.. _VOSS-Automate-configuration-and-sync-for-microsoft:

Configure Automate for Microsoft services
----------------------------------------------------

.. _21.1|VOSS-847:
.. _21.3-PB1|VOSS-1072|EKB-12847:
.. _21.3-PB1|VOSS-1072|EKB-12791:
.. _25.2|VOSS-1445:
.. _25.3|EKB-22640:




Overview 
...............

.. index:: Flowchart;Configure VOSS Automate for Microsoft Services

When using Automate with Microsoft (as a single or multiple vendor deployment scenario), you'll need 
to configure several settings in Automate before importing Microsoft users, licenses, policies, and 
dialplans. 


.. note:: 

   For details on the generic flow through provisioning feature (which includes Microsoft, LDAP, or 
   CUCM users), see :ref:`flow-through-provisioning`


The flowchart sets out the initial configuration of Automate for Microsoft services. 


.. include:: configuration-and-sync-for-microsoft.uml


.. rubric:: Related topics

* 
  .. raw:: latex

     Microsoft overview in the Core Feature Guide

  .. raw:: html

     <a href="concepts-microsoft-overview.html">Microsoft overview</a> 

* 
  .. raw:: latex

     Sync to site with flow through provisioning in the Core Feature Guide

  .. raw:: html
  
     <a href="sync-ms-users-to-sites.html#sync-to-site-with-flow-through-provisioning">Sync to site with flow through provisioning</a> 

* :ref:`sync-to-customer-then-site`
* :ref:`flow-through-provisioning`
* :ref:`onboard-user-ms`




Automate configuration and sync workflow steps 
.................................................


This procedure describes the high-level workflow for configuring Automate for Microsoft services and 
for syncing in users, licenses, policies, and dialplans. 

.. rubric:: Prerequisites

* :ref:`ms-quick-start-step1`
* Consider whether you want to :ref:`prevent-duplicate-numbers`


1. Log in to the Admin portal as provider admin. 
2. Configure the hierarchy to add customers for the tenant setup.  
#. In the Global Settings, enable Microsoft, and disable *Enable HCS Dialplan Rules*. 
   
   * In **Global Settings**, **Enabled Services** tab, enable Microsoft.
   * If you have a Microsoft-only environment, on the **Number 
     Inventory** tab, set the following to *No* (False): **Enforce HCS Dialplan Rules** 
    
     .. note:: 
       
       HSC dialplan is relevant only when using Cisco (in a single vendor or multi vendor installation).  

#. Configure role-based access controls to apply to users on import (add Microsoft admin users, roles, 
   and menu layouts).

   * Add an admin user. See :ref:`role-based-access-admins`.
   * Configure menu layouts, See :ref:`create-a-menu-layout`.
   * Add user roles, and choose menu layouts for the roles. See :ref:`role-management`.
   
   .. note:: 
      
      Automate allows an admin user to set up pre-defined role-based configuration, which will 
      be applied to users on import. This allows users to be auto-provisioned on import, with the 
      correct services, lines, policies, and licenses. 
  
      When preparing for import, you'll need to create the admin users, service profiles, user 
      roles, and role-based menu layouts (to hide or display 
      functionality for different categories of users). For example, you can assign a Microsoft-only 
      user role (``MicrosoftOnlyRole``) in a Microsoft-only scenario. 
 
#. Configure the SMTP server to allow emails to users (if required). See :ref:`SMTP-server`.

#. Configure the Microsoft tenant, one for each customer. See :ref:`ms-tenant-setup`

   .. note:: 
      
      The tenant configuration defines how Automate connects to the Microsoft Cloud to allow syncing of 
      data between Automate and Microsoft Azure, Microsoft 365, Microsoft Teams, and Microsoft Exchange. 
      Saving the tenant creates the default syncs and schedules.

#. Configure network device lists (NDLs). You'll add Microsoft tenant details to the NDLs. NDLs are 
   required for creating sites. See :ref:`configure-network-device-list`

#. Sync in Microsoft users. 

   * Go to the tenant configuration screen, then, choose a sync option: 

     * Click **Action > Sync All** to run a full pull sync (syncs in the tenant dialplan, 
       policies, licenses, and Microsoft users to the customer level).
     
     * Click **Action > Sync New Users** to sync in new or updated users *only* (add new users, or update existing users).  

       For **Sync New Users**: 
        
       New users are synced in for the following models:

       * ``device/msgraph/MsolUser``
       * ``device/msteamsonline/CsOnlineUser``
       * ``device/msteamsonline/ApplicationInstance``

       Existing users are updated (add, modify, delete) for the following models: 

       * ``device/msgraph/MsolUser``
       * ``device/msteamsonline/CsOnlineUser``

   .. note:: 

      * If you're using flow through provisioning for Microsoft users, additional steps are required 
        before running the initial sync. See :ref:`sync-to-site-with-flow-through`
      
        You will need to enable the *Sync New Users* sync method initially (if you've upgraded to 21.3-PB1). 
        To do this, save the tenant instance on this screen first so that the necessary data sync instances 
        are created. These data syncs can be identified by the name format: ``SyncMSTeamsOnlineUsers__<tenant>``,
        with **Update** and **Remove** operations disabled by default.
      
      * Automate issues a warning when it detects an ``in`` condition for ``UserPrincipalName`` used 
        alongside other ``CsOnlineUser`` filters during sync and filtering. In Microsoft tenants with 
        auto-filter enabled, the expected records may not be returned if your MsolUser cache is not up to date.
        See "Microsoft syncs" in the Best Practices Guide.


.. rubric:: Next steps

* :ref:`ms-quick-start-step3`




.. rubric:: Related topics 

* :ref:`ms-tenant-setup`
* 
  .. raw:: latex

     Microsoft syncs in the Best Practices Guide

  .. raw:: html

     <a href="best-practices/microsoft-syncs.html">Microsoft syncs</a>