Manage information barriers policies
After you have defined information barriers (IB) policies, you may need to make changes to those policies or to your user segments, as part of troubleshooting or as regular maintenance.
Tip
If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview trials hub. Learn details about signing up and trial terms.
What do you want to do?
Action | Description |
---|---|
Edit user account attributes | Fill in attributes in Microsoft Entra ID that can be used to define segments. Edit user account attributes when users aren't included in segments they should be, to change which segments users are in, or to define segments using different attributes. |
Edit a segment | Edit segments when you want to change how a segment is defined. For example, you might have originally defined segments using Department and now want to use another attribute, such as MemberOf. |
Edit a policy | Edit an information barriers policy when you want to change how a policy works. For example, instead of blocking communications between two segments, you might decide you want to allow communications to occur only between certain segments. |
Set a policy to inactive status | Set a policy to inactive status when you want to make changes to a policy, or when you don't want a policy to be in effect. |
Remove a policy | Remove an information barriers policy when you no longer need a particular policy in place. |
Remove a segment | Remove an information barriers segment when you no longer need a particular segment. |
Remove a policy and a segment | Remove an information barriers policy and a segment at the same time. |
Stop a policy application | Take this action when you want to stop the process of applying information barriers policies. Stopping a policy application isn't instant, and it doesn't undo policies that are already applied to users. |
Enable or disable user discoverability | Enable or disable if users are displayed in the people picker. |
Define policies for information barriers | Define an information barriers policy when you don't already have such policies in place, and you must restrict or limit communications between specific groups of users. |
Troubleshooting information barriers | Refer to this article when you run into unexpected issues with information barriers. |
Important
To perform the tasks described in this article, you must be assigned an appropriate role, such as one of the following:
- Microsoft 365 Enterprise Global Administrator
- Global Administrator
- Compliance Administrator
- IB Compliance Management (this is a new role!)
To learn more about prerequisites for information barriers, see Prerequisites (for information barriers policies).
Make sure to connect to the Security & Compliance PowerShell.
Important
Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.
Edit user account attributes
Use this procedure to edit attributes that are used for segmenting users. For example, if you're using a Department attribute, and one or more user accounts don't currently have any values listed for Department, you must edit those user accounts to include Department information. User account attributes are used for defining segments so that information barriers policies can be assigned.
To view details for a specific user account, such as attribute values and assigned segment(s), use the Get-InformationBarrierRecipientStatus cmdlet with Identity parameters.
Syntax:
Get-InformationBarrierRecipientStatus -Identity <value> -Identity2 <value>
You can use any value that uniquely identifies each user, such as name, alias, distinguished name, canonical domain name, email address, or GUID. You can also use this cmdlet for a single user:
Get-InformationBarrierRecipientStatus -Identity <value>
Example:
Get-InformationBarrierRecipientStatus -Identity meganb -Identity2 alexw
In this example, we refer to two user accounts in Office 365: meganb for Megan, and alexw for Alex.
Determine which attribute you want to edit for your user account profile(s). For more information, see Attributes for information barriers policies.
Edit one or more user accounts to include values for the attribute you selected in the previous step. To take this action, use one of the following procedures:
- To edit a single account, see Add or update a user's profile information using Microsoft Entra ID.
- To edit multiple accounts (or use PowerShell to edit a single account), see Configure user account properties with Office 365 PowerShell.
Edit a segment
Use this procedure to edit the definition of a user segment. For example, you might change the name of a segment, or the filter that is used to determine who's included in the segment.
To view all existing segments, use the Get-OrganizationSegment cmdlet.
Syntax:
Get-OrganizationSegment
You'll see a list of segments and details for each, such as segment type, its UserGroupFilter value, who created or last modified it, GUID, and so on.
Tip
Print or save your list of segments for reference later. For example, if you want to edit a segment, you will need to know its name or Identity value (this is used with the Identity parameter).
To edit a segment, use the Set-OrganizationSegment cmdlet with the Identity parameter and relevant details.
Syntax:
Set-OrganizationSegment -Identity GUID -UserGroupFilter "attribute -eq 'attributevalue'"
Example:
Set-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd -UserGroupFilter "Department -eq 'HRDept'"
In this example, we updated the department name to HRDept for the segment with GUID c96e0837-c232-4a8a-841e-ef45787d8fcd.
When you have finished editing segments for your organization, you can either define or edit information barriers policies.
Edit a policy
To view a list of current information barriers policies, use the Get-InformationBarrierPolicy cmdlet.
Syntax:
Get-InformationBarrierPolicy
In the list of results, identify the policy that you want to change. Note the policy's GUID and name.
Use the Set-InformationBarrierPolicy cmdlet with an Identity parameter, and specify the changes you want to make.
Example: Suppose a policy was defined to block the Research segment from communicating with the Sales and Marketing segments. The policy was defined by using this cmdlet:
New-InformationBarrierPolicy -Name "Research-SalesMarketing" -AssignedSegment "Research" -SegmentsBlocked "Sales","Marketing"
Suppose we want to change it so that users in the Research segment can only communicate with users in the HR segment. To make this change, we use this cmdlet:
Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471 -SegmentsAllowed "HR"
In this example, we changed SegmentsBlocked to SegmentsAllowed and specified the HR segment.
When you have finished editing a policy, make sure to apply your changes. (See Apply information barriers policies.)
Set a policy to inactive status
To view a list of current information barriers policies, use the Get-InformationBarrierPolicy cmdlet.
Syntax:
Get-InformationBarrierPolicy
In the list of results, identify the policy that you want to change (or remove). Note the policy's GUID and name.
To set the policy's status to inactive, use the Set-InformationBarrierPolicy cmdlet with an Identity parameter and the State parameter set to Inactive.
Syntax:
Set-InformationBarrierPolicy -Identity GUID -State Inactive
Example:
Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c9377247 -State Inactive
In this example, the information barriers policy that has GUID 43c37853-ea10-4b90-a23d-ab8c9377247 is set to an inactive status.
To apply your changes, use the Start-InformationBarrierPoliciesApplication cmdlet.
Syntax:
Start-InformationBarrierPoliciesApplication
Changes are applied user-by-user for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. As a general guideline, it takes about an hour to process 5,000 user accounts.
At this point, one or more information barriers policies are set to inactive status. From here, you can do any of the following actions:
- Keep it as is (a policy set to inactive status has no effect on users)
- Edit a policy
- Remove a policy
Remove a policy
To view a list of current information barriers policies, use the Get-InformationBarrierPolicy cmdlet.
Syntax:
Get-InformationBarrierPolicy
In the list of results, identify the policy that you want to remove. Note the policy's GUID and name.
Make sure the policy is set to inactive status. To set the policy's status to inactive, use the Set-InformationBarrierPolicy cmdlet with an Identity parameter and the State parameter set to Inactive.
Syntax:
Set-InformationBarrierPolicy -Identity GUID -State Inactive
Example:
Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c9377247 -State Inactive
In this example, we set an information barriers policy that has GUID 43c37853-ea10-4b90-a23d-ab8c9377247 to an inactive status.
To apply your changes on the policy, use the Start-InformationBarrierPoliciesApplication cmdlet.
Syntax:
Start-InformationBarrierPoliciesApplication
Changes are applied user-by-user for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. As a general guideline, it takes about an hour to process 5,000 user accounts.
Use the Remove-InformationBarrierPolicy cmdlet with an Identity parameter.
Syntax:
Remove-InformationBarrierPolicy -Identity GUID
Example:
Remove-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471
In this example, we're removing the policy that has GUID 43c37853-ea10-4b90-a23d-ab8c93772471.
When prompted, confirm the change.
Remove a segment
To view all existing segments, use the Get-OrganizationSegment cmdlet.
Syntax:
Get-OrganizationSegment
You'll see a list of segments and details for each, such as segment type, its UserGroupFilter value, who created or last modified it, GUID, and so on.
Tip
Print or save your list of segments for reference later. For example, if you want to edit a segment, you will need to know its name or Identity value (this is used with the Identity parameter).
Identify the segment to be removed and make sure the IB policy associated with the segment has been removed. See the Remove a policy procedure for details.
Edit the segment that will be removed to remove the relationship of users to that segment. This action updates the segment definition and removes all users from the segment. You'll use the UserGroupFilter parameter to disassociate users from the segment prior to removal.
To edit a segment, use the Set-OrganizationSegment cmdlet with the Identity parameter and relevant details.
Syntax:
Set-OrganizationSegment -Identity GUID -UserGroupFilter "attribute -eq 'attributevalue'"
Example:
Set-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd -UserGroupFilter "Department -eq 'FakeDept'"
In this example, for the segment that has the GUID c96e0837-c232-4a8a-841e-ef45787d8fcd, we defined the department name as FakeDept to remove users from the segment. This example uses the Department attribute, but you can use other attributes as appropriate. The example uses FakeDept because this department doesn't exist and is certain to contain no users.
To apply your changes, use the Start-InformationBarrierPoliciesApplication cmdlet.
Syntax:
Start-InformationBarrierPoliciesApplication -CleanupGroupSegmentLink
Note
The CleanupGroupSegmentLink parameter removes the group associations of a segment that no longer has any user associations.
Changes are applied user-by-user for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. As a general guideline, it takes about an hour to process 5,000 user accounts.
To remove a segment, use the Remove-OrganizationSegment cmdlet with the Identity parameter and relevant details.
Syntax:
Remove-OrganizationSegment -Identity GUID
Example:
Remove-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd
In this example, the segment that has the GUID c96e0837-c232-4a8a-841e-ef45787d8fcd is removed.
Remove a policy and segment
To view a list of current information barriers policies, use the Get-InformationBarrierPolicy cmdlet.
Syntax:
Get-InformationBarrierPolicy
In the list of results, identify the policy that you want to remove. Note the policy's GUID and name.
To view all existing segments, use the Get-OrganizationSegment cmdlet.
Syntax:
Get-OrganizationSegment
You'll see a list of segments and details for each, such as segment type, its UserGroupFilter parameter value, who created or last modified it, GUID, and so on.
Tip
Print or save your list of segments for reference later. For example, if you want to edit a segment, you will need to know its name or Identity value (this is used with the Identity parameter).
To set the status of the policy to be removed to inactive, use the Set-InformationBarrierPolicy cmdlet with an Identity parameter and the State parameter set to Inactive.
Syntax:
Set-InformationBarrierPolicy -Identity GUID -State Inactive
Example:
Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471 -State Inactive
In this example, we set an information barriers policy that has GUID 43c37853-ea10-4b90-a23d-ab8c93772471 to an inactive status.
Edit the segment that will be removed to remove the relationship of users to that segment. This action updates the segment definition and removes all users from the segment. You'll use the UserGroupFilter parameter to disassociate users from the segment prior to removal.
To edit a segment, use the Set-OrganizationSegment cmdlet with the Identity parameter and relevant details.
Syntax:
Set-OrganizationSegment -Identity GUID -UserGroupFilter "attribute -eq 'attributevalue'"
Example:
Set-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd -UserGroupFilter "Department -eq 'FakeDept'"
In this example, for the segment that has the GUID c96e0837-c232-4a8a-841e-ef45787d8fcd, we updated the department name to FakeDept to remove users from the segment. This example uses the Department attribute, but you can use other attributes as appropriate. The example uses FakeDept because this department doesn't exist and is certain to contain no users.
To apply your changes, use the Start-InformationBarrierPoliciesApplication cmdlet.
Syntax:
Start-InformationBarrierPoliciesApplication -CleanupGroupSegmentLink
Note
The CleanupGroupSegmentLink parameter removes the group associations of a segment that no longer has any user associations.
Changes are applied user-by-user for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. As a general guideline, it takes about an hour to process 5,000 user accounts.
Use the Remove-InformationBarrierPolicy cmdlet with an Identity parameter.
Syntax:
Remove-InformationBarrierPolicy -Identity GUID
Example:
Remove-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471
In this example, the policy that has GUID 43c37853-ea10-4b90-a23d-ab8c93772471 is removed.
When prompted, confirm the change.
To remove a segment, use the Remove-OrganizationSegment cmdlet with the Identity parameter and relevant details.
Syntax:
Remove-OrganizationSegment -Identity GUID
Example:
Remove-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd
In this example, the segment with GUID c96e0837-c232-4a8a-841e-ef45787d8fcd is removed.
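The Remove a policy, Remove a segment, and Remove a policy and segment procedures above are the same sequence of cmdlets; the following script, added here as an example and not taken from the Microsoft article, runs that sequence end to end with the checks a practitioner would want: a backup of the definitions, a wait on each policy application, and a refusal to delete a policy that is still active. It assumes an existing Security & Compliance PowerShell session, reuses the article's example GUIDs (replace them with your own), and assumes the property names State, Status and ApplicationId and the status values NotStarted and Running on the cmdlet output.

```powershell
# Assumed: Connect-IPPSSession has already been run.
# The two GUIDs are the article's example values, not real objects.
$PolicyId  = '43c37853-ea10-4b90-a23d-ab8c93772471'   # policy to remove
$SegmentId = 'c96e0837-c232-4a8a-841e-ef45787d8fcd'   # segment to remove

function Wait-IBApplication {
    # Poll the most recent policy application until it stops running.
    # Large tenants can take 24 hours or more, hence the long default timeout.
    # Status property name and the NotStarted/Running values are assumptions.
    param([int]$TimeoutMinutes = 1500, [int]$PollSeconds = 300)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $app = Get-InformationBarrierPoliciesApplicationStatus | Select-Object -First 1
        Write-Host ("Application {0}: {1}" -f $app.ApplicationId, $app.Status)
        if ($app.Status -notin @('NotStarted', 'Running')) { return $app }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    throw "Policy application did not finish within $TimeoutMinutes minutes."
}

# 1. Record the current definitions so the change can be reverted if needed.
$policy  = Get-InformationBarrierPolicy -Identity $PolicyId
$segment = Get-OrganizationSegment -Identity $SegmentId
$policy, $segment | ConvertTo-Json -Depth 3 |
    Out-File ".\ib-backup-$(Get-Date -Format yyyyMMdd-HHmm).json"

# 2. Deactivate the policy and push the change to users.
Set-InformationBarrierPolicy -Identity $PolicyId -State Inactive
Start-InformationBarrierPoliciesApplication
Wait-IBApplication | Out-Null

# 3. Refuse to continue unless the policy really is inactive (State is an assumed property name).
if ((Get-InformationBarrierPolicy -Identity $PolicyId).State -ne 'Inactive') {
    throw "Policy $PolicyId is still active; not removing it."
}

# 4. Point the segment at a filter that matches nobody, then clean up group links.
Set-OrganizationSegment -Identity $SegmentId -UserGroupFilter "Department -eq 'FakeDept'"
Start-InformationBarrierPoliciesApplication -CleanupGroupSegmentLink
Wait-IBApplication | Out-Null

# 5. Remove the policy first, then the segment it referenced; confirm each prompt.
Remove-InformationBarrierPolicy -Identity $PolicyId
Remove-OrganizationSegment -Identity $SegmentId
```

To remove only a policy, stop after step 3 and run the first line of step 5; to remove only a segment whose policy is already gone, run steps 4 and 5 without the policy removal.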
Stop a policy application
After you have started applying information barriers policies, if you want to stop those policies from being applied, use the following procedure. It will take approximately 30-35 minutes for the process to begin.
To view the status of the most recent information barriers policy application, use the Get-InformationBarrierPoliciesApplicationStatus cmdlet.
Syntax:
Get-InformationBarrierPoliciesApplicationStatus
Note the application's GUID.
Use the Stop-InformationBarrierPoliciesApplication cmdlet with an Identity parameter.
Syntax:
Stop-InformationBarrierPoliciesApplication -Identity GUID
Example:
Stop-InformationBarrierPoliciesApplication -Identity 46237888-12ca-42e3-a541-3fcb7b5231d1
In this example, we're stopping information barriers policies from being applied.
Enable or disable user discoverability
Important
Support for enabling or disabling search restrictions is only available when your organization isn't in Legacy mode. Organizations in Legacy mode cannot enable or disable search restrictions. Enabling or disabling search restrictions requires additional actions to change the information barriers mode for your organization. For details, see Use multi-segment support in information barriers.
Organizations in Legacy mode are eligible to upgrade to the newest version of information barriers in the future. For more information, see the information barriers roadmap.
To enable the people picker search restriction using PowerShell, complete the following steps:
- Use the Set-PolicyConfig cmdlet to enable the people picker restriction:
Set-PolicyConfig -InformationBarrierPeopleSearchRestriction 'Enabled'
To disable the people picker search restriction using PowerShell, complete the following steps:
- Use the Set-PolicyConfig cmdlet to disable the people picker restriction:
Set-PolicyConfig -InformationBarrierPeopleSearchRestriction 'Disabled'
Resources
- Get an overview of information barriers
- Define policies for information barriers
- Learn more about information barriers in Microsoft Teams
- Learn more about information barriers in SharePoint Online
- Learn more about information barriers in OneDrive
- Use multi-segment support in information barriers
- Attributes for IB policies
- Troubleshooting information barriers