Frequently Asked Questions

General (13)

Changing Student Passwords

If a teacher needs to change a student's password, they follow these steps: (1) Select Profiles, (2) Select My Students, and once they find the student whose password they wish to change, (3) check the box in front of the student's name. The "Change Password" button will then light up (no longer grayed out). (4) Click on the Change Password button and fill in the required information - see below.

NOTE: If your students are using Badges/QR Codes to login, then after changing their password you will need to print a new Badge by selecting My Students (QR Codes), then selecting the checkbox to the left of your student, and finally clicking on the QR Code button.  You can then print the new badge(s) displayed.



In the Change Password box you will enter the New Password and then in the box below it, Confirm the password.  At this point you can either click Save (at red arrow below) and tell them the password to use going forward, or if you want to require that they change their password to something only they know, check the "User must change password at next login" checkbox.  This will force them to enter a new password once they login.



If you haven't already done so, click on the Save button and note the "Confirm" window (click on OK).



I am active in multiple LEAs and have more than one email address in the IAM service. How do I select my preferred email address?

A: Users who have more than one valid email address (e.g. they are active in multiple schools within an LEA or in multiple LEAs and have a unique email in each), may now see all valid emails in the IAM service. Those users will have the ability to choose a preferred email address from within the Profiles tab in The preferred email address will be the one used by the IAM Service when populating “email address” for integrated Target Applications. To choose a preferred email address, go to Profiles -> My Profile -> Edit Profile then use the pull down menu from the dialog box as shown in the following example:



The quickest way to access the IAM Service is to type into your browser window and go there directly.  If you want to bookmark the IAM Service, see the FAQ on "How Do I Bookmark the IAM Service?"





If you Forgot your username, or are Claiming Your Account for the first time, the eScholar UID number is the former 9- or 10-digit NCWise Student or Pupil Number (for Students) and the 10-digit State Employee UID or PowerSchool UID for teachers and staff. Employee UID numbers should be in the UID system as well as Payroll, so your Finance Department may be able to help you locate the number.  Many LEAs and Charter Schools were already using the UID number to logon to PowerSchool.  If so, then it's the same number/username you're already used to.



If you want to BOOKMARK the IAM Service Rapid Identity Portal, DO NOT bookmark the Login Screen where you enter your username and password, but once you get to the Rapid Identity Portal (where your Application icons show up) you can bookmark THAT page.  Then whenever you want to go to the IAM Service you can click on that bookmark.

Key points to remember for Bookmarking the IAM Service:


   Don't Bookmark!                        BOOKMARK 




There are three main criteria for challenge questions:  

  • 5 of the 10 questions must be answered
  • The answers must be 3 or more characters
  • Answers cannot be repeated among questions

In addition, the answers are not case-sensitive.

If a question is not answered it will be ignored in the password recovery process. For example, if you initially answer only 5 of the questions then you will be challenged with 2 of those 5 questions. If you initially answer 6 questions then you will be challenged with 2 of those 6. You will never be asked a question that you did not answer during setup.



No, the response to a challenge question is not case-sensitive.



Users are not able to edit their profiles to add/change their email address in the IAM Service. The only way an IAM Service account's email address can be added/changed is if that user's email is added/changed in source data: PowerSchool for students; and - in order - PowerSchool, LINQ HR (upload for Charter Schools), or HRMS for staff.  (NOTE: The previous order lists the priority given to each data source.  If PowerSchool has an email for a staff member, that's the email address that will be used in the data sent to the NCEdCloud IAM Service).

We recommend that LEAs & Charter Schools strive to provide email addresses for all their users as there are important drawbacks for users without an email address within the service. For example:

  • LEA Administrators and other employees that use the Workflow features of the IAM Service would have no way to automatically be notified by the IAM Service of their workflow-related task items.
  • Some target services require the email address.  Without having email associated with the provisioned user account, functionality of those target services could be significantly impacted.




Various username conventions were researched and vetted over several months before selecting the UID convention. We understand the UID convention does not satisfy every user. In fact there is no solution that would satisfy the various constraints of the IAM Service and also be acceptable to all users. Yet we needed to have a convention that would get the job done.  We need to have something that works in all known current and future target apps and using email addresses wouldn't meet that criteria. Based on various feedback received, the NCDPI CIO, Michael Nicolaides, ultimately made the decision to use the UID convention.


If you get a "The request is invalid" message or the screen shown below, it's likely because you "bookmarked" the Logon Screen (where you enter your Username) or used the "back button". To get to the IAM Service (to access your applications or change/reset your password for example), go to  Then bookmark the page where you see your Applications.  Then in the future, when you click on the bookmark you created on the Applications page, it will take you to the Logon page and then transfer you to NCEdCloud.   If you try to go directly to the login screen by bookmarking it, the IAM Service won't know where you want to go (e.g. PowerSchool, Google Apps for Education, etc.).  That's why you get an error.



If you are having trouble getting to NCEdCloud applications and resources, please follow your local support process for resolving technology issues. If your local support staff cannot resolve your problem, they are authorized to escalate the problem to Tier 2 support (the NC DPI Technology Support Center) for resolution.

A helpful video about logging into the NCEdCloud IAM Service can also be found here:




We understand that some LEAs may have concerns about teachers being able to set their students' passwords. However, because the IAM Service is a solution for the entire state, it was not feasible to make the feature an option for those PSUs that wanted to implement it. Please keep in mind that ALL password changes are audited within the service, so a record of any password transaction is captured along with who made the change.




Parent/Guardian logins will not be affected.


Badge (QR Code) and Pictograph Logins for K-5 (4)


The short answer is that iPad 2s cannot run the required version of iOS to allow access to the camera for scanning the badges.  Logging into NCEdCloud with student Badges requires that Apple iOS (mobile) devices be able to access the device camera through Safari (the Apple browser) to scan a student's badge.  We have recently found out that Safari cannot "capture" the device camera on versions of iOS prior to 11.x.  The last version of iOS released for the iPad 2 was 9.3.5.  Therefore, iPad 2 devices cannot be used for Badge (QR Code) logins to NCEdCloud.  To the best of our knowledge, an Apple mobile device (iPhone, iPad) must be running an 11.x or higher version of iOS.



If you see this error, it means that the password contained in the Badge QR Code (badges contain the student's Username/Student Number and their account Password), does not match the CURRENT Password of the account.  Someone has changed the password since the badge was printed (or it is an older copy of the badge), and therefore you will need to view and print a new badge for the affected student.  You can do this in NCEdCloud by clicking Profiles, then My Students (QR Code) - LEA ###, and check the box next to the student's name.  Then select the QR Code button to view the student badge, and print it (either right click or select "Print" from the browser menu).



If a student who is configured to use a Badge to login to NCEdCloud doesn't have it with them, they can enter their Username (Student Number) at the Username prompt and select "Go".  They will then see the Password screen for NCEdCloud and can enter their password to complete their login.  If they click on the "Scan Student QR Code" Button instead of entering Username, they will need to click on the "Start Over" button and "Ok" to get back to the Username screen.  Then after entering their Student Number and clicking "Go", they will be presented with the Password Screen.



QR Codes (Badges) must be "bright" enough for a student device camera to read properly.  Make sure the students aren't shading their badges or tilting them downward when scanning.  Having badges lighted by overhead lighting or an exterior window may help.  Also make sure the badge itself is printed clearly on white paper for the best contrast.  More recent releases of the RapidIdentity Portal software have also helped with the camera issue.


Multi-Factor Authentication (MFA) or One-Time Passwords (OTP) (12)


As a part of continuing efforts to enhance the security posture of statewide IT systems, and due to the access users with NCEdCloud privileged roles (LEA Administrator, LEA Data Auditor, LEA Help Desk, and LEA Student Help Desk) have to student and employee data, Multi-Factor Authentication (MFA) will now be required for users with any of these roles in the NCEdCloud IAM Service.  NCDPI implemented MFA for these privileged users statewide, as of 2019. More information can be found on the NCEdCloud MFA webpage.


As of November 2019, employees with NCEdCloud LEA Administrator, LEA Data Auditor, LEA Help Desk, or LEA Student Help Desk privileged roles, are required to use MFA and enter a One-Time Password (OTP) with each login to the NCEdCloud RapidIdentity portal.

Currently, because of the access these users have to employee and/or student data, MFA has been implemented for all privileged roles in the NCEdCloud IAM Service, including LEA Administrator, LEA Data Auditor, LEA Help Desk, and LEA Student Help Desk.  If additional privileged roles are added in the future, they will likely be required to use MFA as well.  However, at this time there are no plans to require MFA for any staff outside of these special groups.


The One-Time Password (OTP) is tied to your NCEdCloud ACCOUNT, not to a device.  Therefore, when you login the first time after MFA is implemented (or after an OTP Reset) and see the OTP Setup Page, the QR Code and the AlphaNumeric Code below it are what links the NCEdCloud MFA to the 6-digit code presented by your authentication application (Google Authenticator, RapidIdentity, Authy Desktop).  The QR code and the AlphaNumeric Code are "identical", as far as providing the same information to authentication apps - as long as they're taken from the same OTP Setup page.  Therefore, you can use the same authentication app on your phone to login to your iPad or your Windows machine.

If you're using Authy and have it installed on more than one device, that will work.  But you'll need to enter the same alphanumeric code you got from the original OTP Setup Page into each instance (write it down or take a picture with your phone).  However, if you're using more than one device it's going to be easier to install the app on your phone and have just one place to go for your 6-digit code.


It depends.  There are multiple ways of obtaining the 6-digit code that must be entered when you login to NCEdCloud (if you have one of the privileged roles).  See the NCEdCloud MFA page for details on the different authenticator applications.

While you can install the Authy application on your desktop, or use the Chrome extension "GAuth Authenticator", these must be installed on each device you use to access the NCEdCloud IAM Service.  If you use multiple devices to login to NCEdCloud and you keep your phone with you during the day, it is much easier to install a mobile app on your phone and use it no matter what device you use.  The authentication applications (e.g. Google Authenticator, RapidIdentity) run on your phone and do NOT use SMS (text messages) to obtain the 6-digit code.  Therefore, if you scan the QR code on the OTP Setup screen the first time you login (or after an OTP Reset), there is no charge to your account or any data usage when you use the authentication app.



It depends on the authenticator app you choose.  Both the Google Authenticator and RapidIdentity apps that run on your mobile device use a time-based one-time password (TOTP) algorithm to provide a valid 6-digit code (it is not texted to your phone), so while the application RUNS on your phone, you are not sharing the number with anyone nor being charged any fees.  However, Authy (one of the alternate authentication apps that runs on your desktop), requires that you enter your cell number when installing and registering the application with the vendor.



Each 6-digit code generated by any of the authentication applications is good for 30 seconds from the time it is first displayed.  Most apps have a timer that shows you how long you have until the code “expires”.  If you only have a few seconds left, it is best to wait for a new code to be generated so you have time to enter it into the NCEdCloud OTP login screen.  This 30-second limit only applies to the time the code will be visible in the authenticator application.  Once it is entered into the NCEdCloud Login screen, you are fully authenticated using MFA and have access to the IAM Service and all applications.


The short answer is once per day.  Your OTP (6-digit code) is part of the login process to NCEdCloud, so if you typically login to NCEdCloud more than once during the day (you use different computers, tablets, etc. or logoff and close your browser during the day), you will need to enter your OTP on the 3rd screen of the login.  If you use the same machine throughout the day, then you’ll only login (and enter your OTP) once.

GAuth Authenticator is a Chrome browser extension.  If you use Chrome to access NCEdCloud, then you can use GAuth to provide your 6-digit OTP.  GAuth does not require the use of a mobile phone or entering your phone number (like Authy).  More information on GAuth can be found on the NCEdCloud MFA page at

The Authy Desktop authenticator is available for both Windows and macOS, and there is a Chrome extension available to install it on Chromebooks.  There is also a mobile app version available (like Google Authenticator and RapidIdentity), that runs on Android and iOS.

What if I get an "Unable to register: it looks like there is no internet connection" Error when trying to setup Authy?

If you get an error when trying to setup your Authy app, it is likely because you are being blocked from accessing the site to register your installation.  You should contact your local Technology Support staff to see about having the site "whitelisted" in your content-filtering service (Zscaler or another application).

The "One-Time" in One-Time Password (OTP) refers to the number of times you can use a specific 6-digit passcode to login (one time), not something you only enter once.  A new valid password is generated for your account every 30 seconds so that someone can't look over your shoulder and see your 6-digit code, or a "hacker" can't capture what you enter and try to reuse it at a later time.  Its purpose is to add a "second factor" in addition to your account password, to make your login more secure.  It is usually only implemented for user accounts that have access to data of multiple users, or higher risk data/information - like employee and student data in the case of NCEdCloud.
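How the 6-digit codes in the answers above are produced, why the QR code and the alphanumeric code give the same number on every device, and why a captured code cannot be reused: an added Python example of the standard TOTP algorithm (RFC 6238), not code from NCEdCloud, RapidIdentity or any authenticator app. It assumes the setup QR code carries a standard otpauth:// key URI (the page does not say so) and uses a constructed secret, the RFC test key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

STEP = 30    # seconds per code, matching the 30-second window described above
DIGITS = 6

# Constructed sample: what a setup QR code would encode under the otpauth://
# assumption. The secret is the RFC 6238 test key, not a real account secret.
SETUP_URI = ("otpauth://totp/Example:1234567890"
             "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def secret_from_setup(value):
    """Return the shared secret bytes from either form shown on a setup page:
    the otpauth:// URI inside the QR code or the bare alphanumeric code."""
    if value.startswith("otpauth://"):
        value = parse_qs(urlparse(value).query)["secret"][0]
    b32 = value.replace(" ", "").upper()
    b32 += "=" * (-len(b32) % 8)          # restore any omitted Base32 padding
    return base64.b32decode(b32)


def totp(secret, unix_time):
    """RFC 6238 code (HMAC-SHA1, 30-second step, 6 digits) for a given time."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class OtpVerifier:
    """Server-side check for one account: a code is accepted only in its own
    30-second window, and a window that has been used is never accepted again."""

    def __init__(self, secret):
        self.secret = secret
        self.last_counter = -1

    def verify(self, code, unix_time):
        counter = int(unix_time) // STEP
        if counter <= self.last_counter:
            return False                  # replay of an already used window
        expected = totp(self.secret, unix_time)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    phone = secret_from_setup(SETUP_URI)                             # scanned QR
    laptop = secret_from_setup("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # typed code
    print(totp(phone, 59), totp(laptop, 59))   # both devices show the same code
```

Because both devices derive the code from the same secret and the clock, nothing is sent to the phone and no SMS is involved.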

First Steps for New Charter Schools (2)

We recommend that you visit these pages for further information:

  1. “Claim My Account” at describes introductory information on the IAM service, account claiming instructions and directions for the Tech Director to obtain the LEA Administrator role.

  2. "Next Steps for LEA Administrators" at  This page contains information to help Charter Schools prepare to roll out the NCEdCloud IAM Service to their users and move forward with accessing Target Applications (including Home Base apps when integrated) using their NCEdCloud credentials (Username and password).

  3. "Self-Service Onboarding Checklist" at This checklist was developed with feedback from the onboarding planning sessions for Early Adopters of the NCEdCloud IAM Service and is intended to assist schools in preparing for a rollout of NCEdCloud user accounts. Charter Schools who wish to use the service should review the items below and plan/complete all tasks prior to requesting the integration of Target Applications.


You can go to "Claim My Account" from the NCEdCloud Home page and the process will be explained there.

LEA Administrators and/or Technology Directors can also find more information on requesting and granting privileged roles at the following:


User Passwords and Expiration (10)

  • Passwords shall be at a minimum 8 characters in length and no longer than 16 characters.
  • Passwords shall be comprised of at least one of each of the following:
    • Upper case letters
    • Lower case letters
    • Numbers
  • Passwords shall not contain the username alias (the portion of the user’s email address before  
  • Username, first name, last name, spaces cannot be used within the password
  • Passwords shall not begin or end with ! (an exclamation point)
  • Allowed special characters are: @ # $ % ^ & * - _ + = [ ] { } | \ : ’ . ? / ` ~ ” < > ( ) ; !
  • Passwords shall not be shared. No one will ever ask you for your password.
  • Passwords shall be changed at a minimum every 90 days for all in-scope users (employees)
  • If a user suspects any password has been compromised or is known by another individual the user shall immediately change their password and notify their local administration

Password change notifications will begin ten (10) days prior to a user’s password expiration. Within the 10-day window, each time a user logs into the IAM Service they will receive a pop-up notifying them their password will soon expire and they will be prompted to update their password. Users will continue to receive this notification until the password has been reset. Failure to change your password during this 10-day period will result in the user being prevented from further logins until they complete a password reset, which will be required by the IAM Service the next time the user tries to login.

Yes, passwords can be changed at any time, but for employees they must be changed at least every ninety (90) days. For students, the password expiration feature may optionally be turned on if the LEA wishes.

When a new employee claims their IAM account they will be forced to set an initial password. They will be prompted to change their password beginning 80 days (10-day notice) after they set their initial password.
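The password rules and the 90-day expiration window described above, written as a small checker. This is an added example, not code from NCEdCloud or RapidIdentity; the function names, the rule ids, the case-insensitive name matching, and the acceptance of straight quotes alongside the typographic quotes printed in the list are assumptions.

```python
import string
from datetime import date

MIN_LEN, MAX_LEN = 8, 16
MAX_AGE_DAYS = 90   # employees must change passwords at least every 90 days
NOTICE_DAYS = 10    # reminders begin 10 days before expiration

# Special characters as printed in the policy list. Assumption: the straight
# quotes ' and " are accepted along with the typographic ones shown there.
ALLOWED_SPECIALS = set("@#$%^&*-_+=[]{}|\\:.?/`~<>();!'\"\u2019\u201d")
ALLOWED = set(string.ascii_letters + string.digits) | ALLOWED_SPECIALS


def policy_violations(password, username, first_name, last_name, email=""):
    """Return the ids of the rules the password breaks (empty = compliant)."""
    broken = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        broken.append("length")
    if not any(c in string.ascii_uppercase for c in password):
        broken.append("uppercase")
    if not any(c in string.ascii_lowercase for c in password):
        broken.append("lowercase")
    if not any(c in string.digits for c in password):
        broken.append("digit")
    # Spaces and any character outside the allowed list are rejected.
    if any(c not in ALLOWED for c in password):
        broken.append("charset")
    if password.startswith("!") or password.endswith("!"):
        broken.append("bang-edge")
    # Username, first name, last name and the email alias (taken here as the
    # part before the @) must not appear inside the password.
    # Assumption: the comparison ignores case.
    alias = email.split("@", 1)[0]
    lowered = password.lower()
    for value in (username, first_name, last_name, alias):
        if value and value.lower() in lowered:
            broken.append("contains-identity")
            break
    return broken


def expiry_state(last_set, today):
    """Classify an employee password by age: 'ok', 'notify' (inside the
    10-day reminder window) or 'expired' (90 days or more since it was set)."""
    age = (today - last_set).days
    if age >= MAX_AGE_DAYS:
        return "expired"
    if age >= MAX_AGE_DAYS - NOTICE_DAYS:
        return "notify"
    return "ok"


if __name__ == "__main__":
    # Constructed sample user and passwords.
    user = ("1234567890", "Pat", "Lee", "plee@example.org")
    for candidate in ("Spring2024go", "Patricia2024x", "!Welcome2024"):
        print(candidate, policy_violations(candidate, *user))
    print(expiry_state(date(2024, 1, 1), date(2024, 3, 21)))
```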

Normally, NO.  Only if their LEA or Charter school opts-in to the IAM Service student password expiration.  To opt-in to the student password expiration policy, please have an IAM Service LEA Administrator submit a ticket to the NC DPI Technology Support Center at:

Student password expiration can be implemented in one of the following ways:

  • The entire LEA or Charter School (all students)
  • Only students in grade levels 6 - 13
  • Students in grade levels K-5 and below. 

Once implemented, students will be required to change their IAM Service passwords upon their next login and then again after 90 days.


Changing a user password that has expired is fairly straightforward:

Step 1: You attempt to login at the IAM Service RapidIdentity screen as usual.

Step 2: When you click on "Go" you receive a red error message indicating your password is expired.


Step 3: At the My Employee Profile screen click on the "Change Password" button.

Step 4: Review the Password Policy requirements and Enter your Current Password

Step 5: When you begin typing your "New" password, you will see an error message "Password Does Not Meet Requirements" (in red) displayed at the bottom of the screen.  This is normal until you have fulfilled all the requirements of the password policy (length, case, number).


Step 6: Once you have entered a password that meets the Password Policy requirements, the message will change to "Password Meets Requirements" (green).

Step 7: Once you enter a new valid password (green message remains), you will need to Confirm it by retyping the password.  Until you accurately duplicate your new password, the "Change Password" button at the bottom will remain "grayed out".  When you type in an exact match to your new password, the button will become active and you can click on "Change Password" to complete your password change.


Step 8: Once you have completed the above screens and clicked on Change Password, you should see the following screen indicating a successful password change:


* Error:  If you receive the following message after clicking on change Password, it means that you mistyped your current (old) password in the first box.





The self-service function of changing a user password is fairly straightforward:


Step 1: Log into the NCEdCloud IAM Service, and at the Applications screen click on "Profiles".

Step 2: At the My Employee Profile screen click on the "Change Password" button.

Step 3: Review the Password Policy requirements and Enter your Current Password

Step 4: When you begin typing your "New" password, you will see an error message "Password Does Not Meet Requirements" (in red) displayed at the bottom of the screen.  This is normal until you have fulfilled all the requirements of the password policy (length, case, number).


Step 5: Once you have entered a password that meets the Password Policy requirements, the message will change to "Password Meets Requirements" (green).

Step 6: Once you enter a new valid password (green message remains), you will need to Confirm it by retyping the password.  Until you accurately duplicate your new password, the "Change Password" button at the bottom will remain "grayed out".  When you type in an exact match to your new password, the button will become active and you can click on "Change Password" to complete your password change.


Step 7: Once you have completed the above screens and clicked on Change Password, you should see the following screen indicating a successful password change:


* Error:  If you receive the following message after clicking on change Password, it means that you mistyped your current (old) password in the first box.




If you forgot your password and it has expired (90 days or more since it was last set) you should reset it using the IAM Service's "Forgot My Password" functionality:

  1. Go to
  2. Click the "Need Help?" link toward the top right hand side of the login screen (will be updated to a Need Help? "button" in the Spring of 2020)
  3. Click the "Forgot My Password" link
  4. Enter your username
  5. You'll be asked to answer some of your challenge questions and enter a captcha code
  6. Next you'll be able to set a new password, and you're good for another 90 days
  7. Return to and proceed with your usual NCEdCloud activities


If the above steps are unsuccessful, please reach out to your school's Technology Support team for assistance with having your password reset.


All users (both employees and students) have a default password that is randomly generated for that specific user when their account is created.  However, employee users won't actually use their default password as they will set a new password when they claim their account.

For secondary students (grade 6 and higher) the LEA/Charter School may optionally have those students claim their own accounts, OR the LEA/Charter School may directly distribute the student usernames (pupil number) and default passwords.  To claim their own account a secondary student would need their pupil number, grade, birthday in YYYYMMDD format, and LEA / Charter School code.  When they start the process, they will be asked to choose and set their password. To complete the account claiming process (or during their first login if the account is not claimed), a secondary student will need to answer at least 5 challenge response questions. (See: Student Account Claiming).

For primary student accounts (grades 5 and below) the LEA/Charter School has the option to use Badges (QR Code login) or Pictographs - see NCEdCloud Badges and Pictographs for K-5 Students.  Otherwise, teachers will need to directly distribute the student usernames (pupil number) and default passwords. There is no claim account process (or challenge questions) for K-5 students.


Currently there is no limitation on password history - which is to say that passwords may be reused.  However at NCDPI’s discretion in the future, password reuse limitations may be enabled.

LEA Administrators and Data Auditors (24)

If you have staff members in your LEA or charter school who were using accounts in the IAM Service but they no longer show up, the first place to check is typically the payroll system that your LEA or charter school uses. This occasionally happens with 10 and 11 month employees when their work/job Start Dates are not present or not in the upcoming school year in the payroll system.

The payroll system is used as the authoritative data source for the Staff UID system and tells the Staff UID system which staff members to make active in your LEA or charter school. If staff members are active in your LEA or charter school in the Staff UID system, their data is sent to the IAM Service nightly (as an active record). Click here to view the IAM Service source data workflow to see how staff and student data makes its way into the IAM Service.

If your payroll system does not show employees as “active” at the time the CEDARS UID extract is sent to the Staff UID system, they will be marked inactive in the Staff UID system. Inactive UID staff data is not sent to the NCEdCloud IAM Service in the nightly updates, and if a user record does not show up, their existing IAM Service account will be marked as inactive and disabled.  At that point, it will not be visible in the NCEdCloud IAM Service and the user will not be able to login. The account is still there, but until the user data is marked as Active in the UID system and picked up in the nightly feed from DPI, the account will remain “missing”.

For LINQ customers, if your current payroll practice is to end jobs for your 10, 10.5, or 11 month staff, you must either create them a new job with a future start date or update their existing job record with a new Start and End date in order to keep them active within the IAM Service. Any employee that has no Active or Future job within payroll will be sent as Inactive in the CEDARS UID Export.

Employee email address originally came from the HRMS system when NCEdCloud was first set up.  However, many PSUs complained that those records were only updated if an employee changed jobs, and frequently had an old email listed.  This process was changed a few years ago to obtain employee email address in a specific order by searching 2 or 3 source systems to find staff email address.  The process now starts with PowerSchool, then checks LINQ HR (if used by the LEA), and lastly HRMS. The process stops the first time it finds an email populated for the user.  Therefore, if HR updates HRMS and the employee has a new record added to the PSU's PowerSchool instance, there may be a mismatch between the two - however, the email in PowerSchool is the one that will appear in the NCEdCloud data.

In addition, a CRITICAL requirement for passing an employee's email address to the IAM Service is that the user's "school identifier" in the source data (3-digits identifying the school, or 6-digits with the LEA code + the school code), must match the "schoolID" in the UID system.  In PowerSchool this is the "homeschool" field, in LINQ HR it is the LINQ schoolID, and in HRMS it is the HRMS schoolID field.  In each scenario, the school identifier found in PowerSchool, LINQ HR, or HRMS, MUST match the schoolID in the user's active UID record.  If the user is listed in PowerSchool with an email address and the correct homeschool code (e.g. 123), but is listed in UID with the System Office code (000), then the records won't match and the email for that user will NOT be populated in the IAM Service.  This would be a reason why an employee is missing email in the NCEdCloud IAM Service.

When troubleshooting why a staff member's email is not populated in the NCEdCloud IAM Service, make sure to confirm that the school code carried in the fields mentioned above has the SAME value as the schoolID in the UID system.

I go to the Profiles tab and click on Manage My Employees, but I don't see anything.  Are my employees in the IAM Service?

The My Employees tab or the My Students tab under Profiles in the IAM Service relies on a "Search" function. You need to enter some criteria to select the users you want to lookup. The easiest search is to enter an asterisk * wildcard in the search window and click the Search button. This will only return the first 1000 matching records, however, which is the limit of the query.  You can also look for all users beginning with the letter P by entering P + asterisk (P*) in the search window, and clicking Search.  To filter your lookup, click on the box for Advanced Search Mode and enter more specific criteria there. Save the search criteria, and click on Search. When searching on Last Name it is helpful to always enter a trailing asterisk * wildcard to make sure you retrieve users whose last name may be followed by a generational qualifier such as Jr., III, etc.

What you want to do is search for all users in your PSU that do not have a VALID email address format.  You can do this by following this procedure:

  1. Select the Manage Employees tab or Manage Students tab (under Profiles)
  2. Click on the Advanced Search checkbox and enter...
  3. For ALL users (Last Name = *) AND with an invalid email address format (Email != *@*.*)

The equation: Email  !=  *@*.*  translates as Email NOT EQUAL to wildcard@wildcard.wildcard (where "wildcard", represented by an asterisk, can be ANY value)

This search will turn up all users with invalid email addresses, such as those missing: the principal name, the @, or the following school domain (e.g.

The easiest way to search for user records that are missing an email address is to select the Manage Employees tab or the Manage Students tab (under Profiles) and then do an Advanced Search for [Last Name = *] AND [Email != * ].  This search string looks at all users (since you entered an asterisk for Last Name, it searches every record), and where the Email field DOES NOT equal "something".  In other words, if there is an entry in the email field, it skips that record.  If the user's email field is empty/blank/null - then it is displayed because there is nothing in the field.

Any user, including new teachers, must have a UID in order to appear in the IAM Service. UIDs are obtained through the UID process.  Please see the summary and detailed explanations below...

UID Summary: 

As soon as an employee is hired with a future start date, they are eligible to receive a UID and subsequently receive access to systems for professional development and other tasks. Some payroll systems (e.g. LINQ) have taken this into consideration and include new hires with a future start date in the UID export for the current fiscal year. However, if your payroll system does not include new employees with a future start date in the UID export file, we recommend that you reach out to your vendor and request that they address this issue as soon as possible. In the meantime, you can add these new employees to the Staff UID system manually using the “Add Staff” feature available to authorized users.

The “Add Staff” feature in the Staff UID System provides a staff member with a UID, makes them active at the correct location(s), and provisions the new staff member’s account to applicable downstream systems (NCEdCloud, PowerSchool, etc.), outside of the payroll file export process. Documentation for the steps to add a staff member to the Staff UID System using this feature can be found at Once their start date occurs, they will be included in the UID export file and uploaded to the Staff UID System. Because they are already in the system, the employee record in the UID export will be identified as an exact match.

Please see the following resources for more details on the UID System:

Source Data Requirements

UID Support & Training

Charter Schools should also look here: For Charter Schools


Frequently, employees that transfer from another PSU are not updated in their former payroll system and the Staff UID System in a timely manner.  If you find that the Profile of an employee still lists information from a former LEA or Charter School (e.g. LEA Code and/or School Codes), you will need to contact that PSU and have them update their Payroll System and the Staff UID System. Contacts for PSUs can be found within the NC EDDIE system on the NCDPI website at

Steps to Inactivate Staff at Previous PSU:

  • The employee's payroll record at the former PSU needs to be marked "Inactive".
  • The record needs to be uploaded to the Staff UID System, which will mark the UID record at the former district as "Inactive".
  • The following business day the old data will no longer be pulled into the IAM Service and "old" information should disappear from the user's IAM Service Profile.


Contract employees who are not in an LEA's or Charter School's payroll system can get IAM Service accounts by creating their records directly in the UID System. Information about the UID System can be found on the NCDPI Site. The process for adding Non-LEA Employees to the UID System can be found under - Acquiring Staff IDs for Non‐Payroll Staff.

If Contract employees will need to access PowerSchool, they'll need to be added to your PowerSchool instance.  Make sure their UID# is in the StatePrid field in PowerSchool, as that field is matched when a user logs in using the IAM Service.

Several Home Base User Group members have asked which PowerSchool field will be matched against the UID in the SAML Assertion when a user logs into PowerSchool. The UID number is the unique identifier for IAM. It is stored within PowerSchool as follows:

employee => SIF_StatePrid

student => State_studentnumber

Please note that on some screens SIF_StatePrid may show up as StatePrId. It is the same thing. So for employees,  (SIF_StatePrid = StatePrID = UID)

Also note that if you see Student_number on the screen it is the same number as the state_studentnumber.  (Student_number = state_studentnumber)

The Tech Director/CTO for an LEA or Charter School should be the first person to claim their account and request the LEA Administrator Role.  To request a privileged role for others, choose the ‘Workflow’ button on the left menu and then choose the ‘Requests’ tab along the top. Select the desired role checkbox(es) (LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk) and click the Submit Requests button. (See for more information and an example screen-shot.) Note that anyone who has the LEA Administrator Role automatically attains the same privileges as LEA Help Desk, LEA Student Help Desk and LEA Data Auditor, hence it is not necessary for an LEA Administrator to also have the other roles.

The first request from an LEA for the LEA Administrator role will be vetted by NCDPI support staff prior to granting the role.  Once granted, an LEA Administrator may approve future workflow requests, as well as have access to administrative functions in the IAM Service for their district's employees and students.  They will also be granted access to the LEA Administrator website where more protected content is available.



Using the workflow process, employees are able to request the LEA Administrator, LEA Data Auditor, LEA Help Desk, and/or the LEA Student Help Desk roles. These requests would typically be granted or denied based on the discretion of the LEA Administrator(s) of the LEA or Charter School. Privileged roles are described briefly below. Further information on these roles is available in the training videos on  

It is up to each LEA and Charter School to determine which employee(s) should be granted these privileged roles. Keep in mind they do have extra privileges and access to data so you must use careful judgment in granting the roles.  Note that anyone who has the LEA Administrator role automatically attains the same privileges as LEA Data Auditor, LEA Help Desk and LEA Student Help Desk, hence it is not necessary for an LEA Administrator to also have the other roles.

LEA Administrator

The LEA Administrator Role is the highest level of privilege an employee can receive in the IAM Service.  Any employee with this role is granted full access to all your LEA’s or Charter School’s student and employee identity data, the ability to enable/disable accounts, change passwords and to request and approve other privileged roles for Administrators, Data Auditors, Help Desk Support, etc.   You can have as many employees with these roles as you would like, but just be aware of the access and associated risks.  If you have this role, no other roles are needed as their privileges would be redundant.  Allowed actions include: Full access to LEA user data (Profiles, data files, viewing and searching).  Typically this role would be assigned to the CTO/Technology Director and his/her designated trusted staff.

LEA Data Auditor

The LEA Data Auditor role has two main capabilities:  1) View-only access to student and employee profiles (e.g. View My Students, View My Employees); and 2) Use of the File Access Module where source data files are located and downloadable. CAUTION: Downloaded data files contain highly sensitive data. It is essential that the LEA/CS practice proper handling, storage & disposal of downloaded data files. The LEA Data Auditor role does NOT allow changing another user’s password or disabling/enabling user accounts.  If a user with the data auditor role also needs to reset passwords for users, they can request the Help Desk role.  Allowed actions include: Viewing and searching user data for the district, access to LEA source and user data files.  Good candidates for this role might include PowerSchool Data Coordinators and staff who are responsible for entering payroll and/or HRMS data.

LEA Help Desk

The LEA Help Desk role allows LEA/Charter School technical staff the ability to perform basic account management for users within their LEA. Allowed actions on all accounts in the LEA include: reset challenge questions, change password and disable account claiming.  You might find this role appropriate for technology facilitators, help desk personnel and Media Specialists.

LEA Student Help Desk

Employees with the LEA Student Help Desk role will be able to access the “Help Desk For Students” tab in the Profiles section of From there they will be able to perform basic account management for student users within their LEA. Allowed actions on all student accounts in the LEA will include: reset challenge questions, change password, and disable account claiming. You might find this role appropriate for technology facilitators, help desk personnel and Media Specialists.


The LEA Administrator, LEA Data Auditor, LEA Help Desk and/or the LEA Student Help Desk roles can be revoked in either of two ways:

1. The user with the elevated privilege can self-revoke a role by using the same workflow process they used to originally request the role.

For example, after logging into the IAM Service:

Workflow button - left side > Requests - top tab > Deselect the role to be revoked > Click Submit Request.

The privileged role would be revoked immediately.


2. Designated LEA/Charter School personnel may request role removal by submitting a request to the NCDPI Tech Support Center:


NOTE:  While an LEA Administrator doesn't have the ability to *directly* remove another employee's elevated privileges, an LEA Administrator *does* have the ability to immediately disable an account if needed.  That process is described in the Training Videos (see the Applications tab -> Training ->  LEA Administrator Training -> "How do I disable someone's account?")

No, there is no requirement that you make any changes to your user accounts within your LEA. The UID number, however, is the login for cloud-based services such as HomeBase and other NCEdCloud IAM apps (should you choose to adopt them). Whether to use NCEdCloud IAM accounts within local district services is up to each LEA. If it is of interest to do so, it is possible the NCEdCloud IAM’s CDLR service could help facilitate that.

There are several important drawbacks for users without an email address within the service.  For example:

  1. LEA Administrators and other employees that use the Workflow features of the IAM service would have no way to automatically be notified by the IAM service of their workflow-related task items.

  2. Some target services require the email address.  Without having email associated with the provisioned user account, functionality of those target services could be significantly impacted.

  3. The “Forgot my username” function requires email, so that IAM feature would not work.  

The ability to see the "My Students" tab in the Rapid Identity Portal under the Profiles view is based on whether the employee who logs into the IAM Service has one of the designated "Teacher Job Codes".  Job Codes are set up by the NCDPI and are assigned to an employee through their payroll system and stored in the UID system.  Below are the job codes (sometimes referred to as object codes) that allow an employee to see the My Students tab.  An employee with this tab would be able to use it to help reset passwords for any of their students that are assigned to them (typically as the primary teacher for a class) within PowerSchool.

There is a “My Students for Non-teachers” exception role in the IAM Service that can optionally be requested by employees that don't have one of the above job codes but do have students assigned to them. When granted, this role allows employees who are teaching classes but do not fall within the previous job codes, to see their assigned students via the "My Students for Non-teachers" tab in the IAM service.  This role must be requested each school year, as it will expire on June 30th of the school year in which it is granted.


To request this role, the employee would do the following after logging into

Workflow tab on left -> Requests tab across the top -> Check "My Students for non-Teachers" box -> click "Submit Request" button

The approval request would then go to an employee in your LEA/Charter School with the LEA Administrator role.

The complete process for restoring an account to unclaimed status is:

  • Under Profiles > Manage Employees tab or Manage Students tab, enter the user's UID and click Search to retrieve the account in question.
  • On the far right of the account line that was returned, click the "pencil". A dialog box opens and then UNCHECK the "Disable Claim Account" box and click Save.
  • Select (check) the checkbox on the far left of the account line and then...
  • Click Change Password button above the search box. A dialog box opens and then check only the "Set Password to Default Value" option and then click Save.
  • Click Reset Challenge Responses button above the search box and then Yes to confirm.


This entire process must be followed to assure a complete reset to unclaimed status.


Home Base Maintenance Periods typically involve downtime of PowerSchool and sometimes other Home Base applications. However, during such downtime, other IAM Service integrated applications remain available.

For a complete schedule of Home Base Maintenance Periods, please see... Home Base Maintenance Schedule


Upstream data processes produce the user data that is provided to the NCEdCloud IAM service early in the morning on Monday through Saturday. If an updated data field value is entered into that field's source system prior to that source system's cutoff time, then the data is provided to the IAM service the following day. (Note that data is typically NOT provided to the IAM service on Sunday mornings). After the IAM service receives updated data very early on the following morning, it is processed by the IAM service and made available later on that same day, usually before school starts.

For details on the source systems and cutoff times for various employee and student fields and SchoolNet roles please see:

NCEdCloud IAM Service Sources and Timing for Employee Data Fields


As of July 2015 the IAM Service was integrated with all Home Base applications and is no longer an Opt-In Service. The Single Sign-On (SSO) feature of the IAM Service enables users to logon to one of the Home Base applications, or any other resource integrated with the IAM Service, one time and then access any other application without having to logon again.

Non-Home Base Target Applications will continue to be opt-in for LEAs and Charter Schools. However, now that the service is rolled out to all North Carolina K-12 users, it will make more sense to continue to integrate additional applications to take advantage of the SSO provided by the IAM Service.



  • Individual Applications have their own timeouts -- it is Application dependent.
  • The NCEdCloud IAM Service RapidIdentity Portal:
    • Login Screen inactivity timeout (you go to the login screen but don't login) = 5 minutes
      • If timed-out here, close the unused login window/tab, open a new window/tab and start over.
    • Once in the NCEdCloud portal, the inactivity timeout = 8 Hours
  • The SAML assertion itself is valid for 5 minutes
    • Individual Applications can have a different timeout for their session(s).  If it is > 5 minutes and that timeout occurs, they will check the SAML assertion and then handle it however they're configured.
  • In general it is best that users completely close their browser sessions (Chrome, Safari, Firefox, etc.) when they are done.
    • One example is Google Apps. If Google Apps is integrated with the IAM Service and a user logs in, they stay logged in until they close the browser, which could be days or weeks.
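The 5-minute assertion lifetime listed above, together with the UID field mapping given earlier for PowerSchool (employee => SIF_StatePrid, student => State_studentnumber), can be illustrated from the receiving application's side. This is an added sketch, not code from the IAM Service or PowerSchool: the assertion and account records are constructed, carrying the UID in the Subject NameID is an assumption, and signature verification is left out.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# PowerSchool field matched against the UID, per the mapping on this page.
MATCH_FIELD = {"employee": "SIF_StatePrid", "student": "State_studentnumber"}
FMT = "%Y-%m-%dT%H:%M:%SZ"

def sample_assertion(uid, issued):
    """Constructed, unsigned assertion valid for 5 minutes from `issued`.
    Assumption: the UID travels in the Subject NameID."""
    expires = issued + timedelta(minutes=5)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject><saml:NameID>{uid}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{issued.strftime(FMT)}" '
        f'NotOnOrAfter="{expires.strftime(FMT)}"/>'
        "</saml:Assertion>"
    )

def _ts(text):
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def uid_if_valid(xml_text, now):
    """Return the UID when `now` is inside the validity window, else None.
    Signature verification, which must come first in a real service
    provider, is deliberately out of scope for this sketch."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if cond is None or name_id is None or not (name_id.text or "").strip():
        return None
    try:
        start, end = _ts(cond.attrib["NotBefore"]), _ts(cond.attrib["NotOnOrAfter"])
    except (KeyError, ValueError):
        return None  # missing or malformed validity window: refuse
    return name_id.text.strip() if start <= now < end else None

def find_account(uid, user_type, accounts):
    """Match the asserted UID against the field for this user type."""
    field = MATCH_FIELD[user_type]
    hits = [a for a in accounts if a.get(field) == uid]
    return hits[0] if len(hits) == 1 else None  # none or ambiguous: refuse

# Constructed local account records (values are made up).
ACCOUNTS = [
    {"name": "T. Example", "SIF_StatePrid": "1000000001"},
    {"name": "S. Example", "State_studentnumber": "2000000002"},
]

def login(xml_text, user_type, now, accounts=ACCOUNTS):
    uid = uid_if_valid(xml_text, now)
    return find_account(uid, user_type, accounts) if uid else None
```

An application whose own session lasts longer than 5 minutes cannot re-use the original assertion when that session ends: `login` returns `None` for it, so the user has to obtain a fresh assertion from the IAM Service.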



There are a couple of Chrome settings that may improve your experience in using the NCEdCloud IAM Service:

  1. ’Continue where I left off’ - attempts to re-establish all of your sessions that were open when you closed the browser. This can result in a continuation of a session -OR- can result in some very cryptic errors within the Application.  Change this under Settings > On startup

  2. ‘Continue running background apps when Google Chrome is closed’ - Disable this setting under Settings > Show advanced settings… > System > uncheck the item.


In addition, other users have reported that clearing cached images & files has also helped: Ctrl-Shift-Del (or Menu > More tools... > Clear browsing data...) and clear only Cached images and files.


For primary student accounts (grades K-5) the PSUs will always need to directly distribute the student usernames (pupil number) and default passwords, or NCEdCloud Badges (QR Codes) usually through teachers. There is no claim account process (or challenge questions) for primary students.

For secondary student accounts (grade 6 and higher) the PSU may optionally choose to have those students claim their own accounts, or the PSU may directly distribute the student usernames (pupil number) and default passwords.  To claim their own account, a secondary student would need their pupil number, grade, birthday in YYYYMMDD format, and PSU (LEA) code.  To complete the account claiming process (or the initial login if account is not claimed), a secondary student will need to answer at least 5 challenge response questions. (See: Student Account Claiming.)



PowerSchool administrators can continue to configure timeouts for PowerSchool (e.g. 5 minutes, 10 minutes, etc.). Other applications may have different timeout settings which may vary from application to application. See also..


Browser tabs or windows opened in “private” or “incognito” mode will prevent session information from being shared between other tabs/windows. As a result there is no memory of logons done within other tabs, hence accessing NCEdCloud IAM applications in a different private tab or window would require an additional logon.  Private or Incognito mode should be disabled when using your browser for NCEdCloud Target Applications (e.g. Home Base applications, Google Apps, Discovery Education, Follett Destiny, etc).