Overview
itopia Labs Roster Sync allows administrators to automatically assign Classes to collections of users defined on third-party platforms, including Google Workspace and Microsoft Azure. When you configure Roster Sync, Labs will periodically connect to your rostering platform and update the students and/or instructors assigned to your Classes.
The Roster Sync configuration is a little different for every platform, but the Labs Admin Portal walks you through it every step of the way. We are regularly adding new platforms to Roster Sync, so let us know if you don't see your preferred platform.
By default, Roster Sync will run once a day between 8PM and 10PM Eastern time (UTC-5). You can perform an instant sync for a specific Class from the Class's Settings view in the Labs Admin Portal (labs-admin.itopia.com).
The following sections provide details on our current Roster Sync platforms, including initial configuration and troubleshooting tips.
Google Workspace
Configuring Roster Sync for Google Workspace enables you to sync your Class assignments to Google groups or Google Classroom rosters. When you enable Roster Sync for Google, Labs will allow you to choose how to assign students and instructors to each Class: G Suite Groups, Google Classrooms, or Direct Assignment. If you choose G Suite Groups or Google Classrooms, you can begin typing the name of a group or Classroom and Labs will search your Google Workspace and provide you with auto-fill options.
To enable Roster Sync for Google Workspace, you will need to configure domain-wide delegation in your Workspace organization. Domain-wide delegation allows a specific service account to authenticate in your organization and have specific scopes of access throughout your Google Workspace environment. You will need to log in to your Workspace organization as a user with the Super Admin role. For more information on scopes, refer to Google's documentation on OAuth 2.0 scopes.
When you configure Roster Sync in the Labs Admin Portal, Labs prepares a dedicated service account for your District and provides you with detailed instructions on enabling domain-wide delegation in your environment. The OAuth 2.0 scopes required by itopia Labs are:
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.groupMember.readonly
https://www.googleapis.com/auth/classroom.courses.readonly
https://www.googleapis.com/auth/classroom.rosters.readonly
https://www.googleapis.com/auth/classroom.profile.emails
Microsoft Azure
Configuring Roster Sync for Microsoft Azure enables you to sync your Class assignments to Azure groups, including unified groups, security groups, and distribution groups. When you enable Roster Sync for Microsoft, Labs will allow you to choose how to assign students and instructors to each Class: Azure Group or Direct Assignment. If you choose Azure Group, you can begin typing the name of a group and Labs will search your Azure domain and provide you with auto-fill options.
To enable Roster Sync for Microsoft Azure, you will need to authorize the Labs service account to access your Azure domain using the Microsoft Graph API. For more information on the Graph API, refer to Microsoft's documentation.
When you configure Roster Sync in the Labs Admin Portal, Labs provides an automated process for requesting the necessary permissions and allowing you to grant access. You will need to sign in to your Azure domain as an account with global administrator permissions in order to grant access on behalf of your organization.
The Graph access scopes required by itopia Labs are:
User.Read.All
Group.Read.All
GroupMember.Read.All
Limitations of Roster Sync with Microsoft Azure
Microsoft Azure groups include a setting called hide group membership; this setting prevents enumerating the members of the group by non-administrators or external service accounts such as that used by itopia Labs. As such, Labs is unable to sync Class assignments to Azure groups that have been configured with the hide group membership setting enabled.
The hide group membership setting is not visible in the Azure web console; you must use the Azure Shell or other API access to check the configuration of this setting. Microsoft does not provide explicit documentation of this setting; however, the setting is discussed briefly in the New-UnifiedGroup cmdlet documentation.
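One way to check this ahead of time through the Graph API, as an added example that is not itopia's or Microsoft's code: it reads a saved response from the Graph groups endpoint and reports which of the groups you plan to use for Roster Sync have hidden membership. It assumes the setting surfaces as the Graph group property visibility with the value HiddenMembership; the sample data, group names and function names are constructed for illustration.

```python
import json

# Constructed sample shaped like a Microsoft Graph response to
# GET /v1.0/groups?$select=displayName,groupTypes,mailEnabled,securityEnabled,visibility
SAMPLE_RESPONSE = json.loads("""
{"value": [
 {"displayName": "Biology 101", "groupTypes": ["Unified"],
  "mailEnabled": true, "securityEnabled": false, "visibility": "Private"},
 {"displayName": "Chemistry 201", "groupTypes": ["Unified"],
  "mailEnabled": true, "securityEnabled": false, "visibility": "HiddenMembership"},
 {"displayName": "Lab Instructors", "groupTypes": [],
  "mailEnabled": false, "securityEnabled": true, "visibility": null},
 {"displayName": "All Staff DL", "groupTypes": [],
  "mailEnabled": true, "securityEnabled": false, "visibility": null}
]}
""")

def group_kind(group):
    """Classify a Graph group object as unified, security or distribution."""
    if "Unified" in (group.get("groupTypes") or []):
        return "unified"
    if group.get("securityEnabled"):
        return "security"
    if group.get("mailEnabled"):
        return "distribution"
    return "unknown"

def roster_sync_report(response, planned_names):
    """Map each planned group name to (kind, status) for a pre-sync review."""
    by_name = {}
    for g in response.get("value", []):
        by_name.setdefault((g.get("displayName") or "").casefold(), []).append(g)
    report = {}
    for name in planned_names:
        matches = by_name.get(name.casefold(), [])
        if not matches:
            report[name] = ("-", "not found")
        elif len(matches) > 1:  # display names are not unique in a tenant
            report[name] = ("-", "ambiguous name")
        else:
            g = matches[0]
            hidden = (g.get("visibility") or "").casefold() == "hiddenmembership"
            report[name] = (group_kind(g), "hidden membership" if hidden else "ok")
    return report

if __name__ == "__main__":
    planned = ["Biology 101", "Chemistry 201", "Lab Instructors", "Physics 301"]
    for name, (kind, status) in roster_sync_report(SAMPLE_RESPONSE, planned).items():
        print(f"{name:16} {kind:13} {status}")
```

Groups reported as "hidden membership" are the ones Labs cannot enumerate; use Direct Assignment or a different group for those Classes.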
ClassLink
itopia Labs supports single sign-on (SSO) and Roster Sync with ClassLink. Administrators can publish itopia Labs into their organization's LaunchPad, and then assign specific Labs to users, classes, or teachers from within the Labs Admin Console.
For more information, please see ClassLink Integration with itopia Labs.