.. _onboard-user-ms:
Onboard user (Microsoft)
---------------------------
:bdg-primary:`Microsoft`
.. _24.1-PB1|EKB-21135:
.. _24.2|EKB-15162:
.. _25.4|EKB-27248:
Overview
.............
Onboarding a Microsoft user involves adding or syncing in users to Automate from the Microsoft portal
(Microsoft Entra) with the correct licenses, moving users to the correct site, and
provisioning them with the correct services.
.. note::
During Microsoft user onboarding, vendor-specific username fields (such as Microsoft 365 and Microsoft Teams
usernames) on the system user are automatically populated and maintained by the provisioning workflows.
These identity values are derived from the Microsoft tenant and service configuration and are not manually
entered or updated as part of the onboarding process.
A Microsoft user is onboarded to a site via **Microsoft User Services** > **Onboard User**.
.. rubric:: Related topics
* :ref:`microsoft-quick-start`
* :ref:`offboarding-ms`
* *Microsoft license management and alerting* in the Core Feature Guide
* :ref:`prevent-duplicate-numbers`
* :ref:`onboard-offboard-to-move-ms-user-between-sites`
Onboarding elements
'''''''''''''''''''''''
The table describes the elements relevant for onboarding Microsoft users:
.. tabularcolumns:: |p{5cm}|p{10cm}|
+----------------------+------------------------------------------------------------------------------+
| Element | Description |
+======================+==============================================================================+
| M365 User (Msoluser) | The base anchor for the user, and typically the first element pulled into |
| | Automate for a Microsoft user. Limited update options are available for this |
| | user. Automate can update usage location and licenses, depending on how |
| | the system is set up. |
+----------------------+------------------------------------------------------------------------------+
| Usage location | Usage location is updated completely independent from licensing, provided a |
| | value for usage location is included in a configuration template (CFT) via |
| | Quick Add Group, Subscriber from Profile, or a field display policy (FDP). |
| | |
| | If usage location updates aren't required (either you're not using it or |
| | the permissions don't allow it), then exclude it from the CFT. The |
| | `LicenseAssignment` permission allows usage location update. Note that the |
| | Microsoft API sets the same usage location; it says it's updating usage |
| | location even if permissions don't exist. |
+----------------------+------------------------------------------------------------------------------+
| Licenses | For onboarding, Quick User, Onboard user, or the field |
| | display policy (FDP) honors settings in the Quick Add Group configuration |
| | template (CFT) for the M365 user. Direct licenses are applied if they're |
| | included. |
| | |
| | If the CFT does not include any licenses, it won't try to apply licenses. |
| | Regardless of the license settings in the CFT, usage location can still be |
| | set. If using group licenses, this overrides any direct licenses configured |
| | in the onboarding CFTs. |
+----------------------+------------------------------------------------------------------------------+
Msoluser onboarding scenarios
'''''''''''''''''''''''''''''''''
The table describes Automate's behavior for the M365 user (``Msoluser``) during onboarding, depending
on whether templates exist in your Quick Add Group:
.. tabularcolumns:: |p{5cm}|p{10cm}|
+---------------------------------------------------+--------------------------------------------------------------------------------+
| Scenario | Description |
+===================================================+================================================================================+
| No M365 template in your Quick Add Group | Used when the `LicenseAssignment` permission is not assigned to the |
| | application. In this case: |
| | |
| | * `Msoluser` is left untouched - usage location and license is |
| | not updated. |
+---------------------------------------------------+--------------------------------------------------------------------------------+
| M365 user template exists in your Quick Add Group | * Usage location entry: |
| | |
| | * Automate updates the usage location according to definition in the CFT |
| | |
| | * License data (`LicenseAssignment` permission required): |
| | |
| | * Automate adds any license/s defined in the CFT (direct license assignment |
| | to the user) |
| | * Any existing licenses the user has (direct) are replaced with what was |
| | configured in the template |
+---------------------------------------------------+--------------------------------------------------------------------------------+
| MS Group Add template exists in your Quick Add | Used to add group memberships to the user/s (for licensing or other purposes). |
