Separation of business units in Microsoft 365 - with Information Barriers!
In a company, there may be areas that, for whatever reason, are not allowed to exchange information with each other, e.g., highly sensitive data. Another example could be the strict separation of pilot scenarios in which different areas of the company are supposed to test certain functions, but mutual access is not permitted.
In these cases, information barriers (IB) can be set up to create virtual barriers between these areas and prevent employees from communicating and collaborating with each other.
What are Information Barriers?
Information barriers are a compliance feature within Microsoft 365 that restrict the exchange of data and information between defined users or company departments. This can help prevent unwanted data leakage and restrict the disclosure of confidential information.
Information barriers are applied to Teams, SharePoint Online, and OneDrive for Business. Exchange Online is not affected. This means that other measures (such as Purview sensitivity labels with corresponding policies) must be taken for Exchange Online to apply similar protection.
Licensing
Using information barriers requires a license for each user of the service. One of the following packages or add-ons can be assigned for this purpose:
- Office 365 E5
- Microsoft 365 A1 or higher
- Microsoft 365 E5/F5
- Microsoft Purview Suite
- Insider Risk Management addon
Permissions
Configuring information barriers requires one of the following roles; the least privileged role that suffices should be used:
| Role | Permission |
|---|---|
| IB Compliance Management | Manage the solution Information Barriers |
| Compliance Administrator | Full access to all Purview solutions |
| Global Administrator | Full access to all services |
In addition, permissions may be required if special user attributes are to be maintained for segmentation or Microsoft 365 groups are to be created (e.g., user administrator or group administrator). It is recommended to assign segments based on groups, as this is the easiest way to keep track of them. In addition, existing groups should not be reused for this purpose; instead, new groups should be created explicitly to avoid creating dependencies.
Prerequisites
Define the desired goals
Before implementation begins, it is important to define which constraints should be achieved and what must not be restricted. The following questions, among others, are relevant in this regard:
- Should employees be completely separated from each other (i.e., no communication, file sharing, adding to Teams/SharePoint sites, etc.) or should some functions remain available?
- Should the use of files in Teams/SharePoint Online/OneDrive be generally prohibited, or should files be able to be uploaded and used?
Once the goals are clearly defined, a corresponding implementation plan can be designed.
Enable audit logging
Audit logging is enabled by default in Microsoft 365. In older tenants, however, it may not have been turned on yet. This can be checked in the Purview portal: if no activation banner is displayed, audit logging is enabled.
Enable Exchange address book policies for Teams
Information barriers use Exchange address book policies in the background to restrict mutual visibility among segment members. This is not enabled by default and must therefore be explicitly activated.
Note: After activation, it takes up to 24 hours for the function to actually become active! Do not proceed with the configuration before this time has elapsed!
- Open the Teams Admin Center
- Switch to the “Search by name” section
- Enable “Restrict directory search with an Exchange address book policy”
Enable support in SharePoint Online
Information barriers are disabled by default in SharePoint Online and must first be enabled. This can only be done via PowerShell:
```powershell
# Check whether the required module is installed and install it if not
if (!(Get-InstalledModule Microsoft.Online.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Install-Module Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
}
# Connect to SharePoint Online (admin site URL, e.g. https://contoso-admin.sharepoint.com)
Connect-SPOService -Url <SharePoint admin site URL>
# Enable support for information barriers
Set-SPOTenant -InformationBarriersSuspension $false -IBImplicitGroupBased $true
```
Note: After executing the commands, it may take up to 1 hour for the settings to take effect. Only then can you proceed with configuring IB mode for the sites, if necessary!
Create groups (optional)
If you decide to use groups to assign users, you must create Microsoft 365 groups for this purpose, as Purview is technically dependent on Exchange Online and Exchange Online can only process email-enabled groups.
The groups can be created as usual via the Entra Admin Center. Important: For all groups, the default welcome message that is sent when users are added should be deactivated. Alternatively, users should be informed accordingly before being added to avoid confusion and an increased volume of helpdesk requests.
```powershell
# Check whether the required module is installed and install it if not
if (!(Get-InstalledModule ExchangeOnlineManagement -ErrorAction SilentlyContinue)) {
    Install-Module ExchangeOnlineManagement -Scope CurrentUser
}
# Connect to Exchange Online
Connect-ExchangeOnline
# Create the group and disable the welcome message
New-UnifiedGroup -DisplayName <group name> -Alias <group alias>
Set-UnifiedGroup -Identity <group name> -UnifiedGroupWelcomeMessageEnabled:$false
```
Configuration of information barriers
Setting the segment parameters
Users must be added to so-called segments in order to separate them from each other on this basis. Segments can be formed on the basis of user attributes or group memberships, for example.
Accordingly, it must be determined how users are to be assigned to a segment. The corresponding attribute or the groups created for this purpose must then be used for this.
Create segments
Next, the segments must be created via the Purview portal:
- Open the Purview portal
- Choose “+ New Segment”
- Assign names, e.g., names of the Entra ID group or in accordance with any existing naming concept (e.g., ABC-PVW-IBA-SEG-<Description>).
- Select the selected attribute or “Member of” as the group filter if a group is to be used. ATTENTION: For a group, either the ID or the email address must be stored; the name does not work!
- Complete creation and repeat steps for additional segment(s).
Users are not yet assigned to segments; this only happens after a policy has been created and activated.
Create a policy
After creating the segments, a policy must be created that defines whether communication between the segments should be allowed or blocked.
IMPORTANT: A policy must be created in all cases—even if communication is to be allowed. Otherwise, users will not be assigned to the segments; this only happens after a policy has been activated!
- Open the Purview portal
- Choose “+ Create policy”
- Assign names, e.g., mode and names of Entra ID groups or according to an existing naming concept (e.g., ABC-PVW-IBA-POL-ALLOW-<segment1>-<segment2>)
- Assign one of the segments (only one segment can be assigned in this step)
- Select the desired mode under “Communication and collaboration”
- Under “Select segment”…
- …select all segments if the mode is configured as “Allowed”
- …select only the other segment if the mode is configured as “Blocked”
- Leave the policy status as “Disabled” for now and complete the creation process.
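The same segments and policies can be created with the Security & Compliance PowerShell cmdlets instead of the portal. The following script is an added example, not code from the original article; the segment names, policy names and group addresses are placeholders following the naming pattern suggested above, and the policy is created in the “Inactive” state just as the portal steps leave it “Disabled”.

```powershell
# Added example (not from the original article): create segments and policies via PowerShell.
# Group addresses and names below are placeholders.
Connect-IPPSSession

# Segment name -> email address of the Microsoft 365 group that defines it.
# The filter must use the group's email address or object ID; the display name does not work.
$segments = @{
    'ABC-PVW-IBA-SEG-ProjectA' = 'ib-project-a@contoso.com'
    'ABC-PVW-IBA-SEG-ProjectB' = 'ib-project-b@contoso.com'
}

foreach ($name in $segments.Keys) {
    # Create each segment only once so the script can be re-run safely
    if (-not (Get-OrganizationSegment -Identity $name -ErrorAction SilentlyContinue)) {
        New-OrganizationSegment -Name $name -UserGroupFilter "MemberOf -eq '$($segments[$name])'"
    }
}

# "Blocked" mode: assign one segment and name only the other segment as blocked.
New-InformationBarrierPolicy -Name 'ABC-PVW-IBA-POL-BLOCK-ProjectA-ProjectB' `
    -AssignedSegment 'ABC-PVW-IBA-SEG-ProjectA' `
    -SegmentsBlocked 'ABC-PVW-IBA-SEG-ProjectB' `
    -State Inactive

# The mirror policy for the other segment, following the same pattern.
New-InformationBarrierPolicy -Name 'ABC-PVW-IBA-POL-BLOCK-ProjectB-ProjectA' `
    -AssignedSegment 'ABC-PVW-IBA-SEG-ProjectB' `
    -SegmentsBlocked 'ABC-PVW-IBA-SEG-ProjectA' `
    -State Inactive

# "Allowed" mode alternative: list every segment (including the assigned one) that may communicate.
# New-InformationBarrierPolicy -Name 'ABC-PVW-IBA-POL-ALLOW-ProjectA-ProjectB' `
#     -AssignedSegment 'ABC-PVW-IBA-SEG-ProjectA' `
#     -SegmentsAllowed 'ABC-PVW-IBA-SEG-ProjectA','ABC-PVW-IBA-SEG-ProjectB' `
#     -State Inactive

# Review what was created before anything is activated
Get-InformationBarrierPolicy | Format-Table Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State
```

Nothing takes effect at this point: the policies stay inactive until they are activated and `Start-InformationBarrierPoliciesApplication` is run, as described in the “Start processing” section.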
Configuring explicit mode for SharePoint sites
If communication between users via Teams is to remain permitted, but users must be prevented from inviting each other to their Teams and SharePoint sites, the sites must be actively assigned to the respective segment. This is referred to as explicit mode.
The configuration can be done via the SharePoint Admin Center using the properties of the respective site or via PowerShell. If the company uses many sites, setup via PowerShell is more effective:
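For tenants with many sites, the single `Set-SPOSite` call can be driven from a mapping table. The following script is an added example that is not part of the original article; the site URLs, segment names and admin URL are placeholders, the mapping is constructed inline where a CSV export would normally be used, and the `InformationSegment` property read back at the end is assumed to be exposed by `Get-SPOSite`.

```powershell
# Added example (not from the original article): assign segments to many SharePoint sites.
# URLs and segment names are placeholders.
Connect-IPPSSession
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Resolve segment names to their GUIDs once instead of looking them up per site
$segmentIds = @{}
Get-OrganizationSegment | ForEach-Object { $segmentIds[$_.Name] = $_.ExoSegmentId }

# Constructed mapping of site -> segment; in practice this comes from Import-Csv
$siteMap = @(
    @{ Url = 'https://contoso.sharepoint.com/sites/ProjectA'; Segment = 'ABC-PVW-IBA-SEG-ProjectA' }
    @{ Url = 'https://contoso.sharepoint.com/sites/ProjectB'; Segment = 'ABC-PVW-IBA-SEG-ProjectB' }
)

foreach ($entry in $siteMap) {
    $id = $segmentIds[$entry.Segment]
    if (-not $id) {
        # A typo in the mapping must not silently leave a site unsegmented
        Write-Warning "Unknown segment '$($entry.Segment)' for $($entry.Url); skipped"
        continue
    }
    Set-SPOSite -Identity $entry.Url -AddInformationSegment $id
}

# Read the assignment back so the result can be checked against the mapping
foreach ($entry in $siteMap) {
    Get-SPOSite -Identity $entry.Url | Select-Object Url, InformationSegment
}
```

Resolving the GUIDs once and warning on unknown segment names keeps a large run from partially succeeding without anyone noticing which sites were skipped.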
```powershell
# Connect to Purview and SharePoint Online (admin site URL, e.g. https://contoso-admin.sharepoint.com)
Connect-IPPSSession
Connect-SPOService -Url <SharePoint admin site URL>
# Retrieve segment IDs
Get-OrganizationSegment | Format-Table Name, ExoSegmentId
# Assign the segment to the SharePoint site
Set-SPOSite -Identity <Site-URL> -AddInformationSegment <Segment-GUID>
```
Start processing
Once all preparatory work is complete, the policy can be activated and processing started. This step is mandatory; otherwise, the configuration will not be applied. Processing is started using the following PowerShell command:
```powershell
# Connect to Purview (Security & Compliance PowerShell)
Connect-IPPSSession
# Start applying the information barrier policies
Start-InformationBarrierPoliciesApplication
```
Processing may take some time depending on the number of users and sites. Typically, 5000 users require approximately 1 hour of processing. Once the policy is enabled, the following commands can be used to check whether a user has been assigned to a segment:
```powershell
# Connect to Exchange Online
Connect-ExchangeOnline
# Check whether the mailbox has been assigned a segment
Get-Recipient -Identity <email address> | Format-List *segment*
```
Disable file upload (optional)
In some situations, it may also be necessary to globally disable file uploads in Teams, SharePoint Online, and OneDrive. The following article shows how this works: Use Teams for audio/video only? Works!
Remove Information Barriers
If information barriers are to be removed at a later date, it is important to carry out the steps in the correct order:
- Set the policy to “Disabled”.
- Reconfigure segments so that no users are assigned to them (e.g., by entering incorrect data or configuring an empty group).
- Wait for the cleanup process to complete or run it immediately using the following PowerShell command:
```powershell
# Start cleanup manually
Start-InformationBarrierPoliciesApplication -CleanupGroupSegmentLink
```
- Delete policy
- Delete segments
- Clean up the attribute for all users or delete any created groups.
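The status check from the “Start processing” section and the removal order above, combined into one script. This is an added example, not code from the original article; the policy and segment names, the user addresses and the empty group `ib-empty@contoso.com` used to detach the segments are placeholders.

```powershell
# Added example (not from the original article): verify policy application and
# remove information barriers in the order described above. Names are placeholders.
Connect-IPPSSession

# 1. Has the last application run finished? Inspect Status before relying on the result.
Get-InformationBarrierPoliciesApplicationStatus -All | Format-List

# 2. Are two users actually separated? Reports the policy that blocks them, if any.
Get-InformationBarrierRecipientStatus -Identity 'alice@contoso.com' -Identity2 'bob@contoso.com'

# 3. Removal, step by step.
$policies = 'ABC-PVW-IBA-POL-BLOCK-ProjectA-ProjectB', 'ABC-PVW-IBA-POL-BLOCK-ProjectB-ProjectA'
$segments = 'ABC-PVW-IBA-SEG-ProjectA', 'ABC-PVW-IBA-SEG-ProjectB'

# Step 1: set the policies to Inactive ("Disabled" in the portal)
foreach ($p in $policies) {
    Set-InformationBarrierPolicy -Identity $p -State Inactive
}

# Step 2: point every segment at an empty group so that no user matches it any longer
foreach ($s in $segments) {
    Set-OrganizationSegment -Identity $s -UserGroupFilter "MemberOf -eq 'ib-empty@contoso.com'"
}

# Step 3: run the cleanup now instead of waiting for the scheduled run,
# then check Get-InformationBarrierPoliciesApplicationStatus until it has finished
Start-InformationBarrierPoliciesApplication -CleanupGroupSegmentLink

# Steps 4 and 5: only after the cleanup has completed, delete policies, then segments
foreach ($p in $policies) {
    Remove-InformationBarrierPolicy -Identity $p -Confirm:$false
}
foreach ($s in $segments) {
    Remove-OrganizationSegment -Identity $s -Confirm:$false
}
# Step 6 (not scripted here): delete the Microsoft 365 groups or clear the user attribute.
```

Deleting the policies before the cleanup has finished leaves users linked to segments that no longer have a governing policy, which is exactly the state the ordering above is meant to avoid.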