How to deploy School Data Sync by using PowerSchool Sync

Note: This topic is pre-release documentation and is subject to change in future releases.

PowerSchool is a Student Information System (SIS) provider that integrates with School Data Sync (SDS) and Classroom in Office 365. Using the PowerSchool sync method lets you avoid compiling a set of CSV files and manually extracting the data from the SIS databases.

To set up the integration, you sign in to Office 365 and set up a profile using School Data Sync. Then, based on the information in the profile, Office 365 makes a direct connection to the SIS databases using the REST-based APIs provided by the PowerSchool SIS System.

In this topic:   

Prerequisites

Before you start synchronizing with SDS using CSV Import, read the Overview of School Data Sync and Classroom and make sure you meet the following prerequisites:

  • Your Office 365 tenant must be an Office 365 Education tenant.

  • Synced identities must be licensed for SharePoint Online and Exchange Online. Skype for Business licenses aren't required. Note that OneDrive for Business is provided through the SharePoint Online license.

    If a student or teacher doesn't have the required licenses in Office 365, School Data Sync will still create their profile, but Classroom will not finish provisioning properly for them for any apps they aren't licensed to use.

  • The attributes in your PowerSchool SIS marked for sync must not contain any characters shown in this list of invalid characters.

Note: The data that you provide through School Data Sync may be accessible to third-party application providers through their apps, so you should sync only the data that you want to make available to these third parties.

Before you create the profile to connect to the SIS databases with PowerSchool School Data Sync, you also need to complete the following initial setup.

Install the REST API plug-in for PowerSchool

Before Microsoft School Data Sync can access data from your PowerSchool server, you have to install an application plug-in on the PowerSchool server and obtain OAuth credentials by following these steps.

  1. On your local computer, create an XML plug-in installation file with following content, and save the file as “plugin.xml”.

    <?xml version="1.0" encoding="UTF-8"?>
    <plugin xmlns="http://plugin.powerschool.pearson.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation='http://plugin.powerschool.pearson.com plugin.xsd'
    name="Microsoft School Data Sync"
    version="1.0.0"
    description="Plugin for PowerSchool REST API for Microsoft SDS">
    <oauth></oauth>
    <publisher name="Microsoft Corp.">
    <contact email="sis@microsoft.com" />
    </publisher>
    </plugin>
  2. Sign in to the PowerSchool admin portal website using your System Administrator credentials.

  3. On the start page, choose System from the main menu, then go to System Settings > Plugin Management Configuration > Install.

  4. Enter or select the plug-in installation file you just created (.xml), and then choose Install.

    The plug-in will appear in the Installed Plugins section on the Plugin Management Dashboard page. Make sure the plug-in is enabled. If it is not, choose the Enable option on the Plugin Management Dashboard page.

    On the Plugin Management Dashboard page, make sure that the plugin is enabled.
  5. Choose Data Configuration to view the OAuth credentials that were generated for the plug-in:

    Choose Data Configuration to view the OAuth credentials for the plugin
  6. Record the values for the Client ID and Client Secret so you can enter these credentials when you create your School Information Sync profile.

Make sure the REST endpoints are Internet accessible

Microsoft School Data Sync must be able to reach your school’s PowerSchool server. To make sure the server is accessible, open ports 80 and 443 from the Internet to your PowerSchool server.

To validate that the endpoints are set correctly, check that you can open the PowerSchool server website pages from the Internet. For example, in your browser, go to https://partner12.powerschool.com/public/ and http://partner12.powerschool.com/public/.

Make sure your Office 365 Azure Active Directory is whitelisted

Microsoft School Data Sync is currently in beta testing, so we are providing access to only a limited set of customers. We do this by whitelisting (allowing access for) your school’s Office 365 Azure Active Directory tenant. If your tenant is not already whitelisted, please check with your business or engineering team contact from Microsoft.

About AADConnect deployment warnings

If you are configuring School Data Sync for a tenant which is synchronized from onpremises Active Directory through AADConnect, you may notice an increase in the number of Disconnectors shown in your miisclient. This is a result of Office 365 Group being unable to synchronize back to the AADConnect Metaverse and on-premises Active Directory. These warnings do not have any negative impact on your current AADConnect deployment, and only provide an informational note on the resultant sync failure. You should expect these warnings in AADConnect after enabling sync in SDS, as one Office 365 Group is created for each class synchronized through SDS.

