Quick Yammer tip: controlling external group creation

What do IT pros usually do when they don’t understand something or don’t have a clear direction? KILL IT! Kill it before something happens that we don’t understand!!!!

I’ve seen this a lot with Yammer external groups. IT doesn’t want users creating external groups because of data leakage or other compliance/governance concerns, so they disable the feature. The problem is that in Yammer this approach also stops users from accessing external groups hosted in other networks.

This scenario gives rise to “Shadow IT” as users tend to find their way around IT and will find other tools like Slack, Facebook, Google Groups, and any number of others.

In some instances, IT wants to block users accessing external groups in Yammer completely. Unfortunately, there’s a big problem with this approach because users then turn to LinkedIn as it is generally not blocked, and has a community / group aspect where IT has no control. Often people will use their own phones to access services blocked by the corporate firewall/proxy. Or in cases like Yammer they might get an account created in someone else’s Yammer network and join the groups anyway (I and a few others I know play host to such wayward users who still want to participate in conversations, but their IT department has disabled external groups).

There are two things IT departments can do here:

Allow users to access external groups, but prevent their ability to create them.

If you check the checkbox in the picture below, external groups will no longer work.

What other users in those external groups will see is this:

In one external group I’m a member of we’ve turned it into a sport to use memes and GIFs to make light of people disappearing in this manner. (The organisation in the screenshot below had the name “Connect” as part of their name.)

So, what’s the tip here? There is a way to prevent the creation of external groups by users, but still allow them to join external groups they have been invited to. You can read more in this support article: https://support.office.com/en-us/article/Create-and-manage-external-groups-in-Yammer-9ccd15ce-0efc-4dc1-81bc-4a424ab6f92a

Unfortunately, it’s not a setting you can change yourself, and instead you’ll need to contact support from within the Office 365 admin panel.

Get your house in order

As I mentioned earlier, users tend to find their way around blocks and restrictions, which is actually worse for governance and compliance than giving them access to something that isn’t completely managed in the first place.

As new services pop up that IT doesn’t necessarily know about, users will subscribe to them, which results in more shadow IT. Sure, you can block Facebook or Slack, but if you start blocking Google or LinkedIn that will cause real problems – and there are plenty of other community and group chat solutions out there.

So instead of burying your head in the sand and turning things off or blocking access – prioritise the compliance and governance frameworks needed to support the use of tools like Yammer or more recently Microsoft Teams. This may require actually investing the time and effort to build a robust policy as well as potentially procuring a third-party monitoring system, but it’s better to be on the front foot with appropriate guidance and measures than annoying users and losing control of data.

Comparing attachments to sharing guest links

For a number of years I have avoided the use of attachments where possible, and those who know me are aware that sending me an email with an attachment will usually be answered with something like “could you not share this? Let me introduce you to OneDrive for Business…. again”.

Sometimes however it does make sense to send an attachment, especially where the document didn’t originate from you or in the case where you actually don’t care to keep the file.

The focus of this blog post is to compare sending attachments to external recipients, vs. sharing guest links from SharePoint Online or OneDrive for Business (or Office 365 Groups).

I often give the example of a new sales person I was recruiting with the assistance of an external consulting firm. We had completed all rounds of interviews and were ready to hire. I sent around the letter of offer and employment agreement to two of my colleagues to check. One came back and said everything was ok. So instead of sending the document as an attachment in PDF I chose to share the file as a guest link from our SharePoint Online site with View Only access. I then left the office for a lunch meeting, leaving my computer at the office. While waiting at the tram stop I got an email from the other colleague informing me that I’d used the wrong word.

Instead of having to go back to the office, make the change, and then email an updated PDF – I simply opened the document on my phone, edited it, and then closed the app. Because I’d shared a guest link to the file I didn’t have to email anybody anything, or even inform them!

The challenge of sharing guest links is that you have virtually no control of what happens to the content after you send out the link, so you cannot see who is accessing it and who else it has been shared with.

The same can be argued of email attachments. To simplify the comparison, I’ve put together the following table outlining the pros and cons of the two methods of sharing content with external people.

Pros of emailing attachments:
  • Simple, easy to do
  • Any attachment type
  • Can apply Data Loss Prevention policies and Exchange transport rules to monitor for restricted content and audit or apply actions

Pros of sharing guest links:
  • Simple, easy to do
  • Any attachment type
  • Can specify expiration of link (e.g. valid for xx days)
  • Can stop sharing at any time
  • Email stays to a few kilobytes when including URL instead of file

Cons of emailing attachments:
  • Can delay email being sent in the case of large attachment or bandwidth limitations
  • Cannot recall once email has left the organisation
  • Cannot stop document from being shared with others

Cons of sharing guest links:
  • No visibility into who is opening the link

While it is possible to also disable guest links and allow only name-based sharing with external parties (eg. where the external person must have an Office 365 or Microsoft account in order to access it), the purpose of this blog post was to compare the concept of blind sharing of files as is done via email attachments and sharing guest links.

Microsoft provides a good support page that outlines the different ways sites & files can be shared with people outside of your organisation.

To those organisations who choose not to enable sharing guest links because of fear of data leakage: unless you have set up DLP rules or implemented Azure Information Protection then it is a moot point as the data is unprotected regardless of transmission medium, and users will find a way to get the content to the other person one way or another.

Ideally organisations should approach sharing & security together – you shouldn’t have one without the other. Often organisations choose the security by obscurity route of “if I don’t give it to my users then it won’t happen”. Shadow IT has already proven that wrong (thank you Dropbox!), and so it is important that organisations promote new ways of working and provide their staff with the ability to simply and quickly share content with external parties – while making sure security is adhered to without requiring user intervention.