On Day 12 of Cybersecurity awareness month, learn how to restrict unauthorized users/groups from communicating with each other using information barriers & enhance security within Microsoft 365.
Stay tuned for more blog posts in our M365 Cybersecurity blog series.
Microsoft 365 offers a robust set of tools to facilitate team collaboration. However, there are instances where it’s crucial to establish boundaries to prevent potential issues. For example, we might want to prevent conflicts of interest that could harm the organization or ensure that employees do not share sensitive information with unauthorized individuals within or outside the environment. To address these concerns, Microsoft 365 provides a solution called information barriers.
In an age where information is power, one’s control over the flow of information is essential.
– Suzy Kassem
As the quote goes, it is important to keep control over user communication to safeguard sensitive information in your organization. Let’s explore how we can effectively utilize this security feature within Microsoft 365 to achieve this.
Understand Information Barriers in Microsoft 365
Microsoft Purview information barriers (IB) will allow/restrict individual users or groups from communicating with each other in Microsoft Teams (chats and channels), SharePoint, and OneDrive. IB can help organizations keep their secrets safe by preventing people from communicating with each other when they shouldn’t. It is especially important in regulated industries, where they follow strict rules about who can share what information. Information barrier policies can also help organizations avoid conflicts of interest.
Prerequisites for Creating and Managing Information Barriers
- You must have one of the following licenses to create an information barrier policy.
- Microsoft 365 E5/A5 subscription
- Office 365 E5/A5/A3/A1 subscription
- Office 365 Advanced Compliance add-on
- Microsoft 365 E3/A3/A1 subscription + the Microsoft 365 E5/A5 Compliance add-on
- Microsoft 365 E3/A3/A1 subscription + the Microsoft 365 E5/A5 Insider Risk Management add-on
- To manage information barrier policies, you need to be assigned any one of the following roles.
- Global administrator
- Compliance administrator
- IB Compliance Management
- Verify that your directory includes data for segmenting users.
- Enable scoped directory search for Microsoft Teams.
- Turn on audit logging.
- Provide admin consent for Microsoft Teams.
- Enable information barrier for SharePoint & OneDrive.
- Make sure no Exchange address book policies are in place.
How do Information Barrier Policies Work?
To understand the functioning of Microsoft 365 information barriers, one needs familiarity with the following objects and concepts.
Information barrier attributes: User account attributes contain information about each user, such as their department, job title, location, member of, etc. These are defined either in Microsoft Entra ID or in Exchange Online.
Segments: Segments in the Microsoft 365 Defender portal are users/groups categorized based on specific user account attributes/group names that you choose. Creating segments is essential to prevent communication between other segments.
Information barrier policies: Allow/block IB policies are used to allow or prevent communication between configured segments.
Policy application: After defining all the policies, the final step is the Information barrier policy application. It takes up to 30 mins for the policy application to start.
Note: If you are changing or removing a policy, as the changes are applied individually to each user account, it may take up to 24 hours to completely update the change in the organization.
How to Implement Information Barriers in Microsoft 365?
Administrators can configure IB using the Microsoft Purview compliance portal or Office 365 Security & Compliance PowerShell. Implementing information barriers requires the following steps.
Step 1: Segment users in your organization.
Step 2: Create IB policies.
Step 3: Apply information barrier policies.
Step 4: Information barrier modes (optional).
For more information on creating and applying IB policies, refer to this link.
How Information Barriers Modes Impact Microsoft 365 User Communication?
Information barrier modes in Microsoft 365 help to control who can access, share, and belong to a resource based on the resource’s information barrier. They are supported across different M365 services. Let’s discuss them one by one.
IB modes | SharePoint | OneDrive | Microsoft Teams | Exchange Online |
Open | Default mode when a SharePoint site doesn’t have segments. Sharing: – The site and its contents can be shared based on the information barrier policy applied to the user. Access: – The user has site access permissions. | When a user who doesn’t belong to any specific segment provisions their OneDrive, the default Information Barrier (IB) mode for the OneDrive site is set to “Open,” and there are no segments assigned to the site. Sharing: – Based on the configured IB policy and sharing setting of OneDrive, a user can share files and folders. Access: – The files must be shared with the user. | Default IB mode before barriers were enabled. In this mode, there are no IB policies applicable. | – |
Owner Moderated | When you create a SharePoint site for collaboration between incompatible segments, you should set the site’s IB mode as Owner Moderated. Sharing: – Option to share with Anyone and company-wide links is disabled in this mode. – The site and its content can be shared with existing members for group-connected sites. – The site and its content can be shared only by the site owner as per their IB policy for non-group connected sites. Access: – The user has site access permissions. | For collaborating with incompatible users in the existence of a site owner/moderator, this mode can be set. Sharing: – Option to share with Anyone and company-wide links is disabled in this mode. – The site and its content can be shared with existing members. -The site and its content can be shared only by the OneDrive owner as per their IB policy. Access: – The user has site access permissions. | The team owner can add new members. | – |
Implicit | By default, when a site is provisioned by Microsoft Teams, the site’s IB mode is set as Implicit. A SharePoint admin/ Global admin can’t manage segments when this mode is on. Sharing: – New users can’t be added to the site directly. The team owner should add the users to team groups. – Option to share with Anyone and company-wide links is disabled in this mode. – The site and its content can be shared with existing members via a sharing link. Access: – The user needs to be part of the Microsoft 365 group linked to that site to access the site contents. The non-members won’t have access. | – | Default IB mode when a Team is provisioned after enabling IB. | – |
Explicit | The site’s IB mode is automatically set to explicit when a segment is added to a SharePoint site either via end-user site creation experience or by a SharePoint Administrator. Sharing: – New users can be added as site members only if their segment matches the segment of the site. – Option to share with Anyone and company-wide links is disabled in this mode. – The site and its content can be shared only with users whose segment matches that of the site. Access: – The user needs to belong to a segment that corresponds to one associated with the site and the user should have access permission to the site to access the respective site content. | When a segmented user sets up their OneDrive account within 24 hours of getting access, their account is set to “Explicit” mode by default. Sharing: – Option to share with Anyone and company links is disabled in this mode. – Files and folders can be shared only with users whose segment matches that of OneDrive. Access: – The user’s segment must match a segment that is associated with OneDrive and the files must be shared with the user. | – | – |
Mixed | – | This mode is applicable only to OneDrive. When segmented users grant permission to unsegmented users to access their OneDrive, the site’s Information Barrier mode can be configured as Mixed. Sharing: – Option to share with Anyone and company links is disabled in this mode. – Files and folders can be shared with users whose segment matches that of OneDrive and unsegmented users in the tenant. Access: – For segmented users, the user’s segment must match the associated OneDrive segment and the files must be shared with the user to gain access. – For unsegmented users, the user must have site access permissions. | – | – |
Single/multi-segment | – | – | – | In single and multi-segment modes, IB is not based on Address Book Policies (ABPs), and existing ABPs don’t have any impact on enabling Information barriers. |
Legacy | – | – | – | In legacy mode, IB policies are built upon ABPs, and existing ABPs must be removed before implementing IB policies to ensure compatibility. |
Note: Prior to enabling information barriers on the tenant, all existing teams and groups will operate in Open Mode. Once information barriers are turned on, any new groups or teams created will be automatically set to Implicit Mode.
