Saturday, March 10, 2018

Plan for Yammer SSO and DSync deprecation


Yammer single sign-on (SSO) and directory synchronization (DSync) are legacy tools that Yammer developed prior to being acquired by Microsoft. As Yammer becomes more closely integrated with Office 365, we are removing the need for customers to learn and maintain separate tools for Yammer. Instead, customers can use the familiar Office 365 tools to set up single sign-on (Office 365 sign-in with federated identity) and directory synchronization (Azure Active Directory Connect). Note that you can configure Office 365 sign-in yourself, whereas Yammer SSO requires contacting the Yammer support team.

Note: Some admins are currently running into trouble with the Yammer DSync utility. For help troubleshooting, see KB: "Unexpected login failure" when you start the Yammer Directory Sync utility.

Deprecation schedule for Yammer SSO and DSync

Yammer SSO and DSync are now deprecated tools. Yammer networks that currently use Yammer SSO will need to transition to using Office 365 sign-in for Yammer. Networks using Yammer DSync will need to transition to using Azure Active Directory synchronization.

Important dates for this deprecation:

  • November 18, 2015:    Announcement to deprecate Yammer SSO and Yammer DSync tools.

  • April 1st, 2016:   Yammer networks will not be allowed to set up new configurations or make significant changes to configurations of SSO or DSync.

  • December 1st, 2016:   Yammer SSO and DSync will stop working.

After December 1st, 2016, if you do nothing, the following changes will take place:

  • Yammer SSO:   Yammer single sign-on will stop working. The network will start using Office 365 identity (if the network is associated with an Office 365 tenant) or Yammer identity (username and password sign-in).

  • Yammer DSync:   Yammer directory synchronization will stop working. No further changes to your on-premises Active Directory will be reflected in Yammer.

Yammer SSO scenarios and their replacement

If you are currently using Yammer SSO for specific scenarios or behaviors, you can transition to new methods to continue with similar functionality. The following table lists these scenarios or behaviors and the replacement for that behavior.

Yammer SSO scenario

Replacement

Login:    All network users are redirected to login with Active Directory Federation Services (AD FS). Users without Active Directory Federation Services (AD FS) credentials cannot login.

Use the Enforce Office 365 identity switch to make your network only allow Office 365/Azure Active Directory logins, then configure Office 365 federated identity. See Understanding Office 365 Identity and Azure Active Directory.

Login:    Network permalink and deep links take the user to authenticate with their Active Directory Federation Services (AD FS) provider

Set your network to use the Enforce Office 365 identity switch to align with this behavior.

Note: When Office 365 sign-in is enforced on a tenant with ADFS configured, the login redirection will send the user to the Office 365 login page, which might require the user to type their login email address before being redirected to their company's ADFS. This is required the first time a user logs into a given computer. Further logins will remember their email and redirect correctly, unless cookies are cleared or removed from the computer.

Login:    Users without email

Users without email can log in using their Office 365 credentials, with their user principal name (UPN) instead of their account name.

Signup:    Users trying to sign-up into the Yammer networks get redirected to login with their Active Directory Federation Services (AD FS) provider.

Set your network to use the Enforce Office 365 identity switch to match this behavior.

Block users:    Rules can be configured at the Active Directory Federation Services (AD FS) level to restrict certain users from accessing Yammer via SSO.

Restricting user access:   Yammer supports per-user licensing at the Azure Active Directory level, using the same licensing mechanisms supported today for other workloads, like SharePoint and Exchange. As an Office 365 administrator, you can use the Yammer license checkbox for any user to control their access to the Yammer service. More details on how to restrict access can be found here: Manage Yammer user licenses in Office 365.

Networks not connected to Office 365 tenants:    Networks can be connected to Office 365 tenants, but Yammer SSO also works in tenants not connected to Office 365.

You must activate your Yammer network through Office 365. As of December 1st, 2016, networks not associated with an Office 365 tenant will only support legacy Yammer identity (log in with email and password).

Yammer DSync scenarios and their replacement

If you are currently using Yammer DSync for specific scenarios or behaviors, you can transition to new methods to continue with similar functionality. The following table lists these scenarios or behaviors and the replacement for that behavior.

Yammer DSync scenario

Replacement

Provisioning:    Users get bulk-created in Yammer by the Yammer DSync tool. Then each user signs up to the Yammer services in a multi-step sign-up process.

Users get bulk-created in Office 365 by the Azure Active Directory Connect tool. Then each user accesses the Yammer service without the need for a separate sign-up process.

Mapping:   Yammer users are mapped to Active Directory via email addresses, but only primary email is synced into Yammer.

Users are mapped to an Office 365 user by using their primary email, proxy addresses and user principal name (UPN), in that order.

User property sync:    User property changes from on-premises Active Directory are synchronized to Yammer by the Yammer DSync tool. The field sync mapping is configurable.

User property changes from on-premises Active Directory get reflected in Azure Active Directory by the Azure Active Directory Connect tool. The field sync mapping is configurable - more information here: Changes to Synchronization Rules. All key properties from Azure Active Directory users will be synchronized with Yammer.

For more details, see Manage Yammer users across their life cycle from Office 365.

User lifecycle:    Users are suspended in Yammer when suspended or deleted in on-premises Active Directory.

The ability to Manage Yammer users across their life cycle from Office 365 is available today.

Notifications:    Admins have the possibility of creating a message that gets sent to users when the account is created for the first time in Yammer.

This functionality will not be supported.

Reports:    An admin can visit the network administration section to get a report of users in the network that were not originally created via sync.

This functionality will not be supported, and won't be needed because Office 365 and Azure Active Directory integration includes both login and sync, which ensures that a network marked for Enforce Office 365 identity only allows access to users within the Office 365 directory, and with Yammer licenses.

Networks not connected to Office 365:   Yammer DSync works in networks not connected to Office 365.

Networks not associated with Office 365 will not have support for directory synchronization.

How to transition to using Office 365 sign-in for Yammer and Azure Active Directory sync

Follow this process to transition from using Yammer SSO and Yammer DSync to using Office 365 sign-in for Yammer and Azure Active Directory sync.

Flowchart showing four steps to replace Yammer SSO and Yammer DSync with Office 365 sign-in for Yammer and Azure Active Directory Connect.
  1. Ensure that all the domains associated with your Yammer network are verified in your Office 365 tenant.

    If you have domains in Yammer that are not in Office 365, you will need to verify and add these domains to Office 365. This is a prerequisite for the next step. To see which domains are part of your Yammer network, go to the Network Admin section in Yammer and navigate to the Network Migration page. The first step of Network Migration lists the domains that are currently associated with the Yammer network and calls out which of those have already been added to the Office 365 tenant. To add more domains to Office 365, see Add a TXT or MX record for verification.

  2. Ensure that your Office 365 directory contains all of the users in your company.

    You can either use Azure Active Directory Connect to sync with your on-premises Active Directory or manually manage them. For more about Azure Active Directory Connect, see Integrating your on-premises identities with Azure Active Directory.

  3. Review your Azure Active Directory Connect, Office 365, and Active Directory Federation Services (AD FS) configuration and ensure that it meets your needs.

    Use the Azure Active Directory Connect tool to change settings as needed. For more information about sign-in options for Azure Active Directory Connect, see Custom installation of Azure AD Connect.

  4. Switch your Yammer network to Enforce Office 365 identity for authentication and management.

    You do not need to call support to switch from SSO to enforcing Office 365 identity; the Enforce Office 365 identity switch overrides any SSO configuration.
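
Before flipping the switch in step 4, it helps to know which accounts would be left without a usable identity. The following is an added example, not part of the original article or any Microsoft tooling: an offline check over constructed exports that applies the mapping order from the DSync table (primary email, proxy addresses, UPN) and the domain check from step 1. The field names and sample data are assumptions, as is the reading that each mapping stage is tried across the whole directory before the next.

```python
# Added example: offline readiness check. All data below is constructed and
# the field names (upn, mail, proxy_addresses, yammer_licensed) are hypothetical.
DIRECTORY = [
    {"upn": "alice@contoso.example", "mail": "alice@contoso.example",
     "proxy_addresses": ["SMTP:alice@contoso.example", "smtp:a.smith@fabrikam.example"],
     "yammer_licensed": True},
    {"upn": "bob@contoso.example", "mail": None, "proxy_addresses": [],
     "yammer_licensed": False},
]
YAMMER_DOMAINS = ["contoso.example", "fabrikam.example", "legacy.example"]
VERIFIED_DOMAINS = ["contoso.example", "fabrikam.example"]
YAMMER_EMAILS = ["alice@contoso.example", "a.smith@fabrikam.example",
                 "bob@contoso.example", "carol@legacy.example"]

def normalize(address):
    """Lower-case an address and drop a proxyAddresses prefix such as 'SMTP:'."""
    addr = address.strip().lower()
    return addr.split(":", 1)[1] if ":" in addr else addr

def map_user(yammer_email, directory):
    """Match in the order the article gives: primary email, proxy addresses, UPN."""
    target = normalize(yammer_email)
    stages = (
        ("primary_email", lambda u: [u.get("mail")]),
        ("proxy_address", lambda u: u.get("proxy_addresses", [])),
        ("upn", lambda u: [u["upn"]]),
    )
    for label, values in stages:
        for user in directory:
            if target in {normalize(v) for v in values(user) if v}:
                return user, label
    return None, None

def readiness_report(yammer_domains, verified_domains, yammer_emails, directory):
    verified = {d.lower() for d in verified_domains}
    report = {"unverified_domains": sorted(
                  d.lower() for d in yammer_domains if d.lower() not in verified),
              "mapped": {}, "unmapped": [], "unlicensed": []}
    for email in yammer_emails:
        user, how = map_user(email, directory)
        if user is None:
            report["unmapped"].append(email)   # no directory identity to sign in with
            continue
        report["mapped"][email] = (user["upn"], how)
        if not user["yammer_licensed"]:
            report["unlicensed"].append(email)  # mapped, but no Yammer license
    return report

if __name__ == "__main__":
    print(readiness_report(YAMMER_DOMAINS, VERIFIED_DOMAINS, YAMMER_EMAILS, DIRECTORY))
```

Accounts in `unmapped` or `unlicensed` are the ones that lose access once Office 365 identity is enforced, so review both lists against who is actually meant to keep Yammer access.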

Related Topics

Yammer SSO and DSync deprecation - FAQ
Understanding Office 365 Identity and Azure Active Directory
Manage Yammer users across their life cycle from Office 365
Enforce Office 365 identity for Yammer users
