Background
An Azure user access review rule disabled and deleted the Azure Active Directory (AAD) guest user accounts for LMS365 students.
LMS365 brings users into an AAD tenant as guests to provide access to the SharePoint sites that LMS365 courses are built on. Students in this scenario take a recertification course annually and are otherwise inactive in the AAD tenant in the meantime. The access review flags these inactive guest users to be disabled and removed.
When a student registers for a refresher, or another class after a time period longer than 6 months, they will not appear in the LMS365 student list to enroll to the course because they have been removed from AAD.
NOTE: The deletion of the guest user from AAD removes the student from the LMS365 student list but does NOT delete the student record in LMS365. A full list of students can be exported via LMS365 API. The student record is retained with the email address and original Azure Object ID. See below:
The Problem
If a student is not in the LMS365 student list, they must be added before enrollment to a course.
When a student is an active existing user/guest of AAD, the student will be added to the student list and can be enrolled to their course without issue.
If they are NOT an active user/guest in AAD, an invitation is emailed by LMS365 for the student to join the host tenant AAD as a guest.
In this scenario, when the AAD guest user is added as a student in LMS365, a second LMS365 user account is created with the same email address the student was previously added with, but with a new DirectoryObjectID assigned by AAD.
The new LMS365 user account is not provisioned with the permissions needed to access the LMS SharePoint sites.
When the student logs in to LMS365 to access their course, they are presented with a message that they do not have permission to the site and are given the opportunity to request access. LMS administrators are notified; however, granting this request does not provide the new LMS365 user account with the permissions it needs.
Solution
The following steps can be taken to restore user access.
1. Remove the student from the LMS365 learner list.
2. Using the LMS API, export a list of users.
3. Search for the user email address.
4. If there are two entries for the email address, you can merge student records from the ‘is deleted’ account into the new active account.
5. If student records are not necessary, purge the accounts (the DirectoryObjectID parameter can be used in place of LoginName for this function).
6. Go to the SharePoint site and edit the URL to add the following string: /_layouts/15/people.aspx?MembershipGroupId=0
   For example: https://contoso.sharepoint.com/sites/contosotraining/_layouts/15/people.aspx?MembershipGroupId=0
7. Find and select the user you’re looking to restore access for, and remove them from the SharePoint site.
8. Return to the LMS365 learner list and add the learner. If they do not have an active AAD guest user account, they will be sent an invitation. If they do have an active AAD guest account, they will be added directly to the learner list.
9. Enroll the student in the course/session they are registered for.
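The following is an added example, not LMS365 code and not part of the original article, that works through steps 2 to 5 on a constructed user export: it groups records by email address, flags addresses that have more than one record (a re-invited guest with a new DirectoryObjectID), and pairs each 'is deleted' record with the single active record as the merge or purge source. The field names Email, DirectoryObjectId and IsDeleted, and the object IDs, are assumptions made for the example, not LMS365's documented export schema.

```python
import json
from collections import defaultdict

# Constructed sample of an LMS365 user export. The field names (Email,
# DirectoryObjectId, IsDeleted) and the object IDs are assumptions for this
# example, not LMS365's documented export format.
SAMPLE_EXPORT = json.dumps([
    {"Email": "Alice.Student@contoso.com", "DirectoryObjectId": "00000000-0000-0000-0000-000000000a01", "IsDeleted": True},
    {"Email": "alice.student@contoso.com", "DirectoryObjectId": "00000000-0000-0000-0000-000000000a02", "IsDeleted": False},
    {"Email": "bob.student@contoso.com",   "DirectoryObjectId": "00000000-0000-0000-0000-000000000b01", "IsDeleted": False},
    {"Email": "carol.student@contoso.com", "DirectoryObjectId": "00000000-0000-0000-0000-000000000c01", "IsDeleted": True},
    {"Email": "carol.student@contoso.com", "DirectoryObjectId": "00000000-0000-0000-0000-000000000c02", "IsDeleted": True},
])


def find_duplicate_learners(export_json):
    """Group exported records by email (case-insensitive) and return only the
    addresses with more than one record, i.e. guests that were re-invited after
    the access review deleted their original AAD guest account."""
    by_email = defaultdict(list)
    for rec in json.loads(export_json):
        by_email[rec["Email"].strip().lower()].append(rec)
    return {email: recs for email, recs in by_email.items() if len(recs) > 1}


def plan_cleanup(duplicates, keep_records=True):
    """For each duplicated address decide the next step: merge the 'is deleted'
    record(s) into the single active record (step 4), purge them when student
    records are not needed (step 5), or flag for manual review when there is no
    single active target (for example, every record for the address is deleted)."""
    plan = []
    for email, recs in sorted(duplicates.items()):
        deleted = [r["DirectoryObjectId"] for r in recs if r["IsDeleted"]]
        active = [r["DirectoryObjectId"] for r in recs if not r["IsDeleted"]]
        if len(active) != 1 or not deleted:
            plan.append({"email": email, "action": "review-manually",
                         "deleted": deleted, "active": active})
            continue
        plan.append({"email": email,
                     "action": "merge" if keep_records else "purge",
                     "source_object_ids": deleted,   # the DirectoryObjectID(s) to merge from or purge
                     "target_object_id": active[0]})  # the new active account
    return plan


if __name__ == "__main__":
    for step in plan_cleanup(find_duplicate_learners(SAMPLE_EXPORT)):
        print(step)
```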