| Group | The user is assigned to the group/s in the CFT, in addition to any existing |
| | group memberships the user has. |
+---------------------------------------------------+--------------------------------------------------------------------------------+
Common onboarding scenarios and setup
''''''''''''''''''''''''''''''''''''''''
The table describes example common onboarding scenarios and the setup required, whether using Quick User,
Onboard user, or a field display policy (FDPs):
.. tabularcolumns:: |p{5cm}|p{10cm}|
+---------------------------------------------------------------+-----------------------------------------------------------+
| Example onboard scenario | Setup |
+===============================================================+===========================================================+
| No update to Msoluser at all (usage location and/or licenses) | Do NOT include a *M365* template in the Quick Add Group. |
+---------------------------------------------------------------+-----------------------------------------------------------+
| Update usage location, no license update | * Include a *M365* CFT in your QAG. The CFT must include |
| | the usage location logic you require (for example, |
| | macro from site default, etc). |
| | * Leave the license fields blank in the CFT. |
+---------------------------------------------------------------+-----------------------------------------------------------+
| Update usage location, and update license (direct licensing) | Include a *M365* CFT in your Quick Add Group that |
| | includes the usage location logic and licenses you |
| | require (e.g. macro from site default, etc). |
+---------------------------------------------------------------+-----------------------------------------------------------+
| Update usage location and group assignment (for license or | * Include a *M365* CFT in your Quick Add Group that |
| other purposes) | includes the usage location logic you require (e.g. |
| | macro from site default, etc.) |
| | * Include a *Add Group* CFT in your Quick Add Group that |
| | includes the groups you wish to add to the user. |
+---------------------------------------------------------------+-----------------------------------------------------------+
Syncing in and onboarding Microsoft users
...........................................
Automate provides two onboarding sync options for Microsoft users:
=============================================== =====================================================================================
Sync users to customer level, and then to sites This option starts with an initial import of dial plans, policies, licenses,
and Microsoft users, to the customer level (sync all to the tenant).
Then you will need to set up the configuration and user
move criteria before moving users to the sites (set up model filter criteria,
site defaults, quick add groups, user profiles, and number inventory).
Finally, you have two options to move users to the sites as fully
provisioned users:
* Run the overbuild to move multiple users to your sites at once.
* Update single users via Microsoft Quick User
When moving users to site, the Automate automated workflow applies the
required configuration, services, lines, policies, and licenses.
Sync users directly to sites In this option, you run the initial sync together with flow through
provisioning. In this case, you start by setting up the configuration and
user move criteria before running the initial sync. That is, to set up
the model filter criteria, site defaults, quick add groups,
and user profiles.
In addition, you will need to:
* Configure flow through provisioning criteria
* Enable flow through in the Global Settings
Once changes are synced in from the Microsoft Cloud, Automate automated
workflows move the tenant dial plan, policies, and licenses to the customer
level, and moves users directly to the appropriate sites as fully
provisioned users.
=============================================== =====================================================================================
.. note::
* Automate v21.2 introduced sync with flow through provisioning for Microsoft users. In 21.3,
this feature extends the functionality to users synced in from LDAP and Cisco UCM.
* Only *Add* is supported for syncs with flow through provisioning. Update and delete are
not supported since the requirements may differ depending on the customer scenario.
* For details on the generic flow through provisioning feature (which includes Microsoft, LDAP, or
Cisco UCM users), see :ref:`flow-through-provisioning`
.. rubric:: Related topics
* :ref:`prevent-duplicate-numbers`
*
.. raw:: latex
Sync to site with flow through provisioning in the User Guide
.. raw:: html
Sync to site with flow through provisioning
*
.. raw:: latex
Configure Automate for Microsoft services in the User Guide
.. raw:: html
Configure Automate for Microsoft services