Policy-Controlled Access to Teams, SharePoint, and OneDrive
According to the latest version of the product documentation, Microsoft has decided to bundle Information Barriers into all the Office 365 and Microsoft 365 education plans (A1, A3, and A5). I think this is a good idea because there are obviously many situations in education tenants where information barriers might apply. For example, there’s possibly no need for students (like those in a specific year) to communicate outside their peer group. Information barriers can help by imposing blocks in communication flows between different sets of users.
What’s strange about the current state of information barriers is that, despite the dependency on Exchange Online address book policies, the barriers don’t apply to email communications. Information barriers use address book views to create organization segments (groupings) from recipient information stored in Azure AD. However, although Microsoft discussed the implementation of information barriers for Exchange as long ago as the Ignite 2018 conference, their documentation still ignores the topic and focuses on implementation for:
Information barrier policies work by allowing or blocking communication between different organization segments. A segment is a defined set of Azure AD recipients (tenant and guest accounts and mail contacts) created by running a query against the directory. For instance, a segment might include all the students in a specific class or all the accounts in a department or country.
A limited set of Azure AD attributes can be included in information barrier queries. If the available attributes can’t find the right target group, a workaround exists: use the membership of a distribution list or Microsoft 365 group as the basis for a segment. Microsoft’s documentation says that you can pass the name of a group when creating a segment. This has never worked for me. What does work is to pass the external directory object identifier for the group stored in Exchange Online. The identifier points to the Azure AD group. For example:
Get-UnifiedGroup "U.S. Banking Employees" | Select ExternalDirectoryObjectId
ExternalDirectoryObjectId
-------------------------
f4170c40-55d1-469f-afc9-043e1f5a8755
New-OrganizationSegment -Name "U.S. Banking Employees" -UserGroupFilter "MemberOf -eq 'f4170c40-55d1-469f-afc9-043e1f5a8755'"
After creating segments, the next step is to create information barrier policies to define how segments are blocked from communicating with each other (you can also create policies to explicitly allow communication between two segments). For example, let’s assume that we want to use the segment created above to block communications with another segment. We could use this policy:
New-InformationBarrierPolicy -Name "U.S. Banking Employees Block Ireland" -AssignedSegment "U.S. Banking Employees" -SegmentsBlocked "Ireland Banking Employees" -State Inactive
As this policy only blocks communications one-way (from U.S. employees to Irish employees), you’ll need a second policy to block communications in the other direction (from Ireland to the U.S.).
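The steps above (resolve the group identifier, create the segments, create a block policy in each direction, then activate and apply) as one script. This is an added example, not code from the original post: it assumes the ExchangeOnlineManagement module is installed, that the account holds the roles needed for Exchange Online and Security & Compliance PowerShell, and that the two Microsoft 365 groups named here exist; the segment and policy names are constructed for illustration. The symmetry check relies on the AssignedSegment and SegmentsBlocked properties of the policy objects returned by Get-InformationBarrierPolicy, which is an assumption about their output.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement module
# is installed. Get-UnifiedGroup lives in Exchange Online; the information barrier cmdlets
# live in Security & Compliance PowerShell, so both sessions are needed.
Connect-ExchangeOnline
Connect-IPPSSession

# Constructed sample data: segment name -> Microsoft 365 group whose membership defines it.
$SegmentGroups = @{
    "U.S. Banking Employees"    = "U.S. Banking Employees"
    "Ireland Banking Employees" = "Ireland Banking Employees"
}

# Step 1: one segment per group, filtered on the group's Azure AD object id
# (ExternalDirectoryObjectId), because passing the group name does not work reliably.
foreach ($Segment in $SegmentGroups.Keys) {
    $Group  = Get-UnifiedGroup -Identity $SegmentGroups[$Segment] -ErrorAction Stop
    $Filter = "MemberOf -eq '$($Group.ExternalDirectoryObjectId)'"
    if (Get-OrganizationSegment -Identity $Segment -ErrorAction SilentlyContinue) {
        Set-OrganizationSegment -Identity $Segment -UserGroupFilter $Filter
    } else {
        New-OrganizationSegment -Name $Segment -UserGroupFilter $Filter
    }
}

# Step 2: a block policy for each direction, created inactive so nothing applies yet.
$Pairs = @(
    @{ From = "U.S. Banking Employees";    To = "Ireland Banking Employees" },
    @{ From = "Ireland Banking Employees"; To = "U.S. Banking Employees" }
)
$PolicyNames = foreach ($Pair in $Pairs) {
    $Name = "$($Pair.From) Block $($Pair.To)"
    New-InformationBarrierPolicy -Name $Name -AssignedSegment $Pair.From `
        -SegmentsBlocked $Pair.To -State Inactive | Out-Null
    $Name
}

function Test-IBPolicySymmetry {
    # Returns one object per one-way block that has no mirror policy; no output means
    # the configuration is symmetric. Assumption: each policy exposes AssignedSegment and
    # SegmentsBlocked (names) as properties.
    $Blocks = @{}
    foreach ($Policy in Get-InformationBarrierPolicy) {
        foreach ($Blocked in @($Policy.SegmentsBlocked)) {
            $Blocks["$($Policy.AssignedSegment)|$Blocked"] = $Policy.Name
        }
    }
    foreach ($Key in $Blocks.Keys) {
        $From, $To = $Key -split '\|'
        if (-not $Blocks.ContainsKey("$To|$From")) {
            [pscustomobject]@{ Policy = $Blocks[$Key]; From = $From; To = $To }
        }
    }
}

# Step 3: refuse to activate while any block is one-way; the application job rejects
# asymmetric policies anyway, and the error it returns is not easy to read.
$Asymmetric = Test-IBPolicySymmetry
if ($Asymmetric) {
    $Asymmetric | Format-Table -AutoSize
    throw "One-way blocks found; add the reverse policies before activating."
}
foreach ($Name in $PolicyNames) {
    Set-InformationBarrierPolicy -Identity $Name -State Active
}

# Step 4: start the background job and check its status; the segments and address book
# views only take effect once this job has completed.
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus
```

Run Test-IBPolicySymmetry again after any later change to a policy; it is the cheapest way to catch the asymmetry error before the application job reports it.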
Blocking Communications Through Policy
Eventually, after background jobs run to resolve the accounts defined in organizational segments and assign address book views to accounts, the information barriers become active. For Teams, this means that:
Users can’t add members from a blocked segment to a team or channel.
They can’t add members from a blocked segment to a 1:1 or group chat or meeting.
Users aren’t allowed to join meetings when other users from blocked segments attend.
Directory lookup is scoped to stop people finding others in blocked segments.
Information barriers modify the sharing capabilities of SharePoint Online and OneDrive for Business to stop users sharing information with people in blocked segments. In a nutshell, if someone tries to share content with others, they can only do so if the sharing target is allowed by information barriers. SharePoint sites connected to Microsoft 365 groups or teams can only be shared with people in the same organization segment.
The Poorest Piece of Microsoft’s Compliance Toolkit
Information barriers have been around for several years now, and it’s disappointing to see the limited progress Microsoft has made to develop this capability. Unlike the other compliance solutions available to Microsoft 365 tenants, information barriers don’t have a GUI in the Microsoft 365 compliance center (or anywhere else). All management must be done with PowerShell cmdlets from the Exchange Online management module. The error handling and output from some of the cmdlets are unformatted and uninformative. Most of the processing done to apply information barrier policy settings happens in a background job whose activities are as clear as a black box. Although it’s possible to figure out when conflicts occur in policy application, it requires searches against the audit log and resolution of GUIDs to determine what segments and recipients are involved. All in all, information barrier policies are a mess.
Although it’s nice that Microsoft has made information barrier policies available to education tenants, it would be better if they:
Create a GUI to manage organization segments and information barrier policies in the Microsoft 365 compliance center.
Provide features such as the ability to test organization segments to show what recipients are in a segment (Adaptive scopes for retention policies can display similar information). In addition, have a way for administrators to see if any conflicts exist with other segments (a recipient must appear only in one segment). None of this is rocket science.
Make the operation of the information barrier application more transparent and easier to manage, especially in the resolution of any issues thrown up by processing. Perhaps even apply some of the much-vaunted artificial intelligence that’s strewn around Microsoft 365 to help organizations understand and tweak the flow of communications controlled by policy.
Fix the PowerShell cmdlets so that their error handling is smoother and delivers information to tell administrators how to fix problems.
Include Exchange Online in the workloads supported by information barrier policies.
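Microsoft offers no way to test a segment or to find recipients that fall into more than one segment, but an administrator can approximate both checks from PowerShell. The script below is an added example, not part of the original post or of Microsoft’s tooling. It assumes both Exchange Online and Security & Compliance PowerShell are connected, and it assumes a segment’s UserGroupFilter is either a plain "MemberOf -eq '<group object id>'" filter (expanded through the group’s membership) or an attribute filter that Get-Recipient -Filter accepts, such as "Department -eq 'Finance'"; compound filters mixing the two are not handled.

```powershell
# Added example (not from the original post). Assumes Connect-ExchangeOnline and
# Connect-IPPSSession have both been run. Resolves each organization segment to a set of
# recipient object ids and reports any recipient that appears in more than one segment.

function Resolve-IBSegmentMembers {
    param([Parameter(Mandatory)] $Segment)
    $Filter = $Segment.UserGroupFilter
    if ($Filter -match "^MemberOf\s+-eq\s+'([0-9a-fA-F-]{36})'$") {
        # Group-based segment: expand the Microsoft 365 group's membership.
        # Assumption: the link objects expose ExternalDirectoryObjectId.
        Get-UnifiedGroupLinks -Identity $Matches[1] -LinkType Members -ResultSize Unlimited |
            ForEach-Object { $_.ExternalDirectoryObjectId }
    } else {
        # Attribute-based segment: run the same filter against the directory.
        # Assumption: the segment filter syntax is accepted by Get-Recipient -Filter.
        Get-Recipient -Filter $Filter -ResultSize Unlimited |
            ForEach-Object { $_.ExternalDirectoryObjectId }
    }
}

function Find-IBSegmentOverlap {
    # Returns one object per recipient found in two or more segments.
    # Recipients in exactly one segment produce no output.
    $Membership = @{}   # recipient object id -> list of segment names
    foreach ($Segment in Get-OrganizationSegment) {
        foreach ($Id in @(Resolve-IBSegmentMembers -Segment $Segment)) {
            if (-not $Id) { continue }
            if (-not $Membership.ContainsKey($Id)) { $Membership[$Id] = @() }
            $Membership[$Id] += $Segment.Name
        }
    }
    foreach ($Id in $Membership.Keys) {
        if ($Membership[$Id].Count -gt 1) {
            [pscustomobject]@{
                RecipientId = $Id
                Segments    = ($Membership[$Id] -join ', ')
            }
        }
    }
}

# Report overlaps with display names instead of bare GUIDs.
Find-IBSegmentOverlap | ForEach-Object {
    $Recipient = Get-Recipient -Identity $_.RecipientId -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Recipient = if ($Recipient) { $Recipient.DisplayName } else { $_.RecipientId }
        Segments  = $_.Segments
    }
} | Format-Table -AutoSize
```

Running Resolve-IBSegmentMembers on its own against a single segment also serves as the "show me who is in this segment" test that the compliance center lacks; doing it before the policies go active is cheaper than reading the application job’s audit records afterwards.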
Demanding Office 365 E5 or Microsoft 365 E5 licenses for a half-baked, unfinished, and problematic solution that’s been generally available for several years is not a good position for Microsoft to be in. It would be better if they fixed the fundamentals of the information barriers solution before expanding those who might have to use it.
Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem. Information barrier policies are covered in the compliance chapter.
4 Replies to “Microsoft Extends Problematic Information Barriers Solution to All Education Tenants”
I guess it’s another case of native tools being half-baked, which gives third-party vendors an opportunity to sell their solution that covers gaps left by Microsoft. #jobcreation😊
Would like to give my 2 cents on this topic as I am currently concepting compliance design for an education tenant.
1. Found by accident that there is even a GUI integration now in the compliance center.
2. Error handling is still a mess and unformatted – even in the portal it displays the raw error message.
3. The worst caveat on information barriers (at least in my scenario) is that the policies are only supported in a symmetric configuration. On the other hand, this limitation is not completely addressed in managing. Actually you can set up a symmetric setup in the beginning. As soon as you want to modify policies or re-apply them though, you even get errors like “Microsoft.Exchange.Management.Tasks.AsymmetricPoliciesException,IB Policies defined on segment and are not symmetric. Please ensure that the policies are defined two-ways. For example, if there is a policy where Segment1 cannot communicate with Segment2, then there must be another policy where Segment2 cannot communicate with Segment1.”
Especially the last point is unfortunately forcing us to take another approach, when we want to have students blocked from reaching out to teachers but not vice versa.
Not to forget, nice wrap-up on that whole topic, Tony.
Yep, the GUI for Information Barriers is at https://compliance.microsoft.com/ibapplications. It’s a preview, so I didn’t cover it. As far as I can see, the preview is slow and not particularly useful either.