microsoft / o365-moodle

Office 365 and Azure Active Directory plugins for Moodle
GNU General Public License v3.0

Feature Request - Change how group membership restriction is processed #1893

Open vdiscipio opened 2 years ago

vdiscipio commented 2 years ago

We have over 35,000 users in Azure and only have 2600 that need to be in Moodle. We have created a dynamic group of users in Azure ( Active-FSS ) that contains the full set that we want to create in Moodle. We have set that Azure group in the plugin as a "User Creation Restriction-Microsoft Group Membership". Only members of the group are created. Is it possible to just read the membership of the Azure group and create them in Moodle if needed and not read all users in Azure, check if they are members of the restriction group, and create them in Moodle if they are in the group?

Thanks for considering this.

mmulrthelp commented 2 years ago

Hi @vdiscipio, we are doing something very similar and have been for a good while; make sure you use the latest release from the end of October, as it now correctly does what you require. If it comes across a user which does not match, you will see this in your sync; it will show this for all Azure users... But that does not matter, we have 90,000 odd AD users.

......... Syncing user xxxxxxxx@ad.xxxx.ac.uk ......... User doesn't exist in Moodle Cannot create user because they do not meet the configured user creation restrictions.

weilai-irl commented 2 years ago

Hi @vdiscipio,

As @mmulrthelp pointed out, the existing user creation restriction feature would achieve the required outcome, which is to only create Moodle users for Azure AD users in the defined group. It still fetches the full list of users though, and performs the restriction check user by user. It was done this way so that the group membership restriction works similarly to all other restriction criteria.

Is there a reason why you don't want to fetch all users from Azure AD?

Regards, Lai

vdiscipio commented 2 years ago

Lai,

We use a dynamic group in Azure based off a value in extensionAttribute15 for our list of users that can access our Moodle instance. This group contains about 2500+- out of 35,000+- user objects in Azure. We are finding that just syncing 1000 a run into Moodle does not pick up the changes in a timely manner, and we have users that cannot access the system when needed. To combat this we have been running a full sync each time, and that process takes over 5 hours to complete. The solution is workable, but it feels like it would be much more efficient to just read the Azure group that is to be in Moodle and check Moodle to see if the account needs to be modified, created or disabled. I have done similar processes in PowerShell for Azure dynamic groups, but do not have any experience in PHP to know if similar functions exist.

Thanks for following up.

Vince DiScipio Director of Technology Services The College of Wooster P – 330.263.2612 F – 330.263.2666


weilai-irl commented 2 years ago

@audrieMSFT,

The request in this issue is to change how the Group Membership user creation restriction is processed when running the user sync scheduled task.

Currently the full or delta list of users is retrieved from Graph API, and for each user received, the task tries to get the list of groups that the user is a member of; if the restriction group appears on the list, the user is synced.

The proposed change is to run the sync from the other direction, so that if the group restriction is set, try to get the members of the group, and only try to sync members of the group.

The benefit of doing so is the user sync task may finish faster, while the risk is we will need to ensure it works with other user sync settings, such as full/delta sync.

Regards, Lai
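The two sync directions discussed in this thread, as an added illustration that is not part of the plugin's code or of any comment above: a constructed in-memory stand-in for the Graph API counts requests so the cost of "walk every user and check memberOf" can be compared with "read the restriction group once". The suspend step for Moodle accounts that have left the group is an assumption, added so that the reverse direction still revokes access; the group name Active-FSS and the example.edu users are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class FakeGraph:
    # Constructed stand-in for the Graph API that counts requests.
    users: set     # every directory user (upn)
    groups: dict   # group name -> set of member upns
    calls: int = 0
    def list_users(self):            # GET /users
        self.calls += 1
        return sorted(self.users)
    def member_of(self, upn):        # GET /users/{upn}/memberOf
        self.calls += 1
        return {g for g, m in self.groups.items() if upn in m}
    def group_members(self, name):   # GET /groups/{id}/members
        self.calls += 1
        return set(self.groups[name])

def sync_forward(graph, moodle, group):
    """Current direction: walk every directory user, one memberOf lookup each."""
    actions = []
    for upn in graph.list_users():
        if group not in graph.member_of(upn):
            actions.append((upn, "skip"))       # logged as 'does not meet restriction'
        else:
            actions.append((upn, "create" if upn not in moodle else "keep"))
    return actions

def sync_reverse(graph, moodle, group):
    """Proposed direction: read the group once and sync only its members.
    Assumption: Moodle accounts that have left the group get suspended."""
    members = graph.group_members(group)
    actions = [(u, "create" if u not in moodle else "keep") for u in sorted(members)]
    for upn, acct in moodle.items():
        if upn not in members and not acct["suspended"]:
            actions.append((upn, "suspend"))
    return actions

def demo():
    # Constructed data: four directory users, three in Active-FSS, three Moodle accounts.
    users = {"a@example.edu", "b@example.edu", "c@example.edu", "d@example.edu"}
    graph = FakeGraph(users, {"Active-FSS": users - {"d@example.edu"}})
    moodle = {u: {"suspended": False} for u in ("b@example.edu", "c@example.edu", "d@example.edu")}
    fwd = sync_forward(graph, moodle, "Active-FSS")
    fwd_calls, graph.calls = graph.calls, 0
    rev = sync_reverse(graph, moodle, "Active-FSS")
    return fwd, fwd_calls, rev, graph.calls
```

With 35,000 directory users the forward direction issues one memberOf request per user on top of the user listing, whereas the reverse direction issues one members request for the group; the user who is in Moodle but no longer in the group is only skipped by the forward walk and is suspended by the reverse one.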

Tigger996 commented 2 years ago

I agree that this would be a great feature. We would have a smaller usersync based on the group based on the whole AAD.

tafkey commented 1 month ago

👍