Smart Yammer Group Membership Using AAD?

We have a business requirement to ensure that only management-approved users can be added to certain "secret" Yammer groups. Is there a way to prevent a Yammer group owner from accidentally adding a non-approved user to a group?

Here is an example.

I created a Yammer group called ProjectCondor. Only the following people approved by management are allowed to have access to this ProjectCondor Yammer group: Aaron, Brett, & Bart. The Yammer group owner, Aaron, attempts to add Sue to the Yammer group. Since Sue has not been approved by management, a mechanism should prevent Aaron from adding Sue to the Yammer group.

The mechanism in this case would ideally be an AAD group because we already have an internal approval process for AAD group membership requests. When about to add a member to a Yammer group, Yammer checks whether there is an associated AAD group tied to the Yammer group. If there is, it checks whether the person being added to the Yammer group is listed in the AAD group.

A tool then to control membership to the ProjectCondor Yammer group against an AAD group would be ideal where the business owner only needs to manage their AAD group such that new and removed AAD group members are subsequently added and removed from the Yammer group automatically.

Could Flow be used to get management approval for Yammer group membership?

Today, each Yammer group owner would have to manually check the AAD group before adding a member and routinely review AAD group membership to ensure members are promptly removed from the Yammer group.

After reading what I wrote, I know it sounds convoluted, but when attempting to use O365 for sensitive information and protect us from ourselves, it is not always straightforward. I see a similar use case existing for other O365 workloads. In fact, imagine using AAD dynamic groups to drive a division or department's Yammer group or SharePoint site.

0 Replies
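
The membership check and add/remove sync described in the post can be sketched as a reconciliation over two exported member lists. This is an added example, not part of the original post and not a Yammer or AAD feature; the record shape, the `contoso.example` addresses and the function names are assumptions, and how the two lists are exported is left out.

```python
"""Added example: reconcile a Yammer group against its approving AAD group."""


def norm(address):
    # Compare identities case-insensitively, ignoring surrounding whitespace.
    return address.strip().lower()


def may_add(candidate, approved):
    """Gate check: only identities listed in the AAD group may be added."""
    return norm(candidate) in {norm(a) for a in approved}


def reconcile(approved, yammer_members):
    """Return the changes that bring the Yammer group in line with the AAD group."""
    approved_set = {norm(a) for a in approved}
    if not approved_set:
        # An empty approved list is more likely a failed export than a decision
        # to remove everyone, so stop instead of planning mass removals.
        raise ValueError("approved list is empty; refusing to plan removals")
    current = {norm(m["email"]): m for m in yammer_members}
    remove = sorted(e for e in current if e not in approved_set)
    add = sorted(approved_set - current.keys())
    # An unapproved owner can keep re-adding people, so report owners separately.
    owners = [e for e in remove if current[e].get("role") == "owner"]
    return {"add": add, "remove": remove, "unapproved_owners": owners}


# Constructed sample data using the names from the post (hypothetical domain).
AAD_PROJECTCONDOR = [
    "Aaron@contoso.example",
    "brett@contoso.example",
    "bart@contoso.example",
]
YAMMER_PROJECTCONDOR = [
    {"email": "aaron@contoso.example", "role": "owner"},
    {"email": "Brett@Contoso.example ", "role": "member"},
    {"email": "sue@contoso.example", "role": "member"},
]

if __name__ == "__main__":
    print("Sue may be added:", may_add("sue@contoso.example", AAD_PROJECTCONDOR))
    print(reconcile(AAD_PROJECTCONDOR, YAMMER_PROJECTCONDOR))
```
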