Configure Azure Active Directory (Azure AD) for User Single Sign-On (SSO) and User Provisioning
- 8x8 Admin Console
- Microsoft Azure Active Directory (Azure AD)
- SSO allows users to authenticate into any 8x8 application using their corporate Azure AD credentials.
- User Provisioning allows:
  - Users from Azure AD to be created in 8x8 automatically without the need to re-key common user details.
  - Updates to user details made in Azure AD to be automatically pushed to 8x8.
  - Deactivation of users in 8x8 by disabling their account in Azure AD.
  - Existing users created directly in 8x8 Admin Console to be linked to their Azure AD counterparts.
To use the 8x8 Azure AD Integration you need:
- Any 8x8 X Series subscription
- Azure Active Directory of any subscription level
Note: On-premises Active Directory is not supported directly, but can be used in a “hybrid” Azure AD environment where users are synced from on-premises AD to Azure AD via an Azure AD Connect agent.
Known limitations for the current release:
- Assignment of X Series licenses must still be completed from 8x8 Admin Console, either individually or in bulk using a CSV upload.
- The user’s phone and extension numbers set in 8x8 Admin Console cannot be synced back to Azure AD through the 8x8 app. This is due to limitations of Microsoft’s implementation of User Provisioning which does not allow for data to be retrieved back into Azure AD.
- The user’s site cannot be modified once it is set.
- Deleting a user in Azure AD does not delete that user in 8x8 Admin Console. You must delete the user manually from 8x8 Admin Console.
Considerations for existing deployments
Several factors to consider for existing deployments include managing user names and separating Single Sign-On from user provisioning.
If you already have several 8x8 users set up in 8x8 Admin Console and their usernames (as shown in 8x8 Admin Console) are different from their usernames in Azure AD, please read this section carefully.
In order to link existing 8x8 users with their Azure AD equivalents, they must have the same username in both Azure AD and 8x8 Admin Console. If your users already log in to 8x8 apps with their Azure AD credentials via SSO, then their 8x8 usernames can be updated to match with no disruption to the users. However, if your users currently log in with their 8x8 username (for example, they are not using their Azure AD credentials via Single Sign-On) then we strongly recommend enabling SSO and switching your users over to logging in with their Azure AD credentials via Single Sign-On before enabling user provisioning. This allows alignment of the usernames without further disruption and also provides the benefits of Single Sign-On.
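Before enabling user provisioning, it helps to reconcile the two user lists: which 8x8 usernames already match Azure AD, which need renaming, and which 8x8 accounts have no enabled Azure AD counterpart (the manual-deletion limitation noted above). The following is an added example, not 8x8 or Microsoft code; the CSV column names, the use of e-mail as the pairing key, and the use of userPrincipalName as the Azure AD username are assumptions, and the sample rows are constructed.

```python
import csv
import io

# Constructed sample exports. Column names are hypothetical, not a documented format.
AZURE_CSV = """userPrincipalName,mail,accountEnabled
alice@example.com,alice@example.com,true
bob.smith@example.com,bob@example.com,true
carol@example.com,carol@example.com,false
"""
X8_CSV = """username,email,status
alice@example.com,alice@example.com,active
bsmith,bob@example.com,active
carol@example.com,carol@example.com,active
dave,dave@example.com,active
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(azure_csv, x8_csv):
    """Pair accounts by e-mail (assumed key) and classify every 8x8 user."""
    azure = {r["mail"].strip().lower(): r for r in _rows(azure_csv)}
    report = {"linkable": [], "rename_needed": [],
              "disabled_in_azure": [], "no_azure_account": []}
    for user in _rows(x8_csv):
        name = user["username"].strip()
        match = azure.get(user["email"].strip().lower())
        if match is None:
            # Never existed in Azure AD, or deleted there: needs manual review in 8x8.
            report["no_azure_account"].append(name)
        elif (match["accountEnabled"].strip().lower() != "true"
              and user["status"].strip().lower() == "active"):
            # Offboarded in Azure AD but still active in 8x8.
            report["disabled_in_azure"].append(name)
        elif name != match["userPrincipalName"].strip():
            # Exact comparison, so case-only differences are flagged for review too.
            report["rename_needed"].append((name, match["userPrincipalName"].strip()))
        else:
            report["linkable"].append(name)
    return report

if __name__ == "__main__":
    for category, users in reconcile(AZURE_CSV, X8_CSV).items():
        print(f"{category}: {users}")
```
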
Separation of Single Sign-On from user provisioning
If you already have an established user base using an earlier version of the application for Single Sign-On and you want to phase in user provisioning with a smaller subset of users, you can install a second instance of the 8x8 app into your Azure AD environment, with one configured for SSO and the other configured for User Provisioning. With this scheme you can assign users or groups to the two apps independently.
If you already have the 8x8 app installed into your Azure AD environment (for example, you are already using Single Sign-On), you can skip the installation step and start at Configure an authentication token in 8x8 Admin Console.
Note: If you want to have independent control of Single Sign-On and User Provisioning, you can install a second instance of the app into your environment, with one configured for Single Sign-On and the other configured for User Provisioning. With this scheme you can assign users or groups to the two apps independently.
Install the 8x8 app in Azure Active Directory Admin Center
- Log in to the Azure Active Directory Admin Center.
- In Enterprise applications go to New application.
- In the App Gallery, search for 8x8.
- Select the app, optionally rename it, and click Create.
Configure 8x8 Admin Console Identity Management
- Configure 8x8 Single sign-on using the instructions in this Microsoft article:
IMPORTANT: It is critical that during the 8x8 app configuration, you use the following URL:
- Identifier (Entity ID): https://sso.8x8.com/saml2
- Reply URL (Assertion Consumer Service URL): https://sso.8x8.com/saml2
Note: If you do not want users to be signed out of all Microsoft apps if they choose to log out of their 8x8 account, leave the IDP Logout URL blank in 8x8 Admin Console.
An error message stating “Please enter an identifier which is unique” indicates that you already have an app installed which uses this URL. In practice, you should require only one 8x8 app.
Configure an authentication token in 8x8 Admin Console
- Navigate to the 8x8 Admin Console at https://admin.8x8.com.
- Enter your credentials and click Login.
- From Home, click on Identity Management.
- Single Sign on > Microsoft Azure AD should already have been enabled and configured.
- In the Microsoft Azure AD User Provisioning section at the bottom, click Show user provisioning information as needed.
- One at a time, click on the Copy button for the 8x8 URL and 8x8 API Token fields, and paste/save the information into a text editor or in Azure. You'll need these values to complete the next section.
Configure the 8x8 app in Azure AD
- Return to the Azure Active Directory Admin Center.
- In the Provisioning blade of your installed 8x8 app, click Get started.
- Change the Provisioning Mode to Automatic.
- Paste the 8x8 URL value you copied from 8x8 Admin Console in the previous section into the Tenant URL field.
- Paste the 8x8 API Token value you copied from 8x8 Admin Console in the previous section into the Secret Token field.
- Click Test Connection. You should receive a success confirmation message.
- Click Save to complete this configuration.