
SCIM Provisioning of Users with Azure AD with non-gallery app

Easily manage your team in Timeneye, leveraging the Azure AD provisioning capabilities.

This guide explains how to configure SCIM user provisioning from Microsoft Entra ID (Azure AD) to Timeneye.

SCIM (System for Cross-domain Identity Management) is a standard protocol used to automatically manage users across applications. It allows Azure AD to automatically:

  • Create users in Timeneye

  • Update user details

  • Disable users when they are removed from Azure AD 

🌟 This feature is included in the ENTERPRISE Plan


Prerequisites

Before starting, ensure you have:

  • Administrator access to Microsoft Entra ID (Azure AD)

  • Administrator access to Timeneye

  • Permission to create Enterprise Applications in Azure

The setup requires actions in both Timeneye and Azure AD.


Step 1 — Create the Timeneye Enterprise Application in Azure

  1. Open the Microsoft Entra admin center.
  2. Navigate to Applications → Enterprise Applications
  3. Click New application.

  4. Click the "+ Create your own application" button in the top bar.
  5. Enter a name for the application (e.g. Timeneye Provisioning).
  6. Select the option "Integrate any other application you don't find in the gallery (Non-gallery)".
  7. Click the "Create" button at the bottom of the side dialog.

Step 2 — Generate the Timeneye SCIM Access Token

You now need a SCIM access token from Timeneye.

  1. Log in to Timeneye.

  2. Click your user name at the bottom of the sidebar.

  3. Open Personal Settings.

  4. Go to the Third-party apps tab.

  5. Click: Issue new personal access token

  6. Copy the generated token

⚠️ Important:

  • The token is shown only once.

  • The token expires after 1 year.


Step 3 — Configure Provisioning in Azure

Return to the Enterprise Application created earlier.

  1. Open the application.

  2. Go to: Manage → Provisioning

  3. Click Get started.

  4. Set Provisioning Mode to: "Automatic"

  5. In the "Admin Credentials" section, enter the following:
    1. Tenant URL: https://api.timeneye.com/scim/v2

    2. Secret Token: the token generated in Step 2

  6. Click the Test Connection button to verify that the credentials are authorized for provisioning.
  7. If the connection succeeds, click Save.

 


Step 4 — Create Application Roles in App Registration

Before assigning users to the application, you must first create the application roles that will be used during provisioning.

Azure displays the following message in the Users and groups section:

“Assign users and groups to app-roles for your application here. To create new app-roles for this application, use the application registration.”

These roles correspond to Timeneye roles and are required for the SCIM attribute mapping.

Open the App Registration

  1. In the Enterprise Application, go to: Manage → Users and groups

  2. Click the Application registration link shown in the message.

This opens the App Registration associated with the Enterprise Application.

Create the App Roles

  1. In the App Registration, navigate to: App roles

  2. Click Create app role.

  3. Create the following roles.

Role 1 — Admin

Configure the role with the following values:

| Field | Value |
|---|---|
| Display name | Admin |
| Allowed member types | Users/Groups |
| Value | admin |
| Description | Timeneye administrator |
| Enable role | Checked |

Click Apply.

Role 2 — Member

Create another role with the following values:

| Field | Value |
|---|---|
| Display name | Member |
| Allowed member types | Users/Groups |
| Value | member |
| Description | Standard Timeneye user |
| Enable role | Checked |

Click Apply.

Role 3 — Owner

Create the final role with the following values:

| Field | Value |
|---|---|
| Display name | Owner |
| Allowed member types | Users/Groups |
| Value | owner |
| Description | Timeneye workspace owner |
| Enable role | Checked |

Click Apply.

Note: Check that the Display name and Value of each role are spelled exactly as shown; otherwise the role will not be provisioned correctly.

Once these roles are created, they will become available in the Enterprise Application → Users and groups page and can be assigned to users.


Step 5 — Restrict Provisioning Scope (Recommended)

Caution: For security reasons, we recommend verifying that the Scope is set to "Sync only assigned users and groups" before starting provisioning. This limits provisioning to assigned users and groups only, and ensures that no other Azure AD users unintentionally get access to timeneye.com.

To avoid accidentally provisioning all Azure users:

  1. In the Provisioning settings, locate Scope.

  2. Select: Manage → Users and Groups

  3. Click Add user/group.

  4. Select the users or groups to provision.

  5. Select a role (owner, admin, or member).

  6. Click Assign.

Note: If you deprovision a user from the timeneye.com app, the user will exist in timeneye.com as an inactive user and will not be counted towards your timeneye.com user count.


Step 6 — Configure Attribute Mapping

Azure must map Microsoft Entra ID user attributes to the SCIM attributes used by Timeneye.

Open the Attribute Mapping Page

  1. Open the Enterprise Application created for Timeneye.

  2. Navigate to Provisioning.

  3. Select Mappings.

  4. Click Provision Azure Active Directory Users.



Create Custom Attributes (if they do not exist)

Some attributes required for the mapping may not exist yet.

To create them:

  1. In the Attribute Mapping page click Show advanced options.

  2. Click Edit attribute list for customappsso.

  3. Add the attributes required for the mappings.

  4. Save the configuration.

Once the attributes are created, return to the Attribute Mapping page.


Configure the Attribute Mappings

Click Add new mapping and create the mappings listed below.

  1. The mapping should be exactly like the table below:

    | Microsoft Entra ID Attribute | customappsso Attribute | Mapping Type |
    |---|---|---|
    | userPrincipalName | userName | Direct |
    | Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | Expression |
    | displayName | displayName | Direct |
    | jobTitle | title | Direct |
    | Join(" ", [givenName], [surname]) | name.formatted | Expression |
    | Switch([IsSoftDeleted], , "False", "True", "True", "False") | urn:ietf:params:scim:schemas:core:2.0:User:active | Expression |
    | objectId | urn:ietf:params:scim:schemas:core:2.0:User:microsoftId | Direct |
    | SingleAppRoleAssignment([appRoleAssignments]) | urn:ietf:params:scim:schemas:core:2.0:User:role | Expression |
    | manager | urn:ietf:params:scim:schemas:core:2.0:User:managerId | Direct |

     

  2. The settings for the objectId attribute must be the following:
    • Mapping type: Direct
    • Source attribute: objectId
    • Target attribute: urn:ietf:params:scim:schemas:core:2.0:User:microsoftId
    • Match objects using this attribute: Yes
    • Matching precedence: 1
    • Apply this mapping: Always

  3. The settings for the userPrincipalName attribute must be the following:
    • Mapping type: Direct
    • Source attribute: userPrincipalName
    • Target attribute: userName
    • Match objects using this attribute: Yes
    • Matching precedence: 2
    • Apply this mapping: Always

  4. Once done, click the Save button in the top bar.

Notice: take particular care in the settings of userPrincipalName and objectId. These parameters are essential for matching the users in your Timeneye account.
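
An offline way to sanity-check the mapping table and the role names before enabling provisioning, as an added example (not Timeneye's or Microsoft's code): it applies the mappings above to constructed Entra-style user records and reports records that would map badly. The record layout, the `switch` and `map_user` helpers and the shape of `appRoleAssignments` are assumptions made for illustration.

```python
# Added example: offline simulation of this guide's mappings; input field names are assumptions.
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User:"
# Role Display name -> Value, as created in the App roles step.
EXPECTED_ROLES = {"Admin": "admin", "Member": "member", "Owner": "owner"}

def switch(source, default, *pairs):
    """Mimic Switch(): value paired with the matching key, else the default."""
    return dict(zip(pairs[0::2], pairs[1::2])).get(source, default)

def map_user(user):
    """Apply the mapping table to one user dict; return (target, problems)."""
    problems = []
    active = switch(str(user.get("IsSoftDeleted", False)), "",
                    "False", "True", "True", "False")
    role, assignments = None, user.get("appRoleAssignments", [])
    if len(assignments) != 1:  # SingleAppRoleAssignment expects exactly one role
        problems.append(f"expected 1 app role assignment, found {len(assignments)}")
    elif EXPECTED_ROLES.get(assignments[0]["displayName"]) != assignments[0]["value"]:
        problems.append(f"role {assignments[0]!r} does not match the guide's roles")
    else:
        role = assignments[0]["value"]
    for key in ("objectId", "userPrincipalName"):  # the two matching attributes
        if not user.get(key):
            problems.append(f"missing matching attribute {key}")
    names = [user.get("givenName"), user.get("surname")]
    target = {
        "userName": user.get("userPrincipalName"),
        "active": active,
        "displayName": user.get("displayName"),
        "title": user.get("jobTitle"),
        "name.formatted": " ".join(n for n in names if n),  # Join(" ", ...); blanks skipped here
        SCIM_USER + "active": active,
        SCIM_USER + "microsoftId": user.get("objectId"),
        SCIM_USER + "role": role,
        SCIM_USER + "managerId": user.get("manager"),
    }
    return target, problems

SAMPLE_USERS = [  # constructed records, not real directory data
    {"objectId": "00000000-0000-0000-0000-000000000001", "IsSoftDeleted": False,
     "userPrincipalName": "ada@example.com", "displayName": "Ada Example",
     "givenName": "Ada", "surname": "Example", "jobTitle": "Engineer",
     "appRoleAssignments": [{"displayName": "Member", "value": "member"}]},
    {"objectId": "00000000-0000-0000-0000-000000000002", "IsSoftDeleted": True,
     "userPrincipalName": "bob@example.com", "displayName": "Bob Example",
     "givenName": "Bob", "surname": "Example",
     "appRoleAssignments": [{"displayName": "Admin", "value": "Administrator"}]},
]
```

Calling `map_user` on each entry of `SAMPLE_USERS` returns the target attributes plus a list of problems; the second record is flagged because its role Value is not one of owner, admin or member.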


Step 7 — Start provisioning

After completing the configuration, you can start the provisioning process.

Test the Integration with Manual Provisioning

You can verify the configuration immediately by running a manual provisioning test.

  1. Assign a test user to the application.

  2. Navigate to Provisioning → Provision on demand.

  3. Select the user.

  4. Click Provision.

Azure will immediately attempt to create or update the user in Timeneye. This allows you to confirm that the integration is working correctly without waiting for the scheduled provisioning cycle.

Enable Automatic Provisioning

  1. Open the Enterprise Application.

  2. Navigate to Provisioning.

  3. Set Provisioning Status to On.

  4. Click Save.

Start provisioning

Click "Save" on the left-hand side of the page to save the Provisioning Status.

Note: Provisioning sync is done every 40 minutes.


FAQs

  • What happens if the admin who set up the initial SCIM token is no longer admin (their role changed or they were deactivated)?

    The access token generated by the admin remains valid until its expiration (1 year), so the SCIM sync will continue to work.

  • What happens if I change my personal attributes in my timeneye.com account?

    The sync with Azure AD is a one-way sync, and any changes made to a user profile in the timeneye.com profile or teams page will be overwritten the next time Azure AD syncs with your account.

    This means that to change any attributes of the user profile, you will need to update them in Azure AD.