Frequently Asked Questions

General (12)

Changing Student Passwords

If a teacher needs to change a student's password, they will follow these steps: (1) Select Profiles, (2) Select My Students, and once they find the student whose password they wish to change, they need to (3) check the box in front of their name. Then the "Change Password" button will light up (no longer grayed out).  Click on the  (4) Change Password button and fill in the required information - see below. 

NOTE: If your students are using Badges/QR Codes to login, then after changing their password you will need to print a new Badge by selecting My Students (QR Codes), then selecting the checkbox to the left of your student, and finally clicking on the QR Code button.  You can then print the new badge(s) displayed.



In the Change Password box you will enter the New Password and then in the box below it, Confirm the password.  At this point you can either click Save (at red arrow below) and tell them the password to use going forward, or if you want to require that they change their password to something only they know, check the "User must change password at next login" checkbox.  This will force them to enter a new password once they login.



If you haven't already done so, click on Save button and note the "Confirm" window (click on OK).


FAQ category: 

I am active in multiple LEAs and have more than one email address in the IAM service. How do I select my preferred email address?

A: Users who have more than one valid email address (e.g. they are active in multiple schools within an LEA or in multiple LEAs and have a unique email in each), may now see all valid emails in the IAM service. Those users will have the ability to choose a preferred email address from within the Profiles tab in The preferred email address will be the one used by the IAM Service when populating “email address” for integrated Target Applications. To choose a preferred email address, go to Profiles -> My Profile -> Edit Profile then use the pull down menu from the dialog box as shown in the following example:

FAQ category: 


The quickest way to access the IAM Service is to type into your browser window and go there directly.  If you want to bookmark the IAM Service, see the FAQ on "How Do I Bookmark the IAM Service?"




FAQ category: 

If you Forgot your username, or are Claiming Your Account for the first time, the eScholar UID number is the former 9- or 10-digit NCWise Student or Pupil Number (for Students) and the 10-digit State Employee UID or PowerSchool UID for teachers and staff. Employee UID numbers should be in the UID system as well as Payroll, so your Finance Department may be able to help you locate the number.  Many LEAs and Charter Schools were already using the UID number to logon to PowerSchool.  If so, then it's the same number/username you're already used to.

FAQ category: 


If you want to BOOKMARK the IAM Service, DO NOT bookmark the Login Screen where you enter your username and password, but rather the Rapid Identity Applications page (where the application icons are displayed).  Then whenever you want to go to the IAM Service you can click on that bookmark.

Key points to remember for Bookmarking the IAM Service:


   Don't Bookmark!                        BOOKMARK 



FAQ category: 

There are three main criteria for challenge questions:  

  • 5 of the 10 questions must be answered
  • The answers must be 3 or more characters
  • Answers can not be repeated among questions

In addition, the answers are not case-sensitive.

If a question is not answered it will be ignored in the password recovery process. For example, if you initially answer only 5 of the questions then you will be challenged with 2 of those 5 question. If you initially answer 6 questions then you will be challenged with 2 of those 6. You will never be asked a question that you did not answer during setup.


FAQ category: 

No, the response to a challenge question is not case-sensitive.

FAQ category: 


Users are not able to edit their profiles to add/change their email address in the IAM Service. The only way an IAM Service account's email address can be added/changed is if that user's email is added/changed in source data: PowerSchool for students; and - in order - PowerSchool, LINQ HR (upload for Charter Schools), or HRMS for staff.  (NOTE: The previous order lists the priority given to each data source.  If PowerSchool has an email for a staff member, that's the email address that will be used in the data sent to the NCEdCloud IAM Service).

We recommend that LEAs & Charter Schools strive to provide email addresses for all their users as there are important drawbacks for users without an email address within the service. For example:

  • LEA Administrators and other employees that use the Workflow features of the IAM Service would have no way to automatically be notified by the IAM Service of their workflow-related task items.
  • Some target services require the email address.  Without having email associated with the provisioned user account, functionality of those target services could be significantly impacted.


FAQ category: 

If you get a "The request is invalid" message or the screen shown below, it's likely because you "bookmarked" the Logon Screen (where you enter your Username) or used the "back button". To get to the IAM Service (to access your applications or change/reset your password for example), go to  Then bookmark the page where you see your Applications.  Then in the future, when you click on the bookmark you created on the Applications page, it will take you to the Logon page and then transfer you to NCEdCloud.   If you try to go directly to the login screen by bookmarking it, the IAM Service won't know where you want to go (e.g. PowerSchool, Google Apps for Education, etc.).  That's why you get an error.

FAQ category: 


If you are having trouble getting to NCEdCloud applications and resources, please follow your local support process for resolving technology issues. If your local support staff cannot resolve your problem, they are authorized to escalate the problem to the Identity Automation Support Community for resolution.

FAQ category: 


We understand that some LEAs may have concerns about teachers being able to set their students' passwords, however, due to the fact that the IAM Service is a solution for the entire state it was not feasible to make the feature an option for those PSUs that wanted to implement it. However, please keep in mind that ALL password changes are audited within the service so a record of any password transaction is captured along with who made the change.


FAQ category: 


Parent/Guardian logins will not be affected.

FAQ category: 

Badge (QR Code) and Pictograph Logins for PK-5 (4)


The short answer is that iPad 2s cannot run the required version of iOS to allow access to the camera for scanning the badges.  Logging into NCEdCloud with student Badges requires that Apple iOS (mobile) devices be able to access the device camera through Safari (the apple browser) to scan a student's badge.  We have recently found out that Safari cannot "capture" the device camera on versions of iOS prior to 11.x.  The last version of iOS released for the iPad 2 was 9.3.5.  Therefore, iPad 2 devices cannot be used for Badge (QR Code) logins to NCEdCloud.  To the best of our knowledge, an Apple mobile device (iPhone, iPad) must be running an 11.x or higher version of iOS.



