How to deploy School Data Sync by using PowerSchool Sync

Note: PowerSchool is a Student Information System (SIS) provider that integrates with School Data Sync (SDS) and Classroom in Office 365. Using the PowerSchool sync method lets you avoid compiling a set of CSV files and manually extracting the data from the SIS database.

To set up the integration, sign in to Office 365 and set up a sync profile using School Data Sync. Office 365 will make a direct connection to the SIS databases using the REST-based APIs provided by the PowerSchool.

In this topic:   

Prerequisites

Before you start synchronizing with SDS using the PowerSchool Sync method, , read the Overview of School Data Sync and Classroom and make sure you meet the following prerequisites:

  • An Office 365 for Education tenant.

  • Global Admin Permissions

  • The attributes in your PowerSchool SIS selected in the sync profile must not contain any characters shown in this list of invalid characters.

Note: Note: The data that you provide through School Data Sync may be accessible to third-party application providers through their apps, so you should sync only the data that you want to make available to these third parties.

Before you create the sync profile to connect to the PowerSchool SIS , you also need to complete the following initial setup.

Install the REST API plug-in for PowerSchool

Before Microsoft School Data Sync can access data from your PowerSchool server, you have to install an application plug-in on the PowerSchool server and obtain OAuth credentials by following these steps.

  1. On your local computer, create an XML plug-in installation file with following content, and save the file as “plugin.xml”.

    <?xml version="1.0" encoding="UTF-8"?>
     
    <plugin xmlns="http://plugin.powerschool.pearson.com" 
    
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    
            xsi:schemaLocation='http://plugin.powerschool.pearson.com plugin.xsd' 
    
            name="Microsoft School Data Sync" 
    
            version="1.0.0" 
    
            description="Plugin for PowerSchool REST API for Microsoft SDS"> 
    
        <oauth></oauth> 
    
        <publisher name="Microsoft Corp."> 
    
            <contact email="sis@microsoft.com" /> 
    
        </publisher>  
    
    </plugin> 
    
  2. Sign in to the PowerSchool admin portal website using your System Administrator credentials.

  3. On the start page, choose System from the main menu, then go to System Settings > Plugin Management Configuration > Install.

  4. Enter or select the plug-in installation file you just created (.xml), and then choose Install.

    The plug-in will appear in the Installed Plugins section on the Plugin Management Dashboard page. Make sure the plug-in is enabled. If it is not, choose the Enable option on the Plugin Management Dashboard page.

    On the Plugin Management Dashboard page, make sure that the plugin is enabled.
  5. Choose Data Configuration to view the OAuth credentials that were generated for the plug-in:

    Choose Data Configuration to view the OAuth credentials for the plugin
  6. Record the values for the Client ID andClient Secret so you can enter these credentials when you create your School Information Sync profile.

Make sure the REST endpoints are Internetaccessible

Microsoft School Data Sync must be able to reach your school’s PowerSchool server. To make sure the server is accessible, open ports 80 and 443 from the Internet to your PowerSchool server.

To validate that the endpoints are set correctly, check that you can open the PowerSchool server website pages from the Internet. For example, in your browser, go to https://partner12.powerschool.com/public/ and http://partner12.powerschool.com/public/.

About AADConnect deployment warnings

If you are configuring School Data Sync for a tenant which is synchronized from onpremises Active Directory through AADConnect, you may notice an increase in the number of Disconnectors shown in your miisclient. This is a result of Office 365 Group being unable to synchronize back to the AADConnect Metaverse and on-premises Active Directory. These warnings do not have any negative impact on your current AADConnect deployment, and only provide an informational note on the resultant sync failure. You should expect these warnings in AADConnect after enabling sync in SDS, as one Office 365 Group is created for each class synchronized through SDS.

Synchronize your users by using the PowerSchool syncmethod

Watch the video: Deploy School Data Sync

Deploy School Data Sync Video

After you've installed the plug-in and set up access, create a profile in Microsoft School Data Sync to synchronize your users' information. The steps here will work for most scenarios. (There are some more unusual cases which will need different setup steps, so if your situation doesn't work with these steps, check with your Microsoft contact.)

To synchronize your users
  1. In your web browser, go to sds.microsoft.com and then enter the global admin credentials for your Office 365 Education tenant.

  2. If it's your first time logging in and setting up a profile, you must choose to enable/disable SDS and Microsoft Classroom. To enable School Data Sync and proceed with the setup, toggle the School Data Sync switch on the On position.

