This article applies to TeamViewer customers with a Tensor license.
With SCIM (System for Cross-domain Identity Management), it is possible to synchronize users from Azure AD to TeamViewer. This requires an Azure Premium license subscription. It allows administrators to create, update and delete users within Azure AD and keep their TeamViewer accounts automatically updated within 1h (the current Azure update interval).
To be able to use this feature, you must meet the following requirements:
- a valid Tensor license for TeamViewer
- Azure Premium license subscription
- follow the instructions below to set up SCIM
Create TeamViewer Script Token
- Log in to TeamViewer: https://login.teamviewer.com
- Select Edit Profile and navigate to the Script Tokens section
- Add a new script token with the rights "View, create and edit users" (optionally also admins)
Set Up Azure AD Enterprise Application
The following steps are closely based on the official documentation provided by Microsoft:
- Open the Azure portal: https://portal.azure.com
- Navigate to the Azure Active Directory section.
- Select in the navigation menu on the left side.
- Press the button on the top
- Select Non-gallery application.
- Specify a name for the application. For example "TeamViewer User Provisioning"
- After the application has been created, navigate to the Provisioning section and switch the Provisioning Mode to Automatic
- Set the Tenant URL to https://webapi.teamviewer.com/scim/v2
- Enter the TeamViewer Script token that has been created before in the Secret Token field
- Press Test Connection to test that the token and endpoint are valid
- Press Save
Configure Attribute Mappings
The user attribute mappings need to be configured before activating the user provisioning application.
Details about how TeamViewer maps SCIM attributes to TeamViewer users can be found in the SCIM API Documentation.
- In the Provisioning section of the Azure AD application, select Synchronize Azure Active Directory Users to customappsso
- Deselect the Delete checkbox under Target Object Actions, as this operation is not supported by the TeamViewer SCIM API
- Modify the Attribute Mappings entries so that they include:
- All other entries can be removed
The screenshot below shows an example configuration where userPrincipalName holds the email address of the user. Other attributes such as "mail" can also be used here.
- Edit the userName attribute mapping
- Set Match objects using this attribute to Yes
- Set the Matching precedence to 1
Optional Single Sign-On Attribute Mapping
- On the Attribute Mappings dialog check the Show advanced options box and click on Edit attribute list for customappsso
- Add a new attribute
- Name: urn:ietf:params:scim:schemas:extension:teamviewer:1.0:SsoUser:ssoCustomerId
- Type: String
- Press Save
- Add a new entry to the Attribute Mappings table.
- Mapping type: Constant
- Constant value: Your generated TeamViewer customer identifier
- Target attribute: urn:ietf:params:scim:schemas:extension:teamviewer:1.0:SsoUser:ssoCustomerId
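To see what the attribute mappings above produce on the wire, the following added example (not TeamViewer's or Microsoft's code) builds the SCIM 2.0 User resource for one user from a flat set of target attributes, including the ssoCustomerId extension attribute. It assumes the standard RFC 7643 layout, in which an extension attribute is nested under its schema URN; displayName and name.givenName are illustrative core attributes, and all values are constructed.

```python
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
# Extension attribute name from the Single Sign-On mapping step above.
SSO_ATTR = "urn:ietf:params:scim:schemas:extension:teamviewer:1.0:SsoUser:ssoCustomerId"


def split_target(target):
    """Split a target attribute into (schema URN or None, attribute path)."""
    if target.lower().startswith("urn:"):
        # The attribute name is the part after the last colon of the URN.
        schema, _, attr = target.rpartition(":")
        if not schema or not attr:
            raise ValueError(f"malformed extension attribute: {target!r}")
        return schema, attr
    return None, target


def build_scim_user(mapped):
    """Turn {target attribute: value} pairs into a SCIM 2.0 User resource."""
    if not mapped.get("userName"):
        # userName is the matching attribute (precedence 1), so it must be set.
        raise ValueError("userName is required: it is the matching attribute")
    user = {"schemas": [CORE_USER]}
    for target, value in mapped.items():
        schema, attr = split_target(target)
        node = user
        if schema is not None:
            # Extension attributes live in a sub-object keyed by the schema URN.
            if schema not in user["schemas"]:
                user["schemas"].append(schema)
            node = user.setdefault(schema, {})
        *parents, leaf = attr.split(".")
        for part in parents:  # name.givenName -> {"name": {"givenName": ...}}
            node = node.setdefault(part, {})
        node[leaf] = value
    return user


# Constructed sample values; the customer identifier is a placeholder.
SAMPLE = {
    "userName": "alice@example.com",
    "displayName": "Alice Example",
    "name.givenName": "Alice",
    SSO_ATTR: "<your-teamviewer-customer-identifier>",
}

if __name__ == "__main__":
    print(json.dumps(build_scim_user(SAMPLE), indent=2))
```

The attributes TeamViewer actually accepts are listed in its SCIM API Documentation; the script token is a bearer secret and is deliberately not part of this example.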