2. @indiacloudsec #ICSS202
SPEAKERS PANEL
Information Barriers in MS Teams
Track 1 (Microsoft 365 Security)
Session Time: 1:30 PM to 2:30 PM IST
Session No. 33672
Nanddeep Nachan, Microsoft MVP, MCT
Smita Nachan, Microsoft MVP, MCT
3. @indiacloudsec #ICSS202
Agenda
• Information Barriers in Microsoft 365
• Information Barriers Configurations
• Segment the users
• Define Information Barrier Policies
• Information Barriers in MS Teams
• Information Barriers in SharePoint and OneDrive
4. @indiacloudsec #ICSS202
Nanddeep Nachan
Office 365 Consultant
Speaker | Author | Blogger
• Pune, India
• Twitter Handle: @NanddeepNachan
• LinkedIn: /in/NanddeepNachan
• Microsoft MVP, MCT
• SharePoint, Microsoft 365, MS Azure
7. @indiacloudsec #ICSS202
Information Barriers (IB) in Microsoft 365
• Allow or prevent communications between groups of users
• Supported in Microsoft Teams, SharePoint Online, and OneDrive for Business.
Image Reference: https://docs.microsoft.com/en-us/microsoftteams/information-barriers-in-teams
8. @indiacloudsec #ICSS202
Information Barriers Scenarios
• Trader group x Marketing team
• Financial organizations
• Trade secret material
• Banking sector
• Sales and Research
• Education
• Legal firm
• Government
• Professional services
9. @indiacloudsec #ICSS202
What happens with IB in MS Teams?
Determine and prevent the following kinds of unauthorized communications:
• Searching for a user
• Adding a member to a team
• Starting a chat session with someone
• Starting a group chat
• Inviting someone to join a meeting
• Sharing a screen
• Placing a call
• Sharing a file with another user
• Accessing a file through a sharing link
10. @indiacloudsec #ICSS202
What happens with IB in SharePoint Online and OneDrive?
Determine and prevent the following kinds of unauthorized collaborations:
• Adding a member to a site
• Accessing site or content by a user
• Sharing site or content with another user
• Searching a site
13. @indiacloudsec #ICSS202
Configure information barriers for Microsoft 365
• Configure prerequisites and permissions
• Segment users in your organization
• Create and configure information barrier policies
• Apply information barrier policies
14. @indiacloudsec #ICSS202
Configure prerequisites and permissions
1. Required licenses
Information barriers are included in the following subscriptions:
• Microsoft 365 E5/A5
• Office 365 E5/A5
• Office 365 Advanced Compliance
• Microsoft 365 Compliance E5/A5
• Microsoft 365 Insider Risk Management
15. @indiacloudsec #ICSS202
Configure prerequisites and permissions
2. Required permissions
To define or edit information barrier policies, you must be assigned one of the following roles:
• Microsoft 365 global administrator
• Office 365 global administrator
• Compliance administrator
• IB Compliance Management
16. @indiacloudsec #ICSS202
Configure prerequisites and permissions
3. Directory Data
The organization's structure must be reflected in Azure AD:
3.1. Attributes for information barrier policies
3.2. Add or update a user's profile information using Azure Active Directory
18. @indiacloudsec #ICSS202
Configure prerequisites and permissions
3.2. Use Profile info in AAD
The organization's structure must be reflected in Azure AD.
Use PowerShell to change properties of user accounts:
Set-AzureADUser
19. @indiacloudsec #ICSS202
Configure prerequisites and permissions
4. Scoped directory search
Enable scoped directory search in Microsoft Teams
Wait for 24 hours
20. @indiacloudsec #ICSS202
Configure prerequisites and permissions
5. EXO license
• EXO license for the target user
6. Audit logging
• Must be turned ON
• https://compliance.microsoft.com/auditlogsearch
21. @indiacloudsec #ICSS202
Configure prerequisites and permissions
7. No address book policies
• Make sure NO Exchange address book policies are in place
8. PowerShell Modules
• Install-Module -Name Az
• Install-Module ExchangeOnlineManagement
• Connect-AzAccount -Tenant "TENANT.onmicrosoft.com"
• Connect-IPPSSession
22. @indiacloudsec #ICSS202
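Configure prerequisites and permissions
9. Admin consent for IB in MS Teams
PowerShell
# Sign in with the Az module (installed in step 8)
Connect-AzAccount -Tenant "<tenant>.onmicrosoft.com"
# App ID of the IB service principal that needs admin consent
$appId = "bcf62038-e005-436d-b970-2a472f8c1982"
# Az cmdlets are used throughout; the AzureAD cmdlets would need a separate Connect-AzureAD session
$sp = Get-AzADServicePrincipal -ServicePrincipalName $appId
# Create the service principal only if it does not exist yet
if ($null -eq $sp) { New-AzADServicePrincipal -ApplicationId $appId }
# Open the admin consent prompt in the browser
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId"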
24. @indiacloudsec #ICSS202
Segment users in your organization
• Determine policies
• List down policies
• "Block" policies
• "Allow" policies
• Identify segments
• List down segments
• Plan segments
• A user can only be in one segment
• Each segment can have only one information barrier policy applied
• Determine AAD attribute to define segments
25. @indiacloudsec #ICSS202
Use Case: Sales - Research - HR
Based on the Department attribute, we will define 3 segments:
1. HR segment
2. Sales segment
3. Research segment
30. @indiacloudsec #ICSS202
Define information barrier policies
• Block communications between segments
• Allow a segment to communicate only with one other segment
31. @indiacloudsec #ICSS202
Use Case: Sales - Research - HR
Based on the segments, we will define 3 policies:
1. Sales Research
2. Research Sales
3. HR Research Sales
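Added example (not from the original slides): the Sales - Research - HR use case carried through segments, policies and policy application in Security & Compliance PowerShell. The block/allow markers on the policy slide did not survive, so the direction of each policy is an assumption (Sales and Research block each other, HR is allowed to reach both), as are the policy names.

```powershell
# Added example. Assumes Connect-IPPSSession has already been run by an account
# holding one of the roles listed under "Required permissions".

# 1. One segment per Department value (a user can only be in one segment).
foreach ($dept in 'HR', 'Sales', 'Research') {
    if (-not (Get-OrganizationSegment | Where-Object Name -eq $dept)) {
        New-OrganizationSegment -Name $dept -UserGroupFilter "Department -eq '$dept'"
    }
}

# 2. Create the policies as Inactive so nothing is enforced before review.
#    ASSUMPTION: policy names and block/allow direction are illustrative.
New-InformationBarrierPolicy -Name 'Sales-Research' -AssignedSegment 'Sales' `
    -SegmentsBlocked 'Research' -State Inactive
New-InformationBarrierPolicy -Name 'Research-Sales' -AssignedSegment 'Research' `
    -SegmentsBlocked 'Sales' -State Inactive
# An allow policy lists the assigned segment itself among the allowed segments.
New-InformationBarrierPolicy -Name 'HR-Allow' -AssignedSegment 'HR' `
    -SegmentsAllowed 'HR', 'Sales', 'Research' -State Inactive

# 3. Guard for the planning rule "each segment can have only one policy".
$dupes = Get-InformationBarrierPolicy |
    Group-Object AssignedSegment |
    Where-Object Count -gt 1
if ($dupes) {
    throw "Segments with more than one policy: $($dupes.Name -join ', ')"
}

# 4. Activate only the three reviewed policies, then start policy application.
foreach ($name in 'Sales-Research', 'Research-Sales', 'HR-Allow') {
    Set-InformationBarrierPolicy -Identity $name -State Active
}
Start-InformationBarrierPoliciesApplication

# 5. Application runs asynchronously; check progress before testing in Teams.
Get-InformationBarrierPoliciesApplicationStatus
```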
43. @indiacloudsec #ICSS202
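PowerShell to manage segments on SharePoint site
PowerShell
# Import modules
Import-Module Az
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-AzAccount -Tenant "TENANT.onmicrosoft.com"
Connect-IPPSSession
# Get the segments (EXOSegmentID is the GUID passed to Set-SPOSite below)
Get-OrganizationSegment | Format-Table Name, EXOSegmentID
# Connect to the SharePoint Online admin center
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"
# Apply the segment to SharePoint / OneDrive site
Set-SPOSite -Identity <site URL> -AddInformationSegment <segment GUID>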
44. @indiacloudsec #ICSS202
Auditing
Audit events available in Office 365 audit logs:
• Segments are added to a site
• Segments are changed on a site
• Segments are removed from a site
45. @indiacloudsec #ICSS202
Site creation and management
• When a segmented user creates a SharePoint site, the site is associated with the user's segment.
• Site owners can add more segments to the site.
• Site owners cannot remove added segments from sites.
46. @indiacloudsec #ICSS202
Segments associated with Microsoft Teams sites
• Segments associated with the team's members are automatically associated with the site within 24 hours.
• SharePoint admins can't change the segments associated with a site when the site is connected to a team.
47. @indiacloudsec #ICSS202
Site Sharing
When a segment is associated with a site:
• The "Anyone with the link" sharing option is disabled.
• The site and its content can be shared only with users whose segment matches that of the site.
• New users can be added to the site as site members only if their segment matches that of the site.
When a site has no segments associated:
• The site and its contents can be shared based on the information barrier policy applied to the user.