microsoft / o365-moodle

Office 365 and Azure Active Directory plugins for Moodle
GNU General Public License v3.0

local_0365 defaulting to proxy/alias user account #2382

Open katcee opened 1 year ago

katcee commented 1 year ago

We have a problem using 4.1.1 on Moodle 4.1.2.

In Azure AD, some of our users have 2 usernames but the same email address - usually after the original account owner got married or changed the spelling of their name. There is one account but it has two IDs, so it could be Jane.Smith@smithtown.com as the original, first created account, then Jane.Jones@smithtown.com as the new alias/proxy email. In the past (3.9+), o365 authentication has always defaulted to the first created ID but absorbed both IDs and created them as separate accounts with the same email address (it seems to bypass any unique email address settings). We usually suspend the unused one.

With this plugin's 4.1.1 version, the login process defaults to the alias or second email account, which means anyone who has two accounts logs in and finds they have completed nothing.

We don't want to try to merge accounts because a) it is messy and imprecise and b) what happens if someone experiences another email change? Will the login process then default to that one as well?

How can we get it to work so that it is defaulting to the original account again and our users are not bothered by account changes?

katcee commented 1 year ago

The update to 3.1.3 has not corrected this issue.

weilai-irl commented 10 months ago

Hi @katcee

Sorry for not getting back to you sooner.

Let me clarify something first - when you say a user having "2 usernames", are they multiple email addresses belonging to a single Microsoft account, or are they separate accounts? I think your description is mixing a few things, so let me clarify.

When an Azure admin needs to change the username of a Microsoft account for whatever reason, the most common practice is to change the UPN. After the change:

So to sum up - when a Microsoft account is renamed, its UPN and emails may change, but the GUID doesn't.

Assuming this is what happens in your organisation, the release from June 2023 (4.0.4, 4.1.2, 4.2.1) contains the fix. The releases added support for Microsoft UPN change. This is done by mapping Moodle users with Microsoft users using GUID, instead of UPN as in previous versions.

The feature is disabled by default, and in order to turn on the feature, you will need to log in to the Moodle site using a site admin account, go to the Microsoft 365 integration configuration page (local_o365 configuration page), go to the "Sync settings" tab, and check the "Support Microsoft account UPN change" checkbox. The setting contains an explanation which describes the logic to use when enabled.

It is worth highlighting that if you know there are multiple Moodle accounts matching the same Microsoft account, it's best practice to get rid of the duplicate accounts by merging them, and keep the remaining account having the username matching the current UPN. The feature described above would take over from there. I have been using tool_mergeusers for jobs like this, and it works perfectly for core Moodle data/plugins.

Hope this helps.

Regards, Lai
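
An added example, not code from the plugin or from the posts above: a Python audit over exported account records that groups Moodle users by the Microsoft object ID (GUID) rather than by UPN. It reports duplicates to merge, keeping the account named after the current UPN as the reply recommends, and single accounts whose username is stale. The records, field names and the example.test domain are constructed assumptions, not the plugin's schema.

```python
from collections import defaultdict

# Constructed sample data; the field names are hypothetical, not the plugin's schema.
DIRECTORY = [  # current Microsoft accounts: immutable object ID (GUID) + current UPN
    {"oid": "8F1C0000-0000-4000-8000-000000000001", "upn": "Jane.Jones@example.test"},
    {"oid": "8f1c0000-0000-4000-8000-000000000002", "upn": "sam.lee@example.test"},
]
MOODLE_USERS = [  # Moodle accounts with the object ID recorded when they were linked
    {"id": 10, "username": "jane.smith@example.test", "oid": "8f1c0000-0000-4000-8000-000000000001"},
    {"id": 57, "username": "jane.jones@example.test", "oid": "8f1c0000-0000-4000-8000-000000000001"},
    {"id": 11, "username": "s.lee@example.test", "oid": "8f1c0000-0000-4000-8000-000000000002"},
    {"id": 12, "username": "localadmin", "oid": None},  # manual account, never linked
]


def norm(value):
    """GUIDs and UPNs compare case-insensitively."""
    return value.strip().lower() if value else None


def audit(directory, moodle_users):
    """Return one finding per Microsoft account whose Moodle mapping needs attention."""
    by_oid = defaultdict(list)
    for user in moodle_users:
        if norm(user["oid"]):
            by_oid[norm(user["oid"])].append(user)

    findings = []
    for account in directory:
        linked = by_oid.get(norm(account["oid"]), [])
        current = [u for u in linked if norm(u["username"]) == norm(account["upn"])]
        stale = [u for u in linked if norm(u["username"]) != norm(account["upn"])]
        if len(linked) > 1:
            # Duplicates: keep the account named after the current UPN, merge the rest.
            keep = current[0]["id"] if current else None  # None = decide manually
            findings.append({"oid": norm(account["oid"]), "action": "merge", "keep": keep,
                             "merge": [u["id"] for u in linked if u["id"] != keep]})
        elif stale:
            # Single account, old username: the UPN changed but the GUID still matches.
            findings.append({"oid": norm(account["oid"]), "action": "rename",
                             "keep": stale[0]["id"], "merge": []})
    return findings


if __name__ == "__main__":
    for finding in audit(DIRECTORY, MOODLE_USERS):
        print(finding)
```
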