4 integration points
1. Azure AD SSO (SAML / OIDC)
Setup OIDC (recommended):
- Azure Portal > AD > App registrations > New.
- Redirect URI: https://[tenant].studeia.com/api/auth/sso/[slug]/oidc/callback
- Create a client secret.
- Studeia > Settings > SSO > Add Provider > OIDC.
- Discovery URL: https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration
2. SCIM 2.0 (automatic provisioning)
Azure Portal > Enterprise Applications > Studeia > Provisioning > Mode: Automatic. Tenant URL: https://[tenant].studeia.com/api/scim/v2. Secret Token: generated in Studeia (AES-256-GCM encrypted). Group → Course mapping for auto-enrollment. Large groups (>50 members) processed via BullMQ.
3. Microsoft Teams (video provider)
Azure AD App > API Permissions > Microsoft Graph: OnlineMeetings.ReadWrite.All, OnlineMeetingRecording.Read.All. Application type (not Delegated). Admin consent required (Global Admin). Webhook: /api/webhooks/video/teams with Graph Change Notifications.
Limitation: endMeeting not supported via Graph API.
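A receiver for Graph Change Notifications has to answer the subscription validation handshake and check the `clientState` secret on every delivered notification. The following is an added example, not Studeia's code: the function names, the `{ query, body }` request shape, the sample values and the choice of 401 for an all-invalid batch are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed sample data: the secret set when the subscription was created,
// and a delivery batch holding one genuine and one forged notification.
const SAMPLE_STATE = "constructed-client-state-secret";
const SAMPLE_BODY = {
  value: [
    { subscriptionId: "sub-good", clientState: SAMPLE_STATE, changeType: "updated" },
    { subscriptionId: "sub-forged", clientState: "guess", changeType: "updated" },
  ],
};

// Constant-time comparison; hashing first gives both buffers equal length.
function sameSecret(received, expected) {
  if (typeof received !== "string" || typeof expected !== "string") return false;
  const a = crypto.createHash("sha256").update(received).digest();
  const b = crypto.createHash("sha256").update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// req: { query, body } (hypothetical shape). Returns the HTTP response to send
// plus the notifications that passed the clientState check.
function handleTeamsWebhook(req, expectedClientState) {
  const token = req.query && req.query.validationToken;
  // 1. Subscription handshake: echo the token back as text/plain with 200.
  //    Never render it as HTML, since the value is caller-controlled.
  if (typeof token === "string") {
    return { status: 200, headers: { "Content-Type": "text/plain" }, body: token, accepted: [] };
  }
  // 2. Delivery: the body must be { value: [ ...notifications ] }.
  const items = req.body && req.body.value;
  if (!Array.isArray(items) || items.length === 0) {
    return { status: 400, headers: {}, body: "", accepted: [] };
  }
  // Keep only notifications carrying the expected clientState.
  const accepted = items.filter((n) => n && sameSecret(n.clientState, expectedClientState));
  // Acknowledge with 202 and process `accepted` asynchronously (e.g. via a queue).
  // Rejecting a batch with no valid item using 401 is this example's choice.
  return { status: accepted.length ? 202 : 401, headers: {}, body: "", accepted };
}
```

Graph only creates the subscription if the handshake response arrives promptly, so the handler should do no other work before echoing the token.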
4. OneDrive sync (media library)
Same Drive integration pattern. AES-256-GCM encrypted tokens. Cron /api/cron/drive-sync.
Setup (1-2h)
- Azure AD App registration (10min)
- Configure API permissions + admin consent (10min)
- SSO OIDC in Studeia (5min)
- SCIM provisioning (30-45min)
- Teams provider (10min)
- OneDrive integration (10min)
- Test with 5 pilot users (10min)
LGPD + GDPR
OAuth tokens AES-256-GCM encrypted. SCIM Bearer token encrypted. Complete audit via ScimAuditLog. Microsoft DPA applicable for European companies.