [givenName], [surname])



    Switch([IsSoftDeleted], , "False", "True", "True", "False")









    The settings for the objectId attribute must be the following:
    • Mapping type: Direct
    • Source attribute: objectId
    • Target attribute: urn:ietf:params:scim:schemas:core:2.0:User:microsoftId
    • Match objects using this attribute: Yes
    • Matching precedence: 1
    • Apply this mapping: Always

    The settings for the userPrincipalName attribute must be the following:
    • Mapping type: Direct
    • Source attribute: userPrincipalName
    • Target attribute: userName
    • Match objects using this attribute: Yes
    • Matching precedence: 2
    • Apply this mapping: Always

  3. Once done, click the Save button in the top bar.

Notice: take particular care in the settings of userPrincipalName and objectId. These parameters are essential for matching the users in your Timeneye account.

Provisioning role

  1. Go to Azure AD and click on "App registrations" and search for the application.

  2. After selecting the app, navigate to "App roles" where you can view all roles and then click on "Create app role":
    Create roles

  3. Insert "Mmber" as Display name, "member" as Value and select Users/Groups as Allowed member types. Check "Do you want to enable this app role?" checkbox.
    Edit role

  4. Repeat the step 3 for roles "Owner" and "Admin"

Note: it is important to check the spelling of the Display name and Value of the roles to be correct, otherwise the role won't be correctly provisioned.

Now you can select the role when selecting the users to be provisioned.

Start provisioning

To start provisioning, set Provisioning Status to "On":

Start provisioning

Click "Save" on the left-hand side of the page to save the Provisioning Status.

Note: Provisioning sync is done every 40 minutes.


  • What happens if the admin who set up the initial SCIM token is no longer admin (their role changed or they were deactivated)?

    The access token generated by the admin will still be valid until its expiration (1 year), the SCIM sync will continue to work.

  • What happens if I change my personal attributes in my account?

    The sync with Azure AD is a one-way sync, and any changes made to a user profile in the profile or teams page will be overwritten the next time Azure AD syncs with your account.

    This means that to change any attributes of the user profile, you will need to update them in Azure AD.

Did this answer your question?