    After you've enabled School Data Sync, choose Add Profile to create an SDS Sync Profile and begin syncing data from your SIS.

  3. Type a profile name in the Enter a name for your profile box.

  4. In the Data extraction section, select PowerSchool API in the Select data source drop-down menu.

  5. In the PowerSchool Connection Details section, enter the appropriate values for your SIS web access URL, client id, and the client secret. Refer to the Prerequisites section of this article for instructions for obtaining the appropriate values.

  6. After the appropriate values are added, choose Test Connection to validate connectivity to the SIS.

  7. In the Data Extraction section, select either Create new users or Sync existing users.

    • Create new users Select this option if you are not syncing identities from your on-premises Active Directory, or the users in scope for sync are not created within Azure Active Directory already. This option will create new user accounts for users within the PowerSchool SIS.

    • Sync existing users Select this option if you are syncing identities from your on-premises Active Directory, or the users in scope for sync are already created in Azure AD. This option will not create new user accounts for users within the students and teacher PowerSchool SIS.

  8. If you selected the Create new users option, skip this step. If you selected the Sync existing users option, select the appropriate Students and Teachers Identity match options from the available drop-down menu. This is where you must define how to match students and teachers in PowerSchool to the user account in Azure AD.

    • Identity matching options - Students

      Select source propertyThis drop-down menu allows you to select the source property within PowerSchool to be used for identity matching. Watch the Identity Matching video to review how source, target, and append domain matching logic works, to help determine the appropriate value to select.

      Select suffixThis drop-down menu allows you to append a domain suffix to the source property in PowerSchool, if needed to complete your identity matching plan. It will not actually modify the source value in PowerSchool, just append the value being attempted during the SDS match process. This menu also allows you to select the No Suffix Needed option if the source attribute already contains the required domain suffix (for example, Username with domain suffix included) or the target attribute value does not include a domain suffix (for example, mailNickname). Each domain added to the Office 365 tenant will be displayed in the drop-down menu as an available choice, in addition to the No Suffix Needed option previously mentioned. Watch the Identity Matching video to review how source, target, and append domain matching logic works, to help determine the appropriate value to select.

      Select target propertyThis drop-down menu allows you to select the target property within Azure AD to be used for identity matching.

      Student identity matching matrix:

      In order to match source and target identities, you must select one value from the three choices available in the Select Source drop-down menu, and then define which of the three available target attributes in the Select Target drop-down menu will be an exact match. It is also possible that the source attribute only matches a portion of the target attribute, and requires a domain suffix to be appended to complete the matching logic (for example, JohnSmith source attribute + @contoso.com domain suffix = a match with JohnSmith@contoso.com target attribute).

      For various examples of matching logic success and failure for sync, watch the Identity Matching video.

      • Secondary EmailOptional attribute field which can be included for sync and may also be used for identity matching. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com).

      • Student NumberOptional attribute field which can be included for sync and also may be used for identity matching. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters (for example, 1234567).

      • UsernameRequired attribute field which must be included for sync and can be used for identity matching. The appropriate formatting for this attribute is either a string of alphanumeric characters with no spaces or invalid special characters (for example, JohnSmith), or could also be included as a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix. (for example, JohnSmith@contoso.com).

      • UserPrincipalNameLogon name for the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com).

      • Mail PrimarySMTPAddress of the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com). While it is suggested, this attribute is not always the same as the UserPrincipalName attribute.

      • mailNicknamexchange Alias of the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters (for example, 1234567). While it is recommended, this value is not always unique, so be cautious in selecting this attribute for identity matching and ensure you are always matching to a unique target value.

    • Identity matching options - Teachers

      Select source propertyThis drop-down menu allows you to select the source property within PowerSchool to be used for identity matching. Watch the Identity Matching video to review how source, target, and append domain matching logic works, to help determine the appropriate value to select.

      Select suffixThis drop-down menu allows you to append a domain suffix to the source property contained within PowerSchool, if needed to complete your identity matching plan. It will not actually modify the source value in PowerSchool, just append the value being attempted during the SDS match process. This menu also allows you to select the No Suffix Needed option if the source attribute already contains the required domain suffix (for example, Username with domain suffix included) or the target attribute value does not include a domain suffix (for example, mailNickname). Each domain added to the Office 365 tenant will be displayed in the dropdown menu as an available choice, in addition to the No Suffix Needed option previously mentioned. Watch the Identity Matching video to review how source, target, and append domain matching logic works, to help determine the appropriate value to select.

