If you manage your users and groups in Microsoft Azure Active Directory, use the Azure AD Wizard App in Control Hub to synchronize users and groups with Webex.
 | You can't currently use Azure AD Wizard App with Webex for Government. We’ll add support for Webex for Government in the future. Some of the features described in this article aren’t yet available to all customers. They will be available soon. |
| 1 |
Sign in to Control Hub with a full admin account. | ||||||||||
| 2 |
Go to Organization Settings and then scroll down to the Directory Synchronization section. | ||||||||||
| 3 |
Click Set up to start the configuration. 
| ||||||||||
| 4 |
Authenticate the Azure AD admin account with the Azure AD configuration. Ensure that you use an account that has the permissions described in the next step. | ||||||||||
| 5 |
Review the permissions and click Accept to grant the account authorization to access your Azure AD tenant. Cisco Webex Identity is an Azure AD enterprise application in Azure AD. The Wizard App connects to this application to access Azure AD graph APIs. The permissions required to access it are the minimum permissions needed to support and use it. 
| ||||||||||
| 6 |
For SMB customers, accept the default settings by checking the Sync defaults check box and clicking Proceed. For enterprise customers, go to the next step and continue the configuration. If you accept the default settings, it means that you want to:
 | ||||||||||
| 7 |
For Enterprise customers (more than 1000 users), or the customers who want to configure the settings manually, click the Attributes tab, and map the attributes. Click Save. You can map other user attributes from Azure to Webex, or change existing user attribute mappings using the Attributes page. You can customize the mapping by ensuring that you configure it correctly. The value that you map as the username is important. Webex uses the user's email address as their username. By default, the userPrincipalName (UPN) in Azure AD maps to the email address (username) in Control Hub.
| ||||||||||
| 8 |
Add users to the synchronization scope by clicking the Users tab. You can input the username to search and add the user in the synchronization scope. You can also remove a user from the sync scope by clicking the right side Recycle Bin icon. Click Save. If you want to select all users from Azure AD, select Select all users. If you select it, you don't need to select groups in the scope as this option synchronizes the groups at the same time. 
Click Save. | ||||||||||
| 9 |
On the Groups tab, you can search for individual groups and add them to Webex.
Click Save.
| ||||||||||
| 10 |
On the More tab, you can configure some advanced synchronization options:
| ||||||||||
| 11 |
You can decide if you want to allow synchronization to take place immediately or at a later stage. If you select the Allow now option, it applies all settings to the upcoming synchronization. If you select the Save and allow later option, synchronization doesn’t start until you allow auto-sync. 
| ||||||||||
| 12 |
The application communicates with Azure AD to set up the configuration and schedules the synchronization. 
|
- Active: the synchronization was successful.
- Quarantine: the synchronization job was quarantined in Azure AD after multiple failures. See the Azure AD documentation for more information.
- NotRun: this status appears only after first setup. The service has not yet run after first setup.
You can also click View summary to see additional information such as the time and date of the last synchronization, and the number of users synced, skipped, or failed:
Users
- Synced: shows the number of users successfully synced to Webex.
- Skipped: shows the number of users that were skipped in the last synchronization. For example, new users in Azure AD that were not added to the Azure AD Wizard App sync scope. These users were not synced to Webex; add them in the sync scope to sync them to Webex.
- Failed: shows the number of users that failed to sync. Check the Azure AD application provision audit log for more information about why these users failed to sync. If you need to sync these users immediately, you can provision users on demand.
Groups
- Synced: shows the number of groups successfully synced to Webex and created in Control Hub.
- To Be Synced: this status indicates that all of the users in a group have not yet been added. The users must first be successfully synced to Webex.
