
2. Employee Master Setup

Yasuhiro Miyoshi Updated by Yasuhiro Miyoshi

Setting up the employee master unlocks ITMC’s full potential: it lets you identify former employee accounts, guest accounts, and so on, giving you complete, real-time visibility into your SaaS apps.

ITMC currently supports the following SaaS as employee masters.

  • Google Workspace
  • Azure AD
  • Microsoft 365
  • Okta
  • SmartHR

Employee master can be configured from Settings > Organization > Setup employee master.

Google Workspace

How to Integrate

This setup requires the Google Workspace Super Admin role.
  • Go to Settings > Organization > Setup employee master.

  • Select Google Workspace and click “Sign in with Google”.
  • Make sure to sign in with an account that has the Super Admin role.
  • If a workspace has already been integrated, select it and click the "Integrate" button to complete the process.
  • If you want to integrate with a workspace that is not yet integrated, then select "Integrate new workspace" and then click "Integrate" to continue.

 

  • A screen for selecting access rights will appear. Check all items, then click Continue.

Labeling conditions after employee master integration
  • The company's domain names are obtained and used to identify accounts as employees of the company. Domain names also include subdomains and alias domains.
  • If an email address found on the SaaS side is not in Google Workspace, it is determined to be an employee based on its domain.
  • User objects retrieved from Google Workspace are given the "Employee" label.
  • Group objects retrieved from Google Workspace will be given the "System" label.
  • All objects registered in domains other than the domain of the employee master will be assigned the "External" label.
  • IDs with employee labels that have been deleted or suspended will also be assigned the "Former Employee" label.
  • If for some reason an email address cannot be obtained, an "Unknown" label will be assigned.
  • Google Workspace keeps an ID for a certain period of time after deletion, after which it disappears completely. While the ID remains, a retirement label is given and data is retrieved; once it disappears completely, it also disappears from the list of accounts on the Google Workspace details screen.
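The labeling rules above can be read as a small decision procedure. The sketch below is an added example, not ITMC's own code: the record shapes, function names, and the order in which the rules are checked are assumptions, and all sample data is constructed. It matches subdomains on a label boundary, so a look-alike domain is labeled "External" rather than "Employee".

```python
# Added illustration of the Google Workspace labeling rules; not ITMC code.
# Record shapes and rule order are assumptions; all sample data is constructed.

def in_company_domain(email, company_domains):
    """True if the address is in a company domain, alias domain, or subdomain."""
    host = email.rsplit("@", 1)[-1].lower().rstrip(".")
    # Match on a label boundary so "evil-example.com" does not pass as "example.com".
    return any(host == d or host.endswith("." + d) for d in company_domains)


def label_account(email, directory, company_domains):
    """Return the set of labels for one account seen on the SaaS side.

    directory maps lowercase email -> {"kind": "user"|"group",
                                       "state": "active"|"suspended"|"deleted"}
    """
    if not email or "@" not in email:
        return {"Unknown"}                      # email could not be obtained
    email = email.strip().lower()
    if not in_company_domain(email, company_domains):
        return {"External"}
    entry = directory.get(email)
    if entry is None:
        return {"Employee"}                     # not in the directory: judged by domain
    if entry["kind"] == "group":
        return {"System"}
    labels = {"Employee"}
    if entry["state"] in ("suspended", "deleted"):
        labels.add("Former Employee")           # assigned in addition to "Employee"
    return labels


def former_employee_accounts(saas_emails, directory, company_domains):
    """Accounts still present in a SaaS app that carry the Former Employee label."""
    return sorted(e for e in saas_emails
                  if e and "Former Employee" in label_account(e, directory, company_domains))


# Constructed sample data.
DOMAINS = {"example.com", "example.co.jp"}      # primary domain plus an alias domain
DIRECTORY = {
    "alice@example.com": {"kind": "user", "state": "active"},
    "bob@example.com": {"kind": "user", "state": "suspended"},
    "all-staff@example.com": {"kind": "group", "state": "active"},
}
SAAS = ["alice@example.com", "bob@example.com", "carol@dev.example.com",
        "all-staff@example.com", "mallory@evil-example.com", None]
```

Calling `former_employee_accounts(SAAS, DIRECTORY, DOMAINS)` on the sample data returns the suspended account that still exists on the SaaS side, which is the list an administrator would review for deprovisioning.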

Azure AD, Microsoft 365

How to Integrate

This setup requires the Azure AD or Microsoft 365 Global Admin role.
  • Go to Settings > Organization > Setup employee master.
  • Select Azure AD or Microsoft 365 and click “Integrate”.
  • If a workspace has already been integrated, select it and click the "Integrate" button to complete the process.
  • If you want to integrate with a workspace that is not yet integrated, click "Integrate new workspace" and then click "Integrate". The normal integration flow will be displayed, so please follow the integration procedure for Azure AD or Microsoft 365 to integrate the workspace.

Attention

  • When inviting a user with administrative privileges to configure the employee master, please invite the user as "Admin", not as "Member".
    For a "Member", the "Settings" screen, where the employee master is configured, is not displayed because of permission restrictions.

 

Labeling conditions after employee master integration
  • The company's domain names are obtained and used to identify accounts as employees of the company. Domain names include subdomains. However, domain names cannot be obtained from a different Azure tenant; only data from the primary tenant of the linked user is acquired.
  • If an email address found on the SaaS side is not in Azure AD or Microsoft 365, it is determined to be an "Employee" based on the domain.
  • User objects that can be retrieved from Azure AD and Microsoft 365 include objects other than actual users, specifically resources such as meeting rooms and shared mailboxes.
  • Of the user objects retrieved from Azure AD and Microsoft 365:
    • Group address objects will be given a "system" label.
    • Resource objects (e.g., meeting rooms) will be assigned the "system" label.
    • Shared mailbox objects (*) will be labeled "system".
    • The connector account (On-Premises Directory Synchronization Service Account) used to connect Azure AD and on-premises AD is assigned a system label.
    • All other accounts are assigned the "Employee" label as regular accounts.
  • Accounts with employee-labeled IDs that are set to Login Disable will also be assigned the "Former Employee" label.
  • All objects registered in domains other than the domain of the employee master will be given the "External" label.
  • If for some reason an e-mail address cannot be obtained, an "Unknown" label will be assigned.
If you wish to exclude an account from billing, we recommend disabling login (Disable) or deleting the account.

Azure AD and Microsoft 365 change the "PrincipleID" as soon as an account is deleted, so it will be seen as a different user.

                    

Okta

How to Integrate

  • Go to Settings > Organization > Setup employee master.
  • Select Okta, enter the Workspace Key and Access Token, and click “Integrate”.
  • Please refer to the Okta integration guide for more details on how to integrate with Okta.

 

Labeling conditions after linking the employee master
  • Accounts that have an email address and exist in Okta will be given the "Employee" label. (There is no distinction by domain.)
  • Accounts that have an email address but do not exist in Okta will be labeled as "External".
  • Accounts with a status of "Suspended" will be assigned the "On leave" label.
  • Accounts with a status of "Deactivated" will be labeled "Former Employee".
  • If for some reason an email address cannot be obtained, an "Unknown" label will be assigned.

SmartHR

How to Integrate

  • Go to Settings > Organization > Setup employee master.
  • Select SmartHR, enter the Workspace Name, Workspace Key and Access Token, and click “Integrate”.
  • Please refer to the SmartHR integration guide for more details on how to integrate with SmartHR.

                   

Labeling conditions after employee master linkage

Synchronization targets are SmartHR email address accounts and accounts that exist in the employee list.

If an email address in the email address account and an account in the employee list are linked, they will be merged into a single employee.

Under that condition:

  • Accounts that exist in SmartHR's "Employee List" will be given the "Employee" label.
  • Accounts with the "Employee" label that have an enrollment status in SmartHR of "On Leave" or "Retired" will be given the "Retired" label as well.
  • Accounts that are not linked to the SmartHR employee list and are "email address accounts" will be given the "Outside of company" label.
  • Accounts that do not have an email address in either of these categories will not be eligible for synchronization.

[Reference] SmartHR website: What is the difference between an email address account and an employee? (This is in Japanese only.)

            

About Roles in SmartHR

The following accounts are described as Crew or User in the IT Management Cloud:

  • Accounts that exist in SmartHR's "Employee List": Crew
  • Accounts that exist in the "Email Accounts" section of SmartHR: User

Next Step

Cost Management Setup
