
The instructions on this page apply to the on-premises solution of Enterprise Studio. For instructions for the hosted solution, please refer to Configuring Azure AD for hosted Team Server and HoriZZon.

You need an Azure AD Premium license to be able to perform the procedures below that are done in Microsoft Azure (automatic user provisioning is a premium feature).

The instructions on this page are based on a recent version of Azure AD. However, if you notice any changes to the interface causing issues with respect to your Azure AD configuration, please contact BiZZdesign Support.


The Team Server can be configured to use Azure Active Directory as an identity provider. Using user synchronization and authentication with Azure Active Directory allows you to configure your user groups and assign users in Azure AD.

To register users from Azure Active Directory in the Team Server and have them sign in using single sign-on, the connection with Azure Active Directory needs to be configured. Single sign-on uses the OpenID Connect protocol; synchronization of users and groups uses SCIM.

Before you start configuring the connection in Azure AD, determine which user groups with specific permissions you will need in the Team Server, define the needed groups in Azure AD and assign the users.

After configuration, when the groups and users are in the Team Server, their roles can be set. The users assigned to each group automatically receive the roles of the group, so you do not have to assign roles to the users individually, unless you want to individually assign them specific roles.

Configuring the connection with Azure Active Directory should only be done by application administrators who are familiar with installing and configuring software and databases.

Configuration can only be done by users who have the System Administrator role in the Team Server.


Configuring a BiZZdesign authentication app for Azure AD

Register the Team Server with Azure AD. Create a BiZZdesign authentication app in Microsoft Azure for authentication of the Team Server client.

  1. In the Microsoft Azure portal menu, click Azure Active Directory.

  2. In the Manage menu, click App registrations, and then click New registration.



  3. Specify the application details:



    Name: Type a name for the application, for example BiZZdesign Authentication App.

    Supported account types: Do not change the selected option (single tenant), unless you want to include other (external) accounts. The single-tenant option restricts sign-in to accounts in your own directory.

    Redirect URI: Select the option Web, and type the URI of your Team Server client:

    https://<name:port>/auth/callback/AzureAdClient

    Replace <name:port> with the name of the computer and port on which your Team Server is running. Azure AD only redirects to URIs that match the registered value exactly (scheme, host, port and path), so use the same host name users will browse to.

  4. Click Register. The result is a new application registration:



  5. Click Certificates & secrets, and under Client secrets, click New client secret to create a new client secret.



  6. Under Add a client secret, enter the specifications for the client secret.



    Description: Enter a description for the client secret.

    Expires: Select an expiration duration for the client secret. Recommended option is Never; note that current versions of the Azure portal cap the lifetime of a client secret (24 months at most), so this option may not be offered. Whatever value you choose, record the expiry date and rotate the secret before it expires: create a new secret, enter it in the Team Server authentication settings, and only then delete the old one. If the client secret expires, users cannot sign in anymore and provisioning will stop working. BiZZdesign does not keep track of the validity of the client secret, nor are any warnings sent out. Preventing the secret from expiring is your own responsibility.

  7. Click Add. A client secret value is generated and shown on the page. Copy it now: the value is only displayed once and cannot be retrieved later.
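Because the page leaves tracking of the client secret's expiry entirely to you, here is an added example of a check you can schedule yourself. It is not part of the BiZZdesign documentation or product. It assumes you feed it the JSON printed by `az ad app credential list --id <application-id>` (assumed shape: a list of objects with "displayName" and "endDateTime" fields, as emitted by the Microsoft Graph based Azure CLI); the embedded sample is constructed so the script runs offline.

```python
"""Expiry check for the client secrets of the BiZZdesign authentication app.

Added example, not BiZZdesign code. Input is assumed to be the JSON output of
`az ad app credential list --id <application-id>`; the sample below is
constructed and contains no real credential data.
"""
import json
from datetime import datetime, timezone

# Constructed sample of the CLI output (assumed field names, see lead-in).
SAMPLE_CREDENTIALS = json.dumps([
    {"displayName": "TeamServer-2023", "endDateTime": "2024-01-15T09:00:00Z"},
    {"displayName": "TeamServer-2025", "endDateTime": "2026-06-01T09:00:00Z"},
])


def parse_ts(ts):
    """Parse an ISO-8601 timestamp; Graph uses a trailing 'Z' which
    datetime.fromisoformat only accepts as '+00:00'."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def check_secrets(credentials_json, now_iso=None, warn_days=30):
    """Return a list of (displayName, days_left, status) for every secret.

    status is 'expired', 'expiring' (expires within warn_days) or 'ok'.
    now_iso lets the caller pin the reference time; default is the current
    UTC time.
    """
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    results = []
    for cred in json.loads(credentials_json):
        days_left = (parse_ts(cred["endDateTime"]) - now).days
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append((cred.get("displayName") or "<unnamed>", days_left, status))
    return results


def needs_action(credentials_json, now_iso=None, warn_days=30):
    """True when at least one secret is expired or inside the warning window."""
    return any(status != "ok"
               for _, _, status in check_secrets(credentials_json, now_iso, warn_days))


if __name__ == "__main__":
    for name, days, status in check_secrets(SAMPLE_CREDENTIALS):
        print(f"{name}: {days} days left ({status})")
```

Run it from a scheduled task with the real CLI output piped in and alert on `needs_action`; start the rotation well inside the warning window, since the new secret has to be entered in the Team Server settings and the server restarted before the old one is deleted.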

Activating Azure AD authentication

  1. Open the Team Server and sign in as System Administrator.

  2. In the sidebar menu, click Settings > Authentication.

  3. On the authentication settings page, in Authentication, select identity provider Azure Active Directory.

    Leave HoriZZon URL empty.



  4. Under Single sign-on with Azure AD, set the properties needed for single sign-on. Register the client secret value, Application (client) ID and Directory (tenant) ID from the Azure AD authentication app.

     
    Tenant ID: Enter the value shown as "Directory (tenant) ID" in Azure AD.

    Client application ID: Enter the value shown as "Application (client) ID" in Azure AD.

    Both values can be found via Azure Active Directory > App registrations. If you do not see your application in the app registrations list, change the list filter from "My apps" to "All apps".

    Client application secret: Enter the key value that is assigned to the BiZZdesign authentication app registered with Azure AD. The key value is available in the Certificates & secrets section.

    If you hover over the IDs in Azure AD, a copy button appears. Next to the secret value the copy button is directly visible. Use the button to copy the values and paste them in the Team Server settings, so that no characters are lost or mistyped.

  5. Optional: Under User and group removal, in Hours before removal, set the number of hours the users and user groups must remain in the Team Server after they have been removed in Azure AD. Default value is 72 hours.



  6. Optional: If you use group-based access, user access is configured via the synchronized groups. If you do not use groups, or cannot assign group roles at the time of user provisioning, you can specify one or more default roles for all users to provide them access. If you do not define any default role, users initially have minimal access. Default roles are granted to every provisioned user, so keep them to the minimum users need.

    Under Default roles, select the roles that the provisioned users need to have when signing in to the Team Server. The selected roles will be assigned to all users upon provisioning. For more information about roles, please refer to User roles and permissions.



  7. Optional: By default, the Azure AD configuration for the Team Server accepts tokens issued by Azure AD for user provisioning. This has the advantage that the tokens are rotated by Azure AD automatically. If you prefer to authenticate provisioning with a static secret token instead, you need to request a SCIM token before provisioning users and groups in Azure AD. Both options are supported; the SCIM token is a long-lived bearer credential, so store it as carefully as the client secret. It is always possible to return to Azure AD tokens by removing the SCIM token from the Team Server authentication settings and from the Azure AD provisioning configuration.

    1. On the Authentication settings page, under SCIM token, click Request SCIM token, and click once again Request SCIM token.



    2. The requested token appears in SCIM token. Save a copy of this token in a safe place, then close the page. Once you leave the page, the token cannot be displayed again.



  8. Click Apply to save the changes.

  9. Restart the Team Server for the configuration changes to take effect.


The configuration of the BiZZdesign authentication app is now completed. Next step is provisioning users and groups in Azure AD.

Provisioning users and groups in Azure AD

After the Team Server has been restarted and the connection with the Team Server has been established, start user provisioning in Azure AD. During configuration, a BiZZdesign enterprise application is created in Azure AD for synchronizing users and user groups with SCIM.

  1. In the Manage menu in Azure AD, click Enterprise applications.

  2. Click New application, and then click Non-gallery application.



  3. In Name, type the name of the BiZZdesign application, and then click Add.



  4. In the Manage menu, click Users and groups, and then click Add user.



  5. Click Users and groups, select the users and/or groups who need to have access to the Team Server, and then click Select.

    Nested groups (groups in groups) are not synchronized by Azure AD. When you select a group, only the direct members of that group are synchronized.

  6. Click Assign.

  7. In the Manage menu, click Provisioning, click Get started, and then set Provisioning Mode to Automatic.



  8. In the section Admin Credentials, in Tenant URL enter the following tenant URL of your Team Server. Make sure that this URL is reachable by the Azure AD provisioning service from the internet, over HTTPS with a certificate that Azure AD trusts.

    https://<name:port>/provisioning/scim

    Replace <name:port> with the name of the computer and port on which your Team Server is running.



  9. Only if you are using a secret token, enter in Secret Token the SCIM token that you have requested before. If you do not use a secret token, leave it empty. Click Test Connection to verify that Azure AD can reach the Team Server, and then click Save.

  10. Under Mappings, click Synchronize Azure Active Directory Users to customappsso.



    1. Under Attribute Mappings, click the mapping mailNickname, and in Source attribute, change it to objectId, and click OK. This maps the Azure AD object ID to the SCIM externalId, so that the Team Server can match users even if their mail nickname changes.



    2. Delete all other attribute mappings until only the mappings with the following source attributes remain: userPrincipalName, Switch(...), displayName, mail, givenName, surname, objectId.

      Your attribute mappings should look as follows:



      If your mappings look different, please contact BiZZdesign Support. If you continue to use alternative settings, it is possible that users will not be able to sign in to the Team Server.

    3. Click Save, click Yes, and close the attribute mapping.

  11. Under Settings, set Provisioning Status to On, and click Save to start automatic provisioning.
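To see what the attribute mappings from step 10 actually produce on the wire, and to have something to test against when provisioning fails, here is an added example that checks a SCIM user payload against the expected mapping set. It is not BiZZdesign code. It assumes that the seven remaining mappings produce the standard SCIM 2.0 core User attributes listed in EXPECTED_PATHS (userName, active, displayName, emails, name.givenName, name.familyName, externalId), that externalId carries the Azure AD objectId (a GUID), and that active is sent as a JSON boolean; the two sample payloads are constructed, not captured from a real tenant.

```python
"""Checker for the SCIM user payload that Azure AD sends to the Team Server.

Added example, not BiZZdesign code. Attribute paths, GUID format of
externalId and boolean type of active are assumptions based on the mappings
described on the page. Sample payloads are constructed.
"""
import json
import re

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Attribute paths expected after trimming the mappings (assumption, see lead-in).
EXPECTED_PATHS = {
    "userName", "active", "displayName", "emails",
    "name.givenName", "name.familyName", "externalId",
}
# Envelope attributes the SCIM client sends regardless of mappings.
IGNORED_TOP_LEVEL = {"schemas", "id", "meta"}

# Constructed payload matching the trimmed mappings.
GOOD_PAYLOAD = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "externalId": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "userName": "alice@contoso.example",
    "active": True,
    "displayName": "Alice Example",
    "emails": [{"primary": True, "type": "work", "value": "alice@contoso.example"}],
    "name": {"givenName": "Alice", "familyName": "Example"},
})

# Constructed payload from a tenant that skipped step 10: mailNickname still
# feeds externalId, the jobTitle mapping was kept, and active is a string.
BAD_PAYLOAD = json.dumps({
    "schemas": [SCIM_USER_SCHEMA],
    "externalId": "alice",
    "userName": "alice@contoso.example",
    "active": "True",
    "displayName": "Alice Example",
    "title": "Architect",
    "emails": [{"primary": True, "type": "work", "value": "alice@contoso.example"}],
    "name": {"givenName": "Alice", "familyName": "Example"},
})


def flatten_paths(obj, prefix=""):
    """Yield dotted attribute paths of a SCIM resource. Multi-valued
    attributes (lists such as emails) are reported by their name only."""
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten_paths(value, path + ".")
        else:
            yield path


def check_scim_user(payload_json):
    """Return a list of human-readable problems; an empty list means the
    payload carries exactly the attributes the trimmed mappings produce."""
    user = json.loads(payload_json)
    problems = []
    if SCIM_USER_SCHEMA not in user.get("schemas", []):
        problems.append("missing core User schema")
    paths = set(flatten_paths(user)) - IGNORED_TOP_LEVEL
    for extra in sorted(paths - EXPECTED_PATHS):
        problems.append(f"unexpected attribute: {extra}")
    for missing in sorted(EXPECTED_PATHS - paths):
        problems.append(f"missing attribute: {missing}")
    ext = user.get("externalId", "")
    if ext and not GUID_RE.match(ext):
        problems.append("externalId is not an objectId GUID (mailNickname still mapped?)")
    if not isinstance(user.get("active"), bool):
        problems.append("active is not a boolean")
    return problems


if __name__ == "__main__":
    for label, payload in (("good", GOOD_PAYLOAD), ("bad", BAD_PAYLOAD)):
        print(label, check_scim_user(payload) or "ok")
```

Point it at the request bodies in the Team Server's provisioning log (or at the JSON shown in the Azure AD provisioning logs) when a user cannot sign in after provisioning; a non-GUID externalId or an unexpected attribute is the quickest way to spot that step 10 was not completed.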

After provisioning

After the groups and users have been pushed to the Team Server, their roles need to be defined by an administrator user.

The users do not receive an e-mail notification (like manually added users do), and also do not need to register with the Team Server. Their user accounts are immediately ready for signing in, and can be used directly for invitations to model packages and projects.

Accessing Team Server/HoriZZon via the My Apps portal?

If your organization uses the Microsoft Office My Apps portal to access the Team Server/HoriZZon, you need to define the homepage URL of the Team Server/HoriZZon Azure AD Client in the authentication app. Otherwise you will not be able to access the Team Server/HoriZZon from the portal.

  1. In the Microsoft Azure portal menu, click Azure Active Directory.

  2. In the Manage menu, click App registrations, and then open the BiZZdesign authentication app.

  3. In the menu, click Branding, and then enter the homepage URL of the Team Server/HoriZZon Azure AD Client. Example:



  4. Save the changes.