Skip to Content
Technical Articles
Author's profile photo Ka Shun Wong

SuccessFactors LMS – Microsoft Teams VLS Integration

[UPDATE on 6 Feb 2021: The comprehensive guide with detailed configuration steps in LMS and Microsoft Azure has been posted in KBA#3113230 as Supplementary VLS Configuration for Microsoft Teams. You are advised to check the KBA instead of this blog]

 

SuccessFactors has recently (2H 2021) released the LMS VLS integration with Microsoft Teams, while the configuration steps are not comprehensive enough especially on Microsoft Azure side.

This blog quickly demonstrates how configuration has been made on both SuccessFactors LMS and Microsoft Azure.

Since there are still limitations/bugs to be solved by SuccessFactors, this blog post may be revised someday.

 

Ref:

  1. SAP Help Portal – Implementing Virtual Learning System (VLS)
  2. SAP KBA – 3113230 – Microsoft Teams – VLS Implementation Supplementary Links
  3. SuccessFactors Community – Microsoft Teams VLS Configuration – How to Set Up MS Teams in MS Azure Portal
  4. SuccessFactors Community – MicroSoft Teams VLS Integration

 

This blog will cover configurations in below order:

  1. Configuration in Microsoft Azure
  2. Configuration in SuccessFactors LMS [TBC]
  3. Walkthrough – Instructor Record VLS Settings [TBC]
  4. Walkthrough – Scheduling a VLS class [TBC]
  5. Walkthrough – Instructor starts the class [TBC]
  6. Walkthrough – Student starts the class [TBC]
  7. Walkthrough – Process VLS Attendance APM (Not working and pending to be solved) [TBC]

 


Step 1: Configuration in Microsoft Azure

You may refer to Microsoft Document links in SAP KBA – 3113230 – Microsoft Teams – VLS Implementation Supplementary Links:

  1. Register your Microsoft Teams app
  2. Configure the Microsoft Teams app to expose a web API [no use in my test case]
  3. Configure a client application to access a web API [only application permission is used in my test case]
  4. Allow applications to access online meetings on behalf of a user
  5. Grant per-user application access policy [instead of granting per-user, I have granted the application access policy to global aka all users in the Azure tenant]
  6. Microsoft Graph permissions reference – Microsoft Graph | Microsoft Docs

 

1 Register your Microsoft Teams app

Mark down the Application (client) ID and Directory (tenant) ID of your Microsoft Teams app created in the app.

 

3 Configure a client application to access a web API [only application permission is used in my test case]

This step is to grant your newly created Microsoft Teams app to access MS Graph API. Several APIs are used in this integration scope in order to:

  • Verify the instructor can access Microsoft Teams
  • Manage online meetings eg. create meetings for each class’s time slots, register students

Details please check SAP Help Portal – Implementing Virtual Learning System (VLS).

 

4 Allow applications to access online meetings on behalf of a user

This step will create an application access policy which defines the application access policy with mapping the newly created Microsoft Teams app.

This application access policy will further be granted to authorized users so that they can use the Microsoft Teams app to call various MS Graph API.

*This step requires MS PowerShell tool, which is generally found in MS Windows OS (Windows 11 is used in this case). Please make sure you have install Microsoft Teams PowerShell module before. (Ref: Install Microsoft Teams PowerShell Module)

Authenticate MicrosoftTeams:

Import-Module MicrosoftTeams
$userCredential = Get-Credential
Connect-MicrosoftTeams -Credential $userCredential

Create application access policy:

New-CsApplicationAccessPolicy -Identity Teams2SF_2-policy -AppIds “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” -Description “Teams2SF_2 Access Policy”

the argument after ‘-Identity’ defines the policy ID (freely by you)

the argument after ‘-AppIds’ refers the app ID of newly created MS Teams app in step 1.

the argument after ‘-Description’ defines the policy description (freely by you)

 

*Use cmdlet ‘Get-CsApplicationAccessPolicy’ to check all existing application access policy for verification

 

5 Grant per-user application access policy [instead of granting per-user, I have granted the application access policy to global aka all users in the Azure tenant]

You can grant the application access per user so that this user is authorized to call the MS Teams app and then MS Graph API. This user should be referred as Instructors in my guess (as I encountered the application access policy 403 during creating a VLS class when the instructor is not granted.