How Information Barriers Can Be Used to Strengthen Security in Different Microsoft 365 Services?
Information Barriers in Microsoft Teams
An organization may find it necessary to prevent communication between groups in Teams in order to enhance the security of confidential information for various reasons.
- A team must be prevented from communicating or sharing data with a specific other team.
- A team must not communicate or share data with anyone outside of the team.
Use information barriers in Microsoft Teams to prevent people from collaborating in the following ways:
- Adding a user to a team or channel.
- User access to team or channel content.
- User access to 1:1 and group chats.
- User access to meetings.
- Search restrictions in the people picker.
- Sharing a screen.
- Placing a call.
Note: By default, the people picker restriction is enabled for IB policies. However, it is important to note that organizations in legacy mode don’t support enabling/disabling search restrictions.
Example Scenarios:
Scenario 1: Your organization has two departments, A and B. Department A handles sensitive data, and department B should not be able to access that data. If these two departments communicate directly, there is a risk that sensitive information could be leaked. To prevent user’s department communication in Microsoft Teams, you can segment them using information barriers: one segment for Department A and one segment for Department B. This will prevent users in one department from communicating with users in the other department.
Scenario 2: Suppose you have team A which has shared channels with other teams. Now, if you are trying to add a new user who is restricted from communicating with the members of team A, the user can’t be added to team A as an information barrier policy is in place.
Scenario 3: As the owner of two teams within your organization, Team A and Team B, you are unable to share a channel between the two teams. This restriction applies when there are users in Team B who are blocked from interacting with members of Team A due to an information barriers policy.
Scenario 4: When a meeting organizer, Sarah from HR, invites users from different departments to join a meeting, these invitations are also subjected to IB policy evaluation. For instance, if a Sales user like John is invited, his IB policy is checked against the other attendee’s IB policies. If there is a policy violation, John will not be allowed to join the meeting.
Scenario 5: HR is conducting an internal investigation, and they need to ensure that the involved parties cannot communicate or share information. Information barriers can prevent individuals from engaging in 1:1 or group chats with each other during the investigation period.
Information Barriers in SharePoint and OneDrive
After enabling information barriers for SharePoint and OneDrive, you can effectively identify and block unauthorized collaborations in the following.
Use information barriers with SharePoint to prevent the following kinds of unauthorized collaborations:
- Adding a user to a site.
- Block access to SharePoint site or site content using IB.
- Prevent sharing of SharePoint content with other users using IB.
Use information barriers in OneDrive to prevent the following kinds of unauthorized collaborations:
- User access to OneDrive or stored content.
- Sharing OneDrive or stored content with other users.
Example Scenarios:
Scenario 1: Consider three departments – HR, Sales, and Research. An organization has configured information barriers to block communication between Sales and Research. In this scenario,
- Users in HR can access and share content with HR, Sales, and Research.
- Users in Sales can access and share content only with HR & Sales.
- Users in Research can access and share content only with HR & Research.
Scenario 2: A company with a complex organizational structure can use information barriers to prevent employees from accessing or sharing content with individuals who are not authorized to view it. For example, information barriers could be used to prevent employees from sharing trade secrets with individuals who are not authorized to view them.
Scenario 3: A company is developing a new product, and the product team needs to maintain confidentiality about the product. The company can configure information barriers in SharePoint to prevent employees outside of the product team from accessing or sharing information about the product.
Information Barriers in Exchange Online
Currently, Information Barrier (IB) policies do not offer the capability to limit communication and collaboration between different groups and users within email messages. These policies are exclusively supported in Exchange Online deployments.
Key Points
- Information barrier policies do not support one-way restrictions.
- IB currently doesn’t support distribution lists and security groups.
- Each organization can create up to 100 segments when setting up IB policies. There is no limit to the number of IB policies configured in the organization.
Closing Lines
By understanding and utilizing this valuable security feature, businesses can enhance their information protection strategies within the Microsoft 365 ecosystem. I hope this blog will guide you through the important concepts of information barriers in Microsoft 365. Thanks for reading! For any queries, reach out to us in the comment section.