In this article i will give you a guide on enabling and turning on Microsoft Purview Information barriers (IB) , with fokus on Microsoft Teams – this can be relevant across many sectors and industries catering for legal requirements, aswell as in schools and/ or higher education as a means to contain students in segments.
What are IB’s
Office 365 Information Barriers are like the bouncers of the digital office party that is Microsoft Teams, SharePoint, and OneDrive.
- Purpose? To stop unwanted mingling! Imagine keeping the gossipy sales team away from the secret-keeping R&D crew. It’s like keeping the cats away from the goldfish bowl.
- What they do? They’re the strict parent saying, “No chatting, calling, or file-sharing for you two!”
- Setting Rules: Admins play matchmaker (or anti-matchmaker), deciding who can and can’t mingle based on things like what team jersey (department) they wear.
- Enforcer: Once the rule is set, Office 365 turns into the ultimate gatekeeper, keeping an eagle eye out for rule-breakers.
- Memory like an elephant: Every move, every block – it’s all noted down for that “I told you so” moment.
In short, Information Barriers are the digital equivalent of “You shall not pass!” in the world of Office 365.
Common scenarioes
- Education: Students in one school aren’t able to look up contact details for students of other schools.
- Legal: Maintaining the confidentiality of data that is obtained by the lawyer of one client and preventing it from being accessed by a lawyer for the same firm who represents a different client.
- Government: Information access and control are limited across departments and groups.
- Professional services: A group of people in a company is only able to chat with a client or a specific customer via guest access during a customer engagement.
Required subscriptions and permissions
Before you get started with IB, you should confirm your Microsoft 365 subscription and any add-ons. To access and use IB, your organization must have supporting subscriptions or add-ons. For more information, see the subscription requirements for information barriers. In this link https://aka.ms/M365EnterprisePlans
The required permissions to configure this are any of the following:
- Microsoft 365 global administrator
- Office 365 global administrator
- Compliance administrator
- IB Compliance Management
- Teams administrator (for turning on Search by name in TAC)
The plan for this Information Barrier design
Department (IB segment) | CAN communicate with | CANNOT communicate with |
Consultants | Everyone | N/A |
HR | Everyone | N/A |
Development | Consultants, HR | Research |
Research | Consultants, HR | Development |
To cater for this plan, we must define and implement theese two IB policies:
- An IB policy designed to prevent Developmen from communicating with Research
- Another IB policy to prevent Research from communicating with Development.
For this scenario, it’s not necessary to define IB policies for Consultants and HR – as they can communicate with everyone.
To define the scopes i will use the existing Entra ID attributes in the department attribute.
Its fully up to you which of the available attributes in Entra ID you want to utilize for building the segments These attributes can include department, job title, location, team name, and other job profile details. You’ll assign users or groups to segments with these attributes.
Segments are sets of groups or users that are defined in the compliance portal or by using PowerShell that uses selected group or user account attributes.
Your organization can have up to 5,000 segments and users can be assigned to a maximum of 10 segments.
Please note this article assumes your tenant is in legacy mode – in the future multiple-segment will be a more common configuration – but still not available for all tenants.
Check out more details on Multi-segment feature here: https://learn.microsoft.com/en-us/purview/information-barriers-multi-segment#check-the-ib-mode-for-your-organization
You can check the setting in your tenant by doing the following:
Connect to exchange-online powershell
Microsoft Teams
To enable Microsoft Teams to respect IB policyes its mandatory to enable Search by name – not this can take up to 24 hours to take effect.
Read more on this requirement here: https://learn.microsoft.com/en-us/MicrosoftTeams/teams-scoped-directory-search
To turn on search by name
- In the Microsoft Teams admin center, select Teams > Teams settings.
- Under Search by name, next to Scope directory search using an Exchange address book policy, turn the toggle On.
For Microsoft Teams, information barriers can determine and prevent the following kinds of unauthorized collaborations:
- Adding a user to a team or channel
- User access to team or channel content
- User access to 1:1 and group chats
- User access to meetings
- Prevents lookups and discovery, users won’t be visible in the people picker.
Lets start working
This is all perfectly doable in Powershell – but i will use the Purview portal to advertise a bit for that
In powershell the 2 cmd-lets used are New-OrganizationSegment and New-InformationBarrierPolicy – both part of the compliance module.
So hop over to the Purview Admins portal:
https://compliance.microsoft.com/
Go to Information barriers – and then lets create the first segment we need.
Although for the scope defined in my plan i really only need 2 segments – but i will go ahead and create all 4 departments to cater for future usecases. – Remember the attribute can be departmental, geographical or whatever suits your specific need.
Choose a name – click next – set the attribute – click next and youre done.
After you defined the segments -. its time to build the actual policyes.
Go to Polices section.
And create new – give the policy a name – to prevent colliding with other types for instance retention policyes I always append IB at the end to designate this as a IB policy
First page define the scope for the policy, meaning the department that should be affected by it.
Click next and the select the policy, if it should be allowed og blocked – and the specific department thats in scope for the block/ allow policy
So to create the policy for Research – the first scope would be Research, and the for “communication and collaboration details” select “Blocked” and department “Development
So now we have 2 policyes running as active
Only thing missing is policy application and wait.
To apply policyes go to “Policy application” and click apply all – depending on the size of your directory i might take some time
Allow 30 minutes for the system to start applying the policies. The system applies policies user by user. The system processes about 5,000 user accounts per hour.
After policyes are created its possible to toggle them active / Inactive, either in the GUI or by means of Powershell Set-InformationBarrierPolicy -Identity GUID -State Active
Thats it – your Teams usage is now monitored and controlled by your own tenant bouncer 🙂
Examples of user experience
As a user in the Research department, I try to makle a Teams call to a user in Development department
Here as a user in the Development dept. I try to create a chat with a user in the research dept.
So what about Sharepoint and Onedrive
The policyes do apply to both, BUT you must enable it in your tenant – and for Sharepoint its important to understand the main changes are enabling this.
And there are some different IB modes in sharepoint that you need to understand.
For SharePoint, information barriers can determine and prevent the following kinds of unauthorized collaborations:
- Adding a user to a site
- User access to a site or site content
- Sharing a site or site content with other users
The 4 different modes are:
Mode | Description | Examples |
---|---|---|
Open | When a SharePoint site doesn’t have segments, the site’s IB mode is automatically set as Open. See this section for details on managing segments with the Open mode configuration. | A Team site created for picnic event for your organization. |
Owner Moderated | When a SharePoint site is created for collaboration between incompatible segments moderated by the site owner, the site’s IB mode should be set as Owner Moderated. See this section for details on managing Owner Moderated site. | A site is created for collaboration between VP of Sales and Research in the presence of VP of HR (site owner). |
Implicit | When a site is provisioned by Microsoft Teams, the site’s IB mode is set as Implicit by default. A SharePoint Administrator or Global Administrator can’t manage segments with the Implicit mode configuration. | A Team is created for all Sales segment users to collaborate with each other. |
Explicit | When segment is added to a SharePoint site either via end-user site creation experience or by a SharePoint Administrator adding segment to a site, the site’s IB mode is set as Explicit. See this section for details on managing segments with the Explicit mode configuration. | A research site is created for Research segm |
The Sharepoint / Onedrive modes and settings are very well described in this article https://learn.microsoft.com/en-us/purview/information-barriers-sharepoint
Thats it for now on Purview information barriers.