As the title suggests, and the documentation is lacking in guidance...
What are the minimum Azure permissions that are required so that the likes of the automated (scheduled) or manual user matching can succeed?
Our environment: We currently use Moodle 3.6.4 and we have a number of web services that automate user account creation and enrolment onto Moodle courses.
Our web services rely on the "username" as a search criterion when enrolling users. We cannot change this as it is the most appropriate "unique" field given that we use OpenID Connect authentication for users.
Our conundrum is that when a user changes their name we update Azure, we then manually change the user's Moodle profile to be a "manual" authentication (to allow us to update their username) and then revert back to OpenID Connect.
Although this is not the best approach for the plugin - and is the root cause of the fault being experienced - it is something we cannot change.
We have been through the local_o365 plugin settings and can identify two methods of resolution: one manual and one automated (albeit scheduled).
We would like to trial using the CSV import "User matching" of the local_o365 plugin - which, we believe, should allow us to re-connect the amended Moodle profile to the amended Azure account - however the scheduled task ("Process Match Queue") that processes the queues is continually failing.
Execute scheduled task: Process Match Queue (local_o365\task\processmatchqueue)
... used 1 dbqueries
... used 0.32651686668396 seconds
Scheduled task failed: Process Match Queue (local_o365\task\processmatchqueue),Could not get app or system token
We are aware that this relates to a permission on Azure - because we can see in the local_o365 "Verify setup" section that the "Azure AD Application Registration" has an error of "Could not check reply url." and the Microsoft Graph API has an error "Could not get app or system token". The "Could not check reply url." we're unsure of because Moodle and Azure both have the correct reply URL for our environment.
What are the minimum required permissions to enable us to get the User matching process to function correctly?