Creating communication barriers between your Teams users
With Microsoft Ignite bringing us a lot of new features in Microsoft Teams, I thought it was also time to write about one existing Teams feature I like: Information Barrier Policies.
What’s that? IBPs are policies that create boundaries between users so they are not able to communicate with each other, based on specific properties you specify in your policies.
As an example, you could block communications between department A and B but allow both to interact with department C like so:
In this blog I’ve created policies based on group membership, but there are all sorts of properties you can use as criteria for your policies.
What’s very important here is that you use only one of these attributes as the main criterion for all of your policies.
Please take a look here for all of the properties you can use:
To use IBPs you’ll need 2 things:
- Users will need to be assigned one of the following licenses:
  - Microsoft 365 E5/A5
  - Office 365 E5/A5
  - Office 365 Advanced Compliance
  - Microsoft 365 Compliance E5/A5
  - Microsoft 365 Insider Risk Management
- Information Barrier Policies can only be managed by using the Security and Compliance PowerShell Module. In this article you will find the instructions on how to start using this module:
What are we going to do?
- Turn on audit log search
- Set scoped directory search
- Create AAD Groups & Information Segments and block interaction
- Activate the policies
- The End Result
Turn on audit log search
In order to look up the status of a policy application, audit logging must be turned on.
To do this, log in to the Security & Compliance Center and enable Audit Log Search as shown in the video below. You can also do this by using PowerShell commands.
Set scoped directory search
To limit the scope of the search in Teams, you will need to enable scoped directory search.
This will set up Teams to apply the policies during user searches in Teams.
Create AAD Groups & Information Segments and block interaction
Because I’ve used group membership as the criterion for applying the policies, I will create these groups and set the policies’ query to look at the MemberOf property for every user.
When you create the segments, be sure to use only one attribute, as was already mentioned in the first part of this blog.
Activate the policies
After we’ve created the policies they will not be activated directly; we will have to do this ourselves. Then, to process these policies, you will need to create a job for the IBP agent like so:
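The segment, policy, activation and job steps described above, put together as an added example (not the commands from the original post). The segment names, policy names, group addresses and user addresses are hypothetical placeholders, and the session is assumed to be opened with `Connect-IPPSSession` from the ExchangeOnlineManagement module.

```powershell
# Added example: every name and address below is a hypothetical placeholder.
Connect-IPPSSession

# One segment per department, all keyed on the same attribute (MemberOf).
$segments = [ordered]@{
    'Segment-DeptA' = 'dept-a@contoso.example'
    'Segment-DeptB' = 'dept-b@contoso.example'
}
foreach ($name in $segments.Keys) {
    New-OrganizationSegment -Name $name `
        -UserGroupFilter "MemberOf -eq '$($segments[$name])'"
}

# A block policy is one-way, so A<->B needs one policy per direction.
# No policy names department C, so nothing here restricts it.
$policies = @(
    @{ Name = 'DeptA-blocks-DeptB'; Assigned = 'Segment-DeptA'; Blocked = 'Segment-DeptB' },
    @{ Name = 'DeptB-blocks-DeptA'; Assigned = 'Segment-DeptB'; Blocked = 'Segment-DeptA' }
)
foreach ($p in $policies) {
    # Create inactive first so the definitions can be reviewed before they apply.
    New-InformationBarrierPolicy -Name $p.Name -AssignedSegment $p.Assigned `
        -SegmentsBlocked $p.Blocked -State Inactive
}

# Review segments and policies before activation.
Get-OrganizationSegment | Format-List Name, UserGroupFilter
Get-InformationBarrierPolicy | Format-List Name, AssignedSegment, SegmentsBlocked, State

# Activate both directions, then start the job that applies the policies.
foreach ($p in $policies) {
    Set-InformationBarrierPolicy -Identity $p.Name -State Active
}
Start-InformationBarrierPoliciesApplication

# Check job progress (this is where audit logging is needed).
Get-InformationBarrierPoliciesApplicationStatus

# Once the job has completed, confirm the barrier between two test users.
Get-InformationBarrierRecipientStatus -Identity 'user.a@contoso.example' `
    -Identity2 'user.b@contoso.example'
```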
The End Result
As you can see in the video below, when I search for a user who is part of a blocked segment I am not able to find the user.
Because I had a chat session with this user before applying the policy I am still able to see this chat, but it will not allow me to send any more messages to the user.
Searching for the user also doesn’t show them in the results, just like we wanted.
I think Information Barriers are a great way to limit the scope of communications, and the good thing is that it’s supported for all the Microsoft 365 services like Exchange, SharePoint, OneDrive etc.
That’s it for now, please leave a message if you have any questions!