Eduphoria’s Active Directory (AD) Synchronization feature allows districts to synchronize user accounts from Active Directory to Eduphoria automatically. Districts can configure the feature to perform the following actions:
- Create new accounts in Eduphoria as they are created in Active Directory
- Remove deleted/disabled accounts
- Synchronize location information
- Synchronize employee ID
Note: This synchronization is a one-way pull from Active Directory to Eduphoria. No information is ever written back to Active Directory from Eduphoria. Once this feature is enabled, the ability to edit email address/username, first name, last name, and campus information on Eduphoria accounts under Manage Users in Management is lost because that information comes from Active Directory.
This tool does not enable users to authenticate with their Active Directory credentials. It simply keeps a district’s Eduphoria users synchronized with Active Directory.
Active Directory User Syncing can be used in addition to Active Directory Remote Authentication, SAML, or ClassLink if you want users to authenticate via Active Directory.
Standard Fields
The following fields are synchronized from Active Directory by default when Directory Services Integration is enabled.
Optional Fields
The following fields are synchronized from Active Directory depending on the additional options enabled for Directory Services Integration.
Account Requirements
Before districts can synchronize an account to Eduphoria from Active Directory, the following must be true of the account:
- The account cannot be in an Active Directory Organizational Unit (OU) that has the string “Students” or “Computers” in its name, regardless of capitalization.
- The account must have a valid email address listed in Active Directory.
- The account must be a member of an Allowed Group, which is specified on the Groups tab of the Eduphoria AD Remote Authentication and User Sync Tool.
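A pre-flight check for the three requirements above, run over exported AD records before a sync. This is an added example, not Eduphoria's code; the record layout, the basic email pattern, checking every OU in the DN path, and using direct memberOf values only are assumptions.

```python
import re

# OU name fragments the page says block synchronization (case-insensitive).
BLOCKED_OU_FRAGMENTS = ("students", "computers")
# Assumption: "valid email" is reduced to a basic syntactic check.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def ou_names(distinguished_name):
    """Return the OU values of a DN, splitting only on unescaped commas."""
    names = []
    for part in re.split(r"(?<!\\),", distinguished_name):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "OU":
            names.append(value.strip())
    return names


def sync_blockers(account, allowed_groups):
    """List the reasons an exported AD record fails the three requirements."""
    reasons = []
    # Assumption: any OU in the account's DN path counts, not just the nearest.
    for ou in ou_names(account["distinguishedName"]):
        if any(frag in ou.lower() for frag in BLOCKED_OU_FRAGMENTS):
            reasons.append(f"blocked OU: {ou}")
    if not EMAIL_RE.match((account.get("mail") or "").strip()):
        reasons.append("missing or invalid mail")
    # Assumption: only direct memberOf values are compared (no nested groups).
    allowed = {g.lower() for g in allowed_groups}
    if not allowed & {g.lower() for g in account.get("memberOf", [])}:
        reasons.append("not in an Allowed Group")
    return reasons


# Constructed sample records (not real accounts); the group DN is a placeholder.
ALLOWED = ["CN=Eduphoria Staff,OU=Groups,DC=example,DC=org"]
SAMPLE = [
    {"distinguishedName": "CN=Ada Park,OU=Teachers,OU=Staff,DC=example,DC=org",
     "mail": "apark@example.org", "memberOf": ALLOWED},
    {"distinguishedName": "CN=Lee\\, Sam,OU=HS students,DC=example,DC=org",
     "mail": "slee@example.org", "memberOf": ALLOWED},
    {"distinguishedName": "CN=Kiosk,OU=Staff,DC=example,DC=org",
     "mail": "", "memberOf": []},
]

if __name__ == "__main__":
    for acct in SAMPLE:
        print(acct["distinguishedName"], "->", sync_blockers(acct, ALLOWED) or "ok")
```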
Creating, Deleting, Reactivating, and Modifying Accounts
Account Creation
If an account is found in Active Directory that does not exist in Eduphoria, Directory Services Integration will automatically create that account in Eduphoria. The account in Eduphoria will be forever linked to the account in Active Directory by the unique object GUID.
Account Deletion
If an account in Active Directory is disabled, deleted, or removed from an Allowed Group, Directory Services Integration will automatically delete that account from Eduphoria. Account deletion is an optional User Syncing feature enabled by turning on the Delete disabled and deleted accounts from Eduphoria functionality under Directory Services & Student Sign-On in Management.
Reactivating Deleted or Disabled Accounts
If an account was deleted from Eduphoria because it was removed from an Allowed Group or the account was disabled in Active Directory, all that needs to be done is to put it back in an Allowed Group or re-enable the account in Active Directory.
Either of these actions will result in the account and all its data being re-enabled in Eduphoria. This works because Eduphoria links to the account on the objectGUID field in Active Directory, so it recognizes it as the same account.
If an account was deleted from Eduphoria because it was deleted from Active Directory, go into Eduphoria and un-delete the account before recreating it in Active Directory. This is required because when accounts are deleted and recreated in Active Directory, the objectGUID that the account is linked on changes, so the tool no longer sees it as the same account. The tool assumes the account is a new user with a re-used username/email.
If un-deletion of the account occurs in Eduphoria first, it will link back to that account on the email address and update the objectGUID link. The account must be un-deleted in Eduphoria before this will happen. If the account in Eduphoria is not un-deleted before recreating it in Active Directory, a brand new account will be created in Eduphoria for that user.
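The linking rules described above, modelled as a small decision function to show why the order of un-deleting and recreating matters. This is an added example, not the sync tool's code; the field names, the action labels, and case-insensitive email comparison are assumptions.

```python
def reconcile(ad_user, eduphoria_accounts):
    """Decide what one sync pass does with one AD user (model of the rules above).

    ad_user has "objectGUID" and "mail"; each Eduphoria account has
    "guid", "email" and "deleted". All field names are hypothetical.
    """
    # 1. A GUID match is the same AD object: a deleted account comes back with its data.
    for acct in eduphoria_accounts:
        if acct["guid"] == ad_user["objectGUID"]:
            if acct["deleted"]:
                acct["deleted"] = False
                return "reactivated", acct
            return "linked", acct
    # 2. Unknown GUID: fall back to email, but only against un-deleted accounts,
    #    then update the stored GUID link.
    for acct in eduphoria_accounts:
        if not acct["deleted"] and acct["email"].lower() == ad_user["mail"].lower():
            acct["guid"] = ad_user["objectGUID"]
            return "relinked", acct
    # 3. Nothing to link to: treated as a new user with a re-used email.
    new = {"guid": ad_user["objectGUID"], "email": ad_user["mail"], "deleted": False}
    eduphoria_accounts.append(new)
    return "created", new


def recreated_in_ad(undelete_first):
    """AD account deleted and recreated (new GUID). Returns (action, account count)."""
    # Constructed data: one Eduphoria account deleted after the AD deletion.
    accounts = [{"guid": "guid-old", "email": "apark@example.org", "deleted": True}]
    if undelete_first:
        accounts[0]["deleted"] = False  # admin un-deletes in Eduphoria first
    recreated = {"objectGUID": "guid-new", "mail": "apark@example.org"}
    action, _ = reconcile(recreated, accounts)
    return action, len(accounts)


if __name__ == "__main__":
    print(recreated_in_ad(undelete_first=False))  # duplicate account created
    print(recreated_in_ad(undelete_first=True))   # existing account relinked
```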
Account Modification
Any modifications to Name, Username, Email, Campus Memberships (if enabled), or Employee ID (if enabled) in Active Directory will automatically update the account in Eduphoria on the next Directory Services Synchronization.
Once you have enabled Directory Services Integration and linked the Eduphoria account to an Active Directory account, you cannot make changes to these fields in Eduphoria. You must modify the account in Active Directory.
If you do not have the Read school assignments or Read Employee ID options turned on, you can still make changes to the user’s employee ID and campus with Directory Services enabled.
Location Management
With the Read school assignments option enabled, Directory Services Integration can pull Campus assignments from Active Directory and set those campuses in Eduphoria. The Read school assignments option does not synchronize Department information for user accounts. Department membership must still be set manually under Manage Users in Management. With this option turned on, you cannot set Campus membership manually from within Eduphoria. All campuses for a user under Manage Users will be grayed out since they are syncing from Active Directory.
Campus information is pulled from the Department “department” or Office “physicalDeliveryOfficeName” fields in Active Directory. The AD User Sync tool looks in both fields so that campus info can be used in either or both places. Multiple campuses can be listed if separated by a , ; | / or \ in either field.
Campus information listed in the Office or Department fields in Active Directory must match either the full literal campus name of the school in Eduphoria under Manage Schools or the full literal Local ID or State ID fields under Manage Schools for that campus in Eduphoria. The AD User Sync tool attempts to match on School Name, State ID, and Local ID in that order. If the tool cannot match a campus for a user, it will create that user without a campus assignment.
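A way to audit campus values before enabling Read school assignments, following the separator list and match order described above. This is an added example, not the sync tool's code; the school record layout, the sample schools, and exact (case-sensitive, whitespace-trimmed) matching are assumptions.

```python
import re

# Separators the page lists for multiple campuses: , ; | / \
SEPARATORS = re.compile(r"[,;|/\\]")


def campus_tokens(department, office):
    """Split both AD fields into trimmed, de-duplicated campus tokens."""
    tokens = []
    for field in (department, office):
        for tok in SEPARATORS.split(field or ""):
            tok = tok.strip()
            if tok and tok not in tokens:
                tokens.append(tok)
    return tokens


def match_campuses(department, office, schools):
    """Return (matched school names, unmatched tokens) for one user."""
    matched, unmatched = [], []
    for tok in campus_tokens(department, office):
        hit = None
        # Match order from the page: School Name, then State ID, then Local ID.
        for key in ("name", "state_id", "local_id"):
            hit = next((s for s in schools if s[key] == tok), None)
            if hit:
                break
        if hit is None:
            unmatched.append(tok)
        elif hit["name"] not in matched:
            matched.append(hit["name"])
    return matched, unmatched


# Constructed Manage Schools entries (names and IDs are made up).
SCHOOLS = [
    {"name": "Lincoln High School", "state_id": "101001", "local_id": "001"},
    {"name": "Ridge Elementary", "state_id": "101102", "local_id": "102"},
    {"name": "Early College/STEM Academy", "state_id": "101203", "local_id": "203"},
]

if __name__ == "__main__":
    # Department carries a name and a Local ID; Office carries a name with "/".
    print(match_campuses("Lincoln High School; 102",
                         "Early College/STEM Academy", SCHOOLS))
```

Under this reading, a campus whose name itself contains one of the separator characters is split into tokens that match nothing, so its Local ID or State ID is the value to list in Active Directory.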
The First Synchronization and Notifications
The first synchronization will need to be manually initiated from the Eduphoria AD Remote Authentication and User Sync Tool. The first synchronization will link the existing user accounts in Eduphoria based on either GUID if a district already uses Active Directory or email address if a district uses Schoolobjects authentication.
After the first sync, all accounts are linked based on GUID. The first sync will present a list of changes that must be approved, giving the opportunity to catch mistakes before those mistakes are applied to the Eduphoria accounts.
The tool automatically performs subsequent synchronizations and will send an email summarizing the successful changes and failures. The automatic synchronization will fail and send an email if the tool detects a 5% or greater change to the user base. After an automatic failure, a district can manually run the synchronization tool and approve changes, as with the first sync.