Prepare Azure AD integration

This article is from before the rebranding to SelfGuide. Text and images can include the old product name ProductivityPerformer or its abbreviation PP.

The SelfGuide integration with Microsoft Azure Active Directory (Azure AD) adds the ability to use a Microsoft work- or schoolaccount to get access to SelfGuide. For the user, no additional account is needed, for the organization security is improved by support for multi-factor authentication. Enabling the integration just changes the way users authenticate, existing data like Instructions, trainingen and user guides are kept.

Using Azure AD as identity provider is optional and requires some preparation in Azure AD. After following the steps below, get in touch with support to enable the integration.


  1. After contacting support, a moment will be scheduled to configure the integration. While configuring the integration, SelfGuide is temporary not available.
  2. Existing accounts created in SelfGuide can't be used anymore after enabling the Azure AD integration

Single-tenant vs Multi-tenant

Azure AD integration can be configured in two ways:

  • Single-tenant: Accounts defined in one Azure AD tenant get access to SelfGuide. Use this option if the organization uses one Azure AD tenant and no external users need access to SelfGuide
  • Multi-tenant: Accounts defined in several Azure AD tenants get access to SelfGuide. Use this option if the organization uses more then one Azure AD tenant or users from other organizations need access to SelfGuide.

This article explains the required steps for a single-tenant Azure AD integration, for multi-tenant Azure AD integration see this kb article.

Required steps

  1. Open a browser and navigate to
  2. Sign-in with an account having permissions to create an Azure AD app registration
  3. Open Azure Active Directory

  1. Open App registrations and choose New registration

  1. Give the new application a name, select Accounts in this organizational directory only, choose Single-page application (SPA) for the redirect url and specify the SelfGuide tenant URI. The Redirect URI always follows the syntax https://<tenant>, where <tenant> must be changed to the name of the SelfGuide tenant. Final, press Register to create the application.
  1. The new application is created and will be opened. Navigate to Expose an API and press Add a scope.
  1. An application ID URI will be generated with the syntax api://<guid>, don't change this default value and press Save and continue.
  1. The new created scope must be configured, always use user_impersonation as name for the scope. All other fields must be filled based on the organization policies. Finally, press Add scope.

  1. Navigate to API permissions and choose Add a permission.
  1. Add the created scope by pressing My APIs and selecting the created scope. If the created scope is not shown, verify if you are the owner of the application.
  1. After selecting the API, you need to specify how the API is used. Select Delegated permissions, make sure user_impersonation is selected and press Add permissions.
  1. With the current configuration, all users will need to consent personally when using SelfGuide for the first time. By giving admin consent for the tenant, consent is given once for all users. Press Grant admin consent for <tenant name> and press Yes to confirm the action.  
  1. The app registration is finished, to be able to configure the integration some information is need. Navigate to Overview and copy the Application ID and Directory ID. Get in touch with, request to enable the Azure AD integration and include the application id, directory id and SelfGuide tenant name in the request.