Azure Active Directory authentication

<< Click to Display Table of Contents >>

Navigation:  Integration and authentication > Identity managers >

Azure Active Directory authentication


Bizagi Cloud supports integration with Identity Management services such as Azure Active Directory (Azure AD).

Bizagi Cloud integrates with Azure AD in order to provide secure sign-in and authorization services, while also offering a Single Sign-On experience, which uses the OAuth protocol with the OpenID extension.


This section describes how this integration works and how to configure it.




How Azure AD integration works

Bizagi Cloud supports the OpenID Connect protocol when connecting with Azure AD.


OpenID is an authentication protocol, built on top of OAuth to extend the authorization specification. It can be used to securely sign users into web applications (in this case, the Work portal).

By using this feature, you can outsource sign-up, sign-in, and other identity management experiences in your web applications to Azure AD.

This allows you to provide Single Sign-On capabilities while using OAuth.


This authentication mechanism introduces the concept of an id_token, which is a security token that allows for due verification of the identity of the user while obtaining some of his/her basic profile information.

Because OpenID extends OAuth 2.0, it also enables applications to securely acquire access_tokens.

Access_tokens allow you to access resources that are secured by an authorization server.


The following diagram illustrates the communication flow between Bizagi Cloud and Azure AD.




Currently supported standards in this mechanism are:

OpenID Connect v1.0, relying on the OAuth 2.0 authorization flow.


Though OAuth considers authorization aspects, these definitions apply to resources.

This means, that for access rights definitions in the Bizagi Work portal (i.e. which profiles can see, work or use certain Bizagi options), you will still need to input authorization definitions in Bizagi.


What you need to do

In order to configure Bizagi Cloud to sign in with Azure AD, please follow these steps:


1. Register your Bizagi Cloud service as an authorized app in your Azure AD.

2. Set the authentication type in Bizagi Studio to integrate with Azure AD.

3. Synchronize the users from your Azure AD into your Bizagi Cloud service.



The steps oriented toward configuring integration with Azure AD, will require specific technical details (e.g, endpoints, authorized credentials) which are usually managed by an IT admin.

Therefore, these steps will require a profile having expertise on this matter, and having access to the information mentioned above.


1. Register your Bizagi Cloud service as an authorized app in your Azure AD.

The first step is to set up the configuration needed to Register Bizagi Cloud in Azure AD. This includes inputting Bizagi endpoints while using the proper access keys for an entitled connection.


1.1 Log in to your Azure services

Access your Azure subscription with the Azure AD service. To do so, you will need to sign in to Azure's classic portal at




Note that you may also log in to the new portal and switch to the classic view:




1.2. Go into your Active Directory.

Click on Active Directory option at the left panel and click your configured active directory to add a new application to it.




1.3. Add a new app.

Go to the Applications tab and click on Add located in the lower ribbon.





1.4. Input the app's basic details

Give this application a name, and select Web Application and/or Web API for its type.





Click Next (the AzureAD_icon1 icon).


1.5 Input the app's URL properties

Add details as described below:

Sign-on URL: This should correspond to the base URL, where your end users access Bizagi Cloud's production environment (the Work portal).

This URL is specified as https://[your_company][your_project_name]

APP ID URL:  You may use the same URL as above.


Consider replacing [your_company] and [your_project_name] for your subscription's values accordingly.



Click Finish (the AzureAD_icon2 icon).

At this point Azure takes a moment to create your new app:




1.6 Create a valid access key for the app

In order to do this, go into the Configure tab of the newly added app.




Scroll down to the keys section and create a new key to be used solely for the Bizagi Cloud service by specifying an expiration date (duration).



Note that the above access keys may must have an expiration date, and you are therefore, in charge of managing and looking after its validity.


Note you will need to copy the Client ID value (for later use in Bizagi's configuration) and click Save in order for the new key to be generated.

Once it has been generated, ensure you copy as well the new key and safe keep it (it may no longer be shown once you exit this window):





1.7 Configure Bizagi endpoints in Azure AD

Scroll down to the single sign on section to configure a Reply URL, so that Azure AD sends out the authorization code to this URL.

For this parameter use the following URL: https:/[your_company][your_project_name]/oauth/client/callback


Consider replacing [your_company] and [your_project_name] for your subscription's values accordingly as used in the app's main URL properties, and add the /oauth/client/callback suffix.




Click Save when done.



Adequate authorization settings are usually set Ok by default, which means you should not need to configure this setting.

By default the new applications and their keys are granted with Sign in and read user profile.


Finally, make sure you click View Endpoints in order to gather URLs that you will need to configure in Bizagi:






Once you set this up, you can verify adequate access rights for this app.



2. Configure the authentication type in Bizagi Studio.

At this point, after having verified access in Azure AD is adequate, you will now need to input the Azure AD details into Bizagi.


2.1 Open your Bizagi Studio project.

Open Bizagi Studio and load your project (development environment).




2.2 Go to the security settings.

Click on the Expert view, and select the Security module.




Click on Authentication in the middle panel, and use the following settings for the parameters in the rightmost panel:

Type: OAuth2.

Client: Azure AD.

Click Update.




Once OAuth2 and AzureAD are chosen, you will notice that new parameters for such Authentication are displayed.

To configure these specific parameters, consider the detail as described below:




Client ID

Should match the Client Id as registered in Azure AD.

Client Secret

Should match the Client Key as registered in Azure AD.

Redirect Uri

Should match the Response URI as registered in Azure AD, which should correspond to the Reply URL (https:/[your_company][your_project_name]/oauth/client/callback).

OAuth2 Authorization Endpoint

Should match the OAuth 2.0 Authorization endpoint as per your Azure AD.

Use the following URL:[tenant]/oauth2/authorize



[tenant]: Should specify your Tenant id (based on your Azure's subscription).

Token Endpoint

Should match the OAuth 2.0 Token endpoint as per your Azure AD.

Use the following URL:[tenant]/oauth2/token



[tenant]: Should specify your Tenant id (based on your Azure's subscription).

Logout Endpoint

Should match the OAuth 2.0 Logout endpoint as per your Azure AD.

Use the following URL:[tenant]/oauth2/logout?post_logout_redirect_uri=[homeRedirect]



[tenant]: Should specify your Tenant id (based on your Azure's subscription).

[homeRedirect]: Should specify the URL used to direct after a log-out.

Usually, you use the same login URL, which is: https://[your_company][your_project_name]


3. Synchronize the users from your Azure AD into your Bizagi Cloud service.

At this point, the configuration is complete.

However, before using or testing the integrated authentication, you will need to explicitly import users from Azure AD into Bizagi Cloud.


After this, authentication is set for runtime.



Note it is your responsibility to manage users, and therefore you will also need to consider synchronizing users from your Azure AD into Bizagi Cloud.


Authentication in runtime

Once these steps are carried out, authentication will be set for your end users in runtime.

End users will be able to sign-in, and you can verify them by using a browser to access Bizagi Work portal (using https://[your_company][your_project_name]):




When the Bizagi Work portal loads, it redirects you to your Azure AD login page:




After you sign in successfully to Azure AD, you are redirected back to Bizagi Work portal with a valid session:





If you are already logged in with a valid session, you will not need to input credentials.

SSO capabilities are kept at the browser's level while having an authenticated valid session (for instance, idle session settings are also taken from your configuration in Azure AD).