User creation / ongoing sync not syncing all fields

[louiseelena]

Hi,

We've recently launched our moodle site and are authenticating against our Azure AD. The sync is up and running - users are created and updated per the sync schedule - but most profile fields that we have mapped are not included in that. When a user is created, they have an email address, location (country and city), and that's it.

When they login for the first time, the rest of their profile is filled out: supervisor, job title, department, etc, etc.

I've checked the mapping, and it is all set up to be updated on creation, every login, and every user sync task - but it's not.

Any ideas what we might have missed? I'm assuming this is a configuration issue somewhere.

Thanks!

Louise

[EiffelD]

Hi @louiseelena ,

We have done this sort of setup a few times in our own and customer environments. At times the mapping may not be correct. Perhaps you could share screenshots of your current mappings and also a screenshot of what a new user is prompted on login in Moodle. Send through your Moodle version as well as the plugin versions of your MS integration plugin to get the folks to help you further.

Regards,
D

[louiseelena]

Thanks!

We're on Moodle Workplace 4.1.6, OIDC 4.1.2, o365 4.1.2.

Our custom fields mapping looks like this:

A user who has not yet logged in has a profile that looks like this:

(Additionally, it looks like their employee ID and department are mapped, but don't appear on the profile page.)

When they log in for the first time, they're prompted to confirm our privacy policy, but aren't asked to fill out any profile fields. Their profiles are, on login, synced to look like this:

From that, it looks like it's just Moodle custom fields that aren't mapping as part of the sync. Any ideas as to why that might be?

[louiseelena]

Just adding to this -

We've now noted that the sync isn't necessarily updating fields either. Some of our users get created in AD before they have an email address set up, so are getting created as users without an email (their username is still set to their email address, but their actual email address field is blank).

This is not then getting updated later on, when the sync runs after their email address is set up.

I'm guessing that this is a permissions issue or something in our configuration somewhere - but I'd welcome any ideas.

[joaop221]

@louiseelena I've had problems with field chars that is unsupported by database column. e.g.: phone number with letters.. The solution was unmap these fields.

[weilai-irl]

Hi @louiseelena

Of the top of my head, I can think of two things.

1. Could you go to the Microsoft 365 integration configuration page, and run verify setup near the bottom of the page, and past back results please. The fact that your user sync task is at least partially work means your Azure most certainly have required permission, but just to be sure. Although most fields used in field mapping are from one single Graph API (https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http), there are some particular fields that require separate Graph API calls, e.g. manager, groups, teams and roles, as well as profile photo and Outlook timezone sync.
2. Could you confirm if the "Perform a full sync each run" option in the user sync setting is enabled please. When this option is disabled, the user sync task would run a delta sync, i.e. it will only receive Microsoft accounts that have changed since the last time it was synced. The profile fields returned in these delta syncs are stored in delta token, and are determined at the first time the delta sync was run. So if the initial delta sync run for some reason didn't contain certain user profile fields, all subsequent delta sync using the delta token will not contain the fields. The fact that user field mapping on login works makes this is very likely the cause of the issue - field mapping triggered by user login doesn't use delta sync. To solve the issue, you will need to delete the existing saved delta token from the database, using the SQL script below. After it's cleared, the next user sync task run will effectively sync all users, and store a new delta token. If all profile fields are returned in this call, all subsequent delta user syncs will contain all the required profile fields. The query is
   DELETE FROM mdl_config_plugins WHERE plugin = 'local_o365' AND name = 'task_usersync_lastdeltatoken';

Please give it a try to see if it works.

Regards,
Lai