Restricting access to Yammer

A few days ago, Matt Ballantine wrote about Enterprise Social Media and the need to focus on building an audience:

Internal communications people can fall into the trap of believing that what they produce is content rather than advertising. Internal communications appears to be the only form of direct marketing to which there is no legal right to opt out.

 

The challenge then with Enterprise Social Networks, especially when they are treated as an internal media channel, is that if all you are pushing out is advertising (and yes, the latest interview with the CEO about the next 5 year strategy is advertising) you are trying to build an audience on marketing alone.

So, cue Yammer, Microsoft’s Enterprise Social Networking product, purchased a few years ago and slowly being integrated into Office 365…

As I wrote back in July, Yammer comes in two flavours:

  • Yammer Basic is a bit like the wild west – users sign up with their corporate email accounts and a network is formed, using company resources, but over which the company has no control.
  • Yammer Enterprise is a paid product, included in certain Office 365 Enterprise subscriptions, which provides a level of administrative control.

Yammer tile from Office 365But, here’s the gotcha – once you activate Yammer on your Office 365 subscription, a Yammer tile will appear on the Office 365 App Launcher and you have no way to turn it off.

I was recently working with a customer who had activated Yammer on their domains (to shut down the anarchy of Yammer Basic) but who wasn’t ready to start using the product yet (going back to Matt’s point about building an audience – i.e. launching the platform in a controlled manner, with appropriate business sponsorship and support).

Disabling logon to Yammer

With a Yammer tile in Office 365 but no way to turn it off, I was left looking at options for restricting access to Yammer:

  1. Use block lists to prevent users from logging on. That doesn’t scale and would be an administrative nightmare, so it’s not really a credible option.
  2. Disable Yammer in ADFS using a claims transformation rule (more information on TechNet). This would have been a nice idea except that Yammer SSO is deprecated since support for Office 365 authentication was introduced (it’s still supported, but not being developed). Denying access to Yammer on the Office 365 Identity Platform relying party trust meant that I also denied access to other Office 365 services!
  3. Use PowerShell to modify user licences except that doesn’t work – changes to the YAMMER_ENTERPRISE plan do not have any effect.
  4. Use Yammer’s logical firewall to block access based on IP address (thanks to Steve Rush for the suggestion). This is a bit crude but it works – just make sure there is a range for which access is allowed, so you can still get in and administer the network when you are ready to start using it!

Blocking access to Yammer via IP - end user experience

6 thoughts on “Restricting access to Yammer


  1. The is a ” Block Office 365 users without Yammer licenses” option in Yammer now in the Yammer security settings right below the Enforce office 365 identity in Yammer. Which actually works.


  2. That’s interesting Will – does that mean it’s now possible to remove Yammer licenses from Office 365 Enterprise users (previously Yammer was automatically selected and greyed out)


  3. In O365 Enterprise E3 and E1 licence there is now an option whereby you can switch off the Yammer tile by switching off the Yammer licence.
    You just expand the main O365 Ent licence for a particular user and it shows all the O365 parts. :)
    Next time user logs in the Tile has gone.


  4. Thanks for the update Mark – you’re right that there are now new options for managing Yammer licences in Office 365 – it’s a fast-moving field and anything I blog on the topic is likely to be out of date a few months later!


  5. Hi Mark – we had the original restriction in place (as you outlined in your post) and it continued to work perfectly. However, we are now in a place where we want to incrementally add users to Yammer and so the “blanket” block needed to be lifted. Thankfully, as Mark Scowcroft points out, Microsoft have got their act together and now offer proper access controls to Yammer which we have now employed.


  6. Thanks for the update Grainger – that’s good to hear :-).

    Yep, it’s a constantly moving feast. I haven’t managed to keep completely up to date with all of the conditional access changes in Office 365 (including Yammer) but I do know the controls are getting better.

Leave a Reply