      Select target propertyThis dropdown menu allows you to select the target property within Azure AD to be used for identity matching. Watch the Identity Matching video to review how source, target, and append suffix matching logic works, to help determine the appropriate value to select.

      Teacher identity matching matrix:

      In order to match source and target identities, you must select one value from the three choices available in the Select Source drop-down menu, and then define which of the three available target attributes in the Select Target drop-down menu will be an exact match. It is also possible that the source attribute only matches a portion of the target attribute, and requires a domain suffix to be appended to complete the matching logic (for example, JohnSmith source attribute + @contoso.com domain suffix = a match with JohnSmith@contoso.com target attribute). Watch the Identity Matching video for various examples of matching logic success and failure for sync.

      • Secondary EmailOptional attribute field which can be included for sync and may also be used for identity matching. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com).

      • Teacher NumberOptional attribute field which can be included for sync and also may be used for identity matching. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters (for example, 1234567).

      • UsernameRequired attribute field which must be included for sync and can be used for identity matching. The appropriate formatting for this attribute is either a string of alphanumeric characters with no spaces or invalid special characters (for example, JohnSmith), or could also be included as a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix. (for example, JohnSmith@contoso.com).

      • UserPrincipalNameThe logon name for the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com).

      • MailPrimarySMTPAddress of the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters, followed by an @ symbol, followed by a domain suffix (for example, JohnSmith@contoso.com). While it is suggested, this attribute is not always the same as the UserPrincipalName attribute.

      • mailNicknameExchange Alias of the user. The appropriate formatting for this attribute is a string of alphanumeric characters with no spaces or invalid special characters (for example, 1234567). While it is recommended, this value is not always unique, so be cautious in selecting this attribute for identity matching and ensure you are always matching to a unique target value.

  9. After the Profile Name, Data Extraction Options, and Identity Matching Options are set in place, choose Next.

  10. On the Directory options page, select the appropriate domain for each drop-down list available. If you selected the Sync existing users option in step 7, you will only need to select the appropriate domain for Schools and Sections, since all existing students and teachers already have domains associated with their respective user accounts. This domain will be used as the domain suffix for the Office 365 Group created for each section, unless policy is in place to override this domain setting. You may also assign Classroom licenses to all users within the scope of sync, by checking the Assign Microsoft Classroom licenses checkbox. If you would like to allow SDS to maintain control of the Section/Group display names in O365, do not select the Sync option for Section Group Display Name checkbox. If you prefer that SDS create the group's Display Name based on the initial SDS sync, but allow the teachers to overwrite and maintain a custom display name after the first sync completes, check the second checkbox. 

    If you selected the Create new users option in step 7, you will need to select the appropriate domain for Schools and Sections, in addition to a domain for teachers, and a domain for students, as shown below. This domain will be used as the domain suffix for the user account created by SDS, for each student and teacher in scope for creation sync.

    Only one domain can be entered for teachers, and one domain for students within a single sync profile. If you have objects of those types which must be spread across multiple domains, you'll have to create a separate profile for each set of users (onesync profile per domain).

  11. If you selected the Create new users option in step 7, you also must select the appropriate SKU to assign to each of the newly created Teachers and Students using the drop-down menus shown below. Each available SKU in your Office 365 tenant will be present in the list. You can also choose to license each of these users for Classroom, by checking the checkbox shown below. After you've completed this section of the setup wizard, choose Next.

  12. On the Options to Sync page, select the school year you want to sync using this profile by choosing it within the Select school year dropdown menu.

    Screenshot of select school year to sync in School Data Sync

    Tip: Note: You may only select one school year per sync profile, and that school year will start syncing immediately once the profile is enabled for sync, regardless of the start date configured in PowerSchool for that school year. If you want to sync more than one school year, multiple sync profiles are required. To pre-stage a school year, before the current year ends, create a new sync profile with the next school year selected ahead of the school year start date, and delete the profile for the previous school year if/when you are ready to remove last year’s objects from the sync scope.

  13. In On the Select schools to sync menu, select the schools from your PowerSchool SIS you want to sync under this profile

  14. Under the Select properties to sync section, select any optional attributes you would like to sync for each of the various object types. The required attributes are already selected by default under each object type. After you’ve added in any optional attribute you want to sync to Azure, choose Next.

  15. On the Summary page, choose Submit to create the profile.

    The sync process does some data validation before creating the profile. If there are any errors, you'll have to correct them and then wait for the next sync cycle. Sync cycles run every 10 minutes.

