Overview

You can synchronize and manage users from cloud Active Directory (for example, Azure AD) into on-premises or cloud hosted UC infrastructure like Cisco Unified Communications Manager (Unified Communications Manager) and Cisco Unity Connection (Unity Connection) with the Webex Cloud-Connected UC Directory Service. During synchronization, the system imports a list of users and associated user data from the Azure Active Directory (or a similar Cloud Directory service) that is synchronized into the Webex Common Identity Service. You must select the Unity Connection cluster from Control Hub that needs synchronization, select the appropriate Unity Connection User ID field mapping, and then select the required synchronization agreement to perform synchronization.

You must activate Directory Service for each cluster in Webex Cloud-Connected UC to allow synchronization and management of users from cloud into Unity Connection.

By default, Directory Service is not enabled for all the onboarded clusters.
1

From the customer view in Control Hub, go to Services > Connected UC. On the UC Management card, click Inventory.

The list of cluster groups appears with the description, status, clusters, and nodes.

2

Click Details next to the cluster group to which the node belongs.

The Inventory page appears, showing the list of clusters belonging to the selected cluster group.

3

Click Details next to the cluster to which the particular product node belongs.

The Node name with the version, product, and status appears.

4

Click the ellipsis icon next to Event History and choose Service Management.

The Service Management page appears with the list of services.

5

Use the toggle button to enable the Directory Service.

6

Click Submit.

Directory service

Directory service

Use the Directory Service card to synchronize users from cloud-based directories into Unity Connection.

1

From the customer view in Control Hub, go to Services > Connected UC.

2

On the Directory Service card, click View clusters. The Directory Service page appears.

You can view the list of cluster details on this page.

View cluster details

View cluster details

From the Cluster selection page in Directory Service, choose a cluster to which you want to synchronize the user data with.

The Cluster selection page also provides the cluster details, status of provisioning, last synchronized state, the associated product, and the reason for failure, if any. You can select the local time zone; by default, the browser time zone is selected.

Cluster Details

Description

Cluster Name

The name of the cluster.

Status

Status of synchronization.

Last synced

Date of the last synchronization.

Product

Details of the product.

Webex Cloud-Connected UC Directory Service synchronization allows you to import end user data from Webex Common Identity Service into the Unity Connection database to display in the End User Configuration window.

Ensure that you don’t perform any provisioning operations during the scheduled Webex Cloud-Connected UC module upgrade.

In case you perform provisioning during module upgrade, steps 1, 2, or 3 might show error states after a certain period and the retry button appears after sometime. You can re-initiate provisioning by selecting the Retry button. Ensure that you verify the cluster status for upgrade completion before you retry provisioning.

1

From the Cluster selection page in Directory Service, choose a cluster that you want to provision for enabling synchronization.

2

Click Start Provisioning.

3

In the Field Mapping configuration window, ensure that the mapping chosen for the Unity Connection User ID field uniquely identifies the user within the cluster after you start provisioning.

4

Choose the appropriate Unity Connection User ID field mapping for synchronizing the user from Webex:

  • User ID field in Unity Connection maps to email ID of the user in Webex.

  • Mail ID field in Unity Connection maps to email ID of the user in Webex.

  • User ID field in Unity Connection maps to email ID without domain part of the user in Webex.

    New user account will be created if the mapping cannot be done successfully for an existing user account in Unity Connection. Email ID (or the ID part of the Email ID) of the user will be used as the unique identifier for the newly created user account.
5

Click Next.

6

Select an agreement from the drop-down list for creating a new synchronization agreement.

Once the new synchronization agreement is created, all the existing synchronization agreement(s) pointing to the on-premises directory are deleted. You can make changes to the new synchronization agreement after it’s created.

7

In the Agreement Preview section, review the agreement details (existing external LDAP directory details available in the Unity Connection) before you start the synchronization.

You can view the following details:

  • Group information

  • Applied Feature group template with universal line and device templates

  • Line and mask details to synced phone numbers for inserted users

  • Newly provisioned users and their extensions

  • Standard User Fields to be Synchronized section

  • Hostname or IP address of the directory server

Click Next to select the group filter.