If you already have set up a Cisco Webex Enterprise App in Azure AD, you can migrate all of your configurations over to the Azure AD Wizard App automatically. You can manage Azure AD all in Control Hub without losing any of your previous configurations.
| 1 |
Sign in to Control Hub with a full admin account. | ||||||||||
| 2 |
Go to Organization Settings and then scroll down to the Directory Synchronization section. | ||||||||||
| 3 |
Click Set up to start the configuration. | ||||||||||
| 4 |
Authenticate the Azure AD admin account with the Azure AD configuration. Ensure that you use an account that has the permissions described in the next step. | ||||||||||
| 5 |
Review the permissions and click Accept to grant the account authorization to access your Azure AD tenant. Cisco Webex Identity Synchronization is an Azure AD enterprise application in Azure AD. The Wizard App connects to this application to access Azure AD graph APIs. The permissions required to access it are the minimum permissions needed to support and use it.
| ||||||||||
| 6 |
Select Migrate existing app. | ||||||||||
| 7 |
After accepting additional read-only permission requests, select the existing app that you want to migrate over to the Wizard App, and then select Proceed.
| ||||||||||
| 8 |
After the migration completes, we recommend that you perform a dry run before enabling auto-sync to make sure there aren't any errors. |
Before enabling auto-sync, we recommend that you perform a dry run first to make sure that there aren't any errors. Once the dry run completes, you can download a dry-run report to see detailed information. The available columns in the report are:
| Column name | Description |
|---|---|
| Object Type | Type of object in Azure AD, such as user or group. |
| Action Type | Type of action that will be performed to the object during a synchronization. Possible action types are:
|
| Azure ID | ID of the object in Azure AD. |
| Azure Name | Name of the object in Azure AD. |
| Webex Name | Name of the object in Webex. |
| Reason | Reason for why an action type will occur during a synchronization. |
| 1 |
Sign in to Control Hub with a full admin account. |
| 2 |
Go to Organization Settings and then scroll down to the Directory Synchronization section. |
| 3 |
Click on the three vertical dots next to the instance you want to sync, and then select Dry-run. |
| 4 |
Once the dry run completes, click on Download summary to download the report as a CSV file. |
The Azure AD Wizard and its corresponding backend service checks if auto-sync is enabled, to determine when to sync users or groups from Azure AD to Webex. Enable Auto Sync to allow the auto provision user and group synchronization. When you disable Auto Sync the Wizard App doesn't sync anything to Webex, but the existing configuration is preserved.
| 1 |
Log in to Control Hub as the full org admin. |
| 2 |
Go to Organization Settings and then scroll down to the Directory Synchronization section. |
| 3 |
Switch the toggle to the right to enable Auto Sync. Disable it by switching the Auto Sync toggle to the left. |
| 1 |
Log in to Control Hub as the full org admin. | ||
| 2 |
Go to Organization Settings and then scroll down to the Directory Synchronization section. | ||
| 3 |
Click Edit configuration. 
| ||
| 4 |
Customize the attribute mapping by selecting an attribute from the left column that originates from Azure AD. The destination attribute in Webex Cloud is in the right column. See Azure AD Wizard App attributes mapping for more information about mapping attributes. 
| ||
| 5 |
On the Users and Groups tabs, add or remove users and groups from the synchronization scope.
| ||
| 6 |
On the More tab change your preferences if required. | ||
| 7 |
Click Save to save the modified configuration.
|
Change how the Cisco Webex Identity instance name appears in the Azure AD enterprise application list.
| 1 |
Log in to Control Hub as the full org admin. |
| 2 |
Go to Organization Settings and then scroll down to the Directory Synchronization section. |
| 3 |
Click Edit instance name.
|
| 4 |
Enter the new instance name and then click Save. |
When you delete the Azure AD Wizard App, it removes the configuration for Azure AD synchronization. The configuration is not retained by Webex or Azure AD. If you want to use Azure AD synchronization in the future, you'll need to do a full reconfiguration.
