Skip to Content
Technical Articles
Author's profile photo Carson Wong

SuccessFactors LMS – Microsoft Teams VLS Integration

[UPDATE on 6 Feb 2021: The comprehensive guide with detailed configuration steps in LMS and Microsoft Azure has been posted in KBA#3113230 as Supplementary VLS Configuration for Microsoft Teams. You are advised to check the KBA instead of this blog]

 

SuccessFactors has recently (2H 2021) released the LMS VLS integration with Microsoft Teams, while the configuration steps are not comprehensive enough especially on Microsoft Azure side.

This blog quickly demonstrates how configuration has been made on both SuccessFactors LMS and Microsoft Azure.

Since there are still limitations/bugs to be solved by SuccessFactors, this blog post may be revised someday.

 

Ref:

  1. SAP Help Portal – Implementing Virtual Learning System (VLS)
  2. SAP KBA – 3113230 – Microsoft Teams – VLS Implementation Supplementary Links
  3. SuccessFactors Community – Microsoft Teams VLS Configuration – How to Set Up MS Teams in MS Azure Portal
  4. SuccessFactors Community – MicroSoft Teams VLS Integration

 

This blog will cover configurations in below order:

  1. Configuration in Microsoft Azure
  2. Configuration in SuccessFactors LMS [TBC]
  3. Walkthrough – Instructor Record VLS Settings [TBC]
  4. Walkthrough – Scheduling a VLS class [TBC]
  5. Walkthrough – Instructor starts the class [TBC]
  6. Walkthrough – Student starts the class [TBC]
  7. Walkthrough – Process VLS Attendance APM (Not working and pending to be solved) [TBC]

 


Step 1: Configuration in Microsoft Azure

You may refer to Microsoft Document links in SAP KBA – 3113230 – Microsoft Teams – VLS Implementation Supplementary Links:

  1. Register your Microsoft Teams app
  2. Configure the Microsoft Teams app to expose a web API [no use in my test case]
  3. Configure a client application to access a web API [only application permission is used in my test case]
  4. Allow applications to access online meetings on behalf of a user
  5. Grant per-user application access policy [instead of granting per-user, I have granted the application access policy to global aka all users in the Azure tenant]
  6. Microsoft Graph permissions reference – Microsoft Graph | Microsoft Docs

 

1 Register your Microsoft Teams app

Mark down the Application (client) ID and Directory (tenant) ID of your Microsoft Teams app created in the app.

 

3 Configure a client application to access a web API [only application permission is used in my test case]

This step is to grant your newly created Microsoft Teams app to access MS Graph API. Several APIs are used in this integration scope in order to:

  • Verify the instructor can access Microsoft Teams
  • Manage online meetings eg. create meetings for each class’s time slots, register students

Details please check SAP Help Portal – Implementing Virtual Learning System (VLS).

 

4 Allow applications to access online meetings on behalf of a user

This step will create an application access policy which defines the application access policy with mapping the newly created Microsoft Teams app.

This application access policy will further be granted to authorized users so that they can use the Microsoft Teams app to call various MS Graph API.

*This step requires MS PowerShell tool, which is generally found in MS Windows OS (Windows 11 is used in this case). Please make sure you have install Microsoft Teams PowerShell module before. (Ref: Install Microsoft Teams PowerShell Module)

Authenticate MicrosoftTeams:

Import-Module MicrosoftTeams
$userCredential = Get-Credential
Connect-MicrosoftTeams -Credential $userCredential

Create application access policy:

New-CsApplicationAccessPolicy -Identity Teams2SF_2-policy -AppIds “xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx” -Description “Teams2SF_2 Access Policy”

the argument after ‘-Identity’ defines the policy ID (freely by you)

the argument after ‘-AppIds’ refers the app ID of newly created MS Teams app in step 1.

the argument after ‘-Description’ defines the policy description (freely by you)

 

*Use cmdlet ‘Get-CsApplicationAccessPolicy’ to check all existing application access policy for verification

 

5 Grant per-user application access policy [instead of granting per-user, I have granted the application access policy to global aka all users in the Azure tenant]

You can grant the application access per user so that this user is authorized to call the MS Teams app and then MS Graph API. This user should be referred as Instructors in my guess (as I encountered the application access policy 403 during creating a VLS class when the instructor is not granted.