If you see this error, it means that the password contained in the Badge QR Code (badges contain the student's Username/Student Number and their account Password), does not match the CURRENT Password of the account.  Someone has changed the password since the badge was printed (or it is an older copy of the badge), and therefore you will need to view and print a new badge for the affected student.  You can do this in NCEdCloud by clicking Profiles, then My Students (QR Code) - LEA ###, and check the box next to the student's name.  Then select the QR Code button to view the student badge, and print it (either right click or select "Print" from the browser menu).



If a student who is configured to use a Badge to login to NCEdCloud doesn't have it with them, they can enter their Username (Student Number) at the Username prompt and select "Go".  They will then see the Password screen for NCEdCloud and can enter their password to complete their login.  If they click on the "Scan Student QR Code" Button instead of entering Username, they will need to click on the "Start Over" button and "Ok" to get back to the Username screen.  Then after entering their Student Number and clicking "Go", they will be presented with the Password Screen.



QR Codes (Badges) must be "bright" enough for a student device camera to read properly.  Make sure the students aren't shading their badges or tilting them downward when scanning.  Having badges lighted by overhead lighing or an exterior window may help.  Also make sure the badge itself is printed clearly on white paper for the best contrast.  More recent releases of the RapidIdentity Portal software have also helped with the camera issue.


Multi-Factor Authentication (MFA) or One-Time Passwords (OTP) (12)


As a part of continuing efforts to enhance the security posture of statewide IT systems, and due to the access users with NCEdCloud privileged roles (LEA AdministratorLEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, and School Student Help Desk) have to student and employee data, Multi-Factor Authentication (MFA) will now be required for users with any of these roles in the NCEdCloud IAM Service.  NCDPI implemented MFA for these privileged users statewide, as of 2019. More information can be found on the NCEdCloud MFA webpage.


As of November 2019, employees with NCEdCloud LEA Administrator, LEA Data Auditor, LEA Help Desk, or LEA Student Help Desk privileged roles, are required to use MFA and enter a One-Time Password (OTP) with each login to the NCEdCloud RapidIdentity portal.

Currently, because of the access these users have to employee and/or student data, MFA has been implemented for all privileged roles in the NCEdCloud IAM Service, including LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk and School Student Help Desk.  If additional privileged roles are added in the future, they will likely be required to use MFA as well.  However, at this time there are no plans to require MFA for any staff outside of these special groups.


The One-Time Password (OTP) is tied to your NCEdCloud ACCOUNT, not to a device.  Therefore, when you login the first time after MFA is implemented (or after an OTP Reset) and see the OTP Setup Page, the QR Code and the AlphaNumeric Code below it are what links the NCEdCloud MFA to the 6-digit code presented by your authentication application (Google Authenticator, RapidIdentity, Authy Desktop).  The QR code and the AlphaNumeric Code are "identical", as far as providing the same information to authentication apps - as long as they're taken from the same OTP Setup page.  Therefore, you can use the same authentication app on your phone to login to your iPad or your Windows machine.

If you're using Authy and have it installed on more than one device, that will work.  But you'll need to enter the same alphanumeric code you got from the original OTP Setup Page into each instance (write it down or take a picture with your phone).  However, if you're using more than one device it's going to be easier to install the app on your phone and have just one place to go for your 6-digit code.


It depends.  There are multiple ways of obtaining the 6-digit code that must be entered when you login to NCEdCloud (if you have one of the privileged roles).  See the NCEdCloud MFA page for details on the different authenticator applications.

While you can install the Authy application on your desktop, or use the Chrome extention "GAuth Authenticator", these must be installed on each device you use to access the NCEdCloud IAM Service.  If you use multiple devices to login to NCEdCloud and you keep your phone with you during the day, it is much easier to install a mobile app on your phone and use it no matter what device you use.  The authentication applications (e.g. Google Authenticator, RapidIdentity) run on your phone and do NOT use SMS (text messages) to obtain the 6-digit code.  Therefore, if you scan the QR code on the OTP Setup screen the first time you login (or after an OTP Reset), there is no charge to your account or any data usage when you use the authentication app.



It depends on the authenticator app you choose.  Both the Google Authenticator and RapidIdentity apps that run on your mobile device use a time-based one-time password (TOTP) algorithm to provide a valid 6-digit code (it is not texted to your phone), so while the application RUNS on your phone, you are not sharing the number with anyone nor being changed any fees.  However, Authy (one of the alternate authentication apps that runs on your desktop), requires that you enter your cell number when installing and registering the application with the vendor.



Each 6-digit code generated by any of the authentication applications is good for 30 seconds from the time it is first displayed.  Most apps have a timer that shows you how long you have until the code “expires”.  If you only have a few seconds left, it is best to wait for a new code to be generated so you have time to enter it into the NCEdCloud OTP login screen.  This 30-second limit only applies to the time the code will be visible in the authenticator application.  Once it is entered into the NCEdCloud Login screen, you are fully authenticated using MFA and have access to the IAM Service and all applications.


The short answer is once per day.  Your OTP (6-digit code) is part of the login process to NCEdCloud, so if you typically login to NCEdCloud more than once during the day (you use different computers, tablets, etc. or logoff and close your browser during the day), you will need to enter your OTP on the 3rd screen of the login.  If you use the same machine throughout the day, then you’ll only login (and enter your OTP) once.

GAuth Authenticator is a Chrome browser extension.  If you use Chrome to access NCEdCloud, then you can use GAuth to provide your 6-digit OTP.  GAuth does not require the use of a mobile phone or entering your phone number (like Authy).  More information on GAuth can be found on the NCEdCloud MFA page at

The Authy Desktop authenticator is available for both Windows and macOS, and there is a Chrome extention available to install it on Chromebooks.  There is also a mobile app version available (like Google Authenticator and RapidIdentity), that runs on Android and iOS.

What if I get an "Unable to register: it looks like there is no internet connection" Error when trying to setup Authy?

It you get an error when trying to setup your Authy app, it is likely because you are being blocked from accessing the site to register your installation.  You should contact your local Technology Support staff to see about having the site "whitelisted" in your content-filtering service (Zscaler or another application).

