Introduction
The Eduphoria Active Directory Synchronization feature allows easy automatic updates to important staff information.
It can be optionally configured to
- automatically create and delete accounts,
- update email and name information, and
- manage locations.
Before you begin with the setup process, we recommend reading the short FAQs below and reviewing the technical specs document. These will help you understand exactly how the feature functions.
Note: On first synchronization, the system will email all newly created users with a welcome email containing a link for users to create a password. This email will not be sent if the district has successfully set up Active Directory Remote Authentication or SAML prior to setting up the AD sync tool.
Setup Steps
Web Manager Setup
Follow the steps below to set up the synchronization feature:
- Log into Eduphoria as a system administrator.
- Navigate to the Management app.
- Select the Organization tab.
- Select Directory Services.
- Check the first box, Enable Microsoft Active Directory Integration, to enable the entire synchronization feature.
- Note: Once enabled, optional features may be selected to delete Eduphoria accounts, update school/location information, and synchronize employee ID.
If the Read Employee ID field is enabled within System Management under Directory Services & Student Sign-On, the field in Active Directory where employee ID can be found must be specified. This field needs to be populated with the true Active Directory name, not the user-friendly name. For example, the field should read "PhysicalDeliveryOfficeName" instead of "office".
Once all desired options are selected, select the Save button on the top toolbar.
Eduphoria! Directory Sync Tool Setup
After enabling the synchronization feature and selecting the various options, the local synchronization tool may be installed and configured.
- This small application will need to be installed on a computer in the local network’s domain.
- The tool requires a 64-bit Windows Operating System.
- It will not run on a 32-bit Operating System.
- It will do the actual polling of Active Directory and synchronization with the Eduphoria! system.
For additional specifications, please see this article.
Launch the installer and follow the onscreen instructions; no options are available.
Once installed, a new icon will appear on the desktop for the SchoolObjects Directory Synch tool. Launching this tool opens a small application with two options: Run and Settings.
Before running any synchronizations, use the Settings button to set up the process.
The Connection tab houses the credentials used to connect to Eduphoria. This user account must have System Administrator access. Enter the username and password, select Save, and then select Test Connection. After confirming a proper connection, select Save again.
The Groups tab will allow the definition of which security groups will be included in the synchronization. Type the group name in the top white box, then select Add. To correct any input mistakes, select the erroneous group and select Remove.
The First Synchronization
Note: On first synchronization, the system will email all newly created users with a welcome email containing a link for users to create a password. This email will not be sent if the district has successfully set up Active Directory Remote Authentication or SAML prior to setting up the AD sync tool.
Once the Web Manager and locally installed tool are configured, you can run the first synchronization. Since the first run may change more than 5% of users as account information is updated, you will need to run the process manually.
- Select the Run Now option under any of the Settings tabs, OR
- Select Run on the initial screen of the local tool.
This will show the changes as they actually occur.
After the process is complete, System Administrators in Eduphoria! should receive an email as to the status. You will see a list of all users created, deleted, or updated on the left. Selecting any user will show the user's name, email address, Active Directory GUID, type of change, and the user's internal Eduphoria! User ID.
If all changes look acceptable, click Apply Changes. This will then process the actual synchronization with Eduphoria. If there appear to be erroneous changes, then you can Cancel the process. This makes the initial synchronization very safe, as you are required to approve the changes.
Remember that if more than 5% of users are modified in the scheduled process, then it will fail. A summary email will still be sent informing System Administrators of the failure and informing you that a manual process will need to be completed if those changes should be committed.
FAQs
Q: Are passwords synchronized?
No Active Directory password information is exchanged using this feature. Active Directory User Syncing can be used alongside Active Directory Remote Authentication, SAML2, or basic Schoolobjects authentication methods.
Schoolobjects Authentication - The user's email address will remain as the user login and will also be required in Active Directory as that is how the initial connection between Eduphoria! and Active Directory accounts will be made. Users will still log in using their existing credentials, email address, and user-defined password.
Active Directory Remote Authentication or SAML - The user will continue to use their Active Directory credentials to log in through the Remote Authentication portal or SAML provider.
Q: How do I control which users are synchronized?
The feature is designed to allow only certain security groups to be synchronized. When configuring the tool that polls Active Directory, you can specify particular security groups to allow.
Q: What information is synchronized?
By default, the following pieces of data will be automatically updated based on the information in Active Directory:
- first name
- last name
- email address
- new accounts
However, you can optionally enable the synchronization of account deletion, user school/location, and employee ID.
Q: What actions in Active Directory will delete and create/restore accounts?
- Any new account that exists in the allowed security groups will be automatically created in Eduphoria!.
- Deleting or Disabling an account in Active Directory will delete the corresponding account in Eduphoria!, if that feature is enabled.
- Removing a user from the allowed security group(s) will cause that user account to be deleted in Eduphoria!.
- Eduphoria! will synchronize the Active Directory GUID with each Eduphoria! account. This is used to update and connect the account even if username, email, and other identifying fields in Active Directory are changed. Therefore, should you delete an account from Active Directory, that GUID will be deleted with it.
- A new account created, even using the same email or username, will be treated as a new account in Eduphoria!.
- Manually un-deleting an account in Eduphoria! will reset the GUID connection. This will allow you to reconnect an existing Eduphoria! account to an Active Directory account that was deleted and then recreated.
Q: How often will the synchronization occur?
You can schedule the tool to run as often as you like. Adjust the frequency of synchronization to the size of your user base: larger user sets should synchronize less often.
Q: Will I know what changes are made?
An update email is sent to all Eduphoria! System Administrators in the system. This email will include what specific changes were made.
Q: During configuration, what if all of my users are not found in Active Directory?
Should a mistake occur in setup, the system will automatically stop synchronization if more than 5% of the users change at once. This is to prevent your entire user base from being deleted, moved to the wrong locations, etc. An email will still be sent to System Administrators notifying them of the failure to synchronize.
Q: What fields will be read in Active Directory?
For the first name, last name, and email address, the corresponding fields in Active Directory will be read for this information. Location management can use either the Department field or the Office field. Each field can contain information, as it will be combined to assign a user to multiple locations. Each field can also contain multiple values as long as they are separated with a comma, semicolon, backslash, or forward slash. Employee ID will be read from the field that you specify during configuration.
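The rules described in the FAQs above (linking by GUID, first-time matching by email, deletion on disable or group removal, multi-valued Department/Office fields, and the 5% stop) can be modeled as a dry-run estimate before a scheduled sync is enabled. This is an added example, not Eduphoria's code: the record layout, the function names, and the use of the current Eduphoria user count as the denominator for the 5% figure are assumptions.

```python
import re

THRESHOLD = 0.05  # page: a scheduled run fails when more than 5% of users change

def split_locations(department, office):
    """Combine Department and Office; split on comma, semicolon, backslash or slash."""
    parts = re.split(r"[,;\\/]", f"{department or ''},{office or ''}")
    return sorted({p.strip() for p in parts if p.strip()})

def plan_sync(ad_users, edu_users, sync_deletes=True):
    """ad_users = members of the allowed security groups (assumed already filtered).
    Returns (changes, ratio, scheduled_run_would_fail)."""
    by_guid = {u["guid"]: u for u in edu_users if u.get("guid")}
    # Email is only used for accounts with no GUID link yet (first sync, un-deleted).
    by_email = {u["email"].lower(): u for u in edu_users if not u.get("guid")}
    changes, seen = [], set()
    for ad in ad_users:
        if not ad["enabled"]:
            continue  # disabled accounts are handled like deleted ones
        edu = by_guid.get(ad["guid"]) or by_email.get(ad["email"].lower())
        if edu is None:
            changes.append(("create", ad["email"]))
            continue
        seen.add(edu["id"])
        want = (ad["first"], ad["last"], ad["email"],
                split_locations(ad.get("department"), ad.get("office")))
        have = (edu["first"], edu["last"], edu["email"], sorted(edu["locations"]))
        if want != have:
            changes.append(("update", ad["email"]))
    if sync_deletes:  # optional feature on the Directory Services page
        changes += [("delete", u["email"]) for u in edu_users if u["id"] not in seen]
    ratio = len(changes) / max(len(edu_users), 1)  # denominator is an assumption
    return changes, ratio, ratio > THRESHOLD

def sample_directory(n=40):
    """Constructed sample data (not real accounts): n users already linked by GUID."""
    ad = [{"guid": f"g{i}", "enabled": True, "first": "F", "last": f"L{i}",
           "email": f"u{i}@example.org", "department": "HS; Admin", "office": ""}
          for i in range(n)]
    edu = [{"id": i, "guid": f"g{i}", "first": "F", "last": f"L{i}",
            "email": f"u{i}@example.org", "locations": ["Admin", "HS"]}
           for i in range(n)]
    return ad, edu
```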