Not too long ago Microsoft introduced the concept of Information Barriers for Microsoft Teams. For those of us familiar with the financial industry and governmental (supervisory) bodies, this concept is not new. In my time, these barriers were called “Chinese Walls”. The goal was very simple: people from specific departments were not allowed to share information, typically because of conflicts of interest between those departments.

Chinese Walls

A Chinese Wall (or Information Barrier) needs to prevent such sharing of information. As this concept is not new, other measures have been around for some time. Examples include setting specific permissions on storage locations, encrypting information and setting up specific permissions on the content itself.

But these restrictions are based on the content, its location or the person accessing it. They do not stop people from circumventing the barrier by using Microsoft Teams chat or conversations. And that’s where the new Information Barriers come into play.

Information barriers in Microsoft Teams

This new function uses attributes from the user, for example the department, to determine if information may be shared. At this moment, the restrictions include:

  • Disallowing adding certain members to a team;
  • Starting a new private chat;
  • Inviting a user to join a meeting;
  • Initiating a screen sharing;
  • Placing a phone call (VOIP).

You’ll notice that these restrictions do not apply to files. In other words, files stored in SharePoint and OneDrive are not protected, encrypted or otherwise part of the barrier. You can use unified labels for that. Also, the functions described here are part of Microsoft Teams. They will not affect the sharing options in either SharePoint or OneDrive – but this is part of the roadmap.

Requirements

As always, there’s a list of requirements for using this function. Let’s start with licenses. You’ll need any one of these to use the information barriers:

  • Microsoft 365 E5
  • Office 365 E5
  • Office 365 Advanced Compliance
  • Microsoft 365 E5 Compliance

You’ll also need to be either a Global Administrator or part of IB Compliance Management (and yep, that’s a new role).

Other requirements are:

  1. Make sure your directory is up to date. Yep, that’s going to be a challenge for many an organization. But you will need to make sure that user account attributes, such as group membership and department name, are populated correctly in Azure Active Directory/Exchange Online, because the segments are built from these attributes;
  2. Audit logging must be turned on;
  3. No address book policies. You’ll need to remove any address book policy or policies in order to make it work;
  4. You will need PowerShell and the Exchange Online management shell;
  5. Scope directory search for Teams needs to be turned on. You can find this option in the Org-wide settings of the Teams admin-center.

Let’s try them out…

Let’s set the wheels in motion and set up an information barrier. To test this out, I’ve got a small organization. It only has two departments and five employees. Neither department is allowed to exchange information with the other using Microsoft Teams.

Segments and policies

How does the information barrier work? It consists of two major components: (organizational) segments and barrier policies. The segments contain the users. These users are added based on their attributes in the Azure Active Directory.

In my example I created the segments Operations and Management. To create such a segment, you’ll need this PowerShell cmdlet:

New-OrganizationSegment -Name <name> -UserGroupFilter <filter>

You’ll end up with this response.

Make sure that each affected user belongs to exactly one segment. Now that we have the segments, we can configure the barriers. In my example, I don’t want my users to communicate in either direction. So I will need two barriers (Management->Operations and Operations->Management).

To create these barriers, you’ll need to create a barrier policy using this PowerShell cmdlet:

New-InformationBarrierPolicy -Name <name> -AssignedSegment <segment_name> -SegmentsBlocked <segment_name> -State Inactive

You’ll end up with this response.

You’ll notice that this policy will not be active yet. As stated in the screenshot, the information barriers come into effect only when the policies have been set to Active and the barrier application has been started. Note the GUID of the policies (you’ll need these).

To set the policies to active and start the barrier application, you use these PowerShell cmdlets:

Set-InformationBarrierPolicy -Identity <GUID> -State Active
Start-InformationBarrierPoliciesApplication

You’ll end up with this response.

If you don’t remember the GUID of the policies, you can use the Get-InformationBarrierPolicy cmdlet.

It will take some time for the policies to come into effect. I just waited 24 hours, just to be sure. If you want to know the status of the application, just use Get-InformationBarrierPoliciesApplicationStatus.

Get-InformationBarrierPoliciesApplicationStatus
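The whole procedure above (segments, two policies, activation, application, status check) in one script, as an added example that is not part of the original post. The segment names, the Department attribute values, the policy names and the use of the Guid property on the returned policy objects are assumptions based on the post’s Operations/Management scenario; the cmdlets are run in a Security & Compliance PowerShell session (Connect-IPPSSession from the ExchangeOnlineManagement module).

```powershell
# Added example (not from the original post): end-to-end setup of the two-segment
# barrier described in the post. Segment names, Department values and policy names
# are assumptions following the Operations/Management scenario.

# Information barrier cmdlets live in the Security & Compliance endpoint.
Connect-IPPSSession

# 1. Segments: membership is driven by an Azure AD attribute, here Department.
#    Each affected user must land in exactly one segment, so the filters must be
#    mutually exclusive (a user in both segments makes the policies ambiguous).
New-OrganizationSegment -Name "Operations" -UserGroupFilter "Department -eq 'Operations'"
New-OrganizationSegment -Name "Management" -UserGroupFilter "Department -eq 'Management'"

# Sanity check: both segments exist with the intended filters.
Get-OrganizationSegment | Select-Object Name, UserGroupFilter

# 2. Policies: one per direction, created Inactive first so they can be reviewed
#    before anything is enforced.
$mgmtToOps = New-InformationBarrierPolicy -Name "Management-Operations" `
    -AssignedSegment "Management" -SegmentsBlocked "Operations" -State Inactive
$opsToMgmt = New-InformationBarrierPolicy -Name "Operations-Management" `
    -AssignedSegment "Operations" -SegmentsBlocked "Management" -State Inactive

# 3. Activate both policies by GUID (Guid property assumed from the cmdlet output)
#    and start the application job. Until this runs, nothing is blocked.
foreach ($policy in @($mgmtToOps, $opsToMgmt)) {
    Set-InformationBarrierPolicy -Identity $policy.Guid -State Active
}
Start-InformationBarrierPoliciesApplication

# 4. Check the application status; the post waited 24 hours before testing.
Get-InformationBarrierPolicy | Select-Object Name, Guid, State
Get-InformationBarrierPoliciesApplicationStatus
```

If you do not keep the objects returned by New-InformationBarrierPolicy, the Get-InformationBarrierPolicy call at the end gives you the GUIDs again, which is what the post recommends when you have lost track of them.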

Testing time

Ok, time for some test scenarios. I’ve used two of my “employees” to test some scenarios:

  1. Control and Albert (Operations | Management) try to chat one-on-one;
  2. Control tries to chat with Peter, George and Connie;
  3. Control tries to add Connie to an Operations Teams environment.

One-on-one chat

Let’s start with a simple chat. Control tries to chat with Albert. At the moment he tries to send a message, it is blocked due to the policy. Nice! Let’s see if Control can send an attachment to Albert. But no, the policy won’t allow this either.


One-on-N chat

If this doesn’t work, let’s try to create a group chat. This is interesting. I can add people from multiple segments. But when I try to send the message, the magic happens. All recipients which Control cannot interact with are removed from the conversation. Very cool!


Adding a user to Teams

Right, let’s take a look at a Teams “team” (I’m still not sure what to call this: team, site, space, collaborative environment). This time it’s Connie who’s doing the work. She wants to add Control to a team. And because of the barriers, this is not possible.

(Screenshot: failed to add member)

This works for both new and existing teams. But if your existing team already contained members from both segments before the barriers took effect, then there’s no change: those members are not removed. So be careful with that.

PowerShell rules

Ok, this is pretty cool stuff and it works. You will need PowerShell cmdlets to get it working.

Here’s a few of them:

  • Get-InformationBarrierRecipientStatus (this one didn’t work for me)
  • Get-InformationBarrierPolicy
  • Get-OrganizationSegment

Watertight?

So, Chinese Walls have come to Microsoft Teams. But is this a watertight solution? No, of course not. For example: I could still exchange information in teams which contained members of both departments. But these were teams created before the barriers…

It’s the same argument I always hear when talking about information protection: “people can still take a picture of the document”. And the same goes for this function. Yes, people can:

  • still e-mail;
  • still talk with each other at the watercooler;
  • use the phone;
  • use OneDrive/SharePoint to share files.

But please remember: Chinese Walls (or Information Barriers) are not a purely technical measure. It’s something very common to highly regulated industries. Which also implies that employees working in these organizations are aware of these rules and regulations and the sanctions for non-compliance.

So, are these walls impenetrable? Probably not, but close enough. And for other scenarios there are options like unified labeling, data loss prevention and more. And Microsoft’s promising to enhance these functions – it’s still in preview 🙂

More information

There is a lot of information from Microsoft on this new feature. Please see here:
