Enforce Microsoft 365 identity for Viva Engage users

When Viva Engage becomes a core service for your organization, users need to sign in seamlessly like any other Microsoft 365 service.

To streamline user management, enforce Microsoft 365 identity in Viva Engage to maintain a single identity for all your users. It's easy to implement single sign-on (SSO) capabilities for Microsoft 365, including Viva Engage. Doing so also simplifies your users' experience signing in to Viva Engage and all their other apps.

SSO requires that Viva Engage admins configure the following capabilities:

How it works

The following flowchart shows what happens when a user signs in to Viva Engage.

[Flowchart: when Microsoft 365 identity is enforced, the user signs in with their Microsoft 365 identity.]

Here's an account of the user's sign-in experience:

  1. The user tries to sign in to Viva Engage, and gets a sign-in dialog box.

  2. The user enters their email address.

    • When you enforce Microsoft 365 identity, the user just signs in with their Microsoft 365 identity. If your Microsoft 365 tenant implements the federated identity model, the user uses SSO as they do for all other Microsoft 365 apps.

    • When Microsoft 365 identity isn't enforced, sign-in depends on whether the email address maps to a Microsoft 365 account, so not every user gets SSO:

      • If their email address corresponds to a Microsoft 365 account, they can sign in with their Microsoft 365 identity;
      • If their email address doesn't correspond to a Microsoft 365 account, they sign in with their Viva Engage identity.

The following table compares the user sign-in behavior when Microsoft 365 identity is enforced and when it isn't. By default, Microsoft 365 identity isn't enforced.

Is Microsoft 365 identity enforced? | Is the user's email address tied to a Microsoft 365 account? | What happens when the user signs in
Yes | Yes | The user is prompted to sign in with their Microsoft 365 identity.
Yes | No  | The user can't sign in; they're locked out of Viva Engage until they're given a Microsoft 365 identity.
No  | Yes | The user is prompted to sign in with their Microsoft 365 identity.
No  | No  | The user is prompted to sign in with their Viva Engage identity (email and password).

Microsoft 365 identity enforcement in Viva Engage

It's easy to start enforcing Microsoft 365 identities in Viva Engage. Enabling enforcement signs out all current users' sessions in Viva Engage. Before you take action, make sure your Engage users can continue working smoothly:

  • All current Viva Engage users must have a corresponding Microsoft 365 identity. When you enforce Microsoft 365 identities for Viva Engage, any user without that identity is locked out of Viva Engage. To verify this before you switch, go to the data export page in the Viva Engage admin center and export all users. Compare that list to the list of users in Microsoft 365 and make any needed changes (create the missing accounts, or remove stale Viva Engage users).
  • Tell your users about this change. Inform all your users that you're switching to Microsoft 365 identities, because it can disrupt their day-to-day usage of Viva Engage. See the following sample email for suggested text.
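The comparison in the first bullet is easy to get wrong by hand when a network has thousands of users. The following PowerShell script is an added example (not from this page or the FastTrack repository) that reads the users file from the Viva Engage data export and reports every address that has no enabled Microsoft 365 account in Entra ID. It assumes the unzipped export contains a users.csv with an "email" column (the file and column names are assumptions; check your export), and that the Microsoft Graph PowerShell SDK is installed. It matches against UPN, primary mail and proxy addresses, and it needs only the read-only User.Read.All scope.

```powershell
# Added example, not code from the page or the FastTrack repo.
# Lists Viva Engage users that would be locked out when Microsoft 365 identity
# is enforced: exported addresses with no enabled Entra ID account behind them.
# Assumptions: users.csv from the Viva Engage data export has an "email" column;
# Microsoft.Graph.Users is installed (Install-Module Microsoft.Graph.Users).
param(
    [Parameter(Mandatory)] [string] $EngageUsersCsv,   # path to users.csv from the export
    [string] $ReportPath = ".\engage-users-without-m365-identity.csv"
)

Import-Module Microsoft.Graph.Users

# Read-only scope: this check never modifies anything in the tenant.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

# Every address an enabled account can sign in with (UPN, mail, proxy addresses),
# plus the addresses of disabled accounts so the report can say why a user fails.
$enabled  = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
$disabled = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)

Get-MgUser -All -Property UserPrincipalName,Mail,ProxyAddresses,AccountEnabled |
    ForEach-Object {
        $target = if ($_.AccountEnabled) { $enabled } else { $disabled }
        if ($_.UserPrincipalName) { [void]$target.Add($_.UserPrincipalName) }
        if ($_.Mail)              { [void]$target.Add($_.Mail) }
        foreach ($p in $_.ProxyAddresses) {
            # proxyAddresses look like "SMTP:alice@contoso.com"; -replace is case-insensitive
            [void]$target.Add(($p -replace '^smtp:', ''))
        }
    }

$engageUsers = Import-Csv -Path $EngageUsersCsv
$problems = foreach ($u in $engageUsers) {
    $email = ([string]$u.email).Trim()
    if (-not $email) { continue }
    if ($enabled.Contains($email)) { continue }
    $reason = if ($disabled.Contains($email)) { 'M365 account disabled' } else { 'no M365 account' }
    [pscustomobject]@{ email = $email; reason = $reason }
}

"Viva Engage users in export    : $($engageUsers.Count)"
"Users that would be locked out : $(@($problems).Count)"
$problems | Export-Csv -Path $ReportPath -NoTypeInformation
"Report written to $ReportPath"
```

Run it as `.\Compare-EngageUsers.ps1 -EngageUsersCsv .\users.csv` after unzipping the export. Anything listed in the report needs a Microsoft 365 account (or a cleanup in Viva Engage) before you enable enforcement; an empty report is the go/no-go signal for the switch.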

Effects of Microsoft 365 identity enforcement in Viva Engage

Enforcing the requirement that every user holds an eligible Viva Engage license is irreversible.

To ensure access, assign either of the following service plans to each of your Viva Engage users:

  • Viva Engage Core (recommended)
  • Yammer Enterprise

For full details, see Manage Viva Engage Core user licenses in Microsoft 365.

Requirements

Use the following software tools and environment to work with Microsoft 365 identity enforcement:

  • The Global administrator role, which you need to sign in to Viva Engage. This role can perform all tasks described in this guide. See Manage admin roles in Viva Engage.

Note

Only users with the O365 tenant admin role (O365_Tenant_Admin, also called Global administrator) can enforce licenses with the License Enforcement PowerShell script described in the next section. Attempts to enforce without this role fail with an error.

Enforcement with a PowerShell script

The License Enforcement PowerShell script queries the current license state for all users and enforces user licenses on the network. You can find the script in the Microsoft FastTrack GitHub repository. The repo also offers additional information.

Important

The License Enforcement PowerShell script makes irreversible changes to the Viva Engage network. Before executing this script, ensure the correct licensing for all network users.

The REST API endpoint behind the script accepts only tokens belonging to a Global administrator (O365_Tenant_Admin); any other caller gets a 403 Forbidden response (see the output examples later in this article).

The PowerShell license enforcement script accepts two positional parameters:

Parameter | Details
action    | Either enforce_user_license or fetch_current_license_state.
token     | A valid Entra ID token for a user with the Global administrator (O365_Tenant_Admin) role.

Note

After you enable enforcement on a network, it can't be disabled.

Alternate method for getting an Entra ID token

To authenticate your identity and to authorize script actions, you need an Entra ID token. You can capture the token for the logged-in user, or you can register an application in Entra ID and get a token by following developer guidance. Since license enforcement is a one-time activity, we suggest capturing the token from your browser using the Developer Tools. Treat the copied token as a credential: it carries the Global administrator's permissions until it expires, so don't save it to a file, paste it into a shared session, or leave it in your shell history.

Take the following steps to get an Entra ID token from your browser that you can use with this script:

  1. As the Global administrator, go to https://engage.cloud.microsoft.com and sign in with your admin credentials.

  2. Right-click anywhere on the page and choose Inspect.

  3. Select the Network tab and filter requests using the graph keyword.

  4. Select any call and go to the Headers tab.

  5. Copy the token given in the Authorization request header. Don't include the Bearer prefix. Keep it for the next procedure.

[Screenshot: the Authorization request header, with the token value to copy, in the browser's Developer Tools.]

Run the PowerShell script

Take the following steps for a successful script run:

  1. Open a terminal window and go to the path where BlockUsersWithoutLicense.ps1 script resides.

  2. To fetch the current license enforcement state, use the following syntax in PowerShell:

    ./BlockUsersWithoutLicense.ps1 fetch_current_license_state <Token you previously copied>

  3. To enforce the license check, use the following syntax in PowerShell:

    ./BlockUsersWithoutLicense.ps1 enforce_user_license <Token you previously copied>
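Because the enforce action can't be undone, it's worth wrapping the two calls above in a few guard rails. The script below is an added example (not from this page or the FastTrack repository): it decodes the pasted token locally to confirm it hasn't expired and to show which account and tenant it belongs to, runs the fetch action first, and only runs the enforce action after the operator retypes the tenant ID. It assumes BlockUsersWithoutLicense.ps1 is in the current directory, that the captured token is an Entra ID JWT (as it is when copied from the Graph requests described above), and that the fetch action prints the `{"enforce_user_license":true|false}` JSON the output examples show.

```powershell
# Added example, not code from the page or the FastTrack repo.
# Guarded wrapper around BlockUsersWithoutLicense.ps1.
# Assumptions: the script is in the current directory; $Token is an Entra ID JWT;
# the fetch action prints {"enforce_user_license":true|false}.
param(
    [Parameter(Mandatory)] [string] $Token,
    [switch] $Enforce   # without this switch the wrapper only reports the current state
)

function Get-JwtPayload {
    # Decode the payload segment of a JWT. The signature is NOT verified here: this
    # only reads exp/tid/upn for a local sanity check, it never trusts the claims.
    param([string] $Jwt)
    $parts = $Jwt.Trim() -split '\.'
    if ($parts.Count -ne 3) { throw "Token does not look like a JWT (expected 3 dot-separated parts)." }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')     # base64url -> base64
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

$claims  = Get-JwtPayload $Token
$expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
if ($expires -lt (Get-Date).ToUniversalTime()) {
    throw "Token expired at $expires UTC; capture a fresh one from the browser."
}
$who = @($claims.upn, $claims.preferred_username) | Where-Object { $_ } | Select-Object -First 1
"Token for '$who' in tenant $($claims.tid), valid until $expires UTC"

# Step 1: read the current state. Parse the JSON rather than string-matching it so
# the 403 error object for a non-admin token isn't mistaken for a state value.
$state = (& ./BlockUsersWithoutLicense.ps1 fetch_current_license_state $Token) | ConvertFrom-Json
if ($null -eq $state.enforce_user_license) {
    throw "Unexpected fetch response: $($state | ConvertTo-Json -Compress)"
}
"Current enforce_user_license state: $($state.enforce_user_license)"

if (-not $Enforce)                { "Re-run with -Enforce to apply license enforcement."; return }
if ($state.enforce_user_license)  { "License check is already enforced; nothing to do."; return }

# Step 2: irreversible change, so make the operator confirm the exact tenant.
$typed = Read-Host "Type the tenant id ($($claims.tid)) to enforce licenses on this network"
if ($typed -ne $claims.tid) { throw "Tenant id mismatch; aborting without changes." }

$result = (& ./BlockUsersWithoutLicense.ps1 enforce_user_license $Token) | ConvertFrom-Json
"Enforce result: $($result | ConvertTo-Json -Compress)"

# The token is a bearer credential; drop it from the session once the job is done.
$Token = $null
```

Run `.\Invoke-LicenseEnforcement.ps1 -Token '<token>'` first to see the current state and the identity behind the token, then add `-Enforce` when you're ready. Passing the token on the command line still lands it in shell history, so clear that history (or use Read-Host to prompt for the token) when you're done.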

Output examples

If you don’t have the O365_Tenant_Admin user role, running the script gives the following error:

{ 
  "method": "GET", 
  "url": "https://www.yammer.com/api/v1/networks/fetch_current_enforce_license_state", 
  "status": 403, 
  "status_description": null, 
  "www_authenticate": null, 
  "response_headers": {}, 
  "response_body": "\n{\n  \"success\": false,\n  \"error\": \"Only O365 Tenant Admins can access this endpoint!\"\n}", 
  "exception_type": "Microsoft.PowerShell.Commands.HttpResponseException", 
  "exception_message": "Response status code does not indicate success: 403 (Forbidden).", 
  "stack": "at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)" 
}

If you run the fetch action with a valid token, the output is true if the license check is already enforced and false if it isn't:

    {"enforce_user_license":true} 
    {"enforce_user_license":false} 

If you run the enforce action with a valid token and the license check isn't yet enforced, the output is:

    {"enforce_user_license":true} 

If you run the enforce action with a valid token and the license check is already enforced, the output is:

    {"success":true,"message":"User license check already enforced"}

Frequently asked questions

Once Microsoft 365 Identity Enforcement is set to Committed Enforcement, can I revert it?

Important

At this point, reverting the Enforce Microsoft 365 Identity setting disrupts the user experience, because users who sign in with their user names and passwords can't access their connected resources. We do not recommend reverting this setting.

When an organization commits to Microsoft 365 identity enforcement, with one Microsoft 365 tenant tied to a single Viva Engage tenant, the network enables connected communities. This configuration creates a Viva Engage community that's associated with a connected Microsoft 365 group. Tenant users can take advantage of community software tools such as SharePoint, Planner, and OneNote.

How does this change affect guest accounts?

The identity enforcement doesn't affect network guests, who continue to follow the sign-in settings and requirements of their home network.

How long does it take for this setting to be applied?

Enforcement of Microsoft 365 identity applies immediately after you enable the setting.

We use the same Active Directory Federation Services (AD FS) configuration in Viva Engage and Microsoft 365. Should we sign out users during the transition?

Yes. The collective sign out ensures all users who sign back on after the transition can just reconnect to their Microsoft 365 identity. Microsoft 365 identity connects users to lifecycle management from Microsoft 365. Users get a consistent experience, with more tools like Microsoft 365 suite navigation.

What is the user sign out experience when I enforce Microsoft 365 identities?

Users are immediately signed out of their web and mobile sessions. All users then sign back in with their Microsoft 365 identity credentials, which restores their access across all their apps, devices, and browser sessions.

How do I audit and clean up Viva Engage users when compared to Microsoft 365 and Microsoft Entra ID?

You can audit Viva Engage users in any of your Microsoft 365-connected networks and take appropriate action. See more information and examples in How to audit Viva Engage users in networks connected to Microsoft 365.