Information barriers attributes

Certain attributes in Azure Active Directory can be used to segment users in information barriers (IB). Once segments are defined, those segments can be used as filters for IB policies. For example, you might use Department to define segments of users by department within your organization (assuming no single employee works for two departments at the same time).

This article describes how to use attributes with information barriers, and it provides a list of attributes that can be used. To learn more about information barriers, see the following resources:

Tip

If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

How to use attributes in IB policies

The attributes listed in this article can be used to define or edit segments of users. Your defined segments serve as parameters (called UserGroupFilter values) in IB policies.

  1. Determine which attribute you want to use to define segments. (See the Reference section in this article.)

  2. Make sure the user accounts have values filled in for the attribute(s) you selected in Step 1. View user account details, and if necessary, edit user accounts to include attribute values.

  3. Define segments using PowerShell, similar to the following examples:

    Example Cmdlet
    Define a segment called Segment1 using the Department attribute New-OrganizationSegment -Name "Segment1" -UserGroupFilter "Department -eq 'Department1'"
    Define a segment called SegmentA using the MemberOf attribute (suppose this attribute contains group names, such as "BlueGroup") New-OrganizationSegment -Name "SegmentA" -UserGroupFilter "MemberOf -eq 'BlueGroup'"
    Define a segment called DayTraders using ExtensionAttribute1 (suppose this attribute contains job titles, such as "DayTrader") New-OrganizationSegment -Name "DayTraders" -UserGroupFilter "ExtensionAttribute1 -eq 'DayTrader'"

    Tip

    When you define segments, use the same attribute for all your segments. For example, if you define some segments using Department, define all of the segments using Department. Don't define some segments using Department and others using MemberOf. Make sure your segments do not overlap; each user should be assigned to exactly one segment.

Reference

The following table lists the attributes that you can use with information barriers.

Azure Active Directory property name
(LDAP display name)
Exchange property name
Co Co
Company Company
Department Department
ExtensionAttribute1 CustomAttribute1
ExtensionAttribute2 CustomAttribute2
ExtensionAttribute3 CustomAttribute3
ExtensionAttribute4 CustomAttribute4
ExtensionAttribute5 CustomAttribute5
ExtensionAttribute6 CustomAttribute6
ExtensionAttribute7 CustomAttribute7
ExtensionAttribute8 CustomAttribute8
ExtensionAttribute9 CustomAttribute9
ExtensionAttribute10 CustomAttribute10
ExtensionAttribute11 CustomAttribute11
ExtensionAttribute12 CustomAttribute12
ExtensionAttribute13 CustomAttribute13
ExtensionAttribute14 CustomAttribute14
ExtensionAttribute15 CustomAttribute15
MSExchExtensionCustomAttribute1 ExtensionCustomAttribute1
MSExchExtensionCustomAttribute2 ExtensionCustomAttribute2
MSExchExtensionCustomAttribute3 ExtensionCustomAttribute3
MSExchExtensionCustomAttribute4 ExtensionCustomAttribute4
MSExchExtensionCustomAttribute5 ExtensionCustomAttribute5
MailNickname Alias
PhysicalDeliveryOfficeName Office
PostalCode PostalCode
ProxyAddresses EmailAddresses
StreetAddress StreetAddress
TargetAddress ExternalEmailAddress
UsageLocation UsageLocation
UserPrincipalName UserPrincipalName
Mail WindowsEmailAddress
Description Description
MemberOf MemberOfGroup

Resources