Configure Azure Active Directory (Azure AD) for User Single Sign-On (SSO) and User Provisioning
- Configuration Manager
- Microsoft Azure Active Directory (Azure AD)
- SSO allows users to authenticate into any 8x8 application using their corporate Azure AD credentials.
- User Provisioning allows:
- Users from Azure AD to be created in 8x8 automatically without the need to re-key common user details.
- Updates to user details made in Azure AD to be automatically pushed to 8x8.
- Deactivation of users in 8x8 by disabling their account in Azure AD.
- Existing users created directly in Configuration Manager can be linked to their Azure AD counterparts.
To use the 8x8 Azure AD Integration you need:
- Any 8x8 X Series subscription
- Azure Active Directory of any subscription level
Note: On-premises Active Directory is not supported directly, but can be used in a “hybrid” Azure AD environment where users are synced from on-premises AD to Azure AD via an Azure AD Connect agent.
Known limitations for the current release:
- Assignment of X Series licenses must still be completed from Configuration Manager, either individually or in bulk using a CSV upload.
- The user’s phone and extension numbers set in Configuration Manager cannot be synced back to Azure AD through the 8x8 app. This is due to limitations of Microsoft’s implementation of User Provisioning which does not allow for data to be retrieved back into Azure AD.
- The Users site cannot be modified once it is set.
- Deleting a user in Azure AD does not delete that user in Configuration Manager. You must delete the user manually from Configuration Manager.
Considerations for existing deployments
Several factors to consider for existing deployments include managing user names and separating Single Sign-On from user provisioning.
If you already have several 8x8 users set up in Configuration Manager and their usernames (as shown in Configuration Manager) are different from their usernames in Azure AD, please read this section carefully.
In order to link existing 8x8 users with their Azure AD equivalents, they must have the same username in Azure AD and Configuration Manager. If your users already log in to 8x8 apps with their Azure AD credentials via SSO, then their 8x8 usernames can be updated to match with no disruption to the users. However, if your users currently log in with their 8x8 username (for example, they are not using their Azure AD credentials via Single Sign-On) then we strongly recommend enabling SSO and switching your users over to logging in with their Azure AD credentials via Single Sign-On before enabling user provisioning. This allows alignment of the usernames without further disruption and also provides the benefits of Single Sign-On.
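A pre-flight check for the username alignment described above, as an added example that is not 8x8 or Microsoft code. It assumes you can export both user lists to CSV with hypothetical `username` and `email` columns and that email is a reliable key for pairing accounts; the sample data is constructed, and case-only differences are reported separately because this page does not say whether matching is case-sensitive.

```python
import csv
import io

# Constructed sample exports; the column names "username" and "email" are
# assumptions, not a documented 8x8 or Azure AD export format.
CM_EXPORT = """username,email
jsmith,john.smith@example.com
Ana.Lopez@example.com,ana.lopez@example.com
li.wei@example.com,li.wei@example.com
old.contractor,old.contractor@example.com
"""
AAD_EXPORT = """username,email
john.smith@example.com,john.smith@example.com
ana.lopez@example.com,ana.lopez@example.com
li.wei@example.com,li.wei@example.com
new.hire@example.com,new.hire@example.com
"""

def load(text):
    """Index usernames by lower-cased email, the join key assumed here."""
    return {r["email"].strip().lower(): r["username"].strip()
            for r in csv.DictReader(io.StringIO(text))}

def preflight(cm_text, aad_text):
    """Classify each account by whether its two usernames already line up."""
    cm, aad = load(cm_text), load(aad_text)
    report = {"match": [], "case_only": [], "rename": [],
              "cm_only": [], "aad_only": []}
    for email, cm_name in sorted(cm.items()):
        aad_name = aad.get(email)
        if aad_name is None:
            report["cm_only"].append(cm_name)        # no Azure AD counterpart
        elif cm_name == aad_name:
            report["match"].append(cm_name)          # identical, ready to link
        elif cm_name.lower() == aad_name.lower():
            report["case_only"].append((cm_name, aad_name))  # review casing
        else:
            report["rename"].append((cm_name, aad_name))     # align first
    # Azure AD accounts with no existing Configuration Manager user.
    report["aad_only"] = sorted(n for e, n in aad.items() if e not in cm)
    return report

if __name__ == "__main__":
    for bucket, items in preflight(CM_EXPORT, AAD_EXPORT).items():
        print(f"{bucket}: {items}")
```

Accounts in the `rename` and `case_only` buckets are the ones to align before enabling user provisioning; `cm_only` accounts have no Azure AD counterpart to link to.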
Separation of Single Sign-On from user provisioning
If you already have an established user base using an earlier version of the application for Single Sign-On and you want to phase in user provisioning with a smaller subset of users, you can install a second instance of the 8x8 app into your Azure AD environment, with one configured for SSO and the other configured for User Provisioning. With this scheme you can assign users or groups to the two apps independently.
If you already have the 8x8 app installed into your Azure AD environment (for example, you are already using Single Sign-On) you can skip the installation step and start at Configure an authentication token in Configuration Manager.
Note: If you want to have independent control of Single Sign-On and User Provisioning, you can install a second instance of the app into your environment, with one configured for Single Sign-On and the other configured for User Provisioning. With this scheme you can assign users or groups to the two apps independently.
Install the 8x8 app in Azure Active Directory Admin Center
- Log in to the Azure Active Directory Admin Center.
- In Enterprise applications go to New application.
- In the App Gallery, search for 8x8.
- Select the app, optionally rename it, and click Create.
Configure Single Sign-On by following the instructions in this link: Tutorial: Azure AD SSO integration with 8x8.
If you do not want users to be signed out of all their Microsoft apps if they choose to log out of their 8x8 account, leave the Single Sign-On logout URL blank in Configuration Manager.
Configure an authentication token in Configuration Manager
- Go to https://login.8x8.com.
- Enter your credentials and click Login.
- In the 8x8 Application Panel, select the Virtual Office Config Mgr tile.
- Select the Identity Management tile.
- In the Microsoft Azure AD User Provisioning section, click Show user provisioning information.
Copy the 8x8 URL and 8x8 API Token field values as you need these values to complete the next section.
Configure the 8x8 app in Azure AD
- Log back in to the Azure Active Directory Admin Center.
- In the Provisioning blade of your installed app, click Get started.
- Change the Provisioning Mode to Automatic.
- Paste the 8x8 URL value you copied from Configuration Manager, in the previous section, into the Tenant URL field.
- Paste the 8x8 API Token value you copied from Configuration Manager, in the previous section, into the Secret Token field.
- Click Test Connection.
- Click Save.