System for Cross-Domain Identity Management (SCIM)
The integration between users in the directory and Webex Control Hub uses the System for Cross-Domain Identity Management (SCIM) API. SCIM is an open standard for automating the exchange of user identity information between identity domains or IT systems, designed to make it easier to manage user identities in cloud-based applications and services. SCIM exposes a standardized REST API (JSON resources over HTTPS), so the identity provider pushes user changes to the service provider rather than the service having to poll the directory.
Add Cisco Webex From the Azure Application Gallery
Before configuring Webex Control Hub for automatic user provisioning with Azure AD, you need to add Cisco Webex from the Azure AD application gallery to your list of managed applications.
If you already integrated Webex Control Hub with Azure for single sign-on (SSO), Cisco Webex is already in your enterprise applications and you can skip this procedure.
1. Sign in to the Azure portal at https://portal.azure.com with your administrator credentials.
2. Go to Azure Active Directory for your organization.
3. Go to Enterprise Applications and then click Add.
4. Click Add an application from the gallery.
5. In the search box, type Cisco Webex.
6. In the results pane, select Cisco Webex, and then click Add to add the application. A message appears that says the application was added successfully.
Configure Azure AD for User Synchronization
Use this procedure to set up provisioning from Azure AD and to enter the bearer token for your organization. The steps cover the necessary and the recommended administrative settings.
Before you begin
Get your organization ID from the customer view in Control Hub: click your organization name on the bottom left and then copy the value from Organization ID into a text file. You'll need this value when you enter the tenant URL. We will use this value as an example: a35bfbc6-ccbd-4a17-a488-72gf46c5420c.
1. Sign in to the Azure portal and then go to Azure Active Directory > Enterprise applications > All applications.
2. Choose Cisco Webex from your list of enterprise applications.
3. Go to Provisioning, and then change the Provisioning Mode to Automatic.
4. Enter the Tenant URL in the required form, replacing the organization ID placeholder with the Organization ID value that you copied before you began.
5. Obtain the bearer token value for your organization; this is the value you enter as the Secret Token.
6. Return to the Azure portal and paste the token value into Secret Token. Treat this token as a privileged credential: it is what authorizes Azure AD to create, update, and deactivate users in your Webex organization, so store it only in this provisioning configuration and do not copy it into tickets, chat messages, or scripts that are checked in.
7. Click Test Connection so that Azure AD can confirm that the tenant URL and token are accepted. A successful result states that the credentials are authorized to enable user provisioning.
8. Enter a Notification Email, check the check box if you want to be notified of errors during provisioning, and then click Save to capture the configuration changes that you made.
9. Click the link under Mappings if you want to check which Azure AD attributes map to attributes in the cloud.
10. Choose a user synchronization scope to determine which users are synchronized to the Webex cloud. We recommend Sync only assigned Users and Groups: the alternative provisions every account in the directory into Webex, whereas the assigned scope limits provisioning to the users and groups that you explicitly assign to the application.
11. Toggle Provisioning Status to On.
What to do next
If you chose to synchronize all users to the cloud, you're finished, and synchronized user accounts appear in Control Hub. From the customer view in https://admin.webex.com, go to Users, and then verify that the Azure Active Directory user accounts synchronized properly. Because this synchronization happens through an API, there is no status indication in Control Hub; check the logs in the Azure portal to see the status of the user synchronization.
Otherwise, follow the next procedure to choose the specific users or groups of users to synchronize.
To get a record of changes that relate to Azure AD user synchronization and to isolate potential issues, open the audit logs: under Activity, click Audit logs. This view shows every log entry; to narrow it to provisioning events, filter on Account Provisioning for the Service filter and UserManagement for the Category filter.
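Because Control Hub shows no provisioning status, it helps to be able to check the SCIM endpoint out of band with the same tenant URL and bearer token that Azure AD uses. The script below is an added example, not Cisco's code and not part of the original page: it builds the GET /Users request that a connection test issues, validates the SCIM ListResponse that comes back, and splits the returned users into active and inactive (the inactive state is what a user soft-deleted in Azure AD ends up in). The tenant URL and token are assumed to come from the operator (here, the environment variables WEBEX_SCIM_TENANT_URL and WEBEX_SCIM_TOKEN, both names chosen for this example), the token is never printed, and the sample response used when no credentials are present is constructed for the demo.

```python
"""Out-of-band check of a SCIM tenant URL and bearer token (added example)."""
import json
import os
import urllib.error
import urllib.request

# SCIM 2.0 schema URIs (RFC 7643/7644), used to validate what the endpoint returns.
LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


def build_users_request(tenant_url, token, count=100, start=1):
    """Build the GET /Users request a provisioning connection test issues.

    The tenant URL form is whatever the operator configured in Azure AD (assumed,
    not hard-coded here); only a trailing slash is normalized.
    """
    url = f"{tenant_url.rstrip('/')}/Users?startIndex={start}&count={count}"
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",   # the same secret Azure AD stores
        "Accept": "application/scim+json",
    })


def parse_list_response(body):
    """Validate a SCIM ListResponse and summarize its users by the active flag."""
    doc = json.loads(body)
    if LIST_RESPONSE not in doc.get("schemas", []):
        raise ValueError("response is not a SCIM ListResponse")
    resources = doc.get("Resources", [])
    active, inactive = [], []
    for user in resources:
        if USER_SCHEMA not in user.get("schemas", []):
            continue                       # ignore non-User resources
        bucket = active if user.get("active", True) else inactive
        bucket.append(user.get("userName"))
    return {
        "total": doc.get("totalResults", len(resources)),
        "returned": len(resources),
        "active": active,
        "inactive": inactive,              # soft-deleted users show up here
    }


def check_connection(tenant_url, token, opener=urllib.request.urlopen):
    """Return (ok, detail). A 401/403 here means the Azure AD test would fail too."""
    request = build_users_request(tenant_url, token, count=1)
    try:
        with opener(request) as response:
            return True, parse_list_response(response.read())
    except urllib.error.HTTPError as err:
        return False, {"status": err.code, "reason": err.reason}


# Constructed sample: one active user and one soft-deleted (inactive, renamed) user.
SAMPLE_BODY = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 2,
    "Resources": [
        {"schemas": [USER_SCHEMA], "id": "u-1",
         "userName": "alice@example.com", "active": True},
        {"schemas": [USER_SCHEMA], "id": "u-2",
         "userName": "u-2-deleted@example.com", "active": False},
    ],
}).encode()


class _CannedResponse:
    """Minimal stand-in for the response object urlopen returns (offline demo)."""
    def __init__(self, body):
        self._body = body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False

    def read(self):
        return self._body


def canned_opener(_request):
    """Opener that answers every request with SAMPLE_BODY; no network involved."""
    return _CannedResponse(SAMPLE_BODY)


if __name__ == "__main__":
    tenant_url = os.environ.get("WEBEX_SCIM_TENANT_URL")
    token = os.environ.get("WEBEX_SCIM_TOKEN")
    if tenant_url and token:
        print(check_connection(tenant_url, token))
    else:
        print(check_connection("https://example.invalid/scim", "x", opener=canned_opener))
```

The request and the parsing are kept apart from the network call so the same code can be exercised offline; in a real check, a 401 or 403 from `check_connection` tells you the token or tenant URL is wrong before you spend time reading Azure AD's provisioning logs, and a non-empty `inactive` list is the quickest way to see which accounts are sitting in the soft-deleted state.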
Add Group of Users to Application in Azure AD
If you didn't choose all users and groups for the provisioning scope, use this procedure to choose the users that you want to synchronize to the Webex cloud. This option lets you limit access to the applications in your Webex organization to a subset of your directory users.
Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that are "assigned" to an application in Azure AD are synchronized to Control Hub.
1. From the Azure portal, go to Users and groups, and then choose Add Assignment.
2. Search for the group of users that you want to add to the application.
3. Click Select and then click Assign. The list shows all the users that are assigned to your application; these are the users that Azure AD provisions the next time it runs a synchronization to the Webex cloud.
4. From the customer view in https://admin.webex.com, go to Users, and then verify that the Azure Active Directory user accounts synchronized properly. Because this synchronization happens through an API, there is no status indication in Control Hub; check the logs in the Azure portal to see the status of the user synchronization.
Remove Assigned Users from an Application
You can remove user assignments from Azure AD. This retains the Azure AD user accounts but removes those accounts' access to the applications in your Webex organization.
1. From the Azure portal, go to Enterprise applications, and then choose the Webex application that you added.
2. Choose a user or group of users from the list of those assigned to the application.
3. Click Remove, and then click Yes to confirm the removal. On the next sync event, the user or group of users is removed from the Webex application.
Delete User from Azure AD
1. Go to Users, check the check box next to each user account that you want to delete, and then click Delete user. The users are moved to the Deleted users tab. Azure Active Directory sends these changes to the Webex cloud; in Control Hub the users enter a "soft delete" state rather than being deleted immediately: each user is renamed and marked Inactive, and all of that user's tokens are revoked.
2. To verify the record of the user deletion, go to Audit logs and then search on the User Management category or on the Delete user activity.
What to do next
You have 30 days to recover "soft" deleted users before they are permanently deleted. If you recover a user in Azure Active Directory, Control Hub reactivates the user and renames the user back to the original email/UPN address.
If you do not recover the user, Azure Active Directory performs a hard delete and the user is also removed from Control Hub. If the same email address is later re-added to Azure Active Directory, a new user account is created rather than the old one being restored.