Note: You are currently viewing documentation for Moodle 3.11. Up-to-date documentation for the latest stable version of Moodle may be available here: Microsoft 365.

Microsoft 365

From MoodleDocs
Revision as of 15:37, 5 May 2022 by Tim Bahula 2 (talk | contribs) (clean up, typos fixed: Github → GitHub, top level → top-level, a intranet → an intranet, ’s → 's (5))
Note: OAuth 2 authentication (enabling users to log in to Moodle with their Microsoft account) and the OneDrive repository are included in the standard Moodle, so require no additional plugins to be installed.

Introduction

Microsoft 365 services complement the Moodle learning platform to provide a more productive experience for teachers and students.

Differences from Moodle Core

Although Moodle core now provides Microsoft 365 authentication and basic OneDrive repository support, the Microsoft 365 plugin suite provides a much wider set of features.

A few key features only found in the Microsoft 365 plugin suite:

  • User sync from Microsoft 365/Azure AD to Moodle
  • Automatic and manual user matching from Microsoft 365/Azure AD to Moodle
  • Calendar sync
  • OneNote assignment submission and feedback types
  • Office document embedding using Office web apps
  • Fully customisable sign-in experience
  • Integration between Moodle courses and Microsoft Teams, with support for Teams Classes LTI
  • Integration with School Data Sync (SDS)

Requirements

To use the Microsoft 365 plugins, you need the following:

  • A Microsoft 365 subscription.
  • A Microsoft Azure subscription.
  • Moodle version 3.9 or above. (The plugins are available for Moodle versions 2.7 and above. Features available in each version, and the support status vary.)

Plugins & Features

The Microsoft 365 set of plugins contains 6 core plugins, and 3 optional plugins, which provide a wide variety of features to enhance your Moodle instance.

  • Microsoft 365 Local Plugin (local_office365)
    • This is a shell plugin which has dependencies on the current version of each of the 5 other core plugins that make up the complete set. Installing this plugin ensures you have the current version of each of the functional plugins installed.
  • OpenID Connect Authentication Plugin (auth_oidc)
    • This plugin allows users to log in to Moodle using their Microsoft 365 accounts.
    • Users with existing Moodle accounts can switch to use this authentication type.
    • New users can log in with this plugin and have an account created for them.
    • Features:
      • Standards-Compliant OpenID Connect Authentication.
      • Supports authorization code or resource-owner credentials grants.
        • Users can log in to Moodle by clicking the identity provider on the login page, or by entering their OpenID Connect credentials.
      • User profile field mapping
        • User profiles can be mapped and synced from IdP to Moodle.
      • Customizable Icon + Identity Provider name
        • The icon and identity provider name shown on the Moodle login page can be customized. A number of prechosen icons are available, as well as the ability to upload your own.
      • Provides hooks to link OpenID Connect accounts to Moodle accounts
        • If you do not want to change your users' login method, you can still connect to an OpenID Connect provider. The plugin provides code-level hooks to link a Moodle account to an OpenID Connect account without changing the Moodle user's authentication method. This means you can obtain tokens from an OpenID Connect service in the background.
      • Optional user-self-service connection and disconnection
        • A user-facing page is available for users to switch to and from OpenID Connect authentication. Access to this page and feature is controlled by a capability so administrators can disable it.
  • Microsoft 365 support plugin (local_o365)
    • This plugin contains most of the Microsoft 365 integration back-end, such as the functions to communicate with Microsoft 365 services.
    • It also contains sync feature of many Microsoft 365 services, e.g. users, courses, calendars, events, files, notes and SDS.
    • Features:
      • Calendar sync from/to Outlook.
        • Users can sync site events, course events, assignment due dates, and their personal Moodle calendar to their Outlook calendar.
      • User sync
        • Users can be synced from Azure AD, or matched with existing users.
      • Course sync
        • Teams can be automatically created for course in Moodle, and Team membership is kept up-to-date with Moodle enrolments.
        • Teams created in tenants with education license can also be embedded in Moodle using Teams Classes LTI.
      • School Data Sync (SDS) Integration
        • Moodle courses can be created from classes in SDS schools.
        • Bidirectional sync between SDS class owners/members with Moodle course teachers/students.
  • Microsoft Block (block_microsoft)
    • This block provides a user-facing menu to access various Microsoft 365 integration features, resources, and preferences.
    • Links to: Azure AD login preferences, Calendar sync preferences, OneNote notebooks, Teams, and the Microsoft 365 integration user control panel.
  • OneDrive for Business Repository (repository_office365)
    • This is a repository plugin that communicates with OneDrive for Business. If the SharePoint link is configured, this also provides access to Moodle course SharePoint sites' document libraries.
    • Features:
      • Import files into Moodle from OneDrive for Business
      • Upload files into OneDrive for Business from within Moodle
      • Link to files in OneDrive for Business so users always get the most up-to-date version.
      • Embed documents into Moodle courses so users can view documents directly on the site.
  • Microsoft 365 Teams Theme (theme_boost_o365teams)
    • This provides a theme to be used when opening the course page in Teams tab, and provides a seamless user experience for users in Teams.

Optional Plugins

These 3 plugins provide support for OneNote assignment submission and feedback. While they are not required, they provide a powerful way to submit and review assignments.

  • OneNote support plugin (local_onenote)
    • This provides supporting and shared code used by all other OneNote plugins. Does not have a user interface or configuration by itself.
  • OneNote Assignment Feedback (assignfeedback_onenote)
    • Allows teachers to leave feedback for students using OneNote.
  • OneNote Assignment Submission (assignsubmission_onenote)
    • Allows students to submit assignments using OneNote.

Setup

Plugin Installation

The packages are available from:

When you log back in to your Moodle instance, you are presented with the all the plugin configuration options. Save the settings without configuring them for now, you will come back to them later.

For information on installing plugins in Moodle see Installing plugins.

After you have the code installed in your Moodle instance, you'll need to do a bit of configuration before you can use the plugins.

Plugin auth_oidc configuration - part 1

Enable the OpenID Connect Authentication Plugin

  1. Navigate to Site Administration > Plugins > Authentication and click Manage authentication
  2. Locate the OpenID Connect authentication plugin and click the eye icon to enable
  3. Click the Settings link for the plugin.
  4. Verify the Authorization and Token endpoints.
    1. These should be set by default to the following values:
      • Authorization Endpoint: https://login.microsoftonline.com/common/oauth2/authorize
      • Token Endpoint: https://login.microsoftonline.com/common/oauth2/token
    2. It's also possible to replace the "common" part in the endpoints to be your tenant name or tenant GUID. By doing so, users who are redirected to Microsoft login pages (using the auth code login flow) will see the custom login page of your tenant if one is configured following instructions. e.g.
      • Authorization Endpoint: https://login.microsoftonline.com/sample.onmicrosoft.com/oauth2/authorize
      • Token Endpoint: https://login.microsoftonline.com/sample.onmicrosoft.com/oauth2/token
    3. Note the endpoints may be in different format for B2C tenants. Please verify it in your Azure AD portal.
    4. Also note if you plan to use the multi-tenant feature to allow users from other Microsoft 365 tenants to login to the Moodle site, the default endpoints need to be used.
  5. Note the Redirect URI. This should be the URI of your Moodle instance followed by /auth/oidc/. You will need to enter this value into Azure portal later, so note this value and put it aside.
    • For example, https://www.example.com/auth/oidc/
    • Notes:
      1. This is a fixed value that is derived from your Moodle site's configured URL (wwwroot). You cannot change this value directly. If you need to change it for any reason, you must change your Moodle site's configured domain name ($CFG->wwwroot).
      2. This URI must be a fully qualified domain name pointing to your Moodle instance.
      3. The Moodle site's configured URL must use HTTPS, even with a self signed SSL cert. Redirect URI using HTTP will not be acceptable when creating Azure app for the integration.
      4. If your Moodle installation is configured with an IP address pointing to your instance, you must change $CFG->wwwroot in your config.php to a fully-qualified domain name.
      5. This domain name does not need to be publicly accessible (i.e. internet-wide), but does need to be accessible to users of your Moodle instance. So, for example, you can use an intranet-only domain name.

