Microsoft Entra ID
Overview
Microsoft Entra ID (formerly Azure Active Directory) integration with Learn Amp enables seamless identity management and authentication for your organisation. By connecting Microsoft Entra ID to Learn Amp, you can automate user provisioning, enable single sign-on (SSO), and ensure your learning platform stays in sync with your company directory.
This integration is ideal for organisations already using Microsoft 365 or Microsoft Entra ID for identity management, reducing manual administration and providing a secure, streamlined experience for learners.
Functionality Breakdown
Learn Amp offers two primary integration options with Microsoft Entra ID:
User Provisioning
Automatically sync user accounts from Microsoft Entra ID to Learn Amp:
- New users added to a designated Microsoft Entra ID group are automatically created in Learn Amp
- User details (name, job title, department, etc.) stay in sync
- Users removed from the Microsoft Entra ID group are deactivated in Learn Amp
- Supports manager relationships via Direct Reports
- Profile photos can be synced automatically
Single Sign-On (SSO)
Allow users to sign in to Learn Amp using their Microsoft Entra ID credentials:
- Seamless authentication using OpenID Connect
- Users sign in with their existing Microsoft credentials
- Secure, enterprise-grade authentication
- Can be used alongside or instead of email/password login
Both integrations can be used independently or together for a complete identity management solution.
Pre-requisites
To set up Microsoft Entra ID integration, you'll need:
| Requirement | Details |
|---|---|
| Microsoft Entra ID Admin Access | Someone with administrator-level access to your Microsoft Entra ID tenant |
| Learn Amp Admin Access | Owner or Admin role in Learn Amp |
| Microsoft Entra ID Tenant ID | Your organisation's unique Microsoft Entra ID identifier |
| Security Group (for provisioning) | A Microsoft Entra ID group containing users who should access Learn Amp |
Role Requirements
| Platform | Role Required |
|---|---|
| Learn Amp | Owner or Admin |
| Microsoft Entra ID | Administrator (to grant admin consent) |
💡 Tip: Create a dedicated "Learn Amp Users" security group in Microsoft Entra ID before starting the integration setup.
FAQs
Q: What's the difference between User Provisioning and SSO?
User Provisioning automatically creates and maintains user accounts in Learn Amp based on your Microsoft Entra ID directory. SSO allows users to sign in using their Microsoft Entra ID credentials. You can use either or both together.
Q: Does Learn Amp use SCIM or SAML?
No. Learn Amp's integration uses the Microsoft Graph API for user provisioning and OpenID Connect (built on OAuth 2.0) for SSO authentication.
Q: Can I sync users from multiple Microsoft Entra ID tenants?
No. Learn Amp connects to a single Microsoft Entra ID tenant per subdomain. Organisations with multiple tenants may need additional subdomains.
Q: How often does user data sync?
Microsoft Entra ID syncs with Learn Amp every 24 hours automatically. Changes to users (additions, removals, updates) trigger webhook notifications that typically propagate within 30 minutes.
Q: Can I use SSO without User Provisioning?
Yes. You can enable SSO independently, but users must already have Learn Amp accounts (created manually, via CSV import, or sFTP).
Q: Can I use User Provisioning without SSO?
Yes. Users will be automatically created but can sign in using email/password or other enabled authentication methods.
Q: What user fields can be synced from Microsoft Entra ID?
Standard fields include: name, email, job title, department, location, language, manager, hire date, and profile photo. Custom field mappings are available—contact your Implementation Coach.
Q: Can I control when invitation emails are sent?
Yes. When setting up User Provisioning, you can choose to send invitations immediately or delay them for manual sending later.
Q: Can I deep link directly to the OAuth flow?
No. For security reasons, the authentication flow must be initiated from the Learn Amp homepage. Update any existing deep links to point to your Learn Amp homepage (https://[yoursubdomain].learnamp.com) instead.
Q: What data does Learn Amp store from Microsoft Entra ID?
Learn Amp stores your Tenant ID (encrypted) and, for User Provisioning, the Security Group Object ID. User profile data synced from Microsoft Entra ID is stored in Learn Amp user profiles.
Q: Can I disable manager sync from Microsoft Entra ID?
Yes. You can uncheck the option "Assign override manager using Manager/Direct Reports in Microsoft Entra ID" in the integration settings.
Q: Does the integration support nested security groups?
Yes. Users who are members of sub-groups within your designated security group will also be synced to Learn Amp.
Troubleshooting
| Issue | Solution |
|---|---|
| Users not syncing from Microsoft Entra ID | Verify the user is in the correct Microsoft Entra ID security group and wait up to 30 minutes for webhook propagation. Use the "Sync users" button to force a sync. |
| SSO login not working | Ensure the user's Learn Amp email matches their Microsoft Entra ID UserPrincipalName (UPN). |
| User details not updating | Changes sync via webhooks within 30 minutes, or every 24 hours automatically. Try the manual "Sync users" button. |
| Manager relationships not appearing | Confirm "Assign override managers" is enabled and the Direct Reports field is populated in Microsoft Entra ID. |
| Teams created as flat structure | Microsoft Entra ID creates teams from departments without hierarchy. You can manually create parent/child relationships in Learn Amp after initial sync. |
| Can't complete SSO setup | Ensure you have Microsoft Entra ID administrator access to grant the required permissions. |
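An added example (not Learn Amp's or Microsoft's code) of a pre-sync check covering the nested-group behaviour from the FAQ and the UPN match from the troubleshooting table: it expands a security group's nested membership to list everyone who would be in scope, then compares each in-scope UPN with existing Learn Amp emails. All group names, user IDs and addresses are constructed, and reporting case-only differences separately is an assumption, since the page does not say how case is treated.

```python
from collections import deque

# Constructed sample data: group -> direct members (users or nested groups).
GROUP_MEMBERS = {
    "learnamp-users": [("group", "sales"), ("group", "contractors"), ("user", "u1")],
    "sales": [("user", "u2"), ("user", "u3")],
    "contractors": [("user", "u4"), ("group", "sales")],
}
DIRECTORY_UPN = {"u1": "ana@example.com", "u2": "Bo.Li@example.com",
                 "u3": "cy@example.com", "u4": "dee_ext@example.com"}
LEARNAMP_EMAILS = ["ana@example.com", "bo.li@example.com", "dee@example.com"]


def effective_members(groups, root):
    """Map each user reachable from root to the group that first admits them."""
    admitted, seen, queue = {}, {root}, deque([root])
    while queue:
        group = queue.popleft()
        for kind, ident in groups.get(group, []):
            if kind == "user":
                admitted.setdefault(ident, group)
            elif ident not in seen:  # expand each nested group only once
                seen.add(ident)
                queue.append(ident)
    return admitted


def sso_match_report(upns, emails):
    """Classify each UPN against the emails of existing Learn Amp accounts."""
    # Assumption: case-only differences are flagged rather than treated as a match.
    exact, folded = set(emails), {e.casefold() for e in emails}
    report = {}
    for user, upn in upns.items():
        if upn in exact:
            report[user] = "match"
        elif upn.casefold() in folded:
            report[user] = "case-differs"
        else:
            report[user] = "no-account"
    return report


if __name__ == "__main__":
    members = effective_members(GROUP_MEMBERS, "learnamp-users")
    for user, via in sorted(members.items()):
        print(user, "in scope via", via)
    print(sso_match_report({u: DIRECTORY_UPN[u] for u in members}, LEARNAMP_EMAILS))
```

Reviewing the "in scope via" column before enabling provisioning shows which nested group brings each account in, which is where unintended access usually comes from.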