Frequently Asked Questions (7)
Support and SLA
In this article we explain how you can access support, our SLA's and how to raise any issues.
Role
The available roles.
How to change your language in the platform.
How to change your language in the platform.
Can I give a user only access to a course and not the other features?
Sometimes you need to give a user access to only a specific course (or courses) and not any of the other features like the library.
Why is my course not getting to 100%
Why is my course not getting to 100%
Where can I find my certificate?
Where can you find your certificate(s)
How do I reset my password?
How to reset my password
Announcements (6)
Changelog 4.3
Changelog 4.3 update
New Support
Based on a recent study, we decided to change our support.
Changelog Update 4.2
In this article you will find the new edloomio changelog update 4.2
Bulk enrol teams
You can manually enroll users into teams by uploading a csv file.
Restrict courses inside the Library
You can restrict courses in the library in multiple ways like Teams, Categories, Course enrollment methods, and visibility.
Changelog 4.1
Discover the new features, improvements and bug fixes in the 4.1 version.
Reports (9)
Certificate report
In the Certificate Report, you can filter on team, course, expire within (Months), suspended user and status to see a detailed certificate report.
Face to face report
How to see the Face to face Report
Team Completion report
How to use the Team Completion report
Learning Journey Report
How to use the Learning Journey Report
Recompletion Report
How to use the Recompletion Report
Course Completion report
How to use the Course Completion report
Export Report
How to export a report
Sales Report
How to see the Sales Report
Report status and colors
In this article you can read what the status and colors mean in the reports.
Tools (19)
Automations
The new automation engine allows you to create automations by the simple methodology “If this, then this”.
Projectmanagement
Create projects in your edloomio L&D platform,
Registration Pages
Registration pages offer a great way to have employees, customers or partners create an account on your edloomio L&D platform.
Surveys
Create surveys in your edloomio L&D platform, gather and analyze data in order to make learning experiences more interactive and engaging.
Landing Pages
Landing pages enables you to use the power of storytelling. It will help you convert visitors into learners.
Newsletter
Newsletters are a powerful tool to reach your audience. Attract them with news or interesting information about your L&D programs and invite them to visit your edloomio L&D platform and start learning.
Knowledge Base
Make more learning content accessible in your own knowledge base.
Goals
Goals are a great way to stimulate a person to grow. Assign goals to individuals and review them once completed.
Learning Journey
Learning Journeys gives users a clear overview of which courses they need to complete in order to complete the Learning Journey. Often used for onboarding new hires.
Tools Page
The tools page covers the entire platform. Here you get a complete overview of all the tools that are available within the platform.
Library
Create a library where people can browse and access courses.
Jobs
Create a job listing in edloomio. When people apply for the job, they automatically enroll into a course where you can challenge them with quizzes, tasks or even mini games. You can instantly see who is the best candidate for the job and invite them for an interview.
Skills
Upskill or reskill your employees in these challenging times. Add skills and skill levels to course completion, learning journeys, goals and more. With active learning, employees will improve their skill levels automatically.
Gamification
The Gamification feature enables you to add points to courses and a leaderboard to stimulate competition between users.
Share
Enable social learning in your organisation and enable people to share their own learning content with others.
Messaging
Active one-to-one or group messaging in your edloomio platform.
Evaluations
Edloomio offers an easy way to schedule evaluations. These evaluations display on the user's profile and include an invitation to the user.
Explore
AI powered YouTube video recommendations based on user's learning.
Support Form
Activate a support form for your users.
Issues (2)
I can’t find my course in the library
When you’ve created a course and you can not find it.
My course does not show as complete
You have created a course, but the course is not marking completed for users.
Course How To's (28)
Ways to create user accounts
Here you will find more information on the different options for creating a user account
How to create a course?
To create a new course please follow these steps:
Bulk import new user's
Learn how to create multiple user accounts via a csv file.
How to create a new user account
To create a new user account you need to follow the next steps:
Upload certificate background in activity
In this manual you learn how to upload a certificate background in the certificate activity.
Delete course completion
How to delete the course completion of users.
Face to Face Session
Advanced offline training activity. Including booking options, sessions, waiting lists and more.
Manage course categories
How to manage a course category or categories.
Bulk enrol users into a course
Learn how to enrol multiple users into a course via a csv file.
Enrol users and teams to your course
How to enrol users and teams to your course.
How to enable or disable viewing test results?
It is possible to turn participants' access to test solutions on or off when they have finished the test. Find out how to turn this option on or off here
Bulk enrol users into a Learning Journey
Learn how to enrol multiple users into a Learning Journey via a csv file.
Bulk update user passwords
How to bulk update user passwords
Change text video's play button
If you want to hide or change the text in the video's play button, follow the next steps:
How to set up a text for the course results
If you need to set up the text for the course results please follow the next steps:
Import course completion dates
You can manually import course completion dates by uploading a csv file.
How to edit the course image
Want a new picture for your course? Just follow the next steps to edit the course image:
Course welcome message
When you enrol a user into a course you can automatically have a course welcome message sent to the user email address.
How to change a users password
Changing a user's password is easy. To change the password, follow the steps.
Course Completion Reminder
In a course you can enable the course completion reminder that will send a message to the enrolled users who have not completed the course yet.
Automatic course recompletion
Set up automatic course recompletion forcing users to recomplete the course.
Restrict access to activities of my course
How to restrict the access to activities of your course.
Archive course completion
How to archive course completion dates of users.
Communicate with users in your course
In this article we show you how you can communicate with users that are enrolled into your course.
Code Enrollment
How to set up Code Enrollment
Stripe payment
Request Stripe payment to access your course.
Course approval enrollment
The course approval enrollment gives you the option to require approval of a manager before the user is enrolled into the course.
Hide a course
How to hide a course.
Course Activities (11)
Offline Training Activity
Simple offline training activity to register classroom training attendance.
External Tool (LTI) Activity
LTI offers a way to link to courses on external platforms without the need to login.
Course Pages
How to use the Course Pages activity
SCORM Activity
Import external courses with the SCORM activity. An industry standard used by most course vendors.
Video Page
The Video Page activity can be added if you want to display a video inside a course.
Face to Face Activity
Advanced offline training activity. Including booking options, sessions, waiting lists and more.
Certificate Activity
Add a certificate activity to your course.
Interactive content (H5P)
Create interactive content with H5P. Add interactivity to your course.
Doc Viewer
The Doc Viewer activity can be used if you want to display documents/PowerPoints in a course.
Certificate not displaying special characters
In some languages that use special characters, on the certificate these special characters are missing and replaced with a question mark.
Compliance Activity
Add a compliance activity to your course.
Usage Cases (2)
Selling Learning (access to courses)
Sell access to your courses.
Employee Training
Edloomio enables you to easily create and manage employee training.
Setting Up Your Platform (7)
Day 1 with edloomio
We put together this quick guide to help you get started with configuring your L&D platform on day 1.
Teams
Copy your organisation structure into teams. Assign team leaders, run team reports and much more.
Office 365

Note: You are using version 3.10.5 of the Office 365


Introduction

Microsoft 365 services complement the edloomio learning platform to provide a more productive experience for teachers and students.

Differences from edloomio Core

Although edloomio now provides Microsoft 365 authentication and basic OneDrive repository support, the Microsoft 365 plugin suite provides a much wider set of features.

A few key features only found in the Microsoft 365 feature suite:

  • User sync from Microsoft 365/Azure AD to edloomio
  • Automatic and manual user matching from Microsoft 365/Azure AD to edloomio
  • Calendar sync
  • OneNote assignment submission and feedback types
  • Office document embedding using Office web apps
  • Fully customisable sign-in experience
  • Integration between edloomio courses and Microsoft Teams, with support for Teams Classes LTI
  • Integration with School Data Sync (SDS)

Requirements

To use the Office 365 feature, you need the following:

  • A Microsoft 365 subscription.
  • A Microsoft Azure subscription.

Features

The Office 365 feature contains 6 core plugins, and 3 optional plugins, which provide a wide variety of features to enhance your edloomio instance.

