SCIM Setup

To enable provisioning from Microsoft Entra ID to eHour, you will need to create a new Enterprise application in your Microsoft Entra admin center. This guide helps you set up the Enterprise application using the new Entra admin UI at https://entra.microsoft.com/


This guide is written for IT administrators who manage Entra ID. You’ll need:

  • An Entra ID P1 or P2 license (for custom mappings)
  • Admin access to your Entra tenant
  • An eHour SCIM token (available in your eHour Admin panel)

Follow the steps below to connect Entra ID to eHour and start provisioning automatically.


Configuring eHour

Before setting up provisioning in Microsoft Entra ID, you first need to enable SCIM in eHour.


Enable SCIM provisioning

  1. Go to Admin → Single Sign-on → SCIM Provisioning
  2. Enable SCIM provisioning

Copy the SCIM token

You will need this token when configuring provisioning in Microsoft Entra ID.

  • Copy the Secret token
  • You will use it later in the Entra ID setup

Configure team derivation

eHour can automatically assign users to teams based on your Entra setup.

You have two options:

Entra ID Groups → eHour Teams

  • Teams in eHour are created from Entra groups
  • Recommended if you already manage groups in Entra

Department attribute → eHour Teams

  • Teams are derived from the department field on the user

Choose the option that matches how your organization manages teams.


Configuring Microsoft Entra ID

1 Enterprise Application creation

  1. Go to Microsoft Entra ID → Enterprise applications
  2. Click New application → Create your own application
  3. Name it something like “eHour SCIM”
  4. Choose “Integrate any other application you don’t find in the gallery”.

Avoid selecting the eHour gallery entry, as it only supports SSO, not SCIM provisioning.

The Enterprise App

2 Configure Provisioning

  1. From the Getting Started list, select "3. Provision User Accounts"
  2. Under "Get started with application provisioning", select "Connect your application" in the Create Configuration section.
  3. Enter "https://ehourapp.com/scim/v2" as the tenant URL
  4. Enter the Secret token from eHour as the Secret Token.
  5. Click Test Connection. After a successful test, click Create.
SCIM Connection setup

3 Attribute Mapping Configuration

In the side menu, click Attribute Mapping in the Manage section to change and validate the mappings.


Click the Provision Microsoft Entra ID Users mapping.

eHour uses the following SCIM (customappsso) attributes. Make sure they are mapped to your relevant Entra ID attributes. By default, core SCIM attributes (like userName, emails, etc.) are already mapped. Please remove (default) attributes that are not in this list.

| Usage in eHour | SCIM (customappsso) Attribute | Entra ID Attribute |
| Primary user identifier | userName | userPrincipalName |
| Active flag for restore / archive | active | accountEnabled |
| User firstname | name.givenName | givenName |
| User lastname | name.familyName | surname |
| Email address for notifications | emails[type eq "work"].value | mail |
| Line manager | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager | manager |

First Day At Work mapping

You can map the hiring date in Entra to the First Day at Work field in eHour. This allows you to pre-create users. In eHour, users do not receive notifications and are excluded from reports until their first day at work. Instead of creating a custom schema, we reuse the existing costCenter attribute (which eHour does not use) to send the date.


  1. On the Attribute Mapping page, scroll to the bottom and enable Show advanced options.
  2. Click Edit attribute list for customappsso.
  3. In the attribute list, scroll to the urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter attribute (likely the 2nd extension field).
  4. Set the type to DateTime.
  5. Click Save.

  6. Return to the Attribute Mapping page and click Add New Mapping.
  7. Select employeeHireDate from Entra ID as the source attribute and map it to the newly created urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter field.



Target Object Actions

On this page, make sure the Create, Update, and Delete actions are selected. This ensures Entra ID sends all user management actions to eHour.


Teams

This depends on the team derivation mode you selected in eHour.

When setting up provisioning, you can decide how teams in eHour are created. There are two options:


When you selected Entra ID Groups to eHour Teams


  1. Make sure Groups and Users are enabled.


  2. Make sure the urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department attribute is not mapped in the User mapping.

When you selected the Company/Department attribute:

Use this if you prefer teams to be based on departments instead of groups. Teams are created based on the department attribute in the user object.


To enable:

  1. Disable the group mapping by clicking the "Provision Microsoft Entra ID Groups" mapping and setting selected to false, then click Save.
  2. In the user mapping, make sure the department field is mapped:
| Usage in eHour | SCIM (customappsso) Attribute | Entra ID Attribute default values |
| Team prefix (optional) | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization | companyName |
| Team name | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | department |

To add new mappings, use the Add new mapping link at the bottom of the attribute table. In the "Edit Attribute" screen, you only need to change the source attribute and target attribute fields. Leave the rest on their default values:

After validating the mapping, don't forget to click the Save button at the top of the screen. Close the attribute mapping to return to the eHour enterprise application.


4 Selecting users and groups to provision

To explicitly assign which users and/or groups should sync to eHour, first ensure that Entra ID is not syncing all users:


  1. In the Manage sidebar, go to Provisioning.
  2. Expand the Settings.
  3. Ensure the Scope is set to "Sync only assigned users and groups".
  4. Click Save to store the setting.

To select the users to provision:


  1. In the Manage sidebar, go to Users and groups.
  2. Click Add user/group.
  3. In the blade that opens, click None selected.
  4. Choose the users and/or groups you want to provision.
  5. Click Select at the bottom.
  6. Finally, click Assign to confirm.

5 Testing the provisioning

You can test provisioning by syncing an individual user before enabling it for everyone.

Important: If you want a user’s manager to be included, you must provision the manager first. Otherwise, Entra cannot reference the manager’s eHour ID and will skip the attribute.

Steps:

  1. In the Enterprise App, open Provision on demand from the sidebar.
  2. Select a user and click Provision.
  3. After provisioning, you’ll see a list of all attributes sent. Use this to verify that your Entra attributes are correctly mapped to SCIM (eHour) attributes.
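As an added example (not part of the eHour or Microsoft documentation), the script below checks a SCIM User payload against the mapping tables in this guide: it flags any attribute outside the documented list, flags department and organization when teams come from Entra groups, and verifies that costCenter carries a date. The function names, the flattened path notation and the sample payload are assumptions made for illustration; the payload shape follows the standard SCIM 2.0 core and enterprise User schemas.

```python
from datetime import datetime

ENT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Target attributes from this guide's mapping tables (costCenter carries First Day At Work).
BASE = {"userName", "active", "name.givenName", "name.familyName",
        'emails[type eq "work"].value', f"{ENT}:manager", f"{ENT}:costCenter"}
# Only mapped when teams are derived from the department attribute.
DEPARTMENT_MODE = {f"{ENT}:organization", f"{ENT}:department"}

def flatten(user):
    """Yield (path, value) pairs in the notation of the Entra mapping screen."""
    for key, val in user.items():
        if key == "schemas":          # SCIM protocol metadata, not a mapped attribute
            continue
        if isinstance(val, dict):
            sep = ":" if key == ENT else "."
            for sub, v in val.items():
                yield f"{key}{sep}{sub}", v
        elif isinstance(val, list):   # multi-valued complex attribute, e.g. emails
            for item in val:
                yield f'{key}[type eq "{item.get("type")}"].value', item.get("value")
        else:
            yield key, val

def check(user, team_mode):
    """Return findings for one payload; team_mode is "groups" or "department"."""
    allowed = BASE | (DEPARTMENT_MODE if team_mode == "department" else set())
    findings = []
    for path, value in flatten(user):
        if path not in allowed:
            findings.append(f"unexpected attribute: {path}")
        elif path == f"{ENT}:costCenter":
            try:
                datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            except ValueError:
                findings.append(f"costCenter is not a date: {value!r}")
    return findings

# Constructed sample payload (not real data): a leftover default mapping
# (displayName) and a real cost-center code where a hire date is expected.
SAMPLE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENT],
    "userName": "jane@example.com",
    "active": True,
    "displayName": "Jane Doe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "emails": [{"type": "work", "primary": True, "value": "jane@example.com"}],
    ENT: {"department": "Engineering", "costCenter": "CC-42"},
}

if __name__ == "__main__":
    for mode in ("groups", "department"):
        print(mode, check(SAMPLE, mode))
```

An empty result means the payload carries only the attributes this guide maps, which keeps unneeded directory data out of eHour.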

6 Start Automatic Provisioning

Once you’ve validated the mappings with test users, you can enable automated provisioning for everyone.

  1. Open Overview from the sidebar.
  2. At the top, click Start provisioning to turn on automatic sync.
  3. Use the Provisioning logs in the sidebar to monitor progress and troubleshoot any issues.
