local_0365 defaulting to proxy/alias user account

[katcee]

We have a problem using 4.1.1 on Moodle 4.1.2.

In Azure AD, some of our users have 2 usernames but the same email address - usually after the original account owner got married or changed the spelling of their name. There is one account but it has two IDs, so it could be Jane.Smith@smithtown.com as the original, first created account, then Jane.Jones@smithtown.com as the new alias/proxy email. In the past (3.9+), o365 authentication has always defaulted to the first created ID but absorbed both ids and created them as separate accounts with the same email address (it seems to bypass any unique email address settings). We usually suspend the unused one.

With this plugin's 4.1.1 version, the login process defaults to the alias or second email account, which means anyone who has two accounts logs in and finds they have completed nothing.

We don't want to try to merge accounts because a) it is messy and imprecise and b) what happens if someone experiences another email change? Will the log in process then default to that one as well?

How can we get it to work so that it is defaulting to the original account again and our users are not bothered by account changes?

[katcee]

The update to 3.1.3 has not corrected this issue.

[weilai-irl]

Hi @katcee

Sorry for not getting back to you sooner.

Let me clarify something first - when you say a user having "2 usernames", are they multiple email addresses belonging to a single Microsoft account, or are they separate accounts? I think your description is mixing a few things, so let me clarify.

• Each Microsoft account has a User Principle Name (UPN), a GUID, and one or more email addresses.
• UPN is normally in email form, e.g. jane.smith@smithtown.com. Note this may be referred as username in many cases.
• GUID is a global unique identifier, e.g. 487be493-4f8d-425c-b178-6198a4f8bc94.
• Each account would have the UPN as the default email address at the time of creation, but may have other email addresses (alias) added, e.g. jane.e.smith@smithtown.com.

When Azure admin needs to change the username of a Microsoft account for whatever reason, the most common practice is to change the UPN. After the change:

• The account will still be the same account, i.e. the GUID of the account is not changed.
• The UPN of the account will be changed to, e.g. jane.jones@smithtown.com.
• The new username will be added as an email address linked to the account, and the old username will be made an alias.

So to sum up - when a Microsoft account is renamed, its UPN and emails may change, but the GUID doesn't.

Assuming this is what happens in your organisation, the release from June 2023 (4.0.4, 4.1.2, 4.2.1) contains the fix. The releases added support to Microsoft UPN change. This is done by mapping Moodle users with Microsoft users using GUID, instead of UPN as in previous versions.

The feature is disabled by default, and in order to turn on the feature, you will need to log in to Moodle site using site admin account, go to the Microsoft 365 integration configuration page (local_o365 configuration page), go to "Sync settings" tab, and check the "Support Microsoft account UPN change" checkbox. The setting contains an explanation which describes the logic to use when enabled.

It worths highlighting that if you know there are multiple Moodle accounts matching to a same Microsoft account, it's best practice to get rid of the duplicate accounts by merging them, and keep the remaining account having the username matching the current UPN. The feature described above would take over from there. I have been using tool_mergusers for jobs like this, and it works perfectly for core Moodle data/plugins.

Hope this helps.

Regards, Lai