Onboard user (Microsoft)#

Microsoft

Only for the Microsoft configuration.

Overview#

Onboarding a Microsoft user involves adding or syncing in users to Automate from the Microsoft portal (Microsoft Entra) with the correct licenses, moving users to the correct site, and provisioning them with the correct services.

Related topics

Onboarding elements#

The table describes the elements relevant for onboarding Microsoft users:

Element

Description

M365 User (Msoluser)

The base anchor for the user, and typically the first element pulled into Automate for a Microsoft user. Limited update options are available for this user. Automate can update usage location and licenses, depending on how the system is set up.

Usage location

Usage location is updated completely independent from licensing, provided a value for usage location is included in a configuration template (CFT) via Quick Add Group, Subscriber from Profile, or a field display policy (FDP).

If usage location updates aren’t required (either you’re not using it or the permissions don’t allow it), then exclude it from the CFT. The LicenseAssignment permission allows usage location update. Note that the Microsoft API sets the same usage location; it says it’s updating usage location even if permissions don’t exist.

Licenses

For onboarding, Quick User, Onboard user, or the field display policy (FDP) honors settings in the Quick Add Group configuration template (CFT) for the M365 user. Direct licenses are applied if they’re included.

If the CFT does not include any licenses, it won’t try to apply licenses. Regardless of the license settings in the CFT, usage location can still be set. If using group licenses, this overrides any direct licenses configured in the onboarding CFTs.

Msoluser onboarding scenarios#

The table describes Automate’s behavior for the M365 user (Msoluser) during onboarding, depending on whether templates exist in your Quick Add Group:

Scenario

Description

No M365 template in your Quick Add Group

Used when the LicenseAssignment permission is not assigned to the application. In this case:

  • Msoluser is left untouched - usage location and license is not updated.

M365 user template exists in your Quick Add Group

  • Usage location entry:

    • Automate updates the usage location according to definition in the CFT

  • License data (LicenseAssignment permission required):

    • Automate adds any license/s defined in the CFT (direct license assignment to the user)

    • Any existing licenses the user has (direct) are replaced with what was configured in the template

MS Group Add template exists in your Quick Add Group

Used to add group memberships to the user/s (for licensing or other purposes). The user is assigned to the group/s in the CFT, in addition to any existing group memberships the user has.

Common onboarding scenarios and setup#

The table describes example common onboarding scenarios and the setup required, whether using Quick User, Onboard user, or a field display policy (FDPs):

Example onboard scenario

Setup

No update to Msoluser at all (usage location and/or licenses)

Do NOT include a M365 template in the Quick Add Group.

Update usage location, no license update

  • Include a M365 CFT in your QAG. The CFT must include the usage location logic you require (for example, macro from site default, etc).

  • Leave the license fields blank in the CFT.

Update usage location, and update license (direct licensing)

Include a M365 CFT in your Quick Add Group that includes the usage location logic and licenses you require (e.g. macro from site default, etc).

Update usage location and group assignment (for license or other purposes)

  • Include a M365 CFT in your Quick Add Group that includes the usage location logic you require (e.g. macro from site default, etc.)

  • Include a Add Group CFT in your Quick Add Group that includes the groups you wish to add to the user.

Syncing in and onboarding Microsoft users#

Automate provides two onboarding sync options for Microsoft users:

Sync users to customer level, and then to sites

Configure Automate for Microsoft services

This option starts with an initial import of dial plans, policies, licenses, and Microsoft users, to the customer level (sync all to the tenant).

Then you will need to set up the configuration and user move criteria before moving users to the sites (set up model filter criteria, site defaults, quick add groups, user profiles, and number inventory).

Finally, you have two options to move users to the sites as fully provisioned users:

  • Run the overbuild to move multiple users to your sites at once.

  • Update single users via Microsoft Quick User

When moving users to site, the Automate automated workflow applies the required configuration, services, lines, policies, and licenses.

Sync users directly to sites

Sync to site with flow through provisioning

In this option, you run the initial sync together with flow through provisioning. In this case, you start by setting up the configuration and user move criteria before running the initial sync. That is, to set up the model filter criteria, site defaults, quick add groups, and user profiles.

In addition, you will need to:

  • Configure flow through provisioning criteria

  • Enable flow through in the Global Settings

Once changes are synced in from the Microsoft Cloud, Automate automated workflows move the tenant dial plan, policies, and licenses to the customer level, and moves users directly to the appropriate sites as fully provisioned users.

Note

  • Automate v21.2 introduced sync with flow through provisioning for Microsoft users. In 21.3, this feature extends the functionality to users synced in from LDAP and Cisco UCM.

  • Only Add is supported for syncs with flow through provisioning. Update and delete are not supported since the requirements may differ depending on the customer scenario.

  • For details on the generic flow through provisioning feature (which includes Microsoft, LDAP, or Cisco UCM users), see Flow through provisioning (FTP)

Related topics