Azure App Creation and Configuration

Prerequisite

You will need an Azure subscription. If you do not have one, you can create one by visiting Microsoft Azure Sign Up.

To use Moodle with Microsoft 365 for SSO, you must configure Microsoft Azure to manage your Microsoft 365 Microsoft Azure Active Directory. A guide is available at this link.

Note: During the setup, you are required to enter a credit card and phone number. If you do not setup virtual machines or use paid services on the subscription, and only use it to access the Azure Active Directory, you will not be charged for the subscription.

Register Application in Azure using PowerShell script

The easiest way to register application in Azure is to run the PowerShell script downloaded from the plugin configuration page. Go to Site Administration > Plugins > Local plugins > Microsoft 365 Integration, it's the Download PowerShell Script button in the Setup tab.

Instructions on how to the PowerShell script to create Azure app using the downloaded file is available at https://github.com/microsoft/o365-moodle/blob/master/local/o365/scripts/README.md, or the /local/o365/scripts/README.md path of your Moodle installation.

You should only follow the manual process if you are unable to setup the AzureAd app via PowerShell script, or you need to verify some specific settings.

Register Application in Azure manually

The following steps are involved in the manual setup:

  1. Sign in to the Microsoft Azure Management Portal.
  2. Click on the Azure Active Directory link from Azure services section, then App Registrations from Manage section on the left.
  3. Click New registration on the top menu.
  4. Enter a name for your application (can be anything you want, but should let you know this is for Moodle).
  5. Choose option applicable to your organisation in Supported account types section.
  6. In Redirect URI (optional) section, select Web and put the redirect URI from the OpenID Connect authentication plugin configuration. Ensure there is a trailing slash for this URI - i.e. https://example.com/auth/oidc/
  7. Click Register.
  8. You now have an application registered in Azure for Moodle. Move on to the next section to properly configure it.

Configure application

  1. Locate the App.
    • If you followed steps above to create the Azure app, you should be redirected to the app settings page already.
    • Otherwise:
      1. Sign in to the Microsoft Azure Management Portal.
      2. Click on the Azure Active Directory link from Azure services section, then App Registrations from Manage section on the left.
      3. Click on the App you created for Moodle. Note you may need to change the dropdown from "My apps" to "All apps" if the App was not created by you.
      4. Locate the Application ID, note this value (write it down or copy it somewhere), and set it aside. You'll need it later.
      5. Click on the display name of the App to open its settings.
  2. Enable implicit grant flow.
    1. From the menu on the left, go to Authentication link in the Manage section.
    2. In the Implicit grant section, check both "Access tokens" and "ID tokens".
    3. Save the changes.
  3. Create client secrets.
    1. From the menu on the left, go to Certificates & secrets link in the Manage section.
    2. Create a new client secret by clicking New client secret button.
    3. Enter a description, and select a duration for "Expires".
    4. Click Add.
    5. A value will appear under Value, note this value (write it down or copy it somewhere) and set it aside. You'll need it later.
  4. Expose an API - only required if Teams sync feature is used.
    1. From the menu on the left, go to Expose an API link in the Manage section.
    2. Click the Set link next to Application ID URI.
    3. This should open a Set the APP ID URI prompt, with a default value such as "api://00000000-0000-0000-0000-000000000000", where the GUID is the same as your Application ID.
    4. Replace this value with "api://URL.TO.MOODLE/00000000-0000-0000-0000-000000000000", where URL.TO.MOODLE is the wwwroot of your Moodle site, and the GUID is the same was default value, i.e. your Application ID.
    5. Click Save to create the Application ID URI.
    6. Click Add a scope.
    7. Enter access_as_user as scope name.
    8. Set Who can consent? to Admins and users.
    9. Set Admin consent title to Teams can access the user’s profile.
    10. Set Admin consent description to Allows Teams to call the app’s web APIs as the current user.
    11. Set User consent title to Teams can access the user profile and make requests on the user's behalf.
    12. Set User consent description to Enable Teams to call this app’s APIs with the same rights as the user.
    13. Ensure that State is set to be Enabled.
    14. Select the Add scope button to save.
    15. In the Authorized client applications section, identify the applications that you want to authorize for your app’s web application. Select Add a client application. Enter each of the following client IDs and select the authorized scope you created in the previous step:
      • 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams mobile/desktop application)
      • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web application)
  5. Configure App Permissions.
    1. Click the API permissions link in the Manage section.
    2. Click Add a permission button.
    3. In Select an API section, choose Microsoft APIs tab, then choose Microsoft Graph.
    4. Check the checkbox for each Application and Delegated permission according to the section below.
    5. Click Add permissions at bottom of the page to add the permissions.
    6. After all the permissions are added, click the Grant admin consent for YOUR ORGANISATION NAME link.

Azure app permissions

The integration uses various Microsoft Graph APIs to communicate with Microsoft 365 to get and set data, which of which requires a different set of permissions. The integration provides a list of recommended permissions to be given to ensure all features in the integration works, all of which are added automatically by the PowerShell script if it's used. Advanced users can customise the permissions according to the need of their own organisation, e.g. if group/team integration is not used, all permissions related to group can be removed, e.g. Group.ReadWrite.All.

Application permissions vs delegated permissions

Before 3.10.6 and 3.11.3 release of the plugins in April 2022, the integration supports two connection methods to communicate with Microsoft Graph API endpoints - Application access and System API user.

  • Application access connection method uses an application token to call Graph APIs as an application, and requires application permissions.
  • System API user connection method calls the Graph APIs as the configured system API user, and requires delegated permissions.

Note that the System API user connection method is deprecated since the 3.10.6 and 3.11.3 release in April 2022.

Permissions

For a full list of Microsoft Graph API used, and the permissions required, please refer to this spreadsheet. Note that:

  • This document is constantly updated.
  • For each Graph API, a few permissions may be listed. Graph API can be called if permissions in any line is added, and the admin consent is granted for your organisation.


The recommended permissions to ensure all integration features work are listed below. These would be the same set of permissions that are applied when using the PowerShell script to set up the Azure app.

Type Permission Display Name Use
Application Permissions AppCatalog.Read.All Read all app catalogs Used to find installed Moodle Teams app to be installed in Teams created for connected Moodle courses.
AppRoleAssignment.ReadWrite.All Manage app permission grants and app role assignments Add user to the Azure app if the option in the user sync option is enabled.
Calendars.ReadWrite Read and write calendars in all mailboxes Required for calendar event sync.
Channel.ReadBasic.All Read the names and descriptions of all channels Used to find the general channel in a team to install the Moodle tab in course and Teams integration.
Directory.ReadWrite.All Read and write directory data A common permission used in integration configuration, user sync and course sync.
Directory.Read.All Read directory data A common permission used in integration configuration, user sync and course sync.
EduRoster.ReadWrite.All Read and write the organization's roster Required in SDS sync and course sync in tenants with education license.
Files.ReadWrite.All Read and write files in all site collections Required for the Microsoft 365 repository to access, download, and upload files to OneDrive.
Group.ReadWrite.All Read and write all groups Required in the integration between Moodle courses and Teams.
MailboxSettings.Read Read all user mailbox settings Required for syncing Outlook default timezone settings of the user.
Member.Read.Hidden Read all hidden memberships Required in the SDS sync feature to get school class members.
Notes.ReadWrite.All Read and write all OneNote notebooks Required for the OneNote integration to create notebooks, sections, and pages for assignments.
Sites.Read.All Read items in all site collections Required to detect OneDrive for Business URL setting.
Team.Create Create teams Required for creating Teams for Moodle courses.
TeamMember.ReadWrite.All Add and remove members from all teams Required for syncing Moodle course users to Teams.
TeamsAppInstallation.ReadWriteForTeam.All Manage Teams apps for all teams Required to install Moodle Teams app to Teams created from Moodle courses.
TeamSettings.ReadWrite.All Read and change all teams' settings Required in the integration between Moodle courses and Teams.
TeamsTab.Create Create tabs in Microsoft Teams. Required to create a Moodle tab in the Teams created from Moodle courses.
User.Read.All Read all users' full profiles Required for SSO and to sync user information between Microsoft 365 and Moodle.
Delegated Permissions Calendars.ReadWrite Have full access to user calendars Required for calendar event sync.
Files.ReadWrite.All Have full access to all files user can access Required for the Microsoft 365 repository to access, download, and upload files to OneDrive.
Group.ReadWrite.All Read and write all groups Required for course group integration.
Notes.ReadWrite.All Read and write all OneNote notebooks that user can access Required for the OneNote integration to create notebooks, sections, and pages for assignments.
User.Read.All Read all users' full profiles Required for SSO and to sync user information between Microsoft 365 and Moodle.
openid Sign users in Required for Teams SSO.
offline_access Maintain access to data you have given it access to Required for Teams SSO.
email View users' email address Required for Teams SSO.
profile View users' basic profile Required for Teams SSO.

