Plan information barriers
Required permissions
To define or edit information barrier policies, you must be assigned one of the following roles:
- Microsoft 365 global administrator
- Office 365 global administrator
- Compliance administrator
- IB Compliance Management
To learn more about roles and permissions, see Permissions in the Microsoft Defender portal.
Workflow at a glance
There are several phases involved in implementing information barriers. First, you need to ensure that prerequisites have been met. This involves:
- Verifying that you have the required licenses and permissions.
- Verifying that your directory includes data for segmenting users.
- Enabling scoped directory search for Microsoft Teams.
- Making sure audit logging is turned on.
- Making sure no Exchange address book policies are in place.
- PowerShell
- Connect to Microsoft Defender portal PowerShell.
- Connect to Azure PowerShell module.
- Providing admin consent for Microsoft Teams.
For more information, see Prerequisites.
Segmenting users
Once prerequisites have been met you can move on to the next phase, which is to segment users in your organization. To segment users, it is recommended that you:
- Determine what policies are needed.
- Make a list of segments to define.
- Identify which attributes to use. (It is recommended to use the same attribute for all your segments. Ensure your segments do not overlap; each user should be assigned to exactly one segment.)
- Define segments in terms of policy filters
For more information, see Part 1: Segment users.
Defining information barrier policies
When defining information barrier policies you need to determine whether you need to prevent communications between certain segments or limit communications to certain segments. It is recommended that you use the minimum number of policies to ensure your organization is compliant with legal and industry requirements.
Once you have identified your user segments and the information barrier policies you want to define, you will choose between implementing one (or both) of the following scenarios:
- Scenario 1: Block communications between segments
- Scenario 2: Allow a segment to communicate only with one other segment
For more information, see Part 2: Define information barrier policies.
Applying information barrier policies
Currently, information barrier policies must be defined and managed by using a combination of Office 365 Security & Compliance PowerShell cmdlets as illustrated below:
Use the Get-InformationBarrierPolicy cmdlet to see a list of policies that have been defined and make note of the status and identity (GUID) of each policy.
Get-InformationBarrierPolicy
Use the Set-InformationBarrierPolicy cmdlet with an Identity parameter and the State parameter set to Active.
Set-InformationBarrierPolicy -Identity GUID -State Active
Use the Start-InformationBarrierPoliciesApplication cmdlet to apply the policy.
Start-InformationBarrierPoliciesApplication
After you run
Start-InformationBarrierPoliciesApplication,
you will need to allow 30 minutes for the system to start applying the policies.
For more information, see Part 3: Apply information barrier policies.