AD Azure integration with Control Hub - Inactive users sync behavior

Cristian Boboc
Level 1

We have a customer with Webex Control Hub integrated with MS Azure for user synchronization and management. As per the documentation, when users are deleted or removed from the Webex application (removed from the AD group to which the Webex application is assigned), the users should become Inactive in Control Hub and be deleted after 30 days. In our situation, after the users are removed from the AD security group, they become Inactive, but Webex doesn't delete them after 30 days.

Is this the proper behavior? Do we need to add some configuration in Azure to have Inactive users deleted after 30 days? Is there a way to automate the deletion of Inactive users instead of deleting them manually?

 

Here is the documentation info regarding the Azure integration and user status:

"Remove user from Webex application --> Webex marks the user as Inactive"

"Inactive—The user has been deactivated and can no longer access Webex services --> Users are automatically deleted if they have been in Inactive state (deactivated) for 30 days"

 

I tried to get an answer from a few Cisco engineers, but nobody can answer the question. The documentation and behavior regarding Directory Connector are accurate, and the behavior for Inactive users is as expected (I have some other customers in this situation).

- Manage Synchronized Azure Active Directory Users (webex.com)

Webex - Users list in Control Hub
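
The question above asks whether deletion of Inactive users can be automated instead of done by hand. The script below is an added example (not from the original post, Cisco, or the Webex documentation) of how that can be done against the Webex Identity API, which exposes Control Hub users as standard SCIM 2.0 resources. Assumptions are labelled in the code: the base URL https://webexapis.com/identity/scim/{orgId}/v2/Users and the use of an org-admin bearer token are assumed, and the sample response is constructed to match the RFC 7643/7644 resource shape rather than captured from a real org. The important caveat is that a SCIM user carries no "deactivated at" attribute, so `meta.lastModified` is used as the start of the Inactive period; any later change to the user resets the clock, which errs on the side of keeping accounts. Users with no timestamp are deliberately skipped rather than guessed at, and the default is a dry run.

```python
import io
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed Webex Identity (SCIM 2.0) endpoint; adjust if your org is served from another base URL.
BASE_URL = "https://webexapis.com/identity/scim"

# Constructed sample in SCIM 2.0 ListResponse shape (RFC 7644); dates are relative to SAMPLE_NOW.
# An active user is included on purpose: the client-side filter must not rely on the server
# honouring the filter= query.
SAMPLE_NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
SAMPLE_LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 4,
    "Resources": [
        {"id": "u-1", "userName": "alice@example.com", "active": True,
         "meta": {"lastModified": "2023-05-20T10:00:00.000Z"}},
        {"id": "u-2", "userName": "bob@example.com", "active": False,
         "meta": {"lastModified": "2023-04-15T08:30:00.000Z"}},   # inactive 47 days: delete
        {"id": "u-3", "userName": "carol@example.com", "active": False,
         "meta": {"lastModified": "2023-05-25T12:00:00.000Z"}},   # inactive 7 days: keep
        {"id": "u-4", "userName": "dave@example.com", "active": False,
         "meta": {}},                                             # no timestamp: leave for a human
    ],
}


def parse_scim_time(value):
    """SCIM dateTime values are RFC 3339; rewrite the trailing Z so fromisoformat accepts them."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_stale_inactive(resources, now, min_inactive_days=30):
    """Return the SCIM users that are inactive and unmodified for at least min_inactive_days.

    The resource has no 'deactivated at' attribute, so meta.lastModified is used as a proxy:
    any later edit to the user resets the clock, which errs on the side of keeping the account.
    """
    cutoff = now - timedelta(days=min_inactive_days)
    stale = []
    for user in resources:
        if user.get("active", True):
            continue
        last_modified = user.get("meta", {}).get("lastModified")
        if not last_modified:
            continue  # unknown age: never guess, let an admin decide
        if parse_scim_time(last_modified) <= cutoff:
            stale.append(user)
    return stale


def list_inactive_users(org_id, token, opener=urllib.request.urlopen):
    """Page through /Users with a standard SCIM filter; pagination follows RFC 7644 startIndex."""
    users, start = [], 1
    while True:
        url = f"{BASE_URL}/{org_id}/v2/Users?filter=active%20eq%20false&startIndex={start}&count=100"
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with opener(req) as resp:
            page = json.load(resp)
        got = page.get("Resources", [])
        users.extend(got)
        start += len(got)
        if not got or start > page.get("totalResults", 0):
            return users


def delete_user(org_id, token, user_id, opener=urllib.request.urlopen):
    """DELETE one SCIM user; returns the HTTP status so callers can log it."""
    req = urllib.request.Request(f"{BASE_URL}/{org_id}/v2/Users/{user_id}", method="DELETE",
                                 headers={"Authorization": f"Bearer {token}"})
    with opener(req) as resp:
        return resp.status


def cleanup(org_id, token, now=None, min_inactive_days=30, dry_run=True,
            opener=urllib.request.urlopen):
    """List, select and (unless dry_run) delete. Returns the selected ids so the run can be audited."""
    now = now or datetime.now(timezone.utc)
    stale = select_stale_inactive(list_inactive_users(org_id, token, opener), now, min_inactive_days)
    for user in stale:
        age = (now - parse_scim_time(user["meta"]["lastModified"])).days
        print(f"{'would delete' if dry_run else 'deleting'} {user['userName']} "
              f"({user['id']}), inactive {age} days")
        if not dry_run:
            delete_user(org_id, token, user["id"], opener)
    return [u["id"] for u in stale]


class _SampleResponse(io.BytesIO):
    """Minimal stand-in for what urlopen returns: readable, usable as a context manager, has .status."""
    def __init__(self, body, status):
        super().__init__(body)
        self.status = status


def sample_opener(req):
    """Offline opener that serves the constructed sample, so the script runs without a real org."""
    if req.get_method() == "DELETE":
        return _SampleResponse(b"", 204)
    return _SampleResponse(json.dumps(SAMPLE_LIST_RESPONSE).encode(), 200)


if __name__ == "__main__":
    # Dry run against the sample; for a real org pass its id, an admin token and dry_run=False.
    cleanup("sample-org", "sample-token", now=SAMPLE_NOW, opener=sample_opener)
```

Run it as a dry run first and review the printed list before passing `dry_run=False`; the token should be a short-lived admin credential, not a personal access token embedded in a scheduled job.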

 

1 Accepted Solution

Cristian Boboc
Level 1

Here are some updates to our issue.

1. Any user who is added using the Azure integration will behave as per the documentation (users will be deleted after 30 days in Inactive status).

2. Users who were added using the Directory Connector integration will not be deleted after 30 days of being Inactive. You need to delete them manually. This is what we did for our customer.

3. When the Directory Connector integration is enabled/active, no other integration can be performed for user synchronization, nor can users be manually added/deleted in Control Hub.

4. When you enable Azure or another cloud integration after you had Directory Connector, make sure you are using the same attribute to match the user email address in Control Hub. Usually the default attribute used in Azure is UPN, but in our situation we needed to change the Azure attribute to Mail (this was used by Directory Connector). If there is a difference between the UPN and Mail, then you will get 2 accounts for the same user (one from Directory Connector, which was using the Mail attribute, and one from Azure, which uses UPN by default).

 

 

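
Point 4 of the accepted solution describes how a UPN/Mail mismatch produces two Control Hub accounts for one person when provisioning is switched from Directory Connector (matching on Mail) to Azure (matching on UPN by default). The following pre-flight check is an added example, not from the original post or from Cisco or Microsoft, that predicts those duplicates before the Azure provisioning is enabled. It works on two inputs you would export beforehand: the Entra ID user objects as Microsoft Graph returns them from GET /users (only the `userPrincipalName` and `mail` attributes are used), and the list of email addresses already present in Control Hub. Both inputs below are constructed samples; the attribute names are Graph's, and how you export the lists is outside the example.

```python
# Constructed sample of Entra ID user objects in the shape Microsoft Graph's GET /users returns,
# reduced to the two attributes that matter for matching.
SAMPLE_ENTRA_USERS = [
    {"userPrincipalName": "alice@corp.example.com", "mail": "alice@corp.example.com"},
    {"userPrincipalName": "bob@corp.example.com",   "mail": "Bob.Smith@example.com"},  # UPN != mail
    {"userPrincipalName": "carol@corp.example.com", "mail": None},                     # no mail set
    {"userPrincipalName": "dave@corp.example.com",  "mail": "dave@corp.example.com"},
]

# Constructed sample of the email addresses Directory Connector already created in Control Hub;
# in the thread Directory Connector matched on the Mail attribute, so these are mail values.
SAMPLE_HUB_EMAILS = ["alice@corp.example.com", "bob.smith@example.com", "dave@corp.example.com"]


def _norm(addr):
    """Email comparison is case-insensitive; None (no attribute) stays None."""
    return addr.strip().lower() if addr else None


def upn_mail_mismatches(entra_users):
    """Users whose UPN and mail differ, or who have no mail value at all.

    Every user returned here would be matched differently depending on which attribute the
    provisioning mapping sends as the Webex email.
    """
    return [u for u in entra_users
            if _norm(u.get("userPrincipalName")) != _norm(u.get("mail"))]


def predict_duplicates(entra_users, hub_emails, match_attr="userPrincipalName", hub_attr="mail"):
    """UPNs of users who already exist in Control Hub under hub_attr (what Directory Connector
    sent) but whom provisioning keyed on match_attr would not recognise, so a second account
    would be created for them.  Genuinely new users (present under neither attribute) are not
    duplicates and are not reported.
    """
    existing = {_norm(e) for e in hub_emails}
    return [u["userPrincipalName"] for u in entra_users
            if _norm(u.get(hub_attr)) in existing
            and _norm(u.get(match_attr)) not in existing]


if __name__ == "__main__":
    for u in upn_mail_mismatches(SAMPLE_ENTRA_USERS):
        print(f"mismatch: UPN={u['userPrincipalName']} mail={u['mail']}")
    print("duplicates if matched on UPN :", predict_duplicates(SAMPLE_ENTRA_USERS, SAMPLE_HUB_EMAILS))
    print("duplicates if matched on mail:",
          predict_duplicates(SAMPLE_ENTRA_USERS, SAMPLE_HUB_EMAILS, match_attr="mail"))
```

If `predict_duplicates` returns anything for the default UPN matching but nothing for `match_attr="mail"`, the provisioning attribute mapping should send `mail` as the Webex email, as the accepted solution did; if it returns users for both, those users need to be fixed in Entra ID (or merged in Control Hub) before provisioning is enabled.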

9 Replies


Have you read the part of the guide below?

 



Thank you, Nithin, for joining this discussion.

 

I have already read all the documentation regarding the integration with Azure. Your notes refer to deleted users/accounts in AD, where users will be deleted from CH after 30 days: "If you delete the user from the Active Directory recycle bin, or you take no action and the 30 days elapse, Azure AD permanently deletes the user. The permanent deletion triggers Webex to remove the user."

 

My problem is with "Remove user from Webex application --> Webex marks the user as Inactive".

Removing the user from the Webex application (including from the AD group that is assigned to the Webex application in Azure) should be similar to deleting the user or not allowing the user to have a Webex account in the corporate org.

I opened a case with TAC and hope to get a resolution.

 

@Cristian Boboc , what was your finding after that TAC case? I feel like I'm in the exact same position as you are/were.

Cristian Boboc
Level 1

Thank you for your answer.

Indeed, in our case the users are just removed from the AD security group in Azure.

The documentation leaves room for a lot of interpretation:

"Remove user from Webex application --> Webex marks the user as Inactive"

 

In another document, Cisco says that users will be Inactive indefinitely only when the account is disabled, not when it is removed from the Webex application:

 

User statuses can be the following:

  • Active—The user verified their email address and has signed in at least once.

  • Verified—The user's email address is verified, but they haven't signed in. Their status changes to Active when they sign in.

  • Not Verified—The user hasn't verified their email address. You can resend another verification email to the user.

  • Inactive—The user has been deactivated and can no longer access Webex services.

    Users are automatically deleted if they have been in Inactive state (deactivated) for 30 days.

    The exception to this is users who are synchronized into Webex from Active Directory:

    • When users are deleted from AD and then you synchronize with Webex, the users become Inactive, but are only held in Inactive state for 7 days before being deleted from Webex.

    • When user accounts are disabled in AD and then you synchronize with Webex, the users become Inactive and are held in Inactive state indefinitely.

 

The customer migrated from the Directory Connector integration to the Azure integration, and now they feel there are more tasks for them to manage the users in Control Hub. If there is no option to have Inactive users deleted automatically from Control Hub, it will be a big concern.


I think we can all agree that the docs aren't always as clear as we would like them to be :-)

 

Taking your notes, I would guess you are hitting the second exception.

But here again, it is unclear to me which "actions" are described as "disable" (really disabling the user in AD, removing the user from the security group, removing the user from the search base, ...).

dhanley
Level 1

If you are using Directory Connector, it will sync users to Azure Active Directory against their email. To actually remove them from Control Hub, you will need to move the users to an OU that Directory Connector does not sync with. They will then be removed from Control Hub.

Hi,

In our situation we have an integration with Azure (cloud), and users who are removed from the AD group in Azure become Inactive, but they are not deleted after 30 days.

 

With the Directory Connector integration, the behavior is indeed as expected (Inactive users will be deleted in 30 days).

As I have understood it, the automatic deletion only happens when you really delete the users in AD, but not if you just remove the user from the application.

 

If I have understood your question correctly, you are just taking the "privilege" from the user (you don't delete it in AD).

Therefore, Webex only marks the user as inactive in Control Hub.

 

These are 2 different scenarios.

 
