Using Azure Active Directory for Single Sign On with Yammer

This is a pretty interesting topic that I think is going to gain momentum going forward.  As many of you know, when you create a new o365 tenant you automatically get an Azure Active Directory (AAD) instance provisioned at the same time.  If you have purchased an Enterprise o365 tenant, you now also receive a Yammer network with it (NOTE:  I'm not a licensing guy, I can't answer licensing questions, and there are different flavors of tenants and licenses that I can't and won't ever be able to explain).  If you're familiar with Yammer, you also know that today it has its own user directory.  We typically set up directory synchronization from an on-premises Active Directory to Yammer to keep that directory up to date.  For authentication, though, if you want single sign-on we usually suggest ADFS if you're a Windows shop.  Going forward, Azure Active Directory is another alternative you can use.

The main reason to use AAD instead of ADFS is time and money.  If you use ADFS, you are responsible for building out a highly available ADFS infrastructure.  That means two or more of each of several kinds of servers:  ADFS, ADFS proxy, reverse proxy, firewall, and/or load balancer.  It adds up quickly when you count the number of servers involved, the cost of OS licenses, and the cost to patch, maintain and operate them.  AAD, on the other hand, takes care of all of that infrastructure for you and is included with any o365 tenant.  It's free up to about 500k users, I think (again, I'm not a licensing guy, so check if you are concerned).  You can also create an AAD instance with a regular Azure subscription.

So if you are convinced of the goodness of AAD for this purpose, the good news is that getting it set up is relatively straightforward.  The steps are:

  1. Add your on-premises domain to your o365 subscription.

    1. Go to the o365 Admin pages and click on Domains

    2. Click on Add a Domain

    3. Follow the wizard to add (and verify) your on-premises domain in your o365 tenant

  2. Set up directory synchronization between your on-premises Active Directory and o365

    1. Go to the o365 admin pages and click on Users and Groups, then AD synchronization set up

    2. Install the AAD module for PowerShell

    3. Activate synchronization in the tenant

    4. Install the dirsync tool and run it

    5. After dirsync has completed, make at least one synced on-premises user a Global Admin in o365

  3. Run the following PowerShell script using the AAD PS module:

# Load the Azure AD PowerShell module (New-MsolServicePrincipal lives in MSOnlineExtended) and sign in as a tenant Global Admin
Import-Module MSOnlineExtended -Force
Connect-MsolService
# Yammer's SAML assertion consumer service URL, registered as the reply address of the new service principal
$replyUrl = New-MsolServicePrincipalAddresses -Address "https://saml.yammer.com/sp/ACS.saml2"
New-MsolServicePrincipal -ServicePrincipalNames @("yammer/sso") -DisplayName "Yammer Federation" -Addresses $replyUrl

The output of New-MsolServicePrincipal includes the new service principal's AppPrincipalId; you will need it in the next step.

  4. Capture the AppPrincipalId from the output and provide it, along with your domain name (e.g. contoso.com) and the rest of the documentation they request, to Yammer support per the SSO checklist at http://success.yammer.com/integrations/single-sign-on/.

You should be good to go at that point, and can do all of your authentication completely in the cloud using AAD.
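The following script is an added example and not part of the original post.  It wraps the procedure above in a single run from the Azure AD (MSOnline) PowerShell module: it checks that the domain is verified, that directory synchronization is on and that a synced account holds the Global Admin role, then creates the Yammer service principal only if it does not already exist (re-running the post's New-MsolServicePrincipal line a second time fails on the duplicate SPN), confirms the registered reply URL is exactly Yammer's ACS endpoint, and prints the values Yammer support asks for.  The domain name contoso.com and the account admin@contoso.com are assumptions for illustration; the SPN, display name and reply URL are the ones the post uses.

```powershell
# Added example, not code from the original post. Assumes the MSOnline / MSOnlineExtended
# modules are installed and that you sign in as a tenant Global Admin when prompted.
Import-Module MSOnline -ErrorAction Stop
Import-Module MSOnlineExtended -Force -ErrorAction Stop
Connect-MsolService

$domainName  = 'contoso.com'        # assumption: the on-premises domain you added to the tenant
$syncedAdmin = 'admin@contoso.com'  # assumption: the synced account that should be Global Admin
$replyUrl    = 'https://saml.yammer.com/sp/ACS.saml2'  # Yammer's SAML assertion consumer service
$spn         = 'yammer/sso'

# 1. The domain must be verified in the tenant, or Yammer support cannot federate it.
$domain = Get-MsolDomain -DomainName $domainName -ErrorAction Stop
if ($domain.Status -ne 'Verified') {
    throw "Domain $domainName is '$($domain.Status)', not Verified. Finish the Add a Domain wizard first."
}

# 2. Directory synchronization must be active, or the on-premises users do not exist in AAD.
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    throw 'Directory synchronization is not enabled for this tenant.'
}

# 3. At least one synced user (LastDirSyncTime is set for synced objects) must be a Global Admin.
#    In MSOnline the Global Admin role is named "Company Administrator".
$role   = Get-MsolRole -RoleName 'Company Administrator'
$admins = Get-MsolRoleMember -RoleObjectId $role.ObjectId
$syncedAdmins = foreach ($m in $admins) {
    $u = Get-MsolUser -UserPrincipalName $m.EmailAddress -ErrorAction SilentlyContinue
    if ($u -and $u.LastDirSyncTime) { $u.UserPrincipalName }
}
if ($syncedAdmin -notin $syncedAdmins) {
    Write-Warning "$syncedAdmin is not a directory-synced Global Admin. Synced admins: $($syncedAdmins -join ', ')"
}

# 4. Create the Yammer service principal only if the SPN is not already registered.
$sp = Get-MsolServicePrincipal -ServicePrincipalName $spn -ErrorAction SilentlyContinue
if (-not $sp) {
    $addresses = New-MsolServicePrincipalAddresses -Address $replyUrl
    $sp = New-MsolServicePrincipal -ServicePrincipalNames @($spn) `
                                   -DisplayName 'Yammer Federation' `
                                   -Addresses $addresses
    Write-Host "Created service principal $($sp.AppPrincipalId)"
} else {
    Write-Host "Service principal already exists: $($sp.AppPrincipalId)"
}

# 5. The only reply address should be Yammer's ACS URL. Anything else means AAD could be
#    talked into posting a SAML token for this principal somewhere Yammer never sees it.
$registered = @($sp.Addresses | ForEach-Object { $_.Address })
if ($registered.Count -ne 1 -or $registered[0] -ne $replyUrl) {
    Write-Warning "Unexpected reply addresses on $spn : $($registered -join ', ')"
}

# 6. Values to hand to Yammer support with the SSO checklist.
[pscustomobject]@{
    Domain                = $domainName
    AppPrincipalId        = $sp.AppPrincipalId
    ServicePrincipalNames = ($sp.ServicePrincipalNames -join ', ')
    ReplyUrl              = ($registered -join ', ')
} | Format-List
```

Run it in a session where Connect-MsolService can prompt for credentials; the warnings are deliberately non-fatal so you can see every problem in one pass, but do not send the AppPrincipalId to Yammer support until steps 1 to 3 come back clean and step 5 shows the single ACS address.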

3 thoughts on “Using Azure Active Directory for Single Sign On with Yammer”

    • Hey Joe, not exactly sure what you mean there. AAD has broad support as an OAuth2-compatible security provider for many applications. With ASP.NET (MVC or web forms) it's pretty easy to get it up and going, but the process is somewhat different. Most of it (if not all with VS 2015) is managed in a wizard in Visual Studio for you.
