Setting Up Microsoft Entra User Provisioning
Overview
The Microsoft Entra ID User Provisioning integration creates a connection between Microsoft Entra ID and Learn Amp that automatically syncs user information. Using the Microsoft Graph API, this integration eliminates the need to manually import or maintain user data in Learn Amp—when you add, update, or remove users in Microsoft Entra ID, those changes flow through to Learn Amp automatically.
Functionality Breakdown
By connecting your Microsoft Entra ID account to Learn Amp via the Graph API:
Automatic user creation – New users added to your designated Microsoft Entra ID group are automatically created in Learn Amp
Synced user details – Changes to user information (job title, department, etc.) in Microsoft Entra ID are reflected in Learn Amp
Automatic deactivation – Users removed from the Microsoft Entra ID group are deactivated in Learn Amp
Manager relationships – Direct Reports from Microsoft Entra ID can be synced as Override Managers in Learn Amp
Profile photo sync – User profile photos from Microsoft Entra ID can be synced to Learn Amp
Flexible invitations – Choose when new users receive their Learn Amp invitation emails
Webhook notifications – Changes in Microsoft Entra ID trigger real-time notifications to Learn Amp
Nested group support – Users in sub-groups within your security group are also synced
Note: This integration uses the Microsoft Graph API. It does not use SCIM or SAML for user provisioning.
Pre-requisites
Requirement | Details |
|---|---|
Microsoft Entra ID Admin Access | Administrator-level access to your Microsoft Entra ID tenant |
Learn Amp Admin Access | Owner or Admin role in Learn Amp during setup |
Microsoft Entra ID Tenant ID | Your organisation's unique Microsoft Entra ID identifier |
Security Group Object ID | The ID of the Microsoft Entra ID group containing users who should access Learn Amp |
Role Requirements
Platform | Role Required |
|---|---|
Learn Amp | Owner or Admin |
Microsoft Entra ID | Administrator (to grant Graph API permissions) |
💡 Tip: We recommend creating a dedicated "Learn Amp Users" security group in Microsoft Entra ID before starting the integration.
Quick Start Guide
From the Learn Amp homepage, click the Settings cog in the left-hand navigation
Select Integrations
Find Microsoft Entra ID and click Configure
Enter your Microsoft Entra ID Tenant ID
Enter your Security Group Object ID
Authorise the integration with Learn Amp (this grants Graph API permissions)
Configure your sync preferences:
Choose whether to send invitation emails immediately
Choose whether to sync manager relationships
Perform the initial sync to create user profiles in Learn Amp
Information That Can Be Synced
The standard integration maps the following fields from the Graph API:
Field in Microsoft Entra ID | Field in Learn Amp |
|---|---|
givenName | first_name |
surname | last_name |
userPrincipalName | |
jobTitle | job_title |
department | department & primary_team_name |
officeLocation | location |
preferredLanguage | language |
directReports | override manager |
employeeHireDate | hire date |
photo | avatar |
Note: Department maps to both the department profile field and the user's primary team in Learn Amp.
Profile Photo Sync
Learn Amp can automatically sync user profile photos from Microsoft Entra ID. When a user's photo is updated in Microsoft Entra ID, it will be reflected in their Learn Amp profile during the next sync.
💡 Tip: Profile photos help create a more personalised and engaging learning environment.
Syncing Additional Information
It's possible to sync additional or different data points from Microsoft Entra ID to Learn Amp. For example, you may want to sync employeeId into a Learn Amp custom field.
Please Note: Custom mapping requests require development work by our technical team. This work is chargeable or can be deducted from your Implementation budget at your Coach's discretion.
Known Limitations
Team Managers
The Microsoft Entra ID integration syncs individual users' managers as Override Managers in Learn Amp (using the directReports field). It does not sync Team/Department managers. However, Team managers can be configured within Learn Amp to work alongside Override Managers—your Implementation Coach can provide guidance.
Team Hierarchy
Microsoft Entra ID creates a team for each department in your directory. These appear as a flat structure in Learn Amp without parent/child relationships. After your initial sync, you can manually create team hierarchies in Learn Amp, which will be preserved going forward.
FAQs
Q: What API does this integration use?
Learn Amp's Microsoft Entra ID integration uses the Microsoft Graph API. It does not use SCIM or SAML for user provisioning.
Q: How do I create new users?
Always create new users or update existing user information in Microsoft Entra ID, not in Learn Amp. Changes will automatically sync to Learn Amp.
Q: How quickly do changes sync?
Microsoft Entra ID syncs with Learn Amp every 24 hours automatically. User changes (additions, removals, updates) trigger webhook notifications that typically propagate within 30 minutes. You can also use the "Sync users" button to force an immediate sync.
Q: Can I control invitation emails?
Yes. When setting up the integration, you can choose to send invitation emails immediately or disable automatic invitations. Invitations can be sent manually at any time from the Individuals page.
Q: Will Microsoft Entra ID sync team managers?
No. Microsoft Entra ID syncs individual manager relationships (Override Managers) but not Team/Department managers. Team managers can be configured separately in Learn Amp.
Q: What happens to primary team membership?
Microsoft Entra ID syncs users into Primary Teams based on their Department field. This will override any manual changes to primary team membership in Learn Amp.
Q: What about secondary teams?
Microsoft Entra ID does not sync users to Secondary Teams by default. You can assign Secondary Teams manually in Learn Amp, and the integration will not override these.
Q: Does Microsoft Entra ID delete teams?
No. Microsoft Entra ID does not delete any teams. Teams can be deleted manually in Learn Amp.
Q: Can I sync timezone?
Timezone is not a standard mappable field. The default company timezone is set in Learn Amp's Company Settings, and individuals can set their own timezone in their profile settings.
Q: Can I disable manager sync?
Yes. Uncheck the option "Assign override manager using Manager/Direct Reports in Microsoft Entra ID" in the integration settings.
Q: Can I also use Microsoft Entra ID for SSO?
Yes. Learn Amp can integrate with Microsoft Entra ID for both User Provisioning and Single Sign-On. See the SSO integration article for details.
Q: Can I use User Provisioning without MS Teams integration?
Yes. You can enable User Provisioning independently of the MS Teams integration.
Q: Does the integration support nested security groups?
Yes. Users who are members of sub-groups within your designated security group will also be synced to Learn Amp.
Troubleshooting
Issue | Solution |
|---|---|
Users not appearing in Learn Amp | Verify the user is in the correct Microsoft Entra ID security group. Wait up to 30 minutes for webhook propagation, or use the "Sync users" button. |
User details not updating | Changes propagate via webhooks within 30 minutes. Try the manual "Sync users" button if updates aren't appearing. |
Manager relationships not syncing | Confirm "Assign override managers" is enabled in the integration settings and that Direct Reports are populated in Microsoft Entra ID. |
Teams appearing without hierarchy | This is expected behaviour. Create parent/child relationships manually in Learn Amp after the initial sync. |
Custom fields not syncing | Custom field mappings require development work. Contact your Implementation Coach to arrange this. |
Profile photos not syncing | Ensure photos are set in Microsoft Entra ID and wait for the next sync cycle. Use the "Sync users" button to force an immediate sync. |
Last Reviewed: 27/11/2025