Grant the application access policy to all users in Azure tenant by ‘-Global’:

Grant-CsApplicationAccessPolicy -PolicyName Teams2SF_2-policy -Global

 

Step 1 Configuration in Microsoft Azure is done, and stay tuned for remaining steps since this is Lunar New Year holiday in my country~

Assigned Tags

      11 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Andrius Kurlinkus
      Andrius Kurlinkus

      Thank you. Your article is very useful. Just one question. Class time slots should synchronize with MS Teams calendar?

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      Yes. I can see they are sync, and everytime you update time slot will also trigger the email notification as well.

      Author's profile photo Andrius Kurlinkus
      Andrius Kurlinkus

      We configured everything according to the SAP manual attached, which only indicated two types of permissions (picture below), in LMS side VLS works fine, but calendar is not sync.

      In your article indicates five, could you explain what the rest of the permissions should do? I am referring to the following permissions:

      User.ReadWrite.All

      Directory.Read.All

      Directory.ReadWrite.All

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      I learnt those 5 permissions from previous version of KBA#3113230 (as well as SuccessFactors Community), and which the KBA has been updated recently that only 2 permissions (as per your reply) are required.

      To be honest I can't tell why/where those permissions are used (maybe during creating instructor account, creating VLS class, registering class, processing VLS attendance APM, etc) and we can see SuccessFactors keeps updating the design (eg. I found instructor was treated as the meeting host and other registered users was treated as the meeting attendees and they have to wait for instructor to add into the teams meeting in early testing. But now both instructor and registered users are playing the same role in the teams meeting..)

      Author's profile photo Stanley Merkx
      Stanley Merkx

      Hi Carson, thanks for the blog post, it is very helpful.

      Would you be able to share the KBA document that states the required permissions? I do not have access to these documents. I have asked our Successfactors admin for the document, but that version (version 6 - released on 18.01.2022) only contains 6 links to very generic Microsoft documentation and says nothing about required permissions.

      I need to provide documentation to our Azure AD global admins about the exact permissions required. Not so simple with limited access to documentation and with permissions apparently being a moving target...

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      You can find the attachment in KBA#3113230 which has stated the permissions in p.6.

       

      Hope this helps.

      Author's profile photo Mohammad Suhaib Khan
      Mohammad Suhaib Khan

      Carson Wong, It is really useful. The session created out of this integration can be leveraged for social collaboration like content sharing ??

      Author's profile photo Carson Wong
      Carson Wong
      Blog Post Author

      It depends on the MS Teams, but I see even the basic Teams meeting can have share screen/content/recording..so it will be fine.

      In my understanding, LMS only calls standards APIs delivered by Microsoft Teams (via Microsoft Graph API) for the integration. There is no LMS-specific functions built in this case.

      Author's profile photo Alejandra Moyano
      Alejandra Moyano

      Hi Carson, thank you for the information, Can you share with me  the Configuration in SuccessFactors LMS [TBC] please ?  I have not been able to download the template.  thanks for your help.

      Author's profile photo Carson Wong
      Carson Wong

      <?xml version="1.0" encoding="UTF-8"?>
      <connector>
      <description>Microsoft Teams Meeting connector</description>
      <! -- The plateau connector class. This should not be modified. It is the implementation class for Teams integration -->
      <connector_class>com.successfactors.lms.framework.vle.impl.TeamsConnector</connector_class>
      <!-- ======================================= -->
      <!-- configuration parameters for Teams -->
      <!-- ======================================= -->
      <url_api_address>https://graph.microsoft.com</url_api_address>
      <api_key>Application (client) ID of tenant from Azure portal</api_key>
      <password>Value field from client secret</password>
      <tenant_id>Directory (tenant) ID of tenant from Azure portal</tenant_id>
      <application_id>Application (client) ID of tenant from Azure portal</application_id>
      </connector>

      Author's profile photo Renata Karlettidou
      Renata Karlettidou

      Carson Wong We completed the integration and it works as described by SAP, except the VLS Attendance APM. Is there any update concerning this matter?