8

From the Select groups drop-down list, select the specific group(s) that you want to synchronize. Click the Select all groups check box if you want to select all the user groups.

By default, all the users are synchronized. If you don't select any group, all the users and associated user data will be synchronized automatically.

For Nested groups in a directory, users must select the subset user group specifically during provisioning as they aren’t included by default with the parent group. You need to verify for any repetitive nesting (if any) to ensure that only the required users are included during provisioning.

Any modifications to the synchronization agreement, for example, removing a target user or group will not be propagated during periodic synchronization. You should disable the Directory Service for that cluster from Control Hub and then re-provision the cluster again with the new or modified synchronization agreement.

9

Click Next to prepare the synchronization process.

10

In the Enable Synchronization window, enable the synchronization once the system successfully copies the user data into a temporary storage space in Unity Connection and a new synchronization agreement is created (after steps 1 and 2 as seen in the below screenshot).

11

The Download report download option allows you to view the results partially. To fetch the complete reports for the Unity Connection cluster, execute the following CLI command: file get activelog /cm/trace/CIService/log4j/DryRunResults.csv. Here, the dry run result for Unity Connection shows the following:

For Fresh Azure AD deployments:

  • New Users—Users are not present in Cisco Unified CM database on Unity Connection server but present in Webex Identity Service.

  • Matched Users—Users are present in Cisco Unified CM database on Unity Connection server and in Webex Identity Service.

  • CUC Matched Users—Users present on Webex Identity Service and imported in ‘Unity Connection Database’ on Unity Connection node.

  • Mismatched Users—Users are present in Cisco Unified CM database on Unity Connection server and are not present in Webex Identity Service.

For On-premises AD to Azure AD Migrations:

  1. User ID field in Unity Connection maps to email ID of the user in Webex. All dry run report fields are same as Fresh Azure AD deployments.

  2. Mail ID field in Unity Connection maps to email ID of the user in Webex. All dry run report fields are same as Fresh Azure AD deployments.

  3. User ID field in Unity Connection maps to email ID without domain part of the user in Webex:

    • New Users—Users with User ID without domain part are not present in Cisco Unified CM database on Unity Connection server but present in Webex Identity Service.

    • Matched Users—Users with User ID without domain part are present in Cisco Unified CM database on Unity Connection server and in Webex Identity Service.

    • CUC Matched Users—Users with User ID without domain part are present on Webex Identity Service and imported in ‘Unity Connection Database’ on Unity Connection node.

    • Mismatched Users—Users with User ID without domain part are present in Cisco Unified CM database on Unity Connection server and are not present in Webex Identity Service.

You can check the report and decide whether you want to retain the same list of users and add or delete users. Based on the decision, you can stop the process and revert the provisioning changes.
Any updates made to the user data in the cloud directory after Directory Synchronization will be updated in the next synchronization period. This is because the cloud directory is synchronized periodically once in a day.
12

After the synchronization agreement verification, click Preview in Unity Connection to sign in to your on-premises infrastructure and make changes to the newly created synchronization agreement.

VPN access is required.
13

Check the check box to agree to the terms that the synchronization agreement is reviewed and verified in Unity Connection.

14

Click Enable Synchronization to proceed with the synchronization.

During synchronization, you won’t be able to perform any action until completion. Once the synchronization is completed for a particular cluster, the Directory Service page lists this cluster with a Provisioned state. At this point, you've successfully authorized Azure AD to provision and synchronize Webex users into UC infrastructure and completed the steps to set up synchronization.

15

After the initial provisioning is completed, periodic synchronization happens every 24 hours. Any changes made in the cloud directory will be propagated to the clusters during this period.

You must enable synchronization within 20 hours from the time the new agreement is created. LDAP synchronized users become inactive and removed after 24 hours of inactivity. Users won’t be able to log in and use the Unity Connection services.

