Yammer Identity and User Management Martina GromOFC-B349

EM OFC WIN DBI

CDP TWC DEV AZR

Following this session at 18:30

in Hall 5Meet with Microsoft Product ExpertsSnacks and Beverages Served

Ask The Experts Key and floorplan

Cloud and Datacenter Platform

Data Platform and Business Intelligence

Developer Platform and Tools

Enterprise Mobility

Office 365

Windows

Microsoft Azure

Trustworthy Computing

About MeMartina GromOffice 365 MVP

Working on:The CloudOffice 365 DeploymentsEnterprise Social Engagements

ContactTwitter: @magromE-Mail: mg@atwork.atBlog: http://blog.atwork.atFacebook: https://www.facebook.com/groups/cloudusergroup/

AgendaIdentity ManagementYammer User and network internalsSingle Sign On User provisioning with Yammer Directory SyncYammer Directory SyncYammer Audit UsersBest practicesWrap up

Identity Management

Identity ManagementStarts normally with *a lot of* identitiesIs always a challengeWhich Identity to use when

Organizational Identity

Microsoft Identity

Yammer Identity

Active Directory

Own IDM

Yammer Identity managementImportant when you launch Yammer EnterpriseCreate an engaged and trusted communityDecide about User Profile SyncsVarious User and Admin Roles

Yammer Roles simply explainedUser Group

AdminNetwork Admin

Verified Admin

Creates messages, uploads files, share and likes messages.Creates Polls, PraisesInstant MessagingDelete own itemsCreate NotesInvite other users

Same as user andCreates groupsPost announcements in own groupsSet Group settings (name, picture, description)Member Management within GroupContent ModerationMark Notes and Files as Official within groupControl membership within group

Same as user and group admin andConfigure network settings, applicationsConfigure network designConfigure usage policy behaviorConfigure user profile fieldsInvite anyone (also external guests)See all groups (also unlisted)Delete any messagePost announcementsGrant and revoke Network Admin privilegesRemove or block users

Same as user, group admin and Network Admin andManage user account activityBulk update usersPerform integrationsMonitor keywordsSet data retention policyExport dataConfigure settingsAccess to all groupsExport contentIs an Office 365 Global Admin (Provisioned by default)

EngagementAn engaged user is “anyone who purposefully uses Yammer within a given time period”Engagement needs to occur across silos to achieve successUsers engage more when it’s simple, and the environment

is trusted

ComplianceDriven by the external environment, and the internal organizationAbout keeping bad guys out while enabling employees, contractors, and agents

Primary Outputs

DirSync or SSO, or both?

Directory Sync

Single Sign-On

Sweet spot

Provisioning Authentication

Users and Networks

External NetworkCollaboration

Yammer NetworksNetworks are private and secureNetworks are containers for users and groupsOnly users with a corporate email Address can joinExternal networks operate independently of email domain

con

toso

.com

Customer Network

Marketing

R&D Partnerships

Alumni fab

rica

m.c

om

Press and Media

Contoso and Fabricam

Collaboration

Guest Collaboration

Understanding Yammer UsersAlways belong to a home (canonical) networkSometimes users are also members of an external networkGuests get direct access to other home networksExist in a limited number of states during lifetime

Pending

ActiveSuspende

dDeleted

User profiles

User confirms email, enters name, chooses a password, uploads a photo, and selects some groups.

An initial engagement point for end users

Limited administrator controls

Users have control over the values that appear in their profile

Mass updates to user profiles

Available to verified administrators in YammerProfiles can be created with a default password

Bulk update Yammer User API

Requires code, but allows integration with other identity systems

Demo

Single Sign On

SSO benefits

The same credentials used in the enterprise are used by YammerMakes multi-factor authentication a possibility

Federation User convenience

A single set of credentials to rememberOne identity

Expected, but absent

Yammer delegates this responsibility to Directory Sync

Attribute exchange WS-Federation

SAML is the supported protocolADFS, Azure AD, and many other identity providers support this standard

No self-serviceIf you have a SAML 2.0 Identity Provider then configuration is pretty straightforwardTests happen against your Yammer network at a scheduled time

Deployment processProvide identity provider metadata

Yammer implements service provider configuration

Create Relying Party Trust with Yammer metadata

Test SSO

Make email address changesActivate SSO

These are kiosk workers who may not have email, but often have mobile devicesUsing SSO it is possible to enable “Users Without Emails” (UWE) modeMixed mode is possible in the same networkOnly some identity providers (IdPs) support this configuration

Frontline workers

Applications and SSOYammer Embed is SSO-aware and will redirect usersMobile applications support SSO using an in-app web browserLegacy apps require a temporary password available from the App Directory after authenticationDevelopers should specify the network permalink to kick off SSO flow when authorizing an app

Yammer SSO, O365

Create a Yammer Service Principal for SSO

http://blogs.technet.com/b/speschka/archive/2014/01/08/using-azure-active-directory-for-single-sign-on-with-yammer.aspx

Demo

User provisioning with Yammer Directory Sync

Core Functions

Custom invite and welcome emails

Adds and invitations

Prepopulate user profile fieldsOverwrite upon update to AD

Profile updates

Suspend users when they are disabled or deleted in AD

Suspensions

Expected, but absent

Not a good fit for a social scenario where users are empowered to create groups that fit with their workflow

Group synchronization

User profile lockdown

Users are always identifiableAD is optimal for the pre-population of fieldsDefault settings respect values users have entered in Yammer

Installs on a single serverNo database requiredAD and LDAP expertise required to configure custom filters (queries)First sync sends all data, subsequent syncs are incremental

Deploying Directory SyncInstall Directory

Sync

Connect to Yammer

Connect to AD

Validate user queries

Enable sync

Yammer Directory Sync

Custom queriesKeep it simpleStart by querying for emails belonging to just your domainsFilters are automatically added for objectCategory and objectClassDifficult to exclude users

