microsoft/o365-moodle

Field mappings and synchronization working only for a few fields

nvallinoto opened this issue · 2 comments

Dear Moodle developers,

I have successfully installed the auth_oidc and local_o365 plugins for authorization and synchronization of users from Azure AD to Moodle, using these Moodle/plugin versions:

Moodle - version: 4.1 - 2022112800
OpenID Connect - auth_oidc - version: 4.1.4 - 2022112825
Microsoft 365 Integration - local_o365 - version: 4.1.5 - 2022112826

The authorization is working quite well, excluding the "Resource Owner Password Credentials Grant" login flow. This login flow prevents some users from logging in to Moodle. For the moment I have solved this issue by using the "Authorization Code Flow" login flow.

The main problem I've encountered is the following:

  • only some fields are updated in Moodle user profiles after the task "Sync users from Microsoft Entra ID" is executed or the user logs in Moodle.

Only these fields are mapped in Moodle:
Given name, Surname, mail, UserPrincipalName.

Other fields are not mapped in Moodle such as:
SamAccountName, StreetAddress, OfficePhone, MobilePhone, extensionAttribute1..8, City, Company, Country, Department, DisplayName.

And other fields are not included in the combo where you can choose the user data to be mapped from the OpenID Connect IdP to Moodle, such as:
Name, cn, sn.

The last unexpected behaviour is that all the users have been moved (synced) to Moodle (active and not active), but the users disabled in Azure AD (Enabled=false) are not suspended in Moodle. They appear active in Moodle.

Maybe I missed something or made some mistakes on the configuration pages of the Microsoft 365 plugins.

Maybe some of you have already encountered these behaviours and can give me a suggestion to solve them.

Your help will be much appreciated.

I have an update concerning the user sync from Azure AD to Moodle.
After ticking "Perform a full sync each run" (in the Sync Settings of Microsoft 365 Integration) the behaviour changed, and after the execution of the "Sync users from Microsoft Entra ID" daily task some further fields are now mapped and updated in Moodle.
The fields I tried and that worked are: SamAccountName, City, Department.

Hi @nvallinoto

First of all, the "Resource Owner Password Credentials Grant" flow is deprecated. There has been no development or testing done on it for some time now. It will be removed from the plugin soon.

Regarding the user sync task:

  • The "Perform a full sync each run" option controls whether to get the full list of accounts or the delta list - the accounts that have changed since the last time the list of accounts was fetched. If you don't have an extremely large tenant with over 10,000 users, a full sync will probably work better.
  • Full sync and delta sync both return a list of users, each of which is represented as a 'user' type of resource.
  • The list of user profile properties fetched using either full sync or delta sync is exactly the same. These are 'id', 'userPrincipalName', 'displayName', 'givenName', 'surname', 'mail', 'streetAddress', 'city', 'postalCode', 'state', 'country', 'jobTitle', 'department', 'companyName', 'preferredLanguage', 'employeeId', 'businessPhones', 'faxNumber', 'mobilePhone', 'officeLocation', 'manager', 'accountEnabled', 'onPremisesExtensionAttributes', 'onPremisesSamAccountName'.
  • If you want to sync additional profile fields that are not on the list, please make sure they appear on the list of properties first, and if they do, create a new issue for the feature request. These are processed relatively fast.
  • In case the field mapping works only when the user sync task runs, but not on login, the first thing to do is to verify the field mapping settings to ensure that they are configured to run at user login. If they are, then it means that auth_oidc incorrectly thinks the field mapping performed on user login doesn't require making calls to the Graph API. (If the field mapping only uses remote fields from this list, and no others, they will be taken from the user access/ID tokens and no Graph API call will be made: Given name, Surname, mail, UserPrincipalName, Object ID.) You may want to check why that is. The check is performed here:
```php
/**
 * Check if any of the fields in the field map configuration would require calling Graph API function to get user details.
 *
 * @param string $eventtype
 *
 * @return bool
 */
public static function fieldmap_require_graph_api_call($eventtype) {
    global $CFG;
    require_once($CFG->dirroot . '/auth/oidc/lib.php');

    // Microsoft Identity Platform can only get user profile from Graph API.
    if (get_config('auth_oidc', 'idptype') == AUTH_OIDC_IDP_TYPE_MICROSOFT_IDENTITY_PLATFORM) {
        return true;
    } else {
        $fieldmappings = auth_oidc_get_field_mappings();
        // Remote fields available from the access/ID token; anything else needs a Graph API call.
        $idtokenfields = ['givenName', 'surname', 'mail', 'objectId', 'userPrincipalName'];
        foreach ($fieldmappings as $fieldmapping) {
            $remotefield = $fieldmapping['field_map'];
            if (!in_array($remotefield, $idtokenfields)) {
                // A non-token field updated 'always' or on this event ('oncreate' / 'onlogin') requires Graph.
                if ($fieldmapping['update_local'] == 'always' || $fieldmapping['update_local'] == 'on' . $eventtype) {
                    return true;
                }
            }
        }
    }

    return false;
}
```

Hope this helps.

Regards,
Lai
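The decision described in the reply above, as an added standalone PHP script that is not part of auth_oidc or local_o365: it mirrors the condition in fieldmap_require_graph_api_call() over a constructed field map, reports per local field whether the value comes from the ID token, needs a Graph API call, or is inactive for the event, and flags remote names that the sync task never fetches. The mapping shape (field_map / update_local with 'oncreate' or 'onlogin', the convention Moodle auth plugins use), the local field names, the 'sn' entry and the boolean standing in for the idptype check are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example (not auth_oidc/local_o365 code): standalone CLI check that
// mirrors the decision in fieldmap_require_graph_api_call() and reports, per
// mapped field, whether it is served from the ID token, whether it needs a
// Graph API call, and whether the user sync task fetches it at all.

// Remote fields auth_oidc takes from the access/ID token without calling Graph.
const IDTOKEN_FIELDS = ['givenName', 'surname', 'mail', 'objectId', 'userPrincipalName'];

// Properties the sync task fetches, as listed in the maintainer's reply above.
const SYNC_PROPERTIES = [
    'id', 'userPrincipalName', 'displayName', 'givenName', 'surname', 'mail',
    'streetAddress', 'city', 'postalCode', 'state', 'country', 'jobTitle',
    'department', 'companyName', 'preferredLanguage', 'employeeId',
    'businessPhones', 'faxNumber', 'mobilePhone', 'officeLocation', 'manager',
    'accountEnabled', 'onPremisesExtensionAttributes', 'onPremisesSamAccountName',
];

/**
 * Classify a field map for one event type ('login' or 'create').
 *
 * $fieldmappings follows the shape returned by auth_oidc_get_field_mappings():
 * local field => ['field_map' => remote property, 'update_local' => 'always'|'oncreate'|'onlogin'].
 * $msidplatform (assumption) stands in for the idptype == Microsoft Identity
 * Platform check, where the plugin always goes to Graph.
 */
function analyse_fieldmap(array $fieldmappings, string $eventtype, bool $msidplatform = false): array {
    $report = [
        'graph_required' => $msidplatform,
        'from_token'     => [],   // updated on this event without Graph
        'from_graph'     => [],   // updated on this event only if Graph is called
        'inactive'       => [],   // update_local does not fire for this event
        'not_in_sync'    => [],   // remote name the sync task never fetches
    ];
    foreach ($fieldmappings as $localfield => $mapping) {
        $remote = $mapping['field_map'];
        $when   = $mapping['update_local'];
        $active = ($when === 'always' || $when === 'on' . $eventtype);
        if (!in_array($remote, SYNC_PROPERTIES, true)) {
            $report['not_in_sync'][$localfield] = $remote;
        }
        if (!$active) {
            $report['inactive'][$localfield] = $remote;
            continue;
        }
        if (in_array($remote, IDTOKEN_FIELDS, true)) {
            $report['from_token'][$localfield] = $remote;
        } else {
            $report['from_graph'][$localfield] = $remote;
            $report['graph_required'] = true;   // same condition the plugin checks
        }
    }
    return $report;
}

// Constructed config approximating the reporter's symptom: only token fields
// update on login, everything else only on create. Remote names are Graph
// property names; 'sn' is deliberately one the sync task does not fetch.
$constructedmappings = [
    'firstname'     => ['field_map' => 'givenName',                'update_local' => 'onlogin'],
    'lastname'      => ['field_map' => 'surname',                  'update_local' => 'onlogin'],
    'email'         => ['field_map' => 'mail',                     'update_local' => 'onlogin'],
    'department'    => ['field_map' => 'department',               'update_local' => 'oncreate'],
    'city'          => ['field_map' => 'city',                     'update_local' => 'oncreate'],
    'institution'   => ['field_map' => 'companyName',              'update_local' => 'oncreate'],
    'idnumber'      => ['field_map' => 'onPremisesSamAccountName', 'update_local' => 'oncreate'],
    'alternatename' => ['field_map' => 'sn',                       'update_local' => 'oncreate'],
];

foreach (['login', 'create'] as $eventtype) {
    $r = analyse_fieldmap($constructedmappings, $eventtype);
    printf("event=%s graph_required=%s\n", $eventtype, $r['graph_required'] ? 'yes' : 'no');
    foreach (['from_token', 'from_graph', 'inactive', 'not_in_sync'] as $bucket) {
        printf("  %-12s %s\n", $bucket . ':', implode(', ', array_keys($r[$bucket])) ?: '-');
    }
}
```

With this constructed map the login event reports graph_required=no and only firstname, lastname and email in from_token, which is the pattern the reporter observed; switching a non-token field such as department to 'onlogin' flips graph_required to yes, which is the setting to confirm when fields update on the sync task but not at login.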