MS Teams Security & Compliance – Information Barrier (IB)

Organizations in financial services, legal, public-sector and professional-services industries are highly concerned about insider risk and are sceptical about security and compliance in the Modern Workplace. Insider risks include loss of intellectual property, fraud, data spillage, violations of a specific department's confidentiality, workplace harassment, regulatory compliance violations, conflicts of interest and more. Microsoft Purview offers insider-risk capabilities such as Communication Compliance, Insider Risk Management, Information Barriers (IB) and Privileged Access Management.


IB is used to restrict any kind of collaboration and Teams communication between two internal segments of users within an organization. IB offers a comprehensive detect, alert and remediate mechanism and applies to the MS Teams, SharePoint Online, OneDrive for Business and Exchange Online workloads.

Key Components of IB

1. User account attributes defined in Azure AD and Exchange Online, such as Department, Job Title and Location.
2. Segments are sets of users created using PowerShell and defined in the Compliance portal, based on selected user account attributes.
3. IB policies determine the communication restrictions. There are two types of IB policies:

a. Block policies: prevent one segment from communicating with another segment.
b. Allow policies: allow one segment to communicate with certain segments only.

4. If you want non-IB users and groups to remain visible to users covered by IB segments and policies, use a block policy. With allow policies, non-IB users and groups are not visible to users covered by IB segments and policies.
5. Modern groups support IB. Distribution lists and security groups are treated as non-IB groups.
6. In an IB-enabled tenant, hidden/disabled user accounts are prevented from communicating with all other user accounts.
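The segment and policy components above, as an added PowerShell example that is not part of the original post. It assumes the ExchangeOnlineManagement module is installed, that the account used holds one of the roles listed under Prerequisites, and that the users concerned have their Azure AD Department attribute set to DeptA or DeptB (the hypothetical departments used later in this post).

```powershell
# Added example (not the author's code): two IB segments built from the
# Department attribute and block policies between them.
# Assumption: ExchangeOnlineManagement module present; Department values 'DeptA'/'DeptB' exist.
Connect-IPPSSession   # Security & Compliance PowerShell, where the IB cmdlets live

# 1. Segments: a user belongs to a segment when the filter on the account attribute matches.
New-OrganizationSegment -Name "DeptA" -UserGroupFilter "Department -eq 'DeptA'"
New-OrganizationSegment -Name "DeptB" -UserGroupFilter "Department -eq 'DeptB'"

# 2. Block policies, one per direction, created Inactive so nothing is enforced
#    until the segment membership has been reviewed.
New-InformationBarrierPolicy -Name "DeptA-DeptB" -AssignedSegment "DeptA" `
    -SegmentsBlocked "DeptB" -State Inactive
New-InformationBarrierPolicy -Name "DeptB-DeptA" -AssignedSegment "DeptB" `
    -SegmentsBlocked "DeptA" -State Inactive

# Allow-policy form, shown for comparison: DeptA may talk to the (hypothetical) DeptC
# segment only. An allow policy and a block policy should not both be assigned to one segment.
# New-InformationBarrierPolicy -Name "DeptA-Allowed" -AssignedSegment "DeptA" `
#     -SegmentsAllowed "DeptC" -State Inactive

# 3. Review before activating: a user may belong to only one segment, and
#    overlapping segment filters cause policy application to fail.
Get-OrganizationSegment | Select-Object Name, UserGroupFilter

# 4. Activate the policies and start applying them. Application is asynchronous,
#    so check the status afterwards rather than assuming users are already segmented.
Set-InformationBarrierPolicy -Identity "DeptA-DeptB" -State Active
Set-InformationBarrierPolicy -Identity "DeptB-DeptA" -State Active
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus
```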


Prerequisites for IB implementation

Roles required to implement IB

1. Microsoft 365 Enterprise Global Administrator
2. Global Administrator
3. Compliance Administrator
4. IB Compliance Management (New Role)


Licensing

If collaboration and communication between Group A and Group B need to be restricted using IB, users in both groups require a license.


The following licenses grant a user the right to benefit from the IB service:

1. Microsoft 365 E5/A5/G5
2. Microsoft 365 E5/A5/G5 Compliance
3. Microsoft 365 E5/A5/G5 Insider Risk Management
4. Office 365 E5/A5/G5


Information Barrier for M365 workloads

When IB policies are applied, they restrict collaboration and communication in both directions. When Department A (DeptA) and Department B (DeptB) are segmented under IB policies, they cannot communicate or collaborate with each other. For example, when DeptA users try to communicate and collaborate with DeptB users, the following activities are restricted.


MS Teams

  1. Search DeptB Users
  2. Add DeptB users to a team
  3. Start Chat session with DeptB users
  4. Start Group chat with DeptB users
  5. Invite DeptB users to join meeting
  6. Screenshare with DeptB users
  7. Place a call with DeptB Users
  8. Share a file with DeptB user
  9. Access to a file through a shared link

SharePoint Online & OneDrive for Business

  1. Adding DeptB user to SharePoint site
  2. Sharing SharePoint site and Content with DeptB user
  3. DeptB user accessing SharePoint Site and content
  4. Search SharePoint site


Key Points

  1. When a Team channel is created, a SharePoint site is created automatically to store its files in the backend. IB policies are not honoured by that SharePoint site by default; IB policies need to be enabled for SharePoint & OneDrive separately.
  2. In MS Teams, teams created before the IB policies were created are by default set to Open mode. Once IB policies are enabled at tenant level, Open mode needs to be converted to Implicit mode to ensure those teams are IB compliant.
  3. Maximum number of segments allowed in an organization – 100
  4. No limit on the number of IB policies that can be configured in an organization
  5. IB policies do not work for federated users. If two segments of IB-enabled users join a meeting organized by an external federated user, IB policies will not restrict communication between segment 1 and segment 2 users.


About the Author:

Surya Pammi is a Technology Enthusiast working as an Infrastructure Architect in Cognizant Technology Solutions. He is MCT Certified and is an MVP aspirant. His technical expertise spans across Microsoft 365, Microsoft SharePoint, MS Teams, MS Viva & Power Platform.

Reference:

Pammi, S. (2022). MS Teams Security & Compliance – Information Barrier (IB). Available at: https://techcommunity.microsoft.com/t5/microsoft-teams-community-blog/ms-teams-security-amp-compliance-information-barrier-ib/ba-p/3594522 [Accessed: 12th September 2022].