// A good startmail=*@contoso.com

// Multiple domains, merged network(&(mail=*@contoso.com)(mail=*@contoso.co.uk))

// Redundant query(&(objectCategory=person)(objectClass=user)(mail=*))

// Is this replicated in AD?(&(mail=*@contoso.com)(!customAttribute=E))

Incremental syncsUSN-Changed is captured for each query after a successful syncThese values are used for subsequent LDAP queriesRemoving the incremental query cursor file forces a full sync

{ "35ac4db9-c0ab-4cab-8cc6-6276ef3a7931": { "PropertyName": "usnchanged", "LastValue": 270047611 }, "f7d21d81-87c8-4c11-9f06-6dc095f881cf": { "PropertyName": "usnchanged", "LastValue": 269749469 } "371eff67-0ce8-4e1e-bba3-c7a98982552a": { "PropertyName": "usnchanged", "LastValue": 279149469 } "ec7829ef-a25c-47e8-8ff4-f0d6552b6a74": { "PropertyName": "usnchanged", "LastValue": 270849469 }}

Configuration and log filesLocated at %programdata%\Yammer\DirSync

File Purpose

globalsettings.config.json Main settings file for Directory Sync

lastvalidation.json Output from the last validation

incrementalquerycursors.config.json

Stores cursor position for incremental syncs

service.log Log for the Windows Service

ui.log Log for the User Interface

Service and UI executable configuration files in %programfiles%(x86)\Yammer\Directory Sync allow you control log output settings.

Demo

Yammer Audit Users

Different Scenarios

Active users from Basic Network

Yammer DirSync does not run regulary

LDAP filter is too specific

Demo

Best Practices

Planning

Will disturb few workersAn opportunity to give a better first experience with SSO

New Network Established Network

Always start with SSOImplement Directory Sync in suspend-only mode initiallyEnable adds and updates later

Best practices for SSO

Support mobile devices

Ensure your identity provider supports failover

Involve a (friendly) range of users in testing

Test from inside and outside your network

Communicate with your users

Email mismatches between Yammer and the SAML assertion can happen. This can be detected and fixed ahead of time.

Best practices for Directory Sync

Become friends with your Active Directory administrator(s)

Customize the activation and welcome emails

Understand and review the validation report

Include only users with email addresses matching your domain(s)

Prepare for DR with a standby instance

Understand attribute mappings and preferences, and how these will impact your Yammer Network

Document configuration for transition to BAU

Wrap up

Identity futures

Users can access Yammer from O365 without logging into Yammer

Simplified login

Users can more easily move between Yammer and O365

O365 Navigation

Being looked at, but this is a long term item

Yammer Directory Sync replacement

Recommendations1. Decide about the best SSO option2. Implement Yammer SSO and Directory

Sync3. Go with SSO before Directory Sync*4. Use a simple Directory Sync configuration5. Merge in front to avoid operating multiple

Yammer networks.6. Follow the Yammer Release Schedule for

identity updates

DocumentationSingle Sign-On

http://success.yammer.com/integrations/single-sign-on/

Directory Sync

http://success.yammer.com/integrations/directory-sync/

“Knowledge increases by sharing – so pass it on.”

Breakout SessionsOFC-B223 The Microsoft Roadmap for Enterprise Social – Tuesday @17:00 (8.0–D3)OFC-B219 Introducing Delve and the Office Graph – Wednesday @8:30 (8.0–D1)OFC-B342 Microsoft SharePoint Server 2013 on Premises and Yammer Deployment Guidance – Wednesday @15:15 (8.0–D3)OFC-B349 Yammer Identity and User Management – Thursday @17:00 (8.0-E7)

ResourcesEnterprise Social Resource Center http://enterprisesocial.com Office 365 Customer Success Center http://success.office.com Technical Resources http://aka.ms/yamtn Office 365 Public Roadmap http://office.microsoft.com/roadmap

Enterprise Social Related content

Find Me Later at Ask the Experts and @magrom!

#worklikeanetwork

Sign up and get started with Yammer www.yammer.com1

Enterprise Social Resource Center http://enterprisesocial.com 2

Check out the Success Center http://success.office.com 3

Next Steps

Technical Network

Join the conversation!Share tips and best

practices with other Office 365 expertshttp://aka.ms/o365technetwork

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

Developer Network

http://developer.microsoft.com

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Managing Office 365 Identities and Services

5

Office 365

Deploying Office 365 Services

Classroomtraining

Exams

+

Introduction to Office 365

Managing Office 365 Identities and Requirements

FLC

40041

Onlinetraining

Managing Office 365 Identities and ServicesOffice 365 Fundamentals

http://bit.ly/O365-Cert

http://bit.ly/O365-MVA

http://bit.ly/O365-Training

Get certified for 1/2 the price at TechEd Europe 2014!http://bit.ly/TechEd-CertDeal

MOC

20346 Designing for Office

365 Infrastructure

MOC

10968

3

EXAM

346EXAM

347

MVA MVA

TechEd Mobile app for session evaluations is currently offline

SUBMIT YOUR TECHED EVALUATIONSFill out an evaluation via

CommNet Station/PC: Schedule Builder

LogIn: europe.msteched.com/catalog

We value your feedback!

EM OFC WIN DBI

CDP TWC DEV AZR

Following this session at 18:30

in Hall 5Meet with Microsoft Product ExpertsSnacks and Beverages Served

Ask The Experts Key and floorplan

Cloud and Datacenter Platform

Data Platform and Business Intelligence

Developer Platform and Tools

Enterprise Mobility

Office 365

Windows

Microsoft Azure

Trustworthy Computing

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.