Once you've set up synchronization with Azure Active Directory (Azure AD), you can manage who and what you're synchronizing into your Webex organization by using the Cisco Webex application in the Azure portal. This article describes how common changes in the portal impact your Webex organization. It also walks you through making some of those changes.
| Action in Azure admin portal | Result in Webex organization |
|---|---|
| Delete user (user goes to Recycle Bin) | Webex renames the user and marks the user as Inactive in your organization. If you don't recover the user within 30 days, Azure AD permanently deletes the user, and Webex deletes the user from your organization. For more info, see the Delete User from Azure AD and from Your Webex Organization section of this article. |
| Restore a recently deleted user from Recycle Bin | Webex reactivates the user and changes the username back to the original value. |
| Delete user from Recycle Bin | Webex deletes the user from your organization. |
| Remove user from Webex application | Webex marks the user as Inactive. |
| Block user from signing in to Azure | Webex marks the user as Inactive. |
| Change user attributes (for example, display name) | Webex updates the user attributes. Changes show in Control Hub as soon as you refresh the user view. |
| Assign a new user to the Webex application | Webex creates the user. |
| Assign an existing Webex user to the Webex application | Webex updates the user and adds an "externalId" attribute (by default, mapped to the Azure AD objectId attribute). |
Follow this procedure to map additional user attributes from Azure AD to Webex, or to change existing attribute mappings.
We recommend that you do not change the default attribute mappings unless absolutely necessary. The attribute that you map to the username is particularly important: Webex uses the user's email address as the username, and by default the Azure AD userPrincipalName (UPN) is mapped to the email address (username) in Control Hub.
Matching between Azure AD and Control Hub is done on that username value. If a user's userPrincipalName does not equal the email address of an existing user in Control Hub, provisioning does not match the existing user; it creates a new (duplicate) user instead. If the email-format value for your users lives in a different Azure AD attribute (for example, mail) rather than in the UPN, change the default mapping in Azure AD from userPrincipalName to that attribute before you assign users.
Sign in to the Azure portal and then go to Azure Active Directory > Enterprise applications > All applications.
Open the Cisco Webex application.
Select the Provisioning page, expand the Mappings section, and click Provision Azure Active Directory Users.
Check the Show advanced options check box and then click Edit attribute list for CiscoWebEx.
Choose the Webex attributes to be populated from Azure user attributes. The attributes and mappings are shown later in this procedure.
After selecting the Webex attributes, click Save, and then Yes to confirm.
The Attribute Mapping page opens, so you can map Azure AD user attributes to the Webex user attributes you chose.
Near the bottom of the page, click Add new mapping.
Choose Direct mapping. Select the Source attribute (Azure attribute) and the Target attribute (Webex attribute), and then click OK.
Repeat the previous two steps until you have added or modified all the mappings you need, then click Save and Yes to confirm your new mappings.
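Before changing the mapping described above, it is worth previewing what a sync would do to the existing Control Hub directory. The following script is an added example, not Cisco's or Microsoft's code. It models the matching rule the article describes (the Azure attribute mapped to the Webex username is compared with existing Control Hub email addresses; a hit updates that user and sets externalId to the objectId, a miss creates a new user) over constructed data. Assumptions not taken from the page: the comparison is case-insensitive, and the constructed `assigned` flag stands in for the application assignment in Azure AD. It goes one step beyond the article by scoring candidate source attributes so you can see which one would match the most existing users.

```python
"""Preflight for the Azure AD -> Webex username mapping.

Added example, not Cisco's or Microsoft's code. It models the matching rule the
article describes: the Azure attribute mapped to the Webex username is compared
with the email address of existing Control Hub users. A hit updates that user
(and sets externalId to the Azure objectId); a miss creates a brand-new user.
Assumptions: email comparison is case-insensitive; the constructed "assigned"
flag stands in for the application assignment in Azure AD.
"""
from collections import Counter

# Constructed Azure AD users; object IDs and addresses are made up.
AZURE_USERS = [
    {"objectId": "3f9c2b10-7a1e-4c53-9d2f-0a1b2c3d4e5f", "assigned": True,
     "userPrincipalName": "alice@contoso.com", "mail": "Alice@contoso.com"},
    {"objectId": "7c1d0e2f-3b4a-4c5d-8e9f-1a2b3c4d5e6f", "assigned": True,
     "userPrincipalName": "bob@contoso.onmicrosoft.com", "mail": "bob@contoso.com"},
    {"objectId": "b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e", "assigned": True,
     "userPrincipalName": "carol@contoso.com", "mail": None},
    {"objectId": "e5f6a7b8-c9d0-4e1f-8a2b-3c4d5e6f7a8b", "assigned": False,
     "userPrincipalName": "dave@contoso.com", "mail": "dave@contoso.com"},
]

# Constructed Control Hub users; in Webex the email address is the username.
WEBEX_USERS = [
    {"id": "wx-0001", "email": "alice@contoso.com", "externalId": None},
    {"id": "wx-0002", "email": "bob@contoso.com", "externalId": None},
    {"id": "wx-0003", "email": "erin@contoso.com", "externalId": None},
]


def _norm(addr):
    """Normalize an address for comparison (assumed case-insensitive)."""
    return addr.strip().lower() if addr else None


def preview_mapping(azure_users, webex_users,
                    source_attr="userPrincipalName", alt_attrs=("mail",)):
    """Classify every Azure user by what a sync with this mapping would do.

    update    - source_attr matches an existing Webex email: the existing user is
                updated and gets externalId = objectId
    create    - nothing matches: Webex creates a new user (fine for genuine joiners)
    duplicate - source_attr misses, but one of alt_attrs matches an existing Webex
                user: the mapping would create a second account for the same
                person, the failure the article warns about
    missing   - the source attribute is empty, so no username can be produced
    skipped   - not assigned to the Webex application, so never synchronized
    """
    by_email = {_norm(u["email"]): u for u in webex_users}
    out = {"update": [], "create": [], "duplicate": [], "missing": [], "skipped": []}
    for az in azure_users:
        if not az.get("assigned"):
            out["skipped"].append(az["objectId"])
            continue
        username = _norm(az.get(source_attr))
        if username is None:
            out["missing"].append(az["objectId"])
            continue
        if username in by_email:
            out["update"].append({"webexId": by_email[username]["id"],
                                  "username": username,
                                  "externalId": az["objectId"]})
            continue
        alt_hit = next((_norm(az.get(a)) for a in alt_attrs
                        if _norm(az.get(a)) in by_email), None)
        if alt_hit:
            out["duplicate"].append({"objectId": az["objectId"],
                                     "wouldCreate": username,
                                     "existing": alt_hit})
        else:
            out["create"].append({"objectId": az["objectId"], "username": username})
    return out


def best_source_attribute(azure_users, webex_users,
                          candidates=("userPrincipalName", "mail")):
    """Return (attribute, scores): the candidate matching the most Webex users."""
    emails = {_norm(u["email"]) for u in webex_users}
    scores = Counter({c: 0 for c in candidates})
    for attr in candidates:
        for az in azure_users:
            if az.get("assigned") and _norm(az.get(attr)) in emails:
                scores[attr] += 1
    return scores.most_common(1)[0][0], dict(scores)


if __name__ == "__main__":
    report = preview_mapping(AZURE_USERS, WEBEX_USERS)
    for dup in report["duplicate"]:
        print(f"DUPLICATE RISK: {dup['wouldCreate']} would be created, "
              f"but {dup['existing']} already exists in Control Hub")
    print("best source attribute:", best_source_attribute(AZURE_USERS, WEBEX_USERS))
```

With the constructed data, the default UPN mapping would match only Alice and would create a second account for Bob (his UPN is in the onmicrosoft.com domain while his Webex username is bob@contoso.com), whereas mapping mail to the username matches both. Run the preview against an export of your real tenant and Control Hub user list before you save a changed mapping; anything in the duplicate bucket is a user you will have to clean up afterwards.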
This procedure lets you add users or groups to synchronize to the Webex cloud.
Azure AD uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups of users that are "assigned" to an application in Azure AD are synchronized to Control Hub.
Webex can synchronize the users in an Azure AD group, but doesn't synchronize the group object itself.
Open the Cisco Webex application in the Azure portal, then go to Users and groups.
Click Add Assignment.
Find the users or groups you want to add to the application, click Select, and then click Assign.
Repeat these steps until you have all the groups and users you want to synchronize with Webex.
You can remove user assignments from Azure AD. The Azure AD user accounts are retained, but those users lose access to the applications and services in your Webex organization.
When you remove the user assignment, Webex marks the user as Inactive; the account remains in Control Hub and is not deleted.
From the Azure portal, go to Enterprise applications, and then choose the Webex application that you added.
Choose a user or group of users from the list of those assigned to the application.
Click Remove, and then click Yes to confirm the removal.
On the next sync event, the removal reaches Webex and the affected users are marked Inactive in your Webex organization.
When you delete a user in Azure AD, the following sequence occurs:
Azure AD moves the user to the Deleted users page (also known as the Azure AD recycle bin).
Azure AD changes the user's userPrincipalName (UPN) by prefixing it with a string of hexadecimal characters (the user's object ID without hyphens).
This UPN change triggers Webex to rename the user and mark the user as Inactive in your organization.
Webex revokes the user tokens.
At this point, the user is "soft" deleted and remains in the Active Directory recycle bin for up to 30 days. If you restore the user from the recycle bin, Control Hub reactivates the user, restores the tokens, and renames the user to the original email/UPN address.
If you delete the user from the Active Directory recycle bin, or you take no action and the 30 days elapse, Azure AD permanently deletes the user. The permanent deletion triggers Webex to remove the user. (As part of the removal, Webex sends the user data to its archive service where compliance officers can view the user data subject to your organization's data retention policy.)
If you later re-add a permanently deleted user's email address to Azure AD, Webex creates an entirely new account.
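Because Webex permanently removes the user as soon as Azure AD purges the recycle bin, an administrator wants to know which soft-deleted users are approaching the 30-day limit while a restore (and the corresponding reactivation in Control Hub) is still possible. The following script is an added example, not Cisco's or Microsoft's code. It works over a constructed payload shaped like the Microsoft Graph response for `GET /directory/deletedItems/microsoft.graph.user` (fields `id`, `deletedDateTime`, `userPrincipalName`); the 30-day window is the one the article states. The assumption that the renamed UPN is the object ID without hyphens followed by the original UPN is ours; the article only says a string is added to the beginning, so the parser falls back to stripping a 32-character hex run and otherwise leaves the UPN untouched.

```python
"""Report soft-deleted Azure AD users and the days left before Webex hard-deletes them.

Added example, not Cisco's or Microsoft's code. The payload below is constructed
to look like GET /directory/deletedItems/microsoft.graph.user; the 30-day window
comes from the article. Assumption: the soft-delete rename prefixes the UPN with
the user's object ID without hyphens (falsified safely: the UPN is returned as-is).
"""
import math
import re
from datetime import datetime, timedelta, timezone

SOFT_DELETE_WINDOW = timedelta(days=30)  # from the article: recycle bin keeps users up to 30 days

# Fixed "now" so the example is deterministic; in real use call deletion_report(payload).
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)

# Constructed Graph payload (object IDs, addresses and timestamps are made up).
DELETED_ITEMS = {"value": [
    {"id": "1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d",
     "deletedDateTime": "2024-03-13T09:30:00Z",
     "userPrincipalName": "1a2b3c4d5e6f4a7b8c9d0e1f2a3b4c5dbob@contoso.com"},
    {"id": "9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a",
     "deletedDateTime": "2024-02-16T08:00:00Z",
     "userPrincipalName": "9f8e7d6c5b4a439281706f5e4d3c2b1acarol@contoso.com"},
    {"id": "0123abcd-4567-4ef0-9abc-def012345678",
     "deletedDateTime": "2024-02-10T08:00:00Z",
     "userPrincipalName": "0123abcd45674ef09abcdef012345678dan@contoso.com"},
]}


def original_upn(item):
    """Recover the pre-deletion UPN from a soft-deleted user record.

    Assumption (not from the article): Azure AD prepends the object ID without
    hyphens. If that prefix is absent, strip a leading 32-character hex run;
    if neither applies, return the UPN unchanged.
    """
    upn = item["userPrincipalName"]
    prefix = item["id"].replace("-", "")
    if upn.startswith(prefix):
        return upn[len(prefix):]
    return re.sub(r"^[0-9a-fA-F]{32}", "", upn)


def deletion_report(payload, now=None):
    """Return one row per soft-deleted user, soonest permanent deletion first.

    daysLeft is rounded up so "1 day 20 hours" reads as 2 days; 0 means the
    window has already elapsed and Webex has (or will imminently have)
    removed the user, so a restore no longer brings the old account back.
    """
    now = now or datetime.now(timezone.utc)
    rows = []
    for item in payload["value"]:
        deleted_at = datetime.fromisoformat(item["deletedDateTime"].replace("Z", "+00:00"))
        purge_at = deleted_at + SOFT_DELETE_WINDOW
        days_left = max(0, math.ceil((purge_at - now).total_seconds() / 86400))
        rows.append({
            "objectId": item["id"],
            "originalUpn": original_upn(item),
            "purgeAt": purge_at.isoformat(),
            "daysLeft": days_left,
            # Webex state implied by the article for each phase of the lifecycle.
            "webexState": "inactive (renamed), restorable" if days_left > 0 else "deleted",
        })
    rows.sort(key=lambda r: r["daysLeft"])
    return rows


if __name__ == "__main__":
    for row in deletion_report(DELETED_ITEMS, now=NOW):
        print(f"{row['daysLeft']:>3} days  {row['originalUpn']:<24} {row['webexState']}")
```

Anything reported with a small `daysLeft` is the last chance to restore the user from the Azure AD recycle bin and have Control Hub reactivate the existing account; after the window closes, re-adding the same email address produces a new Webex account with no link to the old one.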
In the Azure portal, go to Azure Active Directory > Users, check the check box next to each user account that you want to delete, and then click Delete user.
Users are moved to the Deleted users tab.
The users are not deleted immediately: they enter a "soft delete" state in Azure AD and are renamed there. Azure AD sends these changes to the Webex cloud, and Control Hub reflects them by renaming the user and marking the user as Inactive. All tokens are revoked for the user.
To verify any records of the user deletion, go to Audit logs and then run a search on the User Management category or on the Delete user activity.