The "One-Time" in One-Time Password (OTP) refers to the number of times you can use a specific 6-digit passcode to login (one time), not something you only enter once.  A new valid password is generated for your account every 30 seconds so that someone can't look over your shoulder and see your 6-digit code, or a "hacker" can't capture what you enter and try to reuse it at a later time.  It's purpose is to add a "second factor" in addition to your account password, to make your login more secure.  It is usually only implemented for user accounts that have access to data of multiple users, or higher risk data/information - like employee and student data in the case of NCEdCloud.

First Steps for New Charter Schools (2)

We recommend that you visit these pages for further information:

  1. “Claim My Account” at describes introductory information on the IAM service, account claiming instructions and directions for the Tech Director to obtain the LEA Administrator role.

  2. "Next Steps for LEA Administrators" at  This page contains information to help Charter Schools prepare to roll out the NCEdCloud IAM Service to their users and move forward with accessing Target Applications (including Home Base apps when integrated) using their NCEdCloud credentials (Username and password).

  3. "Self-Service Onboarding Checklist" at This checklist was developed with feedback from the onboarding planning sessions for Early Adopters of the NCEdCloud IAM Service and is intended to assist schools in preparing for a rollout of NCEdCloud user accounts. Charter Schools who wish to use the service should review the items below and plan/complete all tasks prior to requesting the integration of Target Applications.


You can go to "Claim My Account" from the NCEdCloud Home page and the process will be explained there.

LEA Administrators and/or Technology Directors can also find more information on requesting and granting privileged roles at the following:


User Passwords and Expiration (10)

  • Passwords shall be at a minimum 8 characters in length and no longer than 16 characters.
  • Passwords shall be comprised of at least one of each of the following:
    • Upper case letters
    • Lower case letters
    • Numbers
  • Passwords shall not contain the username alias (the portion of the user’s email address before  
  • Username, first name, last name, spaces cannot be used within the password
  • Passwords shall not begin or end with ! (an exclamation point)
  • Allowed special characters are: @ # $ % ^ & * - _ + = [ ] { } | \ : ’ . ? / ` ~ ” < > ( ) ; !
  • Passwords shall not be shared. No one will ever ask you for your password.
  • Passwords shall be changed at a minimum every 90 days for all in-scope users (employees)
  • If a user suspects any password has been compromised or is known by another individual the user shall immediately change their password and notify their local administration

Password change notifications will begin ten (10) days prior to a user’s password expiration. Within the 10-day window, each time a user logs into the IAM Service they will receive a pop-up notifying them their password will soon expire and they will be prompted to update their password. Users will continue to receive this notification until the password has been reset. Failure to change your password during this 10-day period will result in the user being prevented from further logins until they complete a password reset, which will be required by the IAM Service the next time the user tries to login.

Yes, passwords can be changed at any time, but for employees they must be changed at least every ninety (90) days. For students, the password expiration feature may optionally be turned on if the LEA wishes.

When a new employee claims their IAM account they will be forced to set an initial password. They will be prompted to change their password beginning 80 days (10-day notice) after they set their initial password.

Normally, NO.  Only if their LEA or Charter school opts-in to the IAM Service student password expiration.  To opt-in to the student password expiration policy, please have an IAM Service LEA Administrator submit a ticket to the NC DPI Technology Support Center at:

Student password expiration can be implemented in one of the following ways:

  • The entire LEA or Charter School (all students)
  • Only students in grade levels 6 - 13
  • Students in grade levels K-5 and below. 

Once implemented, students will be required to change their IAM Service passwords upon their next login and then again after 90 days.


Changing a user password that has expired is fairly straight forward:

Step 1: You attempt to login at the IAM Service RapidIdentity screen as usual.

Step 2: When you click on "Go" you receive a red error message indicating your password is expired.


Step 3: At the My Employee Profile screen click on the "Change Password" button.

Step 4: Review the Password Policy requirements and Enter your Current Password

Step 5: When you begin typing your "New" password, you will see an error message "Password Does Not Meet Requirements" (in red) displayed at the bottom of the screen.  This is normal until you have fill all the requirements of the password policy (length, case, number).


Step 6: Once you have entered a password that meets the Password Policy requirements, the message will change to "Password Meets Requirements" (green).

Step 7: Once you enter a new valid password (green message remains), you will need to Confirm it by retyping the password.  Until you accurately duplicate your new password, the "Change Password" button at the bottom will remain "grayed out".  When you type in an exact match to your new password, the button will become active and you can click on "Change Password" to complete your password change.


Step 8: Once you have completed the above screens and clicked on Change Password, you should see the following screen indicating a successful password change:


* Error:  If you receive the following message after clicking on change Password, it means that you mistyped your current (old) password in the first box.





The self-service function of changing a user password is fairly straight forward:


Step 1: Log into the NCEdCloud IAM Service, and at the Applications screen click on "Profiles".

Step 2: At the My Employee Profile screen click on the "Change Password" button.

Step 3: Review the Password Policy requirements and Enter your Current Password

Step 4: When you begin typing your "New" password, you will see an error message "Password Does Not Meet Requirements" (in red) displayed at the bottom of the screen.  This is normal until you have fill all the requirements of the password policy (length, case, number).


Step 5: Once you have entered a password that meets the Password Policy requirements, the message will change to "Password Meets Requirements" (green).

Step 6: Once you enter a new valid password (green message remains), you will need to Confirm it by retyping the password.  Until you accurately duplicate your new password, the "Change Password" button at the bottom will remain "grayed out".  When you type in an exact match to your new password, the button will become active and you can click on "Change Password" to complete your password change.


Step 7: Once you have completed the above screens and clicked on Change Password, you should see the following screen indicating a successful password change:


* Error:  If you receive the following message after clicking on change Password, it means that you mistyped your current (old) password in the first box.