  • Microsoft 365 Local Plugin (local_office365)
    • This is a shell plugin which has dependencies on the current version of each of the 5 other core plugins that make up the complete set. Installing this plugin ensures you have the current version of each of the functional plugins installed.
  • OpenID Connect Authentication Plugin (auth_oidc)
    • This plugin allows users to log in to edloomio using their Microsoft 365 accounts.
    • Users with existing edloomio accounts can switch to use this authentication type.
    • New users can log in with this plugin and have an account created for them.
    • Features:
      • Standards-Compliant OpenID Connect Authentication.
      • Supports authorization code or resource-owner credentials grants.
        • Users can log in to edloomio by clicking the identity provider on the login page, or by entering their OpenID Connect credentials.
      • User profile field mapping
        • User profiles can be mapped and synced from IdP to edloomio.
      • Customizable Icon + Identity Provider name
        • The icon and identity provider name shown on the edloomio login page can be customized. A number of prechosen icons are available, as well as the ability to upload your own.
      • Provides hooks to link OpenID Connect accounts to edloomio accounts
        • If you do not want to change your users' login method, you can still connect to an OpenID Connect provider. The plugin provides code-level hooks to link a edloomio account to an OpenID Connect account without changing the edloomio user's authentication method. This means you can obtain tokens from an OpenID Connect service in the background.
      • Optional user-self-service connection and disconnection
        • A user-facing page is available for users to switch to and from OpenID Connect authentication. Access to this page and feature is controlled by a capability so administrators can disable it.
  • Microsoft 365 support plugin (local_o365)
    • This plugin contains most of the Microsoft 365 integration back-end, such as the functions to communicate with Microsoft 365 services.
    • It also contains sync feature of many Microsoft 365 services, e.g. users, courses, calendars, events, files, notes and SDS.
    • Features:
      • Calendar sync from/to Outlook.
        • Users can sync site events, course events, assignment due dates, and their personal edloomio calendar to their Outlook calendar.
      • User sync
        • Users can be synced from Azure AD, or matched with existing users.
      • Course sync
        • Teams can be automatically created for course in edloomio , and Team membership is kept up-to-date with edloomio enrolments.
        • Teams created in tenants with education license can also be embedded in edloomio using Teams Classes LTI.
      • School Data Sync (SDS) Integration
        • Edloomio courses can be created from classes in SDS schools.
        • Bidirectional sync between SDS class owners/members with edloomio course teachers/students.

Setup

Enable the tool 

The feature is available from:

  • The edloomio tool page.

    When you log in to your edloomio instance and go to the tools page, you are presented with all the tools edloomio offers. Enabled the office365 tool. The tool will be automatically available.

    After you have the tool enabled in your edloomio instance, you'll need to do a bit of configuration before you can use the plugins.


    Plugin auth_oidc configuration - part 1

    1. Navigate to Admin Menu> Integrations> Office 365.
    2. Locate the OpenID Connect link button. 
    3. Click the Settings link for the plugin.
    4. Verify the Authorization and Token endpoints.
      1. These should be set by default to the following values:
        • Authorization Endpoint: https://login.microsoftonline.com/common/oauth2/authorize
        • Token Endpoint: https://login.microsoftonline.com/common/oauth2/token
      2. It's also possible to replace the "common" part in the endpoints to be your tenant name or tenant GUID. By doing so, users who are redirected to Microsoft login pages (using the auth code login flow) will see the custom login page of your tenant if one is configured following instructions. e.g.
        • Authorization Endpoint: https://login.microsoftonline.com/sample.onmicrosoft.com/oauth2/authorize
        • Token Endpoint: https://login.microsoftonline.com/sample.onmicrosoft.com/oauth2/token
      3. Note the endpoints may be in different format for B2C tenants. Please verify it in your Azure AD portal.
      4. Also note if you plan to use the multi-tenant feature to allow users from other Microsoft 365 tenants to login to the edloomio site, the default endpoints need to be used.
    5. Note the Redirect URI. This should be the URI of your edloomio instance followed by /auth/oidc/. You will need to enter this value into Azure portal later, so note this value and put it aside.
      • For example, https://www.example.com/auth/oidc/
      • Notes:
        1. This is a fixed value that is derived from your edloomio site's configured URL (wwwroot). You cannot change this value directly. If you need to change it for any reason, you must change your edloomio site's configured domain name ($CFG->wwwroot).
        2. This URI must be a fully qualified domain name pointing to your edloomio instance.
        3. The edloomio site's configured URL must use HTTPS, even with a self signed SSL cert. Redirect URI using HTTP will not be acceptable when creating Azure app for the integration.
        4. If your edloomio installation is configured with an IP address pointing to your instance, you must change $CFG->wwwroot in your config.php to a fully-qualified domain name.
        5. This domain name does not need to be publicly accessible (i.e. internet-wide), but does need to be accessible to users of your edloomio instance. So, for example, you can use an intranet-only domain name.

    Azure App Creation and Configuration

    Prerequisite

    You will need an Azure subscription. If you do not have one, you can create one by visiting Microsoft Azure Sign Up.

    To use edloomio with Microsoft 365 for SSO, you must configure Microsoft Azure to manage your Microsoft 365 Microsoft Azure Active Directory. A guide is available at this link.

    Note: During the setup, you are required to enter a credit card and phone number. If you do not setup virtual machines or use paid services on the subscription, and only use it to access the Azure Active Directory, you will not be charged for the subscription.

    Register Application in Azure using PowerShell script

    The easiest way to register application in Azure is to run the PowerShell script downloaded from the plugin configuration page. Go to Admin Menu> Integrations> Office 365. Hit the Download PowerShell Script button on the page.

    Instructions on how to the PowerShell script to create Azure app using the downloaded file is available at /local/o365/scripts/README.md path of your edloomio installation.

    You should only follow the manual process if you are unable to setup the AzureAd app via PowerShell script, or you need to verify some specific settings.

    Register Application in Azure manually

    The following steps are involved in the manual setup:

    1. Sign in to the Microsoft Azure Management Portal.
    2. Click on the Azure Active Directory link from Azure services section, then App Registrations from Manage section on the left.
    3. Click New registration on the top menu.
    4. Enter a name for your application (can be anything you want, but should let you know this is for edloomio).
    5. Choose option applicable to your organisation in Supported account types section.
    6. In Redirect URI (optional) section, select Web and put the redirect URI from the OpenID Connect authentication plugin configuration. Ensure there is a trailing slash for this URI - i.e. https://example.com/auth/oidc/
    7. Click Register.
    8. You now have an application registered in Azure for edloomio. Move on to the next section to properly configure it.

    Configure application

    1. Locate the App.
      • If you followed steps above to create the Azure app, you should be redirected to the app settings page already.
      • Otherwise:
        1. Sign in to the Microsoft Azure Management Portal.
        2. Click on the Azure Active Directory link from Azure services section, then App Registrations from Manage section on the left.
        3. Click on the App you created for edloomio. Note you may need to change the dropdown from "My apps" to "All apps" if the App was not created by you.
        4. Locate the Application ID, note this value (write it down or copy it somewhere), and set it aside. You'll need it later.
        5. Click on the display name of the App to open its settings.
    2. Enable implicit grant flow.
      1. From the menu on the left, go to Authentication link in the Manage section.
      2. In the Implicit grant section, check both "Access tokens" and "ID tokens".
      3. Save the changes.
    3. Create client secrets.
      1. From the menu on the left, go to Certificates & secrets link in the Manage section.
      2. Create a new client secret by clicking New client secret button.
      3. Enter a description, and select a duration for "Expires".
      4. Click Add.
      5. A value will appear under Value, note this value (write it down or copy it somewhere) and set it aside. You'll need it later.
    4. Expose an API - only required if Teams sync feature is used.
      1. From the menu on the left, go to Expose an API link in the Manage section.
      2. Click the Set link next to Application ID URI.
      3. This should open a Set the APP ID URI prompt, with a default value such as "api://00000000-0000-0000-0000-000000000000", where the GUID is the same as your Application ID.
      4. Replace this value with "api://URL.TO.EDLOOMIO/00000000-0000-0000-0000-000000000000", where URL.TO.EDLOOMIO is the wwwroot of your edloomio site, and the GUID is the same was default value, i.e. your Application ID.
      5. Click Save to create the Application ID URI.
      6. Click Add a scope.
      7. Enter access_as_user as scope name.
      8. Set Who can consent? to Admins and users.
      9. Set Admin consent title to Teams can access the user’s profile.
      10. Set Admin consent description to Allows Teams to call the app’s web APIs as the current user.
      11. Set User consent title to Teams can access the user profile and make requests on the user's behalf.
      12. Set User consent description to Enable Teams to call this app’s APIs with the same rights as the user.
      13. Ensure that State is set to be Enabled.
      14. Select the Add scope button to save.
      15. In the Authorized client applications section, identify the applications that you want to authorize for your app’s web application. Select Add a client application. Enter each of the following client IDs and select the authorized scope you created in the previous step:
        • 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams mobile/desktop application)
        • 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web application)
    5. Configure App Permissions.
      1. Click the API permissions link in the Manage section.
      2. Click Add a permission button.
      3. In Select an API section, choose Microsoft APIs tab, then choose Microsoft Graph.
      4. Check the checkbox for each Application and Delegated permission according to the section below.
      5. Click Add permissions at bottom of the page to add the permissions.
      6. After all the permissions are added, click the Grant admin consent for YOUR ORGANISATION NAME link.

