Skip to main content
8x8 Support

Azure AD: 8x8 App Installation and Configuration

Objective

Installation and configuration of the 8x8 app for Azure AD.

Topics covered in this article are:

Applies To

  • 8x8 Admin Console
  • Microsoft Azure Active Directory (Azure AD)
  • Single Sign-On (SSO)
  • User Provisioning (SCIM)

Configuring User SSO Login

Note-Icon.png If you have already configured Azure SSO login to 8x8 applications, and want to apply SCIM user provisioning to 8x8 Admin Console, skip to User Provisioning Configuration (SCIM).

Add the 8x8 App to Azure

  1. Log in to the Azure Active Directory admin center.
  2. In Enterprise applications click New application.

clipboard_e31af4a3f0f77043026228e9f13247ff2.png

  1. In the Azure AD Gallery, search for 8x8. The icon will have a red background with white text. clipboard_eb5c06f111f813fe1a030c637ae79c9af.png
  2. Select the 8x8 app, optionally rename it, and click Create.
  3. Configure Single Sign-On by following the instructions in this link: Tutorial: Azure AD SSO integration with 8x8.

clipboard_e574b4bc1eb51f76aa750000732e8f2e5.png

Azure SSO Configuration

  1. In the Azure Active Directory admin center > Enterprise applications, click on 8x8 and click Single sign-on.
  2. Click SAML.

clipboard_e2a9ce005ac2ceebd5c0fd54915d0bed6.png

  1. In Basic SAML Configuration, click Edit.

clipboard_e097cb011f48a5c32a1b5c9f810af0081.png

In Basic SAML Configuration, perform the following steps:

  1. In Identifier (Entity ID), add the following URL into the blank field, and click the Default check box to set it as the default.
    • https://sso.8x8.com/saml2
  2. Click the trash can icon clipboard_e43efd60d554ec24f4ec713bbf6e78d4a.png for all pre-configured values for Identifier to remove them.

clipboard_e9f2a4b056715f7ba2f5408a0e9244f32.png

  1. In the Reply URL box, enter the same URL as for the Identifier:
    • https://sso.8x8.com/saml2

clipboard_e5554c3747edbc2cef63a62f4448f7520.png

Your Basic SAML Configuration should appear as in the screenshot below:

clipboard_e432de82ab5401f55fae8c6a09c5191a4.png

  1. Next, in SAML Signing Certificate > Certificate (Base64) click Download, and save the 8x8.cer certificate file onto your computer. You'll apply the certificate later, when configuring Single Sign-On in the 8x8 Admin Console.
    • Critical: Use only the Base64 certificate for configuring Single Sign-On Integration in the 8x8 Admin Console. User single sign-on will fail if you apply other available certificate types.

clipboard_e0b447bc86ec3871d0abaaf7c05eebc9b.png

  1. In Set up 8x8, click on Configuration URLs to expand the section (as needed).
  2. Individually click the Copy to clipboard icon clipboard_ebabe5ad7f23f5b15c49e13810fed747b.png for each of the URLs you will use, and paste them into a text editor. You'll need these URLs later, when configuring Single Sign-On Integration in the 8x8 Admin Console.
    • Login URL
    • Azure AD Identifier
    • Logout URL

Note that the Logout URL is optional for 8x8 SSO. If it is applied in 8x8 Admin Console, users logging out of 8x8 services will also be logged out of all Microsoft services.

clipboard_e6a7603d1f1745e48433d802eaed99346.png

Assigning Azure AD Users

  1. In the Azure portal, select Enterprise applications, and then select All applications.
  2. In the applications list, click 8x8.

clipboard_ed637f1ec8260d6b12edf085172913121.png

  1. In Manage, click Users and groups.
  2. Click Add user/group.

clipboard_e49bb8d2868ea98a78e010fc6fb55ffaf.png

  1. Click None Selected to open the Users and groups selection dialogue.
  2. Click on the users and/or groups you wish to log into 8x8 services using SSO.
  3. Click Select and then Assign to complete the assignment of the 8x8 app to users/groups.

clipboard_e15746af49cd46057cb5fa091d75db1cb.png

8x8 Admin Console Configuration

  1. First, log in to the 8x8 Admin Console.
  2. From the Home page, click Identity and Security.

clipboard_e9c7d3102b69fbc9354e35a92e481a2fb.png

  1. In Single Sign-On Integration (SSO), click the slider to enable clipboard_e819252ed97214f77c3f0475a87c8fb16.png SSO integration.
  2. Select Microsoft Azure AD.