Synchronize your users by using the PowerSchool import method

Watch the video: Deploy School Data Sync

Deploy School Data Sync Video

After you've installed the plug-in and set up access, create a profile in Microsoft School Data Sync to synchronize your users' information. The steps here will work for most scenarios. (There are some more unusual cases which will need different setup steps, so if your situation doesn't work with these steps, check with your Microsoft contact.)

To synchronize your users
  1. In your web browser, go to sds.microsoft.com and then enter the global admin credentials for your Office 365 Education tenant.

  2. If it's your first time logging in and setting up a profile, choose Set up School Data Sync to create your first sync profile.

    Choose Set up SIS Sync

    Or, if you've already completed School Data Sync setup, choose Add Profile to create an additional sync profile.

    Choose Add Profile
  3. Type a profile name in the Enter a name for your profile box.

    Enter a name for your profile
  4. In the Data extraction options section, select PowerSchool API in the Select data source drop-down menu.

    Select PowerSchool API from the Select data source drop-down
  5. In the PowerSchool Connection Details section, enter the appropriate values for your SIS web access URL, client id, and the client secret. Refer to the Prerequisites section of this article for instructions for obtaining the appropriate values.

    Enter information for PowerSchool connection details
  6. After the appropriate values are added, choose Test Connection to validate connectivity to the SIS.

    Choose test connection to validate connectivity
  7. After connectivity to the SIS has been verified, select either Create new users or Sync existing users.

    Choose either Create new users or Sync existing users
    • Create new users Select this option if you are not syncing identities from your on-premises Active Directory, or the users in scope for sync are not created within Azure AD already. This option will create new user accounts for the students and teachers in PowerSchool, in scope for this sync profile. The scope of users from the SIS will be determined on the following page.

    • Sync existing users Select this option if you are syncing identities from your on-premises Active Directory, or the users in scope for sync are already created in Azure AD. This option will not create new user accounts for students and teachers in PowerSchool, in scope for this sync profile. The scope of users from the SIS will be determined on the following page.

  8. If you selected the Create new users option, skip this step. If you selected the Sync existing users option, select the appropriate Students and Teachers Identity match options from the available drop-down menu. This is where you must define how to match students and teachers in PowerSchool to the user account in Azure AD.

    • Identity matching options - Students

      Identity matching options for students

      Select source property This drop-down menu allows you to select the source property within PowerSchool to be used for identity matching. Watch the Identity Matching video to review how source, target, and append domain matching logic works, to help determine the appropriate value to select.

      • Secondary Email Optional attribute field which can be included for sync and may also be used for identity matching. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com).

      • Student Number Optional attribute field which can be included for sync and also may be used for identity matching. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters (for example, 1234567).

      • Username Required attribute field which must be included for sync and can be used for identity matching. The appropriate formatting for this attribute is either a string of alphanumeric characters with no spaces or invalid special characters (for example, JohnSmith), or could also be included as a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix. (for example, JohnSmith@contoso.com).

      Select suffix This drop-down menu allows you to append a domain suffix to the source property in PowerSchool, if needed to complete your identity matching plan. It will not actually modify the source value in PowerSchool, just append the value being attempted during the SDS match process. This menu also allows you to select the No Suffix Needed option if the source attribute already contains the required domain suffix (for example, Username with domain suffix included) or the target attribute value does not include a domain suffix (for example, mailNickname). Each domain added to the Office 365 tenant will be displayed in the drop-down menu as an available choice, in addition to the No Suffix Needed option previously mentioned. Watch the Identity Matching video to review how source, target, and append domain matching logic works, to help determine the appropriate value to select.

      Select target property This drop-down menu allows you to select the target property within Azure AD to be used for identity matching.

      • UserPrincipalName Logon name for the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com).

      • Mail PrimarySMTPAddress of the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com). While it is suggested, this attribute is not always the same as the UserPrincipalName attribute.

      • mailNickname xchange Alias of the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters (for example, 1234567). While it is recommended, this value is not always unique, so be cautious in selecting this attribute for identity matching and ensure you are always matching to a unique target value.

      Student identity matching matrix:

      In order to match source and target identities, you must select one value from the three choices available in the Select Source drop-down menu, and then define which of the three available target attributes in the Select Target drop-down menu will be an exact match. It is also possible that the source attribute only matches a portion of the target attribute, and requires a domain suffix to be appended to complete the matching logic (for example, JohnSmith source attribute + @contoso.com domain suffix = a match with JohnSmith@contoso.com target attribute).

      For various examples of matching logic success and failure for sync, watch the Identity Matching video.