Grant the application access policy to all users in Azure tenant by ‘-Global’:

Grant-CsApplicationAccessPolicy -PolicyName Teams2SF_2-policy -Global

 

Step 1 Configuration in Microsoft Azure is done, and stay tuned for remaining steps since this is Lunar New Year holiday in my country~

Assigned Tags

      34 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Andrius Kurlinkus
      Andrius Kurlinkus

      Thank you. Your article is very useful. Just one question. Class time slots should synchronize with MS Teams calendar?

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      Yes. I can see they are sync, and everytime you update time slot will also trigger the email notification as well.

      Author's profile photo Andrius Kurlinkus
      Andrius Kurlinkus

      We configured everything according to the SAP manual attached, which only indicated two types of permissions (picture below), in LMS side VLS works fine, but calendar is not sync.

      In your article indicates five, could you explain what the rest of the permissions should do? I am referring to the following permissions:

      User.ReadWrite.All

      Directory.Read.All

      Directory.ReadWrite.All

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      I learnt those 5 permissions from previous version of KBA#3113230 (as well as SuccessFactors Community), and which the KBA has been updated recently that only 2 permissions (as per your reply) are required.

      To be honest I can't tell why/where those permissions are used (maybe during creating instructor account, creating VLS class, registering class, processing VLS attendance APM, etc) and we can see SuccessFactors keeps updating the design (eg. I found instructor was treated as the meeting host and other registered users was treated as the meeting attendees and they have to wait for instructor to add into the teams meeting in early testing. But now both instructor and registered users are playing the same role in the teams meeting..)

      Author's profile photo Stanley Merkx
      Stanley Merkx

      Hi Carson, thanks for the blog post, it is very helpful.

      Would you be able to share the KBA document that states the required permissions? I do not have access to these documents. I have asked our Successfactors admin for the document, but that version (version 6 - released on 18.01.2022) only contains 6 links to very generic Microsoft documentation and says nothing about required permissions.

      I need to provide documentation to our Azure AD global admins about the exact permissions required. Not so simple with limited access to documentation and with permissions apparently being a moving target...

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      You can find the attachment in KBA#3113230 which has stated the permissions in p.6.

       

      Hope this helps.

      Author's profile photo Mohammad Suhaib Khan
      Mohammad Suhaib Khan

      Carson Wong, It is really useful. The session created out of this integration can be leveraged for social collaboration like content sharing ??

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      It depends on the MS Teams, but I see even the basic Teams meeting can have share screen/content/recording..so it will be fine.

      In my understanding, LMS only calls standards APIs delivered by Microsoft Teams (via Microsoft Graph API) for the integration. There is no LMS-specific functions built in this case.

      Author's profile photo Alejandra Moyano
      Alejandra Moyano

      Hi Carson, thank you for the information, Can you share with me  the Configuration in SuccessFactors LMS [TBC] please ?  I have not been able to download the template.  thanks for your help.

      Author's profile photo Carson Wong
      Carson Wong

      <?xml version="1.0" encoding="UTF-8"?>
      <connector>
      <description>Microsoft Teams Meeting connector</description>
      <! -- The plateau connector class. This should not be modified. It is the implementation class for Teams integration -->
      <connector_class>com.successfactors.lms.framework.vle.impl.TeamsConnector</connector_class>
      <!-- ======================================= -->
      <!-- configuration parameters for Teams -->
      <!-- ======================================= -->
      <url_api_address>https://graph.microsoft.com</url_api_address>
      <api_key>Application (client) ID of tenant from Azure portal</api_key>
      <password>Value field from client secret</password>
      <tenant_id>Directory (tenant) ID of tenant from Azure portal</tenant_id>
      <application_id>Application (client) ID of tenant from Azure portal</application_id>
      </connector>

      Author's profile photo Tim Knödgen
      Tim Knödgen

      Hi Carson,

      thanks for this helpful blog post!

      Do you know the difference between <api_key> and <application_id>?

      Because the description is the same: Application (client) ID of tenant from Azure portal

      Thanks!

       

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      You are right that they are exactly storing the same information.

      Author's profile photo Renata Karlettidou
      Renata Karlettidou

      Carson Wong We completed the integration and it works as described by SAP, except the VLS Attendance APM. Is there any update concerning this matter?