If you forgot your password and it has expired (90 days or more since it was last set) you should reset it using the IAM Service's "Forgot My Password" functionality:

  1. Go to
  2. Click the "Need Help?" link toward the top right hand side of the login screen (will be updated to a Need Help? "button" in the Spring of 2020)
  3. Click the "Forgot My Password" link
  4. Enter your username
  5. You'll be asked to answer some of your challenge questions and enter a captcha code
  6. Next you'll be able to set a new password, and you're good for another 90 days
  7. Return to and proceed with your usual NCEdCloud activities


If the above steps are unsuccessful, please reach out to your school's Technology Support team for assistance with having your password reset.


All users (both employees and students) have a default password that is randomly generated for that specific user when their account is created.  However, employee users won't actually use their default password as they will set a new password when they claim their account.

For secondary students (grade 6 and higher) the LEA/Charter School may optionally have those students claim their own accounts, OR the LEA/Charter School may directly distribute the student usernames (pupil number) and default passwords.  To claim their own account a secondary student would need their pupil number, grade, birthday in YYYYMMDD format, and LEA / Charter School code.  When they start the process, they will be asked to chose and set their password. To complete the account claiming process (or during their first login if the account is not claimed), a secondary student will need to answer at least 5 challenge response questions. (See: Student Account Claiming).

For primary student accounts (grades 5 and below) the LEA/Charter School has the option to use Badges (QR Code login) or Pictographs - see NCEdCloud Badges and Pictographs for K-5 Students.  Otherwise, teachers will need to directly distribute the student usernames (pupil number) and default passwords. There is no claim account process (or challenge questions) for K-5 students.


Currently there is no limitation on password history - which is to say that passwords may be reused.  However at NCDPI’s discretion in the future, password reuse limitations may be enabled.

LEA Administrators and Data Auditors (27)

What is the purpose of the "Disable account from Source Updates" checkbox in user account list view (under Profiles?

User Account Disables, Disabling Accounts From Source Updates, and the Override Views In “People”


There are 3 features in the People module of the NCEdCloud IAM Service that users with the LEA Administrator role can use.  This document will explain how and when to use each feature, and their relationships to each other.


The 3 Features are:

  1. User Account Disable/Enable buttons
  2. Disable Updates from Source Data checkbox
  3. LEA Employee/Student/Parent Overrides views (left navigation)


User Account Disable/Enable button

Only users with the NCEdCloud LEA Administrator role have the ability to Disable a user account under the People module.  This functionality in the NCEdCloud IAM Service is made available for "emergency" disables, usually related to a user termination or a compromised account.  Otherwise, a staff member who leaves employment under normal circumstances would have their Staff UID system record changed to “inactive” by the PSU’s payroll department or the PSU Staff UID Administrator, and their NCEdCloud account would be disabled automatically overnight.  

To “force” an account disable in the NCEdCloud IAM Service, simply search for the employee by name or UID (in People), select their record by clicking on the checkbox at the far left of the record, and then click on the “Disable” button along the bottom of the screen.  This will prevent the user from logging into the NCEdCloud.  It can be changed back by clicking on the Enable button.

It is important to note that all accounts are ultimately controlled by the data files that update the NCEdCloud IAM Service nightly.  These files are generated with data from the authoritative NCDPI source systems, and for employees this is the Staff UID system (PowerSchool is authoritative for Student accounts).  If an employee account is disabled in NCEdCloud, but Staff UID still has them listed as an “active” employee, then the data sent to the NCEdCloud will re-enable the account overnight.  Therefore, if there’s a chance the employee’s account has NOT been deactivated in the Staff UID system, and the account must remain disabled, the Disable Updates from Source Data checkbox must also be checked (see next section).


Disable Updates from Source Data checkbox

As mentioned above, the Disable Updates from Source Data checkbox controls whether or not any changes in the nightly source data file for a user, will update their NCEdCloud account.  Checking the “Disable updates from source data” checkbox, prevents any changes from being applied to the user’s NCEdCloud account.  You can find the checkbox by first searching for the user you want to update, and clicking on the checkbox at the far left of the user’s record in “list view”.  You will then see the “Details” button at the end of their record (see below)

Clicking on the Details button brings up the details screen (gray panel on the right of the screen, as shown below).  


Click the red “Edit Profile” button at the bottom of the details screen, and you can scroll to the user checkboxes, one of which is: “DISABLE UPDATES FROM SOURCE DATA”.


 Click on the checkbox to activate it and then click “Save”.


This will now keep the user account disabled, even if the latest source data indicates they are “Active” in your PSU, until the account is re-enabled (Clicking on the Enable button as mentioned above).  

While there are valid cases for using the “Disable Updates from Source Data” feature (the terminated employee or compromised account mentioned above, graduating students that still need access to a school issued email account through NCEdCloud, staff accounts that are being updated with invalid source data from another PSU, etc.), there are consequences for using this feature if the account remains in this state (not updating) for very long.  If the box is not “unchecked” once the source data issue has been resolved, then future valid changes to source data will not show up in NCEdCloud.

For example if a staff member transfers to a new PSU (yours or somewhere else), until the box is unchecked and their record updated with the new LEA code, they won’t have any access to applications at the new PSU.  Even changes like moving to a different school campus within the PSU won’t be reflected.  If you notice a new employee’s data in Staff UID is correct, but it’s not showing up in the NCEdCloud IAM Service, then you may need to open a ticket with Identity Automation.  Once the disable updates from source data checkbox is unchecked, they will be able to force an update to the account, and the user will then show up as an employee in your PSU.


In addition to what has already been covered, there are a couple of situations you should also be aware of: 

  1. If an employee is transferring to another PSU, DO NOT disable their account or check the Disable Updates from Source Data checkbox.  The employee will need to use their account to access applications at their new PSU.


  1. If you have concerns about a transferred employee accessing your PSU’s applications, work with your Payroll department or your Staff UID administrator to make sure the employee’s Staff UID record is updated to reflect an inactive status for YOUR PSU.


Once an employee is no longer active in your PSU, access to your applications, and any privileged roles they were granted (for your PSU), will be revoked.


