Synchronising users between Moodle and Teams is not working (local_o365)

[gushagelberg2]

Moodle users are not being synchronised and added to the corresponding Teams Team.

One reason could be that our moodle users have email addresses with capital and lower-case letters (ie. firstName.LastName@Reutlingen-University.DE).

In our Azure AD the emails are all lower-case. My guess is that the plugin fails to match a moodle user with the email firstName.LastName@Reutlingen-University.DE with an Azure AD user with the email firstname.lastname@reutlingen-university.de

Thanks for the help.

[gushagelberg2]

I see that another issue addresses this same problem: https://github.com/microsoft/o365-moodle/issues/1836

I am running Moodle 3.11.5 and local_o365 3.11.2

[gushagelberg2]

This issue also related: https://github.com/microsoft/o365-moodle/issues/1819

[weilai-irl]

Hi @gushagelberg2,

Thank you for reporting the issue.

Could you confirm if the users you are missing in Teams have matching records in local_o365_objects tables please. If you know the Moodle user ID of the user, you can run some simple queries such as SELECT * FROM mdl_local_o365_objects WHERE type = 'USER' AND moodleid = [USERID];

Any user you want to sync to Teams will need to have a mapping record, which effectively maps a Moodle user with an Azure AD user. Without it, the integration wouldn't even try to add the user to the team.

Please confirm this and post back the results. The next steps of the investigation will depend on the outcomes.

BTW, in regarding to letter case in email address, as long as the mapping record exists, the letter case of the email addresses don't matter, as the mapping will be between Moodle user ID and Azure AD user GUID. Of course there's a chance that the user mapping records can't be created because of mismatch of email letter cases (technically Azure AD UPN [User Principle Name] field is used for mapping, not email address), but please confirm the existence of the user mapping records above so that we can move on to next steps.

Regards, Lai

[gushagelberg2]

Hi,

this ist he result I get.

It looks to me like the table mdl310_local_o365_objects

Contains the moodle courses or teams, not users.

What other ideas do you have?

Thanks

Gus

---

Gus Hagelberg, M.A.

Reutlingen University

Rechen- und Medienzentrum

Alteburgstraße 150

72762 Reutlingen

Tel.: +49 (0)7121 271-1327

@.***

www.reutlingen-university.de/rmz

From: Lai Wei @.> Reply to: microsoft/o365-moodle @.> Date: Wednesday, 23. February 2022 at 15:44 To: microsoft/o365-moodle @.> Cc: "Hagelberg, Gus" @.>, Mention @.***> Subject: Re: [microsoft/o365-moodle] Synchronising users between Moodle and Teams is not working (local_o365) (Issue #1987)

Hi @gushagelberg2,

Thank you for reporting the issue.

Could you confirm if the users you are missing in Teams have matching records in local_o365_objects tables please. If you know the Moodle user ID of the user, you can run some simple queries such as SELECT * FROM mdl_local_o365_objects WHERE type = 'USER' AND moodleid = [USERID];

Any user you want to sync to Teams will need to have a mapping record, which effectively maps a Moodle user with an Azure AD user. Without it, the integration wouldn't even try to add the user to the team.

Please confirm this and post back the results. The next steps of the investigation will depend on the outcomes.

BTW, in regarding to letter case in email address, as long as the mapping record exists, the letter case of the email addresses don't matter, as the mapping will be between Moodle user ID and Azure AD user GUID. Of course there's a chance that the user mapping records can't be created because of mismatch of email letter cases (technically Azure AD UPN [User Principle Name] field is used for mapping, not email address), but please confirm the existence of the user mapping records above so that we can move on to next steps.

Regards, Lai

— Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android. You are receiving this because you were mentioned.Message ID: @.***>

[kinnectus]

Do your users log in using the "OpenID Connect" button on the login page?

Have you configured your Moodle users to have "OpenID Connect" authentication method in their profile?

This can be done manually or using the o365 tickbox to match Moodle users with o365 users.

The matching should populate the objects table with users. Essentially, you need users in the table so that the plugin can add your users to their require Teams group using the o365 object ID (their Azure user GUID).