  16. After the sync profile is created, select the Start Sync option to begin syncing the PowerSchool source data to Azure AD.

After all user identities have been synced successfully for the profile, Profile Status changes to Success. If you need to create more profiles, for example, if you have users set up with different domains, repeat these steps for each profile.

Video: How to match source and target attributes for sync

For various examples of matching logic success and failure for sync, watch the Identity Matching video:

Identity Matric Matching video

SIS data in Office 365 will change when synced

After you complete the first SIS sync, data in your Office 365 SIS will be changed, based on the synced information. Changes might be related to a student, teacher, section, or any of the other attributes and objects types set up with School Data Sync. Changes may happen on a daily basis. To make sure changes in the SIS are reflected in School Data Sync and Classroom, data must be updated through the sync process.

All additions are processed and updates made whenever there is a sync, but deletions and certain changes do not occur automatically. This includes the following:

  • If a student is removed from a class in the SIS, the student is also removed from the class Unified Group in Classroom.

  • If a teacher is removed from a class, no change occurs in Classroom.

  • If a new teacher is added to a class, that teacher becomes the group owner, and that teacher is allowed to remove the other teacher, if needed.

  • If a student is deleted in the SIS, the sync does not delete the Azure Active Directory account for that student.

  • If a student is deleted in the SIS, the sync does not remove the student from the School’s Azure Active Directory.

  • If classes or schools are deleted in the SIS or removed from the sync profile, the sync does not delete the Class or School group in Azure Active Directory.

If you are syncing directly through PowerSchool SIS, changes are synced automatically on a continuous basis. All you need to do is update the data in your SIS and validate that changes are synced during the next sync cycle, with the exception of the deletes and changes mentioned in the previous list. Currently, PowerSchool sync occurs repeatedly. That is, after one sync completes, the next starts immediately and looks for any changes to sync.

Switching between sync methods

While you can successfully migrate from one sync method to another, we recommend maintaining the sync method initially deployed indefinitely, due to the difficulty associated with maintaining source anchor values through the switch between sync methods. A source anchor is the attribute SDS uses to identify a synced object in both the source and target directory after the initial sync. This source anchor must always be unique, and must never be changed throughout the lifetime of the synced object.

When an organization enables sync, there are 5 objects types that synchronize through School Data Sync. SDS synchronizes Schools, Sections, Students, Teachers, and Rosters. Once an object is successfully synchronized, SDS must keep the object in sync, to continue to synchronize object attribute level updates from the source directory (CSV, Clever, or PowerSchool) to the target directory (Azure AD). The objects types and their corresponding source anchor attributes are detailed below:

Object Type

Source Anchor Attribute (PowerSchool)

Source Anchor Attribute (Clever)

Source Anchor Attribute (CSV)

School

SIS ID

Clever ID

SIS ID

Section

SIS ID

Clever ID

SIS ID

Teacher

SIS ID

Clever ID

SIS ID

Student

SIS ID

Clever ID

SIS ID

Roster

SIS ID (Section) and SIS ID (User)

Clever ID (Section) and Clever ID (User)

Section SIS ID and SIS ID (User)

Once the source anchor is established upon the initial sync, only certain objects can update their source anchor, while others cannot be changed. This concept is critical if you are considering switching between sync methods.

When transitioning from one SDS sync method to another, the source anchor values for Schools and Sections must always be persisted, to continue to sync each object under the new sync method. Any deviation or change from the original source anchor value will result in objects failing to sync. If the source anchor attribute values are not identical through the switch, the only way to transition from one sync method to the other is to delete the object in Azure AD and then recreate it under the new sync profile, using the new sync method.

When transitioning from one SDS sync method to another, the source anchor values for Students and Teachers can be updated during the switch, on if the user objects is not created through SDS sync, and maintains the identity matching values associated with the previous sync method. For example, if the original sync profile matched the identity for student using the username = userprincipalname matching logic, this same matching logic must be included under the new sync profile and result in an identity match under the new sync profile. Any deviation from the original identity matching logic may result in the sync failure and subsequent failure to update the source anchor value for that respective object.

Finally, when transitioning across sync methods when the new sync method is a CSV file, you must also update the student and teacher SIS ID values in the studentenrollment.csv and teacherroster.csv to reflect the correct SIS ID values of those respective object, if they have changed from the original Sis ID/Clever ID value set under the previous sync profile.

 

See Also

Overview of School Data Sync and Classroom

School Data Sync Required Attributes for PowerSchool Sync

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×