LEA Employee/Student/Parent Override views

The “Overrides” delegations (views) for Employees, Students, or Parents, listed in the left navigation in the People module, allow an LEA Administrator to see which accounts have the “Disable updates from source data” checkbox checked, and are currently NOT being updated with changes from source data.  (All users listed in Overrides have the box checked.)

Admins can uncheck the box for users from this view (and they will no longer show up under Overrides), and any future changes to their user data will be updated in the NCEdCloud.  However, remember to also put a ticket in with Identity Automation to force an update of the user’s record in NCEdCloud.  This will ensure any changes made to source data while the account was not being updated, are synchronized with their account.  


*NOTE: User source data, received nightly  from NCDPI, is written to the Person Registry (a user database that’s part of the NCEdCloud IAM Service).  Changes in the nightly user data files are updated in the Person Registry when processed, and then pushed to the NCEdCloud IAM Service RapidIdentity accounts.  However, if there is no change in the data for a user between the new source data for that evening, and what was previously received and stored, no update occurs for that user in RapidIdentity. This prevents unnecessary writes to the RapidIdentity accounts.

If a change happens WHILE the disable updates checkbox is checked, the user account is NOT updated (although the Person Registry is).  However, when the box is unchecked, the user’s account WILL NOT be updated automatically that evening, since there is no longer any difference between the “current” data and what’s in the nightly files.  

Opening a support ticket with Identity Automation will result in them FORCING an update to the NCEdCloud accounts with whatever data exists in the Person Registry, thus syncing the authoritative source data and the NCEdCloud account data.)


Mark Scheible

Updated: July 2022



NC DPI purchased the Amplify application for grades K-3 and automatically shows the icon for students in those grade levels.  It also displays the icon for students in grade 4 to allow testing of students designated as "reading retained".  How can I get it to display for older students if our PSU has purchased Amplify for them (Grades 5 and 6)?

If your PSU has purchased ADDITIONAL Amplify coverage for students in grades 4-6, you can Submit the Amplify Request Form to add the icon to your PSU for Grades 5 and/or 6.  Once enabled, the icon will be presented to ALL students in the grades selected, as we cannot currently manage school-level icons for the entire state.  Note: This form must be filled out and submitted by a PSU staff member with the "LEA Administrator role" in the NCEdCloud.

If you have staff members in your LEA or charter school who were using accounts in the IAM Service but they no longer show up, the first place to check is typically the payroll system that your LEA or charter school uses. This occasionally happens with 10 and 11 month employees when their work/job Start Dates are not present or not in the upcoming school year in the payroll system.

The payroll system is used as the authoritative data source for the Staff UID system and tells the Staff UID system which staff members to make active in your LEA or charter school. If staff members are active in your LEA or charter school in the Staff UID system, their data is sent to the IAM Service nightly (as an active record). Click here to view the IAM Service source data workflow to see how staff and student data makes its way into the IAM Service.

If your payroll system does not show employees as “active” at the time the CEDARS UID extract is sent to the Staff UID system, they will be marked inactive in the Staff UID system. Inactive UID staff data is not sent to the NCEdCloud IAM Service in the nightly updates, and if a user record does not show up, their existing IAM Service account will be marked as inactive and disabled.  At that point, it will not be visible in the NCEdCloud IAM Service and the user will not be able to login. The account is still there, but until the user data is marked as Active in the UID system and picked up in the nightly feed from DPI, the account will remain “missing”.

For LINQ customers, if your current payroll practice is to end jobs for your 10, 10.5, or 11 month staff, you must either create them a new job with a future start date or update their existing job record with a new Start and End date in order to keep them active within the IAM Service. Any employee that has no Active or Future job within payroll will be sent as Inactive in the CEDARS UID Export.

Employee email address originally came from the HRMS system when NCEdCloud was first set up.  However, many PSUs complained that those records were only updated if an employee changed jobs, and frequently had an old email listed.  This process was changed a few years ago to obtain employee email address in a specific order by searching 2 or 3 source systems to find staff email address.  The process now starts with PowerSchool, then checks LINQ HR (if used by the LEA), and lastly HRMS. The process stops the first time it finds an email populated for the user.  Therefore, if HR updates HRMS and the employee has a new record added to the PSU's PowerSchool instance, there may be a mismatch between the two - however, the email in PowerSchool is the one that will appear in the NCEdCloud data.

In addition, a CRITICAL requirement for passing an employee's email address to the IAM Service is that the user's "school identifier" in the source data (3-digits identifying the school, or 6-digits with the LEA code + the school code), must match the "schoolID" in the UID system.  In PowerSchool this is the "homeschool" field, in LINQ HR it is the LINQ schoolID, and in HRMS it is the HRMS schoolID field.  In each scenario, the school identifier found in PowerSchool, LINQ HR, or HRMS, MUST match the schoolID in the user's active UID record.  If the user is listed in PowerSchool with an email address and the correct homeschool code (e.g. 123), but is listed in UID with the System Office code (000), then the records won't match and the email for that user will NOT be populated in the IAM Service.  This would be a reason why an employee is missing email in the NCEdCloud IAM Service.

When troubleshooting why a staff member's email is not populated in the NCEdCloud IAM Service, make sure to confirm that the school code is carried in the fields mentioned above and has the SAME value as the schoolID in the UID system.

I go to the Profiles tab and click on Manage My Employees, but I don't see anything.  Are my employees in the IAM Service?

The My Employees tab or the My Students tab under Profiles (on the left) in the IAM Service relies on a "Search" function. You need to enter some criteria to select the users you want to lookup. The easiest search is to enter an asterisk * wildcard in the search window and click the Search button. This will only return the first 1000 matching records, however, which is the limit of any query.  You can also look for all users beginning with the letter P by entering P + asterisk (P*) in the search window, and clicking Search.  To filter your lookup, click on the box for Advanced Search Mode and enter more specific criteria there. Save the search criteria, and click on Search. When searching on Last Name it is always helpful to enter a trailing asterisk * wildcard to make sure you retrieve users whose last name may be followed by a generational qualifier such as Jr., III, etc.

