Introduction
Microsoft announced that from November 1, 2024, SharePoint Add-In and Azure Access Control Services (ACS) were no longer available for new tenants and that these services would be completely phased out for existing Learn365 tenants on May 1, 2025.
Learn365 uses SharePoint Add-In for application permissions on the course catalog SharePoint site, and Azure Access Control (ACS) gives access to individual site collections (in this case, Learn365 course catalogs) without a signed-in user.
On Microsoft's recommendation, we're moving to the Microsoft Entra ID (Azure Active Directory) authentication for SharePoint model.
For most customers, this will mean the Microsoft 365 global admin at your organization will need to run a short migration process from within Learn365. The Microsoft 365 global admin needs access to change permissions on the SharePoint site collection so this user will also need one of the following roles before migrating:
- A SharePoint site admin (site collection admin); or
- A member of the Owners group for all catalogs. While you don't need to be a catalog admin to run the migration, being a catalog admin automatically adds you to the Owners group.
Notification banners will be displayed at the top of the Learn365 Admin Center for Microsoft 365 global admins, LMS admins, catalog admins, course admins, and instructors at all affected organizations until the migration is completed.
IMPORTANT
The migration makes changes in SharePoint and only in the background (that is to say, the changes aren't visible to users). Following the migration, users won't experience any changes in how they use Learn365 and the user interface stays the same.
Your organization must run the migration to ensure continued use of Learn365 from May 1, 2025 onwards.
If your organization doesn't run the migration:
- It won't be possible to create or delete course catalogs.
- It won't be possible to create or edit training.
- It won't be possible to enroll users in, or unenroll them from, training.
- Learners will encounter issues when they take training.
In this article
This article describes the key steps Microsoft 365 global admins should follow to migrate Learn365 at your organization from the SharePoint Add-In model to the new Microsoft Entra ID (Azure Active Directory) authentication for SharePoint model via the Learn365 Admin Center. It also describes the steps you should follow to migrate manually.
- Does my organization have to run the migration?
- Additional background information
- When can I run the migration?
- Run the migration
- Optional step: remove the now-unused LMS365 app from SharePoint site contents
- Frequently asked questions
Does my organization have to run the migration?
For organizations where Learn365 was installed before October 14, 2024, the Microsoft 365 global admin must complete the steps in this article by April 30, 2025 to ensure continued use of Learn365 after this date. For these organizations, Learn365 uses SharePoint Add-In for application permissions on the course catalog SharePoint site, and Azure Access Control (ACS) gives access to individual site collections (in this case, Learn365 course catalogs) without a signed-in user.
For organizations where Learn365 was installed on or after October 14, 2024, no further action is required because you already use Microsoft Entra ID (Azure Active Directory) authentication for SharePoint. During the installation consent process for these organizations, we added a new application permission scope (Sites.Selected), which grants access only to course catalog SharePoint sites. These organizations won't have to run the migration.
Additional background information
We recommend you read the following articles before running the migration.
- For more information about Microsoft's retirement of SharePoint Add-In and Azure Access Control Services (ACS) and how this affects Learn365 customers, see this article.
- For more information about Microsoft's retirement of SharePoint Add-In, see this Microsoft article.
- For more information about Microsoft's retirement of ACS, see this Microsoft article.
- For information about upgrading SharePoint applications from Azure Access Control Service (ACS) to Microsoft Entra ID, see this Microsoft article.
- For information about the permissions needed to run the migration, see the Frequently asked questions section of the article.
When can I run the migration?
Notification banners will be displayed at the top of the Learn365 Admin Center for Microsoft 365 global admins, LMS admins, catalog admins, course admins, and instructors at all affected organizations.
Once the notification banners are displayed, the migration can be run at any time up until April 30, 2025. However, we advise you run the migration at the earliest opportunity. This is to ensure that, in the unlikely event you encounter any issues or errors during the migration, they can be resolved by April 30, 2025.
The notification banner displayed depends on your role:
- For the Microsoft 365 global admin only, the notification banner provides some background information, and invites you to grant consent and run the migration.
- For LMS admins, catalog admins, course admins, and instructors, the notification banner provides some background information, and invites them to contact their Microsoft 365 global admin to ask them to run the migration.
NOTE
Notification banners will continue to be displayed until the migration is completed successfully.
Run the migration
IMPORTANT
These migration steps must be completed by April 30, 2025 to ensure admins can continue to use Learn365. For most customers, it will take only a few seconds to run the migration via the Learn365 Admin Center. For more information on how long it will take to run the migration, see this section of the article.
There are two ways of running the migration.
- Via the Learn365 Admin Center. We strongly recommend using this approach because it offers on-screen instructions for the two key steps (consent for updated application permissions and running the migration). Using this approach, you'll grant consent to the Have full control of all site collections (Sites.FullControl.All) permission.
  If your organization prefers, you can grant consent only for the short period of time the migration takes to run. For more information, see this section of the article.
- Migrate manually. You can use this approach if you don't want to consent to the Have full control of all site collections (Sites.FullControl.All) permission. Additionally, you should use this approach if you've already deleted the Sites.FullControl.All permission from the Learn365 app. To migrate manually, you should complete some initial configuration steps then contact Zensai Product Support, who will guide you through the process for every SharePoint site collection (Learn365 catalog) you want to migrate.
Run the migration via the Learn365 Admin Center
Required role: Microsoft 365 global admin. This user will also have to be a SharePoint site admin (site collection admin) or a member of the Owners group for all catalogs before migrating.
You run the migration from the notification banner in the Learn365 Admin Center.
The time it takes to run the migration depends on the number of catalogs you have. Typically, it will take a few seconds to migrate each catalog.
If you encounter any issues or errors during the migration, you can contact Zensai Product Support.
1. Open the Learn365 Admin Center.
2. Read the instructions in the banner notification at the top of any page in the Learn365 Admin Center.
3. When you're ready, select Consent for updated application permissions. The Permissions requested dialog opens.
Here, you'll see a list of permissions that are needed to run the migration.
For information about the permissions needed to run the migration, see the Frequently asked questions section of the article.
If your organization can't or doesn't want to grant permanent consent for the Have full control of all site collections (Sites.FullControl.All) permission, you can grant consent only for the short period of time the migration takes to run. For more information, see this section of the article.
4. Select Accept. This grants consent to use the new permission level, assigns the permission level to each catalog, and assigns permissions to the Learn365 app using Graph API.
Once you grant consent, you're redirected to the banner notification. A tick is displayed next to Consent for updated application permissions to show this step completed successfully.
5. Select Run migration. The SharePoint site permissions migration starts and the Migration started notification is displayed.
When the migration finishes, the Migration completed successfully notification is displayed and notification banners are removed for all users.
If you receive errors similar to the following, it means the Microsoft 365 global admin doesn't have the additional necessary permissions, that is to say, they are neither a SharePoint site admin (site collection admin) nor a member of the Owners group for all catalogs: "You don't have access to the catalog at <URL>. Please ensure that you have admin permissions for this SharePoint site."
6. Revoke permissions, if necessary.
- If you want to keep the Have full control of all site collections (Sites.FullControl.All) permission, no further action is required.
- If you chose to grant consent for this permission only for the purpose of running the migration, you can now revoke consent via the Microsoft Azure Portal.
7. Reconnect the connected account, if necessary.
Under certain circumstances, you might need to reconnect the account used to send email notifications, book rooms, and create Microsoft Teams meetings. Examples of when you might need to reconnect the account include, but are not limited to:
- If you use the Microsoft 365 global admin account as the connected account, you should now reconnect the connected account.
- If you originally used the Microsoft 365 global admin account as the connected account, then changed this to a different account, you might need to reconnect the connected account.
- Regardless of which account you use as the connected account, if you receive an error similar to the following, you should reconnect using the Microsoft 365 global admin account: "AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' named 'Learn365'. Send an interactive authorization request for this user and resource." Once connected using the Microsoft 365 global admin account, you can reconnect again with the preferred account.
For each catalog on the tenant that has the Microsoft 365 global admin account configured as the connected account, follow the steps in this article to disconnect the account, then connect again.
Run the migration manually
Required role: Microsoft 365 global admin.
You can use this approach if you don't want the migration to use the Have full control of all site collections (Sites.FullControl.All) permission. You can also use this approach if you've already deleted the Sites.FullControl.All permission from the Learn365 app.
Using this approach, even though the migration itself doesn't use the Sites.FullControl.All permission, you'll still need to consent to it briefly, so that other permissions, including the new Access selected site collections (Sites.Selected) permission, can also be applied. Once all the necessary permissions are granted, you can revoke the Sites.FullControl.All permission immediately via the Microsoft Azure Portal. Revoking this permission ensures that the manual migration process doesn't use this permission.
Zensai Product Support will guide you through the process you'll need to complete for every SharePoint site collection (Learn365 catalog) you want to migrate.
If you encounter any issues or errors during the migration, you can contact Zensai Product Support.
1. Open the Learn365 Admin Center.
2. Read the instructions in the banner notification at the top of any page in the Learn365 Admin Center.
3. When you're ready, select Consent for updated application permissions. The Permissions requested dialog opens.
Here, you'll see a list of permissions that are needed to run the migration.
4. Select Accept. This grants consent to use the new permission level, assigns the permission level to each catalog, and assigns permissions to the Learn365 app using Graph API.
Once you grant consent, you're redirected to the banner notification. A tick is displayed next to Consent for updated application permissions to show this step completed successfully.
5. Revoke the Have full control of all site collections (Sites.FullControl.All) permission via the Microsoft Azure portal.
6. Once the Sites.FullControl.All permission is revoked, contact Zensai Product Support. Zensai Product Support will work with you to complete the migration.
At the time Zensai Product Support guides you through the migration, you'll need access to Windows PowerShell with an account that has global admin permissions. Additionally, we recommend you have full access to the Learn365 API.
7. Once the migration steps are completed successfully, reconnect the connected account, if necessary.
After Zensai Product Support works with you to complete the migration, under certain circumstances, you might need to reconnect the account used to send email notifications, book rooms, and create Microsoft Teams meetings. Examples of when you might need to reconnect the account include, but are not limited to:
- If you use the Microsoft 365 global admin account as the connected account, you should now reconnect the connected account.
- If you originally used the Microsoft 365 global admin account as the connected account, then changed this to a different account, you might need to reconnect the connected account.
- Regardless of which account you use as the connected account, if you receive an error similar to the following, you should reconnect using the Microsoft 365 global admin account: "AADSTS65001: The user or administrator has not consented to use the application with ID 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' named 'Learn365'. Send an interactive authorization request for this user and resource." Once connected using the Microsoft 365 global admin account, you can reconnect again with the preferred account.
For each catalog on the tenant that has the Microsoft 365 global admin account configured as the connected account, follow the steps in this article to disconnect the account, then connect again.
Optional step: remove the now-unused LMS365 app from SharePoint site contents
Once the migration steps are completed successfully, you might want to tidy up your SharePoint site collection by removing the now-unused LMS365 app from SharePoint site contents.
This is an optional task. The app will no longer be referenced so you can safely remove or keep it.
To remove the LMS365 app from SharePoint site contents:
1. From any Learn365 page opened in the SharePoint site collection (the SharePoint Home page, the Course Catalog page or a training home page), select Settings (the cog icon) in the top right-hand corner then Site contents.
2. On the opened site contents page, find the LMS365 app, select Show actions (the three vertical dots menu), then Remove.
You'll need to open the classic SharePoint experience to continue.
3. Select Return to classic SharePoint to proceed.
4. On the Site Contents page, select the three horizontal dots menu on the LMS365 app card then Remove.
5. Select OK to confirm.
It might take several minutes to remove the app. Once removed, you can revert to the modern SharePoint experience.
Frequently asked questions
How long will the migration take?
When running the migration from the Learn365 Admin Center, it depends on the number of catalogs you have. Typically, it will take a few seconds to migrate each catalog.
Can I use Learn365 during the migration?
Yes. Learners can continue to engage with training and admins can continue to use most of the features in the Learn365 Admin Center. However, for the short period of time the migration takes to run, we strongly advise against creating, deleting, or editing course catalogs.
Why can't someone at Zensai run the migration for me?
Zensai employees can't run the migration on your behalf. The migration needs to be run by the Microsoft 365 global admin at your organization.
Why can only the Microsoft 365 global admin run the migration from the Learn365 Admin Center?
Only the Microsoft 365 global admin at your organization can run the migration from the Learn365 Admin Center. No other admins or users can do this.
To be able to move to the Microsoft Entra ID (Azure Active Directory) authentication for SharePoint model, we use the Learn365 Entra ID app to get access to individual site collections. We've extended the Entra ID app permissions and added a new application permission scope (Sites.Selected) to the Learn365 Entra ID app. This scope allows access only to course catalog SharePoint sites and it's available only to the Microsoft 365 global admin.
For more information about the Sites.Selected application permission scope, see this Microsoft article.
Does the Microsoft 365 global admin need any additional permissions to run the migration from the Learn365 Admin Center?
The Microsoft 365 global admin needs access to change permissions on the SharePoint site collection so this user will also need one of the following roles before migrating:
- A SharePoint site admin (site collection admin); or
- A member of the Owners group for all catalogs. While you don't need to be a catalog admin to run the migration, being a catalog admin automatically adds you to the Owners group.
When running the migration from the Learn365 Admin Center, why do I have to consent to both Access selected site collections and Have full control of all site collections?
The Microsoft 365 global admin will be asked to grant consent to use a set of permissions. You will have already granted consent for most of the permissions in the list, but we've introduced a new one for the purpose of the migration: Access selected site collections.
Two important permissions, Access selected site collections and Have full control of all site collections, allow our application to do different things. You'll need to approve the use of both before you can run the migration.
Have full control of all site collections
The Have full control of all site collections permission is essential for migration purposes and is already used in Learn365, meaning the Microsoft 365 global admin has previously granted consent. This permission gives delegated access to SharePoint course catalog site collections and is used only to create course catalogs.
Access selected site collections
The Access selected site collections permission enables Learn365 to access selected course catalog site collections. It doesn't enable Learn365 to access all site collections in SharePoint. We've introduced this permission recently, meaning the Microsoft 365 global admin hasn't previously granted consent.
For more information about the Access selected site collections permission, see this Microsoft article.
My organization either can't or doesn’t want to grant consent for the Have full control of all site collections permission. How do we run the migration?
The migration can be run from the Learn365 Admin Center only if you consent to the Have full control of all site collections permission.
If for any reason your organization can't or doesn't want to grant permanent consent for the Have full control of all site collections permission, you can grant consent only for the short period of time the migration takes to run. Once the migration completes successfully, you can revoke it via the Microsoft Azure Portal.
Alternatively, the Microsoft 365 global admin at your organization can work with Zensai Product Support to run the migration manually. For more information, see this section of the article.
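One way to confirm that the revocation described above took effect, as an added example that is not part of the original article or Zensai's tooling: it reads the Microsoft Graph records for the Learn365 service principal (delegated `oauth2PermissionGrants` and `appRoleAssignments`) and flags Sites.FullControl.All if it is still present in either form, while checking that Sites.Selected remains. The function names are hypothetical, and every ID and sample record is constructed for illustration.

```python
BROAD = "Sites.FullControl.All"   # named on the page: may be revoked after migration
SCOPED = "Sites.Selected"         # named on the page: needed for catalog access


def granted_permissions(delegated_grants, app_role_assignments, app_roles_by_resource):
    """Collect (kind, permission) pairs held by one service principal.

    delegated_grants: 'value' array of oauth2PermissionGrant objects for the app
    app_role_assignments: 'value' array of the app's appRoleAssignment objects
    app_roles_by_resource: {resourceId: {appRoleId: role value}}, built from the
        appRoles list of each resource service principal
    """
    found = set()
    for grant in delegated_grants:
        # Delegated scopes arrive as one space-separated string.
        for scope in (grant.get("scope") or "").split():
            found.add(("delegated", scope))
    for assignment in app_role_assignments:
        roles = app_roles_by_resource.get(assignment["resourceId"], {})
        role_id = assignment["appRoleId"]
        # Keep unknown role IDs visible instead of silently dropping them.
        found.add(("application", roles.get(role_id, "unresolved:" + role_id)))
    return found


def review(found):
    """Return a list of findings; an empty list means the expected end state."""
    findings = []
    broad_kinds = sorted(kind for kind, name in found if name == BROAD)
    if broad_kinds:
        findings.append(f"{BROAD} still granted ({', '.join(broad_kinds)})")
    if not any(name == SCOPED for _, name in found):
        findings.append(f"{SCOPED} not granted")
    for _, name in sorted(found):
        if name.startswith("unresolved:"):
            role_id = name.split(":", 1)[1]
            findings.append(f"cannot name app role {role_id}; resolve it before signing off")
    return findings


# Constructed sample data (placeholder IDs, not real tenant values).
SP = "00000000-0000-0000-0000-00000000aaaa"             # Learn365 service principal
RES = "00000000-0000-0000-0000-00000000bbbb"            # resource service principal
ROLE_SELECTED = "00000000-0000-0000-0000-00000000cccc"  # app role ID for Sites.Selected
ROLES = {RES: {ROLE_SELECTED: SCOPED}}
ASSIGNMENTS = [{"principalId": SP, "resourceId": RES, "appRoleId": ROLE_SELECTED}]
BEFORE = [{"clientId": SP, "consentType": "AllPrincipals", "resourceId": RES,
           "scope": "User.Read Sites.FullControl.All"}]
AFTER = [{"clientId": SP, "consentType": "AllPrincipals", "resourceId": RES,
          "scope": "User.Read"}]

if __name__ == "__main__":
    for label, grants in (("before revoke", BEFORE), ("after revoke", AFTER)):
        print(label, review(granted_permissions(grants, ASSIGNMENTS, ROLES)) or "OK")
```
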