    Azure app permissions

    The integration uses various Microsoft Graph APIs to communicate with Microsoft 365 to get and set data, which of which requires a different set of permissions. The integration provides a list of recommended permissions to be given to ensure all features in the integration works, all of which are added automatically by the PowerShell script if it's used. Advanced users can customise the permissions according to the need of their own organisation, e.g. if group/team integration is not used, all permissions related to group can be removed, e.g. Group.ReadWrite.All.

    Application permissions vs delegated permissions

    Before 3.10.6 and 3.11.3 release, the integration supports two connection methods to communicate with Microsoft Graph API endpoints - Application access and System API user.

    • Application access connection method uses an application token to call Graph APIs as an application, and requires application permissions.
    • System API user connection method calls the Graph APIs as the configured system API user, and requires delegated permissions.

    Note that the System API user connection method is deprecated since the 3.10.6 and 3.11.3.

    Permissions

    For a full list of Microsoft Graph API used, and the permissions required, please refer to this spreadsheet. Note that:

    • This document is constantly updated.
    • For each Graph API, a few permissions may be listed. Graph API can be called if permissions in any line is added, and the admin consent is granted for your organisation.


    The recommended permissions to ensure all integration features work are listed below. These would be the same set of permissions that are applied when using the PowerShell script to set up the Azure app.

    TypePermissionDisplay NameUse
    Application PermissionsAppCatalog.Read.AllRead all app catalogsUsed to find installed edloomio Teams app to be installed in Teams created for connected edloomio courses.
    AppRoleAssignment.ReadWrite.AllManage app permission grants and app role assignmentsAdd user to the Azure app if the option in the user sync option is enabled.
    Calendars.ReadWriteRead and write calendars in all mailboxesRequired for calendar event sync.
    Channel.ReadBasic.AllRead the names and descriptions of all channelsUsed to find the general channel in a team to install the edloomio tab in course and Teams integration.
    Directory.ReadWrite.AllRead and write directory dataA common permission used in integration configuration, user sync and course sync.
    Directory.Read.AllRead directory dataA common permission used in integration configuration, user sync and course sync.
    EduRoster.ReadWrite.AllRead and write the organization's rosterRequired in SDS sync and course sync in tenants with education license.
    Files.ReadWrite.AllRead and write files in all site collectionsRequired for the Microsoft 365 repository to access, download, and upload files to OneDrive.
    Group.ReadWrite.AllRead and write all groupsRequired in the integration between edloomio courses and Teams.
    MailboxSettings.ReadRead all user mailbox settingsRequired for syncing Outlook default timezone settings of the user.
    Member.Read.HiddenRead all hidden membershipsRequired in the SDS sync feature to get school class members.
    Notes.ReadWrite.AllRead and write all OneNote notebooksRequired for the OneNote integration to create notebooks, sections, and pages for assignments.
    Sites.Read.AllRead items in all site collectionsRequired to detect OneDrive for Business URL setting.
    Team.CreateCreate teamsRequired for creating Teams for edloomio courses.
    TeamMember.ReadWrite.AllAdd and remove members from all teamsRequired for syncing edloomio course users to Teams.
    TeamsAppInstallation.ReadWriteForTeam.AllManage Teams apps for all teamsRequired to install edloomio Teams app to Teams created from edloomio courses.
    TeamSettings.ReadWrite.AllRead and change all teams' settingsRequired in the integration between edloomio courses and Teams.
    TeamsTab.CreateCreate tabs in Microsoft Teams.Required to create a edloomio tab in the Teams created from edloomio courses.
    User.Read.AllRead all users' full profilesRequired for SSO and to sync user information between Microsoft 365 and edloomio.
    Delegated PermissionsCalendars.ReadWriteHave full access to user calendarsRequired for calendar event sync.
    Files.ReadWrite.AllHave full access to all files user can accessRequired for the Microsoft 365 repository to access, download, and upload files to OneDrive.
    Group.ReadWrite.AllRead and write all groupsRequired for course group integration.
    Notes.ReadWrite.AllRead and write all OneNote notebooks that user can accessRequired for the OneNote integration to create notebooks, sections, and pages for assignments.
    User.Read.AllRead all users' full profilesRequired for SSO and to sync user information between Microsoft 365 and edloomio.
    openidSign users inRequired for Teams SSO.
    offline_accessMaintain access to data you have given it access toRequired for Teams SSO.
    emailView users' email addressRequired for Teams SSO.
    profileView users' basic profileRequired for Teams SSO.

    Feature auth_oidc configuration - part 2

    1. Navigate to the OpenID Connect authentication plugin's settings page (Admin Menu> Integrations> Office 365)
    2. Enter the Application ID value you noted earlier from Azure into the Application ID box on the screen.
    3. Enter the Key value you noted earlier from Azure into the "Key" box on the screen.
    4. Click "Save changes" at the bottom of the screen.

    Plugin local_o365 configuration

    1. Navigate to Admin Menu> Integrations> Office 365
    2. Complete each of the steps as follows:
    3. Choose connection method
      1. Choose the method you want to use to connect to Microsoft 365. 
      2. Click Save changes
    4. Admin consent & additional information
      1. Admin consent: Every time you change a Requires admin permission in Azure, you will need an administrator to provide consent to use the permission. Clicking the Provide admin consent button will take you to a log in screen on Microsoft 365. An administrator will have to log in, and then will be given the option to approve the new permissions.
      2. Azure AD Tenant: This is the domain name that identifies your Microsoft 365 subscription, for example "contoso.onmicrosoft.com". If you know it, enter it in this box, if not, click the "Detect" button to attempt to detect the correct value.
      3. OneDrive for Business URL: This is the URL that your users use to access OneDrive for Business. This can usually be determined from your AzureAD tenant, for example, if your tenant is "contoso.onmicrosoft.com", your OneDrive for Business URL is "contoso-my.sharepoint.com." If you know the URL, enter it here, otherwise click "Detect" to attempt to detect the correct value. Only enter the domain name, do not include "http://", "www." or any trailing slashes. For example "contoso-my.sharepoint.com", not "https://contoso-my.sharepoint.com/"
      4. Click Save changes.
    5. Verify Setup
      1. This tool verifies that Azure has been correctly set up. Click the "Update" button to check setup.
      2. If the tool reports any missing permissions, return to Azure and ensure that all required permissions have been added to your configured application for edloomio.

    Connecting users to Microsoft 365

    To use any Office 365 features, a edloomio user must be connected to a Microsoft 365 user that has an active Microsoft 365 subscription. There are two ways to connect a edloomio user to a Microsoft 365 user.

    Switch the user to use OpenID Connect authentication.

    With this method, the user will log in to edloomio using their Microsoft 365 account credentials.

    Link a edloomio user to a Microsoft 365 user.

    Users in edloomio can also be linked to Microsoft 365 users without changing the edloomio user's authentication method. Users will be able to log in as they always have, and still use all the Microsoft 365 features.

    1. Ensure the Microsoft block has been added to a page in edloomio (for example, the edloomio dashboard).
    2. As the user to link to Microsoft 365, visit a page that has the Microsoft block visible.
    3. Click the Connect to Microsoft 365 link in the Microsoft block.
    4. You will be brought to the Microsoft 365 / edloomio Control Panel.
    5. There will be a "Connection Status" indicator box on the right side of the screen, click the "Click here to connect" link.
    6. You will be brought to the AzureAD authentication screen. Log in with the Microsoft 365 user's credentials you'd like to connect to the edloomio user you are logged in as.
    7. If login was successful, you will be brought back to the Microsoft 365 / edloomio Control Panel page, where the Microsoft 365 connection indicator should now read Active.
    8. This user is now connected to the Microsoft 365 user.

    Microsoft 365 Integration Configuration

    This section is about how to configuration the integration between edloomio and Microsoft 365 services. All these settings are available to edloomio site administrators at Admin Menu> Integrations> Office 365.

