Preserving the confidentiality and integrity of your information is one of Yammer’s highest priorities. Yammer maintains a deep culture of security and utilizes an iterative approach in designing and improving security procedures and controls. We continuously analyze the effectiveness of our security policies to ensure we are providing optimal protection for our customers. Please consult your Yammer contact for the latest security overview and collateral. For more details, please refer to Yammer’s Information Security Policy.
This article is part of the Yammer admin guide
Important: Yammer SSO and Yammer DSync are being deprecated and will stop working after December 1st, 2016. You will not be able to set up new configurations with Yammer SSO and DSync after April 1st, 2016.
Instead of Yammer SSO, we recommend that you use Office 365 sign-in for Yammer.
Instead of Yammer DSync, we recommend that you use Azure AD Connect. For more information, see Integrating your on-premises identities with Azure Active Directory and Understanding Office 365 Identity and Azure Active Directory.
For more information about the deprecation and how to transition out of Yammer SSO and Yammer DSync, see Plan for Yammer SSO and DSync deprecation.
Section 1 – Security
Q: Who can access the Yammer network?
A: Only users with a valid and verified company email address can join your Yammer network. Yammer has functionality to create External networks to collaborate securely with third parties.
Q: Where is the data hosted?
A: As of May 16, 2015, Yammer data is hosted in Microsoft managed datacenters. See Microsoft Cloud Infrastructure and Operations overview for information about security, privacy, and compliance.
Q: Can you share your security policy?
Q: Who has access to the data?
A: Only employees with a legitimate business need can access customer data, and all access is on an approval‐only basis. All access is logged and regularly audited.
Q: Is the data encrypted?
A: All data in transit into and out of the production environment is encrypted at all times. Communication with Yammer is over HTTPS (TLS 1.2 supported) regardless of user endpoint (web, desktop app, mobile app, API). In addition to being encrypted in transit, Yammer data is encrypted at rest with AES 256-bit encryption.
Q: What is Yammer’s architecture?
A: Yammer's architecture is driven by the needs of an Enterprise Social Network (ESN). An ESN is successful only if users adopt and engage with the platform. As such, Yammer is architected and developed in a way to support adoption and engagement, allowing rapid iterations of technology.
Yammer is a set of loosely coupled components connected through APIs. These are developed and released independently using a variety of best-in-class code and technologies. Yammer is offered only as a public cloud, multitenant SaaS architecture. We use a data-driven, rapidly iterating development approach and measure the success of the platform using the key metrics of end-user engagement and adoption.
Q: Who owns the data posted in the Yammer network?
A: Data posted into a free Yammer network is owned by the individuals posting that data. Those users are the data controllers for their content. Under Yammer Enterprise, the company becomes the data controller, and ownership of all data transfers to the company. Yammer is a data processor and has no rights to any content or responsibilities for the data posted within a Yammer network.
Q: Do you comply with the data protection act in my country?
A: It is the data controller's responsibility to comply with the data protection legislation that affects them. Yammer has controls in place to facilitate data controllers' (individuals and companies) compliance with their data protection legislation.
Q: Can we perform an on‐site visit or audit of your facilities?
A: Yammer does not permit customers to perform on‐site audits. With over 200,000 customers, this is not feasible, and it is also a risk to the security of the service. We will answer any security questions openly and transparently.
Q: Do you conduct third‐party audits or testing?
A: Penetration tests of the Yammer infrastructure are conducted yearly as part of Office 365.
Q: How is data separated from other customers?
A: Yammer is a true multitenant model. As such, customers’ data is logically separated with strict controls to ensure separation of tenant data.
Q: Can I enforce multifactor authentication?
A: Multifactor authentication can be enforced by using a SAML 1.1- or 2.0-compliant identity provider.
Q: What is the difference between security of an enterprise social network and Facebook?
A: Your Yammer network is private to your company. Only users with a valid and verified email address for your company can join your Yammer network. Yammer was built from the ground up as an Enterprise Social Network with security built‐in at every level and a high degree of control available as well as integration with corporate security systems such as Active Directory and single sign-on.
Q: What is the difference between security of Yammer Basic and Yammer Enterprise?
A: The underlying security of both is identical. Yammer Enterprise brings more administrative control and provides the ability to integrate with other systems (e.g. Active Directory, Active Directory Federation Services, SharePoint, Salesforce).
For details of the administrative controls available in Yammer Enterprise, see Enterprise integrations.
Q: Does Yammer sell our data?
A: No. Yammer does not mine or sell any customer data. All data belongs to the customer (either the user or the company, dependent on the Yammer version in use).
Q: Can I export all my data?
A: Yammer Enterprise allows all messages, notes, and uploaded files to be exported, along with their metadata. The data export can also include any content that has been deleted, if the Soft Delete data retention option has been configured.
