Resolve communication issues in Information Barriers
Microsoft Purview Information Barriers can help your organization remain compliant with legal requirements and industry regulations. For example, you can use information barriers to restrict communication between specific groups of users to avoid a conflict of interest.
The following sections provide troubleshooting steps for various issues that you might experience.
Important
Before you troubleshoot Information Barriers issues, make sure that you have the appropriate subscriptions and permissions, meet the necessary prerequisites, and connect to Security & Compliance Center PowerShell.
Issue: Users are unexpectedly blocked from communicating with others in Teams
Your users report unexpected issues when they try to communicate with others by using Microsoft Teams. For example:
- A user searches for, but can't find, another user in Teams.
- A user can find, but can't select, another user in Teams.
- A user can see another user but can't send messages to that user in Teams.
What to do
Determine whether the users are affected by an Information Barriers policy. Depending on how policies are configured, information barriers might be working as expected. Or, you might have to refine your organization's policies.
Use the Get-InformationBarrierRecipientStatus cmdlet together with the Identity parameter.
Syntax: Get-InformationBarrierRecipientStatus -Identity <value>
You can use any identity value that uniquely identifies each recipient, such as Name, Alias, Distinguished name (DN), Canonical DN, Email address, or GUID.
Example: Get-InformationBarrierRecipientStatus -Identity meganb
This example uses an alias (meganb) for the Identity parameter. This cmdlet returns information that indicates whether the user is affected by an Information Barriers policy. (Look for ExoPolicyId: <GUID>.)
If the users aren't included in Information Barriers policies, contact Microsoft Support. Otherwise, go to the next step.
Determine which segments are included in an Information Barriers policy. To do this, use the Get-InformationBarrierPolicy cmdlet together with the Identity parameter.
Syntax: Get-InformationBarrierPolicy
Use details, such as the policy GUID (ExoPolicyId) you received during the previous step, as an identity value.
Example: Get-InformationBarrierPolicy -Identity b42c3d0f-xyxy-4506-xyxy-bf2853b5df6f
This example provides detailed information about the Information Barriers policy that has ExoPolicyId b42c3d0f-xyxy-4506-xyxy-bf2853b5df6f.
After you run the cmdlet, examine the results for AssignedSegment, SegmentsAllowed, and SegmentsBlocked values.
For example, after you run the Get-InformationBarrierPolicy cmdlet, you see the following in the results:
AssignedSegment : Sales
SegmentsAllowed : {}
SegmentsBlocked : {Research}
In this case, you can see that an Information Barriers policy affects people who are in the Sales and Research segments. People in Sales are prevented from communicating with people in Research.
If this seems correct, then the information barriers are working as expected. If not, go to the next step.
Make sure that your segments are defined correctly. To do this, use the Get-OrganizationSegment cmdlet, and review the list of results.
Syntax: Get-OrganizationSegment
Use this cmdlet with the Identity parameter.
Example: Get-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd
In this example, we're getting information about the segment that has GUID c96e0837-c232-4a8a-841e-ef45787d8fcd.
Review the details for the segment. If necessary, edit a segment, and then reuse the Start-InformationBarrierPoliciesApplication cmdlet.
If you're still having issues when you use your Information Barriers policy, contact Microsoft Support.
Issue: Communication is allowed between users who should be blocked in Teams
Although information barriers are defined, active, and applied, people who shouldn't be able to communicate with each other are able to chat with and call each other in Teams.
What to do
Verify that the users in question are included in an Information Barriers policy.
Use the Get-InformationBarrierRecipientStatus cmdlet together with the Identity and Identity2 parameters.
Syntax: Get-InformationBarrierRecipientStatus -Identity <value> -Identity2 <value>
You can use any value that uniquely identifies each user, such as name, alias, distinguished name, canonical domain name, email address, or GUID.
Example: Get-InformationBarrierRecipientStatus -Identity meganb -Identity2 alexw
This example refers to two user accounts in Microsoft 365: meganb for Megan, and alexw for Alex.
Tip
You can also use this cmdlet for a single user:
Get-InformationBarrierRecipientStatus -Identity <value>
Review the findings. The Get-InformationBarrierRecipientStatus cmdlet returns information about users, such as attribute values and any Information Barriers policies that are applied.
Take your next steps, as described in the following table.
Result: No segments are listed for the selected users
What to do next: Use one of the following methods:
- Assign users to an existing segment by editing their user profiles in Microsoft Entra ID.
- Define a segment by using a supported attribute for information barriers, then either define a new policy or edit an existing policy to include that segment.
- Run the Start-InformationBarrierPoliciesApplication cmdlet to apply all active Information Barriers policies.
Result: Segments are listed but no information barrier policies are assigned to those segments
What to do next: Use one of the following methods:
- Define a new information barrier policy for each applicable segment.
- Edit an existing information barrier policy to assign it to the applicable segment.
- Run the Start-InformationBarrierPoliciesApplication cmdlet to apply all active Information Barriers policies.
Result: Segments are listed and each is included in an information barrier policy
What to do next:
- Run the Get-InformationBarrierPolicy cmdlet to verify that information barrier policies are active.
- Run the Get-InformationBarrierPoliciesApplicationStatus cmdlet to verify that the policies are applied.
- Run the Start-InformationBarrierPoliciesApplication cmdlet to apply all active Information Barriers policies.
Issue: I want to remove a single user from an Information Barriers policy
Information Barriers policies are in effect, and one or more users are unexpectedly blocked from communicating with others in Microsoft Teams. Instead of removing Information Barriers policies altogether, you can remove one or more individual users from Information Barriers policies.
What to do
Information Barriers policies are assigned to segments of users. Segments are defined by using certain attributes in user account profiles. If you must remove a policy from a single user, consider editing that user's profile in Microsoft Entra so that the user is no longer included in a segment that's affected by information barriers.
Use the Get-InformationBarrierRecipientStatus cmdlet together with Identity and Identity2 parameters. This cmdlet returns information about users, such as attribute values and any Information Barriers policies that are applied.
Syntax: Get-InformationBarrierRecipientStatus -Identity <value> -Identity2 <value>
You can use any value that uniquely identifies each user, such as name, alias, distinguished name, canonical domain name, email address, or GUID.
Example: Get-InformationBarrierRecipientStatus -Identity meganb -Identity2 alexw
This example refers to two user accounts in Microsoft 365: meganb for Megan, and alexw for Alex.
Syntax: Get-InformationBarrierRecipientStatus -Identity <value>
You can use any value that uniquely identifies the user, such as name, alias, distinguished name, canonical domain name, email address, or GUID.
Example: Get-InformationBarrierRecipientStatus -Identity jeanp
This example refers to a single account in Microsoft 365: jeanp.
Review the results to learn whether Information Barriers policies are assigned, and to which segments the users belong.
To remove a user from a segment that's affected by information barriers, update the user's profile information in Microsoft Entra ID.
Wait about 30 minutes for the FwdSync operation to finish. Or, run the Start-InformationBarrierPoliciesApplication cmdlet to apply all active Information Barriers policies.
Issue: The Information Barriers application process takes too long
After running the Start-InformationBarrierPoliciesApplication cmdlet, the process takes a long time to finish.
What to do
Keep in mind that when you run the policy application cmdlet, Information Barriers policies are being applied (or removed) user by user for all accounts in your organization. If you have many users, the process takes a while to run. (As a general guideline, it takes about one hour to process 5,000 user accounts.)
Use the Get-InformationBarrierPoliciesApplicationStatus cmdlet to view the status of the most recent policy application.
For the most recent policy application:
Get-InformationBarrierPoliciesApplicationStatus
For all policy applications:
Get-InformationBarrierPoliciesApplicationStatus -All $true
This command displays information about whether a policy application finished, failed, or is in progress.
Depending on the results of the previous step, take one of the following steps.
Status: Not started
Next step: If more than 45 minutes have passed since the Start-InformationBarrierPoliciesApplication cmdlet was run, review your audit log to see whether policy definitions contain any errors, or the application didn't start for some other reason.
Status: Failed
Next step: If the application failed, review your audit log. Also review your segments and policies. Are any users assigned to more than one segment? Are any segments assigned more than one policy? If it's necessary, edit segments or edit policies, and then run the Start-InformationBarrierPoliciesApplication cmdlet again.
Status: In progress
Next step: If the application is still in progress, allow more time for it to finish. If several days have passed since the application was started, gather your audit logs, and then contact Microsoft Support.
Issue: Information Barriers policies aren't applied at all
You have defined segments, defined Information Barriers policies, and tried to apply those policies. However, when you run the Get-InformationBarrierPoliciesApplicationStatus cmdlet, you can see that policy application failed.
What to do
Make sure that your organization doesn't have Exchange address book policies in place. Such policies prevent Information Barriers policies from being applied.
Connect to Exchange Online PowerShell.
Run the Get-AddressBookPolicy cmdlet, and review the results.
Results: Exchange address book policies are listed
Next step: Remove address book policies.
Results: No address book policies exist
Next step: Review your audit logs to determine why the policy application failed. View the status of user accounts, segments, policies, or policy application.
Issue: Information Barriers policy isn't applied to all designated users
After you define segments and Information Barriers policies, and you try to apply those policies, you might learn that the policy is applied to some recipients but not to others. When you run the Get-InformationBarrierPoliciesApplicationStatus cmdlet, search the output for text that resembles the following:
Identity: <application guid>
Total Recipients: 81527
Failed Recipients: 2
Failure Category: None
Status: Complete
What to do
Search in the audit log for <application guid>. You can copy this PowerShell code and modify it by substituting your variables:
$detailedLogs = Search-UnifiedAuditLog -EndDate <yyyy-mm-ddThh:mm:ss> -StartDate <yyyy-mm-ddThh:mm:ss> -RecordType InformationBarrierPolicyApplication -ResultSize 1000 | Where-Object { $_.AuditData.Contains("<application guid>") }
Check the detailed output from the audit log for the values of the UserId and ErrorDetails fields. Doing this provides the reason for the failure. You can copy this PowerShell code and modify it by substituting your variables.
$detailedLogs[1] | FL
For example:
"UserId": User1
"ErrorDetails": "Status: IBPolicyConflict. Error: IB segment "segment id1" and IB segment "segment id2" has conflict and cannot be assigned to the recipient."
Usually, you learn that a user was included in more than one segment. You can fix this issue by updating segment membership. To do this, use the Set-OrganizationSegment cmdlet together with the UserGroupFilter parameter.
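When more than a couple of recipients fail, reading records one at a time with FL doesn't scale. The following is an added example, not part of the original article: a hypothetical helper, Get-IBApplicationFailure, that parses the AuditData JSON of each record for one application GUID and groups the failed users by the pair of conflicting segments. The sample records are constructed; only the UserId and ErrorDetails field names and the error text come from this page, and the key that carries the GUID is a placeholder.

```powershell
# Added example: summarize per-user failures for one policy application run.
# $Records is the kind of output Search-UnifiedAuditLog returns; AuditData is a JSON string.
function Get-IBApplicationFailure {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string]   $ApplicationGuid
    )
    # Pattern follows the ErrorDetails text shown on this page.
    $pattern = 'Status:\s*(?<status>\w+)\.\s*Error:\s*IB segment "(?<a>[^"]+)" and IB segment "(?<b>[^"]+)"'
    foreach ($record in $Records) {
        # Same substring filter the page uses to select one application run.
        if (-not $record.AuditData.Contains($ApplicationGuid)) { continue }
        $data = $record.AuditData | ConvertFrom-Json
        if (-not $data.ErrorDetails) { continue }   # no error recorded for this recipient
        $row = [ordered]@{
            UserId   = $data.UserId
            Status   = 'Unparsed'                   # kept when the text has another shape
            Segments = @()
            Detail   = $data.ErrorDetails
        }
        if ($data.ErrorDetails -match $pattern) {
            $row.Status   = $Matches['status']
            $row.Segments = @($Matches['a'], $Matches['b'])
        }
        [pscustomobject]$row
    }
}

# Constructed sample records (not real tenant data). ExampleApplicationKey is a
# placeholder name; the helper only needs the GUID to appear somewhere in AuditData.
$guid     = '00000000-0000-0000-0000-000000000001'
$conflict = 'Status: IBPolicyConflict. Error: IB segment "segment id1" and IB segment "segment id2" has conflict and cannot be assigned to the recipient.'
$sample = @(
    @{ UserId = 'User1'; ErrorDetails = $conflict; ExampleApplicationKey = $guid },
    @{ UserId = 'User2'; ErrorDetails = '';        ExampleApplicationKey = $guid },
    @{ UserId = 'User3'; ErrorDetails = $conflict; ExampleApplicationKey = '00000000-0000-0000-0000-000000000002' }
) | ForEach-Object { [pscustomobject]@{ AuditData = ($_ | ConvertTo-Json -Compress) } }

# One output row per conflicting segment pair, with the users it affects.
Get-IBApplicationFailure -Records $sample -ApplicationGuid $guid |
    Group-Object { $_.Segments -join ' <-> ' } |
    Select-Object Count, Name, @{ n = 'Users'; e = { $_.Group.UserId -join ', ' } }
```

Against a live tenant, pass the $detailedLogs variable from the search above as -Records in place of $sample.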