Yammer Domain Restriction

Anonymous
2017-07-21T18:42:49+00:00

Like Office 365 Tenant Restriction (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-tenant-restrictions), our company wants to make sure that our corporate employees are restricted to gaining access only to our Yammer Enterprise environment.

After reviewing proxy logs and Office 365 audit logs, it appears there are two methods we could employ to achieve this type of security requirement:

  1. Implement HTTPS packet inspection for all yammer.com traffic and only allow traffic that has the following value in the header: Referer: https://www.yammer.com/companyXYZ.com/ - all other referring domains would be blocked
  2. Implement HTTPS packet inspection for all Yammer authentication for the URL https://www.yammer.com/oauth2/authorize?client_id=[:client_id]&response_type=code&redirect_uri=[:redirect_uri] - the client_id would have to equal COMPANY's Yammer ID or the request would be blocked

As no one has posted a solution on how to enforce Yammer Domain Restrictions (or at least that I can find), does anyone have an opinion of the validity of this approach?

We use CISCO M1070 proxies (IronPort), and we use the web proxy to implement Office 365 Tenant Restriction successfully.


Locked question. This question was migrated from the Microsoft Support Community.


10 answers

  1. Anonymous
    2017-12-06T14:22:01+00:00

    Yes, we were. 

    The web security team had reported that they were not able to implement the control using our Cisco IronPort proxy farms, which led to my initial inquiry to Microsoft.  Microsoft weighed in that it should be achievable but no direction on the approach.

    I did identify that Cisco does not use standard regex syntax, which ultimately was the issue with the web team being unable to block. So, I created my allow and block rules using regex, then researched Cisco syntax, modified the allow / block rules accordingly and successfully implemented tenant restriction based upon domain. A key consideration when creating the block is understanding that the Yammer pattern for identifying domains is consistent.

    Solution Approach:

    This design decrypts all proxy traffic that is routed to Yammer.com, looks at the URL properties of the traffic and then enforces either an allow or a block rule based upon the Yammer domain.

    Allow Rule Function: All traffic that matches the allow rule (approved domains) is subsequently encrypted and forwarded, enabling full yammer functionality.

    Block Rule Function: All traffic that does not explicitly match the allow rule is then inspected against the block rule and prevented from being routed to Yammer. Blocked domains are presented a "This Page Cannot Be Displayed" page.

    Regex Rule Set (literal dots escaped as `\.`, since an unescaped `.` matches any character):

    Allow Rule:

    ```text
    www\.yammer\.com/approvedomain\.com/
    www\.yammer\.com/approvedomain\.com/.*
    www\.yammer\.com/approvedomain2\.com/
    www\.yammer\.com/approvedomain2\.com/.*
    ```

    Block Rule:

    ```text
    www\.yammer\.com/.*\..*/
    www\.yammer\.com/.*\..*/.*
    ```

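As an added illustration (not code from the thread, from Microsoft or from Cisco), the following Python models the allow-then-block ordering described in the answer above together with the client_id check proposed as method 2 in the question. The approved network names, the client_id value and the sample request URLs are placeholders constructed for the example. It also exercises two caveats a practitioner would check before deploying such rules: if the literal dots in the block rule are not escaped, `..*` matches any character and the rule blocks every path with two or more segments, API calls included; and the block rule as posted requires a trailing slash after the network name, so a URL without one falls through neither allowed nor blocked. A stricter block variant that closes that gap is my own addition, not the poster's rule.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Placeholder values: the thread does not give real network names or a client_id.
APPROVED_NETWORKS = ("approvedomain.com", "approvedomain2.com")
APPROVED_CLIENT_ID = "corp-yammer-client-id"  # hypothetical corporate Yammer OAuth client_id

# Allow rules from the answer; "<network>/" and "<network>/.*" collapse into one
# pattern, with the literal dots escaped so '.' does not match any character.
ALLOW_RULES = [
    re.compile(r"^www\.yammer\.com/" + re.escape(network) + r"/.*$")
    for network in APPROVED_NETWORKS
]

# Block rule as posted (dots escaped): a segment containing a dot, followed by '/'.
BLOCK_RULE = re.compile(r"^www\.yammer\.com/.*\..*/.*$")

# The same rule if the backslash before the dot is lost: '..*' now means "any
# character, then anything", so every path with two or more segments matches.
BLOCK_RULE_UNESCAPED = re.compile(r"^www\.yammer\.com/.*..*/.*$")

# Stricter variant (my addition, not the poster's): the dotted segment must be the
# first path segment, the trailing slash is optional, matching is case-insensitive.
BLOCK_RULE_STRICT = re.compile(r"^www\.yammer\.com/[^/]*\.[^/]*(/.*)?$", re.IGNORECASE)


def host_path(url):
    """Return 'host/path' for a decrypted request, which is what the URL rules match."""
    parts = urlsplit(url)
    return parts.netloc.lower() + parts.path


def decide(url, block_rule=BLOCK_RULE):
    """Apply the allow rules first, then the block rule, mirroring the posted design.

    Returns 'allow', 'block', or 'pass' when neither rule matched; a 'pass' request
    is forwarded unchanged (for example the root page or API calls).
    """
    target = host_path(url)
    if any(rule.match(target) for rule in ALLOW_RULES):
        return "allow"
    if block_rule.match(target):
        return "block"
    return "pass"


def oauth_client_id_permitted(url):
    """Method 2 from the question: on the OAuth authorize endpoint only the corporate
    client_id may proceed. Returns None for requests that are not that endpoint.
    A repeated client_id parameter is rejected instead of trusting the first value.
    """
    parts = urlsplit(url)
    if parts.netloc.lower() != "www.yammer.com" or parts.path != "/oauth2/authorize":
        return None
    return parse_qs(parts.query).get("client_id") == [APPROVED_CLIENT_ID]


# Constructed sample requests, not captured traffic.
SAMPLE_URLS = [
    "https://www.yammer.com/approvedomain.com/",
    "https://www.yammer.com/approvedomain2.com/messages/123",
    "https://www.yammer.com/otherbusiness.com/",
    "https://www.yammer.com/otherbusiness.com",
    "https://www.yammer.com/api/v1/messages.json",
    "https://www.yammer.com/",
]

if __name__ == "__main__":
    print(f"{'url':52} {'posted':7} {'unescaped':10} strict")
    for u in SAMPLE_URLS:
        print(f"{u:52} {decide(u):7} {decide(u, BLOCK_RULE_UNESCAPED):10} "
              f"{decide(u, BLOCK_RULE_STRICT)}")
```

Running the block prints one row per sample URL for the three block-rule variants; the differences on `otherbusiness.com` without a trailing slash and on the `api/v1` path are the two caveats named in the lead-in.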
  2. Anonymous
    2017-12-06T09:45:18+00:00

    Hi @JoBetzer,

    Were you successful in implementing the rules on your proxy to block all Yammer URLs, with the exception of your own company network?

    Thanks,

    CloudNovum

  3. Anonymous
    2017-10-06T01:02:12+00:00

    Hello,

    I apologize for a huge delay in response.

    You can try the IP restriction in the Yammer network for additional security, as mentioned below.

    Extract from the article: IP range restrictions.

    Specifying one or more authorized IP ranges allows you to limit access to your Yammer network to only your corporate LAN or other trusted networks. Any users who attempt to log on from a web browser with an IP address outside of the range(s) configured here will be blocked. You can input a starting and ending IP range that you would like to allow, and assign a name to each range.

    Typically, users using mobile clients will be outside of the authorized IP range (unless the mobile client is using Wi-Fi on a trusted network). To allow access from mobile clients, select the Allow login option. This still restricts web logins outside of your trusted IP range, but it allows mobile client logins from outside the IP range. If you select Deny login, users outside of the trusted IP range will be unable to access Yammer via clients.

    Please refer to the article:

    https://support.office.com/en-us/article/Monitoring-your-Yammer-data-Yammer-admin-guide-8c4651fa-12c2-4ced-b4ea-2200c0a630ed

    Regards,

    Sushil Dhiwa.

    Microsoft Yammer support team.

  4. Anonymous
    2017-07-26T13:49:19+00:00

    If only it was so simple.

    The issue is not managing our corporate presence, or restricting access to our Enterprise Yammer service. The issue is that when the company allows Yammer.com access through our Firewalls and Proxy, anyone on the corporate network can log into any external Yammer network we do not own.

    This needs to be allowed from within the corporate network:

    Corporate domain = CorpYammer.com    URL = www.yammer.com/CorpYammer.com

    While making sure that employees on the corporate network cannot access other Yammer domains:

    Personal domain = TheSmiths.com      URL = www.yammer.com/TheSmiths.com

    Business domain = OtherBusiness.com  URL = www.yammer.com/OtherBusiness.com

    Yammer security controls and Office 365 manage the corporate domain, but do not address the risk from the corporate network. Yammer is managed!

    External Yammer domains are not secured from the network layer, a huge miss by Microsoft, as all I have to do is log into any Yammer network my business does not own and start uploading sensitive files (PCI, HIPAA, GLBA, PII); it does not matter what I upload, Yammer does not have the security controls to restrict it.

    I need a network layer solution on how to only allow the corporate Yammer domain. Or has this not been thought of by anyone?

    The only option so far is to implement a Firewall/Proxy block of Yammer.com and kill the application.

  5. Anonymous
    2017-07-26T09:21:34+00:00

    Hi,

    Greetings...!!

    Thank you for your reply. You can either allow users to access your Yammer network or completely block them. If you want to block the users, you would see an option "Block Office 365 users without Yammer licenses" (if you have enforced Office 365 identity). If you check this option and revoke the Yammer licenses of the users in Office 365 admin center, all the users whose licenses are revoked will be blocked from accessing your Yammer network.

    Please let me know if this action plan works for you. If you want to discuss the issue in detail, you can create a Service request with Yammer and we will be glad to help you. Please feel free to reply for any query regarding Yammer.

    Thanks and Regards,

    Manish

    Microsoft Yammer Support
