Improve Office 365 sign-in for Yammer with auto-acceleration policy
To improve the Office 365 sign-in experience for Yammer, use the Auto-acceleration policy to accelerate directly to the ADFS federated domain, bypassing the Office 365 login page.
Prerequisites
You must be a global administrator in Office 365 to run the PowerShell commands.
Download and install the Azure Active Directory V2 PowerShell module.
Open an administrative Azure AD PowerShell session and run the following commands:
Important
The Save-Module command will download the module from the Internet. You need a working internet connection on the computer where you are running these commands.
Save-Module -Name AzureAD -Path <path>
Install-Module -Name AzureAD
Enable policy
Run the following commands:
1. Connect to the tenant's Azure AD. This command will prompt you for credentials. Sign in using admin credentials.
Connect-AzureAD [-TenantId | -TenantDomain] <tenant name>
2. Check that no policy of the same name exists already.
Get-AzureADPolicy
3. Create a new policy:
If you have a single federated domain that will authenticate users for applications, set the HRD policy by running the following command:
New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`": {`"AccelerateToFederatedDomain`":true}}") -DisplayName BasicAutoAccelerationPolicy -Type HomeRealmDiscoveryPolicy
If you have multiple federated domains and have a preferred domain for your application against which users will authenticate, set the policy by running the following command:
New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFederatedDomain`":true,`"PreferredDomain`":`"contoso.com`"}}") -DisplayName BasicAutoAccelerationPolicy -Type HomeRealmDiscoveryPolicy
4. Note the ObjectId of the policy you've just created.
Get-AzureADPolicy
5. Note the ObjectId of the service principal for the Yammer application (redirect the output to a text file for easy searching). The AppDisplayName is "Office 365 Yammer", with an AppId of 00000005-0000-0ff1-ce00-000000000000.
Get-AzureADServicePrincipal -All $true | fl > output.txt

6. Finally, add the policy for the Yammer service.
Add-AzureADServicePrincipalPolicy -Id <ObjectId of the Service Principal copied from #5> -RefObjectId <ObjectId of the Policy copied from #4>
List of commands in order
These are the commands you must run to enable the policy. Run them one line at a time and review the output after each command:
Connect-AzureAD -TenantDomain <Tenant-Name>
Get-AzureADPolicy
$PolicyId = New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AccelerateToFederatedDomain`":true}}") -DisplayName BasicAutoAccelerationPolicyforYammer -Type HomeRealmDiscoveryPolicy
Get-AzureADPolicy
$yamObjectId = Get-AzureADServicePrincipal -All $true | ?{$_.AppDisplayName -eq 'Office 365 Yammer'}
Add-AzureADServicePrincipalPolicy -Id $yamObjectId.ObjectId -RefObjectId $PolicyId.Id
Note: Change the third command shown above if you have multiple federated domains.
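The same procedure as a re-runnable script, shown as an added example that is not part of the original page. It reuses an existing policy of the same name, stops if the Yammer service principal already carries a different home realm discovery policy, and lists the resulting assignment. The variable names and the use of Get-AzureADServicePrincipalPolicy and Remove-AzureADServicePrincipalPolicy for verification and rollback are choices made for this example; it assumes Connect-AzureAD has already been run and a single federated domain.

```powershell
# Added example, not from the original page. Assumes an existing Connect-AzureAD session.
$policyName = 'BasicAutoAccelerationPolicyforYammer'   # display name used on this page
$definition = '{"HomeRealmDiscoveryPolicy":{"AccelerateToFederatedDomain":true}}'

# Fail early if the policy definition is not valid JSON.
$null = $definition | ConvertFrom-Json -ErrorAction Stop

# Reuse an existing policy of the same name instead of creating a duplicate.
$policies = @(Get-AzureADPolicy | Where-Object {
    $_.Type -eq 'HomeRealmDiscoveryPolicy' -and $_.DisplayName -eq $policyName })
if ($policies.Count -gt 1) {
    throw "More than one policy named '$policyName' exists; review them before continuing."
}
if ($policies.Count -eq 0) {
    $policies = @(New-AzureADPolicy -Definition @($definition) `
        -DisplayName $policyName -Type HomeRealmDiscoveryPolicy)
}
$policy = $policies[0]

# Locate the Yammer service principal the same way the page does.
$yammer = @(Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.AppDisplayName -eq 'Office 365 Yammer' })
if ($yammer.Count -ne 1) {
    throw "Expected exactly one 'Office 365 Yammer' service principal, found $($yammer.Count)."
}
$sp = $yammer[0]

# Inspect what is already assigned before changing anything.
$assigned = @(Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId |
    Where-Object { $_.Type -eq 'HomeRealmDiscoveryPolicy' })
if ($assigned.Id -contains $policy.Id) {
    Write-Output "Policy '$policyName' is already assigned to Yammer."
} elseif ($assigned.Count -gt 0) {
    # Stop rather than stack a second HRD policy on the service principal.
    throw "A different HRD policy is already assigned: $($assigned.DisplayName -join ', ')"
} else {
    Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
}

# Verify the assignment.
Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId | Select-Object Id, DisplayName, Type

# Rollback, if the sign-in test fails:
# Remove-AzureADServicePrincipalPolicy -Id $sp.ObjectId -PolicyId $policy.Id
```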
Testing
In a new in-private browser session, sign in to Yammer with user credentials from the federated domain. Check that the sign-in flow skips the Azure AD page and goes straight to the ADFS sign-in page. If it does, success!
Scenarios
The following table summarizes the authorization flows for this policy.
| Login | Flow without policy | Flow with policy |
|---|---|---|
| Yammer.com | Email address > Azure AD login > ADFS login | Email address > ADFS login |
| Yammer.com/mycompany.com | Email address > Azure AD login > ADFS login | Email address > ADFS login |