Organizations using Microsoft Entra ID (formerly Active Directory) can enable Microsoft single-sign-on (SSO integration) to automatically enroll users into the ThingLink account when they sign in with their Microsoft account.
- Availability
- How to set up the integration
- What happens after the integration is enabled
- What permissions & data are granted to ThingLink?
- What determines the user's account type?
Availability
This integration is available on all organizational licenses.
- Business accounts: Enterprise license
- Educational accounts: any organizational license
How to set up the integration
- As the administrator of your ThingLink account, open the 'Organization' tab on the left.
- Select the 'Integrations' tab, then click the 'Edit' button next to the 'Azure tenant ID' row (see the interactive image below).
- Enter your organization's Microsoft 365 organization ID (also known as Active Directory tenant ID) and click the 'Save changes' button at the bottom of the page. See the linked article or contact your IT department to learn where to find the organization ID.
- You will be redirected to sign in with your Microsoft account to allow ThingLink to use your organization's data. If you are an admin of your Microsoft/Azure tenancy, you can consent on behalf of your organization right here by ticking the box:
If you cannot grant consent on behalf of your organization, please go back to ThingLink, reach out to your Active Directory Global Administrator and ask them to grant tenant-wide admin consent to use ThingLink.
Another way to grant consent is to have your admin log into ThingLink with their Microsoft account. While logging in, they'll be asked to provide consent on behalf of their organization.
What happens after the integration has been enabled?
New users will join you automatically
Whenever somebody from your Office365 tenant creates a new ThingLink account using the 'Sign in with Microsoft' button, they are automatically added to your organizational account.
Existing users will have to request to join your organizational account
Users who had a ThingLink account before you enabled the integration and are not part of your organizational account will see a prompt to join you:
If they request to join your organization, you will need to approve or reject their request via the Organization tab - Requests.
You can also contact ThingLink's support team if you wish to review all such accounts and add them to your license preemptively.
What permissions & data are granted to ThingLink?
ThingLink uses Graph API to receive data about your users and determine their account type. You Azure Admin can review what kind of data we are accessing at any point by going to Azure Portal - 'Enterprise apps' - 'ThingLink' - 'Permissions':
Note that we receive this data only when users sign up to ThingLink, meaning that we won't store any information about those who do not use the platform. ThingLink cannot and will not read your roster.
Educational organizations: what determines the user's account type?
If you do not use Microsoft School Data Sync (SDS): all users will be assigned a student account.
If you use Microsoft School Data Sync: the user's account type on ThingLink is determined by their primaryRole / 'Education role' property. This property is set only if you are using Microsft School Data Sync (SDS). For more information on using SDS, please see this page.
Note that both student and teacher accounts have full access to all content creation tools. If someone's account type is incorrect, your administrator users can always change it via the Organization page -> Users tab as described here.
Comments
0 comments
Please sign in to leave a comment.