      Author's profile photo Pieter Janssens
      Pieter Janssens

      We are also not able to record attendance automatically. Did you manage to resolve it?

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      We learnt the record attendance automatically function has been fixed recently. I have tested and it is working just fine.

      For quick reference:

      1. you should setup the corresponding attendance % as well as the completion/failure status in the Class
      2. Enable the APM for the VLS attendance recording

      Hope this helps.

      Author's profile photo Camelia Lahlou
      Camelia Lahlou

      This is very interesting! Thank you.

      Do you know if something similar could be done with Interview Scheduling in the Recruiting Management module?

      Thanks,

      Camélia

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      Hi Camelia,

      Are you referring the Interview Scheduling with Outlook feature in Recruiting Management?

      I have studied that configuration recently, and seems there is no way to setup the teams 'automatically' when the interview meeting request is created.

      Instead, since the feature uses the technical account (not interviewer or interviewee) to create the meeting request as an organiser, you may use that technical account to update the meeting request in Outlook or Teams app, but those updates cannot be captured in Recruiting Management.

      (Immature design...long time to go and my team generally not recommend to adopt this feature currently, let's see any enhancement in coming releases)

      Thanks,

      Carson

      Author's profile photo Camelia Lahlou
      Camelia Lahlou

      Hi Carson,

      I see. Thank you for the details.

      Best,

      Camélia

      Author's profile photo Vinay Potdar
      Vinay Potdar

      Hi Carlson,

      Thanks for the blog. Really helpful.

      I was successfully able to update the VLS Configuration properties & also the VLS Settings for Instructor. However I am currently facing a issue while scheduling / adding a class in Successfactors LMS. I am not able to save the class after selecting the MS Teams as VLS Server & also selecting the Instructor who has added with MS Teams VLS Server with his/her email address.

      These users have Microsoft Teams account with the same email address including me.

      The Permissions which have been given at the MS Azure End in the Microsoft Graph are as below:

      OnlineMeetings.ReadWrite.All

      User.Read

      User.Read.All

      Error i am facing:

      Error message = Failed to send VLE Instructor Notification<br>Ticket No = 1016088<br>ErrorFingerprint [exceptionRootCauseTag=96ec49343cb40cd17dfbba76e2e60ce21aebf890, exceptionStackTraceTag=fb052b44dbd562e1df56fd95430d6a67798ea692]<br>Timestamp = 2022-08-18T13:03:12.485+0000

      Regards,

      VP.

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      Hi VP,

      So far I have not encountered your issue before and thus I went through again the configuration (in both Azure and LMS) in my DC10 testing environment and seems all good. You may check again the settings:

      • Instructor's email and the account in VLS setting should be in your AZure AD
      • You have granted the access policy to this instructor (or you can grant the access policy to all Azure AD User ie. global)

       

      If everything looks good but the problem still exists, I suggest you to raise the ticket to SAP Support.

       

      Hope this helps.

       

      Thanks,

      Carson

      Author's profile photo Vinay Potdar
      Vinay Potdar

      Hi Carson,

      Thanks for the reply.

      I've checked the below with MS Azure Team:

      • Instructor's email and the account in VLS setting should be in your Azure AD. Instructor's email & account exists in Azure AD.
      • You have granted the access policy to this instructor (or you can grant the access policy to all Azure AD User ie. global) - The Azure Consultant has granted the access policy to all Azure AD Users i.e. global.

      SAP says this error is out of support & asked me to check VLE instructor template. The thing is customer do not use notifications currently.

      Could you please advise.

      Regards,

      VP.

      Author's profile photo Vinay Potdar
      Vinay Potdar

      Hi Carson,

      The issue is resolved now.

      Under Mail Settings - The

      Also, selected Admin (from Free-Form) in the : field.

      Post which we were able to save the class with MS teams as VLS Server.

      Thanks for the help.

      Regards,

      Vinay.

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      Good to hear that.

      Author's profile photo Estela Olavarria
      Estela Olavarria

      Hello Carson

      Thanks for sharing this information, is very helpful.

      I am wondering if you can tell us how much effort is needed to implement this, in terms of time and resoures that need to be involved. Is testing straight forward?

      Thanks again

      Estela

      Author's profile photo Vinay Potdar
      Vinay Potdar

      Hi Carson,

      I trust you are doing good.