Plugin auth_oidc configuration - part 2

  1. Navigate to the OpenID Connect authentication plugin's settings page (Site Administration > Plugins > Authentication > OpenID Connect)
  2. Enter the Application ID value you noted earlier from Azure into the Application ID box on the screen.
  3. Enter the Key value you noted earlier from Azure into the "Key" box on the screen.
  4. Click "Save changes" at the bottom of the screen.

Plugin local_o365 configuration

  1. Navigate to Site Administration > Plugins > Local plugins and click Microsoft 365 Integration
  2. Complete each of the steps as follows:
  3. Choose connection method
    1. Choose the method you want to use to connect to Microsoft 365. From release 3.10.6 and 3.11.3 in April 2022, the only option is Application access.
    2. Click Save changes
  4. Admin consent & additional information
    1. Admin consent: Every time you change a Requires admin permission in Azure, you will need an administrator to provide consent to use the permission. Clicking the Provide admin consent button will take you to a log in screen on Microsoft 365. An administrator will have to log in, and then will be given the option to approve the new permissions.
    2. Azure AD Tenant: This is the domain name that identifies your Microsoft 365 subscription, for example "contoso.onmicrosoft.com". If you know it, enter it in this box, if not, click the "Detect" button to attempt to detect the correct value.
    3. OneDrive for Business URL: This is the URL that your users use to access OneDrive for Business. This can usually be determined from your AzureAD tenant, for example, if your tenant is "contoso.onmicrosoft.com", your OneDrive for Business URL is "contoso-my.sharepoint.com." If you know the URL, enter it here, otherwise click "Detect" to attempt to detect the correct value. Only enter the domain name, do not include "http://", "www." or any trailing slashes. For example "contoso-my.sharepoint.com", not "https://contoso-my.sharepoint.com/"
    4. Click Save changes.
  5. Verify Setup
    1. This tool verifies that Azure has been correctly set up. Click the "Update" button to check setup.
    2. If the tool reports any missing permissions, return to Azure and ensure that all required permissions have been added to your configured application for Moodle.

Connecting users to Microsoft 365

To use any Microsoft 365 features, a Moodle user must be connected to a Microsoft 365 user that has an active Microsoft 365 subscription. There are two ways to connect a Moodle user to a Microsoft 365 user.

Switch the user to use OpenID Connect authentication.

With this method, the user will log in to Moodle using their Microsoft 365 account credentials.

Link a Moodle user to a Microsoft 365 user.

Users in Moodle can also be linked to Microsoft 365 users without changing the Moodle user's authentication method. Users will be able to log in as they always have, and still use all the Microsoft 365 features.

  1. Ensure the Microsoft block has been added to a page in Moodle (for example, the Moodle dashboard).
  2. As the user to link to Microsoft 365, visit a page that has the Microsoft block visible.
  3. Click the Connect to Microsoft 365 link in the Microsoft block.
  4. You will be brought to the Microsoft 365 / Moodle Control Panel.
  5. There will be a "Connection Status" indicator box on the right side of the screen, click the "Click here to connect" link.
  6. You will be brought to the AzureAD authentication screen. Log in with the Microsoft 365 user's credentials you'd like to connect to the Moodle user you are logged in as.
  7. If login was successful, you will be brought back to the Microsoft 365 / Moodle Control Panel page, where the Microsoft 365 connection indicator should now read Active.
  8. This user is now connected to the Microsoft 365 user.

Microsoft 365 Integration Configuration

This section is about how to configuration the integration between Moodle and Microsoft 365 services. All these settings are available to Moodle site administrators at Site Administration > Plugins > Local plugins > Microsoft 365 Integration.

Sync Settings

These features are accessible from the plugin's settings page (Site Administration > Plugins > Local plugins > Microsoft 365 Integration), in the Sync Settings tab.

User Sync

This option controls how users are synced from Azure AD to Moodle. If enabled, users from Azure AD can be automatically created and updated in Moodle. This feature can also suspend or delete users in Moodle when they are deleted from Azure AD, or attempt to automatically match Moodle users with users in the connected Azure AD.

The main benefit of using this option, compared to having accounts created as users log in using OpenID Connect, is that you can manage and enrol users before they first log in, so everything is ready to go the first time they access Moodle.

Notes:

  • The sync job runs in the Moodle cron.
  • By default, this runs once per day at 1:00 AM in the time zone local to your server.
  • To sync large sets of users more quickly, you can increase the frequency of the Sync users with Azure AD task using the Scheduled tasks management page. See Scheduled tasks.

There are several options that affect user sync:

  • Create accounts in Moodle for users in Azure AD: This will create users in Moodle from each user in the linked Azure Active Directory. Only users which do not currently have Moodle accounts will have accounts created. New accounts will be set up to use their Microsoft 365 credentials to log in to Moodle (using the OpenID Connect authentication plugin), and will be able to use all the features of the Microsoft 365 plugin set.
  • Update all accounts in Moodle for users in Azure AD.
  • Suspend previously synced accounts in Moodle when they are deleted from Azure AD.
  • Delete previously synced accounts in Moodle when they are deleted from Azure AD: This will delete users from Moodle if they are marked as deleted in Azure AD. The Moodle account will be deleted and all associated user information will be removed from Moodle. Be careful!
  • Re-enable suspended accounts for users in Azure AD: if the Microsoft 365 account connected to a suspended Moodle account is active, the Moodle account will be unsuspended.
  • Sync disabled status: all Microsoft 365 accounts marked as "disabled for login" will be suspended in Moodle.
  • Match preexisting Moodle users with same-named accounts in Azure AD: This will look at the each user in the linked Azure Active Directory and try to match them with a user in Moodle. This looks for matching usernames in Azure AD and Moodle. Matches are insensitive and ignore the Microsoft 365 tenant. For example, "BoB.SmiTh" in Moodle would match "bob.smith@example.onmicrosoft.com". Users who are matched will have their Moodle and Office accounts connected and will be able to use all Microsoft 365/Moodle integration features. The user's authentication method will not change unless the setting below is enabled.
  • Switch matched users to Microsoft 365 (OpenID Connect) authentication: This requires the "Match" setting above to be enabled. When a user is matched, enabling this setting will switch their authentication method to OpenID Connect. They will then log in to Moodle with their Microsoft 365 credentials. Note: Please ensure the OpenID Connect authentication plugin is enabled if you want to use this setting.
  • Assign users to application during sync: The sync will search all users in the linked Azure AD (other than those excluded by the User Creation Restriction, however not all users may be assigned to the Moodle application you created in Azure AD App Registration during early setup. This setting will assign any Azure AD users with a matching Moodle account to the Azure AD App for Moodle you created.
  • Sync Microsoft 365 profile photos to Moodle in cron job: User's photos in the Moodle profile will be updated with their image from their Azure AD profile - on user sync task run.
  • Sync Microsoft 365 profile photos to Moodle on login: User's photos in the Moodle profile will be updated with their image from their Azure AD profile - on login.
  • Sync Outlook timezone to Moodle in cronjob: User's timezone preference in Outlook will be synced to Moodle profile - on Moodle user sync task run.
  • Sync Outlook timezone to Moodle on login: User's timezone preference in Outlook will be synced to Moodle profile - on login.
  • Perform a full sync each run: By default user sync will only sync changes from Azure AD. Checking this option will force a full user sync each time.
  • Match Azure usernames to Moodle emails instead of Moodle usernames during the sync: Enabling this option will match Azure usernames to Moodle emails instead of the default behaviour which is Azure usernames to Moodle usernames.
  • Sync guest users: If enabled, guest users in the hosting tenant - which are originated from other tenants and added to the hosting tenants as guests - can SSO login.

