How Changes in Azure AD Affect Your Webex Organization

Action in Azure Admin Portal → Result in Webex Organization

Delete user (user goes to Recycle Bin)
  • Webex renames the user and marks the user as Inactive in your organization.
  • If you don't recover the user within 30 days, Azure AD does a permanent deletion, and Webex deletes the user from your organization.
  • For more info, see the Delete User from Azure AD and from Your Webex Organization section of this article.

Restore a recently deleted user from Recycle Bin
  • Webex reactivates the user and changes the username back to the original value.

Delete user from Recycle Bin (permanent delete)
  • Webex deletes the user from your organization.

Remove user from Webex application
  • Webex marks the user as Inactive.

Block user from signing in to Azure
  • Webex marks the user as Inactive.

Change user attributes (for example, display name)
  • Webex updates the user attributes.
  • Changes show in Control Hub as soon as you refresh the user view.
  • Changes take up to 72 hours to show in the Webex app. To force synchronization, desktop users can try to clear the app local cache:

Assign a new user to the Webex application
  • Webex creates the user.

Assign an existing Webex user to the Webex application
  • Webex updates the user and adds an attribute for "externalId" (by default, mapped to the Azure AD objectId attribute).

Follow this procedure to map additional user attributes from Azure to Webex, or to change existing user attribute mappings.

We recommend that you do not change the default attribute mappings unless absolutely necessary. The value that you map as the username is particularly important. Webex uses the user's email address as their username. By default, we map userPrincipalName (UPN) in Azure AD to email address (username) in Control Hub.

If the userPrincipalName does not map to the email in Control Hub, users are provisioned into Control Hub as new users instead of matching existing users. If you want to use another Azure user attribute that is in email address format instead of UPN, you must change that default mapping in Azure AD from userPrincipalName to the appropriate Azure AD user attribute.

1. Sign in to the Azure portal and then go to Azure Active Directory > Enterprise applications > All applications.

2. Open the Cisco Webex application.

3. Select the Provisioning page, expand the Mappings section, and click Provision Azure Active Directory Users.

4. Check the Show advanced options check box and then click Edit attribute list for CiscoWebEx.

5. Choose the Webex attributes to be populated from Azure user attributes. The attributes and mappings are shown later in this procedure.

6. After selecting the Webex attributes, click Save, and then Yes to confirm.

   The Attribute Mapping page opens, so you can map Azure AD user attributes to the Webex user attributes you chose.

7. Near the bottom of the page, click Add new mapping.

8. Choose Direct mapping. Select the Source attribute (Azure attribute) and the Target attribute (Webex attribute), and then click OK.

Table 1. Azure to Webex Mappings

Azure Active Directory Attribute (source) → Webex User Attribute (target)

Attributes Populated by Default
  • userPrincipalName → userName
  • Switch([IsSoftDeleted], , "False", "True", "True", "False") → active
  • displayName → displayName
  • surname → name.familyName
  • givenName → name.givenName
  • objectId → externalId

Additional Available Attributes
  • jobTitle → title
  • usageLocation → addresses[type eq "work"].country
  • city → addresses[type eq "work"].locality
  • streetAddress → addresses[type eq "work"].streetAddress
  • state → addresses[type eq "work"].region
  • postalCode → addresses[type eq "work"].postalCode
  • telephoneNumber → phoneNumbers[type eq "work"].value
  • mobile → phoneNumbers[type eq "mobile"].value
  • facsimileTelephoneNumber → phoneNumbers[type eq "fax"].value

9. Repeat the previous two steps until you have added or modified all the mappings you need, then click Save and Yes to confirm your new mappings.

You can Restore default mappings if you want to start again.

Webex updates user attributes during the next user synchronization.
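The following script is an added example, not Cisco's or Microsoft's code, that applies the Table 1 mappings to an Azure AD user record and builds the Webex (SCIM-style) user object the provisioning service would send. It also checks the caveat above: whether the attribute mapped to userName matches an existing Control Hub email, so the sync updates that user instead of creating a new one. The input record shape, the helper names and the sample user are assumptions; the Switch expression for active is implemented as written in the table.

```python
"""Apply the Azure AD -> Webex attribute mappings from Table 1.
Added illustration, not Cisco or Microsoft code; the record shape,
helper names and sample values are assumptions."""
import re
from typing import Any, Dict, List, Tuple

# (Azure AD source attribute, Webex target attribute), as in Table 1.
# "active" is not a direct mapping: it is the Switch expression, see switch_active().
DEFAULT_MAPPINGS: List[Tuple[str, str]] = [
    ("userPrincipalName", "userName"),
    ("displayName", "displayName"),
    ("surname", "name.familyName"),
    ("givenName", "name.givenName"),
    ("objectId", "externalId"),
]
ADDITIONAL_MAPPINGS: List[Tuple[str, str]] = [
    ("jobTitle", "title"),
    ("usageLocation", 'addresses[type eq "work"].country'),
    ("city", 'addresses[type eq "work"].locality'),
    ("streetAddress", 'addresses[type eq "work"].streetAddress'),
    ("state", 'addresses[type eq "work"].region'),
    ("postalCode", 'addresses[type eq "work"].postalCode'),
    ("telephoneNumber", 'phoneNumbers[type eq "work"].value'),
    ("mobile", 'phoneNumbers[type eq "mobile"].value'),
    ("facsimileTelephoneNumber", 'phoneNumbers[type eq "fax"].value'),
]

# attribute, optional [key eq "value"] filter, optional .subAttribute
_PATH = re.compile(r'^(\w+)(?:\[(\w+) eq "([^"]+)"\])?(?:\.(\w+))?$')


def set_target(target: Dict[str, Any], path: str, value: Any) -> None:
    """Write value at a target path such as addresses[type eq "work"].country."""
    m = _PATH.match(path)
    if m is None:
        raise ValueError(f"unsupported target path: {path}")
    attr, fkey, fval, sub = m.groups()
    if fkey is None:
        if sub is None:
            target[attr] = value                      # userName, title, ...
        else:
            target.setdefault(attr, {})[sub] = value  # name.givenName, name.familyName
        return
    if sub is None:
        raise ValueError(f"filtered path needs a sub-attribute: {path}")
    items = target.setdefault(attr, [])               # multi-valued: addresses, phoneNumbers
    for item in items:
        if item.get(fkey) == fval:                    # reuse the entry with the same type
            break
    else:
        item = {fkey: fval}
        items.append(item)
    item[sub] = value


def switch_active(is_soft_deleted: Any) -> bool:
    """Switch([IsSoftDeleted], , "False", "True", "True", "False"):
    a live user (IsSoftDeleted False) becomes active=True, a soft-deleted one
    active=False; any other value falls through to the empty default."""
    return {"False": "True", "True": "False"}.get(str(is_soft_deleted), "") == "True"


def build_webex_user(azure_user: Dict[str, Any], include_additional: bool = False,
                     user_name_source: str = "userPrincipalName") -> Dict[str, Any]:
    """Produce the Webex user object for one Azure AD record.
    user_name_source is the Azure attribute mapped to userName (the text
    explains when you would change it from userPrincipalName to another
    email-formatted attribute)."""
    mappings = list(DEFAULT_MAPPINGS) + (ADDITIONAL_MAPPINGS if include_additional else [])
    webex: Dict[str, Any] = {}
    for source, target in mappings:
        if target == "userName":
            source = user_name_source
        value = azure_user.get(source)
        if value not in (None, ""):
            set_target(webex, target, value)
    webex["active"] = switch_active(azure_user.get("IsSoftDeleted", False))
    return webex


def provisioning_outcome(webex_user: Dict[str, Any], control_hub_emails: List[str]) -> str:
    """Does the mapped userName match an existing Control Hub user's email?"""
    name = str(webex_user.get("userName", "")).lower()
    known = {e.lower() for e in control_hub_emails}
    return "update existing user" if name in known else "create new user"


# Constructed sample Azure AD user (made-up values, not real data).
SAMPLE_AZURE_USER: Dict[str, Any] = {
    "objectId": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "asmith@contoso.onmicrosoft.com",
    "mail": "alice.smith@contoso.com",
    "displayName": "Alice Smith",
    "givenName": "Alice",
    "surname": "Smith",
    "jobTitle": "Analyst",
    "usageLocation": "US",
    "city": "Austin",
    "mobile": "+1 512 555 0100",
    "IsSoftDeleted": False,
}

if __name__ == "__main__":
    user = build_webex_user(SAMPLE_AZURE_USER, include_additional=True)
    print(user)
    # UPN differs from the Control Hub email, so the default mapping would create a new user.
    print(provisioning_outcome(user, ["alice.smith@contoso.com"]))
    print(provisioning_outcome(build_webex_user(SAMPLE_AZURE_USER, user_name_source="mail"),
                               ["alice.smith@contoso.com"]))
```

Run it as-is to see the two outcomes side by side: with the default mapping the sample user's UPN does not match the Control Hub email and would be provisioned as a new user; switching user_name_source to mail makes the sync match the existing user, which is the situation the text tells you to resolve by changing the mapping in Azure AD.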

This procedure lets you add users or groups to synchronize to the Webex cloud.

Azure AD uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups of users that are "assigned" to an application in Azure AD are synchronized to Control Hub.


Webex can synchronize the users in an Azure AD group, but doesn't synchronize the group object itself.

1. Open the Cisco Webex application in the Azure portal, then go to Users and groups.

2. Click Add Assignment.

3. Find the users/groups you want to add to the application:
   • Find individual users to assign to the application.
   • Find a group of users to assign to the application.

4. Click Select and then click Assign.

Repeat these steps until you have all the groups and users you want to synchronize with Webex.

You can remove user assignments from Azure AD. This retains the Azure AD user accounts but prevents those accounts from accessing applications and services in your Webex organization.

When you remove the user assignment, Webex marks the user as Inactive.

1. From the Azure portal, go to Enterprise applications, and then choose the Webex application that you added.

2. Choose a user or group of users from the list of those assigned to the application.

3. Click Remove, and then click Yes to confirm the removal.

Upon the next sync event, the user or group of users is removed from the Webex application.

When you delete a user from Azure AD, the following events happen:
  • Azure AD moves the user to the Deleted Users page (also known as the Active Directory recycle bin).

  • Azure AD changes the user's userPrincipalName (UPN), adding a string of digits to the beginning.

  • The update triggers Webex to rename the user and mark the user as Inactive in your organization.

  • Webex revokes the user tokens.

At this point, the user is "soft" deleted and remains in the Active Directory recycle bin for up to 30 days. If you restore the user from the recycle bin, Control Hub reactivates the user, restores the tokens, and renames the user to the original email/UPN address.

If you delete the user from the Active Directory recycle bin, or you take no action and the 30 days elapse, Azure AD permanently deletes the user. The permanent deletion triggers Webex to remove the user. (As part of the removal, Webex sends the user data to its archive service where compliance officers can view the user data subject to your organization's data retention policy.)

If you later re-add a permanently deleted user's email address to Azure AD, Webex creates an entirely new account.
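The following script is an added example, not Cisco's or Microsoft's code, that models the deletion sequence just described together with the other Azure AD actions from the table at the top of the article (attribute change, unassignment or sign-in block, restore, permanent delete). The record layout, the method names and the sample user are assumptions, and the digit prefix used for the recycle-bin UPN is a made-up stand-in, not Azure AD's real renaming scheme; what the model preserves is the effect of each event on the Webex user: rename, Inactive flag, token revocation and restoration, removal to the archive, and a fresh account when the same email is re-added later.

```python
"""Model of how Azure AD user events propagate to a Webex organization.
Added illustration, not Cisco or Microsoft code; the record layout, method
names and sample values are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class WebexUser:
    user_name: str                  # email address, mapped from the Azure AD UPN
    external_id: str                # Azure AD objectId
    display_name: str = ""
    active: bool = True
    tokens: List[str] = field(default_factory=list)
    revoked: List[str] = field(default_factory=list)  # held back for a possible restore


class WebexOrg:
    """Users keyed by externalId, plus what the archive service receives on removal."""

    def __init__(self) -> None:
        self.users: Dict[str, WebexUser] = {}
        self.archive: List[WebexUser] = []

    def assign(self, object_id: str, upn: str, display_name: str = "") -> WebexUser:
        """Assign a new user to the Webex app: Webex creates the user."""
        user = WebexUser(upn, object_id, display_name, tokens=[f"token-{object_id}"])
        self.users[object_id] = user
        return user

    def update_attributes(self, object_id: str, **attrs: str) -> WebexUser:
        """Attribute change in Azure AD: Webex updates the mapped attributes."""
        user = self.users[object_id]
        for name, value in attrs.items():
            setattr(user, name, value)
        return user

    def deactivate(self, object_id: str) -> WebexUser:
        """Unassign from the app, or block sign-in in Azure: Webex marks the user Inactive."""
        user = self.users[object_id]
        user.active = False
        return user

    def soft_delete(self, object_id: str, renamed_upn: str) -> WebexUser:
        """User moved to the recycle bin: Azure AD changes the UPN, Webex renames the
        user, marks it Inactive and revokes its tokens."""
        user = self.users[object_id]
        user.user_name = renamed_upn
        user.active = False
        user.revoked, user.tokens = user.tokens, []
        return user

    def restore(self, object_id: str, original_upn: str) -> WebexUser:
        """Restore from the recycle bin: Webex reactivates the user, renames it back
        to the original email/UPN and restores the tokens."""
        user = self.users[object_id]
        user.user_name = original_upn
        user.active = True
        user.tokens, user.revoked = user.revoked, []
        return user

    def hard_delete(self, object_id: str) -> Optional[WebexUser]:
        """Permanent deletion (recycle bin emptied, or 30 days elapsed): Webex removes
        the user and sends the record to its archive service."""
        user = self.users.pop(object_id, None)
        if user is not None:
            self.archive.append(user)
        return user


def recycle_bin_upn(upn: str, prefix_digits: str) -> str:
    """Constructed stand-in for the renamed UPN: Azure AD prepends a string of
    digits; the digits passed in here are made up, not Azure AD's real scheme."""
    return prefix_digits + upn


def run_lifecycle() -> WebexOrg:
    """Walk one constructed user through the whole sequence from the text."""
    org = WebexOrg()
    org.assign("obj-0001", "alice@example.com", "Alice")
    org.update_attributes("obj-0001", display_name="Alice Example")
    org.soft_delete("obj-0001", recycle_bin_upn("alice@example.com", "20240101"))
    org.restore("obj-0001", "alice@example.com")
    org.hard_delete("obj-0001")
    # Re-adding the same email after a permanent delete gives the user a new
    # objectId in Azure AD, so Webex creates an entirely new account.
    org.assign("obj-0002", "alice@example.com", "Alice Example")
    return org


if __name__ == "__main__":
    result = run_lifecycle()
    print({k: (u.user_name, u.active) for k, u in result.users.items()})
    print("archived:", [u.user_name for u in result.archive])
```

The model keys users by externalId rather than by email on purpose: that is why a restore returns the same account (same objectId, original UPN, tokens back) while a re-created user after a permanent delete is a different account even though the email is identical.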

1. Go to Users, check a check box next to each user account that you want to delete, and then click Delete user.

   Users are moved to the Deleted users tab.

   In Control Hub, users are moved into a "soft delete" state and are not deleted immediately. They are also renamed. Azure AD sends these changes to the Webex cloud. Control Hub then reflects these changes and marks the user as Inactive. All tokens are revoked for the user.

2. To verify any records of the user deletion, go to Audit logs and then run a search on the User Management category or on the Delete user activity.

   When you open a deleted user audit log and click Target(s), you'll see the userPrincipalName has a string of numbers and characters before the @.

If you're performing any eDiscovery actions in Control Hub, you must get the userPrincipalName from the audit logs in Azure AD. For more information on eDiscovery, see Ensure Regulatory Compliance of Webex App and Meetings Content.