There are two general cases in which you may want to query your user data. The first is to obtain answers to questions about you data. The second is to perform actions on the results of a data query. An example is resetting students' passwords to their IAM "default passwords".

For the first case please see the first three bullets of the first item in this FAQ: How do I tell who has claimed their account in the IAM Service?

What you want to do is search for all users in your PSU that do not have a VALID email address format.  You can do this by following this procedure:

  1. Select the Manage Employees tab or Manage Students tab (under Profiles)
  2. Click on the Advanced Search checkbox and enter...
  3. For ALL users (Last Name = *) AND with an invalid email address format (Email != *@*.*)

The equation: Email  !=  *@*.*  translates as Email NOT EQUAL to wildcard@wildcard.wildcard (where "wildcard" represented by an asterisk, can be ANY value)

This search will turn up all users with invalid email addresses, such as those missing: the principal name, the @, or the school domain (e.g.

The easiest way to search for user records that are missing an email address is to select the Manage Employees tab or the Managed Students tab (under Profiles) and then do an Advanced Search for [Last Name = *] AND [Email != * ].  This search string looks at all users (since you entered an asterisk for Last Name) and where the Email field DOES NOT equal "something".  In otherwords, if there is an entry in the email field, it skips that record.  If the user's email field is empty/blank/null then it is displayed because there is nothing in the field.

Any user, including new teachers, must have a UID in order to appear in the IAM Service. UIDs are obtained through the UID process.  Please see the summary and detailed explanations below...

UID Summary: 

As soon as an employee is hired with a future start date, they are eligible to receive a UID and subsequently receive access to systems for professional development and other tasks.Some payroll systems (e.g. LINQ) have taken this into consideration and include new hires with a future start date in the UID export for the current fiscal year. However, if your payroll system does not include new employees with a future start date in the UID export file, we recommend that you reach out to your vendor and request that they address this issue as soon as possible. In the meantime, you can add these new employees to the Staff UID system manually using the “Add Staff” feature available to authorized users.

The “Add Staff” feature in the Staff UID System provides a staff member with a UID, makes them active at the correct location(s), and provisions the new staff member’s account to applicable downstream systems (NCEdCloud, PowerSchool, etc.), outside of the payroll file export process. Documentation for the steps to add a staff member to the Staff UID System using this feature can be found at Once their start date occurs, they will be included in the UID export file and uploaded to the Staff UID System. Because they are already in the system, the employee record in the UID export will be identified as an exact match.

Please see the following resources for more details on the UID System:

Source Data Requirements

UID Support & Training

Charter Schools should also look here: For Charter Schools


Frequently, employees that transfer from another PSU are not updated in their former payroll system and the Staff UID System in a timely manner.  If you find that the Profile of an employee still lists information from a former LEA or Charter School (e.g. LEA Code and/or School Codes), you will need to contact that PSU and have them update their Payroll System and the Staff UID System. Contacts for PSUs can be found within the NC EDDIE system on the NCDPI website at

Steps to Inactivate Staff at Previous PSU:

  • The employee's payroll record at the former PSU needs to be marked "Inactive".
  • The record needs to be uploaded to the Staff UID System, which will mark the UID record at the former district as "Inactive".
  • The following business day the old data will no longer be pulled into the IAM Service and "old" information should disappear from the user's IAM Service Profile.


Contract employees who are not in a PSU's payroll system (which is how most employees have records created or updated in the Staff UID System), can get an account in the NCEdCloud IAM Service by creating their records directly in the Staff UID System.  Information about the UID System can be found on the NCDPI Site.  The process for adding Non-PSU Employees to the UID System can be found under - Acquiring Staff IDs for Non‐Payroll Staff.

If Contract employees will need to access PowerSchool, they'll need to be added to your PowerSchool instance.  Make sure their UID number is in the StatePrid field in PowerSchool, as that field is matched when a user logs in using the NCEdCloud IAM Service.

Several Home Base User Group members have asked which PowerSchool field will be matched against the UID in the SAML Assertion when a user logs into PowerSchool. The UID number is the unique identifier for IAM, it is stored within PowerSchool as follows:

employee => SIF_StatePrid

student => State_studentnumber

Please note that on some screens SIF_StatePrid may show up as StatePrId. It is the same thing. So for employees,  (SIF_StatePrid = StatePrID = UID)

Also note that if you see Student_number on the screen it is the same number as the state_studentnumber.  (Student_number = state_studentnumber)

The Tech Director/CTO for an LEA or Charter School should be the first person to claim their account and request the LEA Administrator Role.  To request a privileged role for others, choose the ‘Workflow’ button on the left menu and then choose the ‘Requests’ tab along the top. Select the desired role checkbox(es) (LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, and School Student Help Desk) and click the Submit Requests button. (See for more information and an example screen-shot.) Note that anyone who has the LEA Administrator Role automatically attains the same privileges as LEA Help Desk, LEA Student Help Desk and LEA Data Auditor, hence it is not necessary for an LEA Administrator to also have the other roles.

The first request from a PSU for the LEA Administrator role will be vetted by NCDPI support staff prior to granting the role.  Once granted, an LEA Administrator may approve future workflow requests, as well as have access to administrative functions in the IAM Service for their district's or charter school's employees and students.  They will also be granted access to the LEA Administrator website where more protected content is available.



Using the workflow process, employees are able to request the LEA Administrator, LEA Data Auditor, LEA Help Desk, and/or the LEA Student Help Desk roles. These requests would typically be granted or denied based on the discretion of the LEA Administrator(s) of the LEA or Charter School. Privileged roles are described briefly below. Further information on these roles is available in the training videos on  

It is up to each LEA and Charter School to determine which employee(s) should be granted these privileged roles. Keep in mind they do have extra privileges and access to data so you must use careful judgment in granting the roles.  Note that anyone who has the LEA Administrator role automatically attains the same privileges as LEA Data Auditor, LEA Help Desk and LEA Student Help Desk, hence it is not necessary for an LEA Administrator to also have the other roles.

