Block Yammer Access in Office 365

Since April 2016, Microsoft deprecated Yammer Single Sign On capabilities – up until this point, if you wanted to block users from accessing Yammer, you needed to configure a relying party trust in ADFS / SSO, and block all users who are not members of a specific group. While this feature worked well (in my experience), the updated process that Microsoft implemented is way better, and much easier to implement.

Now, instead of configuring Single Sign On, you only need to do three simple steps to prevent users from accessing Yammer:

1. Enforce Office 365 Identity in Yammer; (more info)
   
2. Block Office 365 users without Yammer licenses; and,
   
3. Remove the user’s Yammer license in Office 365. (more info)
   

The first two of these steps takes less than 5 minutes to complete, but it has an immediate and potentially large impact, so you need to make sure that these changes are planned and the impact accounted for before you do this. If you’re users are not using Yammer yet, all the better – click away!

Enabling Office 365 Identities in Yammer:

Log into your Yammer network, and select Network Admin – Security Settings. You need to be a network admin in order to even see these settings, and if you’re a Global Admin in Office 365, you’ll also be a Network Admin in Yammer, so you should be good to go.

On the Security Settings page, you’ll see a section for Enforcing Office 365 Identity in Yammer. If you’ve never selected either of these fields before, here’s what to expect:

1. When you enforce Office 365 Identities in Yammer, anyone who logged into Yammer with a Yammer account (or created one on their own), will no longer be able to log into your network in Yammer. This is a great way to start consolidating identities, as Yammer used to allow a combination of both Yammer and Office 365 accounts, and a user could have either, or both – quite messy!
   

Once you select the option to Enforce Office 365 Identities, you’ll be able to immediately log all users out, and force them to sign back in, this time with their Office 365 accounts. This is useful if you want to implement an immediate change, but keep in mind that users will be logged out immediately, so communicate this change, or you could have some unhappy users on your hands.

1. Once you are enforcing Office 365 Identities, you can go ahead and click the option to block Office 365 users without Yammer licenses. Once again, you’ll have the option to log all users out of Yammer, so plan your changes and communication accordingly. Note that you can enable both of these options at the same time – you don’t need to wait in between selecting the different options.
   

If you want to go for a softer approach, leave the option unchecked to log out all current users, and these users will be able to continue to use Yammer until the next time they try to log in, at which point, they will require a valid Office 365 account, and a Yammer license assigned to their account.

You still need to click Save before these setting take effect, so you have one last chance to back out if you’re not sure if you’re ready to kick everyone out of Yammer or not!

1. Now that you’ve got your identities consolidated to Office 365, and are blocking Office 365 users without Yammer licenses, simply log back in to Office 365, deselect the Yammer Enterprise option, and click Save.
   

Now when a user without a Yammer license attempts to connect to Yammer by logging in at http://yammer.com, this is what they’ll see:

Note that if you go about this from the opposite direction, removing a user’s license won’t prevent them from accessing Yammer if you haven’t done the first two options. Once you’ve got steps 1 and 2 completed, they will be immediately blocked from logging into Yammer, and will see the error message above.

Remove Yammer licenses globally through PowerShell:

Microsoft provides a script for removing a single user’s Yammer license through PowerShell, but here’s how you would achieve this if you wanted to disable Yammer for all users:

[powershell]
# Connect to the MSOL Service
$credential = Get-Credential
Connect-MsolService -Credential $credential

# Gather all licensed users into a variable
$yammerUsers = Get-MsolUser -All | Where {$_.IsLicensed -eq $true}

foreach ($y in $yammerUsers){
$LicenseDetails = (Get-MsolUser -UserPrincipalName $Y.UserPrincipalName).Licenses

foreach ($License in $LicenseDetails) {

$DisabledOptions = @()
$License.ServiceStatus | ForEach {

If ($_.ProvisioningStatus -eq "Disabled" -or `
$_.ServicePlan.ServiceName -like "*YAMMER*") {
$DisabledOptions += "$($_.ServicePlan.ServiceName)"

}

}

$LicenseOptions = New-MsolLicenseOptions -AccountSkuId $License.AccountSkuId -DisabledPlans $DisabledOptions
Set-MsolUserLicense -UserPrincipalName $y.UserPrincipalName -LicenseOptions $LicenseOptions

}
}
[/powershell]

Please note that this script will remove all Yammer licenses globally, and no-one will be able to log into Yammer until you have gone back and re-enabled their Yammer Enterprise license. The good news is that this change doesn’t delete anything in Yammer, and once a license has been reassigned in Office 365, users can log back in as normal. As always, scripts are provided without warranty or guarantee – be smart and test scripts before releasing them in the wild and making global changes to your tenant!