
Feature request: Full integration with multiple tenants

Open B0ulbi opened this issue 3 years ago • 7 comments

Hello,

If I understood correctly, the "Manage access to additional Microsoft 365 tenants" function allows only authentication. I want to know if there is a way to connect 3 tenants to a single Moodle with a complete integration (Teams, user sync, calendar, etc.)? Thanks a lot,

B0ulbi avatar Oct 26 '21 10:10 B0ulbi

Hi!

We have the same doubt. Is there any way to enable moodle-auth_oidc for two or more Microsoft 365 tenants?

Thanks.

maikong avatar Oct 28 '21 18:10 maikong

Hello @weilai-irl, do you know a way to do the full integration for multiple tenants? Thank you

B0ulbi avatar Nov 04 '21 16:11 B0ulbi

Hi @B0ulbi,

You are absolutely right in understanding that the current multi-tenant feature is for authentication only, and doesn't support any other features such as user sync, course and Teams integration etc. I recall a discussion with the Microsoft Education team about two years ago about this, and the conclusion at the time was that it was way too complex, and there are so many ways this integration can be configured. The complexity of the logic, and the effort required to implement it, simply overwhelmed the potential value this can add to the integration.

Just to give you some ideas about how complex it will be, from the discussion:

  • In order to facilitate full integration with multiple tenants, an Azure app needs to be created in each tenant, and the Moodle plugins will need to maintain and handle multiple sets of app configurations. Just look at the amount of configuration for one Azure app; this will be multiplied by the number of tenants, and this itself can be a lot of work.
  • When it comes to course and teams integration, a user from one tenant cannot access a team created in a different tenant, therefore we either need to add all users from an additional team as guests of the host tenant (considering the guest user sync feature wasn't available when this was discussed), or we need to create separate teams in different tenants (this requires a team owner from each tenant, which is a condition that's normally not met).

With that said, although I believe this requirement may be technically feasible, I don't see this going ahead for any time soon.

Regards, Lai

weilai-irl avatar Nov 05 '21 22:11 weilai-irl

@weilai-irl I would like to get some clarification as to the current state of the project.

We have O365 configured with multiple tenants (Students - host, Staff - additional).

With this configuration and the discussion in this thread, if I enable the Teams feature, will the users in a course who are from the Staff tenant be enrolled in Teams, given that they are from a different tenant?

sam-suresh avatar Mar 06 '22 01:03 sam-suresh

Hi @sam-suresh,

I'm afraid this isn't the standard setup in which the Teams sync feature is expected to work, but there might be a chance to get it working using custom settings.

The standard setup would be that all users are from the root tenant, and if you need to separate users by roles, put them in different groups in the tenant. Teams sync would work perfectly in this configuration.

The multi-tenant feature in the plugins only supports basic SSO (login using auth_oidc) at the moment, and it will not keep the users from additional tenants in the local_o365_objects table, therefore it cannot sync them to Teams. The underlying reason this won't work is that each Team belongs to a tenant (the host tenant), and users from other tenants simply cannot access it.

With that said, there is one exception to this, which you can try - guest users. If a user A from tenant X is added as a guest to tenant Y, then user A can act as a normal user in tenant Y, and can be added to teams etc. This means that in theory the following would work:

  • Add users in your staff tenant as guests to your student tenant.
  • Configure user sync to allow guest users to login.
  • Disable the current additional tenant settings, so that teachers can log in as guest users from the host tenant. Note that normally this means the existing teacher accounts need to be deleted and re-created, but if you want to retain their data, you will need to migrate them manually.
  • Log in as the teacher users using their guest access, and ensure mapping records are created in the local_o365_objects table for them.
  • Ensure the enrolment records of the teachers are correct on their new accounts, and set up course sync.

This should work in theory, but I haven't tested it myself. Please give it a try and let me know how it goes.

Regards, Lai

weilai-irl avatar Mar 08 '22 11:03 weilai-irl
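The fourth step of the guest-user workaround above relies on every guest teacher having a mapping row in local_o365_objects before course sync runs. The following is an added pre-flight check, not code from the o365-moodle plugins: it builds an in-memory SQLite copy of the two tables with only the columns the check needs (the column names `auth`, `deleted`, `type`, `moodleid` and `o365name` are assumed to match the Moodle schema, and the `mdl_` prefix is assumed to be the default), loads constructed sample rows, and reports which oidc users have no mapping record, plus which mapped accounts are guests (guest UPNs in Microsoft 365 carry the `#EXT#` marker).

```python
import sqlite3

# Assumed minimal schema of the two Moodle tables involved in the check.
# Only the columns the query needs are modelled; the real tables have more.
SCHEMA = """
CREATE TABLE mdl_user (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    auth TEXT NOT NULL,
    deleted INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE mdl_local_o365_objects (
    id INTEGER PRIMARY KEY,
    type TEXT NOT NULL,        -- 'user', 'course', 'group', ...
    objectid TEXT NOT NULL,    -- Microsoft 365 object id (GUID)
    moodleid INTEGER NOT NULL, -- id in mdl_user for type = 'user'
    o365name TEXT              -- UPN for users; '#EXT#' marks a guest
);
"""

# Constructed sample data (not from any real site):
#   alice  - host-tenant member, mapped
#   bob    - logged in via oidc but has no mapping row (sync will skip him)
#   carol  - manual account, not relevant to the check
#   dave   - deleted oidc account, must be ignored
#   erin   - staff-tenant guest, mapped through her guest UPN
SAMPLE_USERS = [
    (1, "alice", "oidc", 0),
    (2, "bob", "oidc", 0),
    (3, "carol", "manual", 0),
    (4, "dave", "oidc", 1),
    (5, "erin", "oidc", 0),
]
SAMPLE_OBJECTS = [
    (10, "user", "11111111-aaaa-4aaa-8aaa-000000000001", 1,
     "alice@students.example.invalid"),
    (11, "user", "11111111-aaaa-4aaa-8aaa-000000000005", 5,
     "erin_staff.example.invalid#EXT#@students.example.invalid"),
    (12, "course", "22222222-bbbb-4bbb-8bbb-000000000001", 7, "Course A"),
]


def build_sample_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO mdl_user VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany(
        "INSERT INTO mdl_local_o365_objects VALUES (?, ?, ?, ?, ?)",
        SAMPLE_OBJECTS)
    conn.commit()
    return conn


def unmapped_oidc_users(conn):
    """Active oidc users with no 'user' mapping row: sync cannot see them."""
    rows = conn.execute("""
        SELECT u.id, u.username
        FROM mdl_user u
        LEFT JOIN mdl_local_o365_objects o
               ON o.moodleid = u.id AND o.type = 'user'
        WHERE u.auth = 'oidc' AND u.deleted = 0 AND o.id IS NULL
        ORDER BY u.username
    """).fetchall()
    return [username for _id, username in rows]


def guest_mappings(conn):
    """Mapped users whose UPN marks them as guests of the host tenant."""
    rows = conn.execute("""
        SELECT u.username, o.o365name
        FROM mdl_local_o365_objects o
        JOIN mdl_user u ON u.id = o.moodleid
        WHERE o.type = 'user' AND o.o365name LIKE '%#EXT#%'
        ORDER BY u.username
    """).fetchall()
    return [(username, upn) for username, upn in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("oidc users without a mapping row:", unmapped_oidc_users(db))
    print("guest accounts with a mapping row:", guest_mappings(db))
```

Run against a real site, replace `build_sample_db()` with a connection to the Moodle database and keep the two queries; any name listed by `unmapped_oidc_users` is a teacher who still needs to log in through their guest access before course sync will enrol them.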

Hi @weilai-irl

Just to be clear: even if we have added an additional tenant to the integration, we can still use user sync, Teams etc. with the original host tenant? At least the user sync seemed to work.

kkiiskin avatar Nov 14 '23 20:11 kkiiskin

Hi @kkiiskin

I confirm the current multi-tenant feature in the plugins only allows users from the additional tenants to log in. It doesn't affect any other feature, such as user sync, course sync etc., of the main tenant.

Regards, Lai

weilai-irl avatar Nov 15 '23 09:11 weilai-irl