Summary

Cisco Webex Video Integration for Microsoft Teams enables Cisco and SIP-capable video devices to join Microsoft Teams meetings.

Here's how the integration enhances the device user's experience when they join Microsoft Teams meetings hosted in your organization:

  • Webex meeting experience—multi-screen with flexible layout options

  • Participant list showing both Microsoft and video integration participants

  • Bi-directional content sharing between the device and Microsoft Teams

  • Recording indicator on the device

When you deploy the video integration with the Cisco Webex Hybrid Calendar Service, your video devices also get the One Button to Push (OBTP) simplified meeting join experience.

Architecture Overview

The Microsoft Cloud Video Interop (CVI) program enables partners like Cisco to deliver services that join telepresence devices to Microsoft Teams meetings.

CVI Architecture image based on https://docs.microsoft.com/en-us/microsoftteams/cloud-video-interop
Figure 1: Solution Architecture

Cisco Webex Video Interoperability for Microsoft Teams is a Microsoft Qualified third-party Cloud Video Interop solution built on the Cisco Webex cloud platform. The CVI partner capabilities in the Cisco Webex cloud are available anywhere callers can make business-to-business calls to the public Internet. The common Cisco Webex services provide administration, calling infrastructure, interactive voice response systems, and lobbies. Cisco Webex media clusters located around the world provide transcoding, protocol translations, and the Teams Bot roles.

With this architecture, video devices place calls to specific SIP URIs hosted by Cisco Webex. Cisco Webex services answer the calls and assign them to geographically relevant media clusters running in Microsoft Azure. The IVR gathers meeting details if needed, and the Microsoft Teams’ Media CVI bot in the Cisco Webex media cluster makes the connection to the Microsoft Teams meeting infrastructure. The media clusters provide the back-to-back connectivity between the participant connected through Webex and the rest of the conference hosted on Microsoft Teams. The entire solution operates as a cloud service.

You can enhance the user experience by adding other Cisco Webex services. For example, the Hybrid Calendar Service automatically pushes meeting details and simplified Join buttons to the video devices when it’s time to join the meeting.

Data Handling

The video integration uses the following data to connect devices to Microsoft Teams meetings and provide in-meeting features:

  • Enterprise app registration: During provisioning, an administrator uses the Cisco Webex Video Integration application to grant permissions to access the organization’s Microsoft tenant when using the Microsoft Graph API. For more information, see Cisco Webex Video Integration in the Microsoft Azure Portal.

  • A Cisco-provisioned "tenant key": Used in SIP addresses to identify the organization hosting the meeting a caller is trying to reach.

  • VTC conference ID: Microsoft assigns this meeting-specific ID when creating the meeting. The video integration uses this ID and the tenant ID to look up the meeting join URL from the Microsoft Graph API.

  • Customer’s Microsoft tenant ID: Used to identify the target Microsoft organization when communicating to the Microsoft Graph API. Also used in the service's administrative interface to identify the provisioned Microsoft tenant.

  • Microsoft tenant-verified domain names: Used as labels in the service's administrative interface to identify the provisioned Microsoft tenant.

  • Meeting information: When a participant requests to join a Microsoft Teams meeting through the video integration, the service retrieves details for that meeting including the meeting subject, organizer, date/time, and connection details. Once connected, the service retrieves real-time information such as participant labels, capabilities, and the status of participants connected to the Teams meeting from the Microsoft Graph API and uses them to facilitate the live meeting.

    When you enable the Hybrid Calendar Service for a mailbox, the calendar service uses the alternate dialing URL, located in the body of calendar entries that include it, to identify the meeting "tenant key" and VTC conference ID.

  • Real-time media and content: When a participant joins a Microsoft Teams meeting through the video integration, Cisco Webex and Microsoft Teams exchange encoded audio, video, and high-frame rate content to enable the two-way audio and video experience between them.

If you deploy the video integration with the Hybrid Calendar Service, also see the Cisco Webex Hybrid Calendar Service with Office 365 Integration Reference.

Authentication and Authorization

Cisco Webex interacts with your Microsoft Teams environment using the Microsoft Graph API. The cloud-based Microsoft identity provider (IdP) handles authentication for the Microsoft Graph API. Requests to the Microsoft Graph API are authorized by presenting bearer tokens issued by the Microsoft IdP. All communication to the Microsoft IdP and Graph API uses TLS-secured web connections.

To interact with Microsoft Teams media as a service, you register the Cisco Webex video integration as an application-hosted media bot homed in a Microsoft 365 tenant managed by Cisco. Teams bots require prior authorization to be able to communicate with an organization’s Microsoft 365 tenant. During initial configuration, the service requests authorization for a predefined set of permissions. An administrator grants these application permissions by approving the Cisco Webex Video Integration Azure AD application through the Microsoft admin consent flow described below.

Once approved, the Cisco Webex service can request bearer tokens with the correct permissions and customer scope from the Microsoft OAuth v2.0 IdP. The service then uses the bearer tokens to authorize requests to the Microsoft Graph API for provisioning details, health checks, and operation of the Teams bot.

Authorization and Microsoft Admin Consent

In Cisco Webex Control Hub, only administrators with the Full Administrator role can set up the video integration service for an organization. The provisioning process requires authentication and consent by a Global administrator for the Office 365 tenant to which your users belong. The application permissions required to operate the Teams bot can only be granted by a Global administrator of the Microsoft tenant using the following admin consent flow. (For detailed setup steps see Deploy the Cisco Webex Video Integration for Microsoft Teams.)

The flow includes the following high-level steps:

  1. The administrator signs into Cisco Webex Control Hub and starts the video integration setup.

  2. The setup process redirects the browser to the Microsoft cloud for authentication and consent.

  3. The Global administrator for the Microsoft tenant signs in.

    Once signed in, the administrator sees the application permission details (application name, vendor domain, and the requested permissions).

  4. The administrator agrees to give access to the Cisco Webex Video Integration application by clicking Accept.

  5. The setup process verifies that the access was granted by an administrator with appropriate permissions. If successful, the user is redirected back to Control Hub, which shows the tailored PowerShell commands needed to complete the Microsoft Teams configuration.

  6. The administrator completes the Microsoft Teams configuration using PowerShell, and closes the Control Hub panel.

  7. The setup process tests a Microsoft Graph API call for the organization. If successful, the setup is complete. If not, the administrator can try the authorization process again.

Permissions Granted

The Cisco Webex Video Integration for Microsoft Teams requires an explicit set of permissions in your Microsoft tenant. These permissions are not customizable and are based on the requirements for application media bots in Microsoft Teams. Completing the consent flow grants the integration the following required permissions:

  • Read domains (Domain.Read.All): Allows the service to read the tenant’s verified domain names. Control Hub uses the domain names to identify the tenant that the service is linked to.

  • Initiate outgoing 1-to-1 calls from the app (Calls.Initiate.All): Allows creation of calls by the bot to Microsoft Teams users. (Reserved for future use.)

  • Initiate outgoing group calls from the app (Calls.InitiateGroupCall.All): Allows creation of calls by the bot to a group of Microsoft Teams users. (Reserved for future use.)

  • Join group calls and meetings as an app (Calls.JoinGroupCall.All): Allows the bot to join group calls and scheduled meetings in your organization with the privileges of a directory user. Used for joining participants who are authorized to bypass the Microsoft Teams lobby.

  • Join group calls and meetings as a guest (Calls.JoinGroupCallAsGuest.All): Allows the bot to join group calls and scheduled meetings in your organization as a guest. Used for joining participants who aren’t authorized to bypass the Microsoft Teams lobby.

  • Access media streams in a call as an app (Calls.AccessMedia.All): Allows the bot to get direct access to media streams in a call, without a signed-in user.

  • Read online meeting details (OnlineMeetings.Read.All): Allows the service to read Online Meeting details in your organization. Used to look up and resolve VTC Conference IDs to Microsoft Teams meetings.

  • Sign in and read user profile (User.Read): Required for the other permissions listed. The integration does not use it directly.

Microsoft Graph Permissions Reference: https://docs.microsoft.com/en-us/graph/permissions-reference

Microsoft Meeting Bots Overview: https://docs.microsoft.com/en-us/microsoftteams/platform/bots/calls-and-meetings/calls-meetings-bots-overview

Access to Meetings

Participants connecting through the video integration are normally treated as guest users to Microsoft Teams meetings and may be placed in a lobby (waiting room). A Microsoft Teams user must manually admit a participant who is in the lobby before the participant can hear or see other participants.

You can control the Microsoft Teams lobby behavior through meeting policies set by an administrator in Microsoft Teams and through meeting options set by the meeting organizer. By default, Microsoft Teams guest users must use the lobby. For more information on Teams meetings policies, see Manage meeting policies in Teams.

If the "Anonymous users can join a meeting" setting is set to off, only trusted participants who are allowed lobby bypass will be able to join the meeting through the Cisco Webex video integration.

Lobby Bypass for Trusted Participants

Participants connecting to the video integration using any of the following methods are treated as trusted participants and join Microsoft Teams meetings without being placed in a lobby:

  • Devices registered to your Cisco Webex organization as Webex registered devices

  • Calling from SIP domains that have been added and verified as owned by your organization in Control Hub

Trusted participants are treated as participants within your organization. Participants connecting through these trusted paths can bypass the lobby if the organizer has restricted the Teams meeting lobby settings. If the "Who can bypass the lobby?" meeting option is set to 'Organizers and me' or 'People I invite', the trusted status of joining participants is ignored and all video integration (VIMT) callers are placed in the Teams meeting lobby when joining a meeting.

For more information on adding and verifying SIP domains, see Domain Verification Process for SIP Video Devices.

Cisco Webex Video Integration in the Microsoft Azure Portal

Once you have authorized the video integration service to access your Office 365 tenant, no additional upkeep is necessary, but you can verify its presence and scope in the enterprise applications list in the Microsoft Azure Active Directory admin center.


 

No physical application or software runs in your tenant as part of this integration. The enterprise application entry serves as the definition and placeholder for the authorization granted to the Cisco Webex application identity.

Click the application name, then click Permissions to see the permissions that the application has in the tenant.
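The same check can be scripted as a recurring audit. The following is an added example, not Cisco's or Microsoft's code: it assumes you have exported the enterprise application's appRoleAssignments and oauth2PermissionGrants, plus the appRoles list of the Microsoft Graph service principal, and it compares what is granted against the permissions documented on this page. The function names, placeholder IDs and sample data are constructed for illustration.

```python
# Baseline: the eight permissions listed under "Permissions Granted" on this page.
DOCUMENTED = {
    "Domain.Read.All", "Calls.Initiate.All", "Calls.InitiateGroupCall.All",
    "Calls.JoinGroupCall.All", "Calls.JoinGroupCallAsGuest.All",
    "Calls.AccessMedia.All", "OnlineMeetings.Read.All", "User.Read",
}

def granted_permissions(app_role_assignments, resource_app_roles, oauth2_grants):
    """Resolve the permission names the enterprise application holds."""
    # appRoleAssignments carry only role IDs; the resource service principal
    # (Microsoft Graph) publishes the ID -> permission name mapping in appRoles.
    names_by_id = {r["id"]: r["value"] for r in resource_app_roles}
    granted = set()
    for a in app_role_assignments:
        # Keep unresolvable IDs visible instead of silently dropping them.
        granted.add(names_by_id.get(a["appRoleId"], "unresolved:" + a["appRoleId"]))
    for g in oauth2_grants:
        # Delegated grants store their scopes as one space-separated string.
        granted.update(g.get("scope", "").split())
    return granted

def audit(granted, baseline=DOCUMENTED):
    """Return (unexpected, missing); names are compared case-insensitively."""
    want = {p.lower() for p in baseline}
    have = {p.lower() for p in granted}
    unexpected = sorted(p for p in granted if p.lower() not in want)
    missing = sorted(p for p in baseline if p.lower() not in have)
    return unexpected, missing

# Constructed sample export. IDs are placeholders, not real Graph role IDs;
# Mail.Read stands in for a permission that drifted beyond the documented set.
SAMPLE_RESOURCE_ROLES = [
    {"id": f"placeholder-id-{i:02d}", "value": v}
    for i, v in enumerate(sorted(DOCUMENTED - {"User.Read"}) + ["Mail.Read"])
]
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": r["id"]} for r in SAMPLE_RESOURCE_ROLES
    if r["value"] != "Calls.Initiate.All"
] + [{"appRoleId": "placeholder-id-99"}]
SAMPLE_DELEGATED = [{"consentType": "AllPrincipals", "scope": "User.Read"}]

if __name__ == "__main__":
    held = granted_permissions(SAMPLE_ASSIGNMENTS, SAMPLE_RESOURCE_ROLES, SAMPLE_DELEGATED)
    print(audit(held))
```

Any entry in the first list is a grant beyond what this page documents and is worth investigating; an entry in the second list means the consent is incomplete.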

Additional Reference Material