clipboard_e7917a604c30a99b2f74ffa39033af62f.png

  1. Now you'll apply the URLs and signing certificate that you previously obtained from the 8x8 app in Azure:
    1. Copy and paste the Azure Login URL to the 8x8 Sign-in page URL field.
    2. Copy and paste the Azure Azure AD Identifier to the 8x8 IDP Issuer URL/URN field.
    3. (Optional) Copy and paste the Azure Logout URL to the 8x8 Sign-out page URL field.
    4. In Certificate in use, click on Click to attach and select the Base64 certificate file that you previously downloaded from Azure.
    5. Click Save to apply your 8x8 SSO configuration.

clipboard_ed33b90842ad01f39d65b2b0577ee9eea.png

User Provisioning Configuration (SCIM)

Important-Icon.png

IMPORTANT:

New users provisioned through any SCIM process – such as through Azure or Okta – must be manually assigned an 8x8 X Series license in the 8x8 Admin Console. The SCIM user provisioning process does not apply X series licenses to users.

ALSO:

New users who are provisioned through SCIM will not automatically be made visible in the Company directory. This must also be manually configured for the user(s) in the 8x8 Admin Console.

8x8 Admin Console

  1. First, log in to the 8x8 Admin Console.
  2. From the Home page, click Identity and Security.

clipboard_e9c7d3102b69fbc9354e35a92e481a2fb.png

  1. In User Provisioning Integration (SCIM), click the slider to enable clipboard_e819252ed97214f77c3f0475a87c8fb16.png SCIM integration.
  2. Select Microsoft Azure AD.
  3. In the Microsoft Azure AD User Provisioning section, click the Copy button clipboard_eff69243f2ed10d6b2b6c64acfe0bd2eb.png for each of the following sections and paste the copied information into a text editor. You'll apply this information in Azure to enable provisioning of users to 8x8:
    • 8x8 URL
    • 8x8 API Token

clipboard_e415924839f384608ab91c04e9094aa0f.png

  1. Click Advanced settings to expand that section.
  2. Click the drop-down menu and select the appropriate user retrieval option:
    • All users
      • Retrieves users created in and synced from Azure and users created directly in 8x8 Admin Console, thereby allowing Azure to take control of 8x8 user profiles if the login IDs in both locations are identical.
    • Only users created by the identity provider
      • Limits user retrieval to only those users created in and synced from Azure.

clipboard_e19fd4b2594531b4aefb362ce28abcd69.png

  1. Click Save to complete your changes in the 8x8 Admin Console.

Azure Active Directory

  1. Return to the Azure Active Directory admin center.
  2. Navigate to the Provisioning blade of your installed 8x8 app.

clipboard_e4a6485b4ababe6d01c79bf54f2b8399f.png

  1. Click Get started.

clipboard_e70252a27aa7b71b4bbd432d4442a5b6d.png

  1. Change the Provisioning Mode to Automatic.
  2. Paste the 8x8 URL value you copied from 8x8 Admin Console in the previous section into the Tenant URL field.
  3. Paste the 8x8 API Token value you copied from 8x8 Admin Console in the previous section into the Secret Token field.

clipboard_e980f0b6897ed014710c831ea48c7761b.png

  1. Click Test Connection. You should receive a success confirmation message.
  2. Click Save to complete this configuration.

clipboard_ef12ab108e3ac41a419ffd44df27568c0.png

User Provisioning Configuration Options

Create a user

To create a user in 8x8, assign them to the 8x8 App. New users will appear in Admin Console when the next Azure AD sync cycle runs.

Note-Icon.png

Note: 8x8 recommends that each AD user to be assigned to 8x8 has their Office attribute (physicalDeliveryOfficeName) set to the name of the 8x8 Site they belong to. For this, you can simply copy the site name from Admin Console into.

Note: Azure AD provisioning activity typically runs on a 40 minute cycle. Please allow one hour between assigning a user to the 8x8 app before the user appears in Admin Console.

Any unlicensed 8x8 users are visible along with their contact number to the licensed users in their corporate directory. If you do not intend to assign an 8x8 license to the created user then no further action is required.

To configure a user with an X Series service you must sign into Admin Console and assign an X Series license to the user. Then edit the user individually , or in bulk, using the Edit feature.

User changes

Whenever an Azure AD user that has been assigned to the 8x8 app is updated, Azure AD automatically pushes any changes to 8x8.

Deactivate and activate a user

If a user has their Block sign in (isSoftDeleted) attribute set to Yes in Azure AD, they are deactivated in 8x8 and are no longer able to make or receive phone calls (except Emergency calls). They are also not able to log in to any applications. Existing login sessions expire within half an hour. The user is not deleted and they retain their X Series license and settings.

