
Configure Azure SSO for Time Doctor

 

Note: 
  • Feature: Single Sign-On (SSO) with Microsoft Azure (OIDC)
  • Availability: Paid SSO add-on
  • Access: Owners and Admins via Settings / Company Settings → Single Sign On (SSO)

 

TL;DR: 
 
  • Register a confidential OIDC app in Azure

  • Add Time Doctor web and desktop redirect URIs

  • Enable ID tokens and Access tokens

  • Add optional claims: email, verified_primary_email, acct

  • Grant permissions: openid, profile, email, offline_access, User.Read

  • Capture Client ID and Issuer from the app (Application ID and OAuth 2.0 endpoint)

  • (Optional) Specify Allowed Domains in Time Doctor

  • Assign users to the app in Azure

  • Add Azure as an SSO provider in Settings / Company Settings

 

Prerequisites

  • Azure tenant with permission to create app registrations.
  • Time Doctor account with Owners or Admins access and the SSO add‑on enabled.
  • (Optional) List of Allowed Domains to auto‑discover the company during SSO.

 

Register the Time Doctor application in Azure

  1. Log in to the Azure portal as an administrator.
  2. Open Azure Active Directory (Microsoft Entra ID) → App registrations.
  3. Select New registration.
  4. Enter Name: Time Doctor.
  5. Under Supported account types, select the option required by the organization.
  6. Click Register.

 

Add redirect URIs (Authentication)

  1. In the app’s Manage pane, open Authentication.
  2. Click Add a platform → Web.
  3. Add the web redirect URI:
    • https://2.timedoctor.com/login/oauth2/azure/callback
  4. Under Implicit grant and hybrid flows, select:
    • Access tokens
    • ID tokens
  5. Click Configure.
  6. In Platform configurations → Web, click Add URI and add desktop redirect URIs:
    • https://desktop.timedoctor.com/login/oauth2/azure/callback
    • https://desktop.timedoctor.com/login/oauth2/azure/callback/desktop
  7. Click Save.

 

Configure token claims (Optional claims)

  1. In the app’s Manage pane, open Token configuration.
  2. Click Add optional claim.
  3. Select Token type: ID.
  4. Add the following claims:
    • email
    • verified_primary_email
    • acct
  5. When prompted, enable the Microsoft Graph email permission and save.
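
To confirm that the Authentication and Token configuration steps above took effect, this added example (not Time Doctor or Microsoft code) audits an app registration exported as JSON, for instance the output of `az ad app show --id <client-id>`. It assumes the Microsoft Graph `application` field names; the function name and the sample registration are constructed for illustration.

```python
# Values taken from this page's Authentication and Token configuration steps.
EXPECTED_REDIRECTS = {
    "https://2.timedoctor.com/login/oauth2/azure/callback",
    "https://desktop.timedoctor.com/login/oauth2/azure/callback",
    "https://desktop.timedoctor.com/login/oauth2/azure/callback/desktop",
}
EXPECTED_ID_CLAIMS = {"email", "verified_primary_email", "acct"}


def audit_app_registration(app: dict) -> list:
    """Return findings for an app registration object (assumed to be in the
    Microsoft Graph 'application' shape, as printed by `az ad app show`)."""
    findings = []
    web = app.get("web") or {}
    redirects = set(web.get("redirectUris") or [])
    for uri in sorted(EXPECTED_REDIRECTS - redirects):
        findings.append(f"missing redirect URI: {uri}")
    # Any redirect URI beyond the documented three can receive tokens: review it.
    for uri in sorted(redirects - EXPECTED_REDIRECTS):
        findings.append(f"unexpected redirect URI: {uri}")
    implicit = web.get("implicitGrantSettings") or {}
    for flag, label in (("enableIdTokenIssuance", "ID tokens"),
                        ("enableAccessTokenIssuance", "Access tokens")):
        if not implicit.get(flag):
            findings.append(f"{label} not enabled under implicit grant and hybrid flows")
    claims = (app.get("optionalClaims") or {}).get("idToken") or []
    present = {c.get("name") for c in claims}
    for name in sorted(EXPECTED_ID_CLAIMS - present):
        findings.append(f"missing optional ID token claim: {name}")
    return findings


# Constructed sample: one desktop URI missing, a stray localhost URI left over,
# access tokens disabled, and the 'acct' claim not added.
SAMPLE = {
    "web": {
        "redirectUris": [
            "https://2.timedoctor.com/login/oauth2/azure/callback",
            "https://desktop.timedoctor.com/login/oauth2/azure/callback",
            "http://localhost:8080/callback",
        ],
        "implicitGrantSettings": {"enableIdTokenIssuance": True,
                                  "enableAccessTokenIssuance": False},
    },
    "optionalClaims": {"idToken": [{"name": "email"}, {"name": "verified_primary_email"}]},
}

if __name__ == "__main__":
    print("\n".join(audit_app_registration(SAMPLE)))
```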

 

Verify API permissions

  1. In API permissions, click Microsoft Graph.
  2. Ensure these delegated permissions are present:
    • openid
    • profile
    • email
    • offline_access
    • User.Read

 

Set the Application ID URI (Expose an API)

  1. Open Expose an API.
  2. Click Set for Application ID URI, then Save.

 

Collect Time Doctor configuration values

  1. Open Overview.
  2. Copy Application (client) ID → use as Client ID in Time Doctor.
  3. Click Endpoints and copy OAuth 2.0 authorization endpoint (v2) → use as Issuer in Time Doctor.

 

Assign users to the Azure application

  1. Go to Azure Active Directory → Users (or Enterprise applications → Time Doctor → Users and groups).
  2. Invite or assign the users and groups that require Time Doctor access.
  3. Complete the assignment.

 

Tip: If using domain-based auto‑discovery in Time Doctor (below), access must still be granted to the Azure app for those users.

 

Add Azure as an SSO provider in Time Doctor

  1. Sign in to the Time Doctor web app as Owner or Admin.
  2. Scroll to Single Sign On (SSO) and click Add Provider.
  3. Choose Azure.
  4. Enter:
    • Domain (optional) – Allowed domains for SSO company discovery.
    • Client ID – From Azure Application (client) ID.
    • Issuer – From Azure OAuth 2.0 authorization endpoint (v2).
  5. Click Save.

 

Important behavior of Allowed Domains
  • Any domain added here enables people with email addresses on those domains to find the company via SSO.
  • If those users are also granted access to the Azure app, they can join the Time Doctor company automatically and are provisioned with default settings, even if not invited manually.
  • If no domains are added, the company cannot be discovered via SSO; invite or add users manually instead.

 

 


 

 

FAQ

Which scopes are required?

openid, profile, email, offline_access, and User.Read (delegated) must be granted in Microsoft Graph.

 

Which values are needed in Time Doctor?

Client ID (Azure Application ID) and Issuer (OAuth 2.0 authorization endpoint v2).

 

Is domain configuration required?

No. Skip Domain to prevent public discovery and invite users manually; or add specific domains to enable discovery and self‑join.

 
 

 

 

Should there be any inconsistencies or concerns regarding the article, contact support@timedoctor.com for prompt assistance.