Examine information barriers in OneDrive
Microsoft Purview Information Barriers are policies in Microsoft 365 that a compliance administrator can configure to prevent users from communicating and collaborating with each other. This solution is useful if, for example, one division is handling information that it shouldn't share with specific other divisions. Another example is when an organization wants to prevent or isolate a division from collaborating with all users outside of the division.
Organizations often use information barriers in highly regulated industries. Organizations with compliance requirements, such as finance, legal, and government also commonly use them.
For OneDrive, information barriers can determine and prevent the following kinds of unauthorized collaborations:
- User access to OneDrive or stored content.
- Sharing OneDrive or stored content with other users.
Information barriers modes and OneDrive
When an organization enables information barriers on SharePoint and OneDrive, IB policies automatically protect the OneDrive of segmented users. Information barrier modes help strengthen access, sharing, and membership of a OneDrive site based on its IB mode and segments associated with the OneDrive.
SharePoint administrators or Microsoft 365 Global administrators typically set the information barrier mode of OneDrive sites. The site owner may have permissions to configure some settings related to OneDrive, but an administrator with the appropriate permissions must create and manage the Information Barrier policies.
The following table identifies the IB modes that OneDrive supports.
Mode | Description |
---|---|
Open | When a nonsegmented user configures their OneDrive, the site's IB mode is Open by default, and no segments are associated with the site. |
Owner Moderated | When a site's owner/moderator uses OneDrive for collaboration with incompatible users, the administrator can set the OneDrive's IB mode as Owner Moderated. For more information, see Owner Moderated site. |
Explicit | When a segmented user configures their OneDrive, the site's IB mode is set to Explicit by default within 24 hours of enablement. The user's segment, and other segments that are compatible with the user's segment and with each other, get associated with the user's OneDrive. |
Inferred | When an administrator configures a segmented user's OneDrive so that the user can share it with unsegmented users, the admin can set the site's IB mode as Inferred. This mode is an opt-in mode the administrator can set on OneDrive of a segmented user. |
Sharing files from OneDrive
Open
When a OneDrive has no segments and its IB mode is Open:
- The site owner or other users with appropriate permissions can share files and folders based on the information barrier policy applied to the user and the sharing setting for the OneDrive.
Owner Moderated
When an administrator sets a site's IB mode to Owner Moderated:
- The system disables the option to share with Anyone with the link.
- The system disables the option to share with Company-wide link.
- The site owner can share the site and its content with existing members.
- The site owner can only share the site and its content per their IB policy.
Explicit
When a OneDrive has information barriers segments, and an administrator sets its IB mode to Explicit:
- The system disables the option to share with Anyone with the link.
- The system disables the option to share with Company-wide link.
- The site owner or other users with appropriate permissions can only share files and folders with users whose segment matches that of the OneDrive.
Inferred
When a OneDrive has information barriers segments, and an administrator sets its IB mode to Inferred:
- The system disables the option to share with Anyone with the link.
- The system disables the option to share with Company-wide link.
- The site owner or other users with appropriate permissions can share files and folders with users whose segment matches that of the OneDrive and unsegmented users in the tenant.
Accessing shared files from OneDrive
Open mode
When a user wants to access content in a OneDrive that has no segments, and an administrator sets its IB mode to Open:
- The site owner or other users with appropriate permissions must share the files with the user.
Owner Moderated mode
When a user wants to access a SharePoint site, and an administrator sets the IB mode to Owner Moderated:
- The user must have site access permissions.
Explicit mode
When a user wants to access content in a OneDrive that has segments, and an administrator sets its IB mode to Explicit:
- The user's segment must match a segment associated with the OneDrive.
AND
- The site owner or other users with appropriate permissions must share the files with the user.
Note
By default, nonsegmented users can access shared OneDrive files only from other nonsegmented users whose OneDrive IB mode is Open. They can't access shared files from a OneDrive that has one or more segments applied and whose IB mode is Explicit.
Inferred mode
When a segmented user wants to access content in a OneDrive that has segments, and an administrator sets its IB mode to Inferred:
- The user's segment must match a segment associated with the OneDrive.
AND
- The site owner or other users with appropriate permissions must share the files with the user.
When an unsegmented user wants to access content in a OneDrive that has segments, and an administrator sets its IB mode to Inferred:
- The user must have site access permissions.
Example scenario
The following example illustrates three segments at Contoso: HR, Sales, and Research. Contoso's SharePoint administrator created an information barrier policy that blocks communication and collaboration between the Sales and Research segments.
When a segment is applied to a user, the system automatically associates that segment with the user's OneDrive within 24 hours. Other segments deemed compatible with the user's segment and with each other also get associated with the OneDrive. A OneDrive site can have up to 100 segments associated with it. A Global or SharePoint administrator can manage these segments using PowerShell.
The following table shows the effects of this example configuration at Contoso.
Components | HR users | Sales users | Research users | Nonsegment users |
---|---|---|---|---|
Segments associated with OneDrive | HR | Sales, HR | Research, HR | None |
IB mode on OneDrive | Explicit | Explicit | Explicit | Open |
Share OneDrive content with... | HR only | Sales and HR | Research and HR | Anyone based on the sharing settings selected. |
Who can access OneDrive | HR only | Sales and HR | Research and HR | Anyone the administrator shared the content with. |
Enable SharePoint and OneDrive information barriers in your organization
SharePoint administrators or Global administrators can enable information barriers in SharePoint and OneDrive in an organization. They can enable information barriers for SharePoint and OneDrive in a single action. They can't enable information barriers separately for each service. Complete the following steps to enable information barriers for your organization:
Download and install the latest version of SharePoint Online Management Shell.
Connect to SharePoint Online as a global admin or SharePoint admin in Microsoft 365.
To enable information barriers in SharePoint and OneDrive, run the following command:
Set-SPOTenant -InformationBarriersSuspension $false
After you enable information barriers for SharePoint and OneDrive in your organization, wait for approximately 1 hour for the changes to take effect.
If you enabled information barriers for SharePoint in your organization before March 15, 2022, the default access and sharing control for Implicit mode Microsoft Teams-connected sites is based on the segments associated with the site.
To enable Microsoft 365 group-membership based access and sharing control for all Implicit mode Teams-connected sites in your tenant, run the following command:
Set-SPOTenant -IBImplicitGroupBased $true
If you have Microsoft 365 Multi-Geo, you must run this command for each of your geo-locations.
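The enablement steps above, carried through as one PowerShell session with a read-back check. This is an added example, not code from the page or from Microsoft's documentation. It assumes the SharePoint Online Management Shell is installed, that `contoso` is a placeholder tenant name, and that Get-SPOTenant exposes the InformationBarriersSuspension and IBImplicitGroupBased settings for reading (an assumption; the page only shows them being set).

```powershell
# Added example: enable information barriers for SharePoint and OneDrive and
# confirm the tenant setting took. 'contoso' is a placeholder tenant name.
# Requires the SharePoint Online Management Shell and a SharePoint admin or
# Global admin account.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Enabling means clearing the suspension flag (the page's command).
Set-SPOTenant -InformationBarriersSuspension $false

# Read the setting back. Assumption: Get-SPOTenant exposes the same property.
$tenant = Get-SPOTenant
if ($tenant.InformationBarriersSuspension) {
    throw "InformationBarriersSuspension is still true; information barriers are not enabled."
}
Write-Host "Information barriers enabled. Allow about an hour before testing access."

# Optional: group-membership based control for Implicit mode Teams-connected
# sites (relevant to tenants that enabled IB before March 15, 2022).
# Set $useGroupBased to $true to apply it; with Multi-Geo, repeat per geo-location.
$useGroupBased = $false
if ($useGroupBased) {
    Set-SPOTenant -IBImplicitGroupBased $true
    $tenant = Get-SPOTenant
    if (-not $tenant.IBImplicitGroupBased) {
        throw "IBImplicitGroupBased was not applied."
    }
}
```

The read-back matters because the change is asynchronous: the page says to wait about an hour, and the tenant flag is the only thing you can confirm immediately.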
Manage segments on a user's OneDrive
Caution
If the segments associated with a user's OneDrive don't match the segment applied to the user, the user won't be able to access their OneDrive. Be careful not to associate any segments with the OneDrive of a nonsegment user.
Warning
If the user's segment changes, your changes may get overwritten.
To associate a segment with a OneDrive, run the following command in the SharePoint Online Management Shell. A OneDrive can have up to 100 associated segments.
Set-SPOSite -Identity <site URL> -AddInformationSegment <segment GUID>
For example:
Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com -AddInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111
When you add segments to a OneDrive, the system automatically sets the site's IB mode to Explicit. An error appears if you attempt to associate a segment that isn't compatible with the existing segments on the OneDrive.
To remove a segment from a OneDrive, run the following command.
Set-SPOSite -Identity <site URL> -RemoveInformationSegment <segment GUID>
For example:
Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com -RemoveInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111
If an administrator removes all the segments of a OneDrive site, the system automatically sets the IB mode of the OneDrive site to Open.
Effects of changes to user segments
If a user's segment changes, OneDrive automatically updates the segment and IB mode within 24 hours.
Example 1: User's segment updated from Research to Sales. The user's OneDrive appears as follows within 24 hours:
- Segment: Sales, HR
- IB mode: Explicit
Example 2: User's segment updated from HR to None. The user's OneDrive appears as follows within 24 hours:
- Segment: None
- IB mode: Open
Effects of changes to information barrier policies
If a compliance administrator changes an existing policy, the change may affect the compatibility of the segments associated with the OneDrive.
For example, segments that were once compatible may no longer be compatible. A SharePoint admin must change the segments associated with an affected site accordingly. Learn how to create an information barriers policy compliance report in PowerShell.
If a policy changes after you share files, do the sharing links still work? Only if the user attempting to access the shared files has a segment applied that matches a segment associated with the OneDrive.
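When a policy or segment change lands, the admin needs to know which OneDrive sites are affected before changing their segments. The following inventory script is an added example, not the page's or Microsoft's own code. It assumes Connect-IPPSSession and Connect-SPOService have already been run, that `contoso` is a placeholder tenant, and that each site must be re-read by Identity because the bulk listing does not reliably carry the IB properties (an assumption). The drift flags come only from the rules stated on this page.

```powershell
# Added example (not the page's code): inventory every OneDrive's IB mode and
# segment names so an admin can spot sites to fix after a policy or segment
# change. Assumes Connect-IPPSSession and Connect-SPOService were already run.

# Segment GUID -> name map from Security & Compliance PowerShell.
$nameByGuid = @{}
Get-OrganizationSegment | ForEach-Object { $nameByGuid[[string]$_.EXOSegmentId] = $_.Name }

# All personal (OneDrive) sites in the tenant.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$report = foreach ($s in $oneDrives) {
    # Re-read by Identity so InformationSegment/InformationBarriersMode are populated (assumption).
    $site  = Get-SPOSite -Identity $s.Url
    $guids = @($site.InformationSegment | ForEach-Object { [string]$_ })
    $names = $guids | ForEach-Object { if ($nameByGuid[$_]) { $nameByGuid[$_] } else { "unknown:$_" } }
    $mode  = [string]$site.InformationBarriersMode

    # Drift flags derived from the rules on this page:
    #  - Open and Owner Moderated sites have no segments
    #  - Explicit and Inferred sites require segments
    $flags = @()
    if ($mode -eq 'Open' -and $guids.Count -gt 0)           { $flags += 'Open-with-segments' }
    if ($mode -eq 'OwnerModerated' -and $guids.Count -gt 0) { $flags += 'OwnerModerated-with-segments' }
    if ($mode -eq 'Explicit' -and $guids.Count -eq 0)       { $flags += 'Explicit-without-segments' }
    if ($mode -eq 'Inferred' -and $guids.Count -eq 0)       { $flags += 'Inferred-without-segments' }
    # A GUID with no matching segment means the segment was deleted or the map is stale.
    if ($names -match '^unknown:')                          { $flags += 'segment-guid-not-in-directory' }

    [pscustomobject]@{
        Url      = $site.Url
        Mode     = $mode
        Segments = ($names -join ', ')
        Flags    = ($flags -join ', ')
    }
}

# Flagged sites first; keep a CSV for the change record.
$report | Sort-Object Flags -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\onedrive-ib-inventory.csv -NoTypeInformation
```

Segment compatibility itself is defined by the information barrier policies, which this script does not evaluate; it gives the SharePoint admin the per-site segment names needed to compare against the compliance administrator's updated policy.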
View the segments associated with a user's OneDrive
A global or SharePoint admin can view and change the segments associated with a user's OneDrive.
Connect to the Security & Compliance PowerShell as a Microsoft 365 Global administrator.
Run the following command to get the list of segments and their GUIDs.
Get-OrganizationSegment | ft Name, EXOSegmentID
Save the list of segments. The following table identifies the segments for the Contoso scenario that this training unit presented earlier.
Name | EXOSegmentId |
---|---|
Sales | a9592060-c856-4301-b60f-bf9a04990d4d |
Research | 27d20a85-1c1b-4af2-bf45-a41093b5d111 |
HR | a17efb47-e3c9-4d85-a188-1cd59c83de32 |
If not previously completed, download and install the latest SharePoint Online Management Shell. If you installed a previous version of the SharePoint Online Management Shell, follow the instructions in the Enable SharePoint and OneDrive information barriers in your organization article.
Connect to SharePoint as a global admin or SharePoint admin in Microsoft 365.
Run the following command:
Get-SPOSite -Identity <site URL> | Select InformationSegment
For example:
Get-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com | Select InformationSegment
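The "Manage segments on a user's OneDrive" and "View the segments associated with a user's OneDrive" procedures above, combined into a small set of functions that work with segment names instead of raw GUIDs. This is an added example, not the page's or Microsoft's code. It assumes both modules are installed, that `contoso` and the John_contoso_onmicrosoft_com OneDrive are placeholders, and that InformationSegment is a collection of segment GUIDs (as the page's own output implies). The add function refuses unknown names and surfaces the incompatibility error the page describes instead of leaving the site half-changed.

```powershell
# Added example (not the page's code): resolve segment names to GUIDs, inspect
# a user's OneDrive, and add or remove a segment with the page's caution in mind:
# a segment set that does not match the user's own segment locks the user out.

# 1. Segment name <-> GUID maps from Security & Compliance PowerShell.
Connect-IPPSSession
$segmentByName = @{}
$nameByGuid    = @{}
Get-OrganizationSegment | ForEach-Object {
    $segmentByName[$_.Name]              = [string]$_.EXOSegmentId
    $nameByGuid[[string]$_.EXOSegmentId] = $_.Name
}

# 2. SharePoint side ('contoso' is a placeholder tenant).
Connect-SPOService -Url https://contoso-admin.sharepoint.com
$oneDrive = 'https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com'

function Get-OneDriveSegments {
    param([string]$SiteUrl)
    $site = Get-SPOSite -Identity $SiteUrl
    # InformationSegment holds GUIDs; pair each with its name for readability.
    @($site.InformationSegment) | ForEach-Object {
        $g = [string]$_
        [pscustomobject]@{ Guid = $g; Name = $nameByGuid[$g]; Mode = $site.InformationBarriersMode }
    }
}

function Add-OneDriveSegmentByName {
    param([string]$SiteUrl, [string]$SegmentName)
    $guid = $segmentByName[$SegmentName]
    if (-not $guid) { throw "Unknown segment '$SegmentName'." }
    $current = @((Get-SPOSite -Identity $SiteUrl).InformationSegment | ForEach-Object { [string]$_ })
    if ($current -contains $guid) {
        Write-Host "$SegmentName is already associated with $SiteUrl"
        return
    }
    # The service rejects a segment that is incompatible with the existing ones;
    # catch that error rather than letting the script continue silently.
    try {
        Set-SPOSite -Identity $SiteUrl -AddInformationSegment $guid -ErrorAction Stop
        Write-Host "Added $SegmentName; the site's IB mode is now Explicit."
    } catch {
        Write-Warning "Could not add $SegmentName (incompatible with existing segments?): $($_.Exception.Message)"
    }
}

function Remove-OneDriveSegmentByName {
    param([string]$SiteUrl, [string]$SegmentName)
    $guid = $segmentByName[$SegmentName]
    if (-not $guid) { throw "Unknown segment '$SegmentName'." }
    Set-SPOSite -Identity $SiteUrl -RemoveInformationSegment $guid -ErrorAction Stop
    # Removing the last segment flips the site back to Open mode.
}

# Usage: show the current state, add the HR segment, show the result.
Get-OneDriveSegments -SiteUrl $oneDrive | Format-Table
Add-OneDriveSegmentByName -SiteUrl $oneDrive -SegmentName 'HR'
Get-OneDriveSegments -SiteUrl $oneDrive | Format-Table
```

Because a later change to the user's own segment can overwrite manual associations (the page's warning), re-run Get-OneDriveSegments after the 24-hour window before relying on a manual change.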
Manage the IB mode of a user's OneDrive
To view the IB mode of a OneDrive site, run the following command in the SharePoint Online Management Shell as a SharePoint admin or global administrator:
Get-SPOSite -Identity <site URL> | Select InformationBarriersMode
For example:
Get-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com | Select InformationBarriersMode
An organization's SharePoint admin or global administrator can also change the IB mode of a OneDrive site to one of the other IB modes to meet the needs of the organization.
Set the IB mode to Owner Moderated mode
Owner Moderated mode allows users from incompatible segments to access a OneDrive; for example, when you want both Sales and Research segment users to access an HR user's OneDrive. It applies to a OneDrive site where a moderator (the site owner) is present to control access, and only the site owner can invite incompatible segment users to the site.
To update a OneDrive site IB mode to Owner Moderated, run the following PowerShell command:
Set-SPOSite -Identity <site URL> -InformationBarriersMode OwnerModerated
You can't set a OneDrive site to Owner Moderated IB mode on a site with segments. You must remove the segments before setting the IB mode as Owner Moderated. Users can access an Owner Moderated site if they have site access permissions. Only the site owner of an Owner Moderated OneDrive site can share its contents per their IB policy.
Set the IB mode to Inferred mode
Inferred mode allows unsegmented users to access a OneDrive associated with segments. For example, you want to allow HR segment and unsegmented users to access an HR user's OneDrive. Inferred mode is applicable to a OneDrive site that allows segmented and unsegmented users access to OneDrive.
To update a OneDrive site IB Mode to Inferred, run the following PowerShell command:
Set-SPOSite -Identity <site URL> -InformationBarriersMode Inferred
You can't set Inferred IB mode on a site without segments. You must add segments before setting the IB mode as Inferred.
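The two mode changes above share a precondition pattern: Owner Moderated requires a site with no segments, Inferred requires a site that already has them. The function below enforces both before calling Set-SPOSite and reads the mode back afterwards. It is an added example, not the page's or Microsoft's code; it assumes an existing Connect-SPOService session and uses the page's John_contoso_onmicrosoft_com URL as a placeholder.

```powershell
# Added example (not the page's code): change a OneDrive's IB mode only after
# checking the precondition the page states for that mode.
#  - OwnerModerated: the site must have no segments (remove them first).
#  - Inferred: the site must already have segments.
# Assumes Connect-SPOService has been run; the URL below is a placeholder.
function Set-OneDriveIBMode {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,
        [Parameter(Mandatory)][ValidateSet('OwnerModerated', 'Inferred')][string]$Mode,
        [switch]$RemoveSegmentsIfNeeded
    )
    $site     = Get-SPOSite -Identity $SiteUrl
    $segments = @($site.InformationSegment | ForEach-Object { [string]$_ })

    switch ($Mode) {
        'OwnerModerated' {
            if ($segments.Count -gt 0) {
                if (-not $RemoveSegmentsIfNeeded) {
                    throw "$SiteUrl has $($segments.Count) segment(s); Owner Moderated requires none. Re-run with -RemoveSegmentsIfNeeded."
                }
                # Explicit opt-in: stripping segments widens who the owner may admit.
                foreach ($g in $segments) {
                    Set-SPOSite -Identity $SiteUrl -RemoveInformationSegment $g -ErrorAction Stop
                }
            }
        }
        'Inferred' {
            if ($segments.Count -eq 0) {
                throw "$SiteUrl has no segments; add the user's segment with -AddInformationSegment before setting Inferred."
            }
        }
    }

    Set-SPOSite -Identity $SiteUrl -InformationBarriersMode $Mode -ErrorAction Stop

    # Read the mode back so the caller sees what the service actually stored.
    [string](Get-SPOSite -Identity $SiteUrl).InformationBarriersMode
}

# Usage (placeholder OneDrive URL from the page):
$url = 'https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com'
Set-OneDriveIBMode -SiteUrl $url -Mode Inferred
```

Keeping segment removal behind an explicit switch is deliberate: the page notes that removing all segments sets the site to Open, and an Open or Owner Moderated site no longer has the segment-based access check, so that step should never happen as a side effect.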