You can add Webex to Azure Active Directory (Azure AD) and then synchronize users from the directory in to your organization managed in Control Hub. The synchronization requires no on-premises infrastructure or connectors. This integration keeps your user list in sync whenever a user is created, updated, or removed from the application in Azure AD.
System for Cross-domain Identity Management (SCIM)
The integration between users in the directory and Control Hub uses the System for Cross-domain Identity Management ( SCIM) API. SCIM is an open standard for automating the exchange of user identity information between identity domains or IT systems. SCIM is designed to make it easier to manage user identities in cloud-based applications and services. SCIM uses a standardized API through REST.
Azure AD doesn't synchronize null values. If you set an attribute value to NULL, it is not deleted or patched with a NULL value in Webex. If this limitation affects your users, contact Microsoft for support.
Please remove these attributes from the Okta mapping or remove the update from the sync configuration.
Before configuring Webex Control Hub for automatic user provisioning with Azure AD, you need to add Cisco Webex from the Azure AD application gallery to your list of managed applications.
If you already integrated Webex Control Hub with Azure for single sign-on (SSO), Cisco Webex is already added to your enterprise applications and you can skip this procedure.
Sign in to the Azure portal at https://portal.azure.com with your administrator credentials.
Go to Azure Active Directory for your organization.
Go to Enterprise Applications and then click Add.
Click Add an application from the gallery.
In the search box, type Cisco Webex.
In the results pane, select Cisco Webex, and then click Add to add the application.
A message appears that says the application was added successfully.
To make sure that the Webex application you've added for synchronization doesn't show up in the user portal, open the new application, go to Properties, and set Visible to users? to No.
This procedure lets you choose users to synchronize to the Webex cloud.
Azure AD uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups of users that are "assigned" to an application in Azure AD are synchronized to Control Hub.
Webex can synchronize the users in an Azure AD group, but doesn't synchronize the group object itself.
If you are configuring your integration for the first time, we recommend you assign one user for testing, and then add other users and groups after a successful test.
Open the Cisco Webex application in the Azure portal, then go to Users and groups.
Click Add Assignment.
Find the users/groups you want to add to the application:
Click Select and then click Assign.
Repeat these steps until you have all the groups and users you want to synchronize with Webex.
Use this procedure to set up provisioning from Azure AD and obtain a bearer token for your organization. The steps cover necessary and recommended administrative settings.
If your organization enforces that all users must have a verified domain, then future sync doesn't allow user creation for unverified domains. Most Webex for Government organizations require verified domains.
Before you begin
Get your organization ID from the customer view in Control Hub. Click your organization name on the bottom left and then copy the Organization ID into a text file. You need this value when you enter the tenant URL. We use this value as an example in this article:
Sign in to the Azure portal and then go to .
Choose Cisco Webex from your list of enterprise applications.
Go to Provisioning, and then change the Provisioning Mode to Automatic.
The Webex App includes some default mappings between Azure AD user attributes and Webex user attributes. These attributes are enough to create users, but you can add more as described later in this article.
Enter the Tenant URL.
The following table shows the URL for your Webex offer. Replace
For example, your tenant URL might look like this:
Follow these steps to get the bearer token value for the Secret Token:
Return to the Azure portal and paste the token value into Secret Token.
Click Test Connection to make sure that Azure AD recognizes the organization and token.
A successful result states that the credentials are authorized to enable user provisioning.
Enter a Notification Email and check the box to get email when there are provisioning errors.
What to do next
For info on making changes to the synchronized organization, see the Manage Synchronized Azure Active Directory Users help article.
Follow this procedure to map additional user attributes from Azure to Webex, or to change existing user attribute mappings.
Azure to Webex mapping does not synchronize every single user detail. Some aspects of user data are not synchronized:
We recommend that you do not change the default attribute mappings unless absolutely necessary. The value that you map as the username is particularly important. Webex uses the user's email address as their username. By default, we map userPrincipalName (UPN) in Azure AD to email address (username) in Control Hub.
If the userPrincipalName does not map to the email in Control Hub, users are provisioned into Control Hub as new users instead of matching existing users. If you want to use another Azure user attribute that is in email address format instead of UPN, you must change that default mapping in Azure AD from userPrincipalName to the appropriate Azure AD user attribute.
Before you begin
You have added and configured the Cisco Webex app to your Azure Active Directory, and tested the connection.
You can modify the user attribute mappings before or after you start synchronizing users.
Sign in to the Azure portal and then go to Azure Active Directory > Enterprise applications > All applications.
Open the Cisco Webex application.
Select the Provisioning page, expand the Mappings section, and click Provision Azure Active Directory Users.
Check the Show advanced options check box and then click Edit attribute list for CiscoWebEx.
Choose the Webex attributes to be populated from Azure user attributes. The attributes and mappings are shown later in this procedure.
After selecting the Webex attributes, click Save, and then Yes to confirm.
The Attribute Mapping page opens, so you can map Azure AD user attributes to the Webex user attributes you chose.
Near the bottom of the page, click Add new mapping.
Choose Direct mapping. Select the Source attribute (Azure attribute) and the Target attribute (Webex attribute), and then click OK.
Repeat the previous two steps until you have added or modified all the mappings you need, then click Save and Yes to confirm your new mappings.
Your mappings are done and the Webex users will be created or updated on the next synchronization.