Configure information barriers in Microsoft Purview
Microsoft Purview Information Barriers (IB) policies can play an integral part in an organization. However, they can also cause issues when improperly configured. For example, if an organization improperly configures an IB policy, it can prevent collaboration when it actually wants to allow collaboration. As such, it's critical that administrators understand the capabilities and consequences of IB policies.
Organizations can configure IB policies using the Microsoft Purview compliance portal or by using Security and Compliance PowerShell. For organizations configuring IB for the first time, Microsoft recommends they use the Information Barriers solution in the Microsoft Purview compliance portal. However, if you're managing an existing IB configuration and you're comfortable using PowerShell, you still have this option.
Configuration concepts
When an organization configures information barriers, it must be familiar with the following objects and concepts:
User account attributes. You define these attributes in Microsoft Entra ID (or Exchange Online). These attributes can include department, job title, location, team name, and other job profile details. You assign users or groups to segments with these attributes. See the list of IB supported attributes for details.
Note
Azure Active Directory (Azure AD) is now Microsoft Entra ID. Learn more.
Segments. Segments are attributes that an administrator uses to define the IB policy for a group. Organizations take these attributes from the list of attributes that a group is part of. For example, an organization defines a segment called HR using a value in the Department attribute. Defining segments doesn't affect users. It just sets the stage for defining and applying information barrier policies.
Information barrier policies. IB policies determine communication limits or restrictions. When you define IB policies, you choose from two kinds of policies:
Block policies. Prevent one segment from communicating with another segment.
Allow policies. Allow one segment to communicate with only certain other segments.
Note
For allow policies, non-IB groups and users won't be visible to users included in IB segments and policies. If you need non-IB groups and users to be visible to users included in IB segments and policies, you must use block policies.
Policy application. After an organization defines all IB policies, it must then apply them.
Visibility of non-IB users and groups. Non-IB users and groups are users and groups excluded from IB segments and policies. Depending on the type of IB policies (block or allow), the behavior for these users and groups differs in Microsoft Teams, SharePoint, OneDrive, and in your global address list.
- Users included in IB segments and policies can't see non-IB groups and users, unless Allow policies include them.
- Users included in IB segments and policies can see non-IB groups and users, even if Block policies include them.
Group support. Information barriers only support Microsoft 365 Groups. The system treats Distribution lists and Security groups as non-IB groups.
Hidden/disabled user accounts. When an organization hides or disables users' accounts, Microsoft Purview automatically sets the HiddenFromAddressListEnabled parameter to True. In IB-enabled organizations, these accounts can't communicate with other user accounts. In Microsoft Teams, it locks all chats that include these accounts, or it automatically removes the users from conversations.
Planning information barrier policies
Organizations must consider the following questions before configuring IB policies:
- What are the legal or industry regulations regarding the groups inside your organization?
- Are there any groups that it should prevent from communicating with another group?
- Are there any groups that it should allow to only communicate with one or two other groups?
These questions can help an organization get a picture on what IB policies they must implement inside their organization. Once they begin creating policies, they can separate the policies into two types:
- Block policies. These policies prevent one group from communicating with another group.
- Allow policies. These policies allow a group to communicate with only certain groups.
When determining how to segment the groups, create a list of policies for each of these two types. Then create a list of segments for your organization.
Configure information barriers for Microsoft 365
Organizations should use the following steps to configure Microsoft Purview Information Barriers.
Step | What's involved |
---|---|
Step 1: Make sure you meet prerequisites. | - Verify that you have the required licenses and permissions. - Verify that your directory includes data for segmenting users. - Enable search by name for Microsoft Teams. - Make sure you turn on audit logging. - Make sure no Exchange address book policies are in place. - Optionally use PowerShell. - Provide administrator consent for Microsoft Teams. |
Step 2: Segment users in your organization. | - Determine what policies you need. - Make a list of segments to define. - Identify which attributes to use. - Define segments in terms of policy filters. |
Step 3: Define information barrier policies. | - Define your policies (don't apply yet). - Choose from two kinds (block or allow). |
Step 4: Apply information barrier policies. | - Set policies to active status. - Run the policy application. - View policy status. |
Step 5: Configuration for information barriers on SharePoint and OneDrive (optional). | - Configure IB for SharePoint and OneDrive. |
Step 6: Information barriers modes (optional). | - Update IB modes if applicable. |
Identify segments
In addition to an organization's initial list of policies, it should make a list of segments. The users that an organization plans to include in IB policies should belong to a segment.
Warning
Plan your segments carefully because a user can only be in one segment. Also, each segment can have only one information barrier policy applied.
An organization should identify the attributes in its directory data that it plans to use to define segments. For example, it can use Department, MemberOf, or any of the supported IB attributes. The organization should ensure that it has values in the attribute it selects for users. If an organization's directory data doesn't have values for the attributes it wants to use, then it must update the user accounts to include that information before it can proceed with configuring IB. For more information, see the supported attributes for IB.
Create IB policies
When an organization creates IB policies, it must determine whether it needs to prevent communications between certain segments or limit communications to certain segments. Ideally, an organization should use the minimum number of IB policies to ensure it's compliant with internal, legal, and industry requirements. Organizations can use the Microsoft Purview compliance portal or PowerShell to create and apply IB policies.
Tip
For user experience consistency, Microsoft recommends using Block policies for most scenarios if possible.
An organization should define its list of user segments and the IB policies it wants to define. It should then select one of the following scenarios and follow the corresponding steps.
- Scenario 1: Block communications between segments.
- Scenario 2: Allow a segment to communicate only with one other segment.
Important
An organization should ensure that as it defines policies, it doesn't assign more than one policy to a segment. For example, if it defines one policy for a segment called Sales, it shouldn't define another policy for the Sales segment. And as it defines IB policies, the organization should ensure that it sets those policies to Inactive status until it's ready to apply them. When an organization defines or edits policies, it doesn't affect users until it sets those policies to Active status and applies them.