Using Azure Active Directory for Single Sign On with Yammer


This is a pretty interesting topic that I think is going to be gaining momentum going forward.  As many of you know, when you create a new o365 tenant you automatically get an Azure Active Directory (AAD) instance provisioned for you at the same time.  For those of you who have purchased an Enterprise o365 tenant, you now also receive a Yammer network with it (NOTE:  I'm not a licensing guy, I can't answer licensing questions, and there are different flavors of tenants and licenses that I can't and won't ever be able to explain).  If you're familiar with Yammer, you also know that today it has its own user directory.  We typically set up directory synchronization from an on-premises Active Directory to Yammer to keep that directory up to date.  For authentication, though, if you want single sign-on we usually suggest using ADFS if you're a Windows shop.  Going forward, Azure Active Directory is another alternative you can use.

The main reason you would want to use AAD instead of ADFS comes down to time and money.  If you use ADFS, you are responsible for building out a highly available ADFS infrastructure.  That means 2 or more servers of any number of things:  ADFS, ADFS proxy, reverse proxy, firewall, and/or load balancer.  That can really add up when you think about the number of servers involved, the cost to acquire OS licenses, and the cost to patch, maintain and operate them.  On the other hand, AAD takes care of all of that infrastructure for you, and is included with any o365 tenant.  It's free up to about 500k users I think (again – I'm not a licensing guy so check if you are concerned).  You can also just create an AAD instance with a regular Azure subscription.

So if you are convinced of the goodness of AAD for this purpose, the good news is that getting it set up is relatively straightforward.  The steps you will want to do are:

  1. Add your on-premises domain to your o365 subscription.
    1. Go to the o365 Admin pages and click on Domains

    2. Click on Add a Domain

    3. Follow the wizard to add your on-premises domain to your o365 tenant

  2. Set up directory synchronization between your on-premises Active Directory and o365

    1. Go to the o365 admin pages and click on Users and Groups, then AD synchronization set up

    2. Install the AAD module for PowerShell

    3. Activate synchronization in the tenant

    4. Install the DirSync tool and run it

    5. After DirSync has completed, make at least one on-premises user a Global Admin in o365

  3. Run the following PowerShell script using the AAD PS module:

# Load the extended AAD module (it provides the service principal cmdlets), then sign in as a Global Admin
Import-Module MSOnlineExtended -Force
Connect-MsolService
# Yammer's SAML assertion consumer (ACS) endpoint, registered as the reply address of the principal
$replyUrl = New-MsolServicePrincipalAddresses -Address "https://saml.yammer.com/sp/ACS.saml2"
# Create the service principal; the AppPrincipalId in its output is what Yammer support needs
New-MsolServicePrincipal -ServicePrincipalNames @("yammer/sso") -DisplayName "Yammer Federation" -Addresses $replyUrl

You should see output afterwards that looks like this:

  4. Capture the AppPrincipalID from the output and provide that along with your domain name (e.g. contoso.com) to Yammer support, along with the rest of the documentation they request in the SSO checklist they have at http://success.yammer.com/integrations/single-sign-on/.

You should be good to go at that point, and can do all of your authentication completely in the cloud using AAD.
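As an added example (this is not the post's own script), here is an idempotent version of step 3 that also runs the preflight checks a practitioner would want and prints the values step 4 asks for. The $DomainName parameter, the domain and DirSync checks, and the reply-URL verification are my additions; the cmdlets are the same MSOnline/MSOnlineExtended ones the post uses.

```powershell
# Added example, not from the original post: register the Yammer SAML service
# principal in Azure AD idempotently and emit the values Yammer support asks for.
# Assumes the MSOnline/MSOnlineExtended modules used in the post are installed;
# $DomainName is the verified domain added to the tenant in step 1.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,
    [string]$SpnName     = "yammer/sso",
    [string]$DisplayName = "Yammer Federation",
    [string]$ReplyUrl    = "https://saml.yammer.com/sp/ACS.saml2"
)

Import-Module MSOnline -ErrorAction Stop
Import-Module MSOnlineExtended -Force -ErrorAction Stop
Connect-MsolService    # prompts for a Global Admin credential

# Preflight: the domain must be verified in this tenant, and directory
# synchronization should already be on (steps 1 and 2 of the post).
$domain = Get-MsolDomain -DomainName $DomainName -ErrorAction Stop
if ($domain.Status -ne "Verified") {
    throw "Domain $DomainName is not verified (status: $($domain.Status))."
}
if (-not (Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    Write-Warning "Directory synchronization is off; on-premises users will not be in AAD."
}

# Reuse an existing principal instead of creating a duplicate on every run.
$sp = Get-MsolServicePrincipal -ServicePrincipalName $SpnName -ErrorAction SilentlyContinue
if ($null -eq $sp) {
    # Parameter names use plain ASCII hyphens; pasting curly en-dashes
    # (e.g. "–Address") yields "A positional parameter cannot be found".
    $addresses = New-MsolServicePrincipalAddresses -Address $ReplyUrl
    $sp = New-MsolServicePrincipal -ServicePrincipalNames @($SpnName) `
                                   -DisplayName $DisplayName `
                                   -Addresses $addresses
    Write-Host "Created service principal '$DisplayName' ($($sp.AppPrincipalId))."
} else {
    Write-Host "Service principal '$SpnName' already exists; reusing it."
}

# Verify the reply URL really is bound before handing the id to Yammer support:
# a principal without the ACS URL cannot complete the SAML response flow.
$bound = @($sp.Addresses | ForEach-Object { $_.Address })
if ($bound -notcontains $ReplyUrl) {
    throw "Principal $($sp.AppPrincipalId) lacks reply URL $ReplyUrl (has: $($bound -join ', '))."
}

# Values for the Yammer SSO checklist (step 4 of the post).
[pscustomobject]@{
    AppPrincipalId = $sp.AppPrincipalId
    Domain         = $DomainName
    ReplyUrl       = $ReplyUrl
}
```

Run it as `.\Register-YammerSso.ps1 -DomainName contoso.com` (file name and domain are placeholders); the object it emits is the AppPrincipalId/domain pair step 4 sends to Yammer.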

Comments (29)

  1. Anonymous says:

    If I want to set up an Azure account with AAD and use that AAD with Yammer, do I need to set it up first or can I add Azure later and leverage the AAD I set up with O365?

  2. Sorry @Joshua, I haven’t done federation to Salesforce (yet) so I don’t have anything to share.

  3. Hi @Hugh, I didn’t forget the picture, this lousy blogging implementation now frequently just blocks the pictures that I *painstakingly* add to these posts (that’s not an exaggeration, it’s unreal how much work it is in 2014 to add pictures to a freakin’ blog post). Also, I do not have a blog post about setting up Yammer Dirsync, although I suppose I could work on one when I get some spare time. It’s really not bad, there is documentation on the Yammer site how to do this and a wizard to help you set it up. In theory you could go without, but I would not (i.e. it would likely be much more fruitful to work past any blocking issues you may have with Yammer dirsync rather than trying to manually sync these directories). You would, at a minimum, still want to make sure you are syncing to Azure AD for example so you can use SAML authentication.

  4. Hey Tommy, Yammer and O365 user mapping is not a complete SSO solution so it doesn’t annul the necessity of configuring Azure AD. Also, user mapping functionality has been temporarily disabled; check this out –

    http://community.office365.com/en-us/w/yammer/temporary-disablement-of-office-365-and-yammer-user-mapping.aspx

  5. Massimo, it is not mandatory to have DirSync. DirSync comes into the picture only if you have existing users in your on-premises AD that you’d like to sync to your Office 365 tenant. Hope that helps?

  6. Yes, this requires both dirsync and yammer dir sync because they are two different directories at this time.

  7. @CJ-UK, the Azure AD metadata can be downloaded from this URL –
    https://accounts.accesscontrol.windows.net//FederationMetadata/2007-06/FederationMetadata.xml

    Hope that helps?

  8. Ed (DareDevil57) says:

    thanks for sharing.

  9. Chris_Moon_AU says:

    Hi, I’m trying to follow the above instructions but seem to be caught in a loop with Yammer support as they’re asking for a metadata file which can be obtained from a URL, do you have any tips as to where I can find this URL? Cheers

  10. Anonymous says:

    Steve, this still requires both DirSync and Yammer Sync, correct?


  12. Anonymous says:

    Pingback from Thursday, January 9, 2014 on #WindowsAzure | Alexandre Brisebois

  13. Joshua Toon says:

    Is there anyway that you could post the instructions for configuring federation with Salesforce manually? I would like to configure it myself so that we could support the multiple SF orgs that we have.

  14. Adam Toth says:

    So, if I also wanted SSO for all my Office365 services (Exchange, SharePoint Online, Lync), does the AAD support all of those as well, so I can effectively eliminate my ADFS 2.0 infrastructure? What are the PowerShell commands to get Office365 to use AAD instead of the typical commands for ADFS 2.0?

    This requires the password synchronization in the DirSync tool, correct?

    And one other question, with AAD and DirSync, if I disable an account in on-premises AD, I have to wait for a sync to occur before that account is unable to login to a service using AAD for authentication, correct? Rather than an immediate rejection if I was using ADFS.

  15. Hugh Simpson-Wells says:

    Great post – thanks. You say "You should see output afterwards that looks like this:" but then I don’t see the output. Is that my browser, or did you forget it? Also, you say in answer here that "this requires both dirsync and yammer dir sync because they are two different directories". Do you have a post about setting up Yammer Dir Sync? And just out of interest, could you live without it as long as you are prepared to invite users manually – or is that just absurd?

  16. Joran Markx says:

    Great post! Is it really a requirement to have Dirsync for Office and Yammer enabled? I would like SSO between O365 and Yammer with AAD/ADFS using AAD Users. And if this is not possible, can you explain why this would not work? Thanks in advance!

  17. Anonymous says:

    I posted a while back regarding how to configure Yammer and Azure Active Directory (AAD) together so

  18. RV says:

    I guess we need a paid Azure Tenant for using this functionality in an enterprise.

  19. Neil says:

    I’m curious – would it be possible to configure Yammer with SSO directly to AAD as shown here but without the on-premise DirSync for Yammer or AAD? It would be great if Yammer could share the credentials used for Office 365 (not on-prem). In my scenario I’m unable to configure AAD DirSync, but Yammer DirSync might be possible. Thank you!

  20. Anonymous says:

    Pingback from SSO with Yammer (Single Sign On para Yammer) | Sara Barbosa

  21. Massimo says:

    Not sure I understood. Is it mandatory to have DirSync for Yammer/WAAD Federation?

  22. Massimo says:

    Yes Israel, it helps! 🙂 Thank you very much!

  23. Andres Bucheli says:

    Does the Single Sign On with Yammer work with ADFS on Windows Server 2012 R2?

  24. Carlton says:

    Mike,
    Thanks for the post. I tried running your powershell script above, but get the following error message:

    New-MsolServicePrincipalAddresses : A positional parameter cannot be found
    that accepts argument '–Address https://saml.yammer.com/sp/ACS.saml2
    New-MsolServicePrincipal –ServicePrincipalNames'.
    At D:\temp\Yammer.ps1:3 char:13
    + $replyUrl = New-MsolServicePrincipalAddresses –Address
    "https://saml.yammer.co
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ~~~
    + CategoryInfo : InvalidArgument: (:) [New-MsolServicePrincipalAd
    dresses], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.Online.Adm
    inistration.Automation.NewServicePrincipalAddresses


  26. Libor says:

    Thank you for sharing. Does anybody know what AD attribute is used to log in in this scenario when the SSO is enabled? When you use ADFS then the email address attribute is used to authenticate. Is it the same here or is it the UPN that is used to log in? The last question is regarding the users who don’t have an email address, thus this attribute is missing in AD for their user object. Can Azure AD SSO fit this scenario? Would it work if their user object in AD was populated with an email address that will be just for log in purposes although in reality those users would not have an email box? I know that for ADFS in this scenario where users don’t have an email you have to modify ADFS incoming claims with a customized attribute that is used to log in. (Here is the link to watch a video that mentions that: http://channel9.msdn.com/Events/SharePoint-Conference/2014/SPC368 ) Has anybody come across this scenario? Thanks a lot.