    Sync Settings

    These features are accessible from the plugin's settings page (Admin Menu> Integrations> Office 365), in the Sync Settings tab.

    User Sync

    This option controls how users are synced from Azure AD to edloomio . If enabled, users from Azure AD can be automatically created and updated in edloomio . This feature can also suspend or delete users in edloomio when they are deleted from Azure AD, or attempt to automatically match edloomio users with users in the connected Azure AD.

    The main benefit of using this option, compared to having accounts created as users log in using OpenID Connect, is that you can manage and enrol users before they first log in, so everything is ready to go the first time they access edloomio.

    Notes:

    • The sync job runs in the edloomio cron.
    • By default, this runs once per day at 1:00 AM in the time zone local to your server.
    • To sync large sets of users more quickly, you can increase the frequency of the Sync users with Azure AD task using the Scheduled tasks management page. See Scheduled tasks.

    There are several options that affect user sync:

    • Create accounts in edloomio for users in Azure AD: This will create users in edloomio from each user in the linked Azure Active Directory. Only users which do not currently have edloomio accounts will have accounts created. New accounts will be set up to use their Microsoft 365 credentials to log in to edloomio (using the OpenID Connect authentication plugin), and will be able to use all the features of the Microsoft 365 plugin set.
    • Update all accounts in edloomio for users in Azure AD.
    • Suspend previously synced accounts in edloomio  when they are deleted from Azure AD.
    • Delete previously synced accounts in edloomio when they are deleted from Azure AD: This will delete users from edloomio if they are marked as deleted in Azure AD. The edloomio account will be deleted and all associated user information will be removed from edloomio. Be careful!
    • Re-enable suspended accounts for users in Azure AD: if the Microsoft 365 account connected to a suspended edloomio account is active, the edloomio account will be unsuspended.
    • Sync disabled status: all Microsoft 365 accounts marked as "disabled for login" will be suspended in edloomio.
    • Match preexisting edloomio users with same-named accounts in Azure AD: This will look at the each user in the linked Azure Active Directory and try to match them with a user in edloomio. This looks for matching usernames in Azure AD and edloomio. Matches are insensitive and ignore the Microsoft 365 tenant. For example, "BoB.SmiTh" in edloomio would match "bob.smith@example.onmicrosoft.com". Users who are matched will have their edloomio and Office accounts connected and will be able to use all Microsoft 365/edloomio integration features. The user's authentication method will not change unless the setting below is enabled.
    • Switch matched users to Microsoft 365 (OpenID Connect) authentication: This requires the "Match" setting above to be enabled. When a user is matched, enabling this setting will switch their authentication method to OpenID Connect. They will then log in to edloomio with their Microsoft 365 credentials. Note: Please ensure the OpenID Connect authentication plugin is enabled if you want to use this setting.
    • Assign users to application during sync: The sync will search all users in the linked Azure AD (other than those excluded by the User Creation Restriction, however not all users may be assigned to the edloomio application you created in Azure AD App Registration during early setup. This setting will assign any Azure AD users with a matching edloomio account to the Azure AD App for edloomio you created.
    • Sync Microsoft 365 profile photos to edloomio in cron job: User's photos in the edloomio profile will be updated with their image from their Azure AD profile - on user sync task run.
    • Sync Microsoft 365 profile photos to edloomio on login: User's photos in the edloomio profile will be updated with their image from their Azure AD profile - on login.
    • Sync Outlook timezone to edloomio in cronjob: User's timezone preference in Outlook will be synced to edloomio profile - on edloomio user sync task run.
    • Sync Outlook timezone to edloomio on login: User's timezone preference in Outlook will be synced to edloomio profile - on login.
    • Perform a full sync each run: By default user sync will only sync changes from Azure AD. Checking this option will force a full user sync each time.
    • Match Azure usernames to edloomio emails instead of edloomio usernames during the sync: Enabling this option will match Azure usernames to edloomio emails instead of the default behaviour which is Azure usernames to edloomio usernames.
    • Sync guest users: If enabled, guest users in the hosting tenant - which are originated from other tenants and added to the hosting tenants as guests - can SSO login.

    User Creation Restriction

    During user sync, by default, all users from Azure AD will be created in edloomio. This setting allows you to set a required field and value that a user must have in Azure to have an account created in edloomio. For example, if you wanted to only have users from the "IT" department syncing into edloomio, you would choose the "Department" field, and enter "IT".

    User Field Mapping

    This feature has been moved to the configuration page of the auth_oidc plugin.

    Course Sync

    Course Sync features

    The course sync feature is capable of creating Teams for edloomio courses, and sync edloomio course enrolments to the connected Teams. The Teams sync option allows a great deal of customization. An administrator can choose to create Teams for all courses, enable it on new courses only, or manually select the courses for which the sync need to be enabled.

    Once enabled, the "Sync edloomio courses to Microsoft Teams" (\local_o365\task\coursesync) scheduled task will try to:

    • Create a group for any course without a connected group.
    • Sync existing enrolled users in the course to Teams according to capability checks.
    • If the tenant has education license, set education specific attribute in the group in order to support Teams Classes LTI integration.
    • Create a Team from the course, providing a suitable Team owner can be found. For tenants with education license, these will be class Teams; for others, these will be standard Teams.
    • If the a custom edloomio Teams app has been uploaded for the organisation following instructions below, the edloomio Teams app will be installed in the new Team, and a edloomio tab will be created in the general channel, pointing back to the connected edloomio course.

    All subsequent enrolment / role assignment changes in edloomio courses will also be synced to connected Teams.

    Teams vs Groups

    Microsoft Teams share the same base with Microsoft 365 groups in many ways, notably they share the same GUID, and Teams ownership/membership are the same as group ownership/membership.

    edloomio site admins have the option to enable course sync to "group only" or "Teams", and the option to sync to standard Teams or class Teams.


    Support for Teams Classes LTI

    From the 3.10.6 and 3.11.3 release, Teams created for courses in tenants with education license will have extra education specific attributes stamped in the underlaying group, which allows the Teams Classes LTI feature to be used in edloomio. The feature allows the Team to be embedded as an external tool in the edloomio course using the mod_lti plugin.

    Note that Teams that are connected to edloomio courses in education tenants but were created before the release will also get the education specific attributes stamped as part of the upgrade, so they can make use of the Teams Classes LTI feature too.

    Which users are synced to Teams

    When syncing users from edloomio courses to Teams, only edloomio users who are connected to Microsoft 365 users according to edloomio records are synced. Such records can be created in 4 ways:

    • Automatically created in "Sync users with Azure AD" (\local_o365\task\usersync) scheduled task run, if user sync is configured.
    • Automatically created when a user logs in using auth_oidc.
    • Manually created by user themselves by using the user connection feature in the block_microsoft plugin.
    • Manually created by site administrators using the "User Matching" advanced feature.
    Teams owner vs Teams member

    When syncing users from edloomio courses to Teams, capabilities are used to determine whether a edloomio user is added to the Team as an owner or member:

    • edloomio users with "Team owner" (local/o365:teamowner) capability are added as Team owners. By default the teacher role has this capability.
    • edloomio users with "Team member" (local/o365:teammember) capability are added as Team members. By default the student role has this capability.

    A edloomio user enrolled in the course but don't have any of the two capabilities are not synced to connected Teams.

    Course Sync configurations

    • Course sync: This allows site admins to turn the course sync feature on and off. There are three options:
      • Disabled.
      • Customize: This flexible option allows site admins to choose the course on which course sync is enabled. Optionally, it's also possible to allow configuring course sync per course by authorised users, or to enable course sync by default on new courses.
      • All features enabled.
    • Delete Microsoft 365 groups when connected edloomio course is deleted: If enabled, when a edloomio course that's connected to Teams is deleted, the integration will try to delete the connected Team.
    • Delete Microsoft 365 Groups when course sync is disabled: If enabled, when sync is disabled on a edloomio course that's connected to Teams, the integration will try to delete the connected Teams.
    • Courses to sync per task run: This allows site admins to control the number of courses to process in a course sync task run. This is to prevent the course sync task to take too long to finish therefore blocking other tasks in edloomio cronjob. If 0 is configured, the default value of 20 is used.
    • Team / group names
      • Teams name prefixCourse part of the Teams name, and Teams name suffix allow site admins to customise the naming convention of the Teams created from edloomio courses. Note that the options for the Course part of the Teams name setting are:
        • Full name
        • Short name
        • edloomio created ID
        • ID number
      • Group mail alias prefixCourse part of the group mail alias, and Group mail alias suffix allow site admins to customise the naming convention of the groups created from edloomio courses.
      • Update Teams name on course update: If enabled, the integration will try to update the name of the connected Team if the settings of the connected edloomio course is updated.

