Q. How do I add Office 365 integration to my existing PowerSchool Learning domain, and what additional options will this integration provide?
A. Integrating your PowerSchool Learning domain with Office 365 provides a way for your users to sign into PowerSchool Learning using their Office 365 email address and password, through a Single-Sign-On (SSO) connection.
Through the process below, you will be able to take the necessary information (Client ID, Credentials Key, and Office 365 domain name) specific to your Office 365 configuration and input it into your PowerSchool Learning domain to connect the two. Let's get started!
Use these links to jump to a section:
- Configure Office 365
- Configure PowerSchool Learning Accounts
- What if I have an Office 365 subdomain that differs from the main domain suffix?
- I am on the new Azure portal. What is the difference?
Please note these screenshots are from the older version of Azure. If you have updated to the new Azure portal, it has a different look, but follows the same basic steps. Follow these steps to retrieve the ID and Key needed to successfully connect your Office 365 domain with your PowerSchool Learning domain.
1. Navigate to Active Directory from your Office 365 domain (depending on your settings, this might display as Azure AD under Admin centers).
2. Choose Active Directory from the left menu.
3. Choose the Directory name within your Office 365 domain.
4. Click on the Applications tab towards the top of the page.
5. Click the Add button at the bottom of the screen.
6. Select the Add an application my organization is developing option.
7. Give your application a name (such as "PowerSchool Learning") and select the Type Web Application and/or Web API. Click on the arrow in the bottom right of the pop-up window to continue.
8. Enter your PowerSchool Learning domain (including https://) in both Sign-On URL and App ID URI, then click the check mark in the bottom right.
9. Choose the Configure option while viewing the new application (new Azure portal users, skip to step 10).
10. Select a Key duration of either 1 year or 2 years.
11. Add the following Reply URLs (near the bottom)
12. Update these Delegated Permissions to other applications (new Azure portal users may show 4 permissions instead of 3): Windows Azure Active Directory
    - Access the directory as the signed in user
    - Have full access to all files the user can access
    - View users' basic profile
13. Click Save.
14. Scroll down towards the middle of the page and copy down the Client ID.
15. Scroll down to the Keys section and copy down the Key that has been generated.
Integrating the new application to your Learning domain
- Navigate to Domain Control in Learning
- Choose Applications > Partner Tools.
- Click Settings next to Microsoft Office 365.
- Update the Microsoft Office 365 Settings with the following:
    - Microsoft Domain Name
    - App Client ID (step 14 above)
    - App Key (step 15 above)
- Click Save.
PowerSchool Learning Account Configuration
Please note: Domain Administrators using Version 1 Import Specifications can assign Office 365 email addresses to Accounts en masse using the google_id field of the users.csv file. Administrators using Version 2 Imports can assign Office 365 email addresses to Accounts en masse using the sso_id field of the users.csv file.
Changing Account Authentication Types Manually
Once you have configured your domain, you can add Office 365 SSO Authentication information on a per-user basis through the Accounts area of the Domain Control.
- Select Edit under the Manage Account menu for any user, then hit the Change button under the Authentication Method header, and select OK.
- Adjust the Authentication Method from PowerSchool Learning Authentication to Office 365 SSO and enter the Office 365 Username (email address header) for this individual. Select Save to keep your changes!
Curious as to what your Teachers and Students will see? Check out our article How do I log into PowerSchool Learning using Office 365, and what will it look like?
To add Office 365 subdomains, navigate in your PowerSchool Learning domain to Applications > Partner Tools. Click Settings next to Microsoft Office 365. Then, click Add Subdomain, enter in the subdomain name, and click Save.
An example of a common domain/subdomain setup is:
- Domain = @musd.onmicrosoft.com
- Subdomain 1 = @students.k12.az.us
- Subdomain 2 = @musd.k12.az.us
Once you enter your subdomains, you can either import the Office 365 email addresses into user accounts (using the sso_id field), or you can manually edit an account to assign the user to the specific Office 365 domain.
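Before importing, it is worth checking that every sso_id value belongs to a domain or subdomain you have actually configured, and that no two accounts map to the same Office 365 identity. The following is an added example, not PowerSchool code: it uses the example domains above, and the `username` column and the header row are assumptions (only the `sso_id` field name comes from this article).

```python
import csv
import io

# Domain and subdomains configured under Partner Tools > Microsoft Office 365
# (the example setup from this article).
ALLOWED_DOMAINS = {"musd.onmicrosoft.com", "students.k12.az.us", "musd.k12.az.us"}

# Constructed sample of a Version 2 users.csv. Only sso_id is taken from the
# article; "username" is a hypothetical stand-in for the file's other columns.
SAMPLE_CSV = """username,sso_id
jdoe,jdoe@musd.k12.az.us
asmith,ASmith@Students.k12.az.us
bwong,bwong@students.k12.az.us.example.net
cruiz,cruiz@gmail.com
dlee,
efox,asmith@students.k12.az.us
"""

def check_sso_ids(csv_text, allowed_domains):
    """Return (line_number, sso_id, problem) for rows that should be fixed before import."""
    allowed = {d.lower() for d in allowed_domains}
    seen = {}        # lower-cased sso_id -> first line it appeared on
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        line = reader.line_num
        sso_id = (row.get("sso_id") or "").strip()
        if not sso_id:
            continue  # assumed: no sso_id means the account is not using SSO
        local, sep, domain = sso_id.rpartition("@")
        if not sep or not local or not domain:
            problems.append((line, sso_id, "not an email address"))
        elif domain.lower() not in allowed:
            # Exact match on the domain part, so look-alike suffixes are rejected.
            problems.append((line, sso_id, "domain not configured"))
        elif sso_id.lower() in seen:
            problems.append((line, sso_id, f"duplicate of line {seen[sso_id.lower()]}"))
        else:
            seen[sso_id.lower()] = line
    return problems

if __name__ == "__main__":
    for line, sso_id, problem in check_sso_ids(SAMPLE_CSV, ALLOWED_DOMAINS):
        print(f"line {line}: {sso_id!r}: {problem}")
```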
You can Edit the authentication method of a user through the Manage Account menu, in the Accounts area of the Domain Control. If the user is not yet set to Microsoft Office 365 as their authentication method, click change at the top of the edit screen and switch the authentication method to Office 365. Otherwise, simply click edit next to their existing Office 365 username. Then, you'll see a dropdown menu containing your Office 365 email options. Simply select the correct one and enter in the prefix of the email address. Then, click Save.
If you have updated to the new Azure portal, you may be required to grant permission from your Office 365 Global Admin account the first time a user logs in. This article provides more detail. Please use this link to grant permission: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=OBJECTID&resource=https://graph.microsoft.com&prompt=admin_consent
You will also want to ensure your permission settings in your Office 365 domain are as follows:
Microsoft Azure AD Permissions
Microsoft Graph Permissions