28 Feb Configuring Microsoft Entra SSO for YMCS
Previously, Yealink Management Cloud Service (YMCS) only supported native Yealink identities for managing Yealink devices. With the recent update to the service, Yealink now lets administrators log in to YMCS with their corporate Microsoft Entra identities.
This is an important and welcome addition to the service, as it allows organisations to retain control over which services their administrators have access to. It also avoids duplicating identities in yet another system, which makes Identity and Access Management (IAM) harder: best practice is to integrate such services into your IAM tooling and workflows, and that is not always straightforward depending on the APIs and middleware involved.
Using corporate identities also helps keep an organisation secure by ensuring its identity and access security and governance controls, for example Conditional Access or MFA, are applied consistently.
Important
SSO is only supported in the new YMCS service; you will not see the SSO configuration options in legacy tenants. You will need to log a ticket with Yealink to get your tenant migrated to the new service: Yealink Ticket
Microsoft Entra ID Configuration
To configure your YMCS tenant to communicate with your Microsoft Entra ID tenant, an Enterprise Application must be configured. Browse to Enterprise Applications in the Entra ID portal and click Create Your Own Application. Give the app a name and ensure Register an application to integrate with Microsoft Entra ID (App you're developing) is selected. Click Create.
On the next page select Accounts in this organizational directory only ( YourTenantName – Single tenant) and click Register.
Browse to App Registrations and you should see the new app you just created. Click the app and make a note of the Application (client) ID and the Directory (tenant) ID; these will be used in YMCS to enable SSO in a later step.
While in the app, click Authentication, then Add a Platform, and in the navigation pane select Web.
Yealink uses different sign-in endpoints for each major region (EU, US and AU/Asia). As my tenant is in Europe, I'm using https://eu.ymcs.yealink.com/manager/front/auth/signin-oidc as the Login Address URL and https://eu.ymcs.yealink.com/manager/front/auth/logout as the Logout Address URL for my Redirection URIs. This tells Entra ID where to redirect the user, with the issued tokens, after login and logout from YMCS. Note: depending on your region, replace the URIs with the appropriate URL below:
Lastly, ensure the ID tokens (used for implicit and hybrid flows) box is checked and click Configure.
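Once the registration exists it is worth checking that it actually matches the settings above, for example before rolling the change out or during a periodic review. The script below is an added example, not Yealink's or Microsoft's code: it takes an application object in the shape Microsoft Graph returns (GET /applications/{id}, or the Manifest blade in the portal) and audits the single-tenant sign-in audience, the EU redirect URI, the logout URL and the ID token implicit-grant setting. Only the EU endpoints appear in this post, so the region table holds only EU; the sample application objects are constructed, and treating the logout address as either a redirect URI or the web.logoutUrl field is an assumption to cover both ways of entering it.

```python
"""Audit a Microsoft Entra app registration for the YMCS SSO settings.

Added example (not Yealink's or Microsoft's code). Works on the Graph
`application` resource (signInAudience, web.redirectUris, web.logoutUrl,
web.implicitGrantSettings) as returned by GET /applications/{id}.
"""
from __future__ import annotations

from typing import Any

# Only the EU endpoints are given in the post; other regions would be added
# here from Yealink's own documentation.
YMCS_REGIONS = {
    "eu": {
        "signin": "https://eu.ymcs.yealink.com/manager/front/auth/signin-oidc",
        "logout": "https://eu.ymcs.yealink.com/manager/front/auth/logout",
    },
}


def audit_ymcs_app(app: dict[str, Any], region: str = "eu") -> list[str]:
    """Return a list of findings; an empty list means the registration matches the post."""
    findings: list[str] = []
    endpoints = YMCS_REGIONS[region]
    web = app.get("web") or {}
    redirect_uris = set(web.get("redirectUris") or [])
    implicit = web.get("implicitGrantSettings") or {}

    # "Accounts in this organizational directory only" is AzureADMyOrg in Graph.
    audience = app.get("signInAudience")
    if audience != "AzureADMyOrg":
        findings.append(f"signInAudience is {audience!r}, expected 'AzureADMyOrg' (single tenant)")

    # The Login Address URL must be registered as a Web redirect URI.
    if endpoints["signin"] not in redirect_uris:
        findings.append(f"missing redirect URI {endpoints['signin']}")

    # Logout address: accepted either as a redirect URI (as in the post) or as web.logoutUrl (assumption).
    if endpoints["logout"] not in redirect_uris and web.get("logoutUrl") != endpoints["logout"]:
        findings.append(f"logout URL {endpoints['logout']} not configured")

    # Tokens are delivered to these URIs, so anything not HTTPS or not on the YMCS host is a risk.
    for uri in sorted(redirect_uris):
        if not uri.startswith("https://"):
            findings.append(f"redirect URI is not HTTPS: {uri}")
        elif not uri.startswith(f"https://{region}.ymcs.yealink.com/"):
            findings.append(f"redirect URI is not a YMCS {region.upper()} endpoint: {uri}")

    # The "ID tokens (used for implicit and hybrid flows)" checkbox.
    if not implicit.get("enableIdTokenIssuance"):
        findings.append("implicitGrantSettings.enableIdTokenIssuance is not enabled")
    # The post only needs ID tokens; issuing access tokens via implicit grant is unnecessary exposure.
    if implicit.get("enableAccessTokenIssuance"):
        findings.append("implicitGrantSettings.enableAccessTokenIssuance is enabled but not needed")
    return findings


# Constructed sample: a registration configured as the post describes.
GOOD_APP = {
    "displayName": "YMCS SSO (constructed)",
    "signInAudience": "AzureADMyOrg",
    "web": {
        "redirectUris": [
            "https://eu.ymcs.yealink.com/manager/front/auth/signin-oidc",
            "https://eu.ymcs.yealink.com/manager/front/auth/logout",
        ],
        "implicitGrantSettings": {"enableIdTokenIssuance": True, "enableAccessTokenIssuance": False},
    },
}

# Constructed sample: multi-tenant, plain-HTTP redirect, wrong token settings.
BAD_APP = {
    "displayName": "YMCS SSO (constructed, misconfigured)",
    "signInAudience": "AzureADMultipleOrgs",
    "web": {
        "redirectUris": ["http://eu.ymcs.yealink.com/manager/front/auth/signin-oidc"],
        "implicitGrantSettings": {"enableIdTokenIssuance": False, "enableAccessTokenIssuance": True},
    },
}

if __name__ == "__main__":
    for app in (GOOD_APP, BAD_APP):
        print(app["displayName"])
        for finding in audit_ymcs_app(app) or ["OK"]:
            print("  -", finding)
```

Run it as-is to see both constructed samples audited; to check a real registration, replace GOOD_APP with the JSON from GET https://graph.microsoft.com/v1.0/applications/{object-id} (Application.Read.All is sufficient).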
YMCS SSO Tenant Config
Browse to Single Sign-On, toggle the Single Sign-On button to on, and enter your Client and Tenant ID.
You'll need to create a new account so the Microsoft account can log in. Browse to Sub Accounts, click Add, and ensure External is selected when you create the new account.
Select Microsoft SSO and enter the Email/UPN of the sub account you just added.
The first time you log in you'll be prompted to accept the permissions so YMCS can read your account details.