    Advanced settings

    Administrator Tools

    • Tenants: This tool allows you to add additional Microsoft 365 tenants to be used with edloomio. Users from additional tenants can log-in to edloomio using their Microsoft 365 account, and use features like calendar sync and the OneDrive repository.
    • Health check: If you are experiencing problems with any Microsoft 365 / edloomio features, click the Health Check link to run tests on your system and look for potential problems.
    • Connections: This tool allows administrators to see and manage the connections between their edloomio users and Microsoft 365 accounts. Each user in the system is listed alongside the Microsoft 365 username the user is connected to, if any. Administrators can choose to manually connect or disconnect each user.
    • User Matching: This tool allows administrators to manually match edloomio and Microsoft 365 users using a CSV file. Administrators can upload a CSV file containing, on each line, a edloomio username, and Microsoft 365 username, and a 1 or 0 indicating whether to enable Microsoft 365 login for that user. Once uploaded, the file is processed in batches during the edloomio cron. The tool page will display the progress of this process.
    • Maintenance Tools: These tools perform maintenance tasks that can help solve problems which may crop up from time to time. Generally, users should not need these tools unless they encounter the specific situation these tools are designed to solve.
      • Resync users in groups for courses: Course group membership is kept up-to-date as users are enrolled and un-enrolled from courses in edloomio . If this membership gets out-of-date for whatever reason, this tool will force a resync of group membership.
      • Recreate deleted Microsoft 365 groups: Course groups are created from edloomio courses when using the course group feature. If a group is manually deleted from the Microsoft 365 administrator panel, this tool will recreate it.
      • Generate debug data package: This tool will generate a package of information that can be sent to the plugin suite maintainers to help debug problems in environment and setup. While no API keys are present, this information does contain a lot about your environment and setup, so please be careful about whom you send this information to.
      • Cleanup OpenID Connect Tokens: If your users are experiencing problems logging in using their Microsoft 365 account, trying cleaning up OpenID Connect tokens. This removes stray and incomplete tokens that can cause errors. WARNING: This may interrupt logins in-process, so it's best to do this during downtime.
      • Cleanup User Sync Delta Tokens: If user synchronisation is not fully working after updating it user sync settings, it may be caused by an old delta sync token. Cleaning up the token will remove force a complete re-sync the next time when the user sync is run.

    Other advanced settings

    • Reset Team name prefix: When a edloomio course is reset, the name of the Team connected to the course can be updated to reflect the fact that the Team may not be connected any more.
    • Reset group name prefix: When a edloomio course is reset, the name of the group connected to the course can be updated to reflect the fact that the group may not be connected any more.
    • Microsoft 365 for China: Microsoft 365 in China differs slightly in some technical aspects. If you are using Microsoft 365 for China, select this box to ensure everything will work properly.
    • Record debug messages: If you experience problems using any Microsoft 365 features in edloomio , enable this setting. Once enabled, errors will be recorded to the edloomio log for review. These errors can help you or the plugin developers debug and fix the problem. The error log can be viewed by navigating to Site Administration > Reports > Logs, changing the "All activities" select box to "Site errors", and clicking "Get these logs".
    • Minimum inexact username length to switch to Microsoft 365: When using automatic user matching, this setting can be used to exclude accounts with short names. The intended use of this is to avoid matching generic accounts like "admin". This setting is the minimum length of a username required for automatic matching to match users.
    • Profile photo refresh time: Profile photo syncing can be a resource-intensive process, so this setting allows you to set a minimum time between profile photo refresh runs.
    • Custom theme (Advanced): This allows you to choose the theme to use in when accessing edloomio pages from the edloomio Teams tab.

    Legacy settings

    These features are deprecated and is likely to be removed in a future version.

    School Data Sync (SDS)

    The SDS feature of the plugin has the following functionalities:

    • Sync teacher / student profile field from a selected SDS school.
    • Sync classes from multiple SDS schools, and create edloomio courses from the classes.
    • Sync class owners and members to edloomio courses as teachers and students according to the configured roles.
    • Sync user enrolments and role changes in edloomio back to the connected SDS classes.


    The functionalities above were tested using SDS V2.1, you can get sample files here: https://github.com/OfficeDev/O365-EDU-Tools/tree/master/CSV%20Samples/SDS%20v2.1

    Settings

    The settings applicable to the SDS feature are:

    • Create Courses: Allow selecting the schools available in the Azure tenant which need to be synced for course creation. Multiple schools can be selected. For each school selected, a new top-level course category will be created, and each class in the school will be created as a course in the category.
    • Teams creation enabled: This controls if edloomio courses created from syncing SDS classes are automatically connected to the Microsoft Team of the SDS class. This should be enabled only if Teams are automatically created from the SDS classes.
    • Enrol users: Enrol SDS class teachers and members into edloomio courses created from the classes.
    • Advanced enrolments sync with SDS classes: Control whether to sync SDS class role changes to edloomio, and whether to sync edloomio course enrolment / role changes back to SDS class.
    • Teacher role and Member role: Control the default teacher and student roles to assign in edloomio courses for SDS class owners and members.
    • Sync profile data from school: Control the SDS school from which teacher and student profiles are synced from. If a school is selected, the teacher / student profile fields are available to match in auth_oidc profile field mapping settings.

    Sync triggers

    • Course and SDS user profile sync is triggered by the Sync with SDS (\local_o365\feature\sds\task\sync) scheduled task. Note this includes the sync of SDS teacher and student profile field, which is configured in auth_oidc.
    • Sync from edloomio to SDS (e.g. course enrolments and role changes to SDS class) are triggered by edloomio observer functions, thus don't require scheduled task runs. Note there is normally a delay of up to 1 minute on Microsoft end to see such changes.

    Teams Settings

    This section allows configuration edloomio and Microsoft Teams integration. When fully configured, the integration will

    • Automatically create Teams for edloomio courses configured to be synced.
    • Automatically sync edloomio course users to Teams.
    • Automatically create a edloomio tab in the general channel of the created Team, linking to the edloomio course page.
    • Allow users to use edloomio courses right from Teams.
    • Allow users to ask questions about their courses, assignments, grades and students from Teams using edloomio assistance bot.
    • Forward all edloomio notifications to users to Teams.

    Some features can be disabled if needed.

    Prerequisite

    1. OpenID Connect Authentication plugin is enabled and configured.
    2. Allow frame embedding is enabled in HTTP security section of site configuration.
      1. Login to the site as site administrator.
      2. Go to "Site administration", then in the "Site administration" tab, go to "HTTP security" in "Security" section.
      3. Find Allow frame embedding setting and make sure it's enabled.
      4. Save changes.
    3. Web services are enabled on the site.
      1. Login to the site as site administrator.
      2. Go to "Site administration", then in the "Site administration" tab, go to "Advanced features".
      3. Find Enable web services setting and make sure it's enabled.
      4. Save changes.
    4. edloomio Microsoft 365 Webservices are enabled.
      1. Login to the site as site administrator.
      2. Go to "Site administration", then in the "Plugins" tab, go to "External services" in "Web services" section.
      3. From the list of web services in the "External service" part in "Built-in services" section, find edloomio Microsoft 365 Webservices.
      4. If the web services is disabled, i.e. greyed out, go to its settings and enable it.
    5. Give Authenticated user role permission to create web service token.
      1. Login to the site as site administrator.
      2. Go to "Site administration", then in the "Users" tab, go to "Define roles" in "Permissions" section.
      3. In the "Manage roles" tab, from the list of roles, find "Authenticated user" role, and click the edit icon for the role.
      4. From the list of permissions, find "Create a web service token", i.e. edloomio/webservice:createtoken, and set it to allow.
      5. Save changes.
    6. Before you can test the messaging bot, you need to be sure that the MS Teams account has a user created in edloomio (user should have the same username as your teams user email address and edloomio user authentication type should be oidc) and you must have accessed edloomio at least once with that account.

    Register Application in Azure (for the bot)

    Note this is different from the application registered above to allow user login integration and doesn't require any extra API permissions.