User Creation Restriction

During user sync, by default, all users from Azure AD will be created in Moodle. This setting allows you to set a required field and value that a user must have in Azure to have an account created in Moodle. For example, if you wanted to only have users from the "IT" department syncing into Moodle, you would choose the "Department" field, and enter "IT".

User Field Mapping

This feature has been moved to the configuration page of the auth_oidc plugin.

Course Sync

Course Sync features

The course sync feature is capable of creating Teams for Moodle courses, and sync Moodle course enrolments to the connected Teams. The Teams sync option allows a great deal of customization. An administrator can choose to create Teams for all courses, enable it on new courses only, or manually select the courses for which the sync need to be enabled.

Once enabled, the "Sync Moodle courses to Microsoft Teams" (\local_o365\task\coursesync) scheduled task will try to:

  • Create a group for any course without a connected group.
  • Sync existing enrolled users in the course to Teams according to capability checks.
  • If the tenant has education license, set education specific attribute in the group in order to support Teams Classes LTI integration.
  • Create a Team from the course, providing a suitable Team owner can be found. For tenants with education license, these will be class Teams; for others, these will be standard Teams.
  • If the a custom Moodle Teams app has been uploaded for the organisation following instructions below, the Moodle Teams app will be installed in the new Team, and a Moodle tab will be created in the general channel, pointing back to the connected Moodle course.

All subsequent enrolment / role assignment changes in Moodle courses will also be synced to connected Teams.

Teams vs Groups

Microsoft Teams share the same base with Microsoft 365 groups in many ways, notably they share the same GUID, and Teams ownership/membership are the same as group ownership/membership.

In the plugins before the 3.10.6 and 3.11.3 release in April 2022, Moodle site admins have the option to enable course sync to "group only" or "Teams", and the option to sync to standard Teams or class Teams.

From the 3.10.6 and 3.11.3 release in April 2002, these options are removed. Instead, site admins now have a single toggle to enable/disable sync of a course, and the Teams type depends on whether the hosting tenant has education license - if an education license is found, a class Team is always used.

Support for Teams Classes LTI

From the 3.10.6 and 3.11.3 release in April 2022, Teams created for courses in tenants with education license will have extra education specific attributes stamped in the underlaying group, which allows the Teams Classes LTI feature to be used in Moodle. The feature allows the Team to be embedded as an external tool in the Moodle course using the mod_lti plugin.

Note that Teams that are connected to Moodle courses in education tenants but were created before the release will also get the education specific attributes stamped as part of the upgrade, so they can make use of the Teams Classes LTI feature too.

Which users are synced to Teams

When syncing users from Moodle courses to Teams, only Moodle users who are connected to Microsoft 365 users according to Moodle records are synced. Such records can be created in 4 ways:

  • Automatically created in "Sync users with Azure AD" (\local_o365\task\usersync) scheduled task run, if user sync is configured.
  • Automatically created when a user logs in using auth_oidc.
  • Manually created by user themselves by using the user connection feature in the block_microsoft plugin.
  • Manually created by site administrators using the "User Matching" advanced feature.
Teams owner vs Teams member

When syncing users from Moodle courses to Teams, capabilities are used to determine whether a Moodle user is added to the Team as an owner or member:

  • Moodle users with "Team owner" (local/o365:teamowner) capability are added as Team owners. By default the teacher role has this capability.
  • Moodle users with "Team member" (local/o365:teammember) capability are added as Team members. By default the student role has this capability.

A Moodle user enrolled in the course but don't have any of the two capabilities are not synced to connected Teams.

Course Sync configurations

  • Course sync: This allows site admins to turn the course sync feature on and off. There are three options:
    • Disabled.
    • Customize: This flexible option allows site admins to choose the course on which course sync is enabled. Optionally, it's also possible to allow configuring course sync per course by authorised users, or to enable course sync by default on new courses.
    • All features enabled.
  • Delete Microsoft 365 groups when connected Moodle course is deleted: If enabled, when a Moodle course that's connected to Teams is deleted, the integration will try to delete the connected Team.
  • Delete Microsoft 365 Groups when course sync is disabled: If enabled, when sync is disabled on a Moodle course that's connected to Teams, the integration will try to delete the connected Teams.
  • Courses to sync per task run: This allows site admins to control the number of courses to process in a course sync task run. This is to prevent the course sync task to take too long to finish therefore blocking other tasks in Moodle cronjob. If 0 is configured, the default value of 20 is used.
  • Team / group names
    • Teams name prefix, Course part of the Teams name, and Teams name suffix allow site admins to customise the naming convention of the Teams created from Moodle courses. Note that the options for the Course part of the Teams name setting are:
      • Full name
      • Short name
      • Moodle created ID
      • ID number
    • Group mail alias prefix, Course part of the group mail alias, and Group mail alias suffix allow site admins to customise the naming convention of the groups created from Moodle courses.
    • Update Teams name on course update: If enabled, the integration will try to update the name of the connected Team if the settings of the connected Moodle course is updated.

Advanced settings

Administrator Tools

  • Tenants: This tool allows you to add additional Microsoft 365 tenants to be used with Moodle. Users from additional tenants can log-in to Moodle using their Microsoft 365 account, and use features like calendar sync and the OneDrive repository.
  • Health check: If you are experiencing problems with any Microsoft 365 / Moodle features, click the Health Check link to run tests on your system and look for potential problems.
  • Connections: This tool allows administrators to see and manage the connections between their Moodle users and Microsoft 365 accounts. Each user in the system is listed alongside the Microsoft 365 username the user is connected to, if any. Administrators can choose to manually connect or disconnect each user.
  • User Matching: This tool allows administrators to manually match Moodle and Microsoft 365 users using a CSV file. Administrators can upload a CSV file containing, on each line, a Moodle username, and Microsoft 365 username, and a 1 or 0 indicating whether to enable Microsoft 365 login for that user. Once uploaded, the file is processed in batches during the Moodle cron. The tool page will display the progress of this process.
  • Maintenance Tools: These tools perform maintenance tasks that can help solve problems which may crop up from time to time. Generally, users should not need these tools unless they encounter the specific situation these tools are designed to solve.
    • Resync users in groups for courses: Course group membership is kept up-to-date as users are enrolled and un-enrolled from courses in Moodle. If this membership gets out-of-date for whatever reason, this tool will force a resync of group membership.
    • Recreate deleted Microsoft 365 groups: Course groups are created from Moodle courses when using the course group feature. If a group is manually deleted from the Microsoft 365 administrator panel, this tool will recreate it.
    • Generate debug data package: This tool will generate a package of information that can be sent to the plugin suite maintainers to help debug problems in environment and setup. While no API keys are present, this information does contain a lot about your environment and setup, so please be careful about whom you send this information to.
    • Cleanup OpenID Connect Tokens: If your users are experiencing problems logging in using their Microsoft 365 account, trying cleaning up OpenID Connect tokens. This removes stray and incomplete tokens that can cause errors. WARNING: This may interrupt logins in-process, so it's best to do this during downtime.
    • Cleanup User Sync Delta Tokens: If user synchronisation is not fully working after updating it user sync settings, it may be caused by an old delta sync token. Cleaning up the token will remove force a complete re-sync the next time when the user sync is run.

