The Microsoft Entra ID Integration in Timus Manager allows you to synchronize users and groups from your Entra ID (formerly Azure Active Directory) environment into Timus. This enables centralized identity provisioning, secure remote access, and group-based policy management aligned with your organization’s identity infrastructure.

Important Note:

Timus syncs users based on their Primary Email Address in Entra ID. However, Entra ID APIs and SSO use the Username for authentication. 

On Entra Example:

• Primary Email: timus@test.com
• Username: timus@example.com

• Because Timus only allows login via the Primary Email, SSO with the Username will not work.

• To avoid this issue, the Primary Email and Username in Entra ID must be the same. 
• This ensures that SSO authentication works correctly with Timus.

What This Integration Enables

• Synchronize Entra ID users and groups into Timus
• Automatically assign synced users to the Microsoft Entra ID Users team
• Control access to specific sites by group
• Enable Remote Access (VPN-style connectivity) for authorized groups
• Maintain automated, secure sync using Microsoft Graph API integration
• Only one Entra account can be integrated per tenant. You can sync as many security groups as necessary within this account. Each group name will be applied as a static Tag.

After successful setup, the Preferences tab will be unlocked for managing group sync and site access.

Prerequisites

Before starting, ensure the following:

• Administrator access to your Microsoft Entra ID tenant
• A registered application in Entra ID with required API permissions
• A valid Tenant ID, Client ID, and Client Secret

Register an Application in Microsoft Entra ID

1. Sign in to the Microsoft Entra Admin Center
2. Go to Microsoft Entra ID → App registrations

3. Click + New registration

4. Enter a display name (e.g., Timus Integration)
5. Under Supported account types, choose one of the following (based on your directory needs):
   • Single-tenant
   • Multitenant (recommended for broader org access)
6. For Redirect URI, select Web and enter: https://auth.timuscloud.com/user/external
7. Click Register

After registration, copy:

• Client ID
• Tenant ID

Create a Client Secret

1. In the app registration screen, navigate to Certificates & secrets

2. Click + New client secret

3. Enter a description and set the expiration to 24 months (maximum allowed by Entra ID)

4. Click Add

5. Copy the Client Secret Value immediately—this is shown only once

⚠️ Microsoft limits client secret lifetime to a maximum of 730 days. You must renew the secret before expiry to prevent service disruption.

Assign API Permissions

⚠️ Important — Do NOT remove the default User.Read (delegated) permission

Timus and common Microsoft sign-in flows rely on the default delegated scope User.Read (Sign in and read user profile) for interactive sign-ins and to populate basic profile information. Removing this permission can break SSO and prevent users from signing in. If User.Read is removed, please re-add it and re-grant admin consent.

1. In the same app registration, navigate to API Permissions
2. Click + Add a permission → Microsoft Graph → Application permissions

3. Under User, check: User.Read.All

4. Under Group, check: Group.Read.All

5. Click Add Permissions

   • Permission	Type	Required by Timus?	Admin consent required?
     User.Read	Delegated	Yes — do not remove	No (delegated; user consent) — but re-grant if removed
     User.Read.All	Application	Yes (read all users)	Yes — must Grant admin consent.
     Group.Read.All	Application	Yes (read groups)	Yes — must Grant admin consent.

     User.Read is a delegated permission that allows the application to sign users in and read basic profile properties (name, id, email). Many Microsoft sign-in samples and MSAL libraries assume this scope by default; removing it will cause token/profile issues during interactive sign-in flows. For machine-to-machine read operations (no interactive user), Timus uses application permissions like User.Read.All — but the delegated User.Read must remain for SSO.

6. Click Grant admin consent for your tenant

These permissions allow Timus to retrieve users and groups from your Microsoft Entra ID tenant.

Configure the Integration in Timus Manager

1. Navigate to Settings → Integrations
2. Click ⚙️ → Manage on the Microsoft Entra ID card
3. Enter the following values:
   • Tenant ID
   • Client ID
   • Client Secret
4. Click Save

Once saved, the Preferences tab will become available.

Configure Group Mapping & Site Access

1. Go to the Preferences tab
2. Toggle Synchronization Status to ON
3. Under Groups on Entra ID, select the groups to sync
   • Users in these groups are assigned to the Microsoft Entra ID Users team in Timus
   • Their original group name will be tagged on each user
4. Under Allowed Sites, choose the Cloud Gateways these users can access
5. Optionally, enable Remote Access per site

⚠️ Group names in Entra ID must not exceed 29 characters. Longer names will not be tagged in Timus Manager.

Post-Sync Behavior

• Synced users appear under Users & Teams → Users
• Users are automatically added to the Microsoft Entra ID Users team
• Group assignments are re-evaluated during each sync cycle
• Manual team changes remain unless overwritten by group sync logic

Disable the Integration

To turn off the integration:

1. Go to Settings → Integrations
2. Click ⚙️ → Disable on the Microsoft Entra ID card

Disabling the integration will:

• Stop all synchronization jobs
• Retain already synced users and their team memberships
• Remove group-based mappings until re-enabled

🔐 Security & Data Handling

• Communication with Microsoft Graph API is secured via OAuth 2.0
• Tenant ID, Client ID, and Client Secret are stored encrypted
• Timus performs read-only operations on your Entra ID directory
• No users, groups, or settings are modified in your Microsoft environment
• You can revoke API access at any time from the Entra Admin Center

Updated January 30, 2026 17:50