Information Barrier in Microsoft Teams

In the Lync and Skype for Business (SFB) days, restricting unauthorized communication with a secured group inside the organization was a challenge: organizations had to either purchase a tool to manage it or move those secured users to a separate environment. With Information Barrier in Microsoft Teams, administrators can now restrict communication natively by segmenting users into a few groups and applying simple policies.

Information barriers in Teams are a set of controls applied to segments (groups of users) through policy, in order to prevent users from making unauthorized communication with other segments within Microsoft Teams. By deploying Information Barrier, an administrator can natively restrict communication between two user segments without depending on or purchasing any additional tools. There are two types of information barrier policy scenario that can be created in M365: allowed and blocked policies. Below is a pictorial representation of both scenarios.

In this article we will discuss the prerequisites, the deployment approach, the user experience after implementing Information Barriers, and so on.

Information Barrier Prerequisites

  • Make sure the user account attributes, such as group membership, department name, etc. are populated correctly in Azure Active Directory
  • Enable Scoped Directory search in Microsoft Teams
  • Turn on audit logging
  • Remove address book policies (see note 1 under Additional Info)
  • Azure AD Modules installed
  • Access to Security & Compliance center PowerShell and AzureAD
  • Admin consent for information barriers in Microsoft Teams (see note 2 under Additional Info)
  • Information barriers are included in the following subscriptions
    • Microsoft 365 E5/A5
    • Office 365 E5/A5
    • Office 365 Advanced Compliance
    • Microsoft 365 Compliance E5/A5
    • Microsoft 365 Insider Risk Management
  • To define or edit information barrier policies, you must be assigned one of the following roles:
    • Microsoft 365 global administrator
    • Office 365 global administrator
    • Compliance administrator
    • IB Compliance Management (this is a new role!)

Deployment Approach

Deployment Walkthrough

Creating Segments

Currently, information barriers are managed using Security & Compliance Center PowerShell, so here are the step-by-step instructions with sample screenshots.

Step 1 : Run the command Import-Module ExchangeOnlineManagement from PowerShell

Step 2 : Connect to the Security & Compliance Center using the command Connect-IPPSSession -Credential $Cred (be sure to store your credentials in the variable $Cred)

Step 3 : Create segments using the command New-OrganizationSegment

Note : Please ensure that the policies are defined two-ways. For example, if there is a policy where Segment1 cannot communicate with Segment2, then there must be another policy where Segment2 cannot communicate with Segment1.

Creating Information Barrier Policy

Step 3 : Create IB Policy using the command New-InformationBarrierPolicy – Make sure the state is set to “Inactive” while creating

Turning-On Information Barrier Policy

Step 1 : To turn on the information barrier policy, set its state to “Active” using the command Set-InformationBarrierPolicy. Before setting the state to active, make sure to capture the policy GUID using the command Get-InformationBarrierPolicy.

Step 2 : Once the policy is set to active, run the command Start-InformationBarrierPoliciesApplication
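The whole walkthrough (segments, two-way block policies created Inactive, activation by GUID, policy application) as one script. This is an added example, not the author's code: the segment names, policy names and Department values are constructed, and the reciprocity check and the closing Get-InformationBarrierPoliciesApplicationStatus call are additions that the steps above do not mention.

```powershell
# Added example. 'Sales' / 'Research' and the policy names are constructed values.
Import-Module ExchangeOnlineManagement
$Cred = Get-Credential                      # account holding an IB-capable admin role
Connect-IPPSSession -Credential $Cred

# 1. Segments, filtered on the Department attribute populated in Azure AD.
New-OrganizationSegment -Name 'Sales'    -UserGroupFilter "Department -eq 'Sales'"
New-OrganizationSegment -Name 'Research' -UserGroupFilter "Department -eq 'Research'"

# 2. Block policies in BOTH directions, created Inactive as the article advises.
New-InformationBarrierPolicy -Name 'Sales-Block-Research' -AssignedSegment 'Sales' `
    -SegmentsBlocked 'Research' -State Inactive
New-InformationBarrierPolicy -Name 'Research-Block-Sales' -AssignedSegment 'Research' `
    -SegmentsBlocked 'Sales' -State Inactive

# 3. Before activating, confirm every block has its mirror-image policy.
#    Uses the AssignedSegment / SegmentsBlocked properties of the cmdlet output.
$policies = Get-InformationBarrierPolicy
$oneWay = foreach ($p in $policies) {
    foreach ($blocked in $p.SegmentsBlocked) {
        $reverse = $policies | Where-Object {
            $_.AssignedSegment -eq $blocked -and
            $_.SegmentsBlocked -contains $p.AssignedSegment
        }
        if (-not $reverse) { "$($p.AssignedSegment) -> $blocked" }
    }
}
if ($oneWay) { throw "One-way block policies found: $($oneWay -join ', ')" }

# 4. Activate the two new policies by GUID, then start policy application.
$policies |
    Where-Object { $_.Name -in 'Sales-Block-Research', 'Research-Block-Sales' } |
    ForEach-Object { Set-InformationBarrierPolicy -Identity $_.Guid -State Active }
Start-InformationBarrierPoliciesApplication

# 5. Application runs in the background; check its progress and the final state.
Get-InformationBarrierPoliciesApplicationStatus
Get-InformationBarrierPolicy | Format-Table Name, State, AssignedSegment, SegmentsBlocked
```

The script stops at step 3 if any existing policy in the tenant blocks a segment without a matching policy in the opposite direction, so nothing is activated until the pair is complete.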

Testing & User Experience :

When information barrier policies are in place, users who should not communicate or share files with other specific users won’t be able to find, select, chat, or call those users. With information barriers, restrictions are in place to prevent unauthorized communication.

The following activities are impacted after implementing IB policies:

  • Starting a chat session with someone
  • Inviting someone to join a meeting
  • Sharing a screen
  • Placing a call
  • Starting a group chat
  • Sharing a file with another user
  • Access to file through sharing link
  • Searching for a user
  • Adding a member to a team

Additional Info :

  1. Before you define and apply information barrier policies, make sure no Exchange address book policies are in place. Information barriers are based on address book policies, but the two kinds of policies are not compatible. If you do have such policies, make sure to remove your address book policies first. Once information barrier policies are enabled and you have hierarchical address book enabled, all users who are not included in an information barrier segment will see the hierarchical address book in Exchange online.
  2. Admin consent for information barriers in Microsoft Teams – When your policies are in place, information barriers can remove people from chat sessions they are not supposed to be in. This helps ensure your organization remains compliant with policies and regulations. Use the following procedure to enable information barrier policies to work as expected in Microsoft Teams.

Run the following PowerShell cmdlets:

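# The Get-Az*/New-Az* cmdlets below belong to the Az module, so sign in with Connect-AzAccount
Connect-AzAccount
$appId = "bcf62038-e005-436d-b970-2a472f8c1982"
# Create the service principal for the app if the tenant does not already have one
$sp = Get-AzADServicePrincipal -ServicePrincipalName $appId
if ($null -eq $sp) { New-AzADServicePrincipal -ApplicationId $appId }
# Open the admin consent page for the app in the default browser
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId"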

When prompted, sign in using your work or school account for Office 365.

In the Permissions requested dialog box, review the information, and then choose Accept.

SharePoint, OneDrive & Teams : When a team is created, a SharePoint site is provisioned and associated with Microsoft Teams for the files experience. Information barrier policies are not enabled on SharePoint sites and files by default. To enable them, the administrator has to fill out a form requesting that IB policies be enabled on SharePoint and OneDrive. Once the Information Barrier policy is turned on in SharePoint and OneDrive, the IB policies will work on SharePoint sites provisioned when a team is created with Microsoft Teams.

Reference : https://docs.microsoft.com/en-us/sharepoint/information-barriers#prerequisites
