Install and configure the 8x8 app for Azure AD.
- 8x8 Admin Console
- Microsoft Azure Active Directory (Azure AD)
If you already have the 8x8 app installed in your Azure AD environment (for example, you are already using Single Sign-On), you can skip the installation step and start at User Provisioning Configuration.
Install the application
- Log in to the Azure Active Directory Admin Center.
- In Enterprise applications go to New application.
- In the App Gallery, search for 8x8.
- Select the app, optionally rename it, and click Create.
- Configure Single Sign-On by following the instructions in this link: Tutorial: Azure AD SSO integration with 8x8.
1. In the Azure portal, on the 8x8 application integration page, find the Manage section and select Single sign-on.
2. Select SAML.
3. Click Edit. On the Basic SAML Configuration section, perform the following steps:
a. Remove any pre-configured values for Identifier and replace with a single value: https://sso.8x8.com/saml2
b. Ensure the "Default" check-box is checked against this one remaining Identifier.
c. In the Reply URL box enter "https://sso.8x8.com/saml2".
4. On the Set up single sign-on with SAML page, in the SAML Signing Certificate section, find Certificate (Base64) and select Download to download the certificate and save it on your computer. You will use the certificate later in the tutorial in the Configure 8x8 SSO section.
5. On the Set up 8x8 section, copy the URL(s). You will use these URL values later in the tutorial.
Assign Azure AD users
In the Azure portal, select Enterprise Applications, and then select All applications.
In the applications list, select 8x8.
In the app's overview page, find the Manage section and select Users and groups.
Select Add user, then select Users and groups in the Add Assignment dialog.
In the Users and groups dialog, select the users from the Users list, then click the Select button at the bottom of the screen.
In the Add Assignment dialog, click the Assign button.
Configure 8x8 Admin Console
Log in to 8x8 Admin Console.
From the Home page, click Identity Management.
Check Single Sign On (SSO) then select Microsoft Azure AD.
Copy the three URLs and signing certificate from the Set up Single Sign-On with SAML page in Azure AD into the Microsoft Azure AD SAML Settings section in 8x8 Admin Console.
a. Copy Login URL to IDP Login URL.
b. Copy Azure AD Identifier to IDP Issuer URL/URN.
c. Copy Logout URL to IDP Logout URL.
d. Download Certificate (Base64) and upload to Certificate.
e. Click Save.
User Provisioning Configuration
1. Configure an authentication token in Admin Console.
a. Go to https://login.8x8.com.
b. Enter your credentials and click Login.
c. In the 8x8 Application Panel, select the Admin Console tile.
d. Select the Identity Management tile.
e. In the Microsoft Azure AD User Provisioning section, click Show user provisioning information.
f. Copy the 8x8 URL and 8x8 API Token field values as you need these values to complete the next section.
2. Configure the 8x8 app in Azure AD
a. Log back in to the Azure Active Directory Admin Center.
b. In the Provisioning blade of your installed app, click Get started.
c. Change the Provisioning Mode to Automatic.
d. Paste the 8x8 URL value you copied from Admin Console, in the previous section, into the Tenant URL field.
e. Paste the 8x8 API Token value you copied from Admin Console, in the previous section, into the Secret Token field.
f. Click Test Connection.
g. Click Save.
User Provisioning Configuration Options
Create a user
To create a user in 8x8 assign them to the 8x8 App. They appear in Admin Console when the next Azure AD sync cycle runs.
Note: 8x8 recommends that each AD user to be assigned to 8x8 has their Office (physicalDeliveryOfficeName) attribute set to the name of the 8x8 Site they belong to. You can copy the site name from Admin Console.
Note: Azure AD provisioning activity typically runs on a 40 minute cycle. Please allow one hour after assigning a user to the 8x8 app for the user to appear in Admin Console.
Any unlicensed 8x8 users are visible along with their contact number to the licensed users in their corporate directory. If you do not intend to assign an 8x8 license to the created user then no further action is required.
To configure a user with an X Series service you must sign into Admin Console and assign an X Series license to the user. Then edit the user individually, or in bulk, using the Edit feature.
Whenever an Azure AD user that has been assigned to the 8x8 app is updated, Azure AD pushes any changes to 8x8 as required automatically.
Deactivate and activate a user
If a user has their Block sign in (isSoftDeleted) attribute set to Yes in Azure AD, they are deactivated in 8x8 and are no longer able to make or receive phone calls (except Emergency calls). They are also not able to log in to any applications. Existing login sessions expire within half an hour. The user is not deleted and they retain their X Series license and settings.
When you unblock a sign-in for a user in Azure AD it also re-activates that user in 8x8.
Delete a user
Deleting a user in Azure AD is a two-stage process:
- Initial deletion is a soft-delete which moves the user to the “Deleted users” blade in Azure AD. This causes the user to be deactivated in 8x8 (This is similar to blocking sign-in from Azure AD).
- When a user is fully deleted from Azure AD, nothing further happens to the 8x8 user. If the user had not already been deactivated, then the user is deactivated at this point, but not deleted. It is not possible to delete an 8x8 user via the integration; you need to do this individually in Admin Console.
Administration restrictions in 8x8 Admin Console
When a user is created in 8x8 via the Azure AD app, 8x8 considers the user to be owned by Azure AD. This activates some administration restrictions in Admin Console, specifically preventing any changes to the key user attributes that are mastered in AD:
- First name
- Last name
- Email address
- Deactivation and Activation
These restrictions are there to ensure your 8x8 users do not become out of sync with Azure AD.
Unassign users from the 8x8 app
When a user is unassigned from the 8x8 app in Azure AD, they are deactivated in the 8x8 app but not deleted.
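An added example (not 8x8 or Microsoft code) of an offboarding audit built on the lifecycle described above: because blocked, deleted and unassigned Azure AD users are only deactivated in 8x8, it compares two constructed exports and flags the 8x8 accounts that need manual follow-up in Admin Console. The record fields (`blocked`, `assigned`, `active`, `licensed`) and the finding labels are assumptions, not a real export format; accounts are matched on Username equal to userPrincipalName.

```python
# Added example; data below is constructed and field names are hypothetical.
AAD_USERS = [
    {"userPrincipalName": "alice@example.com", "blocked": False, "assigned": True},
    {"userPrincipalName": "bob@example.com", "blocked": True, "assigned": True},
    {"userPrincipalName": "carol@example.com", "blocked": False, "assigned": False},
]
X8_USERS = [
    {"username": "alice@example.com", "active": True, "licensed": True},
    {"username": "Bob@Example.com", "active": True, "licensed": True},
    {"username": "carol@example.com", "active": False, "licensed": True},
    {"username": "dave@example.com", "active": False, "licensed": True},
    {"username": "svc-frontdesk", "active": True, "licensed": False},
]

def reconcile(aad_users, x8_users):
    """Map each 8x8 username that needs manual follow-up to a finding label."""
    # UPNs are case-insensitive in Azure AD, so compare lower-cased.
    aad = {u["userPrincipalName"].lower(): u for u in aad_users}
    findings = {}
    for x in x8_users:
        src = aad.get(x["username"].lower())
        entitled = src is not None and src["assigned"] and not src["blocked"]
        if src is None and x["active"]:
            # No Azure AD counterpart: the integration does not manage this account.
            findings[x["username"]] = "UNMANAGED_ACTIVE"
        elif src is None:
            # Fully deleted upstream; 8x8 keeps the deactivated user until it is
            # deleted individually in Admin Console.
            findings[x["username"]] = "ORPHAN_DEACTIVATED"
        elif x["active"] and not entitled:
            # Blocked or unassigned upstream but still active: sync not yet run
            # (allow an hour) or the account was never linked.
            findings[x["username"]] = "STALE_ACTIVE"
        elif not x["active"] and not entitled and x["licensed"]:
            # Deactivated users retain their X Series license.
            findings[x["username"]] = "LICENSE_HELD"
    return findings

if __name__ == "__main__":
    for user, finding in reconcile(AAD_USERS, X8_USERS).items():
        print(f"{finding:20} {user}")
```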
Link an existing 8x8 user to Azure AD
If you create a user in 8x8 Admin Console directly, and there is an equivalent user in Azure AD, then assigning the Azure AD user to the 8x8 app in Azure AD is enough to link them providing the following criteria are met:
Their Username in Admin Console matches their User name (userPrincipalName) in AD.
Upon initial assignment to the 8x8 app, Azure AD checks if the user’s attributes are in sync and updates the 8x8 user accordingly. At this point, Admin Console considers the user to be owned by Azure AD and prevents any changes to those attributes that are mapped from Azure AD. This restriction avoids data inconsistency by enforcing that changes are only made to the master data source of the user.
Disable the integration
If you want to disable the integration temporarily, there is a setting for this in the application’s Provisioning blade in Azure AD.
User provisioning configuration Options
Each 8x8 user created through the 8x8 Azure AD app must be associated with a Site before they can be assigned an X Series license. To do this, you need to ensure that the Office (physicalDeliveryOfficeName) attribute contains the exact name of one of your Sites from Admin Console.
In the default installation, Site is set from the Office (physicalDeliveryOfficeName) attribute in AD, but you can change this in app mappings to suit your AD environment if required.
If your 8x8 installation has only one Site, you can opt to hard-code its name in the 8x8 application's attribute mappings using a “Constant” mapping type. This avoids the need to set the Office (physicalDeliveryOfficeName) attribute for each user.
Note: A user's site cannot be modified once set.
Note: If you change the name of any of your Sites in 8x8 Admin Console, the synchronization of users is broken until their Office (physicalDeliveryOfficeName) attribute matches in AD.
In the default installation, the AD user’s Office phone (telephoneNumber) and Mobile phone (mobile) attributes are passed to 8x8 as contact numbers and will be displayed to other 8x8 users in the following places:
- Company directory of 8x8 Work for Desktop and Mobile
- Contact Center directory
- Switchboard Pro directory
Note: Contact numbers are not displayed in the directory of physical desk phones.
User provisioning attribute mappings
Default attribute mappings
This table shows the default set of attribute mappings for user provisioning.
|Azure AD Attribute||Azure AD Portal Name||System for Cross-domain Identity Management (SCIM) Attribute||8x8 Admin Console Name|
|objectID||Object ID||externalId||Not visible in Admin Console|
|Not visible in AD portal||emails[type eq "work"].value|
|Not([IsSoftDeleted])||Block sign in||active||User is greyed out|
|Last name||First name||name.givenName||givenName|
|First name||Last name||name.familyName||surname|
|jobTitle||Job title||title||Job title|
|mobile||Mobile phone||phoneNumbers[type eq "mobile"].value||Personal contact number|
|telephoneNumber||Office phone||phoneNumbers[type eq "work"].value||Not visible in Admin Console|
Advanced attribute mappings
This table displays additional attributes that are available but not mapped by default. Instructions for configuring advanced mappings are outside the scope of this guide.
|System for Cross-domain Identity Management (SCIM) Attribute||Suggested Azure AD attribute||Notes|
|locale||PreferredLanguage||PreferredLanguage may be set through the Azure AD PowerShell module|
|timezone||User extension attribute|