Slide1
Slide2
Yammer Identity and User Management
Martina Grom
OFC-B349
Slide3
Ask The Experts
Following this session at 18:30 in Hall 5
Meet with Microsoft Product Experts
Snacks and Beverages Served
Key and floorplan
EM: Enterprise Mobility
OFC: Office 365
WIN: Windows
DBI: Data Platform and Business Intelligence
CDP: Cloud and Datacenter Platform
TWC: Trustworthy Computing
DEV: Developer Platform and Tools
AZR: Microsoft Azure
Slide4
About Me
Martina Grom
Office 365 MVP
Working on:
The Cloud
Office 365 Deployments
Enterprise Social Engagements
Contact
Twitter: @magrom
E-Mail: mg@atwork.at
Blog: http://blog.atwork.at
Facebook: https://www.facebook.com/groups/cloudusergroup/
Slide5
Agenda
Identity Management
Yammer User and network internals
Single Sign On
User provisioning with Yammer Directory Sync
Yammer Directory Sync
Yammer Audit Users
Best practices
Wrap up
Slide6
Identity Management
Slide7
Identity Management
Starts normally with *a lot of* identities
Is always a challenge
Which Identity to use when
Organizational Identity
Microsoft Identity
Yammer Identity
Active Directory
Own IDM
Slide8
Yammer Identity management
Important when you launch Yammer Enterprise
Create an engaged and trusted community
Decide about User Profile Syncs
Various User and Admin Roles
Slide9
Yammer Roles simply explained
User
  Creates messages, uploads files, shares and likes messages.
  Creates Polls, Praises
  Instant Messaging
  Delete own items
  Create Notes
  Invite other users
Group Admin
  Same as user and
  Creates groups
  Post announcements in own groups
  Set Group settings (name, picture, description)
  Member Management within Group
  Content Moderation
  Mark Notes and Files as Official within group
  Control membership within group
Network Admin
  Same as user and group admin and
  Configure network settings, applications
  Configure network design
  Configure usage policy behavior
  Configure user profile fields
  Invite anyone (also external guests)
  See all groups (also unlisted)
  Delete any message
  Post announcements
  Grant and revoke Network Admin privileges
  Remove or block users
Verified Admin
  Same as user, group admin and Network Admin and
  Manage user account activity
  Bulk update users
  Perform integrations
  Monitor keywords
  Set data retention policy
  Export data
  Configure settings
  Access to all groups
  Export content
  Is an Office 365 Global Admin (Provisioned by default)
Slide10
Engagement
An engaged user is “anyone who purposefully uses Yammer within a given time period”
Engagement needs to occur across silos to achieve success
Users engage more when it’s simple, and the environment is trusted
Compliance
Driven by the external environment, and the internal organization
About keeping bad guys out while enabling employees, contractors, and agents
Primary Outputs
Slide11
DirSync or SSO, or both?
Directory Sync
Single Sign-On
Sweet spot
Provisioning
Authentication
Slide12
Users and Networks
Slide13
External Network Collaboration
Yammer Networks
Networks are private and secure
Networks are containers for users and groups
Only users with a corporate email address can join
External networks operate independently of email domain
contoso.com
Customer Network
Marketing
R&D Partnerships
Alumni
fabricam.com
Press and Media
Contoso and Fabricam Collaboration
Guest Collaboration
Slide14
Understanding Yammer Users
Always belong to a home (canonical) network
Sometimes users are also members of an external network
Guests get direct access to other home networks
Exist in a limited number of states during lifetime
Pending
Active
Suspended
Deleted
Slide15
User profiles
User confirms email, enters name, chooses a password, uploads a photo, and selects some groups.
An initial engagement point for end users
Limited administrator controls
Users have control over the values that appear in their profile
Slide16
Mass updates to user profiles
Available to verified administrators in Yammer
Profiles can be created with a default password
Bulk update
Yammer User API
Requires code, but allows integration with other identity systems
Slide17
Demo
Slide18
Single Sign On
Slide19
SSO benefits
The same credentials used in the enterprise are used by Yammer
Makes multi-factor authentication a possibility
Federation
User convenience
A single set of credentials to remember
One identity
Slide20
Expected, but absent
Yammer delegates this responsibility to Directory Sync
Attribute exchange
WS-Federation
SAML is the supported protocol
ADFS, Azure AD, and many other identity providers support this standard
Slide21
No self-service
If you have a SAML 2.0 Identity Provider then configuration is pretty straightforward
Tests happen against your Yammer network at a scheduled time
Deployment process
Slide22
These are kiosk workers who may not have email, but often have mobile devices
Using SSO it is possible to enable “Users Without Emails” (UWE) mode
Mixed mode is possible in the same network
Only some identity providers (IdPs) support this configuration
Frontline workers
Slide23
Applications and SSO
Yammer Embed is SSO-aware and will redirect users
Mobile applications support SSO using an in-app web browser
Legacy apps require a temporary password available from the App Directory after authentication
Developers should specify the network permalink to kick off SSO flow when authorizing an app
Slide24
Yammer SSO, O365
Slide25
Create a Yammer Service Principal for SSO
http://blogs.technet.com/b/speschka/archive/2014/01/08/using-azure-active-directory-for-single-sign-on-with-yammer.aspx
Slide26
Slide27
Demo
Slide28
User provisioning with Yammer Directory Sync
Slide29
Core Functions
Custom invite and welcome emails
Adds and invitations
Prepopulate user profile fields
Overwrite upon update to AD
Profile updates
Suspend users when they are disabled or deleted in AD
Suspensions
Slide30
Expected, but absent
Not a good fit for a social scenario where users are empowered to create groups that fit with their workflow
Group synchronization
User profile lockdown
Users are always identifiable
AD is optimal for the pre-population of fields
Default settings respect values users have entered in Yammer
Slide31
Installs on a single server
No database required
AD and LDAP expertise required to configure custom filters (queries)
First sync sends all data, subsequent syncs are incremental
Deploying Directory Sync
Slide32
Yammer Directory Sync
Slide33
Custom queries
Keep it simple
Start by querying for emails belonging to just your domains
Filters are automatically added for objectCategory and objectClass
Difficult to exclude users
// A good start
mail=*@contoso.com
// Multiple domains, merged network (OR: a user's mail value matches only one of the domains)
(|(mail=*@contoso.com)(mail=*@contoso.co.uk))
// Redundant query
(&(objectCategory=person)(objectClass=user)(mail=*))
// Is this replicated in AD?
(&(mail=*@contoso.com)(!(customAttribute=E)))
Slide34
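How the custom query filters above select users, as an added example that is not part of the original slides and not Directory Sync code. It evaluates the filter subset shown on the slide against constructed directory entries, with negation written in RFC 4515 form `(!(...))`; the entries and function names are assumptions.

```python
# Added example, not Directory Sync code: evaluates the LDAP filter subset
# used on the slide ((&...), (|...), (!...), attr=value with '*' wildcards).
import re

# Constructed directory entries; attribute names are lower-cased keys.
DIRECTORY = [
    {"cn": ["alice"], "mail": ["alice@contoso.com"]},
    {"cn": ["bob"], "mail": ["bob@contoso.co.uk"]},
    {"cn": ["carol"], "mail": ["carol@contoso.com"], "customattribute": ["E"]},
    {"cn": ["dave"], "mail": ["dave@partner.example"]},
    {"cn": ["svc-backup"]},  # service account without a mailbox
]

def parse(text, i=0):
    """Parse the parenthesised filter starting at text[i]; return (node, next index)."""
    if text[i] != "(":
        raise ValueError("filter must start with '(' at offset %d" % i)
    i += 1
    if text[i] in "&|!":
        op, children = text[i], []
        i += 1
        while text[i] == "(":
            child, i = parse(text, i)
            children.append(child)
        if not children or text[i] != ")":
            raise ValueError("malformed %s clause" % op)
        return (op, children), i + 1
    end = text.index(")", i)
    attr, pattern = text[i:end].split("=", 1)
    return ("=", attr.lower(), pattern), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    if node[0] == "&":
        return all(matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry) for c in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.I) for v in entry.get(attr, []))

def select(filter_text, entries=DIRECTORY):
    """Return the cn of every entry the filter would hand to the sync."""
    node, _ = parse(filter_text)
    return [e["cn"][0] for e in entries if matches(node, e)]
```

An AND of two mail domains selects nobody, and a negated attribute test also selects every entry that lacks the attribute, which is one reason exclusions are hard to get right.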
Incremental syncs
USN-Changed is captured for each query after a successful sync
These values are used for subsequent LDAP queries
Removing the incremental query cursor file forces a full sync
{
  "35ac4db9-c0ab-4cab-8cc6-6276ef3a7931": { "PropertyName": "usnchanged", "LastValue": 270047611 },
  "f7d21d81-87c8-4c11-9f06-6dc095f881cf": { "PropertyName": "usnchanged", "LastValue": 269749469 },
  "371eff67-0ce8-4e1e-bba3-c7a98982552a": { "PropertyName": "usnchanged", "LastValue": 279149469 },
  "ec7829ef-a25c-47e8-8ff4-f0d6552b6a74": { "PropertyName": "usnchanged", "LastValue": 270849469 }
}
Slide35
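The cursor mechanics described above, as an added example that is not part of the original slides and not Directory Sync code. It reads a cursor in the slide's layout and shows why a cursor recorded against one domain controller misses a disabled account when replayed against another, the case where removing the cursor file to force a full sync is the fix. The filter text, function names and sample objects are assumptions.

```python
# Added example, not Directory Sync code. The cursor layout follows the slide;
# the filter text and the sample objects are assumptions made for illustration.
import json

# Constructed cursor file with one query, using an id and value from the slide.
CURSOR_FILE = """{
  "35ac4db9-c0ab-4cab-8cc6-6276ef3a7931":
    {"PropertyName": "usnchanged", "LastValue": 270047611}
}"""

# Constructed objects as seen on the domain controller the cursor was taken from.
DC1 = [
    {"mail": "alice@contoso.com", "usn": 270047000, "disabled": False},
    {"mail": "bob@contoso.com", "usn": 270047650, "disabled": True},  # disabled since last sync
]
# The same objects on another DC: uSNChanged is a per-DC counter, not replicated.
DC2 = [
    {"mail": "alice@contoso.com", "usn": 198000100, "disabled": False},
    {"mail": "bob@contoso.com", "usn": 198000950, "disabled": True},
]

def load_cursor(text, query_id):
    """Return the stored high-water mark, or None when the file or entry is gone."""
    if not text:
        return None
    entry = json.loads(text).get(query_id)
    return int(entry["LastValue"]) if entry else None

def incremental_filter(base_filter, last_usn):
    """No cursor means a full sync; otherwise ask only for newer changes."""
    if last_usn is None:
        return base_filter
    return "(&%s(uSNChanged>=%d))" % (base_filter, last_usn + 1)

def changed_since(entries, last_usn):
    """Objects an incremental query would return from the given DC."""
    return [e["mail"] for e in entries if last_usn is None or e["usn"] > last_usn]

def pending_suspensions(entries, last_usn):
    """Disabled accounts the next sync would see and could suspend in Yammer."""
    picked = set(changed_since(entries, last_usn))
    return [e["mail"] for e in entries if e["disabled"] and e["mail"] in picked]
```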
Configuration and log files
Located at %programdata%\Yammer\DirSync
File: Purpose
globalsettings.config.json: Main settings file for Directory Sync
lastvalidation.json: Output from the last validation
incrementalquerycursors.config.json: Stores cursor position for incremental syncs
service.log: Log for the Windows Service
ui.log: Log for the User Interface
Service and UI executable configuration files in %programfiles(x86)%\Yammer\Directory Sync allow you to control log output settings.
Slide36
Demo
Slide37
Yammer Audit Users
Slide38
Different Scenarios
Active users from Basic Network
Yammer DirSync does not run regularly
LDAP filter is too specific
Slide39
Demo
Slide40
Best Practices
Slide41
Planning
Will disturb few workers
An opportunity to give a better first experience with SSO
New Network
Established Network
Always start with SSO
Implement Directory Sync in suspend-only mode initially
Enable adds and updates later
Slide42
Best practices for SSO
Support mobile devices
Ensure your identity provider supports failover
Involve a (friendly) range of users in testing
Test from inside and outside your network
Communicate with your users
Email mismatches between Yammer and the SAML assertion can happen. This can be detected and fixed ahead of time.
Slide43
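One way to run the check behind the "Different Scenarios" audit slide and the email-mismatch best practice above, as an added example that is not part of the original slides and not a Yammer tool. It compares active Yammer users with a directory extract; the field names, the sample rows and the choice of `mail` as the attribute sent in the SAML assertion are assumptions.

```python
# Added example, not a Yammer tool. Field names and sample rows are constructed;
# "mail" is assumed to be the attribute the identity provider asserts.

# Constructed rows standing in for a Yammer user export.
YAMMER_USERS = [
    {"email": "alice@contoso.com", "state": "active"},
    {"email": "John.Smith@contoso.com", "state": "active"},
    {"email": "bob@contoso.com", "state": "active"},
    {"email": "erin@contoso.com", "state": "active"},
    {"email": "old@contoso.com", "state": "suspended"},
]
# Constructed rows standing in for an Active Directory extract.
AD_USERS = [
    {"mail": "alice@contoso.com", "aliases": [], "enabled": True},
    {"mail": "j.smith@contoso.com", "aliases": ["john.smith@contoso.com"], "enabled": True},
    {"mail": "bob@contoso.com", "aliases": [], "enabled": False},
]

def audit(yammer_users, ad_users):
    """Compare active Yammer users with the directory.

    orphaned:     active in Yammer, but no enabled directory account owns the address
    sso_mismatch: directory account exists, but its asserted mail differs from Yammer's
    """
    owner = {}
    for user in ad_users:
        for address in [user["mail"], *user["aliases"]]:
            owner[address.lower()] = user
    report = {"orphaned": [], "sso_mismatch": []}
    for row in yammer_users:
        if row["state"] != "active":
            continue  # only active accounts are audited here
        email = row["email"].lower()
        account = owner.get(email)
        if account is None or not account["enabled"]:
            report["orphaned"].append(email)
        elif account["mail"].lower() != email:
            report["sso_mismatch"].append((email, account["mail"].lower()))
    return report
```

Entries under `orphaned` are candidates for review and suspension; entries under `sso_mismatch` are accounts whose Yammer address should be aligned with the asserted one before SSO is switched on.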
Best practices for Directory Sync
Become friends with your Active Directory administrator(s)
Customize the activation and welcome emails
Understand and review the validation report
Include only users with email addresses matching your domain(s)
Prepare for DR with a standby instance
Understand attribute mappings and preferences, and how these will impact your Yammer Network
Document configuration for transition to BAU
Slide44
Wrap up
Slide45
Identity futures
Users can access Yammer from O365 without logging into Yammer
Simplified login
Users can more easily move between Yammer and O365
O365 Navigation
Being looked at, but this is a long term item
Yammer Directory Sync replacement
Slide46
Recommendations
Decide about the best SSO option
Implement Yammer SSO and Directory Sync
Go with SSO before Directory Sync*
Use a simple Directory Sync configuration
Merge in front to avoid operating multiple Yammer networks.
Follow the Yammer Release Schedule for identity updates
Slide47
Documentation
Single Sign-On
http://success.yammer.com/integrations/single-sign-on/
Directory Sync
http://success.yammer.com/integrations/directory-sync/
Slide48
“Knowledge increases by sharing – so pass it on.”
Slide49
Breakout Sessions
OFC-B223 The Microsoft Roadmap for Enterprise Social – Tuesday @17:00 (8.0–D3)
OFC-B219 Introducing Delve and the Office Graph – Wednesday @8:30 (8.0–D1)
OFC-B342 Microsoft SharePoint Server 2013 on Premises and Yammer Deployment Guidance – Wednesday @15:15 (8.0–D3)
OFC-B349 Yammer Identity and User Management – Thursday @17:00 (8.0-E7)
Resources
Enterprise Social Resource Center http://enterprisesocial.com
Office 365 Customer Success Center http://success.office.com
Technical Resources http://aka.ms/yamtn
Office 365 Public Roadmap http://office.microsoft.com/roadmap
Enterprise Social Related content
Find Me Later at Ask the Experts and @magrom!
Slide50
#worklikeanetwork
1. Sign up and get started with Yammer www.yammer.com
2. Enterprise Social Resource Center http://enterprisesocial.com
3. Check out the Success Center http://success.office.com
Next Steps
Slide51
Technical Network
Join the conversation!
Share tips and best practices with other Office 365 experts
http://aka.ms/o365technetwork
Slide52
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
Developer Network
http://developer.microsoft.com
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
Slide53
[Diagram: Office 365 training and certification. Titles shown: Introduction to Office 365; Office 365 Fundamentals; Managing Office 365 Identities and Services; Managing Office 365 Identities and Requirements; Deploying Office 365 Services; Designing for Office 365 Infrastructure. Labels shown: Classroom training, Online training, Exams, MVA, FLC 40041, MOC 20346, MOC 10968, EXAM 346, EXAM 347.]
http://bit.ly/O365-Cert
http://bit.ly/O365-MVA
http://bit.ly/O365-Training
Get certified for 1/2 the price at TechEd Europe 2014!
http://bit.ly/TechEd-CertDeal
Slide54
TechEd Mobile app for session evaluations is currently offline
SUBMIT YOUR TECHED EVALUATIONS
Fill out an evaluation via
CommNet Station/PC: Schedule Builder
LogIn: europe.msteched.com/catalog
We value your feedback!
Slide55
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.