Azure Graph API

Use Cases

Learn Amp's AzureAD Graph API integration supports the following use cases.
One or more may be enabled for your account, as required.

  1. Permits Single Sign-On using the OAuth2 protocol against your Azure AD Tenant
    Documentation here: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-oauth2

  2. Keeps user details in sync for a subset of users in your AzureAD, defined by a specified AD Security Group.
    Related Graph API documentation: https://docs.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0

  3. Permits scheduling of MS Teams Meetings (to retrieve a meeting link) and fetching attendance of the MS Teams meeting afterwards.

Information stored within Learn Amp

Tenant ID

We store the tenant ID of your AzureAD.
This is stored in an encrypted field (not in plain text) within our production database.
The tenant ID is not kept in any file or other shareable/downloadable format.

Security Group Object ID

For use case 2, we must store the Object ID of the Security Group within AzureAD, which defines which users should be created/updated/deactivated automatically by the integration.

This object ID is stored in plain text within the primary database.

Scopes requested by the integration

webhook.readwrite.all - only used if user provisioning is enabled

This scope is required to subscribe to change notifications: when any user within the specified group is added, removed, or has their details changed, we receive a webhook notification so that we can handle the change accordingly.
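The page says the integration receives change notifications by webhook but does not describe how the receiving endpoint is protected. The following is an added example, not Learn Amp's code: a minimal receiver for Microsoft Graph change notifications showing the two checks such an endpoint needs, answering the subscription validation handshake (Graph posts `?validationToken=...` and expects the token echoed back as `text/plain`) and verifying the `clientState` secret that was supplied when the subscription was created, so that a POST from an arbitrary sender is not treated as a directory change. The request shapes are those documented for Graph change notifications; the `clientState` value and the notification bodies are constructed for the example.

```python
import hmac
import json
from urllib.parse import parse_qs


def _same(a: str, b: str) -> bool:
    """Constant-time comparison of the shared clientState secret."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def handle_graph_webhook(query_string: str, body: bytes, expected_client_state: str):
    """Handle one POST from Microsoft Graph to the subscription's notificationUrl.

    Returns (status, content_type, response_body, accepted_notifications).
    """
    params = parse_qs(query_string)
    if "validationToken" in params:
        # Subscription validation: Graph expects the token echoed back as
        # text/plain with HTTP 200 before it will create the subscription.
        return 200, "text/plain", params["validationToken"][0], []

    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, "text/plain", "malformed notification body", []

    accepted = []
    for note in payload.get("value", []):
        # clientState is the secret we set when subscribing; a notification
        # that does not carry it did not originate from our subscription.
        if not _same(str(note.get("clientState", "")), expected_client_state):
            continue
        accepted.append({
            "subscriptionId": note.get("subscriptionId"),
            "changeType": note.get("changeType"),
            # e.g. "Users/<object id>": the record is fetched afterwards with
            # a $select limited to the properties the integration needs.
            "resource": note.get("resource"),
        })
    # Acknowledge quickly with a 2xx; Graph retries anything else. Rejected
    # items are dropped here (a production receiver would log them).
    return 202, "text/plain", "", accepted


# Constructed sample body (not a real notification): the second entry carries
# the wrong clientState and must be ignored.
SAMPLE_BODY = json.dumps({
    "value": [
        {"subscriptionId": "sub-1", "clientState": "s3cret", "changeType": "updated",
         "resource": "Users/00000000-0000-0000-0000-000000000001",
         "tenantId": "00000000-0000-0000-0000-00000000tenant"},
        {"subscriptionId": "sub-1", "clientState": "wrong", "changeType": "updated",
         "resource": "Users/00000000-0000-0000-0000-000000000002",
         "tenantId": "00000000-0000-0000-0000-00000000tenant"},
    ]
}).encode("utf-8")

if __name__ == "__main__":
    print(handle_graph_webhook("validationToken=abc%20123", b"", "s3cret"))
    print(handle_graph_webhook("", SAMPLE_BODY, "s3cret"))
```

The receiver treats the notification only as a trigger: it records which resource changed and leaves fetching the user's details to a separate, scoped Graph request, so a forged notification cannot by itself inject user data.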

Group.Read.All - only used if user provisioning is enabled

This scope is required to fetch group details of any sub-groups beneath the specified group. Some customers, for example, choose to structure their AzureAD groups so that sub-groups have access to Learn Amp.

GroupMember.Read.All - only used if MS Teams integration is enabled

This scope is used to check whether a given user is a member of the specified group. We do NOT fetch user details for any user who is not within the specified security group.

OnlineMeetings.Read - only used if MS Teams integration is enabled

This scope is used to fetch attendance of a specific MS Teams meeting that corresponds to an Event on the Learn Amp platform.

OnlineMeetings.Read.All - only used if MS Teams integration is enabled

This scope is used to fetch meeting details of any MS Teams meetings that correspond to an Event on the Learn Amp platform.

OnlineMeetings.ReadWrite - only used if MS Teams integration is enabled

This scope is used to schedule an MS Teams meeting and retrieve the URL link, to store with an Event on Learn Amp.

OnlineMeetings.ReadWrite.All - only used if MS Teams integration is enabled

This scope is used to schedule an MS Teams meeting and retrieve the URL link, to store with an Event on Learn Amp.

User.Read - only used if user provisioning is enabled

This scope is used to fetch user details, so Learn Amp users can be automatically created/updated/deactivated.

User.Read.All - only used if user provisioning is enabled.

This scope is used to fetch user details, so Learn Amp users can be automatically created/updated/deactivated.

Read and write connector configurations - only used if MS Teams integration is enabled

This scope is used to set up a Notification channel into MS Teams.

User details fetched by the integration for User Provisioning

The GraphAPI exposes many attributes of objects in the directory.

However, the Learn Amp integration requests only the following properties, which are required for user provisioning and for populating the user's profile on Learn Amp:

  • id
  • city
  • country
  • givenName
  • surname
  • preferredLanguage
  • officeLocation
  • jobTitle
  • mail
  • department
  • accountEnabled
  • usageLocation
  • userPrincipalName
  • employeeId
  • companyName
  • employeeType
  • employeeHireDate

These are documented in full here: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties
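To make the data-minimisation point concrete, here is an added example (not Learn Amp's code) in Python that builds the Graph request for the security group's user members with a `$select` restricted to exactly the properties listed above, projects each returned record onto that allow-list on the client side as well, and derives the provisioning action from `accountEnabled`. The endpoint shape (`/groups/{id}/members/microsoft.graph.user`) and the sample records are assumptions of the example; the page only names the properties.

```python
from urllib.parse import quote

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Allow-list: the only user properties the integration asks Graph for.
USER_PROPERTIES = (
    "id", "city", "country", "givenName", "surname", "preferredLanguage",
    "officeLocation", "jobTitle", "mail", "department", "accountEnabled",
    "usageLocation", "userPrincipalName", "employeeId", "companyName",
    "employeeType", "employeeHireDate",
)


def build_members_url(group_object_id: str) -> str:
    """Build the Graph request for the security group's user members.

    The OData cast to microsoft.graph.user skips nested groups and devices,
    and $select limits the response to the allow-listed properties. The
    endpoint shape is an assumption of this example.
    """
    return (
        f"{GRAPH_BASE}/groups/{quote(group_object_id, safe='')}"
        f"/members/microsoft.graph.user?$select={','.join(USER_PROPERTIES)}"
    )


def project_user(graph_user: dict) -> dict:
    """Keep only allow-listed properties, even if the response carries more."""
    return {k: graph_user.get(k) for k in USER_PROPERTIES}


def plan_provisioning(page: dict) -> list:
    """Turn one page of Graph results into provisioning actions.

    accountEnabled == False means the directory account is disabled, so the
    matching Learn Amp user is deactivated rather than updated. Following
    @odata.nextLink for further pages is left to the caller.
    """
    actions = []
    for raw in page.get("value", []):
        profile = project_user(raw)
        if not profile["id"] or not profile["userPrincipalName"]:
            continue  # cannot correlate a record without a stable identifier
        action = "deactivate" if profile["accountEnabled"] is False else "create_or_update"
        actions.append({"action": action, "profile": profile})
    return actions


# Constructed sample page (not real directory data): the first record carries a
# property outside the allow-list, the second is a disabled account.
SAMPLE_PAGE = {
    "value": [
        {"id": "00000000-0000-0000-0000-000000000001", "givenName": "Ada",
         "surname": "Example", "mail": "ada@example.test",
         "userPrincipalName": "ada@example.test", "accountEnabled": True,
         "department": "Engineering", "mobilePhone": "+44 0000 000000"},
        {"id": "00000000-0000-0000-0000-000000000002", "givenName": "Ben",
         "surname": "Example", "mail": "ben@example.test",
         "userPrincipalName": "ben@example.test", "accountEnabled": False},
    ]
}

if __name__ == "__main__":
    print(build_members_url("11111111-2222-3333-4444-555555555555"))
    for item in plan_provisioning(SAMPLE_PAGE):
        print(item["action"], item["profile"]["userPrincipalName"])
```

Projecting on the client side as well as in `$select` means a change to the allow-list is a single edit, and a response that unexpectedly includes extra attributes never reaches the provisioning record.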
