Important when you launch Yammer Enterprise Create an engaged and trusted community Decide about...
Yammer Identity and User Management
Martina Grom
OFC-B349
EM OFC WIN DBI
CDP TWC DEV AZR
Following this session at 18:30 in Hall 5
Meet with Microsoft Product Experts
Snacks and Beverages Served
Ask The Experts Key and floorplan
Cloud and Datacenter Platform
Data Platform and Business Intelligence
Developer Platform and Tools
Enterprise Mobility
Office 365
Windows
Microsoft Azure
Trustworthy Computing
About Me
Martina Grom
Office 365 MVP

Working on:
The Cloud
Office 365 Deployments
Enterprise Social Engagements

Contact
Twitter: @magrom
E-Mail: [email protected]
http://blog.atwork.at
Facebook: https://www.facebook.com/groups/cloudusergroup/
Agenda
Identity Management
Yammer User and network internals
Single Sign On
User provisioning with Yammer Directory Sync
Yammer Directory Sync
Yammer Audit Users
Best practices
Wrap up
Identity Management
Identity Management
Starts normally with *a lot of* identities
Is always a challenge
Which Identity to use when
Organizational Identity
Microsoft Identity
Yammer Identity
Active Directory
Own IDM
Yammer Identity management
Important when you launch Yammer Enterprise
Create an engaged and trusted community
Decide about User Profile Syncs
Various User and Admin Roles
Yammer Roles simply explained

User
Creates messages, uploads files, shares and likes messages
Creates Polls, Praises
Instant Messaging
Delete own items
Create Notes
Invite other users

Group Admin
Same as user, and:
Creates groups
Post announcements in own groups
Set Group settings (name, picture, description)
Member Management within Group
Content Moderation
Mark Notes and Files as Official within group
Control membership within group

Network Admin
Same as user and group admin, and:
Configure network settings, applications
Configure network design
Configure usage policy behavior
Configure user profile fields
Invite anyone (also external guests)
See all groups (also unlisted)
Delete any message
Post announcements
Grant and revoke Network Admin privileges
Remove or block users

Verified Admin
Same as user, group admin and Network Admin, and:
Manage user account activity
Bulk update users
Perform integrations
Monitor keywords
Set data retention policy
Export data
Configure settings
Access to all groups
Export content
Is an Office 365 Global Admin (Provisioned by default)
Engagement
An engaged user is “anyone who purposefully uses Yammer within a given time period”
Engagement needs to occur across silos to achieve success
Users engage more when it’s simple, and the environment is trusted

Compliance
Driven by the external environment, and the internal organization
About keeping bad guys out while enabling employees, contractors, and agents
Primary Outputs
DirSync or SSO, or both?
Directory Sync
Single Sign-On
Sweet spot
Provisioning Authentication
Users and Networks
External Network Collaboration
Yammer Networks
Networks are private and secure
Networks are containers for users and groups
Only users with a corporate email address can join
External networks operate independently of email domain
contoso.com
Customer Network
Marketing
R&D Partnerships
Alumni
fabricam.com
Press and Media
Contoso and Fabricam
Collaboration
Guest Collaboration
Understanding Yammer Users
Always belong to a home (canonical) network
Sometimes users are also members of an external network
Guests get direct access to other home networks
Exist in a limited number of states during lifetime
Pending
Active
Suspended
Deleted
User profiles
User confirms email, enters name, chooses a password, uploads a photo, and selects some groups.
An initial engagement point for end users
Limited administrator controls
Users have control over the values that appear in their profile
Mass updates to user profiles
Available to verified administrators in Yammer
Profiles can be created with a default password
Bulk update Yammer User API
Requires code, but allows integration with other identity systems
Demo
Single Sign On
SSO benefits
The same credentials used in the enterprise are used by Yammer
Makes multi-factor authentication a possibility
Federation User convenience
A single set of credentials to remember
One identity
Expected, but absent
Yammer delegates this responsibility to Directory Sync
Attribute exchange WS-Federation
SAML is the supported protocol
ADFS, Azure AD, and many other identity providers support this standard
No self-service
If you have a SAML 2.0 Identity Provider then configuration is pretty straightforward
Tests happen against your Yammer network at a scheduled time
Deployment process
Provide identity provider metadata
Yammer implements service provider configuration
Create Relying Party Trust with Yammer metadata
Test SSO
Make email address changes
Activate SSO
Frontline workers
These are kiosk workers who may not have email, but often have mobile devices
Using SSO it is possible to enable “Users Without Emails” (UWE) mode
Mixed mode is possible in the same network
Only some identity providers (IdPs) support this configuration
Applications and SSO
Yammer Embed is SSO-aware and will redirect users
Mobile applications support SSO using an in-app web browser
Legacy apps require a temporary password available from the App Directory after authentication
Developers should specify the network permalink to kick off SSO flow when authorizing an app
Yammer SSO, O365
Create a Yammer Service Principal for SSO
http://blogs.technet.com/b/speschka/archive/2014/01/08/using-azure-active-directory-for-single-sign-on-with-yammer.aspx
Demo
User provisioning with Yammer Directory Sync
Core Functions
Custom invite and welcome emails
Adds and invitations
Prepopulate user profile fields
Overwrite upon update to AD
Profile updates
Suspend users when they are disabled or deleted in AD
Suspensions
Expected, but absent
Not a good fit for a social scenario where users are empowered to create groups that fit with their workflow
Group synchronization
User profile lockdown
Users are always identifiable
AD is optimal for the pre-population of fields
Default settings respect values users have entered in Yammer
Installs on a single server
No database required
AD and LDAP expertise required to configure custom filters (queries)
First sync sends all data, subsequent syncs are incremental
Deploying Directory Sync
Install Directory Sync
Connect to Yammer
Connect to AD
Validate user queries
Enable sync
Yammer Directory Sync
Custom queries
Keep it simple
Start by querying for emails belonging to just your domains
Filters are automatically added for objectCategory and objectClass
Difficult to exclude users

// A good start
mail=*@contoso.com

// Multiple domains, merged network (OR: an address matches only one domain)
(|(mail=*@contoso.com)(mail=*@contoso.co.uk))

// Redundant query
(&(objectCategory=person)(objectClass=user)(mail=*))

// Is this replicated in AD?
(&(mail=*@contoso.com)(!(customAttribute=E)))
Incremental syncs
USN-Changed is captured for each query after a successful sync
These values are used for subsequent LDAP queries
Removing the incremental query cursor file forces a full sync

{
  "35ac4db9-c0ab-4cab-8cc6-6276ef3a7931": { "PropertyName": "usnchanged", "LastValue": 270047611 },
  "f7d21d81-87c8-4c11-9f06-6dc095f881cf": { "PropertyName": "usnchanged", "LastValue": 269749469 },
  "371eff67-0ce8-4e1e-bba3-c7a98982552a": { "PropertyName": "usnchanged", "LastValue": 279149469 },
  "ec7829ef-a25c-47e8-8ff4-f0d6552b6a74": { "PropertyName": "usnchanged", "LastValue": 270849469 }
}
Configuration and log files
Located at %programdata%\Yammer\DirSync

File                                  Purpose
globalsettings.config.json            Main settings file for Directory Sync
lastvalidation.json                   Output from the last validation
incrementalquerycursors.config.json   Stores cursor position for incremental syncs
service.log                           Log for the Windows Service
ui.log                                Log for the User Interface
Service and UI executable configuration files in %programfiles%(x86)\Yammer\Directory Sync allow you to control log output settings.
Demo
Yammer Audit Users
Different Scenarios
Active users from Basic Network
Yammer DirSync does not run regularly
LDAP filter is too specific
Demo
Best Practices
Planning
Will disturb few workers
An opportunity to give a better first experience with SSO
New Network Established Network
Always start with SSO
Implement Directory Sync in suspend-only mode initially
Enable adds and updates later
Best practices for SSO
Support mobile devices
Ensure your identity provider supports failover
Involve a (friendly) range of users in testing
Test from inside and outside your network
Communicate with your users
Email mismatches between Yammer and the SAML assertion can happen. This can be detected and fixed ahead of time.
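An added example, not part of the original slides, for the audit scenarios above and the email-mismatch check: it compares a Yammer user export with a directory snapshot before SSO is activated and sorts active Yammer users into matching accounts, accounts whose Yammer address is only an alias in the directory, accounts disabled in the directory, and accounts with no directory match. The export columns, the directory structure and the assumption that the SAML assertion carries the primary mail value are illustrative, and all data is constructed.

```python
import csv
import io

# Constructed sample of a Yammer user export; the column names are assumed.
YAMMER_EXPORT = """email,state
alice@contoso.com,active
Bob@contoso.com,active
carol@contoso.com,active
dave@contoso.com,active
erin@contoso.com,active
frank@contoso.com,suspended
"""

# Constructed directory snapshot: primary mail (assumed to be the value sent in
# the SAML assertion), other addresses on the account, and the enabled flag.
DIRECTORY = [
    {"mail": "alice@contoso.com", "aliases": [], "enabled": True},
    {"mail": "bob@contoso.com", "aliases": [], "enabled": True},
    {"mail": "carol.jones@contoso.com", "aliases": ["carol@contoso.com"], "enabled": True},
    {"mail": "dave@contoso.com", "aliases": [], "enabled": False},
]

def audit(export_csv, directory):
    """Sort active Yammer users into ok / email_mismatch / suspend / orphan."""
    primary = {d["mail"].lower(): d for d in directory}
    alias = {a.lower(): d for d in directory for a in d["aliases"]}
    report = {"ok": [], "email_mismatch": [], "suspend": [], "orphan": []}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["state"] != "active":
            continue  # already suspended or deleted in Yammer
        email = row["email"].strip().lower()  # compared case-insensitively (assumption)
        account = primary.get(email) or alias.get(email)
        if account is None:
            report["orphan"].append(email)  # no directory account at all
        elif not account["enabled"]:
            report["suspend"].append(email)  # disabled in AD, still active in Yammer
        elif email not in primary:
            # Known only as an alias: the assertion would carry account["mail"].
            report["email_mismatch"].append((email, account["mail"]))
        else:
            report["ok"].append(email)
    return report

if __name__ == "__main__":
    for bucket, users in audit(YAMMER_EXPORT, DIRECTORY).items():
        print(bucket, users)
```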
Best practices for Directory Sync
Become friends with your Active Directory administrator(s)
Customize the activation and welcome emails
Understand and review the validation report
Include only users with email addresses matching your domain(s)
Prepare for DR with a standby instance
Understand attribute mappings and preferences, and how these will impact your Yammer Network
Document configuration for transition to BAU
Wrap up
Identity futures
Users can access Yammer from O365 without logging into Yammer
Simplified login
Users can more easily move between Yammer and O365
O365 Navigation
Being looked at, but this is a long term item
Yammer Directory Sync replacement
Recommendations
1. Decide about the best SSO option
2. Implement Yammer SSO and Directory Sync
3. Go with SSO before Directory Sync*
4. Use a simple Directory Sync configuration
5. Merge in front to avoid operating multiple Yammer networks.
6. Follow the Yammer Release Schedule for identity updates
Documentation
Single Sign-On
http://success.yammer.com/integrations/single-sign-on/
Directory Sync
http://success.yammer.com/integrations/directory-sync/
“Knowledge increases by sharing – so pass it on.”
Breakout Sessions
OFC-B223 The Microsoft Roadmap for Enterprise Social – Tuesday @17:00 (8.0–D3)
OFC-B219 Introducing Delve and the Office Graph – Wednesday @8:30 (8.0–D1)
OFC-B342 Microsoft SharePoint Server 2013 on Premises and Yammer Deployment Guidance – Wednesday @15:15 (8.0–D3)
OFC-B349 Yammer Identity and User Management – Thursday @17:00 (8.0-E7)

Resources
Enterprise Social Resource Center http://enterprisesocial.com
Office 365 Customer Success Center http://success.office.com
Technical Resources http://aka.ms/yamtn
Office 365 Public Roadmap http://office.microsoft.com/roadmap
Enterprise Social Related content
Find Me Later at Ask the Experts and @magrom!
#worklikeanetwork
Next Steps
1. Sign up and get started with Yammer www.yammer.com
2. Enterprise Social Resource Center http://enterprisesocial.com
3. Check out the Success Center http://success.office.com
Get certified for 1/2 the price at TechEd Europe 2014!
http://bit.ly/TechEd-CertDeal
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.