Q: Is Yammer covered under the materials in the O365 Trust Center?
A: Yes, it is. See Office 365 Trust Center.
Section 2 – Management
Q: What administrative controls are available to help me manage Yammer?
A: For details of the administrative controls available in Yammer Enterprise, see Enterprise integrations.
Q: How do I manage Yammer on mobile devices?
A: Yammer is available for all major mobile platforms, including Windows Phone, iPhone, iPad, and Android. Users can install the Yammer application from their respective app store. Yammer offers session management capabilities so that a user or administrator can end any Yammer session on any device if required.
Q: How can I manage my users?
A: Only users with a valid and verified company email address can join your Yammer network.
In a free Yammer network, users can invite their colleagues with the same email address suffix to collaborate. Users can also suspend other users from having access to the Yammer network.
In Yammer Enterprise, administrators can provision and remove users in bulk using a .csv file. They can also synchronize with Active Directory to automatically add users who are not already on Yammer and to remove users from Yammer if their Active Directory account is disabled or deleted.
See Bulk Update Users for further information on Bulk Update.
See Plan for Yammer Directory Sync for further information on AD Sync.
Q: What AD attributes are passed by AD Sync to Yammer?
A: See the AD Sync implementation guide: Plan for Yammer Directory Sync.
Q: We have multiple Active Directory forests. Can you sync from all of them?
A: Yes. The sync tool can be configured to use multiple Active Directory forests or domains as data sources. See Plan for Yammer Directory Sync for further details.
Q: How can users without email addresses access Yammer?
A: Yammer works with many large organizations where it is important to hear the voice of all workers, including those without email addresses. In this case, Yammer can grant these users access based on a unique identifier.
Section 3 – Deployment
Q: Can I run a pilot or trial of Yammer?
A: Yammer has a free offering that should be used to run all trials. This is available for anyone to sign up for with their corporate email account at http://about.yammer.com. An Enterprise Social Network (ESN) is successful only if users adopt and engage with the platform. As such, your trial of an ESN should focus on use cases, adoption, and engagement rather than features.
Q: Is Yammer affected by latency?
A: Yammer is focused on delivering a great user experience to encourage adoption and engagement of the platform. As such, a great deal of work has been done to minimize the effects of latency. We encourage customers to try Yammer using the free service to assess the performance for themselves.
Q: What happens to content and users when a Yammer network is upgraded from Free to Enterprise?
A: All content remains in place and all users remain: The Yammer Free network becomes your Yammer Enterprise network, so there is no migration. The functionality for users remains the same. They might notice a new masthead, logo, and usage policy when an administrator puts these in place.
Q: What is the difference between the Basic and Enterprise versions?
A: Yammer is available as a freemium service with most features available free to users with a valid email address from their organization. The main differences are:
Data ownership: Users own the data in the basic version; the organization owns it in the enterprise version.
Integrations: Limited access to the API in the basic version, full access to all integrations (Yammer App Directory and APIs) in the enterprise version.
Admin: Users manage their own profile and content in the free version. In the enterprise version, two levels of admin can manage users, configure the network, monitor and export content or enable and disable some features. Analytics, announcements, and domain merge are available.
Customization: None in the basic version, ability to set up a header, logo, and choose color in the enterprise version.
Compliance: None in the basic version, data export, monitoring, or deletion by admin in the enterprise version.
Support: Online technical support in the free version, Microsoft support, SLA and access to the Yammer Customer Network in the enterprise version.
Q: Can my company’s multiple email SMTP domains be merged together into one Yammer network?
A: Yes. By default, SMTP email suffixes have their own Yammer network. This is in place to ensure that data stays within a certain organization. However, many large organizations have multiple SMTP email domains and, as a result, multiple Yammer networks. Under Yammer Enterprise, these Yammer networks can be merged together so when the user logs on, they enter a single Yammer network for all their colleagues, regardless of which company SMTP email address was used to log on.
Q: What file types can be uploaded to Yammer?
A: There are no restrictions on the file types that can be uploaded.
Q: Why am I seeing different features, colors, or a different layout than my colleagues?
A: As part of Yammer's development methodology, we A/B test all aspects of Yammer and derive the winner using data. The tests are performed on a subset of users across all networks, so these changes don't occur at the network level until they're tested and launched.
Q: What’s the roadmap for Yammer?
A: Yammer's rapid release and iterative development methodology means that change is a constant. The items currently being developed and their stage of development and testing are available here: Office 365 Roadmap.
Q: What are the limitations of the solution (number of users, networks, documents, storage, access, and so on)?
A: Yammer is designed as a SaaS, multitenant environment with scale in mind. The only limit is that of file size. An individual file cannot be larger than 5 GB in Yammer Enterprise (100 MB in Yammer Free). Yammer supports unlimited users, unlimited files, unlimited external networks, and unlimited document types.