Before you begin
| 1 |
Log in to Control Hub as the full org admin. |
| 2 |
Go to Organization Settings and then scroll down to the Directory Synchronization section. |
| 3 |
Click Delete instance.
|
| 4 |
In the Delete Azure AD Instance? page, select Revoke Azure AD admin consent if you want to remove the consent agreement from Webex. If you select this option, you must enter your credentials and grant the permissions again. 
|
| 5 |
Click Delete. |
You can provision a user to Webex immediately, independently of an Azure AD synchronization, and instantly check the result. This helps when troubleshooting problems during setup.
| 1 |
Log in to Control Hub as the full org admin. |
| 2 |
Go to Organization Settings and then scroll down to the Directory Synchronization section. |
| 3 |
Click Provision a user on demand.
|
| 4 |
Search for and select the user you want to provision, and click
Provision. |
| 5 |
One of following results appear when it completes:
|
| 6 |
Click Re-try to provision the same user again, if it skipped or failed. |
| 7 |
Click Provision another user to return to the provisioning page. |
| 8 |
Click Done when you are finished. |
The customers may have hundreds of domains verified in Azure AD. While they integrate with Control hub, if they want to import the verified domains from Azure AD to Control Hub. This can save many efforts in the maintenance or setup process.
| 1 |
Go to the Domain secion in the Organization Settings tab in Control Hub. |
| 2 |
Click Add with Azure AD. 
|
| 3 |
In the Add verified domains page, search and select the domains to add. 
|
| 4 |
Click Add. The verfied domains are a part of the verified domain list. 
|
The Azure AD Wizard App can support and synchronize any changes you make to your attribute
expressions. For example, in Azure AD, you can map the displayName so that it
displays both the surname and givenName attributes. These
changes appear in the Wizard App.
You can find more information on mapping attribute expressions in Azure AD on the Microsoft help site.
Use the following table for information on specific Azure AD attributes.
|
Azure Active Directory Attribute (source) |
Webex User Attribute (target) | Description |
|---|---|---|
|
userPrincipalName |
userName |
It’s the unique ID of the user in Webex. It is an email formatted. |
|
displayName |
displayName |
User's name that displays on the Webex application. |
|
surname |
name.familyName |
|
|
givenName |
name.givenName |
|
|
objectId |
externalId |
It is the user's UID in Azure ID. Generally, it is a 16-Bytes string. We do not recommend that you change this mapping. |
|
jobTitle |
title |
|
|
usageLocation |
addresses[type eq "work"].country |
We recommend using Usagelocation mapping to addresses [type eq "work"].country. If you choose another attribute, you should ensure the attribute values are in compliance with the standards. For example, USA should be US. China should be CN, and so on. |
|
city |
addresses[type eq "work"].locality |
|
|
streetAddress |
addresses[type eq "work"].streetAddress |
|
|
state |
addresses[type eq "work"].region |
|
|
postalCode |
addresses[type eq "work"].postalCode |
|
|
telephoneNumber |
phoneNumbers[type eq "work"].value |
|
|
mobile |
phoneNumbers[type eq "mobile"].value |
|
|
facsimileTelephoneNumber |
phoneNumbers[type eq "fax"].value |
|
|
manager |
manager |
Syncs manager information of users to Webex so that users can always see the correct manager information on a user's contact card. When a user is created, Azure AD checks if the user's manager object is in Webex Identity or not. If no, the user's manager attribute is ignored. If there is a manager attribute, two conditions must be met for the attribute to show on the user's contact card:
These conditions check the update to the user's manager attribute when a user's authentication token is expired. |
How can I migrate to Azure AD Wizard App from Cisco Directory Connector provision?
During setup, the Wizard App detects whether your organization uses Directory Connector. If it is enabled, a dialog box where you can choose to use Azure AD and block Directory Connector. Click Block to confirm that you want to continue the Azure AD Wizard App configuration.
You can also choose to disable Directory Connector before configuring the Wizard App. After configuration, the Wizard App manages user profiles. However, the Wizard App only manages the users who were added to the synchronization scope; you cannot use the Wizard App to manage users synced by Directory Connector that were not part of the synchronization scope.
Can I configure single sign-on with Microsoft Azure?
You can configure a single sign-on (SSO) integration between a Control Hub customer organization and a deployment that uses Microsoft Azure as an identity provider.
When does the user avatar update in Webex?
The user avatars are synced to Webex when the user is created in Webex Identity. This update relies on the user's avatar being updated in Azure AD. The Wizard App then retrieves the new avatar from Azure AD.
