A Microsoft Graph Integration is a scheduled (nightly) connection between BrainStorm and your organization's Microsoft Entra ID (Azure AD / M365) directory. This integration can be used to manage users and groups. It can also be used to track usage data, which can then be used with External Triggers to tailor courses that target specific skills and users.

If your organization uses Microsoft Entra ID (formerly Azure Active Directory) for directory management, we recommend using the Microsoft Graph integration to manage your BrainStorm users. At this time, the Microsoft Graph integration can add new users to BrainStorm and merge changes made to existing users. Users removed from your directory are not automatically removed from BrainStorm.

The Microsoft Graph Integration matches BrainStorm users on email address rather than on User Principal Name (UPN). If a user's UPN and email address differ, make sure the SSO attribute mappings in BrainStorm are configured to use the email address rather than the UPN, so that the identity presented at SSO login is the same one the sync created. For more information, see Azure AD Attribute Mappings for SSO.

After setting up a Microsoft Graph Integration, users will be imported overnight (US Time Zone). After the initial import, changes to your organization's active directory will automatically merge with BrainStorm each night.

Microsoft Graph Setup

A Microsoft Global Admin, who can grant tenant-wide consent to the requested permissions, needs to complete these steps. This administrator also needs a BrainStorm account with the administrator role.

  1. Click the account settings icon at the bottom left from the left sidebar, then select Integrations
  2. Click Add Integration, select the desired configuration settings (see table below for descriptions), then click Save Changes at the bottom of the page. Note: Each time you enable or disable the Licenses feature, you must re-authenticate with your organization's global admin account, because the set of permissions BrainStorm requests changes.
    Setting                    Description
    Users                      If enabled, imports user data (name, job title, department, etc.) into the BrainStorm platform.
    Licensed Users             Imports only user accounts that have been issued an M365 license (any license type).
    All                        Imports every account Graph returns. This may include service accounts.
    Licenses                   If enabled, activates Microsoft licensing data and enables automatic group enrollment based on license type.
    Usage                      If enabled, activates application usage data.
    Make Active When Finished  If enabled, the integration is active and syncs daily. If disabled, synchronizing with the BrainStorm platform is paused.

  3. A Microsoft dialog will allow you to sign in to Microsoft to approve access and enable this integration. To view permission details and what you authorize with BrainStorm, see Microsoft Graph Permissions. Once you have approved the integration, you'll be directed to the next step.
  4. Click Accept.
  5. You may email users to notify them that they've been added to the BrainStorm platform. Select the option to Notify recipient(s) once synced using the toggle. After initial sync, if additional users are added in future nightly syncs, they will be sent an email if the Notify recipient(s) once synced toggle is on.  A template email is available below for you to modify. See the Emails article for more information on creating/editing email templates. Click Notify & Finish. 
  6. Return to the Integrations screen to view the status. Users and user data will be available within 24 hours. You can return to this screen at any time to view the Last Sync Date for the integration.

Microsoft Graph Permissions

Microsoft Global Admin Permissions

When you sign in to Microsoft as a global admin, you are signing in to a dialog generated by Microsoft, where you verify your identity with Microsoft. Your global admin credentials are visible only to Microsoft; BrainStorm never receives them. What BrainStorm receives from the sign-in is an authorization token that is used to set up the integration.

BrainStorm Permissions with Microsoft Graph

After the global admin successfully signs in, Microsoft generates a dialog listing the permissions requested by BrainStorm. This dialog lets you review the requested permissions and confirm that you want to grant them. Once you accept, consent is recorded for your tenant and BrainStorm can access Microsoft Graph data.

Note: The consent dialog also lists "Sign in and read user profile" (the delegated User.Read permission used for the admin's own sign-in to the dialog). That entry does not give BrainStorm an ongoing ability to read user profiles; the integration's data access comes only from the application permissions listed in the Microsoft Graph Application Permission Table below.


Application Permissions with Microsoft Graph

The Microsoft Graph Integration uses Application Permissions (app-only access granted to BrainStorm's own app registration) rather than delegated permissions that act on behalf of the global admin. Only the Application Permissions are used to connect and read data; the global admin's own permissions are not used after consent has been granted. If you would like more information, see Microsoft's Application Permissions documentation.

What user information does BrainStorm sync with Microsoft Graph?

The following fields are synced with BrainStorm automatically:

First Name
Last Name
Email (see IMPORTANT below for exceptions)
Department
Job Title
Country


IMPORTANT: When a user is first synced, all user information is imported into BrainStorm. After the initial import, all changes made within Microsoft Entra are synced nightly, with the exception of Email. Because email is the key the sync matches on, a user's email address is not updated in BrainStorm during a sync: if you change the email address in Microsoft Entra, the next sync creates a new BrainStorm user and the old one remains. We recommend updating the BrainStorm email address at the same time you update it in Microsoft Entra so that you do not end up with duplicate users in BrainStorm.


What data does Microsoft Graph send to BrainStorm?

A Microsoft Graph integration provides a gateway to the data and intelligence available for your organization. BrainStorm will receive the following information from Microsoft when a Graph integration is used.

User Information

Email address
First name
Last name
Department
Job title
M365 License type
Country
Office location
Reports to
Hire date
Create date


Data Usage for Microsoft Applications

Teams 
 Number of licenses
 Number of private chat instant messages (IMs)
 Number of team chat instant messages (IMs)
 Number of meetings
 Number of calls
OneDrive 
 Number of licenses
 Number of files synced
 Number of files viewed/edited
 Number of files shared internally
Exchange 
 Number of licenses
 Number of emails sent
 Number of emails received
 Number of emails read
SharePoint 
 Number of licenses
 Number of files viewed/edited
 Number of files shared internally
 Number of pages viewed
Skype 
 Number of licenses
 Number of instant messages (IMs) peer to peer
 Number of conferences organized
 Number of conferences attended
Yammer 
 Number of licenses
 Number of posts read
 Number of likes
 Number of posts


Does removing a user from Microsoft Entra remove that user from BrainStorm?

Currently, users removed from Microsoft Entra (and therefore no longer returned by Microsoft Graph) are not removed from BrainStorm. If a user has been removed from your directory, you need to remove them from BrainStorm manually, so plan a periodic check for accounts that exist in BrainStorm but no longer exist in your tenant.
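Because the sync never deletes accounts and, as noted under "What user information does BrainStorm sync", an email change in Microsoft Entra creates a second BrainStorm user rather than updating the first, an administrator needs a way to find stale BrainStorm accounts. The script below is an added example and is not BrainStorm's own tooling. It assumes a CSV export of BrainStorm users with an Email column (the file name and column name are assumptions) and uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules) to compare that export against live and soft-deleted users in the tenant.

```powershell
# Added example, not BrainStorm's own tooling: list BrainStorm accounts whose Microsoft Entra
# user is disabled, soft-deleted, or gone. The CSV path and its 'Email' column are assumptions.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$brainstorm = Import-Csv -Path .\brainstorm-users.csv

# Live directory users keyed by lower-cased mail address (the attribute the sync matches on).
$live = @{}
Get-MgUser -All -Property Mail,UserPrincipalName,AccountEnabled | ForEach-Object {
    if ($_.Mail) { $live[$_.Mail.ToLowerInvariant()] = $_ }
}

# Users in the Entra recycle bin (30-day soft delete) still carry their old mail address.
$deleted = @{}
Get-MgDirectoryDeletedItemAsUser -All -Property Mail,DeletedDateTime | ForEach-Object {
    if ($_.Mail) { $deleted[$_.Mail.ToLowerInvariant()] = $_ }
}

$orphans = foreach ($row in $brainstorm) {
    $key = ([string]$row.Email).ToLowerInvariant()
    if (-not $key) { continue }

    if ($live.ContainsKey($key)) {
        # Present in Entra; only worth reporting if sign-in is blocked.
        if (-not $live[$key].AccountEnabled) {
            [pscustomobject]@{ Email = $row.Email; Status = 'sign-in blocked in Entra' }
        }
        continue
    }

    $status = if ($deleted.ContainsKey($key)) {
        "soft-deleted in Entra on $($deleted[$key].DeletedDateTime)"
    } else {
        # Either permanently deleted, or the mail address was changed in Entra, in which
        # case the sync has already created a second BrainStorm user under the new address.
        'not found in Entra (permanently deleted or email changed)'
    }
    [pscustomobject]@{ Email = $row.Email; Status = $status }
}

$orphans | Sort-Object Status, Email | Format-Table -AutoSize
$orphans | Export-Csv -Path .\brainstorm-orphans.csv -NoTypeInformation
```

Run it after each export and remove the reported accounts in BrainStorm manually; the "sign-in blocked" rows are a judgement call, since a disabled Entra user is still returned by Graph and will keep being merged by the nightly sync.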

Data Import Settings

During this part of the configuration, you must select at least one of the following data import settings:

Data Import Setting  Description
Users                Import Microsoft user data.
Usage                Import Microsoft user usage data.
License              Import Microsoft account license type data.
Groups               Import Microsoft Graph group data.

Microsoft Graph Application Permission Table

Application permissions are declared statically on an app registration and are consented for the whole tenant, so a single app holding every permission would force you to grant more than your configuration uses. BrainStorm therefore maintains a separate app registration for each supported combination of features, and the consent dialog requests only the permissions needed by the settings you selected. After consent, the registration that was used appears under Enterprise applications in the Microsoft Entra admin center, where you can confirm that the granted permissions match this table.

Application                                    User.Read.All  Reports.Read.All  Organization.Read.All
BrainStorm-SaaSy-Users-Sync                    True           False             False
BrainStorm-SaaSy-Activity-Sync                 False          True              False
BrainStorm-SaaSy-Users-Activity-Sync           True           True              False
BrainStorm-SaaSy-Users-Licenses-Sync           True           False             True
BrainStorm-SaaSy-Users-Activity-Licenses-Sync  True           True              True
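The consent dialog shows what is requested at the moment of consent, but the authoritative record is what is actually granted on the service principal in your tenant. The script below is an added example, not BrainStorm's tooling, that reads those grants with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications module) and flags any application permission not listed in the table above. The display-name prefix and the expected permission sets are taken from the table; treat them as assumptions if the registration names in your tenant differ.

```powershell
# Added example, not BrainStorm's own tooling: enumerate the Microsoft Graph permissions
# consented to each BrainStorm service principal and compare them with the table above.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Expected application permissions per app, as documented in the table (assumed mapping).
$expected = @{
    'BrainStorm-SaaSy-Users-Sync'                   = @('User.Read.All')
    'BrainStorm-SaaSy-Activity-Sync'                = @('Reports.Read.All')
    'BrainStorm-SaaSy-Users-Activity-Sync'          = @('User.Read.All', 'Reports.Read.All')
    'BrainStorm-SaaSy-Users-Licenses-Sync'          = @('User.Read.All', 'Organization.Read.All')
    'BrainStorm-SaaSy-Users-Activity-Licenses-Sync' = @('User.Read.All', 'Reports.Read.All', 'Organization.Read.All')
}

# Microsoft Graph's own service principal (well-known appId); its AppRoles map role GUIDs to names.
$graphSp   = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[$role.Id] = $role.Value }

# One service principal exists per BrainStorm app registration that has been consented.
$brainstormSps = Get-MgServicePrincipal -Filter "startswith(displayName,'BrainStorm-SaaSy')" -All

$results = foreach ($sp in $brainstormSps) {
    # Application (app-only) permissions are recorded as app role assignments on the SP.
    $granted = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        Where-Object { $_.ResourceId -eq $graphSp.Id } |
        ForEach-Object { $roleNames[$_.AppRoleId] } |
        Sort-Object -Unique)

    # Delegated permissions (the "Sign in and read user profile" entry from the consent
    # dialog) are recorded separately as OAuth2 permission grants and carry no app-only access.
    $delegated = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
        ForEach-Object { if ($_.Scope) { $_.Scope.Trim() } })

    $allowed = $expected[$sp.DisplayName]
    $extra   = @($granted | Where-Object { $_ -notin $allowed })

    [pscustomobject]@{
        App                    = $sp.DisplayName
        ApplicationPermissions = ($granted -join ', ')
        DelegatedScopes        = ($delegated -join ', ')
        NotInTable             = ($extra -join ', ')
    }
}

$results | Format-Table -AutoSize
```

A non-empty NotInTable column, or more than one BrainStorm service principal when you only enabled one integration, is worth a question to your vendor before the next nightly sync runs; the DelegatedScopes column should show only the sign-in scope described in the note above.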

Microsoft Graph Security FAQs

Q: How does authentication with Microsoft Graph work?

A: When the global admin authenticates, Microsoft provides BrainStorm with an authorization token and records the admin's consent for your tenant. From then on, BrainStorm's own app registration authenticates to Microsoft using the application permissions granted at consent, and the resulting tokens are used in the nightly queries that synchronize data into BrainStorm.

Q: Does BrainStorm need Microsoft Global Admin to authenticate with BrainStorm?

A: Yes. Because BrainStorm requests user data from your organization's Microsoft Graph configuration, a Microsoft Global Admin must grant that permission.

Q: Can BrainStorm still access the Microsoft Graph data points if it is no longer enabled?

A: No. If a Microsoft Graph integration is not enabled and active, BrainStorm cannot access Microsoft Graph data.

Q: Can BrainStorm access the admin credentials to sign in to M365?

A: No. When you sign in to M365 to enable Microsoft Graph for BrainStorm, you sign into a Microsoft-generated and controlled dialog. The information you enter here is only visible to Microsoft, and BrainStorm cannot access your credentials.

Q: Can BrainStorm see email, Teams communications, or other confidential information when enabling Microsoft Graph?

A: No. Enabling Microsoft Graph for BrainStorm does not give BrainStorm access to content such as your emails, Teams conversations, or document bodies. The usage figures come from the Microsoft 365 usage reports (the Reports.Read.All permission in the table above), which contain per-user activity counts only, such as the number of messages sent or the number of emails read. Note that if your tenant's reports settings are configured to conceal user, group, and site names in reports, the usage data Microsoft returns will be anonymized and cannot be attributed to individual BrainStorm users.

Q: Does BrainStorm have access to any personally identifiable information or PII through Graph?

A: Yes. BrainStorm receives non-sensitive PII, such as email, first name, last name, department, title, etc. 

Q: How does BrainStorm use Telemetry data from Microsoft Graph?

A: When your organization configures Microsoft Graph, the requested permissions and the data points listed above are disclosed at consent time, and the usage telemetry is surfaced in BrainStorm only as per-user activity counts for the applications listed under Data Usage for Microsoft Applications.

Q: What does the data display in the Microsoft Graph Activity Log?

A: Whether the sync was successful. Note: the number of new users reported by Graph may not match the number of users actually created in BrainStorm, because users are only created when all of the following criteria are met:

  • The user has an active Microsoft license assigned.

  • The user has a first name, last name, and email address.

  • The Licensed option is toggled on under the Configuration section.
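The three criteria above, together with the email-versus-UPN requirement described at the top of this article, can be checked before the first sync rather than by counting missing users afterwards. The script below is an added example and is not BrainStorm's own tooling; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Users module) and assumes the User.Read.All scope is sufficient to read the attributes involved. The output file name is an example.

```powershell
# Added pre-flight check, not BrainStorm's own tooling: find enabled Microsoft Entra users
# that the nightly sync will skip (missing name, email or license) or that will not line up
# with SSO because their email differs from their UPN.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$users = Get-MgUser -All -Filter 'accountEnabled eq true' `
    -Property Id,UserPrincipalName,Mail,GivenName,Surname,AssignedLicenses

$report = foreach ($u in $users) {
    $problems = [System.Collections.Generic.List[string]]::new()

    if (-not $u.GivenName) { $problems.Add('missing first name') }
    if (-not $u.Surname)   { $problems.Add('missing last name') }
    if (-not $u.Mail)      { $problems.Add('missing email address') }

    # "Licensed Users" only imports accounts with at least one assigned M365 license.
    if (-not $u.AssignedLicenses -or $u.AssignedLicenses.Count -eq 0) {
        $problems.Add('no M365 license assigned')
    }

    # The sync matches on email, not UPN; a mismatch needs the SSO mapping set to email.
    if ($u.Mail -and $u.UserPrincipalName -and
        $u.Mail.ToLowerInvariant() -ne $u.UserPrincipalName.ToLowerInvariant()) {
        $problems.Add('email differs from UPN')
    }

    if ($problems.Count -gt 0) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Mail              = $u.Mail
            Problems          = ($problems -join '; ')
        }
    }
}

$report | Sort-Object UserPrincipalName | Format-Table -AutoSize
$report | Export-Csv -Path .\brainstorm-sync-preflight.csv -NoTypeInformation
```

Users listed with the first three problems will not appear in BrainStorm after the sync; users listed only with "email differs from UPN" will be created but will not match their SSO login unless the attribute mapping is switched to email as described above.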

Q: How do I ensure communications do not go out after Microsoft Graph is enabled?

A:

  • Turn off the Notify recipient(s) once synced toggle when you set up the integration (step 5 of Microsoft Graph Setup). This ensures that end users do not receive a notification when you enable Microsoft Graph for your organization.

  • If you created an All Users group before enabling Microsoft Graph, ensure notifications are disabled on that group.

  • Enabling BrainStorm User Engagement allows you to send reminder emails to end users for "Required" or "Recommended" courses assigned to them, so leave it disabled until you are ready for users to receive email.