Sakai - Microsoft Suite Integration

This project contains:

  • Generic/Common API + services to communicate with Microsoft API (Microsoft Graph Library)
  • Administrator Workspace Tool to manage integration between Sakai Sites/Groups and Microsoft Teams/Channels

Tool Features

  • Admin can configure Microsoft credentials used to authenticate.
  • Admin can create relationships between Sites/Groups and Teams/Channels
  • Relationships can be used to synchronize users from Sakai to Microsoft.
  • Relationships can be "forced" or not.
    • In a "normal" relationship, the Microsoft Team/Channel ends up containing all users of the related Sakai Site/Group (it may also contain users that do not come from Sakai).
    • In a "forced" relationship, the Microsoft Team/Channel ends up containing exactly the users of the related Sakai Site/Group and no others.
  • Users in Sakai with the permission SiteService.SECURE_UPDATE_SITE are added to the Microsoft Team/Channel as owners; all other users are added as normal members.
  • Auto-config process that creates relationships automatically by matching existing Sites and Teams, with an option to create new Teams/Channels when no match is found.
  • Job Scheduler included to synchronize all existing relationships.
  • Hooks included to provide a real-time synchronization:
    • Create Team when Site is created.
    • Create Channel when Group is created.
    • Delete Team when Site is deleted.
    • Delete Channel when Group is deleted.
    • Add user to Team when user is added to Site.
    • Add user to Channel when user is added to Group.
    • Remove user from Team when user is removed from Site.
    • Remove user from Channel when user is removed from Group.
  • All hooks can be enabled/disabled from config tab.
  • Sakai-Microsoft user mapping is configurable. To determine whether a Sakai user exists in Microsoft, a specific user field is compared on each side:
    • Sakai:
      • Eid
      • Email
      • User Property: microsoft_mapped_id
    • Microsoft:
      • UserId
      • Email
  • During the synchronization process (manual, scheduled or real-time), Sakai users that do not exist in Microsoft AD will be invited.
    • This behaviour can be enabled/disabled from the config tab.
    • Important: guest users have limited permissions. For example, they can never be Team/Channel owners.
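The following script is an added example (not code from the Sakai microsoft-integration project) that works through one synchronization of a Sakai Site onto a Microsoft Team under the rules listed above: accounts are matched on a shared field (email is assumed here), a "forced" relationship also removes Team members with no Sakai counterpart, holders of SiteService.SECURE_UPDATE_SITE become owners, guest accounts are never made owners, and unmatched Sakai users are invited when that option is enabled. The classes, function names and sample data are constructed for this illustration.

```python
"""Plan one Sakai Site -> Microsoft Team synchronization (added example)."""
from dataclasses import dataclass, field

# Value of SiteService.SECURE_UPDATE_SITE in the Sakai kernel API.
SECURE_UPDATE_SITE = "site.upd"


@dataclass(frozen=True)
class SakaiUser:
    eid: str
    email: str
    permissions: frozenset = frozenset()


@dataclass(frozen=True)
class MicrosoftUser:
    user_id: str
    email: str
    guest: bool = False  # invited (guest) accounts have limited rights in the tenant


@dataclass
class SyncPlan:
    invite: list = field(default_factory=list)       # emails with no Microsoft account
    add: list = field(default_factory=list)          # (user_id, role) to add to the Team
    change_role: list = field(default_factory=list)  # (user_id, current, desired)
    remove: list = field(default_factory=list)       # user_ids to drop; forced mode only


def desired_role(sakai_user, ms_user):
    """Owner only if the user may update the Site and the Microsoft account is not a guest."""
    if SECURE_UPDATE_SITE in sakai_user.permissions and not ms_user.guest:
        return "owner"
    return "member"


def plan_sync(site_users, directory, team_members, *, forced, invite_missing=True):
    """Compute the changes needed to make the Team reflect the Site.

    site_users:   Sakai users who are members of the Site
    directory:    Microsoft users in the tenant, keyed by lower-case email
    team_members: current Team membership, {user_id: "owner" | "member"}
    forced:       True removes Team members that have no Sakai counterpart
    """
    plan = SyncPlan()
    expected = {}  # user_id -> role the Team should end up with
    for su in site_users:
        ms = directory.get(su.email.lower())
        if ms is None:
            if invite_missing:
                plan.invite.append(su.email)
            continue
        expected[ms.user_id] = desired_role(su, ms)
    for user_id, role in expected.items():
        current = team_members.get(user_id)
        if current is None:
            plan.add.append((user_id, role))
        elif current != role:
            plan.change_role.append((user_id, current, role))
    if forced:
        plan.remove = [uid for uid in team_members if uid not in expected]
    return plan


# Constructed sample data: a Site with four members and a Team that already
# holds one of them plus an unrelated account.
SITE_USERS = [
    SakaiUser("alice", "alice@example.edu", frozenset({SECURE_UPDATE_SITE})),
    SakaiUser("bob", "bob@example.edu"),
    SakaiUser("carol", "carol@example.edu", frozenset({SECURE_UPDATE_SITE})),
    SakaiUser("dave", "dave@example.edu"),
]
DIRECTORY = {u.email.lower(): u for u in [
    MicrosoftUser("u-alice", "alice@example.edu"),
    MicrosoftUser("u-bob", "bob@example.edu"),
    MicrosoftUser("u-carol", "carol@example.edu", guest=True),  # guest: never owner
    MicrosoftUser("u-eve", "eve@example.edu"),                   # not in the Site
]}
TEAM_MEMBERS = {"u-alice": "member", "u-eve": "member"}


def run_demo(forced):
    return plan_sync(SITE_USERS, DIRECTORY, TEAM_MEMBERS, forced=forced)


if __name__ == "__main__":
    for mode in (False, True):
        print("forced" if mode else "normal", run_demo(mode))
```

Running it shows the difference between the two relationship kinds: in both modes alice is promoted to owner, bob and carol are added as members (carol only as a member, because her account is a guest) and dave is invited; only the forced plan removes eve, who is in the Team but not in the Site.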

Prerequisites

You need:

  • A Sakai 22.x instance.
  • For Microsoft integration:
    • A Microsoft Azure Active Directory application.
    • Azure Active Directory users must exist in Sakai and share an identification field (typically, the email).

Microsoft Teams

Azure AD configuration

You must create a new application in the App Registrations section of the Azure Active Directory portal by clicking on the New Registration button.

[Screenshot: App registrations]

You can enter a name and select the supported account types. The Single tenant option is marked by default.

[Screenshot: Registering new app]

To grant MicrosoftCommonService access to your registered Azure application, you need a client secret. You can obtain one in the Certificates & secrets section of the registered application's configuration page.

[Screenshot: Client secret]

Once the app is created, configure the permissions for your registered Azure App in the API Permissions section. To add a new permission, click Add a permission, then select Microsoft Graph and Application Permissions.

[Screenshot: Permissions]

The application permissions to enable are the following:

ChannelMember.Read.All
ChannelMember.ReadWrite.All
Directory.Read.All
Directory.ReadWrite.All
Group.Create
Group.Read.All
Group.ReadWrite.All
Mail.Send
Team.Create
TeamMember.Read.All
TeamMember.ReadWrite.All
User.Invite.All
User.Read
User.Read.All
-- Media-Gallery Tool Links (TODO: maybe these links can be used in Meetings and OneDrive integration)
Sites.FullControl.All

Then you must click on the Grant admin consent button for your Azure directory.

Sakai - Microsoft Authorization Tool

Used to manage the Authorization Code Flow from Microsoft: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow. This enables delegated access to the Microsoft API.

Requires additional delegated permissions:

Files.Read.All
User.Read

Important: this tool replaces cloud-storage/onedrive, so the following deployed elements are no longer needed:

  • .../lib/sakai-onedrive-api-XX.jar
  • .../components/sakai-onedrive-impl
  • .../webapps/sakai-onedrive-tool
  • .../webapps/sakai-onedrive-tool.war

Sakai - Microsoft Media Gallery Tool

Used to browse media elements (video and audio) stored in Microsoft OneDrive. This tool can be added to a Site (course or project) or to MyWorkspace. The Site tool requires a valid Site-Team synchronization; the MyWorkspace tool requires delegated access.

Requires Sakai permissions:

microsoft.channels.view.all: Allow user to view all Microsoft private channels

Sakai - Microsoft Collaborative Documents Tool

Used to browse Microsoft collaborative documents (Word, Excel or PowerPoint) stored in OneDrive. This tool can be added to a Site (course or project) and requires a valid Site-Team synchronization.

Requires Sakai permissions:

microsoft.channels.view.all: Allow user to view all Microsoft private channels
microsoft.documents.create.files: Allow user to create new documents
microsoft.documents.create.folders: Allow user to create new folders
microsoft.documents.delete.files: Allow user to delete files
microsoft.documents.delete.folders: Allow user to delete folders
microsoft.documents.upload.files: Allow user to upload files

Also requires additional delegated permissions:

Files.ReadWrite
Files.ReadWrite.All
Sites.ReadWrite.All

Microsoft Permissions (summarized, including meetings)

-- Application (20)
ChannelMember.Read.All
ChannelMember.ReadWrite.All
Chat.Read.All
ChatMessage.Read.All
Directory.Read.All
Directory.ReadWrite.All
Files.ReadWrite.All
Group.Create
Group.Read.All
Group.ReadWrite.All
Mail.Send
OnlineMeetings.ReadWrite.All
Sites.FullControl.All
Sites.Manage.All
Sites.ReadWrite.All
Team.Create
TeamMember.Read.All
TeamMember.ReadWrite.All
User.Invite.All
User.Read.All

-- Delegated (6)
Files.Read.All
Files.ReadWrite
Files.ReadWrite.All
Sites.Read.All
Sites.ReadWrite.All
User.Read
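The permission lists above (the Azure AD configuration section and this summary) are what an app registration must request before admin consent is granted. The following script is an added example, not part of the Sakai microsoft-integration project: it compares an app registration's requested Microsoft Graph permissions against the summarized lists and reports what is missing and what is requested beyond them (the latter is worth reviewing, since application permissions are tenant-wide). It takes the manifest's requiredResourceAccess array (the shape returned by `az ad app show --id <appId> --query requiredResourceAccess`) and the Microsoft Graph service principal's appRoles / oauth2PermissionScopes (as returned by `az ad sp show --id 00000003-0000-0000-c000-000000000000`) to resolve permission GUIDs to names. Every GUID in the sample data is a constructed placeholder, not a real permission id.

```python
"""Audit an app registration's requested Graph permissions (added example)."""
import json
import sys

# Well-known appId of the Microsoft Graph API service principal.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Permission sets documented in this README.
REQUIRED_APPLICATION = {
    "ChannelMember.Read.All", "ChannelMember.ReadWrite.All", "Chat.Read.All",
    "ChatMessage.Read.All", "Directory.Read.All", "Directory.ReadWrite.All",
    "Files.ReadWrite.All", "Group.Create", "Group.Read.All", "Group.ReadWrite.All",
    "Mail.Send", "OnlineMeetings.ReadWrite.All", "Sites.FullControl.All",
    "Sites.Manage.All", "Sites.ReadWrite.All", "Team.Create", "TeamMember.Read.All",
    "TeamMember.ReadWrite.All", "User.Invite.All", "User.Read.All",
}
REQUIRED_DELEGATED = {
    "Files.Read.All", "Files.ReadWrite", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All", "User.Read",
}


def build_name_index(graph_sp):
    """Map Graph permission GUIDs to names: appRoles are application permissions,
    oauth2PermissionScopes are delegated ones."""
    roles = {r["id"]: r["value"] for r in graph_sp.get("appRoles", [])}
    scopes = {s["id"]: s["value"] for s in graph_sp.get("oauth2PermissionScopes", [])}
    return roles, scopes


def requested_graph_permissions(required_resource_access, graph_sp):
    """Return (application names, delegated names, unresolved (id, type) pairs)."""
    roles, scopes = build_name_index(graph_sp)
    app, delegated, unresolved = set(), set(), []
    for entry in required_resource_access:
        if entry.get("resourceAppId") != GRAPH_APP_ID:
            continue  # permissions on other APIs are out of scope here
        for access in entry.get("resourceAccess", []):
            pid, ptype = access["id"], access["type"]
            if ptype == "Role" and pid in roles:
                app.add(roles[pid])
            elif ptype == "Scope" and pid in scopes:
                delegated.add(scopes[pid])
            else:
                unresolved.append((pid, ptype))
    return app, delegated, unresolved


def audit(required_resource_access, graph_sp):
    """Compare requested permissions with the documented sets."""
    app, delegated, unresolved = requested_graph_permissions(required_resource_access, graph_sp)
    return {
        "missing_application": sorted(REQUIRED_APPLICATION - app),
        "extra_application": sorted(app - REQUIRED_APPLICATION),
        "missing_delegated": sorted(REQUIRED_DELEGATED - delegated),
        "extra_delegated": sorted(delegated - REQUIRED_DELEGATED),
        "unresolved": unresolved,
    }


# ---- Constructed sample data (placeholder GUIDs, not real permission ids) ----
def _placeholder_guid(n):
    return f"00000000-0000-0000-0000-{n:012d}"


SAMPLE_GRAPH_SP = {
    "appRoles": [{"id": _placeholder_guid(100 + i), "value": name}
                 for i, name in enumerate(sorted(REQUIRED_APPLICATION | {"Mail.ReadWrite"}))],
    "oauth2PermissionScopes": [{"id": _placeholder_guid(200 + i), "value": name}
                               for i, name in enumerate(sorted(REQUIRED_DELEGATED))],
}


def _ids_for(names, entries):
    return [e["id"] for e in entries if e["value"] in names]


# A manifest missing two documented application permissions, requesting one
# undocumented extra, only two delegated scopes, and one id the index cannot resolve.
SAMPLE_MANIFEST = [{
    "resourceAppId": GRAPH_APP_ID,
    "resourceAccess":
        [{"id": i, "type": "Role"} for i in _ids_for(
            (REQUIRED_APPLICATION - {"Mail.Send", "User.Invite.All"}) | {"Mail.ReadWrite"},
            SAMPLE_GRAPH_SP["appRoles"])]
        + [{"id": i, "type": "Scope"} for i in _ids_for(
            {"Files.Read.All", "User.Read"}, SAMPLE_GRAPH_SP["oauth2PermissionScopes"])]
        + [{"id": _placeholder_guid(999), "type": "Role"}],
}]

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: audit.py requiredResourceAccess.json graph_sp.json
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            print(json.dumps(audit(json.load(f), json.load(g)), indent=2))
    else:
        print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_GRAPH_SP), indent=2))
```

Note that requiredResourceAccess only records what the registration asks for; whether an administrator has actually consented (the Grant admin consent step above) is a separate state, so an empty "missing" list here does not by itself mean the integration will be authorized.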

Sakai configuration

Everything is configured through the administration tool.

Meetings README

Remember to set all Meetings-related configuration as described in meetings/README.md.

Future plans and Roadmap

  • Include a custom Sakai permission to identify Microsoft owners.
  • Possibility to configure the user property used for ID mapping.
  • New hook when a user changes role in a Sakai Site.
  • Improve UI (accessibility, style cleaning).
  • Process hook: allUsersRemovedFromGroup

Contact

If you have any questions, please contact the developers at Entornos de Formacion S.L. at [email protected]