Inconvenient SharePoint Online links in private Yammer groups

We love Yammer! That being said, as a company we are quite small and we are not using it as we should, but we are trying to: for instance, by having a discussion on a draft document that is stored in SharePoint. This is where I noticed things got tricky.

SharePoint permissions

As most companies do, we have an HR site collection in SharePoint Online that is accessible to Management and HR only. Most of the time HR documents contain highly sensitive information: not only the contents of the document, but the filename as well.

Yammer private groups

Just as HR has a private site collection, we also created a private Yammer group (not listed in the directory) where HR business can be discussed. This private group is accessible to the same users that have permission to access our SharePoint HR site collection.

SharePoint link in Yammer group

When discussing a document, we don't upload it to Yammer; we collaborate in SharePoint and post the link to the document in the private Yammer group. This is where an employee contacted us to say that he was able to find a document on Yammer that he shouldn't have access to. SAY WHAT!?

Indexing ‘from the web’ objects

After contacting Microsoft support, this is what we concluded. When a link from a trusted product (like SharePoint) is added to Yammer, a page for that link is created. This page contains the metadata of the link, such as the location (URL) and the filename. Searching in Yammer for a term that matches the filename will show this page in the results. The discussion remains hidden from users who are not in the private group, and when such a user clicks the link he gets an access denied. Still, the filename of a document can be highly sensitive.

I reproduced it in this scenario.

Posted MyHiddenFile in Hidden Library.

Copied the link from SP into the private Yammer group.

Logged in as a different user without permissions, I can search for MyHiddenFile in Yammer.

I can view the object page in Yammer seeing metadata of the file.

When clicking the link it gives an access denied (sorry for the Dutch).

Beware!

If you are using this type of collaboration, you have to be aware of this. It's not likely that people will find these documents using a search term that matches the filename, but in the case of HR the name of an employee is sometimes part of the filename. That makes it more of a risk when the link is posted to Yammer.

Microsoft support has acknowledged: “we have identified that this issue is a product limitation at the moment”. This means that there is only a workaround for now and that is uploading the document into the private Yammer group instead of SharePoint.
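To find links already posted to private groups whose filename would surface in search, the posts can be audited against a list of sensitive terms. The script below is an added example, not part of the original post or any Microsoft tooling; it assumes the messages are available as simple records (for example from a data export), and the field names, the `contoso` tenant, the viewer-style `file=` link and the sample filenames are all constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def linked_filenames(body):
    """Yield the filename of every SharePoint Online link in a message body."""
    for url in URL_RE.findall(body):
        parsed = urlparse(url.rstrip(".,;)"))
        if not (parsed.hostname or "").lower().endswith(".sharepoint.com"):
            continue
        # Viewer links carry the name in a "file" parameter, direct links in the path.
        from_query = parse_qs(parsed.query).get("file")
        name = from_query[0] if from_query else unquote(parsed.path.rsplit("/", 1)[-1])
        if name:
            yield name

def normalize(text):
    """Lower-case and turn separators into spaces: 'Jan_de-Vries' -> 'jan de vries'."""
    return re.sub(r"[\W_]+", " ", text.lower()).strip()

def audit(messages, sensitive_terms):
    """Flag private-group posts whose linked filename contains a sensitive term."""
    terms = [normalize(t) for t in sensitive_terms if normalize(t)]
    findings = []
    for msg in messages:
        if not msg["group_private"]:
            continue  # filenames in public groups are visible by design
        for name in linked_filenames(msg["body"]):
            padded = f" {normalize(name)} "  # whole-word match: "jan" != "january"
            hits = [t for t in terms if f" {t} " in padded]
            if hits:
                findings.append({"message_id": msg["id"], "filename": name, "terms": hits})
    return findings

# Constructed sample posts; tenant, field names and filenames are assumptions.
SAMPLE_MESSAGES = [
    {"id": 1, "group_private": True, "body": "Draft: https://contoso.sharepoint.com"
     "/sites/hr/Hidden%20Library/Dismissal_Jan-de-Vries.docx, please review."},
    {"id": 2, "group_private": True, "body": "Template: https://contoso.sharepoint.com"
     "/sites/hr/Hidden%20Library/MyHiddenFile.docx"},
    {"id": 3, "group_private": False, "body": "https://contoso.sharepoint.com"
     "/sites/all/Newsletter_Jan_de_Vries.docx"},
    {"id": 5, "group_private": True, "body": "https://contoso.sharepoint.com/sites/hr/_layouts"
     "/15/WopiFrame.aspx?sourcedoc=%7B0000%7D&file=Salary%20Jan%20de%20Vries.xlsx&action=default"},
]
SENSITIVE_TERMS = ["Jan de Vries", "dismissal"]  # constructed: employee name + HR keyword

if __name__ == "__main__":
    print(audit(SAMPLE_MESSAGES, SENSITIVE_TERMS))
```

Flagged posts are candidates for the workaround above, or for renaming the file before its link is shared.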

I’ve made a suggestion in the Office 365 UserVoice for improving Yammer on this. You can give your vote here: https://office365.uservoice.com/forums/284493-yammer/suggestions/8625865-hide-metadata-from-sharepoint-links-in-private-gro
