Office365

Note: You are currently viewing documentation for Moodle 3.0. Up-to-date documentation for the latest stable version of Moodle may be available here: Office365.

Introduction

Office 365 and Active Directory plugins for Moodle provide a more coherent and synchronous experience for teachers and students using both Moodle and Office 365. Before the plugins can be used, a Moodle administrator with Office 365 administrator privileges must configure them for the Moodle site.

Requirements

To use the Office 365 plugins, you need the following:

  • An Office 365 subscription.
  • A Microsoft Azure subscription.
  • Moodle version 2.7 or above.

Please note no paid Azure services are required to use the plugins. In particular, Azure Active Directory (also known as Azure AD or AAD) comes in three editions: Free, Basic, and Premium. The Free edition is all that is needed for use of the plugins. You can access the Azure Active Directory associated with your Office 365 tenant from the Office 365 Admin Settings.

Plugins & Features

The Office 365 set of plugins contains 10 different plugins which provide a wide variety of features to enhance your Moodle instance.

  • Office 365 Local Plugin (local_office365)
    • This is a shell plugin which has dependencies on the current version of each of the 9 plugins that make up the complete set. Installing this plugin ensures you have the current version of each of the functional plugins installed.
  • OpenID Connect Authentication Plugin (auth_oidc)
    • This plugin allows users to log in to Moodle using their Office 365 accounts.
    • Users with existing Moodle accounts can switch to using this authentication plugin, and new users can log in with this plugin and have an account created for them.
    • If the administrator allows, users can also choose to disconnect from OpenID Connect and revert to their previous login method, or to a username/password.
    • Features
      • Standards-Compliant OpenID Connect Authentication
      • Supports authorization code or resource-owner credentials grants
        • Users can log in to Moodle by clicking the identity provider on the login page, or by entering their OpenID Connect credentials.
      • Customizable Icon + Identity Provider name
        • The icon and identity provider name shown on the Moodle login page can be customized. A number of prechosen icons are available, as well as the ability to upload your own.
      • Provides hooks to link OpenID Connect accounts to Moodle accounts
        • If you do not want to change your users' login method, you can still connect to an OpenID Connect provider. The plugin provides code-level hooks to link a Moodle account to an OpenID Connect account without changing the Moodle user's authentication method. This means you can obtain tokens from an OpenID Connect service in the background.
      • Optional user-self-service connection and disconnection
        • A user-facing page is available for users to switch to and from OpenID Connect authentication. Access to this page and feature is controlled by a capability so administrators can disable it.
  • Microsoft Block (block_microsoft)
    • This block provides a user-facing menu to access various Office 365 integration features, resources, and settings.
    • Links to Office 365 Resources associated with Moodle Courses (including Course SharePoint sites and Course Office 365 Groups) as well as a user's personal Office 365 Resources (including OneDrive for Business, Sways, Docs.com, Delve, Forms & OneNote Notebook).
    • Contains settings such as Outlook Calendar sync preferences.
    • Shows connection status to Office 365 and user photo from Outlook.
  • Microsoft Office 365 Integration Local plugin (local_o365)
    • This plugin provides most of the Office 365 integration back-end. This provides shared code to communicate with Office 365, and powers the calendar sync.
    • Features
      • Calendar sync from/to Office 365 Outlook.
        • Users can sync site events, course events, assignment due dates, and their personal Moodle calendar to their Outlook calendar.
      • SharePoint sites for each Moodle course.
        • You can connect your Moodle instance to a SharePoint subsite. Sites below this will be created for each course in your Moodle instance, and the document library from each course subsite is accessible through the OneDrive for Business repository. The course subsite document library is accessible by course teachers, serving as a place for teachers to share documents.
      • Office 365 Groups for each Moodle course
        • You can create Office 365 groups for each course in your Moodle instance. Links to Office 365 group resources such as Files, Conversations, and Calendar will be accessible from the Microsoft Block in each course. Moreover, the group files from each course group are accessible through the Office 365 repository. The group files are accessible by course teachers and students, serving as a place for teachers and students to share documents.
  • OneNote Local plugin (local_onenote)
    • This provides supporting and shared code used by all other OneNote plugins. It does not have a user interface or configuration by itself.
  • OneNote Assignment Feedback (assignfeedback_onenote)
    • Allows teachers to leave feedback for students using OneNote.
  • OneNote Assignment Submission (assignsubmission_onenote)
    • Allows students to submit assignments using OneNote.
  • OneNote Repository (repository_onenote)
    • Allows access to a user's OneNote files from the Moodle repository view.
  • Office 365 Repository (repository_office365)
    • This is a repository plugin that allows users to access Office 365 resources in Office 365 services such as OneDrive for Business, SharePoint, and Office Video directly from the Moodle file-picker.
    • Features:
      • Import files into Moodle from Office 365.
      • Upload files into Office 365 services from within Moodle.
      • Link to resources in Office 365 so users always get the most up-to-date version.
      • Embed Office 365 resources into Moodle courses so users can view them directly on the site.
  • oEmbed Filter (filter_oembed)
    • This filter converts links to a variety of sites into oembed-powered interactions.
    • Allows you to embed Office Mix, Sway, Docs.com, Office Video, Excel Power View, and Microsoft Forms content into your Moodle courses.

Resources

Azure Resource Manager Templates: These can be used to set up a quick and easy test environment in Azure.

Setup

Server Requirements

This plugin suite supports the minimum system requirements for Moodle 2.7.

Client Requirements

This plugin suite supports the minimum client requirements for Moodle 2.7.

Installation

The packages are available from:

When you log back in to your Moodle instance, you are presented with all the plugin configuration options. Save the settings without configuring them for now; you will come back to them later.

For information on installing plugins in Moodle see Installing plugins

Configuration

After you have the plugins installed in your Moodle instance, you'll need to do a bit of setup before you can use and configure additional plugin settings including User Sync, SharePoint, etc. For more information on these additional settings see Microsoft Office 365 Integration Local plugin.

Enable the OpenID Connect Authentication Plugin

  1. Navigate to Site Administration > Plugins > Authentication and click Manage authentication
  2. Locate the OpenID Connect authentication plugin and click the eye icon to enable
  3. Click the Settings link for the plugin.
  4. Verify the Authorization and Token endpoints. These should be set by default but if not, set the endpoints to the following:
    1. Authorization Endpoint: https://login.windows.net/common/oauth2/authorize
    2. Token Endpoint: https://login.windows.net/common/oauth2/token
  5. Note the Redirect URI. This should be the URI of your Moodle instance followed by /auth/oidc. You will need to enter this value into Azure AD later, so note this value and put it aside.
    1. For example, https://www.example.com/auth/oidc/
    2. Notes:
      1. This is a fixed value that is derived from your Moodle site's configured URL (wwwroot). You cannot change this value directly. If you need to change it for any of the following reasons, you must change your Moodle site's configured domain name ($CFG->wwwroot).
      2. This URL must be a fully qualified domain name pointing to your Moodle instance.
      3. If your Moodle installation is configured with an IP address pointing to your instance, you must change $CFG->wwwroot in your config.php to a fully-qualified domain name.
      4. This domain name does not need to be publicly accessible (i.e. internet-wide), but does need to be accessible to users of your Moodle instance. So, for example, you can use an intranet-only domain name.

Prepare your Office 365 account for single sign-on with your Moodle installation

You will need an Azure subscription. If you do not have one, you can create one by visiting Microsoft Azure Sign Up (http://azure.microsoft.com/en-us/pricing/free-trial/).

To use Moodle with Office 365 for SSO, you must configure Microsoft Azure to manage your Office 365 Microsoft Azure Active Directory:

  1. Create a new Active Directory.
  2. Select Use existing directory.
     Figure: Add directory dialog with creation options
  3. Select I am ready to be signed out now and click the check mark.
     Figure: Add directory dialog log out option
  4. Sign in with your Office 365 subscription credentials.
  5. Click Continue.
  6. Log out and sign back in to your Azure account.

Note: In order to sign up for an Azure subscription, you are required to enter a credit card and phone number. If you only use the subscription to access the Azure Active Directory associated with your Office 365 subscription and enable no other paid services such as Virtual Machines, you will not be charged for the subscription.

Register your Moodle instance as an Application in Azure Active Directory

  1. Sign in to the Microsoft Azure Management Portal.
  2. Click on the Active Directory icon on the left menu, and then click on the desired Office 365 connected Azure AD.
  3. On the top menu, click Applications. If no apps have been added to your directory, this page will only show the Add an App link. Click on the link, or alternatively you can click on the Add button on the command bar.
  4. On the What do you want to do page, click on the link to Add an application my organization is developing.
  5. On the Tell us about your application page, you must specify a name for your application and indicate the type of application you are registering with Azure AD. Click web application and/or web API (default) and then click the arrow icon on the bottom-right corner of the page.
  6. On the App properties page, provide the Sign-on URL and App ID URI for your Moodle instance.
    1. The Sign-on URL is the Redirect URI you noted from the OpenID Connect authentication plugin configuration. Ensure there is a trailing slash for this URL - i.e. https://example.com/auth/oidc/
    2. The App ID URI is the main URI of the Moodle instance.
  7. Click the checkbox in the bottom-right hand corner of the page and then click Ok to add your app to Azure Active Directory.
  8. You still need to make a couple more changes and write down some values, which you will need in the next section.
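
The Redirect URI rules above (derived from wwwroot, fully qualified domain name rather than an IP address, trailing slash on the Azure side) can be checked before registering the application. This is an added example, not code from the plugin suite; the function names are hypothetical, and comparing the two URLs as exact strings is a conservative assumption.

```python
import ipaddress
from urllib.parse import urlsplit


def expected_redirect_uri(wwwroot):
    """Redirect URI as this page describes it: wwwroot followed by /auth/oidc/."""
    return wwwroot.rstrip("/") + "/auth/oidc/"


def check_redirect_setup(wwwroot, azure_sign_on_url):
    """Return a list of problems; an empty list means the values agree.

    wwwroot           -- value of $CFG->wwwroot from config.php
    azure_sign_on_url -- Sign-on URL entered for the application in Azure AD
    """
    problems = []
    host = urlsplit(wwwroot).hostname or ""

    # The page requires a domain name; an IP-based wwwroot must be changed.
    try:
        ipaddress.ip_address(host)
        problems.append(
            "wwwroot uses an IP address; set $CFG->wwwroot to a domain name")
    except ValueError:
        # Not an IP literal. A single-label or empty host is not fully qualified.
        if "." not in host:
            problems.append(
                "wwwroot host %r is not a fully qualified domain name" % host)

    expected = expected_redirect_uri(wwwroot)
    if azure_sign_on_url != expected:
        if azure_sign_on_url.rstrip("/") == expected.rstrip("/"):
            problems.append(
                "Sign-on URL is missing the trailing slash; expected " + expected)
        else:
            problems.append(
                "Sign-on URL %r does not match %r" % (azure_sign_on_url, expected))
    return problems


if __name__ == "__main__":
    # Constructed sample values for illustration.
    for root, url in [
        ("https://www.example.com", "https://www.example.com/auth/oidc/"),
        ("https://www.example.com", "https://www.example.com/auth/oidc"),
        ("http://192.0.2.10/moodle", "http://192.0.2.10/moodle/auth/oidc/"),
    ]:
        print(root, "->", check_redirect_setup(root, url) or "OK")
```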

Configure your Azure Active Directory Application

  1. In Azure, click on the Active Directory icon on the left menu, and then click on the desired Azure AD.
  2. Click the Applications tab at the top of the screen.
  3. Locate the application you created and click its name in the list.
  4. Click Configure at the top of the screen.
  5. Locate the Client ID, note this value (write it down or copy it somewhere), and set it aside. You'll need it later.
  6. Create a client secret key.
    1. Locate the keys section of the page.
    2. Select a duration for the validity of the key.
    3. Click "Save" at the bottom of the screen. The page will reload and a key value will be shown in the keys section.
    4. Note this key value (copy it to a file on your computer, for example) and set it aside. You'll need it later.
       Figure: OpenID Connect Settings
  7. Locate the Permissions to other applications section.
  8. Click Add application, then click the plus sign to the right of Microsoft Graph, Office 365 Exchange Online, Office 365 SharePoint Online, and OneNote. Note that the plus sign appears when you hover over each of the items.
  9. Click the check mark at the bottom right of the dialog.
  10. In the Delegated Permissions dropdown for Office 365 Exchange Online select the following permissions:
    1. Read user calendars.
    2. Read and write user calendars.
  11. In the Delegated Permissions dropdown for Office 365 SharePoint Online select the following permissions:
    1. Read items in all site collections
    2. Read and write items in all site collections
    3. Read and write items and lists in all site collections
    4. Have full control of all site collections
    5. Read user files
    6. Read and write user files
  12. In the Delegated Permissions dropdown for Windows Azure Active Directory select the following permissions:
    1. Read and write directory data
      • Note: Write permissions here are used by the Azure AD setup tool to automatically fix permissions. If you do not want to grant directory write access, the plugin suite will work with only the "Read directory data" permission.
    2. Read all users' full profiles
    3. Access the directory as the signed-in user.
  13. In the Delegated Permissions dropdown for OneNote select the following permissions:
    1. Create pages in OneNote notebooks
    2. View OneNote notebooks.
    3. View and modify OneNote notebooks.
  14. In the Delegated Permissions dropdown for Microsoft Graph select the following permissions:
    1. Have full access to user calendars.
    2. Access directory as the signed in user.
    3. Read and write directory data.
    4. Have full access to user files.
    5. Read and write all groups.
    6. Read and write notebooks that the user can access (preview).
    7. Read items in all site collections.
    8. Read and write all users full profiles.
    9. Sign users in.
  15. In the Application Permissions dropdown for Windows Azure Active Directory select the following permissions:
    1. Read directory data
  16. In the Application Permissions dropdown for Microsoft Graph select the following permissions:
    1. Read and write files in all site collections.
    2. Read and write all users' full profiles.
    3. Read directory data.
    4. Read and write all groups.
    5. Read and write calendars in all mailboxes.
  17. Click save at the bottom of the screen.

Assign Users to your Azure Active Directory Application

  1. Click on the Active Directory icon on the left menu, and then click on the desired Azure AD.
  2. Click the Applications tab at the top of the screen.
  3. Select your app.
  4. Click the Users tab at the top of the screen.
  5. Select an Office 365 User to assign to the App.
  6. Click Assign at the bottom of the screen.
  7. When prompted whether you are sure you want to enable access, click Yes.

The application will appear in the My apps page of the application launcher on the Office 365 portal for the users who have been assigned. Unless the "User assignment required to access app" setting is enabled in the application, assignment is not necessary for users to use the Moodle integration.

Configure the Setup tab in the Microsoft Office 365 Integration plugin

Navigate to Site Administration > Plugins > Local plugins. Click Microsoft Office 365 Integration. Under the Setup tab, complete each of the following steps:

  1. Register Moodle with Azure AD (process outlined above).
    1. Copy the client ID and key you noted earlier from Azure AD into the appropriate fields in step 1.
    2. Click save changes at the bottom of the page.
  2. Set a System API User
    1. This should report "No user set". Click "Set User"
    2. You will be taken to an Office 365 login screen. Log in as a user that has administrator access in your Office 365 subscription.
    3. This user is used for system operations that are not specific to a single user - i.e. user sync operations. This user needs to have administrator access to be able to access all needed information.
    4. You can change this user later if needed.
  3. Detect additional information and verify your setup.
    1. Azure AD Tenant. This is the domain name that identifies your Office 365 subscription, for example "contoso.onmicrosoft.com". If you know it, enter it in this box; if not, click the "Detect" button to attempt to detect the correct value.
    2. OneDrive for Business URL. This is the URL that your users use to access OneDrive for Business. This can usually be determined from your Azure AD tenant; for example, if your tenant is "contoso.onmicrosoft.com", your OneDrive for Business URL is "contoso-my.sharepoint.com". If you know the URL, enter it here; otherwise click "Detect" to attempt to detect the correct value. Only enter the domain name; do not include "http://", "www." or any trailing slashes. For example, "contoso-my.sharepoint.com", not "https://contoso-my.sharepoint.com/".
    3. Azure Setup. This tool verifies that Azure has been correctly set up. Click the "Update" button to check setup. If the tool reports any missing permissions, return to Azure and ensure that all required permissions have been added to your configured application for Moodle.
  4. Click Save changes.

Setting up your users.

To use any Office 365 features, a Moodle user must be connected to an Office 365 user that has an active Office 365 subscription. The plugin suite provides several different ways to set up user accounts in Moodle to use Office 365 features.

Importing Azure AD users into Moodle

If you have users in Azure AD that do not already have an account in Moodle, you can import users into Moodle in a few ways. If your Azure AD users already have a separate account in Moodle and you want to link them, see the next section.

User sync.

User sync will sync the Moodle user list with Azure AD and can perform various different operations on the Moodle user list depending on a few settings you can select. This method is useful if you want to create users in Moodle that match your users in Azure AD, and have user accounts created ahead of user access. If you would like to populate your Moodle site with users from Azure AD and be able to enrol the users in various courses before users start using Moodle, this is the best solution. See the full documentation on user sync for more information on how to use this feature.

On-demand user creation.

The OpenID Connect authentication plugin will create a Moodle user from an Azure AD user that tries to log in to Moodle using Azure AD, successfully authenticates, and does not have an existing linked Moodle account. The Moodle user will be created on the fly as the user logs in. This is useful for a more on-demand Moodle setup where users do not need to be created and pre-enroled ahead of time, but instead allow users to self-select their courses. You can disable this function by going to the common Moodle authentication settings (Site Administration > Plugins > Authentication > Manage authentication), and checking the "Prevent account creation when authenticating" setting.

Connecting existing Moodle users to Office 365

There are four ways to connect existing Moodle users to Office 365 users. Two admin-driven methods, and two end-user-driven methods. The admin methods require a Moodle administrator to configure a setting or run a tool, and the end-user methods require the Moodle user you want to link to perform some operation.

Admin: Using user sync auto-matching.

If your existing Moodle users have the same usernames as your users in Azure AD, the user sync process can match users automatically. This process will match, case-insensitively, the beginning part of the Azure AD username (before the "@") against any Moodle user with the same username and can link the users either by switching the Moodle user's authentication method to OpenID Connect, or link the Moodle user in the background - leaving the Moodle authentication method unchanged. Please see the user sync documentation for more information about user sync.

Admin: User matching tool

If your users in Moodle have different usernames from the users in Azure AD, there is a user matching tool that will allow you to upload a CSV file containing a list of Moodle usernames and their corresponding Azure AD usernames.

To access this tool, go to the integration local plugin settings page (Site administration > Plugins > Local plugins > Microsoft Office 365 Integration), and click the "Tools" tab, then the "User Matching" link. This page provides a description of the CSV format, and a file picker to upload the file.

To run the user matching tool:

  1. Upload a CSV, matching the displayed format, using the file picker on this page.
  2. Click the "Add Data File to Match Queue" button.
  3. The CSV will be processed and you will see a list of usernames in "Step 2". This is the processing queue.
  4. Every time your Moodle cron runs, a batch of users in the queue will be processed. The results will be shown in the queue.

End User: Migrate the user to using their Office 365 credentials to log in to Moodle.

With this method, the user will log in to Moodle using their Office 365 account credentials.

  • Users who do not yet have a Moodle account can simply follow the normal OpenID Connect login process (see: OpenID Connect Authentication Usage). If a Moodle account is not found for a user logging in with OpenID Connect, an account will be created for them.
  • You can migrate existing Moodle users to Azure AD login by following the steps below:
  1. Ensure the user you want to migrate has the "auth/oidc:manageconnection" or "auth/oidc:manageconnectionconnect" capability. Regular users do not have this capability by default.
    • The "auth/oidc:manageconnectionconnect" capability will allow users to link an account, while the "auth/oidc:manageconnectiondisconnect" capability will allow them to unlink. It is therefore possible to give users the capability to link, but not unlink.
  2. Ensure the Microsoft block has been added to a page in Moodle (for example, the Moodle dashboard).
  3. Log in as the user to be migrated, visit a page that has the Microsoft block visible.
  4. Click the Connect to Office 365 link in the Microsoft block.
  5. You will be brought to the Office 365 / Moodle Control Panel.
  6. Click the Office 365 Connection link under Office 365 Features
  7. Click the "Start using Office 365 to log in to Moodle." link.
  8. You will be redirected to Office 365 to log in. Log in to the Office 365 account you'd like to link the Moodle user to.
    1. NOTE: If you are already logged in to Office 365, you will not have to enter your credentials on the Office 365 login page - the account you are logged in to will be linked to the Moodle account. Ensure you are logged in to the correct account, use a private browser window, or log out of Office 365 first to show the Office 365 login screen.
  9. You will be redirected back to Moodle to the Office 365 / Moodle control panel. The Connection status box on the side of the page should indicate that you are connected to Office 365 and that you are using Office 365 to log in to Moodle.
  10. The Moodle account will now use Office 365 to log in. The previous Moodle login method will not work.
  11. The Moodle user can now use any of the Office 365 features in Moodle.

End user: Link a Moodle user to an Office 365 user.

This will allow you to connect a user to Office 365, enable all Office 365 features with this user, but not have to change their Moodle login method.

  1. Ensure the Microsoft block has been added to a page in Moodle (for example, the Moodle dashboard).
  2. Ensure the user you want to migrate has the "local/o365:manageconnectionlink" capability. Regular users do not have this capability by default.
    • The "local/o365:manageconnectionlink" capability will allow users to link an account, while the "local/o365:manageconnectionunlink" capability will allow them to unlink. It is therefore possible to give users the capability to link, but not unlink.
  3. Log in as the user to be migrated, visit a page that has the Microsoft block visible.
  4. Click the Connect to Office 365 link in the Microsoft block.
  5. You will be brought to the Office 365 / Moodle Control Panel.
  6. Click the Office 365 Connection link under Office 365 Features
  7. Click the link that says Link your Moodle account to an Office 365 account.
  8. You will be redirected to Office 365 to log in. Log in to the Office 365 account you'd like to link the Moodle user to.
  9. NOTE: If you are already logged in to Office 365, you will not have to enter your credentials on the Office 365 login page - the account you are logged in to will be linked to the Moodle account. Ensure you are logged in to the correct account, use a private browser window, or log out of Office 365 first to show the Office 365 login screen.
  10. You will be redirected back to Moodle to the Office 365 / Moodle control panel. The Connection status box on the side of the page should indicate that you are connected to Office 365 and that you are linked to an Office 365 account.
  11. The Moodle account is now linked to the Office 365 account and can use Office 365 features as that user.
  12. The Moodle user's login method will not change, the user will log in to Moodle as they always have.
  13. If the user experiences any problems using Office 365 features, it's possible the token generated during this initial linking process has expired. Return to the Office 365 / Moodle Control Panel and click the Refresh Connection link in the Connection Status box. This will generate a new token.

Microsoft block

The Microsoft block provides the ability for users to quickly link off to Office 365 services.

  • Course SharePoint site
  • Course Group
  • My Delve
  • My Docs.com
  • My OneNote Notebook
  • My OneDrive
  • Settings
  • Outlook Calendar Sync settings
  • Office 365 Connection settings

You can configure which of these items show up in the block using the configuration settings under Site Administration > Plugins > Blocks > Microsoft. A few important items to note:

  • All settings besides Course Group and Course SharePoint site are evergreen, meaning they can be accessed at any time from any page to which the Microsoft block has been added.
  • If enabled, Course SharePoint site and Course Group only appear once the user is inside a Moodle course in which they are enrolled.
  • Course SharePoint site and Course Group cannot be disabled from the Microsoft block. They can only be enabled/disabled from the Microsoft Office 365 Integration plugin.

Outlook Calendar sync

This feature allows users to sync their Moodle calendars with Office 365. Users can have events in their Moodle calendar appear in any Office 365 calendar, and have events created in Office 365 synced back to Moodle.

To use this feature:

  1. Ensure the Microsoft block has been added to a page in Moodle (for example, the Moodle dashboard).
  2. As a user connected to Office 365, visit a page where the Microsoft block is visible.
  3. Click the "Outlook Calendar Sync settings" link in the Microsoft block.
  4. From here, you should see a list of your available Moodle calendars. Click the checkmark next to the ones you'd like to sync.
       Figure: Calendar sync selection page
    1. By default, the calendars will sync with your Office 365 "primary" calendar typically named "Calendar". You can choose a different calendar to sync with using the "Sync with" select box.
       Figure: Calendar sync options
  5. You can also choose to sync from Office 365 in to Moodle (or both from Moodle to Office 365 and from Office 365 to Moodle). This is done using the "Sync behavior" select box.
  6. Once you're subscribed to a calendar, wait for the site's cron function to run to sync older calendar events. However, new events should sync right away.

Microsoft Office 365 Integration Local Plugin

This plugin contains several configuration options and can be located under Site Administration > Plugins > Local plugins. It is organized into four tabs:

  1. Setup. Configuration settings are outlined under the Setup section.
  2. Options. Contains various configuration options, including:
    1. User Sync
    2. Integration Settings
    3. Advanced Settings
  3. Tools
    1. Health Check
    2. User Matching Tool
  4. School Data Sync

User Sync

This controls how users are synced from Azure AD to Moodle. This can create or delete users in Moodle, match them with Azure Active Directory users, and assign them to Azure Active Directory applications.

Sync users with Azure AD

Users from Azure AD can be automatically created in Moodle using the user sync option. This creates a Moodle account for every user in the connected Active Directory allowing you to manage and enrol users in Moodle without the user having to log in first. When the user does log in using the OpenID Connect authentication plugin and their Office 365 account, they will be logged in to the account created for them during the user sync.

To enable:

  1. Check the checkbox beside each user sync option that you want to use.
  2. Click Save Changes.
  3. Run the Moodle cron to run the user sync process.

Notes:

  • The sync job runs in the Moodle cron, and syncs 1000 users at a time.
  • By default, this runs once per day at 1:00 AM in the time zone local to your server.
  • To sync large sets of users more quickly, you can increase the frequency of the Sync users with Azure AD task using the Scheduled tasks management page. See Scheduled_tasks.

There are several options that affect user sync:

Create accounts in Moodle for users in Azure AD

This will create users in Moodle from each user in the linked Azure Active Directory. Only users which do not currently have Moodle accounts will have accounts created. New accounts will be set up to use their Office 365 credentials to log in to Moodle (using the OpenID Connect authentication plugin), and will be able to use all the features of the Office 365 plugin set.

Delete previously synced accounts in Moodle when they are deleted from Azure AD

This will delete users from Moodle if they are marked as deleted in Azure AD. The Moodle account will be deleted and all associated user information will be removed from Moodle. Be careful!

Match preexisting Moodle users with same-named accounts in Azure AD

This will look at each user in the linked Azure Active Directory and try to match them with a user in Moodle. This looks for matching usernames in Azure AD and Moodle. Matches are case-insensitive and ignore the Office 365 tenant. For example, "BoB.SmiTh" in Moodle would match "bob.smith@example.onmicrosoft.com". Users who are matched will have their Moodle and Office accounts connected and will be able to use all Office 365/Moodle integration features. The user's authentication method will not change unless the setting below is enabled.
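
Because matching ignores case and everything after the "@", it is worth auditing both user lists before enabling this option (and the auto-matching described under "Admin: Using user sync auto-matching"). The following is an added example, not code from the plugin suite: it applies the rule as stated on this page to constructed sample lists and reports Moodle accounts with more than one Azure AD candidate, matches on privileged accounts, and accounts with no counterpart. The function names, sample data and the PRIVILEGED list are assumptions.

```python
"""Pre-flight audit for user sync auto-matching (added example)."""
from collections import defaultdict

# Constructed sample data, not taken from any real tenant or Moodle site.
AZURE_UPNS = [
    "bob.smith@example.onmicrosoft.com",
    "Bob.Smith@partner.example.com",   # same local part, different domain
    "admin@example.onmicrosoft.com",
    "carol@example.onmicrosoft.com",
    "dave@example.onmicrosoft.com",
]
MOODLE_USERNAMES = ["BoB.SmiTh", "admin", "carol", "erin"]
PRIVILEGED = ["admin"]  # hypothetical: Moodle accounts holding site-admin roles


def match_key(azure_username):
    """Matching key per this page: the part before "@", compared case-insensitively."""
    return azure_username.split("@", 1)[0].casefold()


def audit_auto_match(azure_upns, moodle_usernames, privileged=()):
    """Classify every account under the page's matching rule.

    Returns a dict with these lists:
      match            -- (moodle_user, upn): exactly one candidate, safe to link
      ambiguous        -- (moodle_user, [upns]): several Azure AD users share the key
      privileged       -- (moodle_user, upn): single match on a privileged account
      unmatched_moodle -- Moodle users with no Azure AD candidate
      new_in_azure     -- Azure AD users with no Moodle counterpart
    """
    candidates = defaultdict(list)
    for upn in azure_upns:
        candidates[match_key(upn)].append(upn)

    privileged_keys = {name.casefold() for name in privileged}
    report = {"match": [], "ambiguous": [], "privileged": [],
              "unmatched_moodle": [], "new_in_azure": []}
    seen = set()

    for username in moodle_usernames:
        key = username.casefold()
        seen.add(key)
        upns = candidates.get(key, [])
        if not upns:
            report["unmatched_moodle"].append(username)
        elif len(upns) > 1:
            # The rule cannot tell these Azure AD users apart: review by hand.
            report["ambiguous"].append((username, list(upns)))
        elif key in privileged_keys:
            # Linking hands this Moodle account to whoever owns the Azure AD one.
            report["privileged"].append((username, upns[0]))
        else:
            report["match"].append((username, upns[0]))

    for key, upns in candidates.items():
        if key not in seen:
            report["new_in_azure"].extend(upns)
    return report


if __name__ == "__main__":
    for category, rows in audit_auto_match(
            AZURE_UPNS, MOODLE_USERNAMES, PRIVILEGED).items():
        print(category, rows)
```

Entries reported as ambiguous or privileged are candidates for the CSV-based user matching tool, where each Moodle username is paired with one Azure AD username explicitly.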

Switch matched users to Office 365 (OpenID Connect) authentication

This requires the "Match" setting above to be enabled. When a user is matched, enabling this setting will switch their authentication method to OpenID Connect. They will then log in to Moodle with their Office 365 credentials. Note: Please ensure the OpenID Connect authentication plugin is enabled if you want to use this setting.

Assign users to application during sync

This will assign Azure AD users to the Moodle application in Azure. This will add the Moodle tile to the user's app launcher, and enable Moodle access if the "User assignment required to access app" setting is enabled in the Azure application.

Sync Office 365 profile photos to Moodle in cron job

This will sync users' profile photos into Moodle and set the Moodle user's profile photo to that image. Note that this can increase the time it takes to run user sync significantly.

Sync Office 365 profile photos to Moodle on login

If enabled, the user's Office 365 profile photo will be synced when they log in to Moodle. This can be a more performant solution than syncing photos in the cron job (the previous option), but users may experience a slight delay in seeing profile photo updates.

User Creation Restriction

During user sync, by default, all users from Azure AD will be created in Moodle. This setting allows you to set a required field and value that a user must have in Azure to have an account created in Moodle. For example, if you wanted to only have users from the "IT" department syncing into Moodle, you would choose the "Department" field, and enter "IT".

User Field Mapping

This controls how information is synced from Azure AD to Moodle. The first column lists Azure fields, the second column lists Moodle fields, and the third column controls when information is synced. To create mappings:

  1. Click "Add Mapping"
  2. In the row that appears, select an Azure field to bring into Moodle.
  3. In the second column on the same row, select a Moodle field to copy the value into.
  4. In the third column on the same row, choose whether this only happens on user creation, on user login, or both.
  5. Click "Save Changes" at the bottom of the page.

To Delete A Mapping

  1. Click the "X" button at the end of the row you want to delete.
  2. Click "Save changes" at the bottom of the page.
  3. Note this will only prevent future information syncing, it will not undo past operations.

Integration Features

This section controls the various main features of the plugin suite, including what kind of Office 365 resources you want to create and associate with a Moodle Course. You have the option to create either a SharePoint subsite for your course and/or an Office 365 Group.
Please note: If a SharePoint site is not needed for your course, and you are merely looking to have a SharePoint subsite for your course in order to have access to a document library accessible by all students and teachers associated with the course, it is recommended you enable only User Groups rather than the SharePoint connection.

SharePoint

SharePoint sites can be created for each course on your Moodle site. You will provide a parent SharePoint site and subsites for each course will be automatically created. The document library for each of these subsites can then be accessed by teachers using the Office 365 repository under "SharePoint (Courses)". This provides a shared store of files for a course, allowing students and teachers the ability to collaborate on documents and share resources. In addition, this provides a SharePoint site that can be customized for the course and linked to from the Microsoft block.
Note: Any Azure AD connected Moodle user with the moodle/course:managefiles capability in a course will be able to access the document library from the repository.

Setting up the SharePoint connection
  1. In the SharePoint Link setting, type in the URL of the parent SharePoint site you'd like to use for the course subsites. As you type, Moodle will verify the URL.
  2. When you are done typing in the URL, the URL will be checked for suitability.
    1. If the URL is invalid, you will see a red box and the text "This is not a usable SharePoint site."
    2. If the site already exists, you will see a blue box and the text "This site is usable, but already exists". You can use this site, but conflicts can arise. It's recommended to use a URL to a SharePoint site that doesn't yet exist. The site will be created during initialization.
    3. If the site does not exist but can be created, you will see a green box and the text "This SharePoint site will be created by Moodle and used for Moodle content.". This SharePoint site will be created by Moodle during initialization.
  3. Choose which courses you want to sync.
    1. Beneath the SharePoint link setting, you will see a "SharePoint course selection" setting. This allows you to choose which courses will have a SharePoint site created.
      • "None" will not create any SharePoint sites.
      • "Custom" will allow you to choose which courses have a SharePoint site created. A "customize" link will appear after you choose this link and click "Save changes".
      • "Sync All" will create a SharePoint site for every Moodle course.
  4. Click Save changes at the bottom of the settings page.
  5. You will see a spinning icon below the SharePoint Link setting, and the text "Moodle is setting up this SharePoint site.". This will not automatically update; refresh the page to check if the connection has been set up.
  6. The SharePoint Link is set up during the Moodle cron, so ensure your Moodle cron is set up and running.

User Groups

User Groups (i.e. Office 365 groups) can be created for each course on your Moodle site, giving users the ability to access Group resources such as Conversations, Group Files, and Calendar directly from the Microsoft Block via the Course Group link. The Group Files for each of these Office 365 groups can then be accessed by members using the Office 365 repository under "Groups (Courses)". Similar to the SharePoint link, this provides a shared store of files for a course, allowing students and teachers the ability to collaborate on documents and share resources.
- Once enabled, new groups will be created every cron run for any course that doesn't have an Office 365 group set up for it.
- Office 365 groups created will have their membership maintained automatically whenever someone joins or leaves a Moodle course.
- By default the Office 365 group will be set as "Private" and the Moodle Admin will be set as an owner of the group.
- The Office 365 group Calendar is automatically synced with the Moodle Course calendar.

Setting up User Groups (i.e. Office 365 groups)
  1. In the User Groups setting select from the following choices:
    • Disable: This is the default setting. Leaving this box checked means no Office 365 groups will be created.
    • Custom: This allows you to select the Moodle courses for which an Office 365 group is created, and which group resources (i.e. Conversations, Group Files, Calendar etc.) are displayed in the Microsoft block. Once an Office 365 group is created for a Moodle course, it is not deleted when the course is unselected. Moreover, unselecting items such as Conversations, Group Files, etc. only removes links to those resources from the Microsoft block. They remain accessible from Office 365 for members of the group.
    • All Features Enabled: This enables Office 365 groups for all Moodle courses and lists all group resources (i.e. Conversations, Group Files, Calendar, etc.) in the Microsoft block from the Course Group link.

Advanced Settings

Office 365 for China

Office 365 in China differs slightly in some technical aspects. If you are using Office 365 for China, select this box to ensure everything will work properly.

Enable Microsoft Graph API

The Microsoft Graph API is a new API that provides some new features like the "User groups" setting. It will eventually replace the existing Office APIs, however some features used are still in preview and are subject to change without notice, which may break some functionality. It is enabled by default in the latest versions of the plugin.

To enable the Microsoft Graph API (for older installations of the plugins where the Microsoft Graph was not enabled by default):

  1. Enable this setting and click "Save changes" at the bottom of the page.
  2. Add the "Microsoft Graph" to your application in Azure.
  3. Return to Moodle and run through the steps in this plugin's "Setup" tab.

Enable application permission access

This allows Moodle to use "Application permissions" rather than the system API user when available. If you have added all the "Application Permissions" outlined in setup, you should leave this enabled.

Record debug messages

If you experience problems using any Office 365 features in Moodle, enable this setting. Once enabled, errors will be recorded to the Moodle log for review. These errors can help you or the plugin developers debug and fix the problem. The error log can be viewed by navigating to Site Administration > Reports > Logs, changing the "All activities" select box to "Site errors", and clicking "Get these logs".

Profile photo refresh time

The number of hours to wait before refreshing a user's profile photo.

Tools

Health Check

If you are experiencing problems with any Office 365 / Moodle features, click the Health Check link to run tests on your system and look for potential problems.

User Matching

This is a tool that allows an administrator to link Moodle and Office 365 users by uploading a CSV containing Moodle usernames and Office 365 usernames.

Maintenance Tools

This link provides access to various tools that can help automatically solve problems with your integration. Do not run these tools unless you are familiar with the effects, or are instructed by a developer or support technician.

OpenID Connect Authentication Plugin

Basic Usage

Once configured, you should see a link named "OpenID Connect" on the Moodle login page. Clicking this link will redirect the browser to the identity provider. Users will log in there, and will be redirected back to Moodle. If they have logged in to Moodle using OpenID Connect before, they will be logged in to their existing Moodle account. If they have not logged in to Moodle with OpenID Connect before, an account will be created for them.

Note: If the "Prevent account creation when authenticating" setting is enabled in Moodle, new accounts will not be created.

Settings

There are a number of options you can use to customize how the plugin behaves. To configure the plugin, visit the plugin's settings page. (Site Administration > Plugins > Authentication > OpenID Connect)

Provider Name

The name entered here will be used throughout the OpenID Connect plugin and the Office 365 plugins to refer to the system used to log users in. For example, if your users are used to calling their Azure AD account their "School" account, you enter "School account" here, and all references to authentication will be "Log in with your School account".

Client ID:

Enter the Client ID obtained from Azure when you created the application for your Moodle installation.

Client Secret:

Enter the Key obtained from Azure when you created the application for your Moodle installation.

Authorization Endpoint and Token Endpoint:

You can use the default values for these.

Resource:

You can use the default value for this.

Auto-Append

When using the "Username/Password" login flow, this setting will automatically append a given string to an entered username. This is useful for Azure AD usernames, where a single domain name is often used for every user, i.e. [user]@contoso.onmicrosoft.com. Users would normally have to enter this entire username to successfully log in to Moodle, but in this example, entering "@contoso.onmicrosoft.com" here means users would only have to enter their unique username, i.e. "bob.smith", instead of "bob.smith@contoso.onmicrosoft.com".

Domain Hint

If users have several different Azure AD accounts with different tenants (i.e. @contoso.onmicrosoft.com, @example.onmicrosoft.com), but Moodle only uses one of these tenants, you can enter that tenant in this box to have the Azure AD login screen only ever suggest accounts from that tenant.

Login Flow

This setting changes how users log in to Moodle using the plugin. You can redirect users to the OpenID Connect provider's login page, or have users enter their credentials directly into Moodle. See the "Login Flows" section below for further information.

User Restrictions

This setting allows you to restrict the users that can log in to Moodle using OpenID Connect (Azure AD).

Once you've entered at least one user restriction, users logging in to Moodle must match at least one entered pattern.

How to use user restrictions:

  1. Enter a regular expression pattern that matches the usernames of users you want to allow.
  2. Enter one pattern per line.
  3. If you enter multiple patterns a user will be allowed if they match ANY of the patterns.
  4. The character "/" should be escaped with "\".
  5. If you don't enter any restrictions above, all users that can log in to the OpenID Connect provider will be accepted by Moodle.
  6. Any user that does not match any entered pattern(s) will be prevented from logging in using OpenID Connect.
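A restriction list is easiest to get right by testing it against usernames that must be accepted and usernames that must be refused before saving it. The audit below is an added example, not the plugin's code: it follows the rules listed above (one pattern per line, ANY match allows, an empty list allows everyone) and assumes each pattern is applied as an unanchored, case-sensitive search, which is how Python's `re.search` behaves. The function names and all usernames are constructed for illustration; under that assumption, anchoring each pattern with `^` and `$` and escaping literal dots keeps a pattern from matching only part of a username.

```python
import re


def parse_restrictions(setting_text):
    """One pattern per line, as in the settings box; blank lines are ignored."""
    return [line.strip() for line in setting_text.splitlines() if line.strip()]


def is_allowed(username, patterns):
    """No patterns: every user is accepted. Otherwise ANY match allows."""
    if not patterns:
        return True
    return any(re.search(p, username) for p in patterns)


def unanchored(patterns):
    """Heuristic: patterns that do not start with ^ and end with an unescaped $."""
    flagged = []
    for p in patterns:
        ends_anchored = p.endswith("$") and not p.endswith("\\$")
        if not (p.startswith("^") and ends_anchored):
            flagged.append(p)
    return flagged


def audit(setting_text, must_allow, must_deny):
    """Check a restriction list against usernames with a known expected outcome."""
    patterns = parse_restrictions(setting_text)
    for p in patterns:
        re.compile(p)  # raises re.error early on a malformed pattern
    return {
        "wrongly_denied": [u for u in must_allow if not is_allowed(u, patterns)],
        "wrongly_allowed": [u for u in must_deny if is_allowed(u, patterns)],
        "unanchored": unanchored(patterns),
    }


# Constructed test data: usernames that should and should not get in.
MUST_ALLOW = ["bob.smith@contoso.onmicrosoft.com"]
MUST_DENY = [
    "mallory@contoso.onmicrosoft.com.example.net",  # allowed domain is only a substring
    "staffing@partner.example",                      # contains the word "staff"
]

# A loose list: unescaped dots, no anchors.
LOOSE = "@contoso.onmicrosoft.com\nstaff\n"

# The same intent, anchored and with literal dots escaped.
STRICT = r"^[^@]+@contoso\.onmicrosoft\.com$"

if __name__ == "__main__":
    for name, text in (("loose", LOOSE), ("strict", STRICT)):
        print(name, audit(text, MUST_ALLOW, MUST_DENY))
```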

Record debug messages

If you experience problems using OpenID Connect, enable this setting. Once enabled, errors will be recorded to the Moodle log for review. These errors can help you or the plugin developers debug and fix the problem. The error log can be viewed by navigating to Site Administration > Reports > Logs, changing the "All activities" select box to "Site errors", and clicking "Get these logs".

Custom Icon

This setting allows you to choose from a selection of predefined icons to appear next to the identity provider link on the login page. You can also upload your own icon.

  1. Visit the plugin settings page (Site Administration > Plugins > Authentication > OpenID Connect)
  2. Locate the "Icon" section of the settings page.
  3. There are several predefined icons to choose from, clicking an icon will use that icon on the login page.
  4. To use a custom icon, use the file picker below the "Icon" setting.
    1. This image will not be resized on the login page, so we recommend uploading an image no bigger than 35x35 pixels.
    2. If you have uploaded a custom icon and want to go back to one of the stock icons, click the custom icon in the file picker and click "Delete", then "OK", then "Save Changes" at the bottom of the settings page. The selected stock icon will now appear on the Moodle login page.

Login flows

This plugin supports two different methods for users to log in: Authorization Request and Username/Password Authentication.

Authorization Request

This flow redirects the user to Office 365 to log in; they are then brought back to Moodle logged in.

Using this flow:

  1. The user clicks the name of the identity provider (What you entered in the "Provider Name" box at the top of the settings page.) on the Moodle login page.
  2. The user is redirected to Office 365 to log in.
  3. Once successfully logged in, the user is redirected back to Moodle where the Moodle login takes place transparently.

Username/Password Authentication

This login flow works like a classic username and password, except the user uses their Office 365 account information.

Using this flow:

  1. The user enters their Office 365 username and password directly into the Moodle login form.
  2. Their credentials are securely sent to Office 365 for verification.
  3. If the credentials are verified, the user is logged in to Moodle.

Switching existing Moodle users to use Office 365 to log in

If a user logs in to Moodle using OpenID Connect but does not have a Moodle account, one will be created for them. However, existing Moodle users can be migrated to use OpenID Connect and provide a connection to Office 365.

  1. Ensure the Microsoft block has been added to a page in Moodle (for example, the Moodle dashboard).
  2. Log in as the user to be migrated, visit a page that has the Microsoft block visible.
  3. Click the Connect to Office 365 link in the Microsoft block.
  4. You will be brought to the Office 365 / Moodle Control Panel.
  5. Click the Office 365 Login link under Office 365 Features.
  6. Click the "Start using Office 365 to log in to Moodle." link.
  7. You will be redirected to Office 365 to log in. Log in with the account you'd like to link to the Moodle account you're using.
    1. NOTE: If you're already logged in to Office 365, you will not have to enter your credentials on the Office 365 login page. This Office 365 account will be linked to the Moodle account. Ensure you are logged in to the correct account, or log out of Office 365 first to show the Office 365 login screen.
  8. The Moodle account will now use Office 365 to log in. The previous login method will not work.
  9. The Moodle user can now use any of the Office 365 features in Moodle.

Connecting existing Moodle users to Office 365 without changing login method

  1. Ensure the Microsoft block has been added to a page in Moodle (for example, the Moodle dashboard).
  2. Log in as the user to be migrated, visit a page that has the Microsoft block visible.
  3. Click the Connect to Office 365 link in the Microsoft block.
  4. You will be brought to the Office 365 / Moodle Control Panel.
  5. There will be a "Connection Status" indicator box on the right side of the screen, click the "Click here to connect" link.
  6. You will be brought to the AzureAD authentication screen. Log in with the Office 365 user's credentials you'd like to connect to the Moodle user you are logged in as.
    1. NOTE: If you're already logged in to Office 365, you will not have to enter your credentials on the Office 365 login page. This Office 365 account will be linked to the Moodle account. Ensure you are logged in to the correct account, or log out of Office 365 first to show the Office 365 login screen.
  7. If login was successful, you will be brought back to the Office 365 / Moodle Control Panel page, where the Office 365 connection indicator should now read Active.
  8. The Moodle account is now linked to the Office 365 account and can use Office 365 features as that user.
  9. The Moodle user's login method will not change, the user will log in to Moodle as they always have.

Manage access to configure OpenID Connection

There are three capabilities used to provide access to the connection options.

  1. Allow OpenID Connection and Disconnection
    1. The user has access to choose their connection option and disable their connection option
  2. Allow OpenID Connection
    1. The user has access to choose their connection options
  3. Allow OpenID Disconnection
    1. The user has access to disable using their connection option

Office 365 Repository

The Office 365 repository allows users using the Office 365 integration plugins to connect to various file stores within Office 365, including their personal OneDrive for Business, as a Moodle repository. You can configure which Office 365 services are available via the Moodle file-picker in the Office 365 repository settings page. Currently the services available are:

  • OneDrive contains all documents in your personal OneDrive for Business.
  • SharePoint (Courses) will list all SharePoint document libraries associated with Moodle Courses that you have access to.
  • Group Files (Courses) will list all the Office 365 Group File folders associated with Moodle Courses that you have access to.

[Figure: Office 365 repository]

Downloading and linking files

  1. When using a file-picker anywhere in Moodle, you'll see a list of repositories on the left side of the popup. Look for and click on "Office 365".
  2. If you are a regular user within Moodle, you will see folders for the services that have been enabled for you.
  3. You will now see a list of all the files and folders in your OneDrive. If you want to download files from "SharePoint (Courses)" or "Group Files (Courses)", click on the respective folder, then click the folder for the course you want to access.
  4. Navigate and click the file you want to download into Moodle.
  5. Choose to "Make a copy of the file", or "Create an alias/shortcut to the file."
    1. If you want to download a copy of the file as it is now, choose "Make a copy of the file". This will copy the file into Moodle, and will then use the local Moodle copy when the file is accessed from within Moodle. Any changes to the file in OneDrive will not be seen in Moodle.
    2. If you want to link a file choose "Create an alias/shortcut to the file". This will create a link in Moodle to the file in OneDrive, and the file will be accessed from OneDrive directly. Any changes to the file in OneDrive will be seen when accessing the file from Moodle.
  6. You can change other file information like the filename or author name using the respective text fields. This information is only applicable to the Moodle side of the file, and will not transfer to OneDrive.
  7. Click "Select this file".

Uploading files

You can upload files into Office 365 from the Moodle file-picker interface.

  1. When accessing an Office 365 folder (for example, OneDrive) from a file picker, you will see an "Upload New File" item in the list of files and folders.
  2. Click the "Upload new file" item.
  3. Choose the file you want to upload and click "Upload this file".
  4. The file will be uploaded to OneDrive and selected for the file picker.

Embedding Office documents

This repository allows users to embed Office documents from OneDrive into a course and have the live version viewable using Office web apps.

  1. Start as a user connected to Office 365 and who has access to modify a course.
  2. Turn on editing for the course and choose "Add an activity or resource" for the section of the course where you want to add the document.
     [Figure: Adding a course activity]
  3. Choose the "File" resource to add to the course.
     [Figure: Adding a file resource to a course]
  4. In the "Content" section of the file resource settings page, click the "Add" button in the file picker.
     [Figure: File resource settings page]
  5. Choose the "OneDrive for Business" repository and choose your Office document.
  6. When you select a file, make sure "Create an alias/shortcut to the file" is selected, then click "Select this file".
     [Figure: Selecting a file]
  7. Expand the "Appearance" section, and choose "Embed" for the "Display" select box.
     [Figure: Display option for a file resource]
  8. Click "Save and display".
  9. You should see the file embedded into the page.
     [Figure: Office document embedded into page]

OneNote

If you have installed all the plugins (for example, by installing 1) then you already have the OneNote plugins installed. To access OneNote using your Office 365 subscription, add OneNote to the list of applications in your Azure application. This is done the same way you configured Azure permissions, above. Note that OneNote is still in preview, and may not be available to everyone yet. If you don't see OneNote in the list of applications to add to your Azure application, you can try logging in to a desktop OneNote application using an administrator account in your Office 365 tenant. This sometimes expedites the process of adding the OneNote preview to your tenant. For more information on OneNote, see MicrosoftServices#Configuring_OneNote

Instructions for setting up OneNote Class Notebook as an External Tool

Register your Moodle installation with OneNote Class Notebook

  • Go to https://www.onenote.com/lti.
  • If you are not already signed in, you will need to sign in with an appropriate account.
  • On the "Register Your LMS" page, enter a name to describe your Moodle installation.
  • Click "Register".
  • Make note of the Consumer Key, Shared Secret, and Launch URL that will be displayed on the page. You will need these in the subsequent steps below.
  • To retrieve these at a later time, you can return to https://www.onenote.com/lti/ and click View/Manage Your Registration.

Adding OneNote Class Notebook as an External Tool in Moodle

  • Log in to Moodle using your administrator account.
  • Go to Site Administration.
  • Go to Plugins > Activity modules > LTI > Manage external tool types.
  • Select Active.
  • Click Add external tool configuration.
  • In the Tool name box, type an appropriate name, such as "OneNote Class Notebook".
  • In the Tool base URL box, enter the Launch URL obtained above.
  • In the Consumer key and Shared secret boxes, enter the values obtained above.
  • Check the "Show tool type when creating tool instances" checkbox.
  • Configure Privacy settings according to your requirements.
  • Click Save changes.

Now that OneNote Class Notebook has been configured, teachers or admins can follow the instructions in the next section to embed a Class Notebook into course content.

Embedding a Class Notebook into course content

  • Log in to Moodle as a Teacher or Admin.
  • Select the course you'd like to work with.
  • Click Turn editing on.
  • Locate the section that you'd like to modify and click Add an activity or resource.
  • Select External tool.
  • Click Add.
  • In the General settings:
    • In the Activity name box, type a name for your activity.
    • Select "OneNote Class Notebook" from the External tool type list.
  • Set your Privacy and Grade settings.
  • Click Save and display. At this point, you should see a placeholder for your activity.
  • At this point, you should see the Notebook embedded within your course.
  • You will be guided through a sequence of dialogs to set up your notebook. Unless you want to change something, you can simply click Next on each one of them.
  • At the end, a notebook will be added to your course.

Additional Resources

You may also refer to this Office Mix presentation for more information: https://mix.office.com/watch/hg1qya375vxx

Instructions for setting up a Moodle deployment including the Office 365 plugins

This document describes how to deploy Moodle and the Office 365 plugins quickly and easily on Microsoft Azure using an Azure Resource Manager (ARM) template.

  • Azure Resource Manager (ARM) templates are declarative templates written in JSON that can be used to quickly create entire deployments consisting of VMs, databases, load balancers, network configuration, etc.
  • We have developed ARM templates for single VM as well as clustered deployments of Moodle that you can use to create development or test setups quickly.
  • You need to have an Azure subscription to create these deployments. If you don't already have a subscription, you can get a free trial subscription here: https://azure.microsoft.com/en-us/pricing/free-trial/
  • Go to the appropriate template on Github:
  • The readme describes the layout of the deployment that will be created and additional services you can set up after the deployment is done.
  • Click on the "Deploy to Azure" button in the readme
  • This will take you to the Azure portal with the template ready to be customized and deployed.
  • You will need to enter the required parameters, specify a resource group, accept the legal terms, and start your deployment.
  • When the deployment is complete, Moodle will already be set up with the Office 365 plugins (if selected).

Instructions for setting up Office Mix as an External Tool

Register your Moodle installation with Office Mix

  • Go to https://mix.office.com/lti/.
  • Click Register an LMS.
  • If you are not already signed in, you will need to sign in with an appropriate account.
  • Type a name to describe your Moodle installation.
  • Select the checkbox indicating that you agree to allow Office Mix to pass data to your Moodle installation.
  • Click Save.
  • Make note of the Consumer Key, Shared Secret, and Launch URL that will be displayed on the page. You will need these in the subsequent steps below.
  • To retrieve these at a later time, you can return to https://mix.office.com/lti/ and click Manage Your Registrations.

Adding Office Mix as an External Tool in Moodle

  • Log in to Moodle using your administrator account.
  • Go to Site Administration.
  • Go to Plugins > Activity modules > LTI > Manage external tool types.
  • Select Active.
  • Click Add external tool configuration.
  • In the Tool name box, type an appropriate name, such as "Office Mix".
  • In the Tool base URL box, enter the Launch URL obtained above.
  • In the Consumer key and Shared secret boxes, enter the values obtained above.
  • Check the "Show tool type when creating tool instances" checkbox.
  • Configure Privacy settings according to your requirements.

    Note: Sending the Name of the user will allow Office Mix to display rich analytics and question responses. If you do not send any user information, then Office Mix will not be able to restore a student's answers if they view the content on a subsequent visit.

  • Click Save changes.

Now that Office Mix has been configured, teachers or admins can follow the instructions in the next section to embed a Mix into course content.

Embedding a Mix into course content

  • Log in to Moodle as a Teacher or Admin.
  • Select the course you'd like to work with.
  • Click Turn editing on.
  • Locate the section that you'd like to modify and click Add an activity or resource.
  • Select External tool.
  • Click Add.
  • In the General settings:
    • In the Activity name box, type a name for your activity.
    • Select Office Mix from the External tool type list.
  • Set your Privacy and Grade settings.
  • Click Save and display. At this point, you should see a placeholder for your activity.
  • In the embedded activity, use one of these methods to select a mix:
    • Using URL: A simple way to select a mix is to visit the Office Mix website, select the mix you want to include in the course, copy the URL from the browser address bar and paste it in the dialog. This method makes it easy to include mixes that have been created by other people.
    • Using My Mixes: You can also select a mix from your My Mixes page from the Office Mix website. In order to prevent students from having to sign in to view a mix, only those mixes with permissions set to Unlisted or Public are shown.
  • After you have selected a mix, click Yes to confirm that this is the mix you'd like to use.
  • At this point, you should see the mix embedded within your course.

Additional Resources

You may also refer to these Office Mixes for more information