Policy-Controlled Access to Teams, SharePoint, and OneDrive
According to the latest version of the product documentation, Microsoft has decided to bundle Information Barriers into all the Office 365 and Microsoft 365 education plans (A1, A3, and A5). I think this is a good idea because there are obviously many situations in education tenants where information barriers might apply. For example, there’s possibly no need for students (like those in a specific year) to communicate outside their peer group. Information barriers can help by imposing blocks in communication flows between different sets of users.
What’s strange about the current state of information barriers is that, despite the dependency on Exchange Online address book policies, the barriers don’t apply to email communications. Information barriers use address book views to create organization segments (groupings) from recipient information stored in Azure AD. However, although Microsoft discussed the implementation of information barriers for Exchange as long ago as the Ignite 2018 conference, their documentation still ignores the topic and focuses on implementation for:
Information barrier policies work by allowing or blocking communication between different organization segments. A segment is a defined set of Azure AD recipients (tenant and guest accounts and mail contacts) created by running a query against the directory. For instance, a segment might include all the students in a specific class or all the accounts in a department or country.
Only a limited set of Azure AD attributes can be included in information barrier queries. If the available attributes can’t isolate the right target group, a workaround is to use the membership of a distribution list or Microsoft 365 group as the basis for a segment. Microsoft’s documentation says that you can pass the name of a group when creating a segment. This has never worked for me. What does work is to pass the external directory object identifier for the group stored in Exchange Online. The identifier points to the Azure AD group. For example:
Get-UnifiedGroup "U.S. Banking Employees" | Select ExternalDirectoryObjectId

ExternalDirectoryObjectId
-------------------------
f4170c40-55d1-469f-afc9-043e1f5a8755

New-OrganizationSegment -Name "U.S. Banking Employees" -UserGroupFilter "MemberOf -eq 'f4170c40-55d1-469f-afc9-043e1f5a8755'"
After creating segments, the next step is to create information barrier policies to define how segments are blocked from communicating with each other (you can also create policies to explicitly allow communication between two segments). For example, let’s assume that we want to use the segment created above to block communications with another segment. We could use this policy:
New-InformationBarrierPolicy -Name "U.S. Banking Employees Block Ireland" -AssignedSegment "U.S. Banking Employees" -SegmentsBlocked "Ireland Banking Employees" -State Inactive
As this policy only blocks communications one-way (from U.S. employees to Irish employees), you’ll need a second policy to block communications in the other direction (from Ireland to the U.S.).
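The full sequence described above (two group-based segments, a policy in each direction, activation, and the background application job) as an added example; this is not code from the original post. It assumes an existing Connect-IPPSSession connection and that the two Microsoft 365 groups named below exist in the tenant; the group and policy names and the two user addresses are placeholders.

```powershell
# Added example, not from the original post. Assumes Connect-IPPSSession has been run
# and that the two Microsoft 365 groups named here exist (names are placeholders).
$usGroupName = "U.S. Banking Employees"
$ieGroupName = "Ireland Banking Employees"

# Resolve each group to its Azure AD object id; that id is what -UserGroupFilter accepts
$usGroupId = (Get-UnifiedGroup -Identity $usGroupName).ExternalDirectoryObjectId
$ieGroupId = (Get-UnifiedGroup -Identity $ieGroupName).ExternalDirectoryObjectId

# Segments built from group membership. A recipient must appear in only one segment.
New-OrganizationSegment -Name $usGroupName -UserGroupFilter "MemberOf -eq '$usGroupId'"
New-OrganizationSegment -Name $ieGroupName -UserGroupFilter "MemberOf -eq '$ieGroupId'"

# Policies are one-way, so each direction needs its own policy. Create them Inactive first
# so both can be reviewed before anything is enforced.
New-InformationBarrierPolicy -Name "U.S. Block Ireland" -AssignedSegment $usGroupName -SegmentsBlocked $ieGroupName -State Inactive
New-InformationBarrierPolicy -Name "Ireland Block U.S." -AssignedSegment $ieGroupName -SegmentsBlocked $usGroupName -State Inactive

# Activate both policies, then start the background job that applies them to accounts
Set-InformationBarrierPolicy -Identity "U.S. Block Ireland" -State Active
Set-InformationBarrierPolicy -Identity "Ireland Block U.S." -State Active
Start-InformationBarrierPoliciesApplication

# The job runs asynchronously; check its status until it reports completion
Get-InformationBarrierPoliciesApplicationStatus -All

# Once applied, confirm whether two specific users (placeholder addresses) are blocked from each other
Get-InformationBarrierRecipientStatus -Identity "us.user@contoso.com" -Identity2 "ie.user@contoso.com"
```

Creating the policies as Inactive and activating them in a separate step makes it possible to inspect both directions with Get-InformationBarrierPolicy before the application job runs, which matters because a missing reverse policy leaves one direction open.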
Blocking Communications Through Policy
Eventually, after background jobs run to resolve the accounts defined in organizational segments and assign address book views to accounts, the information barriers become active. For Teams, this means that:
- Users can’t add members from a blocked segment to a team or channel.
- They can’t add members from a blocked segment to a 1:1 or group chat or meeting.
- Users aren’t allowed to join meetings when other users from blocked segments attend.
- Directory lookup is scoped to stop people finding others in blocked segments.
Information barriers modify the sharing capabilities of SharePoint Online and OneDrive for Business to stop users sharing information with people in blocked segments. In a nutshell, if someone tries to share content with others, they can only do so if the sharing target is allowed by information barriers. SharePoint sites connected to Microsoft 365 groups or teams can only be shared with people in the same organization segment.
The Poorest Piece of Microsoft’s Compliance Toolkit
Information barriers have been around for several years now, and it’s disappointing to see the limited progress Microsoft has made to develop this capability. Unlike the other compliance solutions available to Microsoft 365 tenants, information barriers don’t have a GUI in the Microsoft 365 compliance center (or anywhere else). All management must be done with PowerShell cmdlets from the Exchange Online management module. The error handling and output from some of the cmdlets are unformatted and uninformative. Most of the processing done to apply information barrier policy settings happens in a background job whose activities are as clear as a black box. Although it’s possible to figure out when conflicts occur in policy application, it requires searches against the audit log and resolution of GUIDs to determine what segments and recipients are involved. All in all, information barrier policies are a mess.
Although it’s nice that Microsoft has made information barrier policies available to education tenants, it would be better if they:
- Create a GUI to manage organization segments and information barrier policies in the Microsoft 365 compliance center.
- Provide features such as the ability to test organization segments to show what recipients are in a segment (Adaptive scopes for retention policies can display similar information). In addition, have a way for administrators to see if any conflicts exist with other segments (a recipient must appear only in one segment). None of this is rocket science.
- Make the operation of the information barrier application more transparent and easier to manage, especially in the resolution of any issues thrown up by processing. Perhaps even apply some of the much-vaunted artificial intelligence that’s strewn around Microsoft 365 to help organizations understand and tweak the flow of communications controlled by policy.
- Fix the PowerShell cmdlets so that their error handling is smoother and delivers information to tell administrators how to fix problems.
- Include Exchange Online in the workloads supported by information barrier policies.
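One way an administrator can approximate the missing segment preview and conflict check asked for above, as an added example that is not part of the original post: rerun each segment’s UserGroupFilter through Get-Recipient and flag any recipient that lands in more than one segment. It assumes open Connect-IPPSSession and Connect-ExchangeOnline sessions and that the segment filters use attributes Get-Recipient can filter on (Department, for instance); group-based segments that use a MemberOf filter cannot be previewed this way and are skipped.

```powershell
# Added example, not from the original post. Assumes Connect-IPPSSession (for
# Get-OrganizationSegment) and Connect-ExchangeOnline (for Get-Recipient) are connected.
# Only segments whose filter uses Get-Recipient-filterable attributes can be previewed;
# MemberOf filters (used for group-based segments) are skipped.
$membership = @{}   # recipient identity -> array of segment names it matches

foreach ($segment in Get-OrganizationSegment) {
    if ($segment.UserGroupFilter -match 'MemberOf') {
        Write-Warning "Skipping '$($segment.Name)': MemberOf filters cannot be previewed with Get-Recipient"
        continue
    }
    # The segment filter is an OPATH expression, the same syntax Get-Recipient -Filter takes
    $recipients = @(Get-Recipient -ResultSize Unlimited -Filter $segment.UserGroupFilter)
    Write-Host ("Segment '{0}': {1} recipient(s)" -f $segment.Name, $recipients.Count)
    foreach ($r in $recipients) {
        if (-not $membership.ContainsKey($r.Identity)) { $membership[$r.Identity] = @() }
        $membership[$r.Identity] += $segment.Name
    }
}

# A recipient in two segments is exactly the conflict the background job later reports
# only as GUIDs in the audit log, so surface it here before the policies are applied
$conflicts = $membership.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($conflicts) {
    Write-Host "Recipients assigned to more than one segment:"
    $conflicts | ForEach-Object { "{0}: {1}" -f $_.Key, ($_.Value -join ', ') }
} else {
    Write-Host "No overlapping segment membership found"
}
```

Running this before Start-InformationBarrierPoliciesApplication turns the "recipient must appear in only one segment" rule into a check with readable names rather than a GUID hunt after the fact.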
Demanding Office 365 E5 or Microsoft 365 E5 licenses for a half-baked, unfinished, and problematic solution that’s been generally available for several years is not a good position for Microsoft to be in. It would be better if they fixed the fundamentals of the information barriers solution before expanding those who might have to use it.
Learn more about how Office 365 really works on an ongoing basis by subscribing to the Office 365 for IT Pros eBook. Our monthly updates keep subscribers informed about what’s important across the Office 365 ecosystem. Information barrier policies are covered in the compliance chapter.