Integration Summary
Our integration with Azure Active Directory creates a connection between the two platforms that automatically syncs user information stored in Azure AD to Learn Amp. This eliminates the need to import or regularly maintain user information in Learn Amp.
Main Features
By connecting your Azure AD account to Learn Amp:
All of your users that are stored in Azure AD will automatically be synced into Learn Amp
New users added to your Azure AD account will automatically be added to Learn Amp
Any changes to user details in Azure AD (Job Title, Department, etc.) will be reflected in Learn Amp
You can choose when new users are invited to Learn Amp
Information that can be synced
Our ‘Out of the box’ integration with Learn Amp is able to map information from a number of predefined standard mappable fields which have been
Field in Azure AD | Field in Learn Amp |
---|---|
id | n/a |
accountenabled | n/a |
givenname | first_name |
surname | last_name |
preferredLanguage | language |
officeLocation | location |
department | department |
jobTitle | job_title |
userPrincipalName | email |
department | primary_team_name |
photo | avatar |
directReports | managers/line managers |
Syncing Additional Information
Yes, it is possible to sync additional or different data points from Azure AD into Learn Amp. For example, you may decide to sync employeeId into a Learn Amp custom field to assign unique identifiers to your users.
Please Note: These requests will be handled by your Implementation Coach and will require custom development work to be undertaken by our technical team. The time taken to complete this work is chargeable or can be deducted from your Implementation budget at your Coach's discretion.
Known Limitations/Considerations
Team Managers: The Azure AD integration will sync each individual user's manager into Learn Amp if the data is available to do so (directreports field in Azure AD). This is what is known as an Override Manager in Learn Amp. The integration does not have the ability to sync Team/Department managers into Learn Amp. However, Team managers can be configured within Learn Amp to work in conjunction with Override Managers. Your Implementation Coach can provide further details on this.
Team Hierarchy: Azure AD will create a team for each of the individual departments that are stored in your Azure AD account. These will be presented as a flat structure in your Learn Amp account and will not consider any parent/child relationships between your departments.
However, once you have completed your initial sync, you will be able to easily create parent/child relationships with your teams in Learn Amp which will be saved moving forward. Your Implementation Coach can provide further details on this.
How the Platforms Connect
Learn Amp connects to Azure AD using the Graph API. You will be asked to provide your Azure AD Tenant ID and Group ID, then authorize the integration with Learn Amp. You will perform an initial sync with Azure AD to create new user profiles in Learn Amp. When a change to user information is made in Azure AD, the change will then be synced automatically to Learn Amp.
Permissions/Scopes Required
For our integration with Azure AD to work effectively, the following permission scopes are requested by Learn Amp:
webhook.readwrite.all
This scope is required to subscribe to change notifications. When any user within the specified group is added or removed, or their details change, we receive a webhook notification so that we can handle the change accordingly.
Group.Read.All
This scope is required to fetch group details of any sub-groups beneath the specified group. Some customers, for example, choose to structure their Azure AD groups so that there are sub-groups that have access to Learn Amp.
User.Read
This scope is used to fetch user details, so Learn Amp users can be automatically created/updated/deactivated.
User.Read.All
This scope is used to fetch user details, so Learn Amp users can be automatically created/updated/deactivated.
GroupMember.Read.All
This scope is only used if MS Teams integration is enabled.
OnlineMeetings.Read
This scope is only used if MS Teams integration is enabled.
OnlineMeetings.Read.All
This scope is only used if MS Teams integration is enabled.
OnlineMeetings.ReadWrite
This scope is only used if MS Teams integration is enabled.
OnlineMeetings.ReadWrite.All
This scope is only used if MS Teams integration is enabled.
Read and write connector configurations
This scope is only used if MS Teams integration is enabled.
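The scope list above can be turned into a least-privilege check on the consent actually granted in your tenant. The following is an added example, not Learn Amp's code: it assumes you have exported the delegated grant as a Graph oauth2PermissionGrant object, whose `scope` property is a space-separated string, and the sample grant is constructed.

```python
# Scope names are copied from this page. The grant record is constructed.
CORE_SCOPES = {"webhook.readwrite.all", "Group.Read.All", "User.Read", "User.Read.All"}
TEAMS_ONLY_SCOPES = {
    "GroupMember.Read.All",
    "OnlineMeetings.Read",
    "OnlineMeetings.Read.All",
    "OnlineMeetings.ReadWrite",
    "OnlineMeetings.ReadWrite.All",
}
# "Read and write connector configurations" appears on the page by display
# name only, so it cannot be matched here and needs a manual check.


def _fold(scopes):
    """Map lower-cased scope name -> original spelling (case-insensitive match)."""
    return {s.lower(): s for s in scopes}


def audit_grant(grant, teams_enabled):
    """Compare one delegated grant with the scopes this page documents."""
    granted = _fold(grant["scope"].split())
    core, teams = _fold(CORE_SCOPES), _fold(TEAMS_ONLY_SCOPES)
    expected = {**core, **teams} if teams_enabled else core
    return {
        "missing": sorted(v for k, v in expected.items() if k not in granted),
        "teams_only_while_teams_disabled": sorted(
            v for k, v in granted.items() if k in teams and not teams_enabled
        ),
        "undocumented": sorted(
            v for k, v in granted.items() if k not in core and k not in teams
        ),
    }


# Constructed sample in the shape of a Graph oauth2PermissionGrant object.
SAMPLE_GRANT = {
    "consentType": "AllPrincipals",
    "scope": "User.Read User.Read.All Group.Read.All GroupMember.Read.All "
             "OnlineMeetings.ReadWrite.All Directory.ReadWrite.All",
}

if __name__ == "__main__":
    for finding, scopes in audit_grant(SAMPLE_GRANT, teams_enabled=False).items():
        print(f"{finding}: {', '.join(scopes) or '-'}")
```

A non-empty `undocumented` or `teams_only_while_teams_disabled` list is a prompt to review the consent before or after authorizing the integration.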
Required Stakeholders
To set up our Integration with Azure AD, you will need somebody with administrator level access to your Azure AD account. This person will also need administrator level access to your Learn Amp Live account for the period of time in which the Integration is being set up.
Set up Instructions
Full instructions on how to set up the Azure AD integration can be found within your Learn Amp account. Please go to yourdomain.learnamp.com/en/integrations/azure_ad
Other Frequently Asked Questions
Can I choose which group of users in Azure AD are synced with Learn Amp?
You can sync users from a single tenant and group in Azure AD. We recommend creating a Learn Amp group in your Azure AD tenant. This should be a group that contains the users you'd like to have access to the Learn Amp platform; whoever is in this group will be synced over to the Learn Amp platform. Anyone who is removed from this group at any point will be deactivated.
Can I create user accounts in Learn Amp without sending invitation emails?
Yes. When setting up the Azure AD integration you will have the option either to send invitation emails or not to invite users automatically. Invitation emails can be issued at any time from the Individuals page in Learn Amp.
I have updated a user's information in Azure AD but the changes have not been reflected in Learn Amp?
Azure AD syncs with Learn Amp every 24hrs automatically. However, if someone is removed from the Active Directory group, or their details change etc., then Learn Amp will be notified via webhook and re-fetch details for that user. These notifications can take 30 minutes to propagate to Learn Amp. Should the updated information still not appear in Learn Amp,
Should I update Azure AD or Learn Amp if a user's information changes?
You should always create new users or update existing users' information in Azure AD, not in Learn Amp. Newly created or updated user information in Azure AD will automatically be synced to Learn Amp.
How often does Learn Amp sync with Azure AD?
Azure AD syncs with Learn Amp every 24hrs automatically. However, if someone is removed from the Active Directory group, or their details change etc., then Learn Amp will be notified and re-fetch details for that user. These notifications can take 30 minutes to propagate to Learn Amp.
Does the Azure AD integration sync team managers?
Azure AD won’t sync team managers but can translate line management relationships using override managers in Learn Amp. When setting up the Azure AD integration, tick the box ‘Assign override managers/Direct reports in Azure AD’.
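Because removal from the group is what deactivates a Learn Amp account, the 30-minute and 24-hour figures above give you a window to check offboarding against. The following is an added example, not Learn Amp's code: the removal list and the Learn Amp user export, including their field names, are constructed assumptions, matched on userPrincipalName to email as in the field mapping table.

```python
from datetime import datetime, timedelta

NOTIFY_WINDOW = timedelta(minutes=30)  # webhook propagation time stated on this page
FULL_SYNC = timedelta(hours=24)        # automatic sync interval stated on this page


def stale_accounts(removals, learnamp_users, now):
    """Return (email, status) for users removed from the group but still active."""
    active = {u["email"].lower() for u in learnamp_users if u["active"]}
    latest = {}  # most recent removal time per user
    for r in removals:
        upn = r["userPrincipalName"].lower()
        when = datetime.fromisoformat(r["removed_at"])
        if upn not in latest or when > latest[upn]:
            latest[upn] = when
    findings = []
    for upn, when in sorted(latest.items()):
        if upn not in active:
            continue  # already deactivated, nothing to report
        age = now - when
        if age <= NOTIFY_WINDOW:
            status = "pending_notification"   # still inside the 30-minute window
        elif age <= FULL_SYNC:
            status = "notification_missed"    # the daily sync should still catch it
        else:
            status = "overdue"                # survived a full sync cycle: escalate
        findings.append((upn, status))
    return findings


# Constructed sample data; the field names are assumptions about your own exports.
SAMPLE_NOW = datetime.fromisoformat("2024-05-02T12:00:00+00:00")
SAMPLE_REMOVALS = [
    {"userPrincipalName": "a.lee@example.com", "removed_at": "2024-05-02T11:45:00+00:00"},
    {"userPrincipalName": "b.khan@example.com", "removed_at": "2024-05-02T03:00:00+00:00"},
    {"userPrincipalName": "C.Diaz@example.com", "removed_at": "2024-04-30T09:00:00+00:00"},
    {"userPrincipalName": "d.ng@example.com", "removed_at": "2024-04-30T09:00:00+00:00"},
]
SAMPLE_USERS = [
    {"email": "a.lee@example.com", "active": True},
    {"email": "b.khan@example.com", "active": True},
    {"email": "c.diaz@example.com", "active": True},
    {"email": "d.ng@example.com", "active": False},
]

if __name__ == "__main__":
    for email, status in stale_accounts(SAMPLE_REMOVALS, SAMPLE_USERS, SAMPLE_NOW):
        print(f"{email}: {status}")
```

The check assumes the removal list holds only users who are currently outside the group; a user who was removed and later re-added should be filtered out before running it.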
Does Azure AD integration with Learn Amp use SCIM?
No, user provisioning uses Graph API.
What information from Azure AD is stored within Learn Amp to set up the integration?
Tenant ID
We store the tenant ID of your Azure AD.
This is stored in an encrypted field (not in plain text) within our production database.
The tenant ID is not kept in any file or other shareable/downloadable format.
Security Group Object ID
We must store the Object ID of the Security Group within Azure AD, which defines which users should be created/updated/deactivated automatically by the integration.
This object ID is stored in plain text within the primary database.
Can we use Azure AD for single sign on (SSO)?
Yes. Learn Amp can also integrate with Azure AD to permit Single Sign On. This uses the OAuth2 protocol against your Azure AD tenant. Users are authenticated by the UserPrincipalName field in Azure AD. For full information, please see our integration page on Azure Active Directory Integration for Single Sign On.
Can we use this integration without MS Teams?
Yes. You can integrate Learn Amp with Azure AD for user provisioning without enabling the MS Teams integration for events and activity feeds.