You can manage your domains in Control Hub. Add, verify, and claim your domains to use features that require proof of domain ownership, to ensure the security and integrity of your organization, and to help with user management. Release or remove domains if you don't need them anymore.
Why should I verify domains? You verify your domains to prove to Webex that you own them. This allows you to claim users into your organization if they signed up in a different organization. You also need to verify your domains before you can claim them.
To verify domains, we provide a token to add to your domain host's DNS TXT record. To confirm that you own the domain, we check for this token on the DNS server.
Why should I claim domains? Claim a domain if you want new users with that domain to automatically be created within your organization. This includes your users who sign themselves up for Webex. If you have not claimed your domain, then users who sign themselves up are created in a general organization with all the other "free" users. You cannot manage their services until you claim the users into your organization. Keep in mind that you don’t have to claim a domain to claim a user into your organization.
Before you claim a domain: Users who already exist in the free consumer organization are not automatically converted to your organization. You'll need to convert these users. We recommend that you convert consumer users to your organization before claiming the domain. That way, these users will not receive a notification after the domain claim.
Can I claim a domain in two different organizations? No. The purpose of the domain claim is to prevent other organizations from using the domain.
You can release a domain if you want to claim it in a different organization (if you own the domain and manage both organizations).
Before you begin
You must own the domains you want to verify and claim.
For Hybrid Calling for users and Webex-registered devices, you must verify domains that are contained in the on-premises directory URIs for end user accounts on Unified CM.
You must verify domains in a particular order to prevent administrator lockout. For example, you must add the administrator domain first, followed by all the other domains.
Sign in to Control Hub at https://admin.webex.com, go to Organization Settings and under Domains click Add Domain.
Enter your domain name and click Add.
Click the ellipsis beside your domain and choose Retrieve verification token.
Copy the verification token into your DNS TXT record.
Click Verify next to each domain.
If the verification fails, the error is cached by your DNS server. Your DNS server clears the cache after the length of time specified in the Time To Live (TTL) setting. You must wait until the DNS server clears the cache before you try again. You can then add the verification token again and request verification for the domain.
If the verification token is found and matched, the domain status changes to verified in Control Hub. To confirm that your domains are verified, go to Control Hub, click Settings, scroll to Domains, and then confirm that this status appears next to the domain entries:
After the domain is verified, the TXT record is no longer required and you can remove the verification token from your DNS server.
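A pre-check for the token and TTL behaviour described above, as an added example that is not part of the original article or any Webex tooling: it parses the output of `dig +noall +answer +authority TXT example.com` and reports whether the token is published and, if not, how long a cached answer can persist. The token value, the sample records, and the exact-match comparison are assumptions made for illustration.

```python
import shlex

# Constructed samples of `dig +noall +answer +authority TXT example.com` output.
# TOKEN is a placeholder, not a real Webex verification token.
TOKEN = "PLACEHOLDER-VERIFICATION-TOKEN"
DIG_FOUND = (
    'example.com. 300 IN TXT "v=spf1 -all"\n'
    'example.com. 300 IN TXT "PLACEHOLDER-VERIFI" "CATION-TOKEN"\n'
)
DIG_STALE = 'example.com. 240 IN TXT "v=spf1 -all"\n'
DIG_EMPTY = (
    "example.com. 900 IN SOA ns1.example.com. hostmaster.example.com. "
    "2024010101 7200 3600 1209600 600\n"
)


def parse_records(dig_output):
    """Yield (ttl, rtype, rdata_fields) for each resource-record line."""
    for line in dig_output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # skip blank lines and dig comment lines
        fields = shlex.split(line)  # keeps each quoted TXT string as one field
        if len(fields) >= 5:
            yield int(fields[1]), fields[3], fields[4:]


def check_token(dig_output, token):
    """Return (found, seconds_to_wait_before_retrying)."""
    txt_ttl = neg_ttl = None
    for ttl, rtype, rdata in parse_records(dig_output):
        if rtype == "TXT":
            # A TXT value may be split into several quoted strings; join them.
            if "".join(rdata) == token:
                return True, 0
            # Token absent: the cached TXT set lives for its remaining TTL.
            txt_ttl = max(ttl, txt_ttl or 0)
        elif rtype == "SOA":
            # No TXT data at all: negative answers are cached for
            # min(SOA record TTL, SOA MINIMUM field), per RFC 2308.
            neg_ttl = min(ttl, int(rdata[-1]))
    return False, txt_ttl if txt_ttl is not None else neg_ttl


if __name__ == "__main__":
    for sample in (DIG_FOUND, DIG_STALE, DIG_EMPTY):
        print(check_token(sample, TOKEN))
```

Running the same check after verification succeeds also confirms that the token has been removed from DNS once it is no longer required.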
Although you've verified a domain, other organizations may continue to have users with this domain. Old consumer accounts won’t be automatically converted to organization users. If your domains are verified and users signed up for Webex App accounts, you can convert those users to licensed users in your organization.
The steps in Control Hub let you verify domains first, and then claim domains next as a further security measure.
Domain claim means that you're claiming an email domain for use only in your Webex organization.
This step prevents users with the claimed domain from being created in any other organization, including the free consumer organization.
No other Webex organization can add users using your claimed domains.
If you claim a domain, users can still self-register, and Webex creates them in your organization.
You can prevent users from self-registering if you want to control user creation/synchronization in your organization.
Before you begin
Registration errors can occur as a result of errors that are made in claiming domains. Before you claim any domains, make sure that you understand the following:
Service Providers should not claim the domains of customer organizations that they manage. They should claim only the domains of those users that are in the Service Provider's internal organization. Claiming the domain of users in a separate organization (even one that the Service Provider manages) can result in registration errors for the users in the customer organization as user authentication requests get routed through the Service Provider rather than the customer organization.
If two customer organizations (Company A and Company B) share the same domain and Company A has claimed the domain, registration for Company B users may fail because user authentication requests are routed through the organization that has claimed the domain (Company A).
Before a domain claim, you must ensure that your domains are verified. Otherwise, your request may be rejected for security reasons. For example, you cannot claim a domain that belongs to another enterprise.
From the customer view in https://admin.webex.com, go to Organization Settings and under Domains click the ellipsis, then select Claim verified domain.
After a domain is claimed, you can see that the status appears next to the domain entries as:
There is no limit on the number of domains you can claim for your organization. However, if you have more than 20 claimed domains in a Webex organization, you may encounter issues with converting users.
What to do next
If you verified or claimed domains and want your Webex App users to be in a Verified state before they sign in for the first time, you can replace the email validation by doing the following:
Use Cisco Directory Connector to synchronize users from an Active Directory into Webex App.
Configure Single Sign-On (SSO) by integrating your organization's identity provider (IdP) with your Webex organization.
Activated users appear with a Verified status in Control Hub. After they sign in, they appear as Active. For more information about user statuses, see User Status and Actions in Cisco Webex Control Hub.
You may want to prevent users from self-registering with your claimed domains. Read https://help.webex.com/nfiu0ed.
Assign services to your users. While domain claim aligns users to your organization, these users only have free services until you add extra paid services to each user.
You may need to remove a verified domain or release a claimed domain from your organization, for example, if your organization sold a domain or you ran a trial with a test domain and the trial finished. You can remove a domain at any time.
Before you begin
If your organization uses Webex Hybrid Call Service, you may affect the service if you remove a verified domain that is contained in your users' on-premises directory URIs.
From the customer view in https://admin.webex.com, go to Organization Settings and scroll to Domains.
Click more beside the domain you want to remove, and choose one:
After you release a claimed domain, it's possible for new users with that domain to join an organization other than your own. This behavior does not affect users who are already in your organization.
Removing a domain means that it's no longer verified or claimed in your organization.
The security of Webex for Government requires the following configurations in your organization:
You must claim your domains.
This requirement prevents people from using your domains to join other, potentially less secure, organizations. So
firstname.lastname@example.org only join your organization after you claim
The procedure for claiming your domain is the same as for non-Webex for Government organizations. It is described in the other parts of this article.
You may not share any domain claims with any other organizations, even other organizations that you own.
We enforce this behavior for security reasons. Specifically:
Sharing a domain claim between the Commercial identity store and Webex for Government identity store is strictly prohibited for United States-based government entities at the federal, state, local, and tribal levels.
This restriction is required by our Webex for Government Authorization to Operate (ATO).