Skip to end of metadata
Go to start of metadata

The instructions on this page apply to the cloud solution of Enterprise Studio. For instructions for the on-premise solution, please refer to Configuring user synchronization and authentication with Azure Active Directory.

You need an AAD premium account for Azure AD to be able to perform the procedures on this page.

The instructions on this page are based on a recent version of Azure AD. However, if you notice any changes to the interface causing issues with respect to your Azure AD configuration, please contact BiZZdesign Support.

Required roles

System Administrator

Follow the procedures on this page to configure Azure Active Directory so that it can communicate with your hosted Team Server and HoriZZon web portal (if applicable) for single sign-on.

During configuration a BiZZdesign authentication app is created in Azure AD for authentication of the Team Server and HoriZZon clients, and a BiZZdesign application server is created for user synchronization with SCIM.

On this page:

Azure AD user groups for the Team Server and HoriZZon

Before configuring the connection with Azure AD to register users from Azure AD in the Team Server, determine which user groups with specific permissions you will need in the Team Server and in the HoriZZon web portal. Define them in Azure AD and assign the users.

When configuring the connection with Azure AD, the groups and users are pushed to the Team Server via user provisioning. Once they are in the Team Server, their roles can be set by an Administrator user. The users in each group automatically receive the roles of the group, so you do not have to assign roles to the users individually, unless you want to individually assign them specific roles. For more information about roles and rights in the Team Server, please refer to User roles and permissions.

HoriZZon users

If you are working with HoriZZon, and have users that only need to view data in HoriZZon, create a separate group in Azure AD for HoriZZon users, and assign the users. Once the group is pushed to the Team Server, you only need to specify the Consumer role for this group.

Users in the group have access to sites in HoriZZon if these sites have been shared with this group. Viewing site data in HoriZZon requires the Consumer role for a user group and its users. If your users need to be able to perform specific operations in HoriZZon like creating and deleting sites, they must have the Lead Designer role.

Configuring a BiZZdesign authentication app for Azure AD

During configuration in Microsoft Azure, a BiZZdesign authentication app is created for authentication of the Team Server and HoriZZon clients.

  1. In the menu, click Azure Active Directory > App registrations, and then click New registration.

  2. Specify the application details:

    Name: Type a name for the application, for example BiZZdesign Authentication App.

    Supported account types: Do not change the selected option, unless you want to include other (external) accounts. 

    Redirect URI: Select the option Web, and type the URI of your Team Server client:


    Replace <name> with the name of the Team Server you want to connect with.

  3. Click Register. The result is a new application registration:

  4. Click Certificates & secrets, and under Client secrets, click New client secret to create a new client secret.

  5. Under Add a client secret, enter the specifications for the client secret.

    Description: Enter a description for the client secret.

    Expires: Select an expiration duration for the client secret. Recommended option is NeverIf you choose to set a different value, make sure that your public key gets renewed before expiring. If the public key expires, users cannot sign in anymore and provisioning will stop working. BiZZdesign does not keep track of the validity of the secret key nor are any warnings sent out. Preventing the key from expiring is your own responsibility.

  6. Click Add. A client secret value is generated and shown on the page:

  7. Do not leave the page yet. First copy the client secret value, and save it somewhere in a safe place.

Connecting Azure AD and Team Server

In order to connect Azure AD and your Team Server and HoriZZon portal (if applicable), BiZZdesign needs the client secret value, Application ID and Directory ID from you. Additionally, you may want to use a secret token for user provisioning and assign default roles to users. Please send the client secret value, Application ID and Directory ID to BiZZdesign Support, and request a SCIM token if needed. If you want to assign default roles, please include this too in your support ticket when contacting BiZZdesign.

BiZZdesign will inform you when the connection has been established, and send you the SCIM token if requested.

Client secret value, Application ID and Directory ID

The client secret value and the IDs can be found in the following locations in Microsoft Azure:

Client secret value: on the page you just visited to create the secret.

Application ID and Directory ID: via Azure Active Directory > App registrations . If you do not see your application in the app registrations list, change the list filter from "My apps" to "All apps".