    • Identity matching options - Teachers

      Identity matching options for teachers drop-down

      Select source property This drop-down menu allows you to select the source property within PowerSchool to be used for identity matching. Watch the Identity Matching video to review how source, target, and append domain matching logic works, to help determine the appropriate value to select.

      • Secondary Email Optional attribute field which can be included for sync and may also be used for identity matching. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com).

      • Teacher Number Optional attribute field which can be included for sync and also may be used for identity matching. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters (for example, 1234567).

      • Username Required attribute field which must be included for sync and can be used for identity matching. The appropriate formatting for this attribute is either a string of alphanumeric characters with no spaces or invalid special characters (for example, JohnSmith), or could also be included as a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix. (for example, JohnSmith@contoso.com).

      Select suffix This drop-down menu allows you to append a domain suffix to the source property contained within PowerSchool, if needed to complete your identity matching plan. It will not actually modify the source value in PowerSchool, just append the value being attempted during the SDS match process. This menu also allows you to select the No Suffix Needed option if the source attribute already contains the required domain suffix (for example, Username with domain suffix included) or the target attribute value does not include a domain suffix (for example, mailNickname). Each domain added to the Office 365 tenant will be displayed in the dropdown menu as an available choice, in addition to the No Suffix Needed option previously mentioned. Watch the Identity Matching video to review how source, target, and append domain matching logic works, to help determine the appropriate value to select.

      Select target property This dropdown menu allows you to select the target property within Azure AD to be used for identity matching. Watch the Identity Matching video to review how source, target, and append suffix matching logic works, to help determine the appropriate value to select.

      • UserPrincipalName The logon name for the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com).

      • Mail PrimarySMTPAddress of the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com). While it is suggested, this attribute is not always the same as the UserPrincipalName attribute.

      • mailNickname Exchange Alias of the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters (for example, 1234567). While it is recommended, this value is not always unique, so be cautious in selecting this attribute for identity matching and ensure you are always matching to a unique target value.

      Teacher identity matching matrix:

      In order to match source and target identities, you must select one value from the three choices available in the Select Source drop-down menu, and then define which of the three available target attributes in the Select Target drop-down menu will be an exact match. It is also possible that the source attribute only matches a portion of the target attribute, and requires a domain suffix to be appended to complete the matching logic (for example, JohnSmith source attribute + @contoso.com domain suffix = a match with JohnSmith@contoso.com target attribute). Watch the Identity Matching video for various examples of matching logic success and failure for sync.

  9. After the Profile Name, Data Extraction Options, and Identity Matching Options are set in place, choose Next.

  10. On the Directory options page, select the appropriate domain for each drop-down list available. If you selected the Sync existing users option in step 7, you will only need to select the appropriate domain for Schools and Sections, since all existing students and teachers already have domains associated with their respective user accounts. This domain will be used as the domain suffix for the Office 365 Group created for each section, unless policy is in place to override this domain setting.

    Directory options when syncing existing users

    If you selected the Create new users option in step 7, you will need to select the appropriate domain for Schools and Sections, in addition to a domain for teachers, and a domain for students, as shown below. This domain will be used as the domain suffix for the user account created by SDS, for each user included in the student and teacher csv files.

    Only one domain can be entered for teachers, and one domain for students within a single sync profile. If you have objects of those types which must be spread across multiple domains, you'll have to create a separate profile for each set of users (onesync profile per domain).

    Directory options when syncing new users
  11. If you selected the Create new users option in step 7, you also must select the appropriate SKU to assign to each of the newly created Teachers and Students using the drop-down menus shown below. Each available SKU in your Office 365 tenant will be present in the list. After each user type is selected, choose Next.

    Select the Office 365 SKU assigned to teachers and students
  12. On the Options to Sync page, select the school year you want to sync using this profile by choosing it within the Select school year dropdown menu.

    Screenshot of select school year to sync in School Data Sync

    Tip: Note: You may only select one school year per sync profile, and that school year will start syncing immediately once the profile is enabled for sync, regardless of the start date configured in PowerSchool for that school year. If you want to sync more than one school year, multiple sync profiles are required. To pre-stage a school year, before the current year ends, create a new sync profile with the next school year selected ahead of the school year start date, and delete the profile for the previous school year if/when you are ready to remove last year’s objects from the sync scope.

  13. On the Options to Sync page, select the schools you want to sync using this profile under the Select schools to sync section.

