Restricting access to Yammer

A couple of months ago, Matt Ballantine wrote about Enterprise Social Media and the need to focus on building an audience:

“Internal communications people can fall into the trap of believing that what they produce is content rather than advertising. Internal communications appears to be the only form of direct marketing to which there is no legal right to opt out.

The challenge then with Enterprise Social Networks, especially when they are treated as an internal media channel, is that if all you are pushing out is advertising (and yes, the latest interview with the CEO about the next 5 year strategy is advertising) you are trying to build an audience on marketing alone.”

So, cue Yammer, Microsoft’s Enterprise Social Networking product, purchased a few years ago and slowly being integrated into Office 365…

Yammer comes in two flavours:

  • Yammer Basic is a bit like the wild west – users sign up with their corporate email accounts and a network is formed, using company resources, but over which the company has no control.
  • Yammer Enterprise is a paid product, included in certain Office 365 Enterprise subscriptions, which provides a level of administrative control.

[Image: Yammer tile from Office 365]

But, here’s the gotcha – once you activate Yammer on your Office 365 subscription, a Yammer tile will appear on the Office 365 App Launcher and you have no way to turn it off.

I was recently working with a customer who had activated Yammer on their domains (to shut down the anarchy of Yammer Basic) but who wasn’t ready to start using the product yet (going back to Matt’s point about building an audience – i.e. launching the platform in a controlled manner, with appropriate business sponsorship and support).

Disabling logon to Yammer

With a Yammer tile in Office 365 but no way to turn it off, I was left looking at options for restricting access to Yammer:

  1. Use block lists to prevent users from logging on. That doesn’t scale and would be an administrative nightmare, so it’s not really a credible option.
  2. Disable Yammer in ADFS using a claims transformation rule (more information on TechNet). This would have been a nice idea except that Yammer SSO has been deprecated since support for Office 365 authentication was introduced (it’s still supported, but not being developed). Denying access to Yammer on the Office 365 Identity Platform relying party trust meant that I also denied access to other Office 365 services!
  3. Use PowerShell to modify user licences, except that doesn’t work – changes to the YAMMER_ENTERPRISE plan do not have any effect.
  4. Use Yammer’s logical firewall to block access based on IP address (thanks to Steve Rush for the suggestion). This is a bit crude but it works – just make sure there is a range for which access is allowed, so you can still get in and administer the network when you are ready to start using it!

[Image: Blocking access to Yammer via IP - end user experience]

[This is an edited version of a post that was originally published at markwilson.it]
