Microsoft Entra ID Technical Reference
Overview
This page provides technical details about Learn Amp's Microsoft Entra ID integration for IT administrators and security teams who need to understand what data is accessed, stored, and how the integration works at a technical level.
Prerequisites
This technical reference is intended for IT administrators and security teams who need detailed information about the integration.
Role Requirements
| Platform | Role Required |
|---|---|
| Learn Amp | Owner or Admin (to configure integrations) |
| Microsoft Entra ID | Administrator (to review and approve permissions) |
Integration Use Cases
Learn Amp's Microsoft Entra ID integration via the Microsoft Graph API supports the following use cases:
| Use Case | Protocol | Description |
|---|---|---|
| Single Sign-On | OpenID Connect (OAuth2) | Authenticates users against your Microsoft Entra ID tenant |
| User Provisioning | Microsoft Graph API | Syncs user details for a subset of users defined by a Security Group |
| MS Teams Integration | Microsoft Graph API | Schedules MS Teams meetings and fetches attendance data |
Data Stored by Learn Amp
Tenant ID
Purpose: Identifies your Microsoft Entra ID tenant
Storage: Encrypted field in the production database
Format: Not stored in any downloadable or shareable format
Security Group Object ID
Purpose: Defines which users should be synced via User Provisioning
Storage: Plain text in the primary database
Used by: User Provisioning only
Permission Scopes Requested
The integration requests different permission scopes depending on which features are enabled:
User Provisioning Scopes
| Scope | Purpose |
|---|---|
| Subscription.ReadWrite.All | Subscribe to change notifications when users are added, removed, or updated in the specified group |
| Group.Read.All | Fetch group details including sub-groups beneath the specified security group |
| User.Read | Fetch user details for automatic account creation and updates |
| User.Read.All | Fetch user details for all users in the specified group |
MS Teams Integration Scopes
| Scope | Purpose |
|---|---|
| GroupMember.Read.All | Check whether a user is a member of the specified security group |
| OnlineMeetings.Read | Fetch attendance data for MS Teams meetings linked to Learn Amp events |
| OnlineMeetings.Read.All | Fetch meeting details for MS Teams meetings |
| OnlineMeetings.ReadWrite | Schedule MS Teams meetings and retrieve meeting URLs |
| OnlineMeetings.ReadWrite.All | Schedule meetings on behalf of users |
| Read and write connector configurations | Set up notification channels in MS Teams |
User Properties Fetched
For User Provisioning, the integration requests only the following user properties from the Microsoft Graph API:
id
accountEnabled
givenName
surname
preferredLanguage
officeLocation
jobTitle
mail
department
usageLocation
userPrincipalName
employeeId
companyName
employeeType
employeeHireDate
city
country
Full documentation of these properties is available in Microsoft's Graph API documentation.
Email Field Matching
By default, Learn Amp uses the userPrincipalName field from Microsoft Entra ID to match users. In some cases, organisations may need to use the mail field instead.
| Field | When Used |
|---|---|
| userPrincipalName (default) | When UPN matches user email addresses |
| mail | When UPN differs from email (requires custom configuration) |
⚠️ Note: Custom email field mapping requires development work. Contact your Implementation Coach to discuss requirements.
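As an added illustration (not Learn Amp's own code), the following Python builds the minimal Graph v1.0 request for exactly the user properties listed above and then matches the returned users to local accounts by userPrincipalName (the default) or by mail. The group ID, user records and email addresses are constructed sample data; the endpoint path and the `$select`/`$top` query options are standard Microsoft Graph.

```python
# Added example, not Learn Amp's own code: build the data-minimising Graph query
# for the properties the page lists, then match users by UPN or mail.
from typing import Dict, Iterable, List, Optional

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# Exactly the properties the page lists; $select keeps the response to these.
FETCHED_PROPERTIES: List[str] = [
    "id", "accountEnabled", "givenName", "surname", "preferredLanguage",
    "officeLocation", "jobTitle", "mail", "department", "usageLocation",
    "userPrincipalName", "employeeId", "companyName", "employeeType",
    "employeeHireDate", "city", "country",
]

MATCH_FIELDS = ("userPrincipalName", "mail")


def group_users_url(group_id: str, page_size: int = 100) -> str:
    """Graph URL for the user members of a group, restricted to FETCHED_PROPERTIES.

    The microsoft.graph.user cast drops nested groups and service principals from
    the page; $top sets the page size and Graph returns @odata.nextLink for more.
    """
    return (f"{GRAPH_BASE}/groups/{group_id}/members/microsoft.graph.user"
            f"?$select={','.join(FETCHED_PROPERTIES)}&$top={page_size}")


def normalise_address(value: Optional[str]) -> str:
    """Case-insensitive, whitespace-trimmed form used when comparing addresses."""
    return (value or "").strip().lower()


def match_users(graph_users: Iterable[dict], local_emails: Iterable[str],
                match_field: str = "userPrincipalName") -> Dict[str, dict]:
    """Map each local email to the Graph user whose match_field equals it.

    match_field is userPrincipalName by default; "mail" is the alternative the
    page describes for tenants whose UPN differs from the email address.
    """
    if match_field not in MATCH_FIELDS:
        raise ValueError(f"match_field must be one of {MATCH_FIELDS}")
    index: Dict[str, dict] = {}
    for user in graph_users:
        key = normalise_address(user.get(match_field))
        if key:                          # skip users with the field unset
            index.setdefault(key, user)  # first occurrence wins
    matched: Dict[str, dict] = {}
    for email in local_emails:
        user = index.get(normalise_address(email))
        if user is not None:
            matched[email] = user
    return matched


# Constructed sample: the first user has a UPN that differs from the mailbox.
SAMPLE_GRAPH_USERS = [
    {"id": "u-1", "accountEnabled": True,
     "userPrincipalName": "a.smith@contoso.example",
     "mail": "alice.smith@contoso.example"},
    {"id": "u-2", "accountEnabled": False,
     "userPrincipalName": "b.jones@contoso.example",
     "mail": "b.jones@contoso.example"},
]

if __name__ == "__main__":
    print(group_users_url("00000000-0000-0000-0000-000000000000"))
    print(match_users(SAMPLE_GRAPH_USERS, ["A.Smith@contoso.example"]))
    print(match_users(SAMPLE_GRAPH_USERS, ["alice.smith@contoso.example"], "mail"))
```

The point of the sample is that a tenant whose UPNs differ from mailbox addresses gets no matches under the default field, which is the situation the note above says needs custom configuration; the `accountEnabled` flag comes back in the same response, so a sync can suspend local accounts whose directory account is disabled without a second request.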
Webhook Subscriptions
Learn Amp maintains webhook subscriptions with Microsoft Graph API to receive real-time notifications when users are added, updated, or removed from your security group.
| Aspect | Details |
|---|---|
| Subscription Type | Microsoft Graph change notifications |
| Renewal | Automatic renewal before expiry |
| Events | User added, updated, or removed from group |
| Propagation | Changes typically appear within 30 minutes |
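To show what a receiver of these change notifications has to do, here is an added Python example that is not Learn Amp's own code. It follows Microsoft Graph's documented subscription contract: at creation Graph POSTs to the notification URL with a `validationToken` query parameter and expects it echoed back as `text/plain`; every notification carries the `clientState` value supplied at creation, which the receiver compares before acting; and the subscription must be renewed (PATCH of `expirationDateTime`) before it expires. The subscription ID, client state, URLs and notification bodies are constructed sample data.

```python
# Added example, not Learn Amp's own code: receiving side of a Microsoft Graph
# change-notification subscription (handshake, clientState check, renewal check).
import hmac
import json
from datetime import datetime, timedelta
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# Secret supplied in the subscription's clientState at creation time (constructed).
CLIENT_STATE = "c0nstructed-client-state-2f1e"

# subscriptionId -> expirationDateTime, as stored when the subscription was created.
KNOWN_SUBSCRIPTIONS: Dict[str, str] = {
    "sub-1111": "2030-01-01T12:00:00Z",
}


def handle_notification_request(url: str, body: str) -> Tuple[int, str, str, List[dict]]:
    """Return (status, content_type, response_body, accepted_notifications).

    Graph sends the validation request as a POST with ?validationToken=... and
    expects the token echoed back as text/plain. Real notifications are JSON with
    a "value" array; only entries for subscriptions we hold whose clientState
    matches are accepted, and the answer is a fast 202 so Graph does not retry.
    """
    query = parse_qs(urlsplit(url).query)
    if "validationToken" in query:
        return 200, "text/plain", query["validationToken"][0], []

    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, "text/plain", "malformed body", []

    accepted: List[dict] = []
    for note in payload.get("value", []):
        sub_id = str(note.get("subscriptionId") or "")
        if sub_id not in KNOWN_SUBSCRIPTIONS:
            continue                                   # not a subscription we hold
        presented = str(note.get("clientState") or "").encode()
        if not hmac.compare_digest(presented, CLIENT_STATE.encode()):
            continue                                   # wrong shared secret: forged or stale
        # The notification is only a trigger: re-read the group from Graph rather
        # than trusting resourceData, which carries no signature of its own.
        accepted.append({"subscriptionId": sub_id,
                         "changeType": note.get("changeType"),
                         "resource": note.get("resource")})
    return 202, "", "", accepted


def _parse_utc(iso: str) -> datetime:
    """Parse Graph's ISO-8601 'Z' timestamps into an aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def needs_renewal(sub_id: str, now_iso: str, margin_hours: int = 12) -> bool:
    """True when the subscription expires within margin_hours and should be PATCHed."""
    expiry = _parse_utc(KNOWN_SUBSCRIPTIONS[sub_id])
    return expiry - _parse_utc(now_iso) <= timedelta(hours=margin_hours)


# Constructed sample traffic.
VALIDATION_URL = "https://learnamp.example/webhooks/graph?validationToken=abc123"
NOTIFICATION_URL = "https://learnamp.example/webhooks/graph"
GOOD_NOTIFICATION = json.dumps({"value": [{
    "subscriptionId": "sub-1111", "clientState": CLIENT_STATE,
    "changeType": "updated", "resource": "Groups/grp-learners"}]})
FORGED_NOTIFICATION = json.dumps({"value": [{
    "subscriptionId": "sub-1111", "clientState": "guess",
    "changeType": "updated", "resource": "Groups/grp-learners"}]})

if __name__ == "__main__":
    print(handle_notification_request(VALIDATION_URL, ""))
    print(handle_notification_request(NOTIFICATION_URL, GOOD_NOTIFICATION))
    print(handle_notification_request(NOTIFICATION_URL, FORGED_NOTIFICATION))
    print(needs_renewal("sub-1111", "2030-01-01T00:00:00Z"))
```

Two design choices matter for a defender reviewing this path: a notification with the wrong `clientState` is silently dropped but still answered 202, so an outsider probing the endpoint learns nothing from the response, and the accepted notification is used only to schedule a fresh read of the group, which is why a propagation delay of the kind quoted in the table is normal.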
Additional User Properties
Beyond the standard fields, some organisations sync additional properties through custom configuration:
| Property | Usage |
|---|---|
| employeeOrgData.division | Can be synced for organisational structure |
| onPremisesExtensionAttributes | Custom attributes from on-premises AD |
| employeeId | Employee identifier |
| employeeType | Employment type classification |
| companyName | Company name (for multi-company tenants) |
| photo | User profile photo |
💡 Tip: Custom field mappings require development work. Contact your Implementation Coach to discuss your requirements.
Nested Security Groups
The integration supports nested security groups in Microsoft Entra ID through the Group.Read.All permission scope. Users who are members of sub-groups within your designated security group will also be synced to Learn Amp.
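The following added Python example (not Learn Amp's own code) shows the work that Group.Read.All makes possible: expanding a designated security group into the users it contains, following sub-groups and stopping on cycles. `DIRECTORY` is a constructed in-memory stand-in for the responses of Graph's `/groups/{id}/members` endpoint, using the `@odata.type` markers Graph returns on each member; Graph also offers `/groups/{id}/transitiveMembers`, which performs the same expansion server-side.

```python
# Added example, not Learn Amp's own code: expand a nested security group into
# its user members, skipping non-user members and terminating on group cycles.
from typing import Callable, Dict, List, Set, Tuple

Member = dict
USER_TYPE = "#microsoft.graph.user"
GROUP_TYPE = "#microsoft.graph.group"

# Constructed directory: grp-learners contains grp-engineering, which contains
# grp-platform and a cycle back to grp-learners; u-1 is reachable by two paths.
DIRECTORY: Dict[str, List[Member]] = {
    "grp-learners": [
        {"@odata.type": USER_TYPE, "id": "u-1", "userPrincipalName": "a.smith@contoso.example"},
        {"@odata.type": GROUP_TYPE, "id": "grp-engineering"},
    ],
    "grp-engineering": [
        {"@odata.type": USER_TYPE, "id": "u-2", "userPrincipalName": "b.jones@contoso.example"},
        {"@odata.type": GROUP_TYPE, "id": "grp-platform"},
        {"@odata.type": GROUP_TYPE, "id": "grp-learners"},            # cycle back to the root
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-1"},  # not a user: ignored
    ],
    "grp-platform": [
        {"@odata.type": USER_TYPE, "id": "u-1", "userPrincipalName": "a.smith@contoso.example"},
        {"@odata.type": USER_TYPE, "id": "u-3", "userPrincipalName": "c.lee@contoso.example"},
    ],
}


def expand_group(root_group_id: str,
                 fetch_members: Callable[[str], List[Member]]) -> Tuple[Dict[str, Member], Set[str]]:
    """Return (users_by_id, visited_group_ids) for root_group_id and its sub-groups.

    Iterative depth-first walk with a visited set, so group cycles terminate and a
    user reachable by several paths is recorded once. Members that are neither
    users nor groups (service principals, devices) are skipped.
    """
    users: Dict[str, Member] = {}
    visited: Set[str] = set()
    stack = [root_group_id]
    while stack:
        group_id = stack.pop()
        if group_id in visited:
            continue
        visited.add(group_id)
        for member in fetch_members(group_id):
            kind = member.get("@odata.type")
            if kind == USER_TYPE:
                users.setdefault(member["id"], member)
            elif kind == GROUP_TYPE:
                stack.append(member["id"])
    return users, visited


def expand_directory_group(root_group_id: str) -> Tuple[Dict[str, Member], Set[str]]:
    """Run expand_group against the constructed DIRECTORY (unknown groups are empty)."""
    return expand_group(root_group_id, lambda gid: DIRECTORY.get(gid, []))


if __name__ == "__main__":
    users, groups = expand_directory_group("grp-learners")
    print(sorted(users), sorted(groups))
```

The visited set is what keeps a mis-configured directory (group A nested in B nested in A) from turning a sync into an infinite loop, and the set of visited groups is worth logging: it is the full list of groups whose membership now controls provisioning, which is usually wider than the single group an administrator selected.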