Yammer Domain Restriction

Hello JoBetzer,

Thank you for reaching out to us.

To restrict the domain in Yammer first you need to remove the domain from Office 365 tenant then that will be removed from Yammer as well, because the domain Sync is one way from Office 365 to the Yammer.

You can try one other work around as to remove the license of the user which are having the email address with that particular domain, then enable the settings block the users without Yammer enterprise license under network admin -> Security Settings.

https://support.office.com/en-us/article/Manage-Yammer-user-licenses-in-Office-365-34a67e3a-3fd8-4e54-bffb-dd5ad0e48590?ui=en-US&rs=en-US&ad=US#startblocking

Unfortunately there is on way around to block the single domain in Yammer.

Regards,

Sushil Dhiwa.

Microsoft Yammer support team. 

Thank you for the reply. The information is helpful for our enterprise users. 

To clarify, what I need to do from a security perspective is block legacy Yammer users/identity (email and password login). We have enforced Office 365 Identity in Yammer which enables management of our corporate presence.

However, that challenge that needs to be solved is the potential of Data Leakage/Data Loss due to the ability to transfer files with legacy Yammer identities to Yammer domains we do not own.

Example: Corporate Yammer domain is Worldcompany.com, this is our global / office 365 presence. From a security perspective we have enforced conditional access, licensing models, and enforce Office 365 Identity in Yammer. When a user logs into Yammer, whether from a corporate office or remote, the login is enforced through Office 365, redirected to our corporate presence, etc. and everything is good.

But, if a corporate user logs in with a basic/legacy account that is not corporate managed, such as *** Email address is removed for privacy ***, users can login, transfer files to any Yammer groups they belong to and create a data breach.

I am trying to block users with legacy yammer accounts from logging in from our corporate network where they have access to sensitive files (30000+ users globally).

I do see from logs, that all file sharing is directed to the URL file.yammer.com or files.yammer.com (cant remember which), and the header also shows the referrer is either https://www.yammer.com/worldcompany.com which should be allowed, or https://www.yammer.com/anyotherco.com which should be blocked.

Everything I have researched says NOT to block at the proxy, or restrict to only https://www.yammer.com/worldcompany.com, because it will break Yammer functionality, otherwise I would just create a deny-all www.yammer.com and create a white list entry for www.yammer.com/worldcompany.com and be done.

We have the core skill set to implement any solution, it is just identifying the proper approach.

Thoughts anyone?

Hi,

Greetings...!!

Thank you for your reply. You can either allow users to access your Yammer network or completely block them. If you want to block the users, you would see an option "Block Office 365 users without Yammer licenses" (if you have enforced Office 365 identity). If you check this option and revoke the Yammer licenses of the users in Office 365 admin center, all the users whose licenses are revoked will be blocked from accessing your Yammer network.

Please let me know if this action plan works for you. If you want to discuss the issue in detail, you can create a Service request with Yammer and we will be glad to help you. Please feel free to reply for any query regarding Yammer.

Thanks and Regards,

Manish

Microsoft Yammer Support

If only it was so simple.

The issue is not managing our corporate presence, or restricting access to our Enterprise Yammer service. The issue is that when the company allows Yammer.com access through our Firewalls and Proxy, anyone on the corporate network can log into any external Yammer network we do not own.

This needs to be allowed from within the corporate network:

Corporate domain = CorpYammer.com       URL = www.yammer.com/CorpYammer.com

While making sure that employees on the corporate network cannot access other Yammer domains:

Personal Domain = TheSmiths.com             URL = www.yammer.com /TheSmiths.com

Business Domain = OtherBusiness.com       URL = www.yammer.com/OtherBusiness.com                    

Yammer security controls, Office 365 manage the Corporate Domain, but does not address the risk from the corporate network. Yammer is managed!

External Yammer domains are not secured from the network layer, a huge miss by Microsoft, as all I have to do is log into any Yammer network my business does not own and start uploading sensitive files, PCI, HIPAA, GLBA, PII, it does not matter what I upload, Yammer does not have the security controls to restrict.

I need a network layer solution on how to only allow the corporate Yammer domain. Or has this not been thought of by anyone?

The only option so far is to implement a Firewall/Proxy block of Yammer.com and kill the application.

Hello,

I apologize for a huge delay in response.

You can try with the IP restriction in the Yammer network for more security reason as mentioned below.

Extract from the article :-    IP range restrictions.

Specifying one or more authorized IP ranges allows you to limit access to your Yammer network to only your corporate LAN or other trusted networks. Any users who attempt to log on from a web browser with an IP address outside of the range(s) configured here will be blocked. You can input a starting and ending IP range that you would like to allow, and assign a name to each range.

Typically, users using mobile clients will be outside of the authorized IP range (unless the mobile client is using Wi-Fi on a trusted network). To allow access from mobile clients, select the Allow login option. This still restricts web logins outside of your trusted IP range, but it allows mobile client logins from outside the IP range. If you select Deny login, users outside of the trusted IP range will be unable to access Yammer via clients.

Please refer the article:-

https://support.office.com/en-us/article/Monitoring-your-Yammer-data-Yammer-admin-guide-8c4651fa-12c2-4ced-b4ea-2200c0a630ed

Regards,

Sushil Dhiwa.

Microsoft Yammer support team.

Hi @JoBetzer,

Were you successful in implementing the rules on your proxy to block all Yammer URLs, with the exception of your own company network?

Thanks,

CloudNovum

Yes, we were. 

The web security team had reported that they were not able to implement the control using our Cisco IronPort proxy farms, which led to my initial inquiry to Microsoft.  Microsoft weighed in that it should be achievable but no direction on the approach.

I did identify that Cisco does not use standard regex coding, which ultimately was the issue with the web team being unable to block. So, I created my allow and block rules using regex, then researched Cisco syntax, modified the allow / block rules accordingly and successfully implemented tenant restriction based upon domain. Key consideration when creating the block is understanding the yammer pattern for identifying domains is consistent.

Solution Approach:

This design decrypts all proxy traffic that is routed to Yammer.com, looks at the URL properties of the traffic and then enforces either an allow or a block rule based upon the Yammer domain.

Allow Rule Function: All traffic that matches the allow rule (approved domains) is subsequently encrypted and forwarded, enabling full yammer functionality.

Block Rule Function: All traffic that does not explicitly match the allow rule is then inspected against the block rule and prevented from being routed to yammer. Blocked domains are presented a “This Page Cannot Be Displayed”

Regex Rule Set:

Allow Rule:

www\.yammer\.com/approvedomain\.com/

www\.yammer\.com/approvedomain\.com/.*

www\.yammer\.com/approvedomain2\.com/   

www\.yammer\.com/approvedomain2\.com/.*   

Block Rule:

www\.yammer\.com/.*\..*/