Azure Active Directory
Overview
Azure Active Directory (Azure AD) integration with Learn Amp enables seamless identity management and authentication for your organisation. By connecting Azure AD to Learn Amp, you can automate user provisioning, enable single sign-on (SSO), and ensure your learning platform stays in sync with your company directory.
This integration is ideal for organisations already using Microsoft 365 or Azure AD for identity management, reducing manual administration and providing a secure, streamlined experience for learners.
Functionality Breakdown
Learn Amp offers two primary integration options with Azure Active Directory:
User Provisioning
Automatically sync user accounts from Azure AD to Learn Amp:
- New users added to a designated Azure AD group are automatically created in Learn Amp
- User details (name, job title, department, etc.) stay in sync
- Users removed from the Azure AD group are deactivated in Learn Amp
- Supports manager relationships via Direct Reports
- Profile photos can be synced automatically
Single Sign-On (SSO)
Allow users to sign in to Learn Amp using their Azure AD credentials:
- Seamless authentication using OpenID Connect
- Users sign in with their existing Microsoft credentials
- Secure, enterprise-grade authentication
- Can be used alongside or instead of email/password login
Both integrations can be used independently or together for a complete identity management solution.
Pre-requisites
To set up Azure AD integration, you'll need:
| Requirement | Details |
|---|---|
| Azure AD Admin Access | Someone with administrator-level access to your Azure AD tenant |
| Learn Amp Admin Access | Owner or Admin role in Learn Amp |
| Azure AD Tenant ID | Your organisation's unique Azure AD identifier |
| Security Group (for provisioning) | An Azure AD group containing users who should access Learn Amp |
Role Requirements
| Platform | Role Required |
|---|---|
| Learn Amp | Owner or Admin |
| Azure AD | Administrator (to grant admin consent) |
💡 Tip: Create a dedicated "Learn Amp Users" security group in Azure AD before starting the integration setup.
FAQs
Q: What's the difference between User Provisioning and SSO?
User Provisioning automatically creates and maintains user accounts in Learn Amp based on your Azure AD directory. SSO allows users to sign in using their Azure AD credentials. You can use either or both together.
Q: Does Learn Amp use SCIM or SAML?
No. Learn Amp's integration uses the Microsoft Graph API for user provisioning and OpenID Connect (OAuth2) for SSO authentication.
Q: Can I sync users from multiple Azure AD tenants?
No. Learn Amp connects to a single Azure AD tenant per subdomain. Organisations with multiple tenants may need additional subdomains.
Q: How often does user data sync?
Azure AD syncs with Learn Amp every 24 hours automatically. Changes to users (additions, removals, updates) trigger webhook notifications that typically propagate within 30 minutes.
Q: Can I use SSO without User Provisioning?
Yes. You can enable SSO independently, but users must already have Learn Amp accounts (created manually, via CSV import, or sFTP).
Q: Can I use User Provisioning without SSO?
Yes. Users will be automatically created but can sign in using email/password or other enabled authentication methods.
Q: What user fields can be synced from Azure AD?
Standard fields include: name, email, job title, department, location, language, manager, hire date, and profile photo. Custom field mappings are available—contact your Implementation Coach.
Q: Can I control when invitation emails are sent?
Yes. When setting up User Provisioning, you can choose to send invitations immediately or delay them for manual sending later.
Q: Can I deep link directly to the OAuth flow?
No. For security reasons, the authentication flow must be initiated from the Learn Amp homepage. Update any existing deep links to point to your Learn Amp homepage (https://[yoursubdomain].learnamp.com) instead.
Q: What data does Learn Amp store from Azure AD?
Learn Amp stores your Tenant ID (encrypted) and, for User Provisioning, the Security Group Object ID. User profile data synced from Azure AD is stored in Learn Amp user profiles.
Q: Can I disable manager sync from Azure AD?
Yes. You can uncheck the option "Assign override manager using Manager/Direct Reports in AzureAD" in the integration settings.
Q: Does the integration support nested security groups?
Yes. Users who are members of sub-groups within your designated security group will also be synced to Learn Amp.
Troubleshooting
| Issue | Solution |
|---|---|
| Users not syncing from Azure AD | Verify the user is in the correct Azure AD security group and wait up to 30 minutes for webhook propagation. Use the "Sync users" button to force a sync. |
| SSO login not working | Ensure the user's Learn Amp email matches their Azure AD UserPrincipalName (UPN). |
| User details not updating | Changes sync via webhooks within 30 minutes, or every 24 hours automatically. Try the manual "Sync users" button. |
| Manager relationships not appearing | Confirm "Assign override managers" is enabled and the Direct Reports field is populated in Azure AD. |
| Teams created as flat structure | Azure AD creates teams from departments without hierarchy. You can manually create parent/child relationships in Learn Amp after initial sync. |
| Can't complete SSO setup | Ensure you have Azure AD administrator access to grant the required permissions. |
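
The "SSO login not working" row and the nested-groups FAQ answer can be checked together before SSO is switched on. The script below is an added example, not Learn Amp or Microsoft code: it walks a constructed export of the security group (including nested and circular sub-groups) and flags existing Learn Amp accounts whose email is the user's mail address rather than their UPN. The data layout, the `contoso.example` names and the case-insensitive comparison are assumptions made for the illustration.

```python
# Constructed export: group name -> direct members. A member is either
# ("user", upn, mail) or ("group", nested_group_name). All values are made up.
GROUPS = {
    "Learn Amp Users": [
        ("user", "a.khan@contoso.example", "a.khan@contoso.example"),
        ("group", "Sales"),
    ],
    "Sales": [
        ("user", "jsmith@contoso.example", "john.smith@contoso.example"),
        ("group", "Sales EMEA"),
    ],
    "Sales EMEA": [
        ("user", "M.Rossi@contoso.example", "m.rossi@contoso.example"),
        ("group", "Sales"),  # circular nesting must not loop forever
    ],
}
# Constructed export of existing Learn Amp account emails.
LEARN_AMP_EMAILS = ["a.khan@contoso.example", "john.smith@contoso.example",
                    "m.rossi@contoso.example", "old.contractor@contoso.example"]

def transitive_users(groups, root):
    """Return {lower-cased UPN: lower-cased mail} for root and all nested groups."""
    users, seen, stack = {}, set(), [root]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        for member in groups.get(name, []):
            if member[0] == "group":
                stack.append(member[1])
            else:
                users[member[1].strip().lower()] = member[2].strip().lower()
    return users

def audit(groups, root, learn_amp_emails):
    """Bucket Learn Amp emails by how they relate to in-scope directory users."""
    users = transitive_users(groups, root)
    mails = set(users.values())
    report = {"ok": [], "email_is_mail_not_upn": [], "no_directory_match": []}
    for email in learn_amp_emails:
        key = email.strip().lower()  # assumption: match is case-insensitive
        bucket = ("ok" if key in users else
                  "email_is_mail_not_upn" if key in mails else "no_directory_match")
        report[bucket].append(key)
    return report

if __name__ == "__main__":
    for bucket, emails in audit(GROUPS, "Learn Amp Users", LEARN_AMP_EMAILS).items():
        print(f"{bucket}: {emails}")
```

Accounts in `email_is_mail_not_upn` are the ones the troubleshooting row describes; accounts in `no_directory_match` have no corresponding user in the group and are worth reviewing before go-live.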