Information Barriers in MS Teams

@indiacloudsec #ICSS202
Presented By
Microsoft 365 , Power Platform &
Cloud Security India User group

SPEAKERS PANEL
Information Barriers in
MS Teams
Track 1 (Microsoft 365 Security)
Session Time: 1:30 PM to 2:30 PM IST
Nanddeep
Nachan
Smita Nachan
Microsoft MVP, MCT Microsoft MVP, MCT
Session No.
33672

Agenda
• Information Barriers in Microsoft 365
• Information Barriers Configurations
• Segment the users
• Define Information Barrier Policies
• Information Barriers in MS Teams
• Information Barriers in SharePoint and OneDrive

Office 365 Consultant
Speaker | Author | Blogger
Nanddeep Nachan
• Pune, India
• Twitter Handle: @NanddeepNachan
• LinkedIn: /in/NanddeepNachan
• Microsoft MVP, MCT
• SharePoint, Microsoft 365, MS Azure

Office 365 Consultant
Speaker | Author | Blogger
Smita Nachan
• Pune, India
• Twitter Handle: @SmitaNachan
• LinkedIn: /in/SmitaNachan
• Microsoft MVP, MCT
• SharePoint, Microsoft 365

Information Barriers in
Microsoft 365

Information Barriers (IB) in Microsoft 365
• Allow or prevent communications between groups of users
• Supported in Microsoft Teams, SharePoint Online, and OneDrive for Business.
Image Reference: https://docs.microsoft.com/en-us/microsoftteams/information-barriers-in-teams

• Trader group x Marketing team
• Financial organizations
• Trade secret material
• Banking sector
• Sales and Research
• Education
• Legal firm
• Government
• Professional services
Information Barriers Scenarios

Determine and prevent the following kinds of unauthorized
communications:
• Searching for a user
• Adding a member to a team
• Starting a chat session with someone
• Starting a group chat
• Inviting someone to join a meeting
• Sharing a screen
• Placing a call
• Sharing a file with another user
• Access to file through sharing link
What happens with IB in MS Teams?

Determine and prevent the following kinds of unauthorized
collaborations:
• Adding a member to a site
• Accessing site or content by a user
• Sharing site or content with another user
• Searching a site
What happens with IB in SharePoint Online
and OneDrive?

Use Case: Sales - Research - HR

Information Barriers
Configurations

Configure information barriers for Microsoft
365
Configure prerequisites and permissions
Segment users in your organization
Create and configure information barrier policies
Apply information barrier policies

Information barriers are included in below subscriptions:
• Microsoft 365 E5/A5
• Office 365 E5/A5
• Office 365 Advanced Compliance
• Microsoft 365 Compliance E5/A5
• Microsoft 365 Insider Risk Management
1. Required licenses
Configure prerequisites and
permissions

To define or edit information barrier policies, you must be assigned one
of the following roles:
• Microsoft 365 global administrator
• Office 365 global administrator
• Compliance administrator
• IB Compliance Management
2. Required permissions
permissions

Organization’s structure must be reflected in Azure AD :
3.1. Attributes for information barrier policies
3.2 Add or update a user's profile information using Azure Active
Directory
3. Directory Data
permissions

List of attributes:
3.1. Attributes for IB policies
permissions

Organization’s structure must be reflected in Azure AD :
3.2. Use Profile info in AAD
permissions
Use PowerShell to change properties of user accounts:
Set-AzureADUser

Enable scoped directory search in Microsoft Teams
4. Scoped directory search
permissions
Wait for 24 hours

• EXO license for the target user
5. EXO license
permissions
• Must be turned ON
• https://compliance.microsoft.com/auditlogsearch
6. Audit logging

• Make sure NO Exchange address book policies are in place
7. No address book policies
permissions
• Install-Module -Name Az
• Install-Module ExchangeOnlineManagement
• Connect-AzAccount -Tenant "TENANT.onmicrosoft.com"
• Connect-IPPSSession
8. PowerShell Modules