Other advanced settings

  • Reset Team name prefix: When a Moodle course is reset, the name of the Team connected to the course can be updated to reflect the fact that the Team may not be connected any more.
  • Reset group name prefix: When a Moodle course is reset, the name of the group connected to the course can be updated to reflect the fact that the group may not be connected any more.
  • Microsoft 365 for China: Microsoft 365 in China differs slightly in some technical aspects. If you are using Microsoft 365 for China, select this box to ensure everything will work properly.
  • Record debug messages: If you experience problems using any Microsoft 365 features in Moodle, enable this setting. Once enabled, errors will be recorded to the Moodle log for review. These errors can help you or the plugin developers debug and fix the problem. The error log can be viewed by navigating to Site Administration > Reports > Logs, changing the "All activities" select box to "Site errors", and clicking "Get these logs".
  • Minimum inexact username length to switch to Microsoft 365: When using automatic user matching, this setting can be used to exclude accounts with short names. The intended use of this is to avoid matching generic accounts like "admin". This setting is the minimum length of a username required for automatic matching to match users.
  • Profile photo refresh time: Profile photo syncing can be a resource-intensive process, so this setting allows you to set a minimum time between profile photo refresh runs.
  • Custom theme (Advanced): This allows you to choose the theme to use in when accessing Moodle pages from the Moodle Teams tab.

Legacy settings

These features are deprecated and is likely to be removed in a future version.

School Data Sync (SDS)

The SDS feature of the plugin has the following functionalities:

  • Sync teacher / student profile field from a selected SDS school.
  • Sync classes from multiple SDS schools, and create Moodle courses from the classes.
  • Sync class owners and members to Moodle courses as teachers and students according to the configured roles.
  • Sync user enrolments and role changes in Moodle back to the connected SDS classes.


The functionalities above were tested using SDS V2.1, you can get sample files here: https://github.com/OfficeDev/O365-EDU-Tools/tree/master/CSV%20Samples/SDS%20v2.1

Settings

The settings applicable to the SDS feature are:

  • Create Courses: Allow selecting the schools available in the Azure tenant which need to be synced for course creation. Multiple schools can be selected. For each school selected, a new top-level course category will be created, and each class in the school will be created as a course in the category.
  • Teams creation enabled: This controls if Moodle courses created from syncing SDS classes are automatically connected to the Microsoft Team of the SDS class. This should be enabled only if Teams are automatically created from the SDS classes.
  • Enrol users: Enrol SDS class teachers and members into Moodle courses created from the classes.
  • Advanced enrolments sync with SDS classes: Control whether to sync SDS class role changes to Moodle, and whether to sync Moodle course enrolment / role changes back to SDS class.
  • Teacher role and Member role: Control the default teacher and student roles to assign in Moodle courses for SDS class owners and members.
  • Sync profile data from school: Control the SDS school from which teacher and student profiles are synced from. If a school is selected, the teacher / student profile fields are available to match in auth_oidc profile field mapping settings.

Sync triggers

  • Course and SDS user profile sync is triggered by the Sync with SDS (\local_o365\feature\sds\task\sync) scheduled task. Note this includes the sync of SDS teacher and student profile field, which is configured in auth_oidc.
  • Sync from Moodle to SDS (e.g. course enrolments and role changes to SDS class) are triggered by Moodle observer functions, thus don't require scheduled task runs. Note there is normally a delay of up to 1 minute on Microsoft end to see such changes.

Teams Settings

This section allows configuration Moodle and Microsoft Teams integration. When fully configured, the integration will

  • Automatically create Teams for Moodle courses configured to be synced.
  • Automatically sync Moodle course users to Teams.
  • Automatically create a Moodle tab in the general channel of the created Team, linking to the Moodle course page.
  • Allow users to use Moodle courses right from Teams.
  • Allow users to ask questions about their courses, assignments, grades and students from Teams using Moodle assistance bot.
  • Forward all Moodle notifications to users to Teams.

Some features can be disabled if needed.

Prerequisite

  1. OpenID Connect Authentication plugin is enabled and configured.
  2. Allow frame embedding is enabled in HTTP security section of site configuration.
    1. Login to the site as site administrator.
    2. Go to "Site administration", then in the "Site administration" tab, go to "HTTP security" in "Security" section.
    3. Find Allow frame embedding setting and make sure it's enabled.
    4. Save changes.
  3. Web services are enabled on the site.
    1. Login to the site as site administrator.
    2. Go to "Site administration", then in the "Site administration" tab, go to "Advanced features".
    3. Find Enable web services setting and make sure it's enabled.
    4. Save changes.
  4. Moodle Microsoft 365 Webservices are enabled.
    1. Login to the site as site administrator.
    2. Go to "Site administration", then in the "Plugins" tab, go to "External services" in "Web services" section.
    3. From the list of web services in the "External service" part in "Built-in services" section, find Moodle Microsoft 365 Webservices.
    4. If the web services is disabled, i.e. greyed out, go to its settings and enable it.
  5. Give Authenticated user role permission to create web service token.
    1. Login to the site as site administrator.
    2. Go to "Site administration", then in the "Users" tab, go to "Define roles" in "Permissions" section.
    3. In the "Manage roles" tab, from the list of roles, find "Authenticated user" role, and click the edit icon for the role.
    4. From the list of permissions, find "Create a web service token", i.e. moodle/webservice:createtoken, and set it to allow.
    5. Save changes.
  6. Before you can test the messaging bot, you need to be sure that the MS Teams account has a user created in Moodle (user should have the same username as your teams user email address and Moodle user authentication type should be oidc) and you must have accessed Moodle at least once with that account.

Register Application in Azure (for the bot)

Note this is different from the application registered above to allow user login integration and doesn't require any extra API permissions.

  1. Sign in to the Microsoft Azure Management Portal.
  2. Click on the Azure Active Directory link from Azure services section, then App Registrations from the Manage section on the left.
  3. Click New application on the top menu.
  4. Enter a name for your application (can be anything you want, but should let you know this is for bot services).
  5. Choose "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" option in Supported account types section (multitenant application is required).
  6. Click Register button to finish registration.
  7. You should be redirected to the settings page of the newly registered app; if not, find the app from the list of apps, and go to the settings page by clicking on its name.
  8. Note the Application (client) ID of the app, which will be used in plugin configuration in Moodle.
  9. From the Manage section on the left of the page, go to Certificates & Secrets, and create a new client secret by clicking the New client secret button. Note the secret which will be used in plugin configuration in Moodle.
  10. In Teams Settings tab of Microsoft 365 Integration configuration in Moodle, fill in the Application (client) ID and the client secret in Application ID and Client Secret settings respectively.
  11. Save changes.

Update authentication application settings in Azure

When performing Step 1/3: Register Moodle with Azure AD in the Setup tab of Microsoft 365 Integration configuration, the PowerShell script downloaded from Moodle was used, you can skip this section. If you followed manual steps, or the application registration was completed before, you will need to follow these steps.

  1. Sign in to the Microsoft Azure Management Portal.
  2. Click on the Azure Active Directory link from Azure services section, then App Registrations from Manage section on the left.
  3. Click the app created for Moodle. Note this is not the app for Moodle Teams integration, but the one used for authentication. You may need to show All applications if the app wasn't created by your account.
  4. Go to the settings of the application by clicking its name.
  5. In the Manage section on the left of the page, go to Authentication.
  6. In the list of Redirect URIs, add the following entry, in type Web:
    1. https://your.moodle.url/local/o365/sso_end.php
  7. If bot feature is to be enabled, also add the following entry, in type Web:
    1. https://token.botframework.com/.auth/web/redirect
  8. Save changes.

Bot configuration

This section is only required if you want to enable bot features in the configuration. If bot feature is not required, please skip.

