Information Barrier Policies and Organization Segments
Microsoft introduced Information Barriers earlier this year as a replacement for address book policies, giving tenants a way to segment accounts within the directory that all Office 365 applications can use. The basic idea is that Information Barrier policies control who can communicate with whom within an Office 365 tenant. Organization segments define sets of users, and policy rules dictate whether segments can communicate with each other.
Teams Has Problems with New Guest Accounts
Exchange Online and Teams are the first applications to support Information Barriers. For Exchange Online, the switch from address book policies to Information Barriers is transparent. Most functionality works smoothly with Teams too, with the notable exception that team owners can’t create a new guest account in the tenant by adding an external user to a team’s membership.
Existing guest accounts don’t cause problems because Teams can check that adding them to a team membership won’t violate a policy. Teams does this by calling the directory services API to check what organization segments the guest belongs to. When an attempt is made to add a new guest, the call fails because the account doesn’t exist in the Exchange Online directory store (EXODS). Teams can’t validate that the barrier is respected, and the attempt fails (Figure 1).
Figure 1: Teams can’t add a new guest account to team membership
Unfortunately, apart from being told that Teams ran into an issue, no clues are given to the team owner as to what went wrong. Despite being told that a problem happened, behind the scenes the guest account is created in the tenant directory and an Azure B2B Collaboration invitation goes to the guest’s email address (Figure 2).
Figure 2: The invitation to join the team arrives in the guest’s mailbox
When the guest tries to redeem the invitation and log into Teams, Azure Active Directory validates the invitation but when Teams starts, the guest discovers that they don’t have membership of the group they were invited to join (Figure 3).
Figure 3: Whoops! No access to the team for the guest
An Easy Workaround
The workaround is simple: create the guest account through the Azure Active Directory portal or by adding them to the membership of the underlying Office 365 group using Outlook or OWA. The addition of the new member will be replicated to Teams and any Information Barrier checks will then be imposed. Microsoft is aware that this situation is unsatisfactory and is working on a fix.
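The workaround above, scripted, as an added example that is not part of the original post. It creates the guest through an Azure B2B invitation (the same thing the Azure AD portal does), waits for the new object to replicate into the Exchange Online directory store, adds it to the group behind the team, and then asks Exchange Online which segment the guest landed in and whether a barrier separates it from an existing member. It assumes the AzureAD and ExchangeOnlineManagement modules are installed and that the guest address, group name and internal user below are placeholders you replace with your own values.

```powershell
# Added example (not from the original post): create a guest outside Teams,
# add it to the team's underlying Office 365 group, and verify the barrier status.
# Placeholders: replace the three values below before running.
$GuestEmail   = 'jane.doe@partner.example'   # external user to invite
$GroupName    = 'Project Falcon'             # the Office 365 group behind the team
$InternalUser = 'bob@contoso.example'        # an existing member to compare against

Connect-AzureAD
Connect-ExchangeOnline

# 1. Create the guest account via an Azure B2B invitation. This is what the
#    Azure AD portal does when you add a guest; the user gets the redemption mail.
$Invite = New-AzureADMSInvitation -InvitedUserEmailAddress $GuestEmail `
    -InviteRedirectUrl 'https://teams.microsoft.com' `
    -SendInvitationMessage $true
Write-Host "Invited guest object id: $($Invite.InvitedUser.Id)"

# 2. Wait for the guest to appear in EXODS. Until it does, neither Teams nor
#    Add-UnifiedGroupLinks can resolve the recipient, which is the root of the
#    failure the post describes. Poll for up to two minutes.
$Recipient = $null
for ($i = 0; $i -lt 12 -and -not $Recipient; $i++) {
    $Recipient = Get-Recipient -Identity $GuestEmail -ErrorAction SilentlyContinue
    if (-not $Recipient) { Start-Sleep -Seconds 10 }
}
if (-not $Recipient) {
    throw "Guest $GuestEmail has not replicated to EXODS yet; retry later."
}

# 3. Add the guest to the group, not to the team. Teams picks the change up from
#    the group membership and applies its Information Barrier check at that point.
Add-UnifiedGroupLinks -Identity $GroupName -LinkType Members -Links $Recipient.Identity

# 4. Confirm the membership actually landed.
$Member = Get-UnifiedGroupLinks -Identity $GroupName -LinkType Members |
    Where-Object { $_.Name -eq $Recipient.Name }
if (-not $Member) {
    throw "Guest $GuestEmail is not a member of $GroupName after the add."
}

# 5. Show which segment the guest is in and whether a policy blocks it from
#    talking to an existing member. An unsegmented guest can talk to anyone, so
#    check this before assuming the barrier is doing what you expect.
Get-InformationBarrierRecipientStatus -Identity $GuestEmail -Identity2 $InternalUser |
    Format-List
```

Run this as a tenant administrator with the Exchange Online roles needed to manage groups. If step 5 reports no segment for the guest, the guest is not covered by any barrier, which is usually the real question when a team owner asks why an external user can or cannot see a team.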
To learn more about Information Barriers, read Chapter 19 of the Office 365 for IT Pros eBook. The book also includes a ton of information about Teams management.
Hi Tony,
Good article – very useful, thanks. I don’t suppose you have any wisdom as to whether it’s a requirement to purchase the relevant compliance SKU or bundle (E5 Compliance or Insider Risk) for each guest user if they are added to segments for Info Barriers? MS have suggested they need to be, but that’s not how most guest access is done (they often say you can have, for instance, five guests per internal licence). For my client, that would add a massive cost if we have to buy a SKU/bundle for every guest. I have your book and was hoping it would be covered in there (great book BTW).
Guest users are licensed for the standard Teams features but once you get into the realms of extended functionality, all bets are off. The relevant guidance for information barriers is at https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-barriers and says “For scenarios in which two groups cannot communicate with each other, users in both groups require a license to benefit from the service (see below example).” From this text, I read it to mean that guests in the relevant groups would need licenses. But feel free to argue the point with your Microsoft licensing specialist…
Thanks Tony. I would read that statement in the same way – it will be a debate with MS – given the cost of the add-ons, it makes a difficult business case if we need to licence all guests. I really appreciate your thoughts on this.
Like any licensing discussion with Microsoft, you might find room for maneuver, especially in the context of an enterprise agreement.
Is there any news on this topic? Seems to me that guest invites make their way to a group membership, but still there is no guest access when following the invitation received by mail.
I haven’t looked into this topic for several years, so I don’t know what the current situation is. If you’re having a problem, report it as a support incident to Microsoft to make sure that they share your pain. It might prompt some work to be done to remove any issues, if they still exist.