After provisioning users into your account (through Imports for example), you may integrate with Microsoft Office 365 to authenticate users into Schoology using their Office 365 login credentials. For enhanced security, Schoology also requires that you add your Azure Tenant ID.
Schoology offers an Azure app that has been approved as a trusted authentication receiver by Microsoft. This app is configured to accept logged in Microsoft user information. During the SSO login flow, Schoology uses specific credentials from its app when requesting identity information about Microsoft users.
Note: At no point does Schoology have access to the district's entire LDAP/Azure Directory. We will only ever have read access to specific pieces of information about the logged in user such as name, email, and tenant_id.
With this feature you can authenticate users based on their Microsoft Username, Email Address, or Unique ID. Schoology uses OpenID authentication (a layer on top of OAuth 2.0) to authenticate users in Microsoft Azure and sign them into Schoology.
Microsoft Office 365 SSO
To set up Office 365 SSO by Username, the prefix of the Microsoft Office 365 email address must match the Username field in Schoology. If you're provisioning users from your SIS, your SIS will most likely populate the Unique ID.
To set up Office 365 SSO by Email, the email address in Schoology must match the users' Microsoft Office 365 email address.
Part 1: Configure Your Microsoft External Account Settings
- Click Tools in the top menu of your home page in Schoology.
- Select School Management in the drop-down menu.
- Select Integration from the left menu to view the Authentication tab.
- Select Cloud/On Premise Directory.
- Select Microsoft Office 365.
- Set the Return URL to the address to redirect users when they log out of Schoology.
Note: Set your Return URL to https://login.microsoftonline.com/logout.srf to ensure users are logged out of Microsoft when they log out of Schoology. This is especially suggested for schools that use shared computers.
- Add your Microsoft Azure Tenant ID. See below for instructions on how to retrieve your account's Tenant ID from your Azure profile.
- In the Match Microsoft Using menu, select Username, Unique ID, or Email, according to your user authentication plan:
- Microsoft Username: The Username field in Schoology must match the prefix of the Office365 email addresses.
- Microsoft Email Address: The Email field in Schoology must match the Office365 email addresses.
- Microsoft Unique ID: The Unique ID field in Schoology must match the corresponding Office365 credentials.
- Click Save Changes to complete.
Finding and Copying Your Office 365 Tenant ID
You can find your organization's Tenant ID by logging into the Azure Active Directory portal. Microsoft has outlined this process in their support center here.
Please contact Microsoft if you encounter any difficulty locating your Tenant ID.
Part 2: Change Your Landing Page
Once you've successfully established the link to your Microsoft instance, click into the Custom Domain tab.
Here, you should see that your Domain Type has been set and and your Domain Alias has been changed to your school's custom subdomain. These are configured by working with your Schoology Implementation or Project Manager during your school's implementation process. If these fields are not configured in the Custom Domain tab, contact Schoology Support.
Change the Landing Page drop-down menu from Schoology Log In to External Account Provider and click Save Changes. Changing the landing page is the important final step in enabling your Microsoft 365 SSO configuration. Once you click Save Changes, your users will be able to log in to Schoology using your custom domain and Microsoft credentials.
FAQs about the Schoology Microsoft Integration
How do we identify a Microsoft user in Schoology?
- A user starts on app.schoology.com and is directed to their custom login domain after selecting their school or organization.
- They will get redirected to the Office 365 login page to enter their Microsoft credentials.
- After an authentication handshake (using openID to confirm Microsoft credentials and identify of user), the logged in Microsoft user's information will get sent back to Schoology in the form of a Json Web Token (JWT)
- Schoology will parse this token and compare the information in it against existing users in Schoology. We will use information from Microsoft user's email address and attempt to match it to a Schoology email address, username, or Unique ID
- If a match is found, the user is logged into and redirected back to Schoology. At this point, the SSO is complete.
Why do we require Tenant ID?
- In step #4 above, Schoology checks to make sure the tenant_id of the JWT that Schoology receives matches the tenant_id entered by the School in the SSO configuration page. This protects against a potential security issue when matching by username/unique ID in Schoology if multiple Microsoft SSO districts have users with the same username/unique ID.