Forum Discussion
(Re)moving students from Groups via SDS
Thanks for your interest in SDS.
When you create CSV files from your SIS and upload those into SDS, SDS does update the properties in Azure Active Directory and Office 365 so that a user who moved from one section to another would no longer appear in the first group but would be part of the new group. For example, if STUDENT1 started the term in Math 101, but part way through the term was moved up to MATH 102 in you SIS, then the CSV uploaded to SDS would reflect that change in the SDS admin center as well as in AAD and Office 365.
If you are not seeing this, there could be a few explanations. The first question is, how quickly are you looking for the change to be made? Sometimes it takes a while for changes made via SDS to show up in the tenant depending on other updates and the load on the datacenters. Next, where are you looking to see if the user is still a member of a group? If you are looking in the Office 365 Admin center, it should be reflected. If you are looking somewhere else, such as in Exchange, then it might not have the changes reflected yet. Finally, SDS does not actually ever delete users or groups from AAD. So if you are expecting a group that no longer exists to be removed, or a user who is no longer enrolled in the school to be removed, then SDS will not do that. This is by design, since we do not want SDS to remove a user, their files, their mailbox, etc. just because they are no longer enrolled in a school, which might be a temporary situation. Removing users and groups needs to be a more intentional administrative task. If you want to remove users or sections, here is some more information on that:
- Here is a SOC article which walks through removing users - https://support.office.com/en-us/article/Delete-a-user-from-your-organization-D5155593-3BAC-4D8D-9D8B-F4513A81479E
- If you want to remove users in bulk, PowerShell is the way to go. Use the https://go.microsoft.com/fwlink/?linkid=842230 PowerShell cmdlet
To your other question about active/inactive status, SDS and AAD do not really use that today. When originally designing the schema we envisioned the status would be useful in certain scenarios, but right now it is not used.
Please let me know if this answers your question and if you are now seeing users moved from one section to another as expected. If not, please give as many specific details as you can about whixh SIS you are using, timing, and where yo uare looking for the changes, and I will either help you troubleshoot or get you to the right people who can help.
thanks,
Matt McGinnis
Thanks Matt,
I'm currently checking if the changes on the Groups works as you described. I'll let you if it works.I see that the internal Group names are having a fixed format like "11003_section@suffix.com". Do you know if it's possible to change this internal name? We'd like to define these names by ourselves.
Thanks,
RemyTypically the group name created in AAD inherits the "section name" from your CSV file, and the email address combines the SIS Id of the section with "section" to ensure a unique email address. So you can ensure the name displayed is how you want it either by editing the SIS so the section name is the way you want it, or you can change the name in the admin center if you are an administrator (though it looks like that would have to be one at a time, which would be tedious). I don't think there is a way to do it with a script, but I am looking into it. Also, I don't think there is a way to change the email alias, but I am looking into that as well. I'll reply on this thread as soon as I have more information.
Thanks!
Matt
Nice, I do see the changes made on the StudentEnrollments in the Groups now. Thats good news.
I've also performed a change on a group with a Powershell command, which did indeed change the e-mail adress of the group.
Set-UnifiedGroup -Identity "GroupnameX" -PrimarySmtpAddress "PREFIX-GroupnameX@domain.onmicrosoft.com"
After changing this property I see the Group-ID in the Admin Center changed. The initial section_xxxxx@domain.onmicrosoft.com is now just an alias. Also, SDS is still able to do mutations on the Team via StudentEnrollments.csv
DeletedAt the moment I'm using the Active/Inactive attribute (from our Powerschool sync) in an Azure AD dynamic group. Do you think that will be a problem going forward?
Hi Grant-
there is no problem using the status (active/inactive) attribute. There are no plans to change or remove it, I just don't know of any app that uses it currently. Are you actually using it, or have an apps that does? If so, please let me know so I can educate myself.
Thanks
Matt
DeletedAt the moment I am using it to handle our off-boarding process for students. We have both the paid and the free/unlimited 365 subscription SKU's for students (Office 365 Proplus for Students and Office 365 Education for Students). In order to manage licensing in as automated of a manner as I can, I've created two AAD groups, one for Active students and one for Inactive Students. I use the dynamic groups function in AAD to auto-populate both based on the attribute coming in from Powerschool via SDS. Then I configured AAD group licensing so that the Active Students group automatically gets both subscriptions, while the Inactive Students group only gets the free subscription. This allows me to make sure that our limited pool of paid subscriptions is assigned only to the appropriate students, without having to deal with a ton of administrative overhead to manually deassign licenses at the end of the school year or whenever a student drops.
Sorry if that explanation is a confusing mess, just let me know if you'd like me to clarify any of it.
-grant