      I was going through a thread in Successfactors Community forum where they have mentioned the below:

      Microsoft Teams changed the attendance API, which requires additional permission to be added to the Azure portal: OnlineMeetingArtifact.Read.All. This permission is needed to get the meeting attendance records.

      Please ensure that you add this permission in your Azure before 2H 2022 goes into production; otherwise, the attendance processing will be unsuccessful, which may impact your business.

      Community URL - https://community.successfactors.com/t5/Learning-Forum/Announcement-Microsoft-Teams-requires-a-new-permission-to/td-p/296069

      Link - https://learn.microsoft.com/en-us/graph/cloud-communications-online-meeting-artifacts

      The same is mentioned in the Blog - https://talenteam.com/blog/successfactors-learning-and-microsoft-teams-vls-integration/

      Wanted to check if the permission - OnlineMeetingArtifact.Read.All also has to be added?

      Please advise.

      Regards,

      Vinay.

      Author's profile photo Ka Shun Wong
      Ka Shun Wong
      Blog Post Author

      Yes, it is required as per the attachment in SAP KBA#3113230 - Microsoft Teams - VLS Implementation Supplementary Links

      Author's profile photo Carson Wong
      Carson Wong

      Your concern is found in coming 2H2022 release as well.

      https://help.sap.com/docs/SAP_SUCCESSFACTORS_RELEASE_INFORMATION/8e0d540f96474717bbf18df51e54e522/9ed67a201b774007905f5354c9a9f146.html?parentHref=%2Fwhats-new%2F8fcf4960eea24f78b1d7613da406a885%3FApplication_Component%3DPerformance%252520%252526%252520Goals%26Version%3D2H%2525202022%26locale%3Den-US&parentName=SAP%20SuccessFactors%20What%27s%20New

      Author's profile photo Vinay Potdar
      Vinay Potdar

      Thanks Carson. This helps.

      Author's profile photo Vinay Potdar
      Vinay Potdar

      Thanks Ka Shun.

      Author's profile photo Sanda Elena Dodan
      Sanda Elena Dodan

      Hi all, can you please vote for this improvement request: https://influence.sap.com/sap/ino/#/idea/291380/?section=sectionDetails (LMS integration to Teams)? The issue is very important to us as we have users with no TEAMS accounts being able to join TEAMS session, but the system doesn't recognize them as being in the class and add the training as INCOMPLETE in their learning history.

      Thanks!

      Author's profile photo Ka Shun Wong
      Ka Shun Wong
      Blog Post Author

      I have voted in this request and I am also thinking how system can differentiate who in the attendance list has been absent (so that incomplete status learning history should be recorded) or has been presented as anonymous users in Teams meeting.

      Maybe this can only be solved by having a UI for learning admin to cross-check the attendance list in LMS vs attendance record from Teams and then make decision, instead of simply using the APM (just this will be a long journey to make this enhancement live to me.)

      Author's profile photo Veera Teja Reddy Sirigireddy
      Veera Teja Reddy Sirigireddy

      Hi Carson,

       

      We were able to implement the Teams integration with LMS easily thanks to your blog, but the issue we are facing now is, we are not able to add external instructors in our system. We are facing the below error. Instructors mail ID is of Yahoo.com . We also tried to add my outlook mail ID still facing the same issue. Any thoughts on how to resolve the error. Please note we have no issue in adding instructors using our company mail ID.

      Author's profile photo Ka Shun Wong
      Ka Shun Wong
      Blog Post Author

      Instructor email will be checked against your company Teams AD (ie. Instructor has no Teams account under your company).

       

      Seems to me you should have external instructors which have valid Teams account under your company.

       

      SuccessFactors has made an update in 2H 2022 release for your reference:

      https://help.sap.com/docs/SAP_SUCCESSFACTORS_RELEASE_INFORMATION/8e0d540f96474717bbf18df51e54e522/15d1f53cdf954ecab64c115b30d157b0.html?parentHref=%2Fwhats-new%2F8fcf4960eea24f78b1d7613da406a885%3FApplication_Component%3DLearning%26Version%3D2H%25202022%26locale%3Den-US&parentName=SAP%20SuccessFactors%20What%27s%20New

      Author's profile photo Veera Teja Reddy Sirigireddy
      Veera Teja Reddy Sirigireddy

      Hi Carson,

       

      Thanks for your input. We will implement this change and check.