Not too long ago Microsoft introduced the concept of Information barriers for Microsoft Teams. For those of use familiar with the financial industry and governmental (supervisory) bodies, this concept is not new. In my time, these barriers were called “Chinese Walls”. The goal was very simple: people from specific departments were not allowed to share information. This might be because of conflicts of interest with these departments.
A Chinese Wall (or Information Barrier) needs to prevent such sharing of information. As this concept is not new, other measures have been around for some time. Examples include setting specific permissions on storage locations, encryption of information and settings up specific permissions for the content itself.
But these restrictions are either based on the content, location or the person accessing them. It does not restrict people from circumventing the barrier by using Microsoft Teams chat or conversations. And that’s where the new Information Barriers come into play.
Information barriers in Microsoft Teams
This new function uses attributes from the user, for example the department, to determine if information may be shared. At this moment, the restrictions include:
- Disallowing adding certain members to a team;
- Starting a new private chat;
- Inviting a user to join a meeting;
- Initiating a screen sharing;
- Placing a phone call (VOIP).
You’ll notice that that these restrictions do not apply to files. Or, on other words, these files stored in SharePoint and OneDrive are not protected/encrypted or otherwise part of the barrier. You can use the unified labels for that. Also, the functions described here are part of Microsoft Teams. These will not affect the sharing options in either SharePoint and OneDrive – but this is part of the roadmap.
As always, there’s a list of requirements for using this functions. Let’s start with licenses. You’ll need any one of these to use the information barriers:
- Microsoft 365 E5
- Office 365 E5
- Office 365 Advanced Compliance
- Microsoft 365 E5 Compliance
You’ll also need to be either a Global Administrator, Global Administrator or part of IB Compliance Management (and yep, that’s a new role).
Other requirements are:
- Make sure your directory is up to date. Yep, that’s going to be challenge for many an organization. But you will need to make sure that user account attributes, such as group membership and department name are populated correctly in Azure Active Directory/Exchange Online;
- Audit logging must be turned on;
- No address book policies. You’ll need to remove any address book policy or policies in order to make it work;
- You will need PowerShell and the Exchange Online management shell;
- Scope directory search for Teams needs to be turned on. You can find this option in the Org-wide settings of the Teams admin-center.
Let’s try them out….
Let’s set the wheels in motion and set-up an information barrier. To test this out, I’ve got a small organization. It only has two departments and five employees. Both departments are not allowed to exchange information using Microsoft Teams.
Segments and policies
How does the information barrier work? It’s consists of two major components. There are (organizational) segments and barrier policies. The segments contain the users. These users are added based on the attributes in the Azure Active Directory.
In my example I created the segments Operations and Management. To create such a segment, you’ll need this PowerShell cmdlet:
New-OrganizationSegment -name <name> -UserGroupFilter <filter>
You’ll end up with this response.
Make sure that each affected user belongs to one segment. Now we have the segments, we can configure the barriers. In my example, I don’t want my users to communicate either way. So I will need two barriers (Management->Operations and Operations->Management).
To create these barriers, you’ll need to create a barrier policy using this PowerShell cmdlet:
New-InformationBarrierPolicy -name <name> -AssignedSegment <segment_name> -SegmentsBlocked <segment_name> -State Inactive
You’ll end up with this response.
You’ll notice that this policy will not be active. As stated in the screenshot, the information barriers will come in effect when these have been set to Active and the barrier-application has been started. Note the GUID of the policies (you’ll need these).
To set the policies to active and start the barrier-application, you use this PowerShell cmdlet:
Set-InformationBarrierPolicy -Identity <GUID> -State Active Start-InformationBarrierPoliciesApplication
If you don’t remember the GUID of the policies, you can use the Get-InformationBarrierPolicy cmdlet.
It will take some time for the policies to come into effect. I just waited 24 hours, just to be sure. If you want to now the status of the application, just use Get-InformationBarrierPoliciesApplicationStatus.
Ok, time for some test-scenario’s. I’ve used two of my “employees” to test some scenario’s:
- Control and Albert (Operations | Management) try to chat one-on-one;
- Control tries to chat with Peter, George and Connie;
- Control tries to add Connie to an Operations Teams environment.
Let’s start with a simple chat. Control tries to chat with Albert. At the moment he tries to send a message, it is blocked due to the policy. Nice! Let’s see if Control can send an attachment to Albert. But no, the policy won’t allow this either.
If this doesn’t work, let try to create a group chat. This is interesting. I can add people from multiple segments. But when I try to send the message, the magic happens. All recipients which Control cannot interact with are removed from the conversation. So very cool this!
Adding a user to Teams
Right, let’s take a look at a Teams “team” (I’m still not sure how to call this: team, site, space, collaborative-environment). This time it’s Connie how’s doing the work. She wants to add Control to a team. And because of the barriers, this is not possible.
This works for either new or existing teams. But if your existing team was created before the barriers took affect, then there’s no change. So be carefull with that.
Ok, this is pretty cool stuff and it works. You will need PowerShell cmdlets to get it working.
Here’s a few of them:
- Get-InformationBarrierRecipientStatus (this one didn’t work for me)
So, Chinese Walls have come to Microsoft Teams. But it this a watertight solution? No, of course not. For example: I could still exchange information in Teams which contained members of both departments. But these were Teams created before the barriers….
It’s the same argument I always hear when talking about information protection: “people can still take a picture of the document”. And the same goes for this function. Yes, people can:
- still e-mail;
- still talk with each-other at the watercooler;
- use the phone;
- use OneDrive/SharePoint to share files.
But please remember: Chinese Walls (or Information Barriers) are not a purely technical measure. It’s something very common to highly regulated industries. Which also implies that employees working in these organizations are aware of these rules and regulations and the sanctions for non-compliance.
So, are these wall impenetrable? Probably not, but close enough. And for other scenario’s there’s options like unified labeling, data loss prevention and more. And Microsoft’s promising to enhance these functions – it’s still in preview 🙂
There is a lot of information from Microsoft on this new feature. Please see here: