Configure Azure SSO for Time Doctor

Register Time Doctor app

1. Log in to the Azure portal as an admin

2. In Azure Active Directory, select App registrations in the left-hand navigation menu.

3. Click New registration to start adding your app

4. Input your tenant name “Time Doctor” 

5. Set who can use this application or access this API (depends on client requirement)

6. Click Register 

Add redirect URIs in authentication settings 

1. In your app directory’s Manage section, click Authentication in the left-hand navigation menu. 

2. Click Add platform 

3. A side panel opens on the right. Click Web under Configure platforms

4. Add redirect URI for web-app: https://2.timedoctor.com/login/oauth2/azure/callback

5. Tick the checkboxes under the implicit grant: 

  • Access tokens 
  • ID tokens

6. Click Configure to save the settings 

7. In Platform configurations, click on Add URI under the Web section to add more redirect URIs. 

8. Add the URI for the desktop app

9. Click the Save button at the top 

Check token configuration

  1. In your app directory, go to Token configuration in the left-hand navigation menu
  2. Click Add optional claim 
  3. A panel opens on the right. Select ID for the token type

Add the following options:

  • acct 
  • email 
  • verified_primary_email

Click Add. In the banner popup, tick the checkbox to turn on the Microsoft Graph email permission, then click Add to save the settings.

Check API permissions

In your app directory, go to API permissions in the left-hand navigation menu. Click the Microsoft Graph link.

Make sure you have added the following under OpenId permissions:

  • email 
  • offline_access 
  • openid 
  • profile 
  • User.Read

Add Application ID URI

  1. In your app directory, click Expose an API in the left-hand navigation menu
  2. Click Set in the Application ID URI at the top 
  3. Click Save

Obtain client ID and Issuer

  1. In your app directory, click Overview in the left-hand menu 
  2. Note the Application (client) ID under the Essentials section. You will use this for the Client ID field in Time Doctor.
  3. Click Endpoints and take note of the OAuth 2.0 authorization endpoint (v2). You will use this for the Issuer field in Time Doctor. 
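
To confirm that the portal settings above were saved as intended, the registration can be exported with `az ad app show --id <client-id>` and compared with the values in this guide. The script below is an added example, not Time Doctor or Microsoft tooling; the function name, the `extra_redirects` parameter and the sample export are constructed for illustration, and the property names follow the Microsoft Graph application object.

```python
import json

# Values taken from this guide.
GUIDE_REDIRECT = "https://2.timedoctor.com/login/oauth2/azure/callback"
GUIDE_ID_CLAIMS = {"acct", "email", "verified_primary_email"}

def audit_registration(app, extra_redirects=()):
    """Return a list of deviations from this guide's settings (empty means none)."""
    # extra_redirects: URIs you added on purpose, e.g. the desktop app URI.
    findings = []
    web = app.get("web") or {}
    allowed = {GUIDE_REDIRECT, *extra_redirects}
    uris = set(web.get("redirectUris") or [])
    for uri in sorted(allowed - uris):
        findings.append("missing redirect URI: " + uri)
    for uri in sorted(uris - allowed):
        findings.append("unexpected redirect URI: " + uri)
    grant = web.get("implicitGrantSettings") or {}
    for flag in ("enableAccessTokenIssuance", "enableIdTokenIssuance"):
        if grant.get(flag) is not True:
            findings.append("implicit grant setting is off: " + flag)
    id_token = (app.get("optionalClaims") or {}).get("idToken") or []
    present = {claim.get("name") for claim in id_token}
    for name in sorted(GUIDE_ID_CLAIMS - present):
        findings.append("missing optional ID token claim: " + name)
    if not app.get("identifierUris"):
        findings.append("Application ID URI is not set")
    return findings

# Constructed sample export with three deliberate deviations from the guide.
SAMPLE = json.loads("""
{
  "web": {
    "redirectUris": [
      "https://2.timedoctor.com/login/oauth2/azure/callback",
      "https://old-test.example.invalid/callback"
    ],
    "implicitGrantSettings": {"enableAccessTokenIssuance": true, "enableIdTokenIssuance": false}
  },
  "optionalClaims": {"idToken": [{"name": "acct"}, {"name": "email"}]},
  "identifierUris": ["api://00000000-0000-0000-0000-000000000000"]
}
""")

if __name__ == "__main__":
    for finding in audit_registration(SAMPLE):
        print(finding)
```

Any redirect URI reported as unexpected should be removed or explicitly accounted for, since tokens are delivered to every URI registered on the app.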

Assign users to application

  1. Go back to Azure Active Directory 
  2. Under the Manage section, click Users 
  3. Create/Invite users that you want to have access to the Time Doctor app
  4. Click Invite

Add Azure as a provider in Time Doctor

  1. Log into the Time Doctor web-app as admin 
  2. Navigate to the Settings and select Company Settings 
  3. Scroll down to Single Sign On 
  4. Click Add Provider and select Azure as a provider

Provide the following information and click Save: 

  • Domain - optional. You can specify which domain you’d like to allow to use SSO. If you do not, make sure that each user’s identity exists in both Time Doctor and Azure.

Be aware that any domain you specify will allow anyone with that domain to find your company on Time Doctor. If you have also given them access to your app on Azure, they can join your company on Time Doctor as well, even if you have not manually added, invited, or provisioned them. They will be automatically provisioned with default settings.

However, if you do not add any allowed domains, nobody can find your Time Doctor company until you manually add or invite them.

  • Client ID - obtained from Azure 
  • Issuer - obtained from Azure

Click Save.