
Integration Summary
Our integration with Azure Active Directory creates a connection between the two platforms that automatically syncs user information stored in Azure AD to Learn Amp. This eliminates the need to import or regularly maintain user information in Learn Amp.


Main Features

By connecting your Azure AD account to Learn Amp:

  • You can specify the users you require to be synced from Azure AD to Learn Amp, via a Group within Active Directory.

  • New users added to this Azure AD group will automatically be added to Learn Amp.

  • Any changes to user details in Azure AD (Job Title, Department, etc.) will be reflected in Learn Amp.

  • You can choose when new users are invited to Learn Amp.


Information that can be synced

Our ‘out of the box’ integration with Learn Amp can map information from a number of predefined, standard mappable fields, which are detailed in the table below:

| Field in Azure AD | Field in Learn Amp |
|---|---|
| id | n/a |
| accountenabled | n/a |
| givenname | first_name |
| surname | last_name |
| preferredLanguage | language |
| officeLocation | location |
| department | department |
| jobTitle | job_title |
| userPrincipalName | email |
| department | primary_team_name |
| photo | avatar |
| directReports | managers/line managers |


Syncing Additional Information

Yes, it is possible to sync additional or different data points from Azure AD into Learn Amp. For example, you may decide to sync employeeId into a Learn Amp custom field to assign unique identifiers to your users.

Please note: These requests will be handled by your Implementation Coach and will require custom development work to be undertaken by our technical team. The time taken to complete this work is chargeable or can be deducted from your Implementation budget at your Coach's discretion.


Known Limitations/Considerations

Team Managers: The Azure AD integration will sync each individual user's manager into Learn Amp if the data is available to do so (directreports field in Azure AD). This is what is known as an Override Manager in Learn Amp. The integration does not have the ability to sync Team/Department managers into Learn Amp. However, Team managers can be configured within Learn Amp to work in conjunction with Override Managers. Your Implementation Coach can provide further details on this.


Team Hierarchy: Azure AD will create a team for each of the individual departments that are stored in your Azure AD account. These will be presented as a flat structure in your Learn Amp account and will not consider any parent/child relationships between your departments.

However, once you have completed your initial sync, you will be able to easily create parent/child relationships with your teams in Learn Amp which will be saved moving forward. Your Implementation Coach can provide further details on this.


How the Platforms Connect

Learn Amp connects to Azure AD using the Graph API. You will be asked to provide your Azure AD Tenant ID and Group ID, then authorize the integration with Learn Amp. You will perform an initial sync with Azure AD to create new user profiles in Learn Amp. After that, when user information changes in Azure AD, the changes are synced automatically to Learn Amp.


Permissions/Scopes Required

For our integration with Azure AD to work effectively, the following permission scopes are requested by Learn Amp:

 webhook.readwrite.all

This scope is required to subscribe to change notifications: when any user within the specified group is added or removed, or has their details changed, we receive a webhook notification so that we can handle the change accordingly.

 Group.Read.All

This scope is required to fetch group details of any sub-groups beneath the specified group. Some customers, for example, choose to structure their Azure AD groups so that there are sub-groups that have access to Learn Amp.

 User.Read

This scope is used to fetch user details, so Learn Amp users can be automatically created/updated/deactivated.

 User.Read.All

This scope is used to fetch user details, so Learn Amp users can be automatically created/updated/deactivated.

 GroupMember.Read.All

This scope is only used if MS Teams integration is enabled.

 OnlineMeetings.Read

This scope is only used if MS Teams integration is enabled.

 OnlineMeetings.Read.All

This scope is only used if MS Teams integration is enabled.

 OnlineMeetings.ReadWrite

This scope is only used if MS Teams integration is enabled.

 OnlineMeetings.ReadWrite.All

This scope is only used if MS Teams integration is enabled.

 Read and write connector configurations

This scope is only used if MS Teams integration is enabled.
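
The following Python is an added example, not part of Learn Amp's documentation or product: it checks the scopes actually consented to in your tenant against the list above and flags Teams-only scopes granted while the MS Teams integration is off. The function name, the space-delimited input format and the sample grant are assumptions made for illustration.

```python
# Added example: least-privilege review of the scopes consented to the integration.
# Scope names are copied from the list above; the grant string is constructed.

PROVISIONING = {"webhook.readwrite.all", "Group.Read.All", "User.Read", "User.Read.All"}
TEAMS_ONLY = {
    "GroupMember.Read.All", "OnlineMeetings.Read", "OnlineMeetings.Read.All",
    "OnlineMeetings.ReadWrite", "OnlineMeetings.ReadWrite.All",
}
# "Read and write connector configurations" is listed by display name only, so it
# cannot be matched by identifier here and will surface under "unlisted".


def _index(names):
    """Map lower-cased scope name -> spelling used on the page."""
    return {n.lower(): n for n in names}


def review_scopes(granted, teams_enabled):
    """Compare a space-delimited scope string against the documented list.

    Returns a dict of sorted lists:
      missing  - provisioning scopes from the page that were not granted
      excess   - Teams-only scopes granted while the Teams integration is off
      unlisted - granted scopes that the page does not list by identifier
    """
    prov, teams = _index(PROVISIONING), _index(TEAMS_ONLY)
    seen = {s.lower(): s for s in granted.split()}  # de-duplicate, ignore case

    missing = [prov[k] for k in prov if k not in seen]
    excess = [teams[k] for k in teams if k in seen and not teams_enabled]
    unlisted = [seen[k] for k in seen if k not in prov and k not in teams]
    return {"missing": sorted(missing), "excess": sorted(excess),
            "unlisted": sorted(unlisted)}


# Constructed sample: what a tenant admin might copy out of the consent record.
SAMPLE_GRANT = ("User.Read user.read.all Group.Read.All "
                "OnlineMeetings.ReadWrite.All Directory.ReadWrite.All")

if __name__ == "__main__":
    for teams_enabled in (False, True):
        print(teams_enabled, review_scopes(SAMPLE_GRANT, teams_enabled))
```

Anything reported under "excess" or "unlisted" is a candidate for removal or for a question to your Implementation Coach before consent is granted.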


Required Stakeholders

To set up our Integration with Azure AD, you will need somebody with administrator level access to your Azure AD account. This person will also need administrator level access to your Learn Amp Live account for the period of time in which the Integration is being set up.


Set up Instructions

Full instructions on how to set up the Azure AD integration can be found within your Learn Amp account. Please go to yourdomain.learnamp.com/en/integrations/azure_ad


Other Frequently Asked Questions

 What authentication protocol does Learn Amp's integration with Azure AD use?

Learn Amp’s integration uses the Microsoft Graph API. It does not use SCIM or SAML.

 Can I choose which group of users in Azure AD are synced with Learn Amp?

You can sync users from a single tenant and group in Azure AD. We recommend creating a Learn Amp group in your Azure AD tenant. This should be a group that contains the users you’d like to have access to the Learn Amp platform. Whoever is in this group will be synced over to the Learn Amp platform. Anyone who is removed from this group at any point will be deactivated.

 Can I create user accounts in Learn Amp without sending invitation emails?

Yes. When setting up the Azure AD integration you will have the option either to send invitation emails or not to invite users automatically. Invitation emails can be issued at any time from the Individuals page in Learn Amp.

 I have updated a user's information in Azure AD but the changes have not been reflected in Learn Amp?

Azure AD syncs with Learn Amp automatically every 24 hours. However, if someone is removed from the Active Directory group, or their details change etc., Learn Amp will be notified via webhook and will re-fetch details for that user. These notifications can take 30 minutes to propagate to Learn Amp. Should the updated information still not appear in Learn Amp, press the ‘Sync users’ button on the Azure Active Directory integration page within your Learn Amp account.

 Should I update Azure AD or Learn Amp if a user's information changes?

You should always create new users or update existing users' information in Azure AD, not in Learn Amp. Newly created or updated user information in Azure AD will automatically be synced to Learn Amp.

 How often does Learn Amp sync with Azure AD?

Azure AD syncs with Learn Amp automatically every 24 hours. However, if someone is removed from the Active Directory group, or their details change etc., Learn Amp will be notified and will re-fetch details for that user. These notifications can take 30 minutes to propagate to Learn Amp.

 Does the Azure AD integration sync team managers?

Azure AD won’t sync team managers but can translate line management relationships using override managers in Learn Amp. When setting up the Azure AD integration, tick the box ‘Assign override managers/Direct reports in Azure AD’.

 How does Azure AD sync a user's primary and secondary team?

Azure AD syncs users into Primary Teams (i.e. from Department in Azure AD). This will override any manual changes to primary team membership in Learn Amp.

Azure AD does not sync users to Secondary Teams. Users can be assigned to Secondary Teams in Learn Amp. The Azure AD integration will not override secondary team membership.

Azure AD does NOT delete any teams. Teams can be deleted in Learn Amp.

 Does Azure AD integration sync a user's timezone?

Timezone is not a standard mappable field in the Azure AD integration with Learn Amp. The default company timezone can be set in Learn Amp’s Company Settings. All individuals can set their own timezones in user profile settings.

It is possible to sync additional or different data points from Azure AD into Learn Amp. These requests will require custom development work to be undertaken by our technical team. The time taken to complete this work is chargeable.

 What information from Azure AD is stored within Learn Amp to set up the integration?

Tenant ID

We store the tenant ID of your Azure AD.
This is stored in an encrypted field (not in plain text) within our production database.
The tenant ID is not kept in any file or other shareable/downloadable format.

Security Group Object ID

We must store the Object ID of the Security Group within Azure AD, which defines which users should be created/updated/deactivated automatically by the integration.

This object ID is stored in plain text within the primary database.

 Can we use Azure AD for single sign on (SSO)?

Yes. Learn Amp can also integrate with Azure AD to permit Single Sign On. This uses the OAuth2 protocol against your Azure AD tenant. Users are authenticated by the UserPrincipalName field in Azure AD. For full information, please see our integration page on Azure Active Directory Integration for Single Sign On.

 Can we use this integration without MS Teams?

Yes. You can integrate Learn Amp with Azure AD for user provisioning without enabling the MS Teams integration for events and activity feeds.