LEA Administrator

The LEA Administrator Role is the highest level of privilege an employee can receive in the IAM Service.  Any employee with this role is granted full access to all your LEA’s or Charter School’s student and employee identity data, the ability to enable/disable accounts, change passwords and to request and approve other privileged roles for Administrators, Data Auditors, Help Desk Support, etc.   You can have as many employees with these roles as you would like, but just be aware of the access and associated risks.  If you have this role, no other roles are needed as their privileges would be redundant.  Allowed actions include: Full access to LEA user data (Profiles, data files, viewing and searching).  Typically this role would be assigned to the CTO/Technology Director and his/her designated trusted staff.

LEA Data Auditor

The LEA Data Auditor role has two main capabilities:  1) View-only access to student and employee profiles (e.g. View My Students, View My Employees); and 2) Use of the File Access Module where source data files are located and downloadable. CAUTION: Downloaded data files contain highly sensitive data. It is essential that the LEA/CS practice proper handling, storage & disposal of downloaded data files. The LEA Data Auditor role does NOT allow changing another user’s password or disabling/enabling user accounts.  If a user with the data auditor role also needs to reset passwords for users, they can request the Help Desk role.  Allowed actions include: Viewing and searching user data for the district, access to LEA source and user data files.  Good candidates fo this role might include PowerSchool Data Coordinators and staff who are responsible for entering payroll and/or HRMS data.

LEA Help Desk

The LEA Help Desk role allows LEA/Charter School technical staff the ability to perform basic minimal management for users within their LEA. Allowed actions on all accounts in the LEA include: reset challenge questions, change password and disable account claiming.  You might find this role appropriate for technology facilitators, help desk personnel and Media Specialists.

LEA Student Help Desk

Employees with the LEA Student Help Desk role will be able to access the “Help Desk For Students” tab in the Profiles section of From there they will be able to perform minimal account management for student users within their LEA. Allowed actions on all student accounts in the LEA will include: reset challenge questions, change password, and disable account claiming. You might find this role appropriate for technology facilitators, help desk personnel and Media Specialists.


School Help Desk

The School Help Desk role allows LEA/Charter School staff the ability to perform minimal account management for users within a specific school (or schools) in their PSU. Allowed actions on all accounts in the school include: reset challenge questions, change password and disable account claiming.  You might find this role appropriate for instructional technology facilitators, help desk personnel and Media Specialists.

School Student Help Desk

Employees with the School Student Help Desk role will be able to access the “School Help Desk For Students” tab in the Profiles section of From there they will be able to perform minimal account management for student users within a specific school (or schools) in their LEA. Allowed actions on all student accounts in the school(s) will include: reset challenge questions, change password, and disable account claiming. You might find this role appropriate for instructional technology facilitators, guidance counselors, and Media Specialists.


The LEA Administrator, LEA Data Auditor, LEA Help Desk and/or the LEA Student Help Desk roles can be revoked in either of two ways:

1. The user with the elevated privilege can self-revoke a role by using the same workflow process they used to originally request the role.

For example, after logging into the IAM Service:

Workflow button - left side > Requests - top tab > Deselect the role to be revoked > Click Submit Request.

The privileged role would be revoked immediately.


2. Designated LEA/Charter School personnel may request role removal by opening a Sales Force ticket with Identity Automation at: 

Customer Support Community: or by email:



NOTE:  While an LEA Administrator doesn't have the ability to *directly* remove another employee's elevated privileges, an LEA Administrator *does* have the ability to immediately disable an account if needed.  That process is described in the Training Videos (see the Applications tab -> Training ->  LEA Administrator Training -> "How do I disable someone's account?")

No, there is no requirement that you make any changes to your user accounts within your LEA. The UID number however is the login for cloud-based services such as HomeBase and other NCEdCloud IAM apps (should you choose to adopt them).  Whether an LEA chooses to use NCEdCloud IAM accounts within their local district services is up to you. If it is of interest to do so, it is possible the NCEdCloud IAM’s CDLR service could help facilitate that. 

There are several important drawbacks for users without an email address within the service.  For example:

  1. LEA Administrators and other employees that use the Workflow features of the IAM service would have no way to automatically be notified by the IAM service of their workflow-related task items.

  2. Some target services require the email address.  Without having email associated with the provisioned user account, functionality of those target services could be significantly impacted.

  3. The “Forgot my username” function requires email, so that IAM feature would not work.  

The ability to see the "My Students" tab in the Rapid Identity Portal under Profiles view, is based on whether the employee who logs into the IAM Service has one of the designated "Teacher Job Codes".  Job Codes are setup by the NCDPI and are assigned to an employee through their payroll system and stored in the UID system.  Below are the job codes (sometimes referred to as object codes), that allow an employee to see the My Students tab.  An employee with this tab would be able to use it to help reset passwords for any of their students that are assigned to them (typically as the primary teacher for a class) within PowerSchool.

Job Codes:

121 Teacher
122 Interim Teacher
123 JROTC Teacher
124 Foreign Exchange (VIF) 
125 New Teacher Orientation
126 Extended Contracts
127 Master Teacher
128 Re-Employed Retired
131 Instructional Support I
132 Instructional Support II
134 Teacher Mentor
135 Instructional Facilitator
142 Teacher Assistant NCLB
162 Substitute Teacher Regular - Teacher Absence 
164 Substitute Teacher - Full Time Certified


There is a “My Students for Non-teachers” exception role in the IAM Service that can optionally be requested by employees that don't have one of the above job codes but do have students assigned to them. When granted, this role allows employees who are teaching classes but do not fall within the previous job codes, to see their assigned students via the "My Students for Non-teachers" tab in the IAM service.  This role must be requested each school year, as it will expire on June 30th of the school year in which it is granted.


To request this role, the employee would do the following after logging into

Workflow tab on left -> Requests tab across the top -> Check "My Students for non-Teachers" box -> click "Submit Request" button

The approval request would then go to an employee in your LEA/Charter School with the LEA Administrator role.