    Select the names of the schools you want to sync
  14. Under the Select properties to sync section, select any optional attributes you would like to sync for each of the various object types. The required attributes are already selected by default under each object type. After you’ve added in any optional attribute you want to sync to Azure, choose Next.

    Select optional proprties to sync to Azure AD
  15. On the Summary page, choose Submit to create the profile.

    The sync process does some data validation before creating the profile. If there are any errors, you'll have to correct them and then wait for the next sync cycle. Sync cycles run every 10 minutes.

  16. After the sync profile is created, select the Enable Sync option to begin syncing the PowerSchool source data to Azure AD.

After all user identities have been synced successfully for the profile, Profile Status changes to Success. If you need to create more profiles, for example, if you have users set up with different domains, repeat these steps for each profile.

Video: How to match source and target attributes for sync

For various examples of matching logic success and failure for sync, watch the Identity Matching video:

Identity Matric Matching video

SIS data in Office 365 will change when synced

After you complete the first SIS sync, data in your Office 365 SIS will be changed, based on the synced information. Changes might be related to a student, teacher, section, or any of the other attributes and objects types set up with School Data Sync. Changes may happen on a daily basis. To make sure changes in the SIS are reflected in School Data Sync and Classroom, data must be updated through the sync process.

All additions are processed and updates made whenever there is a sync, but deletions and certain changes do not occur automatically. This includes the following:

  • If a student is removed from a class in the SIS, the student is also removed from the class Unified Group in Classroom.

  • If a teacher is removed from a class, no change occurs in Classroom.

  • If a new teacher is added to a class, that teacher becomes the group owner, and that teacher is allowed to remove the other teacher, if needed.

  • If a student is deleted in the SIS, the sync does not delete the Azure Active Directory account for that student.

  • If a student is deleted in the SIS, the sync does not remove the student from the School’s Azure Active Directory.

  • If classes or schools are deleted in the SIS or removed from the sync profile, the sync does not delete the Class or School group in Azure Active Directory.

If you are syncing directly through PowerSchool SIS, changes are synced automatically on a continuous basis. All you need to do is update the data in your SIS and validate that changes are synced during the next sync cycle, with the exception of the deletes and changes mentioned in the previous list. Currently, PowerSchool sync occurs repeatedly. That is, after one sync completes, the next starts immediately and looks for any changes to sync.

Switching between sync methods

While you can successfully migrate from one sync method to another, we recommend maintaining the sync method initially deployed indefinitely, due to the difficulty associated with maintaining source anchor values through the switch between sync methods. A source anchor is the attribute SDS uses to identify a synced object in both the source and target directory after the initial sync. This source anchor must always be unique, and must never be changed throughout the lifetime of the synced object.

When an organization enables sync, there are 5 objects types that synchronize through School Data Sync. SDS synchronizes Schools, Sections, Students, Teachers, and Rosters. Once an object is successfully synchronized, SDS must keep the object in sync, to continue to synchronize object attribute level updates from the source directory (CSV, Clever, or PowerSchool) to the target directory (Azure AD). The objects types and their corresponding source anchor attributes are detailed below:

Object Type

Source Anchor Attribute (PowerSchool)

Source Anchor Attribute (Clever)

Source Anchor Attribute (CSV)

School

SIS ID

Clever ID

SIS ID

Section

SIS ID

Clever ID

SIS ID

Teacher

SIS ID

Clever ID

SIS ID

Student

SIS ID

Clever ID

SIS ID

Roster

SIS ID (Section) and SIS ID (User)

Clever ID (Section) and Clever ID (User)

Section SIS ID and SIS ID (User)

Once the source anchor is established upon the initial sync, it cannot be changed for the lifetime of the object. This concept is critical if you are considering switching between sync methods. When transitioning from one SDS sync method to another, the source anchor value must always be persisted, to continue to sync each object under the new sync method. Any deviation or change from the original source anchor value will result in objects failing to sync, and the resultant impact is users are unable to access Microsoft Classroom services dependent upon sync.

Transitioning from Clever Sync or PowerSchool Sync to the CSV File method is generally more feasible, as you can manually manipulate the CSV values for each source anchor attribute, to facilitate the transition. Migrating from CSV Sync to PowerSchool or Clever sync method however is generally much more difficult, as the source anchor attributes in these systems cannot be managed or manipulated to accommodate sync and the source anchor attribute persistence required for SDS to keep syncing objects after the switch.

See Also

Overview of School Data Sync and Classroom

School Data Sync Required Attributes for PowerSchool Sync

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×