Secret token (optional)

By default the Azure AD configuration for the Team Server uses Azure AD tokens for user provisioning. It has the advantage that it will be rotated by Azure AD automatically. If you prefer to use a secret token for authentication instead of Azure AD tokens, you need to request a SCIM token before provisioning users and groups in Azure AD. Both authentication options are equally safe, and it is always possible to return to using Azure AD tokens for  authentication by having the SCIM token removed from the Team Server authentication settings, and removing it from the Azure AD configuration.

Default roles (optional)

If you use group authentication, user access is configured via these groups. If you do not use group authentication or are not able to upon user provisioning, you can specify one or more default roles for all users to provide them access. If you do not define any default role, users will initially have minimal access. You can choose the following roles: Consumer, Contributor, Designer, and Lead Designer. The selected roles will be assigned to all users upon provisioning. For more information about roles, please refer to  User roles and permissions .

Provisioning users and groups in Azure AD

Once the connection to your hosted Team Server and HoriZZon portal has been established by BiZZdesign, you can start provisioning users and groups in Azure AD. During configuration, a BiZZdesign application server is created for synchronizing users and user groups with SCIM.

  1. In the menu, click Azure Active Directory > Enterprise applications.

  2. Click New application, and then click Non-gallery application.

  3. In Name, type the name of the BiZZdesign application, and then click Add.

  4. In the menu, click Users and groups, and then click Add user.

  5. Click Users and groups, select the users and/or groups who need to have access to the Team Server and/or HoriZZon portal, and then click Select.

    Nested groups (groups in groups) are not synchronized by Azure AD. When selecting a group, only users directly member of this group will be synchronized.

  6. Click Assign.

  7. In the menu, click Provisioning, and then set Provisioning Mode to Automatic.

  8. In the section Admin Credentials, in Tenant URL enter the following tenant URL of your Team Server.


    Replace <name> with the name of your Team Server.

  9. Only if you are using a secret token, enter in Secret Token the SCIM token that you have requested before, and click Save. If you do not use a secret token, leave it empty and click Save.

  10. Under Mappings, click Synchronize Azure Active Directory Users to customappsso.

    1. Under Attribute Mappings, click the mapping mailNickname, and in Source attribute, change it to objectId, and click OK.

    2. Delete all attribute mappings until only the following mappings remain: userPrincipalName, Switch(...), displayName, mail, givenName, surname, objectId. Your attribute mappings should look as follows:

      If your mappings look different, please contact BiZZdesign Support. If you continue to use alternative settings, it is possible that users will not be able to sign in to the Team Server.

    3. Click Save, click Yes, and close the Attribute mapping section.

  11. In the Provisioning section, under Settings, set Provisioning Status to On, and click Save to start automatic provisioning.

After provisioning

Once provisioning has run, users will be converted to Azure AD users. After conversion, signing in via e-mail and password will be disabled and users have to authenticate using Azure AD.

Users do not receive an e-mail notification (like manually added users do), and do not need to register with the Team Server to get access. Their user accounts are immediately ready for signing in and can be used directly for invitations to model packages and projects. For working with model packages and projects users must have been assigned the (Lead) Designer role.

User and group removal

When users and groups have been deleted by SCIM, they remain in the Team Server for 72 hours by default  to prevent data loss in case of mistakenly removed users and groups. After this time the users will be removed from the Team Server. If you prefer to use a different period before users and groups are removed from the Team Server, please contact BiZZdesign Support. See also Removing users and groups from the Team Server when using an external identity provider.

Accessing Team Server/HoriZZon via the My Apps portal?

If your organization uses the Microsoft Office My Apps portal to access the Team Server/HoriZZon, you need to define the homepage URL of the Team Server/HoriZZon Azure AD Client in the authentication app. Otherwise your will not be able to access the Team Server/HoriZZon.

  1. In the Microsoft Azure portal menu, click Azure Active Directory.

  2. In the Manage menu, click App registrations , and then open the BiZZdesign authentication app.

  3. In the menu, click Branding, and then enter the homepage URL of the Team Server/HoriZZon Azure AD Client. Example:

  4. Save the changes.