Bot deployment

  1. Go back to Teams Settings section of Microsoft 365 Integration configuration in Moodle as site administrator.
  2. Make sure Application ID and Client secret are configured and saved.
  3. Click Deploy to Azure button. This will start the process of bot deployment in Azure Portal in a popup window.
  4. Configure the following in the Custom deployment window:
    1. Choose your Subscription.
    2. Choose your Resource group. you may need to create a new one.
    3. Choose your Location.
    4. LUIS Pricing Tier - LUIS pricing tiers are explained here. The free tier should be able to get you started.
    5. LUIS Region - Region where the LUIS resource will be deployed.
    6. Bot Application ID - the application ID of the Moodle Teams integration application, which is the same as Application ID in Teams Settings tab of Microsoft 365 Integration configuration.
    7. Bot Application Password - the client secret of the Moodle Teams integration application, which is the same as Client Secret in Teams Settings tab of Microsoft 365 Integration configuration.
    8. Moodle URL'.
    9. Azure AD Application ID - The Application ID saved in the Setup tab of Microsoft 365 Integration configuration.
    10. Azure AD Application Key - The Application Key saved in the Setup tab of Microsoft 365 Integration configuration.
    11. Azure AD Tenant - The tenant name (xyz.onmicrosoft.com) of your Azure AD tenant.
    12. Shared Moodle Secret - Paste the Shared Moodle Secret setting of in the Teams Settings tab of Microsoft 365 Integration configuration.

Once all configured, agree the terms and conditions, and click Purchase. This will start the bot deployment, which can take a few minutes to finish.

Post deployment configuration

After bot deployment is finished:

  1. Sign in to the Microsoft Azure Management Portal.
  2. In the Navigation section of the page, go to Resource groups.
  3. From the list of resource groups, select the one in which the bot was created and deployed.
  4. One of the resources in the group should be in type Web App Bot. Click its name to go to settings.
  5. Copy the Messaging endpoint of the resource (e.g. https://provisioned-bot-name.azurewebsites.net/api/messages), rename messages to webhook (Ex: https://provisioned-bot-name.azurewebsites.net/api/webook)
  6. Paste this endpoint to the Bot webhook end point field in Teams Settings tab of Microsoft 365 Integration configuration page.
  7. Check Bot feature enabled box in Teams Settings tab of Microsoft 365 Integration configuration page.
  8. Save changes.

Add Moodle app to Teams

Once all configured, you are ready to add Moodle app to Teams.

  1. Go to Teams Settings tab of Microsoft 365 Integration configuration page.
  2. Click Download manifest file button. This will download a manifest file (in .zip format) which contains the Moodle app.
  3. Follow these instructions to upload the app to the app catalog of your tenant.
  4. Once the app is uploaded to the catalog of your tenant, it can be used in any Teams in the tenant.

Teams Moodle app settings

After downloading the manifest file of Moodle app, a new tab Teams Moodle app will be made available in Microsoft 365 Integration configuration page, which contains a single setting to configure the app ID of the Moodle app uploaded to Teams. This is optional but recommended. If configured, all new Teams created by Moodle course sync will:

  • automatically install the Moodle app,
  • automatically create a Moodle tab in the General channel.
  • automatically configure the Moodle tab to point to the Moodle course that's related to the Team.

From the 3.10.6 and 3.11.3 release of the plugins in April, 2022, the Moodle App ID should be automatically detected as soon as the Moodle Teams app is uploaded to the organisation catalog in Teams.

OpenID Connect Authentication Plugin

Basic Usage

Once configured, you should see a link named "OpenID Connect" on the Moodle login page. Clicking this link will redirect the browser to the identity provider. Users will log in there, and will be redirected back to Moodle. If they have logged in to Moodle using OpenID Connect before, they will be logged in to their existing Moodle account. If they have not logged in to Moodle with OpenID Connect before, an account will be created for them.

Note: If the "Prevent account creation when authenticating" setting is enabled in Moodle, new accounts will not be created.

Settings

There are a number of options you can use to customize how the plugin behaves. To configure the plugin, visit the plugin's settings page. (Site Administration > Plugins > Authentication > OpenID Connect)

  • Provider Name: The name entered here will be used through the OpenID Connect plugin and the Microsoft 365 plugins to refer to the system used to log users in. For example, if your users are used to calling their Azure AD account their "School" account, you enter "School account" here, and all references to authentication will be "Log in with your School account".
  • Auto-Append: When using the "Username/Password" login flow, this setting with automatically append a given string to an entered username. This is useful in Azure AD usernames, where a single domain name is often used for every user - i.e. [user]@contoso.onmicrosoft.com. Users would normally have to enter this entire username to successfully log in to Moodle, but in this example, entering "@contoso.onmicrosoft.com" here means users would only have to enter their unique username, i.e. "bob.smith", instead of "bob.smith@contoso.onmicrosoft.com".
  • Domain Hint: If users have several different Azure AD accounts with different tenants (i.e. @contoso.onmicrosoft.com, @example.onmicrosoft.com), but Moodle only uses one of these tenants, you can enter that tenant in this box to have the Azure AD login screen only ever suggest accounts from that tenant.
  • Login Flow: This setting changes how users log in to Moodle using the plugin. You can redirect users to the OpenID Connect provider's login page, or have users enter their credentials directly into Moodle. See the "Login Flows" section below for further information.
  • User Restrictions: This setting allows you to restrict the users that can log in to Moodle using OpenID Connect (Azure AD). Once you've entered at least one user restriction, users logging in to Moodle must match at least one entered pattern.
  • Single sign off and Logout Endpoint: If Single sign off is enabled, when a Moodle user connected to Microsoft 365 account (regardless of authentication type) logs out of Moodle, Moodle will trigger a request to the Logout Endpoint. The Logout Endpoint can be the default Microsoft 365 common logout endpoint, or the tenant specific version of it, or it can be a custom page achieving the same result.
  • Record debug messages: If you experience problems using OpenID Connect, enable this setting. Once enabled, errors will be recorded to the Moodle log for review. These errors can help you or the plugin developers debug and fix the problem. The error log can be viewed by navigating to Site Administration > Reports > Logs, changing the "All activities" select box to "Site errors", and clicking "Get these logs".
  • Custom Icon: This setting allows you to choose from a selection of predefined icons to appear next to the identity provider link on the login page. You can also upload your own icon.
  1. Visit the plugin settings page (Site Administration > Plugins > Authentication > OpenID Connect)
  2. Locate the "Icon" section of the settings page.
  3. There are several predefined icons to choose from, clicking an icon will use that icon on the login page.
  4. To use a custom icon, use the file picker below the "Icon" setting.
    1. This image will not be resized on the login page, so we recommend uploading an image no bigger than 35x35 pixels.
    2. If you have uploaded a custom icon and want to go back to one of the stock icons, click the custom icon in the file picker and click "Delete", then "OK", then "Save Changes" at the bottom of the settings page. The selected stock icon will now appear on the Moodle login page.
  • Data mapping: This section allows Moodle site administrators to configure profile field mapping from Microsoft 365 to Moodle. See user field mapping section below.

User field mapping

The Data mapping section allows Moodle site administrators to configure profile field mapping from Microsoft 365 to Moodle.

The section contains 3 settings for each Moodle profile field available to be synced. Both basic Moodle profile fields and custom fields are available. The three settings are:

  • Data mapping (field name): This allows site administrators to select from the available remote fields in Microsoft 365 to sync data from. The available options depend on various other settings.
    • The most basic fields are those available in user ID token. These are available for auth_oidc configured to connect all OpenID Connect IdPs
    • If the auth_oidc plugin is configured to connect Azure AD IdP, and local_o365 is installed and configured, additional profile fields available in Graph API calls are available to choose from.
    • If SDS user sync is configured, additional SDS user fields for teachers and students are available to choose from.
  • Update local (field name): This allows configuring when the profile field is synced.
  • Lock value (field name): This controls whether to lock the profile field for local edit by non-admin users.

How to use user restrictions

  1. Enter a regular expression pattern that matches the usernames of users you want to allow.
  2. Enter one pattern per line
  3. If you enter multiple patterns a user will be allowed if they match ANY of the patterns.
  4. The character "/" should be escaped with "\".
  5. If you don't enter any restrictions above, all users that can log in to the OpenID Connect provider will be accepted by Moodle.
  6. Any user that does not match any entered pattern(s) will be prevented from logging in using OpenID Connect.

Login flows

Plugin auth_oidc supports two different methods for users to log in: Authorization Request and Username/Password Authentication

Authorization Request

This flow redirects the user to Microsoft 365 to log in and are then brought back to Moodle logged in.