After the Azure AD provisioning is completed for a certain cluster, you cannot create any new synchronization agreements or modify any configuration settings for the same cluster except for the group settings. If you want to create a new synchronization agreement for the same cluster, you should go to the Service Management page and disable the Directory Service. You can then create a new agreement for provisioning.

If synchronization fails for any reason, the latest provisioning changes will reflect in the next synchronization period the next day.

  • If you are using Azure IdP during SSO authentication after successful provisioning, ensure that you configure the right Claims in the Azure IdP. For example, during provisioning, if option 1 is selected for the userid mapping, ensure that user.userprincipalname is set as the UID in the ‘Additional Claims’ section.

  • The following attributes are synced from Webex Common Identity Service into Unity Connection: userName, emails, name, displayName, title, phoneNumbers, department, manager.

  • Any updates made to the user data in the cloud directory after Directory Synchronization will be updated in the next synchronization period. This is because the cloud directory is synchronized periodically once in a day.

  • Single sign-on (SSO) must be used for logins. This document only covers single sign-on (SSO) integration.

  • After reprovisioning, if you see that the users marked as Mismatched Users are the same as New Users (users sharing the same mail ID), we recommend that you wait for a maximum of 48 hours for the synchronization changes to take effect.

    1. Disable the Directory Service from the Service Management page in Control Hub.

    2. Disable the Enable Synchronizing from LDAP Server check box in the LDAP System.

    3. Enable the Directory Service from the Service Management page in Control Hub.

Provision status

Provision status

On the Directory Service dashboard, you can view and track the status of your cluster and review errors.

The following table lists the provision status, description, and the corresponding actions.

Table 1. Provisioning Status

Provision Status

Description

Processing

The provisioning is in progress.

Action Required

Take necessary steps if there's any manual intervention required for a particular cluster. For example,

  • If you want to continue or abandon synchronization after dry run.

  • After the new agreement is created, check for any notifications, and take necessary actions as required.

Error

If there's any action required in the 'Enable Synchronization' wizard, check them and if required, take necessary actions.

In the event of errors during any stages of provisioning, the administrator should audit the Events History page in Cisco Webex Control Hub for the service: Directory Service. This helps you to isolate, debug, and troubleshoot the possible issues. To access events, see Access the Event History for Hybrid Services.

For more information on the various events types and their details, see the 'Events and Possible Resolutions' table below.

Provisioned

The cluster provisioning is complete.

Not provisioned

The cluster provisioning hasn’t started yet.

Table 2. Events and Resolutions

Events

Action Required

Periodic Sync Failed

Ensure that you wait for the completion of next day's periodic synchronization. Verify that the synchronization is completed successfully. If the issue persists, contact Cisco TAC support.

Data Copy Failure

Click Retry button to continue data transfer. If the issue persists, contact Cisco TAC support.

Sync Agreement Failure

Click Retry button to retry the synchronization agreement creation. If the issue persists, contact Cisco TAC support.

Skipping Periodic Sync

No action required.

Data Transfer has Failed

Click Retry button to continue data transfer. If the issue persists, contact Cisco TAC support.

User Sync Mismatched

Check the Directory Synchronization logs in Unity Connection for errors in User synchronization or contact Cisco TAC support for further assistance.

Users Provisioned Successfully

No action required.

Periodic Sync Data Transfer Successful

No action required.

Failed to fetch user details of some of the selected groups from Webex Common Identity.

Navigate to the Dashboard and select the cluster to get the failed groups details by clicking on the download link provided. Verify whether the users are present in Webex Common Identity and click Retry. Contact Cisco TAC support for further assistance.

Failed to fetch user details of all the selected groups from Webex Common Identity.

Click Retry button to continue data transfer. If the issue persists, contact Cisco TAC support for further assistance.

You can import Azure AD users manually from Import Users in Cisco Unity Connection after cluster provisioning is done from Control Hub.

Two ways of importing Users are as follows:

1

In Cisco Unity Connection Administration, expand Users and select Import Users.

2

On the Import Users page, import the Azure AD user accounts to create Unity Connection users.

