Overview of security and compliance in Yammer

Yammer Enterprise administrative tools help you protect your Yammer data and comply with evolving legal and regulatory standards, including GDPR.

For information about policies, tools, and best practices for all of Office 365, see Overview of security and compliance in Office 365.

Yammer Enterprise offers admins security and compliance tools that aren't part of the free Yammer Basic. Items marked with an asterisk (*) aren't available in Yammer Basic. The Security FAQ section of this article describes security, privacy, and business continuity features that apply to both Yammer Basic and Yammer Enterprise.

| Security Admin Features | How To |
| --- | --- |
| Set password policies and logical firewalls to control access to Yammer. | Manage Yammer security settings* |
| Manage users and maintain single identity for users across all of Office 365. | Add, block, or remove Yammer users*; Enforce Office 365 identity for Yammer users* |
| Provide secured access to Yammer on iOS and Android devices, and control device access to protect corporate data by using Microsoft Intune. | Monitor account activity and device usage for a single user*; Manage Yammer with Microsoft Intune* |
| Use multiple levels of admin roles so you can assign the correct permissions to match employees' roles. | Manage Yammer admins* |
| Prevent or limit file uploads. | Configure your Yammer network* |
| Control external network access. | Manage Yammer security settings* |
| Track changes to users, groups, and admins. | Track Yammer Events in the Office 365 Audit log and with the Management Activity API* |

| Compliance Admin Features | How To |
| --- | --- |
| Comply with GDPR requirements. | Manage GDPR data subject requests in Yammer Enterprise*; Manage GDPR data subject requests in Yammer Basic |
| View compliance reports. Yammer is Tier-C compliant in the Office 365 Compliance Framework, which covers SOC 1, HIPAA, EU Model Clauses, IRAP, and (SEC) Rule 17a-4(f). | Compliance Framework Documentation for Office 365* |
| Control data retention policies, and view private messages if needed for discovery purposes. | Manage Yammer data compliance* |
| Export data to review compliance issues. | Export data from Yammer Enterprise*; Export data from Yammer Basic |
| Track changes to users, admins, and groups. | Track Yammer Events in the Office 365 Audit log and with the Management Activity API* |

| Keep content appropriate and available to only those who should see it | How To |
| --- | --- |
| Set up a usage policy to ensure only appropriate content is posted. | Set up a Yammer usage policy* |
| Monitor keywords for unacceptable or inappropriate content so you can intervene if necessary. | Monitor Keywords*; Monitor private content in Yammer* |
| Prevent specific data from being sent to external participants. | Disable external messaging in a Yammer network* |

| Monitor usage | How To |
| --- | --- |
| Monitor Yammer admin and user transactions. | Track Yammer Events in the Office 365 Audit log and with the Management Activity API* |
| Gain insight into how people in your organization use Yammer. Reports and APIs make information available to admins, and group insights and seen counts are available for community managers, group admins, and members. | Activity Reports in the Microsoft 365 admin center*; Office 365 Reports in the Admin Center - Yammer activity report*; Microsoft 365 Reports in the Admin Center - Yammer groups activity report*; Office 365 Adoption content pack*; Microsoft Graph reporting APIs; View group insights in Yammer; View seen counts in Yammer |

| Stay organized and current with organizational changes | How To |
| --- | --- |
| Use Microsoft 365 group naming policies to enforce consistent group naming. | Microsoft 365 Groups naming policy* |
| For large organizations, use dynamic groups to update group membership automatically as people join, leave, or move within your organization. | Create a dynamic group in Yammer* |
| Set expiration policies for Office 365 connected Yammer groups. When set, group owners are prompted to renew the groups if they still need them. | Microsoft 365 Group Expiration policy* |

Security FAQ

Q: Who can access the Yammer network?

A: Only users with a valid and verified company email address can join your Yammer network. Yammer has functionality to create external networks to collaborate securely with third parties.

Q: What endpoints need to be reachable for Yammer users?

A: As of October 22, 2018, all Yammer users need to be able to access *.yammer.com. Don't use a list of IP address ranges to control access to Yammer since they may change and create access problems for users. For information about the October 2018 change, see Using hard-coded IP addresses for Yammer isn't recommended.

For complete Office 365 URL and IP address ranges info, see Office 365 endpoints.
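The hostname-based rule recommended above can be checked as follows. This is an added example, not code from the original article or from Microsoft; the function names, the any-depth reading of the wildcard, and the sample destinations are assumptions made for illustration.

```python
import ipaddress

# Assumption: egress policy is expressed as hostname patterns, as the FAQ
# recommends, and "*." matches one or more leading labels but not the apex.
ALLOWED_PATTERNS = ["*.yammer.com"]

# Constructed sample destinations, shaped like proxy CONNECT targets.
SAMPLE_DESTINATIONS = [
    "www.yammer.com:443", "WWW.Yammer.COM.:443", "files.eu.yammer.com",
    "yammer.com", "notyammer.com", "yammer.com.example.net", "203.0.113.10:443",
]

def normalize_host(dest: str) -> str:
    """Lowercase 'host' or 'host:port'; drop the port and any trailing dot."""
    host = dest.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal with port
        return host[1:].split("]", 1)[0]
    if host.count(":") == 1:                 # host:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def host_allowed(dest: str, patterns=ALLOWED_PATTERNS) -> bool:
    host = normalize_host(dest)
    if not host or is_ip_literal(host):
        return False                         # an IP never satisfies a hostname rule
    for pattern in (p.lower() for p in patterns):
        if pattern.startswith("*."):
            suffix = pattern[1:]             # ".yammer.com", leading dot included
            # The leading dot enforces a label boundary, so look-alike names
            # and names that merely contain the domain do not match.
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False

def blocked(destinations, patterns=ALLOWED_PATTERNS):
    """Return the destinations the policy would not let through."""
    return [d for d in destinations if not host_allowed(d, patterns)]
```

Under this reading the apex `yammer.com` is not covered by `*.yammer.com`; if your proxy or firewall treats wildcards the same way, add the apex as a separate entry.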

Q: Where is the data hosted?

A: Yammer data is hosted in Microsoft-managed datacenters. See Where is your data located to find the datacenters for the country in which your company is located. Yammer operates out of Microsoft's global network of datacenters. These centers have 24/7/365 video surveillance, biometric and PIN-based locks, strict personnel access controls, and detailed visitor-entry logs.

For more information, see Yammer data residency.

Q: What's Yammer's privacy policy? How do you treat my data?

A: Our privacy policy is publicly shared and available as part of the Microsoft Online Services Privacy Statement.

Q: What is Yammer's security policy?

A: Yammer is included in the Microsoft Trust Center.

Q: Who has access to the data?

A: Only employees with a legitimate business need can access customer data, and all access is on an approval‐only basis. All access is logged and regularly audited.

Q: Is the data encrypted?

A: All data in transit into and out of the production environment is always encrypted. Communication with Yammer is over HTTPS (TLS 1.2 supported) regardless of user endpoint (web, desktop app, mobile app, API). In addition to being encrypted in transit, Yammer data is encrypted at rest with AES-256 bit key encryption.

Current versions of the Yammer iOS and Android mobile apps use Apple and Google services for final delivery to end user devices. To ensure confidentiality of information between the Yammer service and the device we use Push Notification Encryption to protect notifications in transit. Encrypted notifications are available for the Yammer iOS mobile app version 7.36.0 or later. They're also available for the Yammer Android mobile app version 5.6.5 or later.

Q: What is Yammer's architecture?

A: Yammer's architecture is driven by the needs of an Enterprise Social Network (ESN). An ESN is successful only if users adopt and engage with the platform. As such, Yammer is architected and developed in a way to support adoption and engagement, allowing rapid iterations of technology.

Yammer is a set of loose components, coupled with APIs. These are developed and released independently using many different best-in-class codes and technologies. Yammer is a public cloud, SaaS, multitenant architecture only. We use a data-driven, rapidly iterating development approach to measure the success of the platform using the key metrics of end-user engagement and adoption.

Q: Who owns the data posted in the Yammer network?

A: Data posted into a free Yammer Basic network is owned by the individuals posting that data. Those users are the data controllers for their content. Under Yammer Enterprise, the company is the data controller, and ownership of all data transfers to the company. Yammer is a data processor and has no rights to any content or responsibilities for the data posted within a Yammer network.

Q: Do you comply with the data protection act in my country?

A: It's the data controller's responsibility to comply with the data protection legislation that affects them. Yammer has controls in place to facilitate data controllers' (individuals and companies) compliance with their data protection legislation.

Q: Can we perform an on‐site visit or audit of your facilities?

A: Yammer doesn't permit customers to perform on‐site audits. With over 200,000 customers, audits aren't feasible. It's also a risk to the security of the service. We'll answer any security questions openly and transparently.

Q: Do you conduct third‐party audits or testing?

A: Penetration tests of the Yammer infrastructure are conducted yearly as part of Office 365.

Q: How is data separated from other customers?

A: Yammer is a true multi-tenant model. As such, customers' data is logically separated with strict controls to ensure separation of tenant data. The web application servers of Yammer are physically and logically separated from servers that store customer data.

Q: What is the difference between the security of an enterprise social network and Facebook?

A: Your Yammer network is private to your company. Only users with a valid and verified email address for your company can join your Yammer network. Yammer was created as an Enterprise Social Network with security built‐in at every level and a high degree of control available. It includes integration with corporate security systems such as Active Directory and single sign-on.

Q: What is the difference between security of Yammer Basic and Yammer Enterprise?

A: The underlying security of both is identical. Yammer Enterprise brings more administrative control. It also provides the ability to integrate with other systems (such as Active Directory, Active Directory Federation Services, SharePoint, Microsoft Dynamics CRM, Salesforce).

For details of the security-related administrative controls available in Yammer Enterprise, see the tables at the beginning of this article.

Q: Does Yammer sell our data?

A: No. Yammer doesn't mine or sell any customer data. All data belongs to the customer (either the user or the organization, dependent on the Yammer version in use).

Q: Can I export all my data?

A: In Yammer Enterprise, verified admins can export messages and uploaded files that are stored in Yammer, along with their metadata. The data export can also include any content that has been deleted, if the Archive data retention option has been configured.

Yammer files that are stored in SharePoint must be exported by using Office 365 content search and export. Use Content Search in Office 365 to find the files, and then Export the Content Search Results.

Q: What are Yammer's business continuity features?

A: Your data is backed up multiple times a day and protected with strong encryption on disk. Backups are transferred off-site over SSH and properly deleted after six months.

Q: Is Yammer covered under the materials in the Office 365 Trust Center?

A: Yes, it is. See Office 365 Trust Center.

Q: Is Yammer security independently verified?

A: Yes. ISO27001 is the global standard in information security. Independent auditors have verified that Yammer meets the rigorous set of physical, logical, process, and management controls defined by the ISO 27001 standard.

Yammer participates in the Microsoft Online Services Bug Bounty, which allows thousands of security researchers to test Yammer and help make our products even safer for users.

User Management FAQs

Q: Can I enforce multifactor authentication?

A: Yes, for Yammer Enterprise, if you enforce Office 365 identity in Yammer. For more information, see Set up multi-factor authentication for Office 365 users and Enforce Office 365 identity for Yammer users.

Q: How do I manage Yammer on mobile devices?

A: Yammer is available for major mobile platforms, including the iPhone, iPad, and Android. Users can install the Yammer application from their respective app store.

Yammer Enterprise offers session management capabilities so that a user or administrator can end any Yammer session on any device if needed.

Yammer Enterprise devices can be managed with Microsoft Intune. For more information, see Manage Yammer with Microsoft Intune.

Q: How can I manage my users?

A: Only users with a valid and verified company email address can join your Yammer network.

In a free Yammer Basic network, users can invite their colleagues with the same email address suffix to collaborate. Users can also suspend other users from having access to the Yammer network.

In Yammer Enterprise, administrators can provision and remove users in bulk by using a .csv file. They can also synchronize with Azure Active Directory to automatically add users who aren't already on Yammer and remove users from Yammer if their Active Directory account is disabled or deleted.

For more information, see Manage Yammer users across their lifecycle from Office 365 and Bulk update users by importing a .CSV file.

Q: How can users without email addresses access Yammer?

A: Yammer works with many large organizations where it's important to hear the voice of all workers, including those without email addresses. In this case, Yammer can grant these users access based on a unique identifier.