Microsoft Teams – Deploy Information barrier policies for your organization.

A year ago Microsoft released information barrier policies as another security enhancement feature in Microsoft Teams. This component lets an organization enforce policies that prevent communication between specific groups of people. It is primarily helpful for organizations in manufacturing and production, where industry standards and guidelines must be followed, usually to avoid conflicts of interest.

Before we actually deploy the information barrier policies, the users need to be segmented. Ideally this starts from the business requirement, which falls into the compliance category, to prevent communication between groups of users in Microsoft Teams. For example, a person from the Marketing team cannot make a call, send instant messages or share their desktop to the Research department. This can apply in both directions or in one direction only. All the sets of users need to be identified, because this determines the number of segments we are going to create for the policy that prevents communication between them.

There are three key elements involved in creating the information barrier policy:

1) Segment the users in your organization.
2) Define Information barrier policies.
3) Apply the information barrier policies.

The following prerequisites need to be met for creating information barrier policies:

1) Users must have one of the following licenses assigned – Microsoft 365 E5, Office 365 E5, Office 365 Advanced Compliance or Microsoft 365 E5 Information Protection and Compliance.

2) Enable scoped directory search for Microsoft Teams

Scoped directory search can be easily enabled from the Teams admin center with the toggle switch shown below.

3) Turn on auditing on the audit log search page in the Security and Compliance center. This is required for troubleshooting information barrier policies. If the option to turn it on is not shown, auditing is already enabled.

4) No address book policy should be enabled if we need this feature. Information barriers are based on address book policies, so an existing address book policy can create a conflict, and the tenant would keep working according to the configured address book policy instead.

5) Grant Admin consent for information barriers in Microsoft Teams.

# Sign in to Azure with an account that is allowed to create service principals
Login-AzureRmAccount
# Application ID of the Information Barrier Processor app
$appId="bcf62038-e005-436d-b970-2a472f8c1982"
# Look up the app's service principal in this tenant and create it if it is missing
$sp=Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
if ($sp -eq $null) { New-AzureRmADServicePrincipal -ApplicationId $appId }
# Open the admin consent page for the app in the default browser
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId"

Once we run the above commands, a global admin with the required privilege needs to grant admin consent to the information barrier processor app. This consent is what allows information barriers to remove people from chat sessions they are not supposed to be in.

6) Ensure that the required user attributes are populated in the user attribute fields, since these are used to identify users and apply the information barrier policy.

In our example we have chosen two ideal candidates and populated the department attribute value, which will be used for segmentation.

Now we need to segment the users so that "Block" policies can prevent the sales group from communicating with the research group.

In order to accomplish this task we need to connect to the Office 365 Security and Compliance PowerShell module.

In our example we take two groups, marketing and research, which should not communicate with each other.

New-OrganizationSegment -Name "Marketing" -UserGroupFilter "Department -eq 'marketing'"

The above command creates a segment containing only users from the marketing department.

In our case we need to create one more segment for the users who belong to the research team:

New-OrganizationSegment -Name "research" -UserGroupFilter "Department -eq 'research'"

Now that the segments are created, the information barrier policies need to be created. A few things must be kept clearly in mind while applying information barrier policies. For instance, two policies cannot be applied to one segment of users. It is always advisable to create an information barrier policy in inactive status first; later we can edit it and apply it to all users.

To block communication between two segments, in our case marketing and research, we need to define two policies. A very important point to note is that each policy blocks communication in one direction only.

New-InformationBarrierPolicy -Name "Marketing-Research" -AssignedSegment "Research" -SegmentsBlocked "Marketing" -State Inactive

Now we need to create another policy that blocks the marketing department from communicating with research.

Activate the information barrier policy:

Set-InformationBarrierPolicy -Identity GUID -State Active

We can verify the information barrier policies we have created to ensure they have the correct values as per our requirement.

Now we need to start applying the information barrier policies with the command below:

Start-InformationBarrierPoliciesApplication

As the output of the above command indicates, we need to wait a while until the deployment completes in our tenant; the application is successful once the status becomes Completed.
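The whole procedure above, from segmentation to checking the application status, as one added script (not the post's own code). It assumes the ExchangeOnlineManagement module's Connect-IPPSSession cmdlet for the Security and Compliance connection, the segment names used above, and two placeholder user principal names for the final check.

```powershell
# Added example: both directions of the Marketing/Research block, reviewed
# before activation. Connect-IPPSSession and the UPNs below are assumptions.
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement)

# 1) Segment the users by the Department attribute populated earlier.
New-OrganizationSegment -Name "Marketing" -UserGroupFilter "Department -eq 'marketing'"
New-OrganizationSegment -Name "Research"  -UserGroupFilter "Department -eq 'research'"

# 2) Define the policies. Each policy blocks one direction only, so a
#    two-way block between Marketing and Research needs two policies.
#    They are created Inactive so they can be reviewed before activation.
New-InformationBarrierPolicy -Name "Marketing-Research" -AssignedSegment "Research" -SegmentsBlocked "Marketing" -State Inactive
New-InformationBarrierPolicy -Name "Research-Marketing" -AssignedSegment "Marketing" -SegmentsBlocked "Research" -State Inactive

# Review: list the policies and refuse to continue if any segment is
# assigned to more than one policy (not supported by information barriers).
$policies = Get-InformationBarrierPolicy
$policies | Select-Object Name, AssignedSegment, SegmentsBlocked, State | Format-Table
$dupes = $policies | Group-Object AssignedSegment | Where-Object Count -gt 1
if ($dupes) { throw "Segment assigned to more than one policy: $($dupes.Name -join ', ')" }

# Activate each policy by its GUID (the Guid property is assumed to be present
# on the returned policy objects, as on other Exchange configuration objects).
foreach ($p in $policies) {
    Set-InformationBarrierPolicy -Identity $p.Guid -State Active
}

# 3) Apply the policies and poll until the application run reports Completed.
Start-InformationBarrierPoliciesApplication
do {
    Start-Sleep -Seconds 60
    $status = Get-InformationBarrierPoliciesApplicationStatus
    Write-Host "Application status: $($status.Status)"
} until ($status.Status -eq 'Completed')

# Confirm which segments two test users ended up in and whether they can
# communicate (placeholder UPNs; replace with real marketing/research users).
Get-InformationBarrierRecipientStatus -Identity user1@contoso.example -Identity2 user2@contoso.example
```

The duplicate-segment check mirrors the rule stated above that two policies cannot be applied to one segment; catching it before activation avoids a failed application run.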

Testing the information barrier policy on a recipient it applies to.

Now, logged in as the user Vijay Raghavan from the Marketing team, an attempt to search for Clen Richard from Research returns an empty result.

However, he is still able to look up other users.

Users covered by this policy will also be unable to add the blocked users to any of their teams.

The same thing happens for the other user, Clen Richard, when he attempts to talk to the user from the Marketing team.

In summary, information barriers add great value to any organization that needs to uphold communication compliance, with a few easy steps from the Office 365 Security and Compliance center, while continuing to use Microsoft Teams. As of now, information barriers apply to Microsoft Teams chats and channels only.