When you unblock a sign-in for a user in Azure AD it also re-activates that user in 8x8.

Delete a user

Deleting a user in Azure AD is a two-stage process:

  1. Initial deletion is a soft-delete which moves the user to the “Deleted users” blade in Azure AD. This causes the user to be deactivated in 8x8 (This is similar to blocking sign-in from Azure AD).
  2. When a user is fully deleted from Azure AD, nothing further happens to the 8x8 user. If the user had not already been deactivated, then the user is deactivated at this point, but not deleted. It is not possible to delete an 8x8 user via the integration, you need to do this individually in Admin Console.

Administration restrictions in 8x8 Admin Console

When a user is created in 8x8 via the Azure AD app, 8x8 considers the user to be owned by Azure AD. This activates some administration restrictions in Admin Console, specifically preventing any changes to the key user attributes that are mastered in AD:

  • Username
  • First name
  • Last name
  • Email address
  • Deactivation and Activation

These restrictions are there to ensure your 8x8 users do not become out of sync with Azure AD.

Unassign users from the 8x8 app

When a user is unassigned from the 8x8 app in Azure AD, they are deactivated in the 8x8 app but not deleted.

Link an existing 8x8 user to Azure AD

If you create a user in 8x8 Admin Console directly, and there is an equivalent user in Azure AD, then assigning the Azure AD user to the 8x8 app in Azure AD is enough to link them providing the following criteria are met:

  • Their Username in Admin Console matches their User name (userPrincipalName) in Azure AD.
  • Upon initial assignment to the 8x8 app, Azure AD checks if the user’s attributes are in sync and updates the 8x8 user accordingly. At this point, Admin Console considers the user to be owned by Azure AD and prevents any changes to those attributes that are mapped from Azure AD. This restriction avoids data inconsistency by enforcing that changes are only made to the master data source of the user.

Disable the integration

If you want to temporarily disable the integration, navigate to the app in Azure AD. Click Stop provisioning and OK to confirm. 

clipboard_e1e755d863f1f77a03502b748d9aaeac8.png

Site

Each 8x8 user created through the 8x8 Azure AD app must be associated with a Site before they can be assigned an X Series license. To do this, you need to ensure that the Office (physicalDeliveryOfficeName) attribute contains the exact name of one of your Sites from Admin Console.

In the default installation, Site is set from the Office (physicalDeliveryOfficeName) attribute in AD, but you can change this in app mappings to suit your AD environment if required.

If your 8x8 installation has only one Site, you can opt to hard-code its name in the 8x8 application's attribute mappings using a “Constant” mapping type. This avoids the need to set the Office (physicalDeliveryOfficeName) attribute for each user.

Important-Icon.png

Note: A user's site cannot be modified once it is set.

Note: If you change the name of any of your Sites in 8x8 Admin Console, the synchronization of users is broken until their Office (physicalDeliveryOfficeName) attribute matches in AD.

Contact numbers

In the default installation, the AD user’s Office phone (telephoneNumber) and Mobile phone (mobile) attributes are passed to 8x8 as contact numbers and will be displayed to other 8x8 users in the following places:

  • Company directory of 8x8 Work for Desktop and Mobile
  • Contact Center directory
  • Switchboard Pro directory

Note: Contact numbers are not displayed in the directory of physical desk phones.

User Provisioning Attribute Mappings

Default attribute mappings

This table shows the default set of attribute mappings for user provisioning.

Azure AD Attribute Azure AD Portal Name System for Cross-domain
Identity Management (SCIM) Attribute
8x8 Admin Console Name
userPrincipalName User name userName Username
objectID Object ID externalId Not visible in Admin Console
mail Not visible in AD portal emails[type eq "work"].value Email
Not([IsSoftDeleted]) Block sign in active User is greyed out
Last name First name name.givenName givenName
First name Last name name.familyName surname
jobTitle Job title title Job title
department Department urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department Department
mobile Mobile phone phoneNumbers[type eq "mobile"].value Personal contact number
telephoneNumber Office phone phoneNumbers[type eq "work"].value Not visible in Admin Console
physicalDeliveryOfficeName Office urn:8x8:scim:schemas:extension:8x8user:2.0:User:site Site

Advanced attribute mappings

This table displays additional attributes that are available but not mapped by default. Instructions for configuration of advanced mappings is outside the scope of this guide.

System for Cross-domain
Identity Management (SCIM) Attribute
Suggested Azure AD attribute Notes
locale PreferredLanguage PreferredLanguage may be set through the AzureAD powershell module
timezone User extension attribute