    1. Sign in to the Microsoft Azure Management Portal.
    2. Click on the Azure Active Directory link from Azure services section, then App Registrations from the Manage section on the left.
    3. Click New application on the top menu.
    4. Enter a name for your application (can be anything you want, but should let you know this is for bot services).
    5. Choose "Accounts in any organizational directory (Any Azure AD directory - Multitenant)" option in Supported account types section (multitenant application is required).
    6. Click Register button to finish registration.
    7. You should be redirected to the settings page of the newly registered app; if not, find the app from the list of apps, and go to the settings page by clicking on its name.
    8. Note the Application (client) ID of the app, which will be used in plugin configuration in edloomio.
    9. From the Manage section on the left of the page, go to Certificates & Secrets, and create a new client secret by clicking the New client secret button. Note the secret which will be used in plugin configuration in edloomio.
    10. In Teams Settings tab of Microsoft 365 Integration configuration in edloomio, fill in the Application (client) ID and the client secret in Application ID and Client Secret settings respectively.
    11. Save changes.

    Update authentication application settings in Azure

    When performing Step 1/3: Register edloomio with Azure AD in the Setup tab of Microsoft 365 Integration configuration, the PowerShell script downloaded from edloomio was used, you can skip this section. If you followed manual steps, or the application registration was completed before, you will need to follow these steps.

    1. Sign in to the Microsoft Azure Management Portal.
    2. Click on the Azure Active Directory link from Azure services section, then App Registrations from Manage section on the left.
    3. Click the app created for edloomio. Note this is not the app for edloomio Teams integration, but the one used for authentication. You may need to show All applications if the app wasn't created by your account.
    4. Go to the settings of the application by clicking its name.
    5. In the Manage section on the left of the page, go to Authentication.
    6. In the list of Redirect URIs, add the following entry, in type Web:
      1. https://your.edloomio.url/local/o365/sso_end.php
    7. If bot feature is to be enabled, also add the following entry, in type Web:
      1. https://token.botframework.com/.auth/web/redirect
    8. Save changes.

    Bot configuration

    This section is only required if you want to enable bot features in the configuration. If bot feature is not required, please skip.

    Bot deployment

    1. Go back to Teams Settings section of Microsoft 365 Integration configuration in edloomio as site administrator.
    2. Make sure Application ID and Client secret are configured and saved.
    3. Click Deploy to Azure button. This will start the process of bot deployment in Azure Portal in a popup window.
    4. Configure the following in the Custom deployment window:
      1. Choose your Subscription.
      2. Choose your Resource group. you may need to create a new one.
      3. Choose your Location.
      4. LUIS Pricing Tier - LUIS pricing tiers are explained here. The free tier should be able to get you started.
      5. LUIS Region - Region where the LUIS resource will be deployed.
      6. Bot Application ID - the application ID of the edloomio Teams integration application, which is the same as Application ID in Teams Settings tab of Microsoft 365 Integration configuration.
      7. Bot Application Password - the client secret of the edloomio Teams integration application, which is the same as Client Secret in Teams Settings tab of Microsoft 365 Integration configuration.
      8. edloomio URL'.
      9. Azure AD Application ID - The Application ID saved in the Setup tab of Microsoft 365 Integration configuration.
      10. Azure AD Application Key - The Application Key saved in the Setup tab of Microsoft 365 Integration configuration.
      11. Azure AD Tenant - The tenant name (xyz.onmicrosoft.com) of your Azure AD tenant.
      12. Shared edloomio Secret - Paste the Shared edloomio Secret setting of in the Teams Settings tab of Microsoft 365 Integration configuration.

    Once all configured, agree the terms and conditions, and click Purchase. This will start the bot deployment, which can take a few minutes to finish.

    Post deployment configuration

    After bot deployment is finished:

    1. Sign in to the Microsoft Azure Management Portal.
    2. In the Navigation section of the page, go to Resource groups.
    3. From the list of resource groups, select the one in which the bot was created and deployed.
    4. One of the resources in the group should be in type Web App Bot. Click its name to go to settings.
    5. Copy the Messaging endpoint of the resource (e.g. https://provisioned-bot-name.azurewebsites.net/api/messages), rename messages to webhook (Ex: https://provisioned-bot-name.azurewebsites.net/api/webook)
    6. Paste this endpoint to the Bot webhook end point field in Teams Settings tab of Microsoft 365 Integration configuration page.
    7. Check Bot feature enabled box in Teams Settings tab of Microsoft 365 Integration configuration page.
    8. Save changes.

    Add edloomio app to Teams

    Once all configured, you are ready to add edloomio app to Teams.

    1. Go to Teams Settings tab of Microsoft 365 Integration configuration page.
    2. Click Download manifest file button. This will download a manifest file (in .zip format) which contains the edloomio app.
    3. Follow these instructions to upload the app to the app catalog of your tenant.
    4. Once the app is uploaded to the catalog of your tenant, it can be used in any Teams in the tenant.

    Teams edloomio app settings

    After downloading the manifest file of edloomio app, a new tab Teams edloomio app will be made available in Microsoft 365 Integration configuration page, which contains a single setting to configure the app ID of the edloomio app uploaded to Teams. This is optional but recommended. If configured, all new Teams created by edloomio course sync will:

    • automatically install the edloomio app,
    • automatically create a edloomio tab in the General channel.
    • automatically configure the edloomio tab to point to the edloomio course that's related to the Team.

    From the 3.10.6 and 3.11.3 release of the plugins in April, 2022, the edloomio App ID should be automatically detected as soon as the edloomio Teams app is uploaded to the organisation catalog in Teams.

    OpenID Connect Authentication Plugin

    Basic Usage

    Once configured, you should see a link named "OpenID Connect" on the edloomio login page. Clicking this link will redirect the browser to the identity provider. Users will log in there, and will be redirected back to edloomio. If they have logged in to edloomio using OpenID Connect before, they will be logged in to their existing edloomio account. If they have not logged in to edloomio with OpenID Connect before, an account will be created for them.

    Note: If the "Prevent account creation when authenticating" setting is enabled in edloomio, new accounts will not be created.

    Settings

    There are a number of options you can use to customize how the plugin behaves. To configure the plugin, visit the plugin's settings page. (Admin Menu> Integrations> Office 365> OpenID Connect setting page)

    • Provider Name: The name entered here will be used through the OpenID Connect plugin and the Microsoft 365 plugins to refer to the system used to log users in. For example, if your users are used to calling their Azure AD account their "School" account, you enter "School account" here, and all references to authentication will be "Log in with your School account".
    • Auto-Append: When using the "Username/Password" login flow, this setting with automatically append a given string to an entered username. This is useful in Azure AD usernames, where a single domain name is often used for every user - i.e. [user]@contoso.onmicrosoft.com. Users would normally have to enter this entire username to successfully log in to edloomio, but in this example, entering "@contoso.onmicrosoft.com" here means users would only have to enter their unique username, i.e. "bob.smith", instead of "bob.smith@contoso.onmicrosoft.com".
    • Domain Hint: If users have several different Azure AD accounts with different tenants (i.e. @contoso.onmicrosoft.com, @example.onmicrosoft.com), but edloomio only uses one of these tenants, you can enter that tenant in this box to have the Azure AD login screen only ever suggest accounts from that tenant.
    • Login Flow: This setting changes how users log in to edloomio using the plugin. You can redirect users to the OpenID Connect provider's login page, or have users enter their credentials directly into edloomio. See the "Login Flows" section below for further information.
    • User Restrictions: This setting allows you to restrict the users that can log in to edloomio using OpenID Connect (Azure AD). Once you've entered at least one user restriction, users logging in to edloomio must match at least one entered pattern.
    • Single sign off and Logout Endpoint: If Single sign off is enabled, when a edloomio user connected to Microsoft 365 account (regardless of authentication type) logs out of edloomio, edloomio will trigger a request to the Logout Endpoint. The Logout Endpoint can be the default Microsoft 365 common logout endpoint, or the tenant specific version of it, or it can be a custom page achieving the same result.
    • Record debug messages: If you experience problems using OpenID Connect, enable this setting. Once enabled, errors will be recorded to the edloomio log for review. These errors can help you or the plugin developers debug and fix the problem. The error log can be viewed by navigating to Site Administration > Reports > Logs, changing the "All activities" select box to "Site errors", and clicking "Get these logs".
    • Custom Icon: This setting allows you to choose from a selection of predefined icons to appear next to the identity provider link on the login page. You can also upload your own icon.
    1. Visit the plugin settings page (Site Administration > Plugins > Authentication > OpenID Connect)
    2. Locate the "Icon" section of the settings page.
    3. There are several predefined icons to choose from, clicking an icon will use that icon on the login page.
    4. To use a custom icon, use the file picker below the "Icon" setting.
      1. This image will not be resized on the login page, so we recommend uploading an image no bigger than 35x35 pixels.
      2. If you have uploaded a custom icon and want to go back to one of the stock icons, click the custom icon in the file picker and click "Delete", then "OK", then "Save Changes" at the bottom of the settings page. The selected stock icon will now appear on the edloomio login page.
    • Data mapping: This section allows edloomio site administrators to configure profile field mapping from Microsoft 365 to edloomio. See user field mapping section below.

