Section 16 – Implement and manage Microsoft Purview Information Barriers (IBs)

Plan for IBs

This table summarizes the features where Information Barriers (IB) policies can restrict communication and collaboration within your organization.

Feature | Microsoft Teams | SharePoint & OneDrive | Exchange Online
Communication | Yes | No | No
Searching for users | Yes | No | No
Chat (individual & group) | Yes | No | No
Meetings | Yes | No | No
Collaboration | Yes | Yes | No
Adding members | Yes | Yes | No
Sharing files/content | Yes | Yes | No
Accessing content | No | Yes | No

Additional Notes:

  • Information barriers only support two-way restrictions. Users in separate segments cannot communicate/collaborate even if one initiates.
  • For email communication restrictions, use Exchange mail flow rules.
  • Information barriers in Exchange differ based on your organization’s mode (single-segment, multi-segment, or legacy).

Create and manage IB segments and policies

To manage IB policies, you must be assigned one of the following roles:

  • Microsoft 365 global administrator
  • Office 365 global administrator
  • Compliance administrator
  • IB Compliance Management

Object/Concept | Description
User Account Attributes | Details defined in Microsoft Entra ID (or Exchange Online) such as department, job title, location, etc. Used to assign users/groups to segments.
Segments | Sets of users or groups defined in the compliance portal or PowerShell based on user attributes. Up to 5,000 segments supported (except Legacy mode). Users can be assigned to a maximum of 10 segments.
Legacy Mode | An older version of IB with limitations. Supports a maximum of 250 segments, and users can only be assigned to one segment.
IB Policies | Define communication limitations. Two types: block policies prevent communication between segments; allow policies allow communication between specific segments.
Non-IB Users/Groups | Users and groups not included in IB segments and policies. Their visibility depends on IB mode and policy type.
Policy Application | Applying defined IB policies to your organization.
Modern Groups | The only group type currently supported by IB. Distribution lists and security groups are treated as non-IB.
Hidden/Disabled User/Guest Accounts | Accounts with communication restrictions. Legacy mode: prevented from communicating with all users. Other modes: hidden automatically, but the behavior can be changed.

Creating a New Information Barrier Segment in Microsoft Purview

Here’s how to create a new segment to group users based on specific criteria in the Microsoft Purview portal:

1. Accessing Information Barriers:

  • Log in to the Microsoft Purview portal with your organization’s admin credentials.
  • Locate the Information Barriers solution card. If it’s not readily visible, click View all solutions within the Risk & Compliance section, and then select Information Barriers.

2. Creating a New Segment:

  • On the Information Barriers page, navigate to the Segments section.
  • Click New segment to begin defining a new user group.

3. Naming Your Segment:

  • Assign a clear and descriptive name to your segment. This name cannot be changed later, so choose wisely.
  • Click Next to proceed.

4. Defining User Attributes:

  • On the User group filter page, click Add to configure the criteria for including users in this segment.
  • Select a user attribute (e.g., Department, Location) from the available list.

5. Specifying Conditions:

  • Choose either Equal or Not equal for the selected attribute.
  • Enter the specific value that defines membership in this segment (e.g., Department: Marketing).
  • Use Add condition to build more complex criteria with additional attribute filters.
  • Click the delete icon to remove unnecessary attributes or conditions.

6. Adding More Filters (Optional):

  • Repeat steps 4 and 5 to add more user attributes and conditions for a more granular segment definition. You can define multiple filters to refine your user group.
  • Click Next once you’ve established your desired criteria.

7. Reviewing and Finalizing:

  • The Review your settings page provides an overview of your segment configuration. Review the details and any suggestions or warnings presented.
  • Click Edit to modify any attribute or condition if needed.
  • If everything looks good, click Submit to create the new segment.
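The same segment definition can be created from Security & Compliance PowerShell, which is the route you would script or repeat across tenants. The block below is an added example and not code from the post or from Microsoft: it creates the Marketing segment from the walkthrough plus a second Research segment, defines a block policy in each direction (IB restrictions are two-way, so each segment needs its own policy), activates them, and starts policy application. The segment names, the filter values, and the admin UPN are placeholders.

```powershell
# Added example (not the post's own code). Requires Security & Compliance PowerShell
# (Connect-IPPSSession from the ExchangeOnlineManagement module) and an IB admin role.
# Segment names, attribute values and the admin UPN below are placeholders.

Connect-IPPSSession -UserPrincipalName admin@contoso.example   # placeholder UPN

# 1. Segments: the same attribute filters the portal wizard builds (Department equals ...).
New-OrganizationSegment -Name "Marketing" -UserGroupFilter "Department -eq 'Marketing'"
New-OrganizationSegment -Name "Research"  -UserGroupFilter "Department -eq 'Research'"

# Confirm the filters were stored as intended before building policies on them.
Get-OrganizationSegment | Select-Object Name, UserGroupFilter

# 2. Block policies. Restrictions are two-way, so define the block in both directions.
#    Both are created Inactive so nothing is enforced until the pair is complete.
New-InformationBarrierPolicy -Name "Marketing-Research" -AssignedSegment "Marketing" `
    -SegmentsBlocked "Research" -State Inactive
New-InformationBarrierPolicy -Name "Research-Marketing" -AssignedSegment "Research" `
    -SegmentsBlocked "Marketing" -State Inactive

# 3. Activate the pair, then start policy application (this is what actually enforces them).
Set-InformationBarrierPolicy -Identity "Marketing-Research" -State Active
Set-InformationBarrierPolicy -Identity "Research-Marketing" -State Active
Start-InformationBarrierPoliciesApplication

# 4. Application runs in the background; poll until it reports completed.
Get-InformationBarrierPoliciesApplicationStatus -All
```

Creating the policies inactive and activating them only once both halves exist avoids a window in which one segment is blocked while the mirror policy is still missing, which is exactly the kind of half-applied state the troubleshooting steps later in this section look for.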

Read more from Learn on how to manage the policies

Configure Teams, SharePoint, and OneDrive to enforce IBs, including setting barrier modes

Teams policies and SharePoint sites

When a team is created, a SharePoint site is provisioned and associated with Microsoft Teams for the files experience. Information barrier policies aren’t honored on this SharePoint site and files by default.

Information barrier modes and Teams

Information barrier modes control who can be added to or removed from a team. When using information barriers with Teams, the following IB modes are supported:

  • Open: This configuration is the default IB mode for all existing groups that were provisioned before information barriers were enabled. In this mode, there are no IB policies applicable.
  • Implicit: This configuration is the default IB mode when a Team is provisioned after enabling information barriers. Implicit mode allows you to add all compatible users in the group.
  • Owner Moderated: This mode is set on a team when you want to allow collaboration between incompatible segment users that are moderated by the owner. The team owner can add new members per their IB policy.

Teams created before activating an information barrier policy in your tenant are automatically set to Open mode by default. Once you activate IB policies in your tenant, you're required to update the mode of your existing teams to Implicit to ensure that those teams are IB-compliant. For more information about updating modes, see Change information barriers modes with a PowerShell script.

Use the Set-UnifiedGroup cmdlet with the InformationBarrierMode parameter set to the mode you want for the group. The allowed values for the InformationBarrierMode parameter are Open, Implicit, and OwnerModerated.

For example, to configure the Implicit mode for a Microsoft 365 Group, you’ll use the following PowerShell command:

To update the mode from Open to Implicit for all existing teams, use this PowerShell script.
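The following block is an added example, not the command or script from the post or from Microsoft's documentation. It shows both operations described above: setting Implicit mode on one Microsoft 365 Group, and then finding every Teams-connected group still in Open mode and moving it to Implicit, with a report before and a verification after. The group display name and the admin UPN are placeholders; the filter on ResourceProvisioningOptions is how Exchange Online marks a group as Teams-connected.

```powershell
# Added example (not the post's own script). Requires Exchange Online PowerShell
# (Connect-ExchangeOnline from the ExchangeOnlineManagement module).
# The group name and admin UPN are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Single group: switch to Implicit mode.
# Allowed values on this parameter: Open, Implicit, OwnerModerated.
Set-UnifiedGroup -Identity "Sales Team" -InformationBarrierMode Implicit

# All existing Teams-connected groups still in Open mode: report first, then update.
$openTeams = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.ResourceProvisioningOptions -contains 'Team' -and
                   $_.InformationBarrierMode -eq 'Open' }

Write-Host "Teams-connected groups in Open mode: $($openTeams.Count)"
$openTeams | Select-Object DisplayName, PrimarySmtpAddress, InformationBarrierMode

foreach ($g in $openTeams) {
    Set-UnifiedGroup -Identity $g.Identity -InformationBarrierMode Implicit
    Write-Host "Updated '$($g.DisplayName)' to Implicit"
}

# Verify: count Teams-connected groups per mode; nothing should remain in Open.
Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.ResourceProvisioningOptions -contains 'Team' } |
    Group-Object InformationBarrierMode |
    Select-Object Name, Count
```

Run the report section on its own first; the list of groups still in Open mode is also the list of SharePoint sites whose IB mode will need updating afterwards, as the next paragraph notes.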

If you change the Open mode configuration on existing Teams-connected groups to meet compliance requirements for your organization, you’ll need to update the IB modes for associated SharePoint sites connected to the Teams team.

IB policy application in Teams

IB policy application is a background IB processor for Teams that gets a notification when there are changes to either users (policy or segment changes) or groups (mode changes). The following steps outline the processing flow:

  • The policy application receives a group change notification when mode is updated and retrieves the message thread and Group IDs applicable to the update.
  • If the message thread exists, processing is scheduled: all members are fetched from the team and its underlying group and are sent to downstream Teams components for IB evaluation.
  • The mode on the group and the IB policies per user are evaluated and the results are sent to the policy application.
  • Policy application removes the non-compliant users from the group and team.

Information Barriers Modes and OneDrive/SharePoint

Information barriers (IB) modes control access, sharing, and membership based on segments associated with a OneDrive or SharePoint site. Here’s a breakdown of the modes:

Mode | Description | OneDrive Example | SharePoint Example
Open | No segment restrictions. | Default for non-segmented users. | Default for sites without segments (e.g., company picnic site).
Owner Moderated | Collaboration between incompatible segments requires site owner/moderator approval. | Collaboration between Sales and Marketing (incompatible segments) with the VP of HR moderating. | Collaboration between Sales and Research (incompatible segments) with the VP of HR moderating.
Explicit | Access limited to users and segments explicitly assigned to the site. | User's OneDrive is automatically set to Explicit within 24 hours of IB being enabled. Only the user's segment and compatible segments can access it. | Research site accessible only to users in the Research segment.
Mixed (OneDrive only) | Segmented OneDrive can be shared with unsegmented users (optional). | Marketing user (segmented) can share OneDrive with non-segmented users (optional, admin approval needed). | Not applicable (SharePoint doesn't have Mixed mode).

Enabling Information Barriers (IB) in SharePoint and OneDrive

Who can enable IB?

  • SharePoint Administrators or Global Administrators

Steps to Enable IB:

  1. Install/Update SharePoint Online Management Shell:
    • Download the latest version from the Microsoft Download Center (https://www.microsoft.com/en-us/download/details.aspx?id=35588).
    • Choose the appropriate architecture (x64 or x86) for your Windows version.
    • Uninstall any previous versions if needed (Add or Remove Programs).
    • Run the installer and follow the setup wizard.
  2. Connect to SharePoint Online:
    • Use your Global Administrator or SharePoint Administrator credentials.
    • Refer to “Getting started with SharePoint Online Management Shell” for specific instructions.
  3. Enable IB with PowerShell:
    • Run the following command: Set-SPOTenant -InformationBarriersSuspension $false
  4. Wait for Changes to Take Effect (Approx. 1 Hour)

Additional Notes:

  • Implicit Mode Access Control (Before March 15, 2022):
    • If IB was enabled before this date, access for Implicit mode in Teams-connected sites is based on associated segments.
  • Enabling Microsoft 365 Group Membership Control (Optional):
    • Run this command to enable group membership-based access control for all Implicit mode Teams sites: Set-SPOTenant -IBImplicitGroupBased $true
  • Multi-Geo Considerations:
    • For Microsoft 365 Multi-Geo environments, run the IB enablement command for each geo-location.
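The steps above, as an added example that is not the post's own commands: it connects to each SharePoint admin center (one for a single-geo tenant, one per geo for Multi-Geo), records the current value, enables IB, optionally turns on group-membership-based access for Implicit mode sites, and then reads the setting back so you can confirm the change took before waiting the hour for it to propagate. The admin-center URLs are placeholders.

```powershell
# Added example (not the post's own commands). Requires the SharePoint Online
# Management Shell (Connect-SPOService) and a SharePoint or Global Administrator.
# Admin-center URLs are placeholders; a single-geo tenant has only the first entry.

$adminUrls = @(
    'https://contoso-admin.sharepoint.com',      # placeholder: primary geo
    'https://contosoeur-admin.sharepoint.com'    # placeholder: satellite geo (Multi-Geo only)
)

foreach ($url in $adminUrls) {
    Connect-SPOService -Url $url

    # Record the current state; IB is on when the suspension flag is $false.
    $before = Get-SPOTenant
    Write-Host "$url before: InformationBarriersSuspension=$($before.InformationBarriersSuspension)"

    # Enable IB for this geo.
    Set-SPOTenant -InformationBarriersSuspension $false

    # Optional: group-membership-based access control for Implicit mode Teams sites.
    Set-SPOTenant -IBImplicitGroupBased $true

    # Read back and verify rather than assuming the write succeeded.
    $after = Get-SPOTenant
    if ($after.InformationBarriersSuspension) {
        Write-Warning "IB is still suspended on $url; check the role you connected with and retry."
    } else {
        Write-Host "IB enabled on $url; allow roughly an hour before testing access."
    }

    Disconnect-SPOService
}
```

The read-back matters in Multi-Geo tenants: each geo is its own SharePoint tenant instance, so a success in the primary geo says nothing about a satellite geo you forgot to connect to.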

Investigate issues with IB policies

1. Gather Information
  • Define the symptoms (blocked communication, access issues).
  • Identify affected users/segments.
  • Review relevant IB policies and intended restrictions.
  • Check for recent changes to IB policies, segments, user attributes, or Microsoft Teams settings.
2. Analyze Permissions
  • Verify OneDrive/SharePoint permissions based on IB mode for affected users.
  • Ensure Teams settings (Open, Implicit, Owner Moderated) align with IB policy goals and user segment compatibility.
3. Utilize Audit Logs
  • Review Microsoft Purview compliance portal audit logs for IB policy evaluation activity related to the issue.
  • Check Teams audit logs (if enabled) for communication attempts and potential IB policy blocks.
4. Leverage PowerShell Cmdlets (Optional)
  • Use Get-IBPolicy to retrieve details of specific IB policies and identify configuration errors.
  • Use Get-UnifiedGroup to retrieve information about a Microsoft 365 group (including IB mode) for Teams-related troubleshooting.
5. Consider Additional Factors
  • Evaluate potential limitations due to Legacy mode (if applicable). Consider upgrading to the latest version.
  • Ensure scoped directory search is enabled in Microsoft Teams (a prerequisite for IB policy function).
6. Troubleshooting Resources
  • Refer to Microsoft's official IB troubleshooting documentation: https://learn.microsoft.com/en-us/purview/information-barriers
  • Contact Microsoft support for further assistance if needed.

Debugging Information Barrier (IB) Policy Issues

Gather Evidence:

  • Symptoms: Identify communication blocks (full, specific actions), access issues (teams, channels, sites).
  • Affected Users/Segments: Narrow down the scope (segment-wide or isolated).
  • Policy Review: Analyze intended restrictions (allowed/blocked communication between segments), check for conflicting “allow” policies.
  • Recent Changes: Investigate modifications to IB policies, segments, user attributes, or Teams settings that might have caused the issue.

Permission Verification:

  • OneDrive/SharePoint:
    • Open Mode: Full access (no IB restrictions).
    • Implicit Mode: Access for users within the same and compatible segments.
    • Explicit Mode: Access only for explicitly assigned users and segments.
    • Mixed Mode (OneDrive): Segmented user can optionally share with unsegmented users (requires admin approval).
  • Teams Settings:
    • Open Mode: No IB restrictions on adding members or communication.
    • Implicit Mode: Allows adding compatible users within the group.
    • Owner Moderated Mode: Requires owner/moderator approval for collaboration between incompatible segments.

Leverage Audit Logs:

  • Microsoft Purview: Analyze audit logs for IB policy evaluation activity (timestamps, users, policy names). Filter logs to pinpoint relevant entries.
  • Microsoft Teams Audit Logs (if enabled): Check for communication attempts and potential IB policy blocks related to affected users during the timeframe.

Optional: PowerShell Cmdlets

  • Get-IBPolicy: Retrieve details of specific IB policies to identify configuration errors.
  • Get-UnifiedGroup: Retrieve information about a Microsoft 365 group (name, members, IB mode) for Teams-related troubleshooting.

Additional Considerations:

  • Legacy Mode: Limitations might exist compared to the latest version. Upgrading could resolve the issue.
  • Scoped Directory Search: Ensure it’s enabled in Microsoft Teams (a prerequisite for IB policies to function).
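The investigation steps in the table and in the checklist above can be run as one script. The block below is an added example, not the post's own: for two users who report a block, it shows which segments and policies apply to each and whether IB allows them to communicate, lists the policy definitions so a missing mirror policy or an Inactive state stands out, checks whether the last policy application actually completed, reads the IB mode of the affected team, and pulls the unified audit log for both users. It uses the Get-InformationBarrierPolicy and Get-InformationBarrierRecipientStatus cmdlet names from Security & Compliance PowerShell; the UPNs and the team name are placeholders.

```powershell
# Added example (not the post's own script). Assumes both Connect-IPPSSession
# (Security & Compliance PowerShell) and Connect-ExchangeOnline have been run.
# UPNs and the team name are placeholders.

$userA = 'alice@contoso.example'   # placeholder: user who cannot reach userB
$userB = 'bob@contoso.example'     # placeholder
$team  = 'Project Falcon'          # placeholder: Teams-connected group in question

# 1. Gather: segments and policies applied to each user, and the pairwise verdict.
Get-InformationBarrierRecipientStatus -Identity $userA
Get-InformationBarrierRecipientStatus -Identity $userB
Get-InformationBarrierRecipientStatus -Identity $userA -Identity2 $userB

# 2. Policy review: a block that exists in only one direction, or a policy left
#    Inactive, is a common cause of "it works one way but not the other".
Get-InformationBarrierPolicy |
    Select-Object Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State

# 3. Recent changes: was the last application run completed, or is it still in progress?
Get-InformationBarrierPoliciesApplicationStatus -All

# 4. Permissions: the team's IB mode. Open means membership is not IB-enforced at all.
Get-UnifiedGroup -Identity $team |
    Select-Object DisplayName, InformationBarrierMode, ResourceProvisioningOptions

# 5. Audit logs: activity by both users over the last seven days.
$end   = Get-Date
$start = $end.AddDays(-7)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -UserIds $userA, $userB -ResultSize 500 |
    Select-Object CreationDate, UserIds, Operations, RecordType |
    Sort-Object CreationDate
```

Read the outputs in order: if step 1 already says the pair is blocked by policy, steps 2 and 3 tell you whether that is the intended restriction or a half-applied one; if step 1 says communication is allowed but the users still cannot collaborate in the team, step 4 (team mode) and the permission checks for the associated SharePoint site are the next place to look.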

Closure

What it does: IB policies restrict communication and collaboration within your organization based on user segments.

Where it applies:

  • Microsoft Teams: Chat, meetings, adding members
  • SharePoint & OneDrive: Sharing files/content, accessing content (with limitations)
  • Exchange Online: Not directly affected (use mail flow rules)

Key Concepts:

  • Segments: Groups of users defined by attributes like department.
  • Policies: Define communication restrictions (block or allow) between segments.
  • Legacy Mode: Older version with limitations (upgrade recommended).
  • Modern Groups: The only group type currently supported by IB.

Creating Segments:

  • Use the Microsoft Purview portal to define segments based on user attributes.
  • Up to 5,000 segments supported (except Legacy mode).

IB Modes (SharePoint & OneDrive):

  • Open: Full access, no restrictions.
  • Implicit: Access for users within the same and compatible segments.
  • Explicit: Access only for assigned users and segments.
  • Mixed (OneDrive): Segmented user can optionally share with unsegmented users (requires approval).

IB Modes (Teams):

  • Open: No restrictions on adding members or communication (default for existing teams).
  • Implicit: Allows adding compatible users within the group (default for new teams).
  • Owner Moderated: Requires owner/moderator approval for collaboration between incompatible segments.

Troubleshooting IB Issues:

  1. Gather information about the symptoms and affected users.
  2. Analyze permissions and review relevant policies.
  3. Utilize audit logs for insights into IB activity.
  4. Consider optional PowerShell cmdlets for detailed information.
  5. Check for limitations due to Legacy mode or disabled scoped directory search.
  6. Refer to Microsoft’s documentation or support for further assistance.

Link to main post

Author: Harri Jaakkonen