Using this flow:

  1. The user clicks the name of the identity provider (What you entered in the "Provider Name" box at the top of the settings page.) on the Moodle login page.
  2. The user is redirected to Microsoft 365 to log in.
  3. Once successfully logged in, the user is redirected back to Moodle where the Moodle login takes place transparently.

Username/Password Authentication

This login flow works like a classic username and password, except the user uses their Microsoft 365 account information.

Using this flow:

  1. The user enters their Microsoft 365 username and password directly into the Moodle login form.
  2. Their credentials are securely sent to Microsoft 365 for verification.
  3. If the credentials are verified, the user is logged in to Moodle.

Switching existing Moodle users to use Microsoft 365 to log in

If a user logs in to Moodle using OpenID Connect but does not have a Moodle account, one will be created for them. However, existing Moodle users can be migrated to use OpenID Connect and provide a connection to Microsoft 365.

  1. Ensure the Microsoft block has been added to a page in Moodle (for example, the Moodle dashboard).
  2. Log in as the user to be migrated, visit a page that has the Microsoft block visible.
  3. Click the Connect to Microsoft 365 link in the Microsoft block.
  4. You will be brought to the Microsoft 365 / Moodle Control Panel.
  5. Click the Microsoft 365 Login link under Microsoft 365 Features'
  6. Click the "Start using Microsoft 365 to log in to Moodle." link.
  7. You will be redirected to Microsoft 365 to log in. Log in with the account you'd like to link to the Moodle account you're using.
    1. NOTE: If you're already logged in to Microsoft 365, you will not have to enter your credentials on the Microsoft 365 login page. This Microsoft 365 account will be linked to the Moodle account. Ensure you are logged in to the correct account, or log out of Microsoft 365 first to show the Microsoft 365 login screen.
  8. The Moodle account will now use Microsoft 365 to log in. The previous login method will not work.
  9. The Moodle user can now use any of the Microsoft 365 features in Moodle.

Connecting existing Moodle users to Microsoft 365 without changing login method

  1. Ensure the Microsoft block has been added to a page in Moodle (for example, the Moodle dashboard).
  2. Log in as the user to be migrated, visit a page that has the Microsoft block visible.
  3. Click the Connect to Microsoft 365 link in the Microsoft block.
  4. You will be brought to the Microsoft 365 / Moodle Control Panel.
  5. There will be a "Connection Status" indicator box on the right side of the screen, click the "Click here to connect" link.
  6. You will be brought to the AzureAD authentication screen. Log in with the Microsoft 365 user's credentials you'd like to connect to the Moodle user you are logged in as.
    1. NOTE: If you're already logged in to Microsoft 365, you will not have to enter your credentials on the Microsoft 365 login page. This Microsoft 365 account will be linked to the Moodle account. Ensure you are logged in to the correct account, or log out of Microsoft 365 first to show the Microsoft 365 login screen.
  7. If login was successful, you will be brought back to the Microsoft 365 / Moodle Control Panel page, where the Microsoft 365 connection indicator should now read Active.
  8. The Moodle account is now linked to the Microsoft 365 account and can use Microsoft 365 features as that user.
  9. The Moodle user's login method will not change, the user will log in to Moodle as they always have.

OneDrive for Business Repository

The OneDrive for Business repository allows users using the Microsoft 365 integration plugins to connect to their OneDrive for Business as a Moodle repository.

Downloading and linking files

  1. When using a filepicker anywhere in Moodle, you'll see a list of repositories on the left side of the popup. Look for and click on "OneDrive for Business".
  2. You'll see two folders - "My Files" and "Courses". Click the folder for the document library you want to access.
    1. My Files contains all documents in your personal OneDrive for Business
    2. Courses will list all Moodle course shared document libraries that you have access to. If you want to download files from one of these, you'll click "Courses", then click the folder for the course you want to access.
  3. You will now see a list of all the files and folders in your OneDrive.
  4. Click the file you want to download into Moodle.
  5. Choose to "Make a copy of the file", or "Create an alias/shortcut to the file."
    1. If you want to download a copy of the file as it is now, choose "Make a cope of the file". This will copy the file into Moodle, and will then use the local Moodle copy when the file is accessed from within Moodle. Any changes to the file in OneDrive will not be seen in Moodle.
    2. If you want to link a file choose "Create an alias/shortcut to the file". This will create a link in Moodle to the file in OneDrive, and the file will be accessed from OneDrive directly. Any changes to the file in OneDrive will be seen when accessing the file from Moodle.
  6. You can change other file information like the filename or author name using the respective text fields. This information is only applicable to the Moodle side of the file, and will not transfer to OneDrive.
  7. Click "Select this file".

Uploading files

You can upload files into both your personal OneDrive for Business document library and a course SharePoint document library from the filepicker interface.

  1. When accessing a OneDrive document library from a file picker, you will see an "Upload New File" item in the list of files and folders.
  2. Click the "Upload new file" item.
  3. Choose the file you want to upload and click "Upload this file".
  4. The file will be uploaded to OneDrive and selected for the file picker.

Embedding Office documents

This repository allows users to embed Office documents from OneDrive into a course and have the live version viewable using Office web apps.

  1. Start as a user connected to Microsoft 365 and who has access to modify a course.
  2. Turn on editing for the course and choose "Add an activity or resource" for the section of the course you want to add the document.
  3. Choose the "File" resource to add to the course.
  4. In the "Content" section of the file resource settings page, click the "Add" button in the filepicker
  5. Choose the "OneDrive for Business" repository and choose your Office document.
  6. When you select a file, make sure "Create an alias/shortcut to the file" is selected, the click "Select this file"
  7. Expand the "Appearance" section, and choose "Embed" for the "Display" select box.
  8. Click "Save and display"
  9. You should see the file embedded into the page.

OneNote

OneNote is now available through Microsoft 365. If you have installed all the plugins (for example, by installing [1]) then you already have the OneNote plugins installed. To access OneNote using your Microsoft 365 subscription, add OneNote to the list of applications in your Azure application. This is done the same way you configured Azure permissions, above. Note that OneNote is still in preview, and may not be available to everyone yet. If you don't see OneNote in the list of applications to add to your Azure application, you can try logging in to a desktop OneNote application using an administrator account in your Microsoft 365 tenant. This sometimes expedites to the process of adding the OneNote preview to your tenant.

Notes on special release

3.8.0.4 and 3.9.1 release

3.8.0.4 and 3.9.1 release of the plugins on 29 September 2020 introduced improvements on SSO integration for Moodle in Teams as well as Single Sign Off support, and requires additional actions from Moodle and Azure admins.

Moodle and Teams SSO integration

The new releases is capable of getting a user token from either Teams desktop/mobile app or Teams web app, and attempt to log in as the user in the Moodle Teams tab. In order for it to work, changes in 3 sections are required.

Update Azure app settings

  1. Sign in to the Microsoft Azure Management Portal.
  2. Click on the Azure Active Directory link from Azure services section, then App Registrations from Manage section on the left.
  3. Locate the app used for Moodle and Microsoft 365 integration, and click its name.
  4. Under Manage, select Expose an API.
  5. Select the "Set" link to generate the Application ID URI in the form of api://{AppID}. Insert your fully qualified domain name (with a forward slash "/" appended to the end) between the double forward slashes and the GUID. The entire ID should have the form of: api://fully-qualified-domain-name.com/{AppID}. e.g. api://URL.TO.MOODLE/00000000-0000-0000-0000-000000000000.
  6. If you get errors when selecting the "Set" link, it may be because the Supported account types setting of your app is set to a value rather than the one with "single tenant". Try updating this value to get it working.
  7. Select the "Add a scope" button. In the panel that opens:
    1. enter "access_as_user" as the "Scope name".
    2. Set "Who can consent?" to "Admins and users".
    3. Set "Admin consent title" to be "Teams can access the user’s profile".
    4. Set "Admin consent description" to be "Allows Teams to call the app’s web APIs as the current user".
    5. Set "User consent title" to be "Teams can access the user profile and make requests on the user's behalf".
    6. Set "User consent description" to be "Enable Teams to call this app’s APIs with the same rights as the user".
    7. Ensure that "State" is set to "Enabled".
    8. Select the "Add scope" button to save.
  8. In the Authorized client applications section, identify the applications that you want to authorize for your app’s web application. Select Add a client application. Enter each of the following client IDs and select the authorized scope you created in the previous step:
    1. 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams mobile/desktop application)
    2. 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web application)
  9. Under Manage then API permissions, ensure the following permissions are added under "Microsoft Graph" > "Delegated permissions":
    1. User.Read (enabled by default)
    2. email
    3. offline_access
    4. OpenId
    5. profile
  10. Under Manage then Authentication, ensure the following boxes are checked for "implicit grant":
    1. ID Token
    2. Access Token.