[weilai-irl]

Hi @gushagelberg2,

As explained in my previous note, and as @kinnectus pointed it out, in order for the users to be added to the connected Teams, there need to be mapping records of them in local_o365_objects table. The mapping records can be created in three different ways:

• In most common use cases, you can set up users who have Microsoft 365 accounts to use OpenID Connect authentication method. This would provide the best user experience as users can login using their Microsoft 365 accounts using SSO, and the mapping records can be created as part of this process.
• It's also possible to set up user sync to automatically create Moodle accounts for users from Microsoft 365 tenant, or map Microsoft 365 users with existing Moodle users. You can configure restrictions so that only users matching configured conditions are synced. Mapping records will be created when running the user sync task.
• For whatever reason, if you want to keep the existing authentication method of your Moodle accounts and don't update it to OpenID Connect, you can use the "Manage User Connections" tool in the "Advanced" tab on the integration configuration page to manually setup connections between Moodle and Microsoft 365 accounts. Users will need to login from the Microsoft block to complete the mapping.
• Note it's also possible to do this in bulk using the "User Matching" tool in the "Advanced" tab, which accepts a custom CSV achieving the same.

Please review options and see which one would suit your need best. If you have questions on why there are no existing user mapping records, please post more details (on how users are set up, what user sync options you are using etc), and I'd like to help too.

Regards, Lai

[gushagelberg2]

We use LDAP authentication for Moodle and Microsoft Azure AD for Teams. Are you saying that with this combination the sychronisation with Teams will not work?

[kinnectus]

You will need to use the last two options that lai has provided, if you wish to keep using LDAP authentication. however, you should consider allowing your users to log in to Moodle using their Azure accounts. it doesn't make sense to log your users in using on-prem AD (LDAP) and then they use Teams via their Azure accounts. You could just as easily convert their accounts (on Moodle) so that they sign in using their Azure accounts. They'll receive the same login screen as if they were logging in to office.com.

Personally, I'd create a test VM with Moodle installed. I'd then install the necessary M365 plugins. I'd then run the PowerShell script to configure an Azure Application Registration on your Azure tenant. Once you've then configured this and linked it to your Moodle you can then use the "OpenID Connect" login button on Moodle to sign in using one of your Azure accounts. This method will CREATE a user on your Moodle with the relevant "OpenID Connect" auth method in Moodle. You could then test, yourself, by creating another user manually in Moodle and then match the user with an existing Azure account. If you've configured the plugin to convert the user to use OIDC as their auth type then they will be also be able to use the "OpenID Connect" login button when using Moodle.

When the user signs in (or is synced between Moodle and Azure) they will get the required o365 object and you'll be able to use the Teams integration.

We went through precisely your same situation. We originally ran Moodle via LDAP as we hosted it on-prem. We then moved to Azure (we run a hybrid on-prem/cloud infrastructure) and, thus, all our users also have Azure accounts. It made perfect sense to move our Moodle auth to use OpenID Connect. It's worked very well for us.

[weilai-irl]

Hi @gushagelberg2,

It will work, but only if your Moodle users are CONNECTED to their Microsoft 365 accounts. See the last two points in my previous notes.

Simply put, Moodle needs to map a Moodle user ID, e.g. 2, with the GUID of a Microsoft 365 account, e.g. fe2d944e-3ea0-4059-aed2-2a4aa2eb0b72, to know that a Moodle user is the same Microsoft 365 user. Moodle will only try to add a Microsoft 365 user to a Team if it has this mapping record for the Moodle user. The mapping records can be created through many three ways:

1. If you add the Microsoft block to the user dashboard page, and give "Manage Connection Link" (local/o365:manageconnectionlink) capability to the "authenticated user" role, all authenticated users can set up connection themselves.
2. As site admin, you can go to the "Manage User Connections" tool in the "Advanced" tab on the integration configuration page to manually setup mappings.
3. You can use the "User Matching" tool also in the "Advanced" tab to upload a custom CSV file to bulk add mappings. The content format is described on the upload page.

In all cases, users will need to login to their Microsoft 365 accounts from the Microsoft block to finish the mapping setup (true as of time of writing 03/2022. This requirement will be removed using route 3 CSV upload in the near future for Moodle 3.10+). This will end up adding user mapping records in the local_o365_objects table, which the integration can use to add owners/members to teams.

I hope this explains it clearly.

Regards, Lai