Cloud Sync

Panel synchronizes with both the Google Cloud as well as Microsoft Azure Cloud

How Panel Syncs with Cloud Providers

Panel synchronizes with both the Google Cloud as well as Microsoft Azure Cloud to import People. Panel will also import Chromebook Assets from the Google Cloud.

To take advantage of these features, you must configure synchronization permissions for one or both of these cloud vendors (Google and Microsoft).

You can choose to sync with Google or with Microsoft, or with both. If you choose to sync with both clouds, note that Google synchronizes first and then Microsoft Azure synchronizes second.

Take note if you sync with both Google and Azure: Because Panel synchronizes with Google first and with Microsoft Azure second, Microsoft Azure differences (if any) on People will overwrite Panel's original representation of Google's information.

For example: If a Person is in Google as “bob@example.com” with a name of “Robert Smith”, and is also in Microsoft Azure as “bob@example.com” with a name of “Bob Smith”, Panel will display the name “Bob Smith”, as “Robert Smith” from Google will be overwritten with “Bob Smith” from Microsoft Azure.

Likewise, if you sync to both Azure and Google, People will be merged based on their email addresses (if a common email address is found in both clouds). Any Person object that is represented in both Azure and Google must be removed from both Azure and Google before they will be removed from Panel.

Google Workspace Sync

K12 Panel can communicate with Google Workspace, Google Workspace for Education, and Google Workspace for Nonprofits to import People, your Organization Units hierarchy, and Chromebooks (as Assets).

This is a powerful feature of K12 Panel.

Google Sync Overview

By using the Google sync function, K12 Panel can pull in parts of your organizational intelligence to allow you to manage checkout of Assets to People, as well as see and inventory-control all of your Organization’s Chromebooks in Google.

K12 Panel will not to sync to your Google Workspace until you grant it the necessary permissions.

You must grant K12 Panel the access it needs to Sync.

Granting K12 Panel authorization to Google Sync

To sync K12 Panel with your Google Workspace, you will do the following simple steps. These steps must be performed by a K12 Panel administrator. This same logged in user must have the necessary permissions within the organization’s Google Workspace system (typically, a Google Workspace Super Admin is used, but that isn’t required).

Navigate to the Cloud Sync tab while logged in as a Google Workspace user that can authorize this action
Click the Authorize Panel to Perform Google Workspace Sync button
Grant Google Workspace the necessary read-only permissions
On initial authorization, a Google Workspace sync will be started.

Cloud syncs occur several times throughout the day on a periodic schedule. You can request an immediate sync by using the Request Immediate Cloud Sync Refresh button.

When you are ready to grant READ-ONLY permission to K12 Panel, you may click the Authorize button. You will be notified one more time that this is a read-only request, before being redirected to Google for final authorization from Google.

Once you acknowledge and Start Authorization, you will be taken to Google to perform FINAL authorization with Google for Read-Only access. The access you are authorizing only allows K12 Panel to read information from your Google Workspace setup and you can revoke this access at any time.

You will be asked by Google to ALLOW or DENY several READ-ONLY permissions. Please GRANT all of these to allow K12 Panel to perform the desired sync tasks.

You will notice that each request is to VIEW only - no changes can be performed with the permission you are granting.

It is important to note: NO PASSWORDS are stored in K12 Panel for this authorization.

No passwords are stored in K12 Panel. Your Google Workspace system maintains full control at all times, and can revoke K12 Panel’s authorization at any time.

K12 Panel maintains the permissions by caching the authorization granted by the Google Workspace administrator. This authorization is verified via the Google API every time it is used, and so it can be revoked by the Google Workspace administrator at any time either through K12 Panel or directly via Google.

Revoking Authorization

Once you have authorized K12 Panel to conduct Google Workspace Synchronizations, you can de-authorize this permission at any time.

Revoke from within K12 Panel

There is a De-Authorize Panel to Perform Google Workspace Sync button on the Cloud Sync tab. Simply push this to De-Authorize K12 Panel. The tokenized authorization

Revoke directly from Google

You can also De-Authorize K12 Panel via Google. To do this via Google:

Log into GMail (or any other Google site)
Navigate to http://myaccount.google.com
Select Security from the left menu
Scroll to Third-party apps with account access
Select Managed third-party access (or jump directly to it here)
Click into K12 Panel’s access and manage (revoke) permissions as you see fit

Remember: if you revoke permissions from K12 Panel to sync with Google, no additional synchronizations can take place until you re-authorize K12 Panel.

Microsoft Azure Sync

Panel can sync with Microsoft Azure to import People objects.

Microsoft takes a different approach to cloud sync permissions than Google. As an Azure administrator, you will create a new Azure App Registration in your Microsoft cloud to allow Panel to pull your Azure user information.

After creating the App Registration in Azure, you will copy several fields from the new App Registration to Panel. This will grant Panel the ability to pull Azure users in for use in Panel as People.

Create New Azure App Registration

Begin by logging into Azure Portal as an Azure Administrator: http://portal.azure.com
From the Azure Portal, navigate to App Registrations (this may take you directly there)
Click the “+ New registration” button
Enter a Name for the new registration:
1. Consider something simple like “allow Panel to read users”.
2. Leave Supported account type as “Accounts in this organizational directory only”.
3. You can leave Redirect URI blank. At the bottom, click Register
4. Click Register
Once created, select Certificates & secrets from the left navigation
1. Create a new client secret via the “+ New client secret” button
2. For Description, add “Panel access”
3. For Expires, list 24 months
4. Click Add
IMMEDIATELY copy the “Value” displayed and save it to Notepad or some other file where you have access - you will lose visibility to this and not be able to get it back
Navigate to API Permissions on the left
1. Click the “+ Add a permission” button
2. Select “Microsoft Graph”
3. Choose “Application Permissions”
4. Type (or search for) “User.Read.All”
5. Check the box for the User.Read.All permission
6. Click “Add permission”
Click the Grant Admin Consent button above the listed permissions
On the left-hand navigation menu, return to the Overview page
Along with the Secret Value that you saved earlier, you now have all of the information you need

If you forgot to save or if you lose the Value for your Client secret, don’t panic! You can simply delete your old secret and recreate a new one.

You will need to build a new Secret when the existing secret expires, and Panel will remind you if a Secret expires.

Enter Azure Cloud information into Panel

In Panel, click the “Add Azure Sync Settings” button
For “Client ID”, find the “Application (client) ID” of the Azure App registration process you built (under Overview in the Azure app)
For “Secret ID”, paste the secret you copied from Step 6 of the Azure App registration process
Click Save
Ready to sync with Azure!