The complete process for restoring an account to unclaimed status is:

  • Under Profiles > Manage Employees tab or Manage Students tab, enter the user's UID and click Search to retrieve the account in question.
  • On the far right of the account line that was returned, click the "pencil". A dialog box opens and then UNCHECK the "Disable Claim Account" box and click Save.
  • Select (check) the checkbox on the far left of the account line and then...
  • Click Change Password button above the search box. A dialog box opens and then check only the "Set Password to Default Value" option and then click Save.
  • Click Reset Challenge Responses button above the search box and then Yes to confirm.


This entire process must be followed to assure a complete reset to unclaimed status.


Home Base Maintenance Periods typically involve downtime of PowerSchool and sometimes other Home Base applications. However, during such downtime, other IAM Service integrated applications remain available.

For a complete schedule of Home Base Maintenance Periods, please see... Home Base Maintenance and Support


Upstream data processes produce the user data that is provided to the NCEdCloud IAM service early in the morning on Monday through Saturday. If an updated data field value is entered into that field's source system prior to that source system's cutoff time, then the data is provided to the IAM service the following day. (Note that data is typically NOT provided to the IAM service on Sunday mornings). After the IAM service receives updated data very early on the following morning, it is processed by the IAM service and made available later on that same day, usually before school starts.

For details on the source systems and cutoff times for various employee and student fields and SchoolNet roles please see:

NCEdCloud IAM Service Sources and Timing for Employee Data Fields


As of July 2015 the IAM Service was integrated with all Home Base applications and is no longer an Opt-In Service. The Single Sign-On (SSO) feature of the IAM Service enables users to logon to one of the Home Base applications, or any other resource integrated with the IAM Service, one time and then access any other application without having to logon again.

Non-Home Base Target Application will continue to be opt-in for LEAs and Charter Schools, however, now that the service is rolled out to all North Carolina K-12 users it will make more sense to continue to integrate additional applications to take advantage of the SSO provided by the IAM Service.



  • Individual Applications have their own timeouts -- it is Application dependent.
  • The NCEdCloud IAM Service RapidIdentity Portal:
    • Login Screen inactivity timeout (you go to the login screen but don't login) = 5 minutes
      • If timed-out here, close the unused login window/tab, open a new window/tab and start over.
    • Once in the NCEdCloud portal, the inactivity timeout = 8 Hours
  • The SAML assertion timeout is valid for 5 minutes (the assertion itself)
    • Individual Applications can have a different timeout for their session(s).  If it is > 5 minutes and that timeout occurs, they will check the SAML assertion and then handle it however they're configured.
  • In general it is best that users completely close their browser sessions (Chrome, Safari, Firefox, etc.) when they are done.
    • One example is Google Apps. If Google Apps is integrated with the IAM Service and a user logs in, they stay logged in until they close the browser, which could be days or weeks.


How do I tell who has claimed their account in the IAM Service?

There are two ways to determine this:

  1. The prefered way is to use a 'report' that is provided to every LEA and Charter School in the "Files" area of the IAM Service.  
    • Click on the LEA Data Bucket under Files and you should see your most recent seven days of *_psu_userdata.txt (* = timestamp)
    • Highlight the most recent userdata.txt file and then click on download (remember to secure this file and delete it when you're done as this has employee and student PII in it)
    • Open the file in MS Excel or other spreadsheet program and select "Finish" if prompted (The file is tab delimited)
    • Then select Data (from the main menu along the top) and Sort
    • In the sort window select the dropdown for column and select idautoPersonClaimFlag and
    • Under Order, select Largest to Smallest
    • Then click OK and you should see all your users who have claimed their accounts will have a "True" in column AA (idautoPersonClaimFlag)
    • Once most of your users have claimed their accounts, you can sort on that column by smallest to largest (the default) and you'll see who has NOT claimed their account.​
  2. The other way, is to use the Search function under Profiles​​
    • ​​Select Manage LEA Employees
    • Click on the Advanced Search checkbox
    • Then click on Define Criteria
    • Select Other and enter "idautoPersonClaimFlag" in the first box and "True" in the second box
    • Then select Save, and at the Profiles page, select Search
    • Users (up to the first 1000) that have claimed their accounts will be displayed
    • You can add other search criteria to narrow the search results, but this method is not as flexible as the first method using the userdata.txt report


There are a couple of Chrome settings that may improve your experience in using the NCEdCloud IAM Service:

  1. ’Continue where I left off’ - attempts to re-establish all of your sessions that were open when you closed the browser. This can result in a continuation of a session -OR- can result in some very cryptic errors within the Application.  Change this under Settings > On startup

  2. ‘Continue running background apps when Google Chrome is closed’ - Disable this setting under Settings > Show advanced settings… > System > uncheck the item.


In addition, other users have reported that clearing cached images & files has also helped: Ctrl-Shift-Del (or Menu > More tools... > Clear browsing data...) and clear only Cached images and files.


For primary student accounts (grades K-5) the PSUs will always need to directly distribute the student usernames (pupil number) and default passwords, or NCEdCloud Badges (QR Codes) usually through teachers. There is no claim account process (or challenge questions) for primary students.

For secondary student accounts (grade 6 and higher) the PSU may optionally choose to have those students claim their own accounts, or the PSU may directly distribute the student usernames (pupil number) and default passwords.  To claim their own account, a secondary student would need their pupil number, grade, birthday in YYYYMMDD format, and PSU (LEA) code.  To complete the account claiming process (or the initial login if account is not claimed), a secondary student will need to answer at least 5 challenge response questions. (See: Student Account Claiming ).



PowerSchool administrators can continue to configure timeouts for PowerSchool (e.g. 5 minutes, 10 minutes, etc.). Other applications may have different timeout settings which may vary from application to application. See also..


Browser tabs or windows opened in “private” or “incognito” mode will prevent session information from being shared between other tabs/windows. As a result there is no memory of logons done within other tabs, hence accessing NCEdCloud IAM applications in a different private tab or window would require an additional logon.  Private or Incognito mode should be disabled when using your browser for NCEdCloud Target Applications (e.g. Home Base applications, Google Apps, Discovery Education, Follett Destiny, etc).