How to Set Up O365 Single Sign On

Summary

Integrating Microsoft 365 into your Moodle platform will allow your users to seamlessly sign into the platform using their O365 credentials. Alongside this, the integration can also allow for the creation of users that exist within your Microsoft Azure Active Directory directly in Moodle. This guide will show you how to set up the Microsoft 365 integration on your platform.

Step 1 - Account creation

In order to perform the integration a member of your organisation with global Administrator access within Microsoft Azure will need to have an Administrator account setup in Moodle. To create a new Administrator account on the platform you’ll first need to create a new user account by going to:

Site Administration > Users > Accounts > Add a new user 

Once the user account has been created, you can go to:

Site Administration > Users > Permissions > Site Administrators

Within this page you’ll need to search for your new user account using the panel on the right and add this user to the list of Administrators in the panel on the left.

Step 2 - Navigation

In order to perform the integration within Moodle, you’ll need to go to the following page on your platform, whilst logged in to your site administrator account:

Site Administration > Plugins > Local plugins > Microsoft 365 integration

Step 3 - Integration

Within the Microsoft 365 integration page they’re are a sequence of steps to be completed, with each step unlocking the next. When you first access the page, you’ll only be able to see the first step of the integration. We'll cover each of the key integration steps below:

Register Moodle with Azure AD (Step 1)

• The first step requires you to create a new app integration within Azure for Moodle. 
• You’ll then need to input the Application ID and Client secret into the boxes shown in step 1 of the integration page.
• Once complete, click “Save changes” to unlock the next step.

Choose connection method (Step 2)

• In step 2 of the integration you can use the recommended setting for “Application access”. This setting uses the application token to call Graph APIs as an application.
• Once complete, click “Save changes” to unlock the next step.

Admin consent & additional information (Step 3)

• In step 3 you’ll need to add in all of the required permissions to Azure in order for the integration to work. The full list of application permissions and delegated permissions can be found within the Microsoft 365 documentation. 
• Once all of the required permissions have been added and confirmed within Microsoft Azure you can return to the Microsoft 365 integration page within Moodle and click “Provide Admin Consent”, the Administrator will then need to sign into Microsoft Azure to confirm the permissions into the Moodle system.
• Following on from the above you can now click “Detect” for the “Azure AD Tenant” and “OneDrive for Business URL”.
• Once complete, click “Save changes” to unlock the final step.

Verify setup

• Once all of the above steps have been completed a final verification step will appear on the integration page and you can click “Update”.
• This step will confirm if all of the required permissions have been added or if any have been missed, if permissions are missing then you may need to repeat step 3 in order to add these permissions in.
• Finally, if all of the permissions have been correctly added, you can click “Save changes” to complete the integration. 

Step 4 - Sync settings

Once you’ve completed the above steps your users will be able to access your Moodle platform via the O365 login button on your sign in page. If you wish for the user creation process to be managed by the records you have for users in your Microsoft Azure Active Directory then you can set up sync settings within Moodle to automatically create new users. 

In order to set up the user sync, go to the “Sync settings” tab within the Microsoft 365 integration page. Within this page you’ll see a number of different settings available, below are the recommended settings we advise you use:

We’ll explain in more detail how each of the selected settings work below:

• Create accounts in Moodle for users in Azure AD - This will create users in Moodle from each user in the linked Azure Active Directory. This only applies to users which do not currently have an account on your platform. 
• Update all accounts in Moodle for users in Azure AD - This allows basic user details to be updated automatically when changes are made in Azure.
• Suspend previously synced accounts in Moodle when they are deleted from Azure AD - When a user is deleted in Azure, their account will automatically be suspended in Moodle following the next sync.
• Re-enable suspended accounts for users in Azure AD - If a suspended Moodle users account is made active in Azure, the Moodle account will be unsuspended.
• Sync Microsoft 365 profile photos to Moodle in cron job - This updates the Moodle users profile to show their profile image from Azure.
• Sync Microsoft 365 profile photos to Moodle on login - This updates the Moodle users login page profile to show their profile image from Azure.
• Perform a full sync each run - Selecting this option will force a full user sync each time the sync runs.

Important: Before you save any changes within the sync settings page, it’s important to ensure that a “User Creation Restriction” is in place to ensure that only users within a specified group will be added to the platform. Typically, this would be using a restriction as shown below:

This would ensure that only users in Azure Active Directory that are part of the specific Microsoft 365 Group Membership will have an account created in Moodle. 

Step 5 - Mapping settings

If you’ve opted for the O365 sync option above, then you will benefit from making a few changes to your data mapping settings to ensure user data appears correctly within Moodle. The two changes you should make are highlighted below:

• Data mapping (First name) - Given Name
• Data mapping (Last name) - Surname