  1. Select LDAP Directory in the Find End Users In field.

  2. Select the template on which the new user is based.

  3. Specify the Alias, First Name, or Last Name of the Azure AD user accounts that you want to import.

  4. Check the check boxes against the user accounts that you want to import and select Import Selected.

1

In Cisco Unity Connection Administration, expand Tools and select Bulk Administration Tool.

2

To add Unity Connection users, perform the following steps on the Bulk Administration Tool page:

  1. From Select Operation, select Export.

  2. From Select Object Type, select Users from LDAP Directory.

  3. Enter the values in all the required fields.

  4. Select Submit.

    This creates a CSV file with the Azure AD user data. Open the CSV file in a spreadsheet application or in a text editor and edit the data as applicable. Now, import the data from the CSV file.

  5. From Select Operation, select Create.

  6. From Select Object Type, select Users with Mailbox.

  7. Enter the values in all the required fields.

  8. Select Submit.

3

When import is complete, review the file that you specified in the Failed Objects Filename field to verify that all users are created successfully.

This section provides the necessary information and solutions to resolve some of the common issues that you might face during the various stages of synchronizing users from Control Hub into the Unity Connection database.

Mismatched users

If you see mismatched users, enable synchronization within 20 hours after the new agreement is created. The existing users are marked inactive and are deleted from Unified CM after 24 hours of inactivity.

Error—Data Copy Failed. Please Retry

  • Communication between Cloud-Connected UC and Webex cloud is disrupted or unable to fetch user data from Webex cloud.

    Solution: To confirm whether your connectivity is successful to Cisco Cloud, check the status to these services at: https://status.webex.com/. Click Retry.

  • Communication between Cloud-Connected UC and Unity Connection is disrupted or unable to push user data to Unity Connection database.

    Solution: Check the network connectivity between Cloud-Connected UC and Unity Connection and click Retry. If the issue persists, contact Cisco TAC support.

Error—Failed to Create Synchronization Agreement. Please Retry

  • Communication between Cloud-Connected UC and Unity Connection is disrupted or unable to push the synchronization agreement data into the Unity Connection database.

    Solution: Check the network connectivity between Cloud-Connected UC and Unity Connection and click Retry. If the issue persists, contact Cisco TAC support.

  • Synchronization agreement wasn't created successfully.

Error–Failed to Enable Directory Synchronization. Please Retry

  • Communication between Cloud-Connected UC and Unity Connection is disrupted, and the Cisco DirSync Service isn't triggered.

    Solution: Check the network connectivity between Cloud-Connected UC and Unity Connection and click Retry. If the issue persists, contact Cisco TAC support.

Unable to get Synchronization agreement details. Please try after some time.

Communication between Cloud-Connected UC and Unity Connection is disrupted.

Solution: Check the network connectivity between Cloud-Connected UC and Unity Connection and click Retry. If the issue persists, contact Cisco TAC support.

Failed to fetch user data for selected groups

During first time provisioning, you might encounter issues in downloading user data from any of the specific group(s) that you had selected for synchronization. On the error message, click the download link to view details of the failed group information.

You can also download failed group information for clusters that are already provisioned from the Events History page in Cisco Webex Control Hub. Navigate to the Dashboard and select the cluster to get the failed groups details by clicking on the download link provided. Verify whether the users are present in Webex Common Identity and click Retry. Contact Cisco TAC support for further assistance.

Known issues and limitations for Unity Connection

Known issues and limitations for Unity Connection

If you're experiencing an issue with this feature, check to see if it's something that we already know about and have a recommended workaround.

  • You can disable the Directory Service for a cluster from Control Hub and then re-enable the cluster again. We recommend that you wait for at least 60 seconds before activating the Directory Service for synchronization.

  • After deletion, in case you want to onboard the same Unity Connection cluster to the organization again, you must first disable the Directory Service and then re-provision the same cluster.

  • During provisioning, the group details list doesn't populate due to synchronization issues with Webex Common Identity Service. Users are recommended to abandon provisioning and retry after some time.