Manage information barriers policies

After you have defined information barriers (IB) policies, you may need to make changes to those policies or to your user segments, as part of troubleshooting or as regular maintenance.

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.

What do you want to do?

Edit user account attributes: Fill in attributes in Microsoft Entra ID that can be used to define segments. Edit user account attributes when users aren't included in segments they should be, to change which segments users are in, or to define segments using different attributes.

Edit a segment: Edit segments when you want to change how a segment is defined. For example, you might have originally defined segments using Department and now want to use another attribute, such as MemberOf.

Edit a policy: Edit an information barriers policy when you want to change how a policy works. For example, instead of blocking communications between two segments, you might decide you want to allow communications to occur only between certain segments.

Set a policy to inactive status: Set a policy to inactive status when you want to make changes to a policy, or when you don't want a policy to be in effect.

Remove a policy: Remove an information barriers policy when you no longer need a particular policy in place.

Remove a segment: Remove an information barriers segment when you no longer need a particular segment.

Remove a policy and a segment: Remove an information barriers policy and a segment at the same time.

Stop a policy application: Take this action when you want to stop the process of applying information barriers policies. Stopping a policy application isn't instant, and it doesn't undo policies that are already applied to users.

Enable or disable user discoverability: Enable or disable whether users are displayed in the people picker.

Define policies for information barriers: Define an information barriers policy when you don't already have such policies in place, and you must restrict or limit communications between specific groups of users.

Troubleshooting information barriers: Refer to this article when you run into unexpected issues with information barriers.

Important

To perform the tasks described in this article, you must be assigned an appropriate role, such as one of the following:
- Microsoft 365 Enterprise Global Administrator
- Global Administrator
- Compliance Administrator
- IB Compliance Management (this is a new role!)

To learn more about prerequisites for information barriers, see Prerequisites (for information barriers policies).

Make sure you're connected to Security & Compliance PowerShell before running the cmdlets in this article.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

Edit user account attributes

Use this procedure to edit attributes that are used for segmenting users. For example, if you're using a Department attribute, and one or more user accounts don't currently have any values listed for Department, you must edit those user accounts to include Department information. User account attributes are used for defining segments so that information barriers policies can be assigned.

  1. To view details for a specific user account, such as attribute values and assigned segment(s), use the Get-InformationBarrierRecipientStatus cmdlet with Identity parameters.

    Syntax: Get-InformationBarrierRecipientStatus -Identity <value> -Identity2 <value>

    You can use any value that uniquely identifies each user, such as name, alias, distinguished name, canonical domain name, email address, or GUID. (You can also use this cmdlet for a single user: Get-InformationBarrierRecipientStatus -Identity <value>)

    Example: Get-InformationBarrierRecipientStatus -Identity meganb -Identity2 alexw

    In this example, we refer to two user accounts in Office 365: meganb for Megan, and alexw for Alex.
  2. Determine which attribute you want to edit for your user account profile(s). For more information, see Attributes for information barriers policies.

  3. Edit one or more user accounts to include values for the attribute you selected in the previous step. To take this action, use one of the following procedures:

Edit a segment

Use this procedure to edit the definition of a user segment. For example, you might change the name of a segment, or the filter that is used to determine who's included in the segment.

  1. To view all existing segments, use the Get-OrganizationSegment cmdlet.

    Syntax: Get-OrganizationSegment

    You'll see a list of segments and details for each, such as segment type, its UserGroupFilter value, who created or last modified it, GUID, and so on.

    Tip

    Print or save your list of segments for reference later. For example, if you want to edit a segment, you will need to know its name or identity value (this is used with the Identity parameter).

  2. To edit a segment, use the Set-OrganizationSegment cmdlet with the Identity parameter and relevant details.

    Syntax: Set-OrganizationSegment -Identity GUID -UserGroupFilter "attribute -eq 'attributevalue'"

    Example: Set-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd -UserGroupFilter "Department -eq 'HRDept'"

    In this example, we updated the department name to HRDept for the segment with GUID c96e0837-c232-4a8a-841e-ef45787d8fcd.
  3. When you have finished editing segments for your organization, you can either define or edit information barriers policies.

Edit a policy

  1. To view a list of current information barriers policies, use the Get-InformationBarrierPolicy cmdlet.

    Syntax: Get-InformationBarrierPolicy

    In the list of results, identify the policy that you want to change. Note the policy's GUID and name.

  2. Use the Set-InformationBarrierPolicy cmdlet with an Identity parameter, and specify the changes you want to make.

    Example: Suppose a policy was defined to block the Research segment from communicating with the Sales and Marketing segments. The policy was defined by using this cmdlet:

    New-InformationBarrierPolicy -Name "Research-SalesMarketing" -AssignedSegment "Research" -SegmentsBlocked "Sales","Marketing"

    Suppose we want to change it so that users in the Research segment can only communicate with users in the HR segment. To make this change, we use this cmdlet:

    Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471 -SegmentsAllowed "HR"

    In this example, we changed SegmentsBlocked to SegmentsAllowed and specified the HR segment.

  3. When you have finished editing a policy, make sure to apply your changes. (See Apply information barriers policies.)
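The change described above, carried through with a pre-check and a post-check, as an added example that is not part of the original article. It assumes a connected Security & Compliance PowerShell session, a policy named "Research-SalesMarketing", and that the policy object exposes Name, Guid, State, AssignedSegment, SegmentsBlocked and SegmentsAllowed properties.

```powershell
# Added example (not from the article): switch the "Research-SalesMarketing" policy
# from a block list (Sales, Marketing) to an allow list (HR only), apply it, and
# verify the stored definition. Property names on the policy object are assumed.
$policyName = "Research-SalesMarketing"

$policy = Get-InformationBarrierPolicy | Where-Object { $_.Name -eq $policyName }
if (-not $policy) { throw "Information barriers policy '$policyName' was not found." }

# Record the definition you are about to change (for your change log, and for rollback).
$before = $policy | Select-Object Name, Guid, State, AssignedSegment, SegmentsBlocked, SegmentsAllowed
$before | Format-List

# Replace the block list with an allow list: Research may now communicate only with HR.
Set-InformationBarrierPolicy -Identity $policy.Guid -SegmentsAllowed "HR"

# The edit is not in effect for users until the policies are applied.
Start-InformationBarrierPoliciesApplication

# Read the definition back before relying on it: an allow-list policy should list HR
# and no longer carry the old block list.
$after = Get-InformationBarrierPolicy -Identity $policy.Guid
if (($after.SegmentsAllowed -contains "HR") -and (-not $after.SegmentsBlocked)) {
    Write-Host "Policy '$policyName' now allows Research to communicate only with HR."
} else {
    Write-Warning "Policy '$policyName' did not change as expected. Current definition:"
    $after | Format-List Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed
}
```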

Set a policy to inactive status

  1. To view a list of current information barriers policies, use the Get-InformationBarrierPolicy cmdlet.

    Syntax: Get-InformationBarrierPolicy

    In the list of results, identify the policy that you want to change (or remove). Note the policy's GUID and name.

  2. To set the policy's status to inactive, use the Set-InformationBarrierPolicy cmdlet with an Identity parameter and the State parameter set to Inactive.

    Syntax: Set-InformationBarrierPolicy -Identity GUID -State Inactive

    Example: Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c9377247 -State Inactive

    In this example, the information barriers policy that has GUID 43c37853-ea10-4b90-a23d-ab8c9377247 is set to an inactive status.
  3. To apply your changes, use the Start-InformationBarrierPoliciesApplication cmdlet.

    Syntax: Start-InformationBarrierPoliciesApplication

    Changes are applied user-by-user for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. As a general guideline, it takes about an hour to process 5,000 user accounts.

  4. At this point, one or more information barriers policies are set to inactive status. From here, you can do any of the following actions:

Remove a policy

  1. To view a list of current information barriers policies, use the Get-InformationBarrierPolicy cmdlet.

    Syntax: Get-InformationBarrierPolicy

    In the list of results, identify the policy that you want to remove. Note the policy's GUID and name.

  2. Make sure the policy is set to inactive status. To set the policy's status to inactive, use the Set-InformationBarrierPolicy cmdlet with an Identity parameter and the State parameter set to Inactive.

    Syntax: Set-InformationBarrierPolicy -Identity GUID -State Inactive

    Example: Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c9377247 -State Inactive

    In this example, we set an information barriers policy that has GUID 43c37853-ea10-4b90-a23d-ab8c9377247 to an inactive status.
  3. To apply your changes on the policy, use the Start-InformationBarrierPoliciesApplication cmdlet.

    Syntax: Start-InformationBarrierPoliciesApplication

    Changes are applied user-by-user for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. As a general guideline, it takes about an hour to process 5,000 user accounts.

  4. Use the Remove-InformationBarrierPolicy cmdlet with an Identity parameter.

    Syntax: Remove-InformationBarrierPolicy -Identity GUID

    Example: Remove-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471

    In this example, we're removing the policy that has GUID 43c37853-ea10-4b90-a23d-ab8c93772471.

    When prompted, confirm the change.

Remove a segment

  1. To view all existing segments, use the Get-OrganizationSegment cmdlet.

    Syntax: Get-OrganizationSegment

    You'll see a list of segments and details for each, such as segment type, its UserGroupFilter value, who created or last modified it, GUID, and so on.

    Tip

    Print or save your list of segments for reference later. For example, if you want to edit a segment, you will need to know its name or identity value (this is used with the Identity parameter).

  2. Identify the segment to be removed and make sure the IB policy associated with the segment has been removed. See the Remove a policy procedure for details.

  3. Edit the segment that will be removed to remove the relationship of users to that segment. This action updates the segment definition and removes all users from the segment. You'll use the UserGroupFilter parameter to disassociate users from the segment prior to removal.

    To edit a segment, use the Set-OrganizationSegment cmdlet with the Identity parameter and relevant details.

    Syntax: Set-OrganizationSegment -Identity GUID -UserGroupFilter "attribute -eq 'attributevalue'"

    Example: Set-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd -UserGroupFilter "Department -eq 'FakeDept'"

    In this example, for the segment that has the GUID c96e0837-c232-4a8a-841e-ef45787d8fcd, we defined the department name as FakeDept to remove users from the segment. This example uses the Department attribute, but you can use other attributes as appropriate. The example uses FakeDept because this department doesn't exist and is certain to contain no users.
  4. To apply your changes, use the Start-InformationBarrierPoliciesApplication cmdlet.

    Syntax: Start-InformationBarrierPoliciesApplication -CleanupGroupSegmentLink

    Note

    The CleanupGroupSegmentLink parameter removes the group associations of a segment that no longer has any user associations.

    Changes are applied user-by-user for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. As a general guideline, it takes about an hour to process 5,000 user accounts.

  5. To remove a segment, use the Remove-OrganizationSegment cmdlet with the Identity parameter and relevant details.

    Syntax: Remove-OrganizationSegment -Identity GUID

    Example: Remove-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd

    In this example, the segment that has the GUID c96e0837-c232-4a8a-841e-ef45787d8fcd was removed.

Remove a policy and segment

  1. To view a list of current information barriers policies, use the Get-InformationBarrierPolicy cmdlet.

    Syntax: Get-InformationBarrierPolicy

    In the list of results, identify the policy that you want to remove. Note the policy's GUID and name.

  2. To view all existing segments, use the Get-OrganizationSegment cmdlet.

    Syntax: Get-OrganizationSegment

    You'll see a list of segments and details for each, such as segment type, its UserGroupFilter parameter value, who created or last modified it, GUID, and so on.

    Tip

    Print or save your list of segments for reference later. For example, if you want to edit a segment, you will need to know its name or identity value (this is used with the Identity parameter).

  3. To set the status of the policy to be removed to inactive, use the Set-InformationBarrierPolicy cmdlet with an Identity parameter and the State parameter set to Inactive.

    Syntax: Set-InformationBarrierPolicy -Identity GUID -State Inactive

    Example: Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471 -State Inactive

    In this example, we set an information barriers policy that has GUID 43c37853-ea10-4b90-a23d-ab8c93772471 to an inactive status.
  4. Edit the segment that will be removed to remove the relationship of users to that segment. This action updates the segment definition and removes all users from the segment. You'll use the UserGroupFilter parameter to disassociate users from the segment prior to removal.

    To edit a segment, use the Set-OrganizationSegment cmdlet with the Identity parameter and relevant details.

    Syntax: Set-OrganizationSegment -Identity GUID -UserGroupFilter "attribute -eq 'attributevalue'"

    Example: Set-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd -UserGroupFilter "Department -eq 'FakeDept'"

    In this example, for the segment that has the GUID c96e0837-c232-4a8a-841e-ef45787d8fcd, we updated the department name to FakeDept to remove users from the segment. This example uses the Department attribute, but you can use other attributes as appropriate. The example uses FakeDept because this department doesn't exist and is certain to contain no users.
  5. To apply your changes, use the Start-InformationBarrierPoliciesApplication cmdlet.

    Syntax: Start-InformationBarrierPoliciesApplication -CleanupGroupSegmentLink

    Note

    The CleanupGroupSegmentLink parameter removes the group associations of a segment that no longer has any user associations.

    Changes are applied user-by-user for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. As a general guideline, it takes about an hour to process 5,000 user accounts.

  6. Use the Remove-InformationBarrierPolicy cmdlet with an Identity parameter.

    Syntax: Remove-InformationBarrierPolicy -Identity GUID

    Example: Remove-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471

    In this example, the policy that has GUID 43c37853-ea10-4b90-a23d-ab8c93772471 is removed.

    When prompted, confirm the change.

  7. To remove a segment, use the Remove-OrganizationSegment cmdlet with the Identity parameter and relevant details.

    Syntax: Remove-OrganizationSegment -Identity GUID

    Example: Remove-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd

    In this example, the segment with GUID c96e0837-c232-4a8a-841e-ef45787d8fcd was removed.
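The whole remove-a-policy-and-segment sequence above as one script, with a wait on each policy application before the next step and a guard against removing a segment that other policies still reference. This is an added example, not code from the original article. It assumes a connected Security & Compliance PowerShell session, a policy named "Research-SalesMarketing" whose only assigned segment is "Research", and that the policy, segment and application-status objects expose Guid, Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed and Status properties as used below.

```powershell
# Added example (not from the article). Property names on the returned objects and the
# "Completed" status value are assumptions; check them against your own tenant's output.
$policyName  = "Research-SalesMarketing"
$segmentName = "Research"
# A filter that matches nobody: FakeDept is a department that does not exist in the directory.
$emptyFilter = "Department -eq 'FakeDept'"

function Wait-IBApplication {
    param([int]$PollSeconds = 600)
    # Application runs user by user and can take many hours in a large tenant,
    # so poll rather than assume the previous step has finished.
    do {
        Start-Sleep -Seconds $PollSeconds
        $status = Get-InformationBarrierPoliciesApplicationStatus
        Write-Host ("{0}  application status: {1}" -f (Get-Date -Format s), $status.Status)
    } while ($status.Status -ne "Completed")
}

$policy = Get-InformationBarrierPolicy | Where-Object { $_.Name -eq $policyName }
if (-not $policy) { throw "Policy '$policyName' was not found." }
$segment = Get-OrganizationSegment | Where-Object { $_.Name -eq $segmentName }
if (-not $segment) { throw "Segment '$segmentName' was not found." }

# Refuse to dismantle a segment that any other policy still assigns, blocks or allows.
$stillReferenced = Get-InformationBarrierPolicy | Where-Object {
    $_.Guid -ne $policy.Guid -and (
        $_.AssignedSegment -eq $segmentName -or
        $_.SegmentsBlocked -contains $segmentName -or
        $_.SegmentsAllowed -contains $segmentName)
}
if ($stillReferenced) {
    throw "Segment '$segmentName' is still referenced by: $($stillReferenced.Name -join ', ')"
}

# Step 3: set the policy to inactive and apply, waiting for the run to finish.
Set-InformationBarrierPolicy -Identity $policy.Guid -State Inactive
Start-InformationBarrierPoliciesApplication
Wait-IBApplication

# Step 6: remove the now-inactive policy (-Confirm:$false answers the confirmation prompt).
Remove-InformationBarrierPolicy -Identity $policy.Guid -Confirm:$false

# Steps 4, 5 and 7: empty the segment, apply with group-link cleanup, then remove it.
Set-OrganizationSegment -Identity $segment.Guid -UserGroupFilter $emptyFilter
Start-InformationBarrierPoliciesApplication -CleanupGroupSegmentLink
Wait-IBApplication
Remove-OrganizationSegment -Identity $segment.Guid -Confirm:$false
```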

Stop a policy application

After you have started applying information barriers policies, if you want to stop those policies from being applied, use the following procedure. It will take approximately 30-35 minutes for the process to begin.

  1. To view the status of the most recent information barriers policy application, use the Get-InformationBarrierPoliciesApplicationStatus cmdlet.

    Syntax: Get-InformationBarrierPoliciesApplicationStatus

    Note the application's GUID.

  2. Use the Stop-InformationBarrierPoliciesApplication cmdlet with an Identity parameter.

    Syntax: Stop-InformationBarrierPoliciesApplication -Identity GUID

    Example: Stop-InformationBarrierPoliciesApplication -Identity 46237888-12ca-42e3-a541-3fcb7b5231d1

    In this example, we're stopping information barriers policies from being applied.

Enable or disable user discoverability

Important

Support for enabling or disabling search restrictions is only available when your organization isn't in Legacy mode. Organizations in Legacy mode cannot enable or disable search restrictions. Enabling or disabling search restrictions requires additional actions to change the information barriers mode for your organization. For more information, see Use multi-segment support in information barriers.

Organizations in Legacy mode are eligible to upgrade to the newest version of information barriers in the future. For more information, see the information barriers roadmap.

To enable the people picker search restriction using PowerShell, complete the following steps:

  1. Use the Set-PolicyConfig cmdlet to enable the people picker restriction:

    Set-PolicyConfig -InformationBarrierPeopleSearchRestriction 'Enabled'

To disable the people picker search restriction using PowerShell, complete the following steps:

  1. Use the Set-PolicyConfig cmdlet to disable the people picker restriction:

    Set-PolicyConfig -InformationBarrierPeopleSearchRestriction 'Disabled'

Resources