    User field mapping

    The Data mapping section allows edloomio site administrators to configure profile field mapping from Microsoft 365 to edloomio.

    The section contains 3 settings for each edloomio profile field available to be synced. Both basic edloomio profile fields and custom fields are available. The three settings are:

    • Data mapping (field name): This allows site administrators to select from the available remote fields in Microsoft 365 to sync data from. The available options depend on various other settings.
      • The most basic fields are those available in user ID token. These are available for auth_oidc configured to connect all OpenID Connect IdPs
      • If the auth_oidc plugin is configured to connect Azure AD IdP, and local_o365 is installed and configured, additional profile fields available in Graph API calls are available to choose from.
      • If SDS user sync is configured, additional SDS user fields for teachers and students are available to choose from.
    • Update local (field name): This allows configuring when the profile field is synced.
    • Lock value (field name): This controls whether to lock the profile field for local edit by non-admin users.

    How to use user restrictions

    1. Enter a regular expression pattern that matches the usernames of users you want to allow.
    2. Enter one pattern per line
    3. If you enter multiple patterns a user will be allowed if they match ANY of the patterns.
    4. The character "/" should be escaped with "\".
    5. If you don't enter any restrictions above, all users that can log in to the OpenID Connect provider will be accepted by edloomio.
    6. Any user that does not match any entered pattern(s) will be prevented from logging in using OpenID Connect.

    Login flows

    Plugin auth_oidc supports two different methods for users to log in: Authorization Request and Username/Password Authentication

    Authorization Request

    This flow redirects the user to Microsoft 365 to log in and are then brought back to edloomio logged in.

    Using this flow:

    1. The user clicks the name of the identity provider (What you entered in the "Provider Name" box at the top of the settings page.) on the edloomio login page.
    2. The user is redirected to Microsoft 365 to log in.
    3. Once successfully logged in, the user is redirected back to edloomio where the edloomio login takes place transparently.

    Username/Password Authentication

    This login flow works like a classic username and password, except the user uses their Microsoft 365 account information.

    Using this flow:

    1. The user enters their Microsoft 365 username and password directly into the edloomio login form.
    2. Their credentials are securely sent to Microsoft 365 for verification.
    3. If the credentials are verified, the user is logged in to edloomio.

    Switching existing edloomio users to use Microsoft 365 to log in

    If a user logs in to edloomio using OpenID Connect but does not have a edloomio account, one will be created for them. However, existing edloomio users can be migrated to use OpenID Connect and provide a connection to Microsoft 365.

    1. Ensure the Microsoft block has been added to a page in edloomio(for example, the edloomio dashboard).
    2. Log in as the user to be migrated, visit a page that has the Microsoft block visible.
    3. Click the Connect to Microsoft 365 link in the Microsoft block.
    4. You will be brought to the Microsoft 365 / edloomio Control Panel.
    5. Click the Microsoft 365 Login link under Microsoft 365 Features'
    6. Click the "Start using Microsoft 365 to log in to edloomio." link.
    7. You will be redirected to Microsoft 365 to log in. Log in with the account you'd like to link to the edloomio account you're using.
      1. NOTE: If you're already logged in to Microsoft 365, you will not have to enter your credentials on the Microsoft 365 login page. This Microsoft 365 account will be linked to the edloomio account. Ensure you are logged in to the correct account, or log out of Microsoft 365 first to show the Microsoft 365 login screen.
    8. The edloomio account will now use Microsoft 365 to log in. The previous login method will not work.
    9. The edloomio user can now use any of the Microsoft 365 features in edloomio.

    Connecting existing edloomio users to Microsoft 365 without changing login method

    1. Ensure the Microsoft block has been added to a page in edloomio(for example, the edloomio dashboard).
    2. Log in as the user to be migrated, visit a page that has the Microsoft block visible.
    3. Click the Connect to Microsoft 365 link in the Microsoft block.
    4. You will be brought to the Microsoft 365 / edloomio Control Panel.
    5. There will be a "Connection Status" indicator box on the right side of the screen, click the "Click here to connect" link.
    6. You will be brought to the AzureAD authentication screen. Log in with the Microsoft 365 user's credentials you'd like to connect to the edloomio user you are logged in as.
      1. NOTE: If you're already logged in to Microsoft 365, you will not have to enter your credentials on the Microsoft 365 login page. This Microsoft 365 account will be linked to the edloomio account. Ensure you are logged in to the correct account, or log out of Microsoft 365 first to show the Microsoft 365 login screen.
    7. If login was successful, you will be brought back to the Microsoft 365 / edloomio Control Panel page, where the Microsoft 365 connection indicator should now read Active.
    8. The edloomio account is now linked to the Microsoft 365 account and can use Microsoft 365 features as that user.
    9. The edloomio user's login method will not change, the user will log in to edloomio as they always have.

    OneDrive for Business Repository

    The OneDrive for Business repository allows users using the Microsoft 365 integration plugins to connect to their OneDrive for Business as a edloomio repository.

    Downloading and linking files

    1. When using a filepicker anywhere in edloomio, you'll see a list of repositories on the left side of the popup. Look for and click on "OneDrive for Business".
    2. You'll see two folders - "My Files" and "Courses". Click the folder for the document library you want to access.
      1. My Files contains all documents in your personal OneDrive for Business
      2. Courses will list all edloomio course shared document libraries that you have access to. If you want to download files from one of these, you'll click "Courses", then click the folder for the course you want to access.
    3. You will now see a list of all the files and folders in your OneDrive.
    4. Click the file you want to download into edloomio.
    5. Choose to "Make a copy of the file", or "Create an alias/shortcut to the file."
      1. If you want to download a copy of the file as it is now, choose "Make a cope of the file". This will copy the file into edloomio, and will then use the local edloomio copy when the file is accessed from within edloomio. Any changes to the file in OneDrive will not be seen in edloomio.
      2. If you want to link a file choose "Create an alias/shortcut to the file". This will create a link in edloomio to the file in OneDrive, and the file will be accessed from OneDrive directly. Any changes to the file in OneDrive will be seen when accessing the file from edloomio.
    6. You can change other file information like the filename or author name using the respective text fields. This information is only applicable to the edloomio side of the file, and will not transfer to OneDrive.
    7. Click "Select this file".

    Uploading files

    You can upload files into both your personal OneDrive for Business document library and a course SharePoint document library from the filepicker interface.

    1. When accessing a OneDrive document library from a file picker, you will see an "Upload New File" item in the list of files and folders.
    2. Click the "Upload new file" item.
    3. Choose the file you want to upload and click "Upload this file".
    4. The file will be uploaded to OneDrive and selected for the file picker.

    Embedding Office documents

    This repository allows users to embed Office documents from OneDrive into a course and have the live version viewable using Office web apps.

    1. Start as a user connected to Microsoft 365 and who has access to modify a course.
    2. Turn on editing for the course and choose "Add an activity or resource" for the section of the course you want to add the document.
    3. Choose the "File" resource to add to the course.
    4. In the "Content" section of the file resource settings page, click the "Add" button in the filepicker
    5. Choose the "OneDrive for Business" repository and choose your Office document.
    6. When you select a file, make sure "Create an alias/shortcut to the file" is selected, the click "Select this file"
    7. Expand the "Appearance" section, and choose "Embed" for the "Display" select box.
    8. Click "Save and display"
    9. You should see the file embedded into the page.

    OneNote

    OneNote is now available through Microsoft 365. If you have installed all the plugins (for example, by installing [1]) then you already have the OneNote plugins installed. To access OneNote using your Microsoft 365 subscription, add OneNote to the list of applications in your Azure application. This is done the same way you configured Azure permissions, above. Note that OneNote is still in preview, and may not be available to everyone yet. If you don't see OneNote in the list of applications to add to your Azure application, you can try logging in to a desktop OneNote application using an administrator account in your Microsoft 365 tenant. This sometimes expedites to the process of adding the OneNote preview to your tenant.

    Notes on release

    edloomio and Teams SSO integration

    The new releases is capable of getting a user token from either Teams desktop/mobile app or Teams web app, and attempt to log in as the user in the edloomio Teams tab. In order for it to work, changes in 3 sections are required.

