Setting Up Azure AD User Provisioning
Overview
The Azure AD User Provisioning integration creates a connection between Azure Active Directory and Learn Amp that automatically syncs user information. Using the Microsoft Graph API, this integration eliminates the need to manually import or maintain user data in Learn Amp—when you add, update, or remove users in Azure AD, those changes flow through to Learn Amp automatically.
Functionality Breakdown
By connecting your Azure AD account to Learn Amp via the Graph API:
Automatic user creation – New users added to your designated Azure AD group are automatically created in Learn Amp
Synced user details – Changes to user information (job title, department, etc.) in Azure AD are reflected in Learn Amp
Automatic deactivation – Users removed from the Azure AD group are deactivated in Learn Amp
Manager relationships – Direct Reports from Azure AD can be synced as Override Managers in Learn Amp
Profile photo sync – User profile photos from Azure AD can be synced to Learn Amp
Flexible invitations – Choose when new users receive their Learn Amp invitation emails
Webhook notifications – Changes in Azure AD trigger real-time notifications to Learn Amp
Nested group support – Users in sub-groups within your security group are also synced
Note: This integration uses the Microsoft Graph API. It does not use SCIM or SAML for user provisioning.
Pre-requisites
| Requirement | Details |
|---|---|
| Azure AD Admin Access | Administrator-level access to your Azure AD tenant |
| Learn Amp Admin Access | Owner or Admin role in Learn Amp during setup |
| Azure AD Tenant ID | Your organisation's unique Azure AD identifier |
| Security Group Object ID | The ID of the Azure AD group containing users who should access Learn Amp |
Role Requirements
| Platform | Role Required |
|---|---|
| Learn Amp | Owner or Admin |
| Azure AD | Administrator (to grant Graph API permissions) |
💡 Tip: We recommend creating a dedicated "Learn Amp Users" security group in Azure AD before starting the integration.
Quick Start Guide
1. From the Learn Amp homepage, click the Settings cog in the left-hand navigation
2. Select Integrations
3. Find Azure AD and click Configure
4. Enter your Azure AD Tenant ID
5. Enter your Security Group Object ID
6. Authorise the integration with Learn Amp (this grants Graph API permissions)
7. Configure your sync preferences:
   - Choose whether to send invitation emails immediately
   - Choose whether to sync manager relationships
8. Perform the initial sync to create user profiles in Learn Amp
Information That Can Be Synced
The standard integration maps the following fields from the Graph API:
| Field in Azure AD | Field in Learn Amp |
|---|---|
| givenName | first_name |
| surname | last_name |
| userPrincipalName | |
| jobTitle | job_title |
| department | department & primary_team_name |
| officeLocation | location |
| preferredLanguage | language |
| directReports | override manager |
| employeeHireDate | hire date |
| photo | avatar |
Note: Department maps to both the department profile field and the user's primary team in Learn Amp.
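To preview which accounts a nested security group brings into scope before the initial sync, the following added example (not Learn Amp's code) resolves transitive group membership, applies the field mapping above, and derives a create/update/deactivate plan. The group ids, user records and the `plan_sync` helper are constructed for illustration, and only attributes with a named Learn Amp target field are mapped.

```python
# Added illustration, not Learn Amp's implementation. All sample data is constructed.
FIELD_MAP = {  # Azure AD attribute -> Learn Amp field(s), per the mapping table
    "givenName": ["first_name"],
    "surname": ["last_name"],
    "jobTitle": ["job_title"],
    "department": ["department", "primary_team_name"],
    "officeLocation": ["location"],
    "preferredLanguage": ["language"],
}

def transitive_users(groups, root_id):
    """User ids in root_id and every nested sub-group (each group visited once)."""
    users, seen, stack = set(), set(), [root_id]
    while stack:
        gid = stack.pop()
        if gid in seen:
            continue
        seen.add(gid)
        for kind, member_id in groups.get(gid, []):
            if kind == "group":
                stack.append(member_id)
            else:
                users.add(member_id)
    return users

def map_user(aad_user):
    """Project a Graph-style user record onto the mapped profile fields."""
    return {dst: aad_user.get(src) for src, dsts in FIELD_MAP.items() for dst in dsts}

def plan_sync(groups, root_id, directory, existing):
    """Compare in-scope directory users with profiles already held downstream."""
    in_scope = transitive_users(groups, root_id)
    plan = {"create": [], "update": [], "deactivate": sorted(set(existing) - in_scope)}
    for uid in sorted(in_scope):
        if uid not in existing:
            plan["create"].append(uid)
        elif existing[uid] != map_user(directory[uid]):
            plan["update"].append(uid)
    return plan

# Constructed sample: g-sales is nested in g-learnamp; the back-reference
# exercises the visited-set guard.
GROUPS = {"g-learnamp": [("user", "u1"), ("group", "g-sales")],
          "g-sales": [("user", "u2"), ("group", "g-learnamp")]}
DIRECTORY = {"u1": {"givenName": "Ana", "surname": "Ruiz", "jobTitle": "Lead", "department": "Ops"},
             "u2": {"givenName": "Ben", "surname": "Cho", "jobTitle": "Rep", "department": "Sales"}}
EXISTING = {"u1": map_user({**DIRECTORY["u1"], "jobTitle": "Analyst"}),  # stale title
            "u3": map_user({"givenName": "Cy", "surname": "Old"})}       # no longer in group
PLAN = plan_sync(GROUPS, "g-learnamp", DIRECTORY, EXISTING)
```

Reviewing the `create` list against the intended audience is a quick check that a sub-group has not widened access beyond what was meant.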
Profile Photo Sync
Learn Amp can automatically sync user profile photos from Azure AD. When a user's photo is updated in Azure AD, it will be reflected in their Learn Amp profile during the next sync.
💡 Tip: Profile photos help create a more personalised and engaging learning environment.
Syncing Additional Information
It's possible to sync additional or different data points from Azure AD to Learn Amp. For example, you may want to sync employeeId into a Learn Amp custom field.
Please Note: Custom mapping requests require development work by our technical team. This work is chargeable or can be deducted from your Implementation budget at your Coach's discretion.
Known Limitations
Team Managers
The Azure AD integration syncs individual users' managers as Override Managers in Learn Amp (using the directReports field). It does not sync Team/Department managers. However, Team managers can be configured within Learn Amp to work alongside Override Managers—your Implementation Coach can provide guidance.
Team Hierarchy
Azure AD creates a team for each department in your directory. These appear as a flat structure in Learn Amp without parent/child relationships. After your initial sync, you can manually create team hierarchies in Learn Amp, which will be preserved going forward.
FAQs
Q: What API does this integration use?
Learn Amp's Azure AD integration uses the Microsoft Graph API. It does not use SCIM or SAML for user provisioning.
Q: How do I create new users?
Always create new users or update existing user information in Azure AD, not in Learn Amp. Changes will automatically sync to Learn Amp.
Q: How quickly do changes sync?
Azure AD syncs with Learn Amp every 24 hours automatically. User changes (additions, removals, updates) trigger webhook notifications that typically propagate within 30 minutes. You can also use the "Sync users" button to force an immediate sync.
Q: Can I control invitation emails?
Yes. When setting up the integration, you can choose to send invitation emails immediately or disable automatic invitations. Invitations can be sent manually at any time from the Individuals page.
Q: Will Azure AD sync team managers?
No. Azure AD syncs individual manager relationships (Override Managers) but not Team/Department managers. Team managers can be configured separately in Learn Amp.
Q: What happens to primary team membership?
Azure AD syncs users into Primary Teams based on their Department field. This will override any manual changes to primary team membership in Learn Amp.
Q: What about secondary teams?
Azure AD does not sync users to Secondary Teams by default. You can assign Secondary Teams manually in Learn Amp, and the integration will not override these.
Q: Does Azure AD delete teams?
No. Azure AD does not delete any teams. Teams can be deleted manually in Learn Amp.
Q: Can I sync timezone?
Timezone is not a standard mappable field. The default company timezone is set in Learn Amp's Company Settings, and individuals can set their own timezone in their profile settings.
Q: Can I disable manager sync?
Yes. Uncheck the option "Assign override manager using Manager/Direct Reports in AzureAD" in the integration settings.
Q: Can I also use Azure AD for SSO?
Yes. Learn Amp can integrate with Azure AD for both User Provisioning and Single Sign-On. See the SSO integration article for details.
Q: Can I use User Provisioning without MS Teams integration?
Yes. You can enable User Provisioning independently of the MS Teams integration.
Q: Does the integration support nested security groups?
Yes. Users who are members of sub-groups within your designated security group will also be synced to Learn Amp.
Troubleshooting
| Issue | Solution |
|---|---|
| Users not appearing in Learn Amp | Verify the user is in the correct Azure AD security group. Wait up to 30 minutes for webhook propagation, or use the "Sync users" button. |
| User details not updating | Changes propagate via webhooks within 30 minutes. Try the manual "Sync users" button if updates aren't appearing. |
| Manager relationships not syncing | Confirm "Assign override managers" is enabled in the integration settings and that Direct Reports are populated in Azure AD. |
| Teams appearing without hierarchy | This is expected behaviour. Create parent/child relationships manually in Learn Amp after the initial sync. |
| Custom fields not syncing | Custom field mappings require development work. Contact your Implementation Coach to arrange this. |
| Profile photos not syncing | Ensure photos are set in Azure AD and wait for the next sync cycle. Use the "Sync users" button to force an immediate sync. |
Last Reviewed: 27/11/2025