
Luc Marolt

What are Information Barriers in Microsoft Purview and how to make them work

According to Microsoft: “Microsoft Purview Information Barriers (IB) is a compliance solution that allows you to restrict two-way communication and collaboration between groups and users in Microsoft Teams, SharePoint, and OneDrive.”


This may include situations or scenarios where you want to restrict communication and collaboration between two groups to avoid a conflict of interest from occurring in your organization. This may also include situations when you need to restrict communication and collaboration between certain people inside your organization to safeguard internal information.


Some examples:

  • Finance personnel working on confidential company information should not communicate or share files with certain groups within their organization

  • An internal team with trade secret material should not call or chat online with people in certain groups within their organization

Note: IBs only apply to people within the tenant. If you exclude a department from using MS Teams to communicate with another department you could still invite selected people with an external guest account to the team. Sharing documents with external people is defined in the external sharing settings and is not affected by IBs.



How will this affect your tenant?

Depending on the M365 application, information barriers can determine and prevent the following kinds of unauthorized collaborations:


MS Teams:

  • Adding a user to a team or channel

  • User access to team or channel content

  • User access to 1:1 and group chats

  • User access to meetings

  • Users won't be visible in the people picker

SharePoint:

  • Adding a user to a site

  • User access to a site or site content

  • Sharing a site or site content with other users

OneDrive:

  • User access to OneDrive or stored content

  • Sharing OneDrive or stored content with other users


In this blog we are going to elaborate on when this could be interesting for you and how to configure it to make it work efficiently.

Configuring IB using the MS Purview portal

The easiest and quickest way to set up an IB is to use the MS Purview portal.

Example scenario: nobody can communicate directly with the Finance department, except members of the HR department.

First we need to set up 2 “Segments”: Finance and HR. This can be done by selecting the Department property from Exchange.







Next we need to define a “Policy”

Note: In the Allowed segment section it is important to include Finance (in this case), or we will get an error when submitting the policy. This is because Finance must be able to communicate with itself.

Important: The Allowed and Blocked status for segments can't be changed after creating a policy. To change the status after you create a policy, you must delete the policy and create a new one.

Communication (Email, Teams) and collaboration (SharePoint, OneDrive) would be restricted based on this policy, but NOT before you set the policy to “active” status and “apply” the policy.


Configuration for information barriers on SharePoint and OneDrive

If you're configuring IB for SharePoint and OneDrive, you'll need to enable IB on these services AFTER the policy has been created. You'll also need to enable IB on these services if you're configuring IB for Microsoft Teams. When a team is created in Microsoft Teams, a SharePoint site is automatically created and associated with Microsoft Teams for the files experience. IB policies aren't honoured on this new SharePoint site and files by default.
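The portal walkthrough above (segments, policy, activate, apply, then enable enforcement in SharePoint and OneDrive) scripted with Security & Compliance PowerShell and the SharePoint Online Management Shell. This is an added example, not code from the original post or from Microsoft; the segment names, the Department attribute values and the tenant URLs are assumptions for the example.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module and an account holding the IB Compliance Management role; the tenant URL,
# segment names and Department values below are assumptions.
Connect-IPPSSession

# 1. Segments built on the Exchange "Department" attribute, as in the portal walkthrough.
#    The attribute must already be populated on the users, or the segments stay empty.
New-OrganizationSegment -Name "Finance" -UserGroupFilter "Department -eq 'Finance'"
New-OrganizationSegment -Name "HR"      -UserGroupFilter "Department -eq 'HR'"

# 2. Policy: Finance may only communicate with Finance and HR. Finance must list itself
#    in the allowed segments, otherwise the policy is rejected. Allowed/blocked segments
#    cannot be changed later (delete and recreate instead), so create it inactive and
#    review before it takes effect.
New-InformationBarrierPolicy -Name "Finance-AllowOnlyHR" `
    -AssignedSegment "Finance" `
    -SegmentsAllowed "Finance","HR" `
    -State Inactive

# 3. Review, then activate and apply. Nothing is enforced until both steps are done.
Get-InformationBarrierPolicy -Identity "Finance-AllowOnlyHR" | Format-List
Set-InformationBarrierPolicy -Identity "Finance-AllowOnlyHR" -State Active
Start-InformationBarrierPoliciesApplication

# 4. Application runs in the background; re-run this until it reports completion
#    before testing in Teams.
Get-InformationBarrierPoliciesApplicationStatus -All

# 5. Only after the policy exists: enable enforcement in SharePoint and OneDrive.
#    Without this step the team's SharePoint site and files ignore the policy.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # tenant admin URL assumed
Set-SPOTenant -InformationBarriersSuspension $false
```

Keeping the policy inactive until the `Get-InformationBarrierPolicy` output has been checked matters because the allowed and blocked segment lists are immutable once the policy exists; a wrong list means deleting the policy and starting over, while an already applied wrong policy can lock users out of teams and chats in the meantime.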

A first step is to apply IB “Modes”. When using information barriers with SharePoint and OneDrive, the following IB modes are supported: “Open”, “Implicit”, “Explicit” and “Owner moderated”.


Information barriers modes and SharePoint sites

Information barriers modes help strengthen access, sharing, and membership of a site based on its IB mode and segments associated with the site.

Sharing sites for IB modes

When a site has no segments and its information barriers mode is set to, for example, Open:

The site and its contents can be shared based on the information barrier policy applied to the user. For example, if a user in HR is allowed to communicate with users in Research, the user will be able to share the site with those users.

Access to sites by users is based on the IB mode of the site

For a user to access a SharePoint site that has segments and whose information barriers mode is, for example, Explicit:

The user's segment must match a segment that is associated with the site AND the user must have access permission to the site. Non-segment users can't access a site associated with segments. They'll see an error message.


In the SharePoint admin centre:

To view the complete list of segments associated with a site, select the site, and then select the Policies tab. To edit the segments associated with the site, select Edit, add or remove segments, and then select Save.


Information barriers modes and OneDrive

Sharing files from OneDrive

When a OneDrive has information barriers segments and its mode is set to, for example, Explicit:

  • The option to share with Anyone with the link is disabled

  • The option to share with Company-wide link is disabled

  • Files and folders can be shared only with users whose segment matches that of the OneDrive

Accessing shared files from OneDrive

For a segmented user to access content in a OneDrive that has segments and whose IB mode is set to, for example, Mixed:

The user's segment must match a segment that is associated with the OneDrive AND the files must be shared with the user. For an unsegmented user to access content in a OneDrive that has segments and the IB mode set as Mixed, the user must have site access permissions.


Manage segments on a user's OneDrive

To associate a segment with a OneDrive, run the following command in the SharePoint Online Management Shell. A OneDrive can have up to 100 associated segments:

```powershell
Set-SPOSite -Identity <site URL> -AddInformationSegment <segment GUID>
```

Example:

```powershell
Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com -AddInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111
```


When you add segments to a OneDrive, the site's IB mode is automatically updated to Explicit. An error will appear if you attempt to associate a segment that isn't compatible with the existing segments on the OneDrive.

Warning:

If the segments associated with a user's OneDrive don't match the segment applied to the user, the user won't be able to access their OneDrive. Be careful not to associate any segments with the OneDrive of a non-segment user.
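Because the same Set-SPOSite command associates segments with both team sites (the Policies tab described in the SharePoint admin centre section) and OneDrives, and because the warning above is easy to trip over, here is an added example of a guarded version of that command. It is not code from the original post or from Microsoft. It assumes the SharePoint Online Management Shell plus a Security & Compliance PowerShell session, uses the InformationSegment and InformationBarrierMode properties returned by Get-SPOSite, and the tenant URLs and segment GUID are placeholders.

```powershell
# Added example (not from the original post): associate a segment with a SharePoint
# site or a OneDrive only after showing what is already there and, for a OneDrive,
# after the operator confirms the owner is a segmented user whose segment matches.
# Tenant URLs and the segment GUID are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # tenant admin URL assumed
Connect-IPPSSession                                               # for Get-InformationBarrierRecipientStatus

function Add-IBSegmentChecked {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,       # team site or OneDrive URL
        [Parameter(Mandatory)] [string] $SegmentGuid,   # segment GUID from the Purview portal
        [switch] $OneDrive                              # set when $SiteUrl is a user's OneDrive
    )

    # Current state: mode and associated segments (a site holds at most 100 segments)
    $site = Get-SPOSite -Identity $SiteUrl
    Write-Host "Mode before : $($site.InformationBarrierMode)"
    Write-Host "Segments    : $($site.InformationSegment -join ', ')"

    if ($site.InformationSegment -contains $SegmentGuid) {
        Write-Host "Segment already associated; nothing to do."
        return
    }

    # Guard for the warning above: a OneDrive may only carry segments matching its
    # owner, otherwise the owner loses access to their own files. Show the owner's IB
    # status and require an explicit confirmation before changing anything.
    if ($OneDrive) {
        Write-Host "Owner       : $($site.Owner)"
        Get-InformationBarrierRecipientStatus -Identity $site.Owner | Format-List
        $answer = Read-Host "Is the owner segmented and does the segment match $SegmentGuid (yes/no)"
        if ($answer -ne 'yes') { Write-Warning "Aborted: no segment added."; return }
    }

    # Adding a segment switches the mode to Explicit automatically. An incompatible
    # segment is rejected by the service; surface that error instead of swallowing it.
    try {
        Set-SPOSite -Identity $SiteUrl -AddInformationSegment $SegmentGuid -ErrorAction Stop
    } catch {
        Write-Error "Segment not added: $($_.Exception.Message)"
        return
    }

    $site = Get-SPOSite -Identity $SiteUrl
    Write-Host "Mode after  : $($site.InformationBarrierMode)"
    Write-Host "Segments    : $($site.InformationSegment -join ', ')"
}

# Team site backing a Finance team (URL assumed)
Add-IBSegmentChecked -SiteUrl "https://contoso.sharepoint.com/sites/Finance" `
                     -SegmentGuid "00000000-0000-0000-0000-000000000000"

# OneDrive of a Finance user (URL from the post's own example; GUID is a placeholder)
Add-IBSegmentChecked -OneDrive `
                     -SiteUrl "https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com" `
                     -SegmentGuid "00000000-0000-0000-0000-000000000000"
```

If a segment was assigned to the wrong OneDrive, the corresponding removal is `Set-SPOSite -Identity <URL> -RemoveInformationSegment <segment GUID>`; running the function again afterwards shows whether the mode and segment list are back to what the owner can actually access.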