9. Admin consent for IB in MS Teams
Configure prerequisites
and permissions
PowerShell
Connect-AzAccount -Tenant "<tenant>.onmicrosoft.com"
$appId = "bcf62038-e005-436d-b970-2a472f8c1982"
$sp = Get-AzureADServicePrincipal -Filter "appid eq '$($appid)'"
if ($sp -eq $null) { New-AzureADServicePrincipal -ApplicationId $appId }
Start-Process
"https://login.microsoftonline.com/common/adminconsent?client_id=$appId"

Segment the users

• Determine policies
• List down policies
• "Block" policies
• "Allow" policies
• Identify segments
• List down segments
• Plan segments
• A user can only be in one segment
• Each segment can have only one information barrier policy applied
• Determine AAD attribute to define segments
Segment users Segment users in your
organization

Based on the
Department attribute,
we will define 3
segments:
1. HR segment
2. Sales segment
3. Research segment

Define HR Segment Segment users in your organization

Define Sales Segment Segment users in your organization

Define Research Segment Segment users in your organization

Define Information
Barrier Policies

• Block communications between segments
• Allow a segment to communicate only with one other segment
Define IB Policies
Define information barrier policies

Based on the
segments, we will
define 3 policies:
1. Sales
Research
2. Research
Sales
3. HR Research
Sales

Policy# 1: Sales Research Define IB policies

Policy# 2: Research Sales Define IB policies

Policy# 3: HR Sales, Research Define IB policies

See all Information barrier policies Define IB policies

Activate IB policies Define IB policies
Wait for 30 minutes for the system to start applying the policies.

Apply active IB policies in the
Microsoft 365 compliance center
Define IB policies

View application status of IB Define IB policies

Test Information Barrier
Policies in MS Teams

Information Barrier Policies
in SharePoint and OneDrive

Enable IB in SharePoint and OneDrive
PowerShell
Set-Spotenant -InformationBarriersSuspension $false
Wait for 1 hour

Manage Segments

PowerShell to manage segments on SharePoint
site
PowerShell
# Import modules
Import-Module Az
Import-Module ExchangeOnlineManagement
Connect-AzAccount -Tenant "TENANT.onmicrosoft.com"
Connect-IPPSSession
# Get the segments
Get-OrganizationSegment | ft Name, EXOSegmentID
# Apply the segment to SharePoint / OneDrive site
Connect-SPOService
Set-SPOSite -Identity <site URL> -AddInformationSegment <segment GUID>

Audit events available in Office 365 audit logs:
• Segments are added to a site
• Segments are changed on a site
• Segments are removed from a site
Auditing

• When a segmented user creates a SharePoint site, the site is
associated with the user's segment.
• Site owners can add more segments to the site.
• Site owners cannot remove added segments from sites.
Site creation and management

Segments associated with Microsoft Teams sites
• Segments associated with the Microsoft Team team's members are
automatically associated with the site within 24 hours.
• SharePoint admins can't change the segments associated with a site
when the site is connected to a team.

Site Sharing
When a segment is associated with a site:
• Share with "Anyone with the link" option is disabled.
• The site and its content can be shared only with users whose segment matches
that of the site.
• New users can be added to the site as site members only if their segment
matches that of the site.
When a site has no segments associated:
• The site and its contents can be shared based on the information barrier policy
applied to the user.

References

References
• https://docs.microsoft.com/en-us/microsoft-
365/compliance/information-barriers
• https://docs.microsoft.com/en-us/MicrosoftTeams/information-barriers-
in-teams
• https://docs.microsoft.com/en-us/onedrive/information-barriers
• https://docs.microsoft.com/en-us/sharepoint/information-barriers

Thank You Sponsors!

Information Barriers in MS Teams

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à Information Barriers in MS Teams

Similaire à Information Barriers in MS Teams (20)

Plus de Nanddeep Nachan

Plus de Nanddeep Nachan (20)

Dernier

Dernier (20)

Information Barriers in MS Teams