Using MSAL with Yammer Groups API
Published Aug 17 2020 11:49 AM
Microsoft

Update: Oct 6, 2020

---

Thank you all for the feedback on this blog, and through other sources. Some customers and partners won’t be able to fully transition to using MSAL 2.0 because of the lack of Application Permissions in Azure Active Directory (AAD). This feature allows running an app in the background without requiring users to sign in.

As such, we’re removing the December 1 deadline for exclusive support of AAD tokens with the Groups API. The Groups API will continue to support both legacy Yammer OAuth tokens and AAD tokens until further notice.

We encourage using AAD tokens with Yammer where applicable (e.g. Single Page JS Application, Server Side Application). We will publish further updates here. Thank you.

---

Starting December 1, 2020, Yammer Groups API endpoints will only support the usage of Azure Active Directory (AAD) tokens. Yammer Groups API endpoints will no longer support the usage of Yammer OAuth tokens. Microsoft recommends that customers and partners transition to using Microsoft Authentication Library (MSAL) and AAD tokens with the Yammer API.

 

Last year, we announced Native Mode, which gets your network ready to experience Microsoft 365 integrations. Native Mode requires that all your users are created in AAD, all Groups are Microsoft 365 Connected, and all Yammer Files are stored in SharePoint Online. With the move to files in SharePoint, the Yammer Files API started requiring AAD tokens.

 

As Yammer continues its journey to integrate into the Microsoft 365 ecosystem, there will be even more shared Yammer experiences across Microsoft 365, such as with Teams, Outlook, and other applications. All of these require using AAD tokens. Yammer's OAuth token cannot be accepted to conduct these operations. Over time all Yammer API endpoints will be changed to exclusively support AAD tokens.

 

Starting December 1, 2020, Yammer Group API endpoints that are used to Update and Delete Groups, and to manage Group Membership and Group Admins, will only support AAD tokens. Using Yammer OAuth tokens will result in a bad request response from the server. Create and Read operations will be supported with Yammer OAuth tokens; however, using AAD tokens for all API scenarios with Yammer is strongly recommended.

 

The change is applicable to the following documented Yammer Groups API endpoints:

And also applicable to undocumented Yammer Groups endpoints:

  • CreateGroup: POST /api/v1/groups(.:format)
  • UpdateGroup: PUT /api/v1/groups/:id(.:format)
  • DeleteGroup: DELETE /api/v1/groups/:id(.:format)
  • AddGroupMember: POST /api/v1/group_memberships(.:format)
  • RemoveGroupMember: DELETE /api/v1/group_memberships(.:format)
  • MakeAdmin: POST /api/v1/groups/:id/make_admin(.:format)
  • RevokeAdmin: POST /api/v1/groups/:id/revoke_admin(.:format)

Notes:

  • All Connected Yammer Groups (including Yammer networks in Native Mode) will require AAD tokens. Using the Yammer OAuth tokens will return a rejected response.
  • In non-Native Yammer networks, users without Group creation rights in AAD will be able to create unconnected Yammer Groups.

What should you do?

  1. Use MSAL to authenticate with Yammer: Microsoft recommends that customers and partners transition their apps to authenticate using the Microsoft Authentication Library (MSAL) to acquire AAD tokens from the Microsoft Identity Platform to operate with the Yammer API. MSAL is available for .NET, JavaScript, Android, and iOS, which support many different application architectures and platforms. Learn about MSAL here.
  2. Set up AAD Client Application: Follow these instructions to set up a client application and assign Delegated Yammer API Permissions to access Yammer APIs.

Notes:

  • Yammer supports Delegated Permissions in Azure Active Directory. This means that your application will access the Yammer API as the signed-in user. Application permissions are currently not supported by Yammer in Azure Active Directory.
  • Enabling user_impersonation allows the application to access the Yammer platform on behalf of the signed-in user.
  • External networks are not supported with MSAL 2.0.
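A pre-migration audit of the rules described above, as an added example (not code from the original post or from Microsoft): it takes the Groups API calls an app makes and the token it holds, and reports which calls the announced rules would reject. The function names, the expected audience value `https://api.yammer.com`, and the treatment of any non-JWT string as a legacy Yammer OAuth token are assumptions; the sample tokens are constructed.

```javascript
// Added example. Rules come from the post; token-shape checks are assumptions.
const YAMMER_AUD = "https://api.yammer.com"; // assumed audience of AAD tokens for Yammer

// Groups operations the post lists as AAD-token-only (Update, Delete, membership, admins).
const AAD_ONLY = [
  ["PUT", /^\/api\/v1\/groups\/[^/]+$/, "UpdateGroup"],
  ["DELETE", /^\/api\/v1\/groups\/[^/]+$/, "DeleteGroup"],
  ["POST", /^\/api\/v1\/group_memberships$/, "AddGroupMember"],
  ["DELETE", /^\/api\/v1\/group_memberships$/, "RemoveGroupMember"],
  ["POST", /^\/api\/v1\/groups\/[^/]+\/(make|revoke)_admin$/, "MakeAdmin/RevokeAdmin"],
];

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Decode claims for diagnostics only; the signature is NOT verified here.
function classifyToken(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return "legacy"; // opaque string: treated as Yammer OAuth
  let claims;
  try {
    const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
    claims = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  } catch { return "legacy"; }
  const aud = String(claims.aud || "").replace(/\/$/, "");
  const scopes = typeof claims.scp === "string" ? claims.scp.split(" ") : [];
  // Yammer supports delegated permissions only, so an app-only token (roles, no scp) fails.
  return aud === YAMMER_AUD && scopes.includes("user_impersonation") ? "aad-delegated" : "aad-unusable";
}

// calls: [{method, path}]; connected: true for connected groups / Native Mode networks.
function auditCalls(calls, token, connected = false) {
  const kind = classifyToken(token);
  return calls.map(({ method, path }) => {
    const clean = path.replace(/\.\w+$/, ""); // drop optional .json/.xml format suffix
    const hit = AAD_ONLY.find(([m, re]) => m === method.toUpperCase() && re.test(clean));
    const needsAad = connected || Boolean(hit);
    const ok = kind === "aad-delegated" || (kind === "legacy" && !needsAad);
    return { method, path, operation: hit ? hit[2] : "Create/Read or other", tokenKind: kind, ok };
  });
}

// Constructed sample tokens and calls (not real credentials).
const LEGACY = "1234-constructedLegacyTokenValue";
const fakeJwt = (claims) => [b64url({ alg: "none", typ: "JWT" }), b64url(claims), "sig"].join(".");
const DELEGATED = fakeJwt({ aud: YAMMER_AUD, scp: "user_impersonation" });
const APP_ONLY = fakeJwt({ aud: YAMMER_AUD, roles: ["Constructed.Role"] });
const CALLS = [{ method: "POST", path: "/api/v1/groups.json" },
  { method: "PUT", path: "/api/v1/groups/42.json" }, { method: "DELETE", path: "/api/v1/group_memberships.json" }];
```

Run `auditCalls(CALLS, LEGACY)` against an app's real call inventory to see which operations still depend on a legacy token; pass `true` as the third argument for connected groups or Native Mode networks.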

Application types:

  • Client-side Single-page JavaScript Application: If you are using a Single Page AAD App that uses the Implicit Grant Flow, then your AAD App will need to be mapped to its corresponding Yammer platform Application. Please provide details about your Yammer and AAD App through a request to Microsoft Support. This is required to ensure that your application is not affected by Cross-Origin Resource Sharing (CORS) permissions issues. Learn about CORS here.
  • Server-side application: Using the Microsoft identity platform implementation of OAuth 2.0, you can add sign-in and API access to your mobile and desktop apps. If you are running a server-side app that requires the usage of long-lived AAD tokens, then use the Microsoft Identity Platform OAuth 2.0 authorization code flow to acquire AAD Access Tokens, with a Refresh Token. This enables your app to request a new AAD access token without requiring any user interaction. Take a look at these sample apps that support MSAL 2.0.

Resources:  

We’re committed to working with the developer community in transitioning to the new world of AAD tokens! Please check out the resources below, post your questions/comments here, or email api@yammer.com.

Last update: May 04 2021 01:21 PM