    Update Azure app settings

    1. Sign in to the Microsoft Azure Management Portal.
    2. Click on the Azure Active Directory link from Azure services section, then App Registrations from Manage section on the left.
    3. Locate the app used for edloomio and Microsoft 365 integration, and click its name.
    4. Under Manage, select Expose an API.
    5. Select the "Set" link to generate the Application ID URI in the form of api://{AppID}. Insert your fully qualified domain name (with a forward slash "/" appended to the end) between the double forward slashes and the GUID. The entire ID should have the form of: api://fully-qualified-domain-name.com/{AppID}. e.g. api://URL.TO.EDLOOMIO/00000000-0000-0000-0000-000000000000.
    6. If you get errors when selecting the "Set" link, it may be because the Supported account types setting of your app is set to a value rather than the one with "single tenant". Try updating this value to get it working.
    7. Select the "Add a scope" button. In the panel that opens:
      1. enter "access_as_user" as the "Scope name".
      2. Set "Who can consent?" to "Admins and users".
      3. Set "Admin consent title" to be "Teams can access the user’s profile".
      4. Set "Admin consent description" to be "Allows Teams to call the app’s web APIs as the current user".
      5. Set "User consent title" to be "Teams can access the user profile and make requests on the user's behalf".
      6. Set "User consent description" to be "Enable Teams to call this app’s APIs with the same rights as the user".
      7. Ensure that "State" is set to "Enabled".
      8. Select the "Add scope" button to save.
    8. In the Authorized client applications section, identify the applications that you want to authorize for your app’s web application. Select Add a client application. Enter each of the following client IDs and select the authorized scope you created in the previous step:
      1. 1fec8e78-bce4-4aaf-ab1b-5451cc387264 (Teams mobile/desktop application)
      2. 5e3ce6c0-2b1f-4285-8d4b-75ee78787346 (Teams web application)
    9. Under Manage then API permissions, ensure the following permissions are added under "Microsoft Graph" > "Delegated permissions":
      1. User.Read (enabled by default)
      2. email
      3. offline_access
      4. OpenId
      5. profile
    10. Under Manage then Authentication, ensure the following boxes are checked for "implicit grant":
      1. ID Token
      2. Access Token.

    Download updated manifest file

    1. Login to edloomio as site administrator.
    2. Go to "Microsoft 365 Integration" page in the site admin section.
    3. Go to "Teams Settings" tab.
    4. Verify settings on the page, note that two new settings are added in this release:
      1. Microsoft app ID for the edloomio Teams app: This is used in the "ID" field of Teams app manifest file, which is essentially a self generated app ID to identify itself. It should be set to the default value in most use cases, otherwise it may affect upgrading of the Teams app. The only scenario a custom value is to be set for this setting is when there are multiple edloomio sites in the organisation, and they all need to be integrated with Teams, thus each site will require a separate Teams app. If custom value is required, please use powershell or external tools to generate valid ones.
      2. Teams app name: This allows you to give a custom name, rather than the default "edloomio", to the edloomio Teams app created. It can be useful if you have multiple edloomio sites in your organisation, and each creating a separate edloomio app for Teams integration.
    5. Once settings are verified, save changes, go back to the tab, and click the "Download manifest file" button to download the new manifest file for the upgraded app.

    Update edloomio app in Teams

    1. As a tenant admin, go to Teams.
    2. Go to "Apps" page to manage apps.
    3. From the menu on the left, click on the link "Built for YOUR ORGANISATION". This should list all custom apps uploaded for your tenant.
    4. Locate the previous edloomio app, click the options button on the card for more options, and click "update". This should open a file picker.
    5. Select the new manifest file downloaded from edloomio.

    Note that as long as the Microsoft app ID for the edloomio Teams app setting is not changed, this should be recognised as an app upgrade, rather than uploading a new app. This means that the app will be kept in all existing Teams that have it installed, and all existing edloomio tabs will keep working.

    Single Sign Off

    When a Microsoft 365 authenticated user clicks the edloomio log out button, it is possible to log the user out from Microsoft 365 at the same time.

    In order for this to work, configuration changes in two places are required:

    edloomio settings change

    1. Sign in edloomio as site admin.
    2. Go to "OpenID Connect" settings page under Plugins - Authentication:
    3. Go to "Advanced" tab.
    4. Enable "Single sign off".
    5. Save changes.

    Azure app settings change

    1. Click on the Azure Active Directory link from Azure services section, then App Registrations from Manage section on the left.
    2. Locate the app used for edloomio and Microsoft 365 integration, and click its name.
    3. In the Manage section on the left of the page, go to Authentication.
    4. In the list of Redirect URIs, add the root URL of your edloomio site (wwwroot) as an entry.

    3.10.5 release

    3.9.83.10.5 and 3.11.2 release of the plugins on 07 December 2021 updated the implementation of SDS feature, and updated it to use Microsoft Graph APIs instead of legacy APIs. As a result, additional permissions are required for the feature to work properly.

    • If your edloomio site uses Application access connection method, you will need to add and grant EduRoster.Read.All (covered by EduRoster.ReadWrite.All in the next release) and Member.Read.Hidden application permissions.
    • If your edloomio site uses System API User connection method, you will need to add and grant EduRoster.ReadBasic delegated permission.


    Known issue: If you try to access "School data sync" tab without the changes above to the app, you will get this error message: "Error in API call: Required roles claim values are not provided."

    The drop of System API user connection method

    For any edloomio site currently using the System API user connection method to communicate with Microsoft services, edloomio site administrators will get the option to switch to the Application access connection method to continue using the integration when they visit the Microsoft 365 integration configuration page.

    Azure app permission changes

    Preferably the Azure app permission changes need to be applied BEFORE the plugins are upgraded.

    The following application permissions need to be added to the Azure app:

    • AppCatalog.Read.All
    • Channel.ReadBasic.All
    • EduRoster.ReadWrite.All
    • Team.Create
    • TeamMember.ReadWrite.All
    • TeamsAppInstallation.ReadWriteForTeam.All
    • TeamSettings.ReadWrite.All
    • TeamsTab.Create

    All delegated permissions can be removed from the Azure app, with the following exceptions:

    • Calendars.ReadWrite
    • Files.ReadWrite.All
    • Group.ReadWrite.All
    • Notes.ReadWrite.All
    • User.Read
    • openid
    • offline_access
    • email
    • profile


    Make sure admin consent is granted for the latest list of permissions in Azure portal after making permission changes.

    edloomio site admins need to go back to the Microsoft 365 integration configuration page in edloomio and click the "Provide admin consent" button to update the application tokens. Purge cache after it's done, and verify setup to ensure no permissions are missing.

    Multi-tenant SSO improvements

    Previously when an additional tenant is added to the multi-tenant feature, edloomio stores the initial domain name of the tenant, e.g. contoso.onmicrosoft.com, and check if an authenticated user has the domain name in its UPN. This isn't scalable enough because a tenant can have multiple verified domain names, and tenant users can have UPN with any of them, e.g. contoso.com. The improved implementation records the ID of the additional tenant, along with all its verified domain names. When determining if an authenticated user is from an additional domain, the tenant ID is used.

    In order to facilitate this change, site administrators of all edloomio sites that have existing multi-tenant configured need to migrate their additional tenant settings. This will require a site administrator goes to the Microsoft 365 integration configuration page > Advanced > Configure additional tenants, and follow the instructions on the page. They will need to login to Microsoft 365 as the admin of the additional tenant to finish the setup, similar to how multi-tenant was originally set up.

    Teams integration known limitations

    • If the edloomio site is not publicly accessible, e.g. on an intranet, edloomio tabs will not work in Teams desktop and mobile apps. They will only work in web apps from browsers.
    • It is a known issue that if a Microsoft 365 user has never login to edloomio ever, the first attempt of the user to SSO from Teams to edloomio will not work silently. Instead, the user will need to click a button from the prompt to login.

    Use your own email (SMTP settings)
    Use your own email address to send messages from edloomio. These are the SMTP settings.
    OAuth 2 SSO
    The edloomio L&D platform supports Oauth 2 SSO. In this article we discuss more about the required settings.
    OAuth 2 Microsoft service
    How to set up OAuth 2 Microsoft service
    OAuth 2 Google service
    How to set up OAuth 2 Google service
    Edloomio Settings (1)
    SMTP Settings
    SMTP enables you to enter your own custom email address which your academy will use to send emails to users.