Create an information barriers policy compliance report

If a compliance administrator changes an existing information barriers policy, the change might affect the compatibility of segments already associated with a site.

For example, a policy might allow communication and collaboration between the Sales and Research segments. Later, the policy might not allow communication and collaboration between these segments. The segments are incompatible and shouldn't be associated with the same site.

The SharePoint information barriers policy compliance report lets SharePoint Administrators view the list of sites that are noncompliant with existing policies. The report covers these sites:

  • Microsoft 365 group-connected team sites that aren't connected to Microsoft Teams
  • Communication sites
  • Modern team sites that aren't connected to Microsoft 365 groups
  • OneDrive

The report displays the list of sites that are noncompliant per the existing policies which were recently updated. For each noncompliant site, it shows compatible segments, incompatible segments, and invalid segments (those segments that no longer exist)

If a OneDrive is noncompliant, this report lets you update the OneDrive to be compliant with the latest IB policies in your organization.

Note

You only need to run this report if information barriers policies are changed. Depending on the number of sites in your organization, it can take a long time for this report to run.

Run the report

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

  1. Download the latest SharePoint Online Management Shell.

    Note

    If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell".

  2. Connect to SharePoint Online as a Global Administrator or SharePoint Administrator in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.

  3. Run the following command to build the report:

    Start-SPOInformationBarriersPolicyComplianceReport
    

    Or, to automatically update any noncompliant OneDrive accounts when you build the report, run:

    Start-SPOInformationBarriersPolicyComplianceReport -UpdateOneDriveSegments
    
  4. Run the following command to view the status of the task:

    Get-SPOInformationBarriersPolicyComplianceReport
    

    The command returns the following set of information:

    State: Completed
    Id: 9e2bd8d8-64a4-4e68-af63-81f0565c3c00
    StartTimeInUtc: 12/6/2020 10:56:12 PM
    CompleteTimeInUtc: 12/6/2020 10:56:17 PM
    QueuedTimeInUtc: 12/6/2020 10:51:06 PM
    UpdateOneDriveSegments: False

  5. Run the following command to view the report:

    Get-SPOInformationBarriersPolicyComplianceReport -reportid <ID>
    

    (Where ID is the report's ID from the previous step.)

    The command returns the following set of information:

    Content: {3ef21e8a-69d9-4bf0-a70f-0328e5a18087, 76cd794c-b5f1-4f3d-ad48-075e805fca17, 93d93533-783a-4274-b9c9-b79a3b9beb99}
    HasNonCompliantSites: True
    State: Completed
    Id: 9e2bd8d8-64a4-4e68-af63-81f0565c3c00
    StartTimeInUtc: 9/22/2020 11:36:50 PM
    CompleteTimeInUtc: 9/22/2020 11:37:00 PM
    QueuedTimeInUtc: 9/22/2020 11:31:57 PM
    UpdateOneDriveSegments: False

    The Content row lists the sites that are noncompliant. If all sites are compliant, the Content row is empty and HasNonCompliantSites is "False."

  6. Run the following command to view details about the noncompliant segments associated with each site:

    $report = Get-SPOInformationBarriersPolicyComplianceReport -reportid <ID> $report.Content
    

    (Where ID is the report's ID from the previous step.)

    The command returns the following set of information for each site:

    SiteId: 3ef21e8a-69d9-4bf0-a70f-0328e5a18087
    SiteUrl: https://contoso.sharepoint.com/sites/Research
    SiteType: Group
    ComplianceState: NonCompliant
    CurrentSegments: Sales, Research
    OriginalSegments: Sales, Research
    InvalidIBSegments:
    IncompatibleSegmentsPairs: <Sales, Research>
    FailedToBeProcessed: False

Note

For info about removing incompatible segments, see Use information barriers with SharePoint. When you're done with a report, you can delete it by using Remove-SPOInformationBarriersPolicyComplianceReport -reportid <>.