Download updated manifest file

  1. Login to Moodle as site administrator.
  2. Go to "Microsoft 365 Integration" page in the site admin section.
  3. Go to "Teams Settings" tab.
  4. Verify settings on the page, note that two new settings are added in this release:
    1. Microsoft app ID for the Moodle Teams app: This is used in the "ID" field of Teams app manifest file, which is essentially a self generated app ID to identify itself. It should be set to the default value in most use cases, otherwise it may affect upgrading of the Teams app. The only scenario a custom value is to be set for this setting is when there are multiple Moodle sites in the organisation, and they all need to be integrated with Teams, thus each site will require a separate Teams app. If custom value is required, please use powershell or external tools to generate valid ones.
    2. Teams app name: This allows you to give a custom name, rather than the default "Moodle", to the Moodle Teams app created. It can be useful if you have multiple Moodle sites in your organisation, and each creating a separate Moodle app for Teams integration.
  5. Once settings are verified, save changes, go back to the tab, and click the "Download manifest file" button to download the new manifest file for the upgraded app.

Update Moodle app in Teams

  1. As a tenant admin, go to Teams.
  2. Go to "Apps" page to manage apps.
  3. From the menu on the left, click on the link "Built for YOUR ORGANISATION". This should list all custom apps uploaded for your tenant.
  4. Locate the previous Moodle app, click the options button on the card for more options, and click "update". This should open a file picker.
  5. Select the new manifest file downloaded from Moodle.

Note that as long as the Microsoft app ID for the Moodle Teams app setting is not changed, this should be recognised as an app upgrade, rather than uploading a new app. This means that the app will be kept in all existing Teams that have it installed, and all existing Moodle tabs will keep working.

Single Sign Off

When a Microsoft 365 authenticated user clicks the Moodle log out button, it is possible to log the user out from Microsoft 365 at the same time.

In order for this to work, configuration changes in two places are required:

Moodle settings change

  1. Sign in Moodle as site admin.
  2. Go to "OpenID Connect" settings page under Plugins - Authentication:
  3. Go to "Advanced" tab.
  4. Enable "Single sign off".
  5. Save changes.

Azure app settings change

  1. Click on the Azure Active Directory link from Azure services section, then App Registrations from Manage section on the left.
  2. Locate the app used for Moodle and Microsoft 365 integration, and click its name.
  3. In the Manage section on the left of the page, go to Authentication.
  4. In the list of Redirect URIs, add the root URL of your Moodle site (wwwroot) as an entry.

3.8.0.5 and 3.9.2 release

3.8.0.5 and 3.9.2 release of the plugins on 18 November 2020 added support for synching the default timezone preference of the user in Outlook to Moodle. This requires the following permissions to be granted for the Azure app.

  • If your Moodle site uses Application access connection method, you will need to add and grant MailboxSettings.Read application permission.
  • If your Moodle site uses System API User connection method, you will need to add and grant MailboxSettings.Read delegated permission.

3.9.8, 3.10.5 and 3.11.2 release

3.9.8, 3.10.5 and 3.11.2 release of the plugins on 07 December 2021 updated the implementation of SDS feature, and updated it to use Microsoft Graph APIs instead of legacy APIs. As a result, additional permissions are required for the feature to work properly.

  • If your Moodle site uses Application access connection method, you will need to add and grant EduRoster.Read.All (covered by EduRoster.ReadWrite.All in the next release) and Member.Read.Hidden application permissions.
  • If your Moodle site uses System API User connection method, you will need to add and grant EduRoster.ReadBasic delegated permission.


Known issue: If you try to access "School data sync" tab without the changes above to the app, you will get this error message: "Error in API call: Required roles claim values are not provided."

3.10.6 and 3.11.3 release

3.10.6 and 3.11.3 release of the plugins on 06 April 2022 contained a few major changes that require Azure app and configuration updates:

  • Support for the System API user connection method was dropped, as a result, previously required delegated permissions can be dropped from the Azure app, and all application permissions are required.
  • The task that processes course sync is renamed from "Create user groups in Microsoft 365" (\local\o365\groupcreate) to "Sync Moodle courses to Microsoft Teams" (\local\o365\coursesync).
  • The course sync feature was completely rewritten following LMS integration guidelines set out by Microsoft. Many Graph API calls were changed, which requires changes in the Azure app permissions.
  • The change to the course sync feature also added support to Teams Classes LTI, which allows Teams connected to Moodle courses to be embedded in the course page as external tools using mod_lti.
  • The feature to allow users from additional tenants to login to Moodle was updated to support users having UPN with alternative domain names. This requires site administrators to migrate existing multi-tenant configurations.

The drop of System API user connection method

For any Moodle site currently using the System API user connection method to communicate with Microsoft services, Moodle site administrators will get the option to switch to the Application access connection method to continue using the integration when they visit the Microsoft 365 integration configuration page.

Azure app permission changes

Preferably the Azure app permission changes need to be applied BEFORE the plugins are upgraded.

The following application permissions need to be added to the Azure app:

  • AppCatalog.Read.All
  • Channel.ReadBasic.All
  • EduRoster.ReadWrite.All
  • Team.Create
  • TeamMember.ReadWrite.All
  • TeamsAppInstallation.ReadWriteForTeam.All
  • TeamSettings.ReadWrite.All
  • TeamsTab.Create

All delegated permissions can be removed from the Azure app, with the following exceptions:

  • Calendars.ReadWrite
  • Files.ReadWrite.All
  • Group.ReadWrite.All
  • Notes.ReadWrite.All
  • User.Read
  • openid
  • offline_access
  • email
  • profile


Make sure admin consent is granted for the latest list of permissions in Azure portal after making permission changes.

Moodle site admins need to go back to the Microsoft 365 integration configuration page in Moodle and click the "Provide admin consent" button to update the application tokens. Purge cache after it's done, and verify setup to ensure no permissions are missing.

Multi-tenant SSO improvements

Previously when an additional tenant is added to the multi-tenant feature, Moodle stores the initial domain name of the tenant, e.g. contoso.onmicrosoft.com, and check if an authenticated user has the domain name in its UPN. This isn't scalable enough because a tenant can have multiple verified domain names, and tenant users can have UPN with any of them, e.g. contoso.com. The improved implementation records the ID of the additional tenant, along with all its verified domain names. When determining if an authenticated user is from an additional domain, the tenant ID is used.

In order to facilitate this change, site administrators of all Moodle sites that have existing multi-tenant configured need to migrate their additional tenant settings. This will require a site administrator goes to the Microsoft 365 integration configuration page > Advanced > Configure additional tenants, and follow the instructions on the page. They will need to login to Microsoft 365 as the admin of the additional tenant to finish the setup, similar to how multi-tenant was originally set up.

Teams integration known limitations

  • If the Moodle site is not publicly accessible, e.g. on an intranet, Moodle tabs will not work in Teams desktop and mobile apps. They will only work in web apps from browsers.
  • It is a known issue that if a Microsoft 365 user has never login to Moodle ever, the first attempt of the user to SSO from Teams to Moodle will not work silently. Instead, the user will need to click a button from the prompt to login.

Any further questions?

For support, please open an issue on GitHub at [2]

For community discussion, please post in the Moodle office tool integrations forum on moodle.org. Note: developers may or may not see questions in this forum thread.

Resources

Tooling and guidance on deploying Scalable Moodle Clusters on Azure