(2014-10-08) Setting Up Yammer DirSync
Posted by Jorge on 2014-10-08
If you use Yammer and you care about provisioning, but also about deprovisioning, you need to implement some kind of directory synchronization between your on-premises AD and the YAMMER.COM cloud system. The next question is: "How can you do that?"
If you are already using Azure AD/Office 365, you may already be using a directory synchronization tool such as the Directory Synchronization Tool (DirSync), Azure Active Directory Sync Services (AADSync) or even Forefront Identity Manager (FIM) to provision and deprovision Azure AD/Office 365 accounts that can be used in Exchange Online, Lync Online and SharePoint Online. So would you be able to use Azure AD/Office 365 accounts in Yammer? Well, no. If you have linked your Yammer tenant to your Azure AD/Office 365 tenant, then every Office 365 account automatically gets a Yammer license, and with that Office 365 is able to map existing Office 365 accounts to existing Yammer accounts. Nothing more, nothing less. So, how can you get directory synchronization between your on-premises AD and Yammer? You will have to implement the Yammer Directory Sync Service (DSync) to provision and deprovision (suspend) accounts into/from Yammer.
So, if you are using Office 365 and Yammer, you need to implement 2 different directory synchronization products, one for Azure AD/Office 365 and one for Yammer. Keep in mind that when you have used DSync to enable directory synchronization, Yammer shows this under Admin –> User Management –> Directory Integration, where you will see the following:
Figure 1: Directory Sync Being Enabled In Yammer
–
When using DSync you can also configure an e-mail invitation for new users when these are added to Yammer through DSync as you can see below.
Figure 2: E-mail Invitation
–
Now remember that when you are using Office 365 (Exchange Online) and Yammer at the same time, where a user’s mailbox is in Office 365, make sure to provision the mailbox first before provisioning the Yammer account so that you are certain the Yammer e-mail invitation reaches the user!
–
More info about directory synchronization between your on-premises AD and Azure AD/Office 365 or Yammer can be found through the following links:
- (2014-09-16) Azure Active Directory Sync Services Has Reached General Availability
- (2014-09-23) Upgrading Azure AD Sync From The Beta Version To RTM
- Simplified login to Yammer from Office 365
- Setting up Yammer Directory Sync With Office365
- Deploy Office 365 Directory Synchronization in Microsoft Azure
- Synchronize and authenticate users from your on-premises Active Directory to Yammer and Office 365
- Yammer – DirSync or AD FS (SSO) or Both?
- Yammer DSync != Office 365 DirSync
- Yammer Integrations
–
Now, let’s install Yammer DSync. The Yammer Directory Sync tool should be installed on a Windows Server that is on the internal network, and not in the DMZ network. The Yammer Directory Sync tool requires an outbound connection to YAMMER.COM and an inbound connection from every AD forest from which you need to synchronize identities. Keeping that in mind, you need to set up a Yammer service account and an AD service account for every connected AD forest. You also need to make sure the required ports are open. See the documentation and blog posts above to get that info.
–
Double-click the latest Yammer DSync MSI. By default the install folder on an x64 server is: "C:\Program Files (x86)\Yammer\Directory Sync\"
Figure 3: Yammer Installation Folder
–
Right after the installation finishes you will see the following screen. At the top enter the Yammer service account credentials and configure the proxy settings as needed. Either use a direct outbound connection or use an authenticated or unauthenticated proxied connection. After doing that, the [Login] button becomes available; click it to validate the Yammer credentials and access to the Yammer network.
Figure 4: Yammer Directory Sync Setup – Yammer Settings
–
If you get to the next screen, that means the Yammer service account credentials and the proxy settings are correct. This will allow you to set up the connection to the first AD forest. As a hostname either provide the FQDN of a DC or the FQDN of the AD domain. If you choose the FQDN of a DC, you are fully dependent on that single DC. If you choose the FQDN of the AD domain, by default all RWDCs in the AD domain are a source candidate for the Yammer Directory Sync tool. This will not be the case if you have configured branch RWDCs not to register that mnemonic (the host record for the AD domain for non-SRV aware clients) (also see: (2011-09-11) Service (SRV) Locator Records Registered By Windows Domain Controllers). In general only central RWDCs should register that mnemonic. For the connection service account, you can either use the so-called "service user", which is the user account of the "Yammer Directory Sync v3.0" service (by default "Network Service"), or you can use a custom AD service user account. After doing that, the [Login] button becomes available; click it to validate the AD credentials for that AD domain/forest.
To be able to connect to a DC, you need at least the ports TCP:389 (LDAP) and TCP:3268 (GC) to be opened between the DirSync server and the targeted DC. To make the connection faster, you would also need to open TCP:88 (Kerberos).
Figure 5: AD Connection Settings For The First AD Domain/Forest
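A pre-check for the hostname and port requirements described above, as an added example that is not part of the original post: it resolves the hostname you plan to enter (DC FQDN or AD domain FQDN) and tests TCP 389, 3268 and 88 against every IPv4 address returned, so you can see which DCs the tool could end up on and whether each one is reachable. The function names are hypothetical; run it from the server that hosts the Yammer Directory Sync tool.

```powershell
# Added example, not from the original post.
# Test-DcPort and Test-DSyncAdConnectivity are hypothetical helper names.

function Test-DcPort {
    param([string]$Address, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Asynchronous connect so a filtered port fails after $TimeoutMs
        # instead of hanging for the full OS timeout.
        $async = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)   # throws if the port actively refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-DSyncAdConnectivity {
    param(
        [Parameter(Mandatory)][string]$HostName,
        # Ports named in the post: LDAP, GC, Kerberos.
        [int[]]$Ports = @(389, 3268, 88)
    )
    # A domain FQDN returns one address per DC that registers the domain
    # host record; a DC FQDN returns only that DC. IPv4 only in this sketch.
    $addresses = [System.Net.Dns]::GetHostAddresses($HostName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    foreach ($ip in $addresses) {
        foreach ($port in $Ports) {
            [pscustomobject]@{
                HostName = $HostName
                Address  = $ip.IPAddressToString
                Port     = $port
                Open     = Test-DcPort -Address $ip.IPAddressToString -Port $port
            }
        }
    }
}

# ADCORP.LAB and PARTNER.LAN are the two AD domains/forests used in this post.
'ADCORP.LAB', 'PARTNER.LAN' |
    ForEach-Object { Test-DSyncAdConnectivity -HostName $_ } |
    Format-Table -AutoSize
```

If the domain FQDN returns addresses of branch DCs, or any row shows Open as False, fix the host record registration or the firewall rules before entering that hostname in the setup.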
–
If you get to the next screen, that means the hostname and AD credentials are correct. You will now have the possibility to add connections for other AD domains/forests.
Figure 6: One AD Domain/Forest Added – The Possibility To Connect Additional AD Domains/Forests
–
In this case I wanted to add an additional AD domain/forest as you can see below. The same logic applies as when providing connection settings for the first AD domain/forest. After doing that, the [Login] button becomes available; click it to validate the AD credentials for that AD domain/forest.
Figure 7: AD Connection Settings For An Additional AD Domain/Forest
–
If you get to the next screen, that means the hostname and AD credentials are correct. You will now have the possibility to add connections for other AD domains/forests.
Figure 8: Two AD Domain/Forest Added – The Possibility To Connect Additional AD Domains/Forests
–
When done adding AD domains/forests, click the [Validate] button on the left and you will get to the next screen.
Figure 9: Starting Validation – Importing Data From The Connected AD Domains/Forests
–
If you continue by clicking the [Start Validation] button, the Yammer Directory Sync tool will import ALL USERS from all configured AD domains/forests. If you want to scope specific OUs only, you should stop the Yammer Directory Sync setup by clicking the red cross in the upper right corner. Even if you do not want to scope users at OU level, you must still stop the Yammer Directory Sync setup by clicking the red cross in the upper right corner, as otherwise you might go nuts trying to start synchronization at a later stage. Therefore, now stop the Yammer Directory Sync setup.
–
The Yammer Directory Sync configuration by default is stored in the folder "C:\ProgramData\Yammer\DirSync". You can also find that out yourself by right-clicking the Yammer icon in the tray area and selecting "About".
Figure 10: Accessing The Yammer Advanced Configuration
–
Now click on the [Advanced Configuration] button.
Figure 11: Accessing The Yammer Advanced Configuration
–
This will open the folder "C:\ProgramData\Yammer\DirSync" where the Yammer Directory Sync configuration is stored, including log files. The file "globalsettings.config.json" holds the complete Yammer Directory Sync configuration.
For the ADCORP.LAB AD domain/forest I just specified the source OU:
Figure 12: Specifying A Source OU For The ADCORP.LAB AD Domain/Forest
–
For the PARTNER.LAN AD domain/forest I just specified the source OU:
Figure 13: Specifying A Source OU For The PARTNER.LAN AD Domain/Forest
–
If you need to modify the filter, or specify additional OUs, check the Yammer Directory Sync Advanced Configuration Guide first.
–
Now in the file "globalsettings.config.json" search for (without the quotes) "EmailNotificationSettings". By default you will find the following.
Figure 14: Default E-mail Notification Settings
–
As you can see, the default "FromAddress" may not match the from address you want/need to use. If your e-mail system only accepts authentication from accounts with valid mailboxes, you cannot use the default "FromAddress". To be able to send mails/notifications you need to change the "FromAddress". Now change it to a value that will be accepted by your e-mail system and save the file "globalsettings.config.json".
Now re-open the Yammer Directory Sync setup by right-clicking the Yammer icon in the tray area and selecting "Open".
Figure 15: Re-opening The Yammer Directory Sync Setup
–
When everything is correct you will go right away to the validation page.
Figure 16: Starting Validation – Importing Data From The Connected AD Domains/Forests
–
Click the [Start Validation] button and you will see something similar to:
Figure 17: Validation Result Of The Yammer Directory Sync Tool
–
When the validation is done you can click the [Sync] button on the left and you will get to the next screen. The following e-mail settings are used when the Yammer Directory Sync tool encounters issues.
Figure 18: Configuring The E-mail Settings
–
In the server field enter the SMTP server of your e-mail system. If you are using Office 365, then enter "smtp.office365.com".
In the port field enter the SMTP port of your e-mail system. If you are using Office 365, then enter "587".
If your e-mail system requires SSL, then check it.
Enter the credentials (username and password) of the account to connect to the e-mail system.
Enter the e-mail address of one or more recipients eligible to receive test notifications.
As a final test, click the [Send Test Email] button.
If everything is OK, then you will see the following:
Figure 19: Successful Configuration Of The E-mail Settings
–
Now click the [Apply] button and you will see something similar to:
Figure 20: Enabling The Yammer Directory Sync
–
Finish it by clicking the [Enable Sync] button and you will see something similar to:
Figure 21: Finished Configuration Of The Yammer Directory Sync Tool
–
Close the window by clicking the red cross in the upper right corner. You’re done!
–
Cheers,
Jorge
benwaynet said
Can’t Azure Active Directory sync Yammer yet? If you have DirSync set up for your O365, you’re using WAAD on the backend.
Jorge said
Nope. AADSync is for Azure AD only. For Yammer currently you still need Yammer DSync.
benwaynet said
Thanks 😦