Overview: User provisioning allows organizations to automate the process of managing user identities and access across various applications. By integrating Buddy Punch with a SCIM endpoint, administrators can streamline the creation, updating, and deletion of user accounts, ensuring efficient and secure user management.
Prerequisites:
Before you begin, ensure you have the following:
A Microsoft account with at least an Application Administrator role for the Azure Directory.
A Buddy Punch account with the Administrator role.
References
Microsoft App Creation Guide
Steps to Set Up User Provisioning
1. Sign in to the Microsoft Azure admin center with an account that has at least an Application Administrator role.
2. Navigate to Identity > Applications > Enterprise applications.
3. Select + New application > + Create your own application.
4. Enter a name for your application, choose the option "integrate any other application you don't find in the gallery" and select Create to create an app object.
5. You'll be taken to the app management screen, where you'll want to select Provisioning in the left panel and ensure Provisioning Mode is set to Automatic.
6. Enter the Tenant URL of the application's SCIM endpoint: https://webapi.buddypunch.com/scim/v2/
7. The SCIM endpoint requires an OAuth bearer token; please enter it into the Secret Token field.
Don't have a security/secret token yet? Please contact [email protected] for further assistance.
8. Click Test Connection to ensure Microsoft Entra can connect to the SCIM endpoint. If the attempt fails, error information is displayed.
9. If the attempts to connect to the application succeed, then select Save to save the admin credentials.
10. In the Mappings section, select the attributes you wish to sync: either user objects or group objects.
Review the attributes synchronized from Microsoft Entra ID to your app. Adjust as needed for update operations.
11. Under Settings, set the Scope field to either:
Sync only assigned users and groups (recommended), or
Sync all users and groups.
12. Set the Provisioning Status to On and Save to start the Microsoft Entra provisioning service.
13. If syncing only assigned users and groups, select the Users and groups tab to assign them. If syncing all, this step is not necessary.
Once the initial cycle has started, you can select Provisioning logs in the left panel to monitor progress, which shows all actions done by the provisioning service on your app. For more information on how to read the Microsoft Entra provisioning logs, see Reporting on automatic user account provisioning.
Note: The initial cycle takes longer to perform than later syncs, which occur approximately every 40 minutes as long as the service is running.
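The provisioning-log review described above can be scripted once the log entries are exported as JSON. The following is an added example, not part of the original article or of Buddy Punch's or Microsoft's own code; it assumes the records use the field names of the Microsoft Graph provisioningObjectSummary resource (provisioningAction, provisioningStatusInfo, sourceIdentity), and the sample records are constructed.

```python
import json
from collections import Counter

# Constructed sample records, not real tenant data. Field names are assumed to
# follow the Microsoft Graph provisioningObjectSummary resource.
SAMPLE_LOG = json.loads("""
[
 {"activityDateTime": "2024-05-01T10:00:00Z", "provisioningAction": "create",
  "sourceIdentity": {"displayName": "alice@example.com"},
  "provisioningStatusInfo": {"status": "success"}},
 {"activityDateTime": "2024-05-01T10:00:05Z", "provisioningAction": "create",
  "sourceIdentity": {"displayName": "bob@example.com"},
  "provisioningStatusInfo": {"status": "failure",
    "errorInformation": {"errorCode": "ExampleErrorCode", "reason": "constructed failure"}}},
 {"activityDateTime": "2024-05-01T10:40:00Z", "provisioningAction": "disable",
  "sourceIdentity": {"displayName": "carol@example.com"},
  "provisioningStatusInfo": {"status": "success"}},
 {"activityDateTime": "2024-05-01T10:40:02Z", "provisioningAction": "update",
  "sourceIdentity": {"displayName": "dave@example.com"},
  "provisioningStatusInfo": {"status": "skipped"}}
]
""")

REVIEW_ACTIONS = {"delete", "disable"}  # access-removing actions worth a second look


def triage(records):
    """Return (status counts, failures, access-removing events) for one export."""
    counts = Counter()
    failures, removals = [], []
    for rec in records:
        info = rec.get("provisioningStatusInfo") or {}
        status = (info.get("status") or "unknown").lower()
        action = (rec.get("provisioningAction") or "unknown").lower()
        user = (rec.get("sourceIdentity") or {}).get("displayName", "?")
        counts[status] += 1
        if status == "failure":
            err = info.get("errorInformation") or {}
            failures.append((rec.get("activityDateTime"), user, action, err.get("errorCode")))
        elif action in REVIEW_ACTIONS and status == "success":
            removals.append((rec.get("activityDateTime"), user, action))
    return counts, failures, removals


if __name__ == "__main__":
    counts, failures, removals = triage(SAMPLE_LOG)
    print("status counts:", dict(counts))
    for f in failures:
        print("FAILED :", *f)
    for r in removals:
        print("REMOVED:", *r)
```

Run it against each export after the initial cycle and compare the removed accounts with the users and groups you intended to leave out of scope.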