Azure Graph API

Use Cases

Learn Amp's AzureAD Graph API integration supports the following use cases.
One or more may be enabled for your account, as required.

1. Permits Single Sign On using the OAuth2 protocol against your Azure AD Tenant
   Documentation here: https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-oauth2

2. Keeps user details in sync, for a sub-set of users in your AzureAD defined by a specified AD Security Group.
   Related Graph API documentation: https://docs.microsoft.com/en-us/graph/api/resources/users?view=graph-rest-1.0

3. Permits scheduling of MS Teams Meetings (to retrieve a meeting link) and fetch attendance of the MS Teams meeting afterwards.

Information stored within Learn Amp

Tenant ID

We store the tenant ID of your AzureAD.
This is stored in an encrypted field (not in plain text) within our production database.
The tenant ID is not kept in any file or other shareable/downloadable format.

Security Group Object ID

For use case 2. we must store the Object ID of the Security Group within AzureAD, which defines which users should be created/updated/deactivated automatically by the integration.

This object ID is stored in plain text within the primary database.

Scopes requested by the integration

webhook.readwrite.all - only used if user provisioning is enabled

This scope is required to subscribe to change notifications: When any user within the specified group is either added/removed/details changed, we receive a webhook notification, to that we can handle the change accordingly.

Group.Read.All - only used if user provisioning is enabled

This scope is required to fetch group details of any sub-groups, beneath the specified group. Some customers for example, choose to structure their AzureAD groups, so that there are sub-groups that have access to Learn Amp.

GroupMember.Read.All - only used if MS Teams integration is enabled

This scope is users to check whether a given user is a member of the specified group. We do NOT fetch user details to any user who is not within the specified security group.

OnlineMeetings.Read - only used if MS Teams integration is enabled

This scope is used to fetch attendance of a specific MS Teams meeting that correspond to an Event on the Learn Amp platform.

OnlineMeetings.Read.All - only used if MS Teams integration is enabled

This scope is used to fetch messing details of any MS Teams meetings that correspond to an Event on the Learn Amp platform.

OnlineMeetings.ReadWrite - only used if MS Teams integration is enabled

This scope is used to schedule an MS Teams meeting and retrieve the URL link, to store with an Event on Learn Amp.

OnlineMeetings.ReadWrite.All - only used if MS Teams integration is enabled

This scope is used to schedule an MS Teams meeting and retrieve the URL link, to store with an Event on Learn Amp.

User.Read - only used if user provisioning is enabled

This scope is used to fetch user details, so Learn Amp users can be automatically created/updated/deactivated.

User.Read.All - only used if user provisioning is enabled.

This scope is used to fetch user details, so Learn Amp users can be automatically created/updated/deactivated

Read and write connector configurations - only used if MS Teams integration is enabled

This scope is used to setup a Notification channel into MS Teams.

User details fetched by the integration for User Provisioning

The GraphAPI exposes many attributes of objects in the directory.

However the Learn Amp integration only requests the following properties that are required for user provisioning, and populating the user's profile on Learn Amp namely:

• id 

• city 

• country 

• givenName

• surname 

• preferredLanguage

• officeLocation 

• jobTitle 

• mail

• department

• accountEnabled

• usageLocation

• userPrincipalName 

• employeeId 

• companyName

• employeeType

• employeeHireDate

These are documented in full here: https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties