Restrict the visibility of users from Microsoft Entra and custom user groups in the Learn365 Admin Center via API

By creating and managing group restrictions via API, you can change the visibility and availability of users and their groups in the Learn365 Admin Center. For example, if the group restrictions are on, only the users from particular Microsoft Entra (Azure Active Directory) or custom user groups will be shown while enrolling learners in training.

You can apply restrictions to as many Microsoft Entra (Azure Active Directory) or custom user groups as you like. You can also limit the restrictions to particular course catalogs.

 

NOTE   

If you set up multiple organizations (environments) within a single tenant, you can use the group restriction APIs to control the visibility of users between these environments. For more information, see the last section of this article.

 

To create and manage group restrictions via API:

1. Create or edit a group of users in the Microsoft Entra admin center. You’ll also need the object ID of the group.

2. Using the group object ID, add the Microsoft Entra (Azure Active Directory) group to the restriction list for your environment via the Learn365 API.

3. Alternatively, add the Microsoft Entra (Azure Active Directory) or custom user group to the restriction list by their group ID.

4. View a list of groups in your restriction list.

5. Turn the group restrictions on.

6. If needed, delete a restriction from your restriction list.

 

Group restrictions and people picker in the Learn365 Admin Center

When the group restrictions are turned on, only the users from the groups included in the restriction list are available in the people picker in the Learn365 Admin Center. In other words, only the users from particular Microsoft Entra (Azure Active Directory) or custom user groups included in the restriction list for your environment will be shown when you:

 

Add Microsoft Entra (Azure Active Directory) groups to a restriction list by their object ID

To add a Microsoft Entra (Azure Active Directory) group to a restriction list in Learn365 by its object ID, you’ll need the object ID. You can find it in the Microsoft Entra admin center. For more information, see this Microsoft article.

If you want to apply restrictions to a particular course catalog, you’ll need the course catalog ID. You can find this via the API by following the steps in this article.

To add a Microsoft Entra (Azure Active Directory) group to a restriction list:

1. Go to https://api.365.systems/ and make sure you are authorized with the relevant API key.

2. In the GroupRestrictions section, select the POST /groupRestrictions/addADGroup endpoint and select Try it out in the top right-hand corner.

3. In the objectId field, enter an object ID of a Microsoft Entra (Azure Active Directory) group.

4. If you want to add a restriction to a particular course catalog only, in the courseCatalogId field, enter the course catalog ID. Leaving this field empty will apply the restriction across the whole environment.

5. Select Execute to run the request.

6. Go to the Response block to check the results:

  • 200 code with an empty body indicates a successful response.
  • In case of an error, the response body contains the error object with the code and message keys explaining the issue.

 

Add groups to a restriction list by their group ID

To add a Microsoft Entra (Azure Active Directory) or a custom user group to a restriction list in Learn365 by its group ID, you’ll need the group ID. You can find it via API by following the steps in this article.

To add the group to a restriction list via API:

1. Go to https://api.365.systems/ and make sure you are authorized with the relevant API key.

2. In the GroupRestrictions section, select the POST /groupRestrictions/addGroup endpoint and select Try it out in the top right-hand corner.

3. In the groupId field, enter a group ID.

4. If you want to add a restriction for a particular course catalog only, in the courseCatalogId field, enter the course catalog ID. Leaving this field empty will apply the restriction across the whole environment.

5. Select Execute to run the request.

6. Go to the Response block to check the results:

  • 200 code with an empty body indicates a successful response.
  • In case of an error, the response body contains the error object with the code and message keys explaining the issue.

 

View a list of groups in a restriction list

To view a list of all group restrictions that were added to your environment:

1. Go to https://api.365.systems/ and make sure you are authorized with the relevant API key.

2. In the GroupRestrictions section, select the GET /groupRestrictions endpoint and select Try it out in the top right-hand corner.

3. Select Execute to run the request.

4. Go to the Response block to check the results:

  • 200 code with an array of restrictions indicates a successful response. Each separate item in the array has three parameters:
    • Id is an ID of a separate restriction in Learn365.
    • CourseCatalogId is an ID of the course catalog to which the restriction applies. If it’s empty, the restriction applies to the whole environment.
    • GroupId is an ID of a user group in Learn365. 

  • 200 code with an empty body means there are no group restrictions in your environment.
  • In case of an error, the response body contains the error object with the code and message keys explaining the issue.

 

Turn group restrictions on and off

To turn group restrictions on and off for your environment:

1. Go to https://api.365.systems/ and make sure you are authorized with the relevant API key.

2. In the GroupRestrictions section, select the PUT /groupRestrictions/state endpoint and select Try it out in the top right-hand corner.

3. In the isEnabled field, select true to turn on the restrictions or false to turn them off.

4. Select Execute to run the request.

5. Go to the Response block to check the results:

  • 200 code with an empty body indicates a successful response.
  • In case of an error, the response body contains the error object with the code and message keys explaining the issue.

The on/off state applies only to the restrictions in your restriction list. You can check the list via the GET /groupRestrictions request.

When the group restrictions are turned on, only the users from the groups included in the restriction list are available in the people picker in the Learn365 Admin Center.

 

EXAMPLE

Let’s say:

1. You create the Human Resources group in Microsoft Entra (Azure Active Directory).

2. You add the Human Resources group to your restriction list in Learn365, but only for the People Development course catalog.

3. You turn on the group restriction.

4. When you’re enrolling learners in training for the People Development course catalog, only the users from the Human Resources group are available for selection.

 

Delete a restriction from a restriction list

To delete a specific restriction, you’ll need its ID. You can find it by sending the GET /groupRestrictions request and by checking the Id parameter in the response.

To delete a specific restriction from a restriction list:

1. Go to https://api.365.systems/ and make sure you are authorized with the relevant API key.

2. In the GroupRestrictions section, select the DELETE /groupRestrictions endpoint and select Try it out in the top right-hand corner.

3. In the id field, enter a restriction ID.

4. Select Execute to run the request.

5. Go to the Response block to check the results:

  • 200 code with an empty body indicates a successful response.
  • In case of an error, the response body contains the error object with the code and message keys explaining the issue.
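The view, add and delete steps above can be combined into a drift check. The following is an added example, not Learn365 code: it compares the array returned by GET /groupRestrictions with the list you intend to have and returns the API calls needed to make them match, without sending anything. The sample response, its IDs and the function names are constructed, and the JSON keys are assumed to be spelled exactly like the Id, CourseCatalogId and GroupId parameters above.

```python
import json

# Constructed sample of a GET /groupRestrictions 200 body (all IDs are made up).
SAMPLE_BODY = json.dumps([
    {"Id": "r-1", "CourseCatalogId": "cat-people-dev", "GroupId": "grp-hr"},
    {"Id": "r-2", "CourseCatalogId": "", "GroupId": "grp-contractors"},
    {"Id": "r-3", "CourseCatalogId": "cat-people-dev", "GroupId": "grp-hr"},
])

def parse_restrictions(body):
    """Return the restriction items; an empty 200 body means none exist."""
    if not body or not body.strip():
        return []
    data = json.loads(body)
    if not isinstance(data, list):  # e.g. an error object with code/message
        raise ValueError(f"unexpected response: {data!r}")
    return data

def _key(group_id, catalog_id):
    # An empty or missing CourseCatalogId means the whole environment.
    return (str(group_id).strip(), str(catalog_id or "").strip() or None)

def plan_changes(desired, body):
    """desired: set of (Learn365 group ID, catalog ID or None for environment-wide).

    Returns (method, endpoint, fields) tuples: additions first, then deletions
    of unexpected or duplicate entries, then the call that turns restrictions on.
    """
    want = {_key(g, c) for g, c in desired}
    seen, deletes = set(), []
    for item in parse_restrictions(body):
        k = _key(item["GroupId"], item.get("CourseCatalogId"))
        if k not in want or k in seen:  # not intended, or listed twice
            deletes.append(("DELETE", "/groupRestrictions", {"id": item["Id"]}))
        seen.add(k)
    adds = []
    for g, c in sorted(want - seen, key=str):
        fields = {"groupId": g}
        if c:  # omit courseCatalogId to apply across the whole environment
            fields["courseCatalogId"] = c
        adds.append(("POST", "/groupRestrictions/addGroup", fields))
    state = ("PUT", "/groupRestrictions/state", {"isEnabled": True})
    return adds + deletes + [state]

if __name__ == "__main__":
    intended = {("grp-hr", "cat-people-dev"), ("grp-marketing", None)}
    for step in plan_changes(intended, SAMPLE_BODY):
        print(step)
```

Entries flagged for deletion are the ones worth reviewing first: each extra entry in the list makes another group's users selectable in the people picker, and an entry with an empty CourseCatalogId does so for the whole environment.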

 

Add restrictions for multiple environments (organizations) within a single tenant

If you set up multiple environments (organizations) within a single tenant, you can restrict the visibility of Microsoft Entra (Azure Active Directory) groups and users across the environments via API. For custom user groups and Flow365 users, setting up the visibility restriction isn’t needed because their visibility is limited to the specific environment by default.

Restricting visibility across different environments is controlled by specific sets of API keys. So, to set the restriction to one of the environments:

1. Make sure you have an active API key for the environment.

2. Authorize in https://api.365.systems/ with the API key.

3. Add Microsoft Entra (Azure Active Directory) users or groups to the restriction list.

4. Turn on the group restriction for the environment. When the group restrictions are turned on, only the users from the groups included in the restriction list are available in the people picker in the Learn365 Admin Center for the environment.

 

EXAMPLE

Let’s say:

  • You have two environments – Environment A and Environment B – set up for your tenant.
  • You have two Microsoft Entra (Azure Active Directory) groups: Marketing Team and Senior Developers.
  • You want the Marketing Team to be visible only in Environment A and the Senior Developers only in Environment B.

In this case:

1. For Environment A, navigate to the Learn365 Admin Center > Global Settings > API key management and make sure you have an active API key.

2. Authorize in https://api.365.systems/ with the API key from Environment A.

3. Add the Marketing Team to the restriction list.

4. Turn on the restrictions.

5. For Environment B, navigate to the Learn365 Admin Center > Global Settings > API key management and make sure you have an active API key.

6. Authorize in https://api.365.systems/ with the API key from Environment B.

7. Add the Senior Developers to the restriction list.

8. Turn on the restrictions.

After that, only the users from the Marketing Team group are available in the people picker for Environment A, while the people picker for Environment B contains only the users from the Senior Developers group.

 
