Microsoft Entra ID stores essential employee data, which can be synchronized to streamline user management and organizational updates. The Microsoft Entra ID integration allows for seamless synchronization of user and team data.
- Available for users with role Owner. Learn more about roles and permissions here.
- Available as Paid add-on 
- Available on Desktop 
Benefits of the integration
- Automated user creation and updates: Avoid manual entry by synchronizing user data directly from Microsoft Entra ID into edyoucated. 
- Reflect organizational changes: Automatically update changes in team structures, supervisors, and employee status. 
- Efficient deactivation: Automatically deactivate users who leave the organization, reducing manual oversight. 
Obtaining API credentials from Microsoft Entra ID
- Log in to your Microsoft Entra ID account via https://entra.microsoft.com. Ensure you have admin access. 
- Go to Identity > Applications > App registrations in the left navigation bar.
- Click New registration.
- Enter a Name, ignore the remaining parts and click on Register.
- Note down the Application (client) ID and Directory (tenant) ID. You will need to add them on edyoucated later.
- Click on Certificates & secrets in the inner left navigation bar.
- Click on New client secret, enter a description and select an expiry date. When the expiry date is reached, the integration will stop working until the updated secret is entered on edyoucated.
- Note down the Value. After leaving the page, you will not be able to copy the value anymore, unless a new secret is issued.
- Click on API permissions in the inner left navigation bar. Click on Add a permission, and select Microsoft Graph in the right side-panel. Select Application permissions and then grant the following permissions:
  - User.Read.All
  - Group.Read.All (only required if you want to synchronize groups)
  - GroupMember.Read.All (only required if you want to synchronize groups)
- The selected permissions will appear in the table in the center view. They will still have status Not granted for..., so you will need to click on Grant admin consent for.... After confirmation, the status should change to Granted for....
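An added example, not part of the edyoucated documentation or product: a small Python audit for the app registration created in the steps above. It checks that a token issued to the app carries only the application permissions listed there and flags client secrets that are close to expiry; the sample token, application object and secret names are constructed.

```python
import base64
import json
from datetime import datetime, timezone

# Application permissions named in the setup steps.
REQUIRED = {"User.Read.All"}
GROUP_SYNC = {"Group.Read.All", "GroupMember.Read.All"}


def token_roles(access_token):
    """Return the 'roles' claim of a JWT payload (inspection only, no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def audit_roles(roles, sync_groups):
    """Report permissions the integration lacks and permissions it does not need."""
    expected = REQUIRED | (GROUP_SYNC if sync_groups else set())
    return {"missing": sorted(expected - roles), "excess": sorted(roles - expected)}


def expiring_secrets(app, now, warn_days=30):
    """List (name, days_left) for secrets in a Graph application object due within warn_days."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        # Graph timestamps are UTC; fractional seconds are dropped before parsing.
        end = datetime.strptime(cred["endDateTime"][:19], "%Y-%m-%dT%H:%M:%S")
        days_left = (end.replace(tzinfo=timezone.utc) - now).days
        if days_left <= warn_days:  # already expired secrets have negative days_left
            findings.append((cred.get("displayName"), days_left))
    return findings


def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample data: an unsigned token and a trimmed application object.
SAMPLE_TOKEN = ".".join([_b64({"alg": "none"}), _b64({"roles": [
    "User.Read.All", "Group.Read.All", "Directory.ReadWrite.All"]}), "sig"])
SAMPLE_APP = {"passwordCredentials": [
    {"displayName": "edyoucated sync", "endDateTime": "2025-07-10T00:00:00Z"},
    {"displayName": "old secret", "endDateTime": "2026-01-01T00:00:00Z"}]}

if __name__ == "__main__":
    print(audit_roles(token_roles(SAMPLE_TOKEN), sync_groups=True))
    print(expiring_secrets(SAMPLE_APP, datetime(2025, 7, 1, tzinfo=timezone.utc)))
```

Any entry under "excess" is a permission the synchronization does not need and can be removed from the app registration; an entry from `expiring_secrets` means a new secret has to be issued and entered on edyoucated before the date passes.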
Setting up and activating the integration
Note: To access and configure the integration, you must be an organization owner. The integration is a paid add-on and must be enabled by your edyoucated account manager.
- Click on your profile picture in the upper right corner and select Integrations.
- Click on Add/Edit integration in the Microsoft Entra ID card. A new page opens.
- Configure credentials:
  - Enter your Tenant ID, Client ID and Client Secret obtained from Microsoft Entra ID. Learn more about how to obtain the credentials in the section above.
  - Ensure these credentials are kept secure and confidential.
- Choose a default language. This defines the language of emails that automatically created users receive before they can adjust their language settings.
  - If the selected language is not yet maintained for transactional emails, English will be used as a fallback.
- Define synchronization rules: Synchronization rules define the criteria that are used to decide which users from your external system will be synced into edyoucated. Decide if you want to sync guest users (based on the user type attribute from Microsoft Entra ID). Regular users will always be synced. 
- Configure user synchronization: First name, last name, and email are required. Decide if the job title should be synced to edyoucated.
- Configure team synchronization: Decide if teams should be created for each Group and/or each Manager. When choosing to create teams for each Group, only direct group members are included. Nested group memberships are not expanded. 
- Use the Test button to ensure settings are correct before activating.
- Once testing is successful, click Activate at the top right of the page. A modal window will appear.
- In the modal, click Activate integration to start the integration. This will automatically execute the first integration run.
Note: Teams created by the integration support manual additions. Organization owners can add members and assign the Manager role in these synced teams. Manual memberships persist across future sync runs and are only removed when the team itself is deleted. If a user is added manually and later also added to the same team via sync, the original manual role remains unchanged.
Note: If the synchronization is active, it runs automatically every day at 4 a.m. UTC. If higher frequency is needed, contact the edyoucated customer support for adjustments.
Tip: For example, if teams are created for each Manager and there are ten managers in Microsoft Entra ID, ten new teams are created, in which the manager from Microsoft Entra ID has the Supervisor role on edyoucated, and which include all the subordinates of the manager as regular team members. The team name will include the supervisor's name, such as Peter Wright's team.
Synchronized user fields
By default, the following fields need to be synchronized from your Entra ID instance:
- First name (givenName)
- Last name (surname)
- Email (userPrincipalName)
Note: By default, the account's unique User Principal Name (UPN) is used to fill the email attribute on edyoucated (which will be used to send reminders and other transactional emails). This is considered best practice from Microsoft. However, if your organization's UPN differs from the user's primary email, contact the edyoucated support team so that the email attribute from Microsoft Entra ID is used to populate the email attribute in edyoucated instead.
Optional fields to be synchronized:
- Job title (jobTitle)
The profile photo is not synchronized.
Viewing integration runs
- Click on your profile picture in the upper right corner and select Integrations.
- Click on Add/Edit integration in the Microsoft Entra ID card. A new page opens.
- Open the Runs tab. 
In the Runs tab, you will find a table displaying all executed runs of the integration. This table provides the following information about each run:
- Triggered at: Indicates the date and time when the run was executed. 
- Triggered by: Shows whether the run was automatic or manually started by a user. If manual, it displays the username, email address, and user image. 
- Status: A green checkmark indicates a successful run, while a red X signifies a failure. 
- Error: If the run failed, this column contains an error message. 
Clicking on a run in the table will expand a sidebar on the right side of the screen. This sidebar provides additional run details:
- If the run was successful, it shows the actions performed, such as the number of users or teams created, updated, or deactivated. 
- If the run failed, it provides information about the error encountered. 
Note: In scenarios where a manually added user is later also added by sync to the same team, the run may display "1 team updated" even if no effective changes were applied (manual membership and role remain untouched).
Deactivating the integration
To stop the integration, click the Deactivate button at the top right of the page. No further runs will occur. You can re-activate the integration anytime.
Error handling
- If an error occurs during synchronization, it will be logged, and organization owners will receive an email notification. 
- Automatic synchronization will pause until the error is resolved. 
FAQs and limitations
- SCIM provisioning: Not supported at the moment. The integration uses Microsoft Graph. If you require SCIM, please contact edyoucated support; this would require additional engineering effort. 
- Profile pictures: Synchronization of user profile photos is not supported. 
- Nested groups: Nested group memberships are not expanded or converted. Teams created from Entra groups include only direct members of those groups. 
- Email deliverability and whitelisting: A dedicated DKIM property is available to help with email whitelisting. If your organization needs to configure this, please contact edyoucated support to receive the details. 
- Manual members in synced teams: Organization owners can manually add members and managers to integration-created teams. These manual entries persist across sync runs and are removed only when the team is deleted. 
- Duplicate memberships: If a user is added manually and later added to the same team via sync, the original manual role stays unchanged. 



