Examine information barriers in Microsoft Teams


Microsoft Purview Information Barriers (IBs) are policies that an administrator can configure to prevent individuals or groups from communicating with each other. IBs are useful if, for example, one department is handling information that it shouldn't share with other departments. IBs are also useful when an organization wants to isolate a group or prevent it from communicating with anyone outside of that group.

The Shared channels feature in Microsoft Teams supports information barriers. Depending on the type of sharing, information barriers policies may restrict sharing in certain ways. For more information about shared channels and information barriers behavior, see Information barriers and Shared Channels.

Organizations create Information Barrier policies in the Microsoft Purview compliance portal. Once an organization creates an IB policy, Microsoft 365 can apply it to various Microsoft 365 services, including Microsoft Teams, OneDrive, and SharePoint. For Teams, information barriers can determine and prevent the following kinds of unauthorized collaborations:

  • Adding a user to a team or channel
  • User access to team or channel content
  • User access to 1:1 and group chats
  • User access to meetings
  • Lookups and discovery (the people picker doesn't display users)

Organizations can use information barriers in Microsoft Teams to prevent a team from communicating or sharing data with:

  • Another specific team.
  • Anyone outside of the team.

The Information Barrier Policy Evaluation Service (IBPES) determines whether a communication complies with IB policies.

Information barrier triggers

In Microsoft 365, organizations create Information Barrier policies to define the communication restrictions between different user groups. They base these restrictions on user attributes such as department, location, job title, and so on. A policy includes a set of rules that determine which users or groups of users can or can't communicate with each other.

When an organization performs a Microsoft Teams event, the Information Barrier Policy Evaluation Service checks the Information Barrier policies assigned to the user performing the event. The IBPES evaluates the user's IB policies against the policies of the existing team members to ensure the communication between them adheres to the defined rules. If the policies of the new user conflict with the policies of another team member, then Microsoft Teams restricts their communication accordingly.
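The segments and rules described above are normally built in the Microsoft Purview compliance portal, but the same objects can be created from Security & Compliance PowerShell, which also exposes a cmdlet for checking what the evaluation service sees for a pair of users. The following is an added example, not part of the module; the segment names, the Department values, the policy names, and the two user principal names are constructed placeholders.

```powershell
# Added example (not from the module): define two attribute-based segments,
# block communication between them, apply the policies, and check two users.
# Assumptions: Department values "Sales" and "Research" exist in the tenant,
# and alex@contoso.example / dana@contoso.example are placeholder users.
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

# 1. Segments group users by an attribute; here Department is the attribute.
New-OrganizationSegment -Name "Sales"    -UserGroupFilter "Department -eq 'Sales'"
New-OrganizationSegment -Name "Research" -UserGroupFilter "Department -eq 'Research'"

# 2. Each policy is evaluated from the assigned segment's side, so a symmetric
#    block needs one policy per direction. Create them inactive so they can be
#    reviewed (Get-InformationBarrierPolicy) before anything is enforced.
New-InformationBarrierPolicy -Name "Sales-Research" -AssignedSegment "Sales" `
    -SegmentsBlocked "Research" -State Inactive
New-InformationBarrierPolicy -Name "Research-Sales" -AssignedSegment "Research" `
    -SegmentsBlocked "Sales" -State Inactive

# 3. Activate the policies and start the application run that pushes them to
#    the Information Barrier Policy Evaluation Service.
Set-InformationBarrierPolicy -Identity "Sales-Research" -State Active
Set-InformationBarrierPolicy -Identity "Research-Sales" -State Active
Start-InformationBarrierPoliciesApplication

# 4. Verify the outcome for a specific pair: the output lists each user's
#    segments and the policies applied, which is what is evaluated when one
#    user tries to chat with, call, or add the other to a team.
Get-InformationBarrierRecipientStatus -Identity "alex@contoso.example" `
    -Identity2 "dana@contoso.example"
```

The application run is asynchronous; check its progress with Get-InformationBarrierPoliciesApplicationStatus before relying on the recipient-status output.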

Microsoft 365 activates IB policies when the following Teams events take place:

  • Adding a user to a team. When an organization attempts to add a new user to a team, the Information Barrier Policy Evaluation Service checks the user's IB policies. It evaluates them against the policies of the existing team members to ensure that communication between them adheres to the defined rules. If no violations occur and the organization successfully adds the user to the team, the user can perform all functions in the team without further checks. However, if the user's policy blocks the organization from adding them to the team, the user doesn't show up in search.

    Screenshot of searching for a new member to add to a team and finding no matches to the user's name.

  • A user requests a new chat. Each time that a user requests a new chat with one or more other users, the Information Barrier Policy Evaluation Service evaluates the chat to verify that it isn't violating any IB policies. If the conversation violates an IB policy, then Teams doesn't start the conversation.

    Here's an example of a 1:1 chat.

    Screenshot showing blocked communication in a one-on-one chat in Microsoft Teams.

    Here's an example of a group chat.

    Screenshot showing group chat in Microsoft Teams, where an administrator added two users to the chat.

  • A meeting member invites a user to join the meeting. In this scenario, the Information Barrier Policy Evaluation Service evaluates the user's IB policy against the IB policies that apply to the other team members. If there's a violation, Teams doesn't allow the user to join the meeting.

    Screenshot showing the message a user receives when Microsoft Teams blocks them from joining a call.

  • Two or more users share a screen. When a user shares a screen with other users, the Information Barrier Policy Evaluation Service must evaluate the sharing. It checks whether the sharing violates the IB policies of other users. If the sharing violates another user's IB policy, then Teams doesn't allow the screen share.

    Here's an example of a screen share before Microsoft Teams applies the IB policy.

    Screenshot showing when a user shares a screen with other users before Teams applies an IB policy.

    Here's an example of screen share after Teams applies the IB policy. Teams doesn't display the screen share and call icons.

    Screenshot showing when Microsoft Teams blocks a user from sharing a screen with other users.

  • A user places a phone call in Teams. Whenever a user initiates a voice call (through voice over IP, or VOIP) to another user or group of users, the Information Barrier Policy Evaluation Service evaluates the call. It checks whether the call violates the IB policies of other team members. If there's any violation, Teams blocks the voice call.

  • Guests in Teams. IB policies apply to guests in Teams, too. If guests must be discoverable in an organization's global address list, see Manage guest access in Microsoft 365 Groups. Once guests are discoverable, the organization can define IB policies.

How IB policy changes affect existing chats

Sometimes there's an existing chat or other communication between users taking place when an Information Barrier policy change occurs. For example, an organization may:

  • Create a new IB policy.
  • Change an existing IB policy.
  • Activate an IB policy change due to a user profile change, such as a job change.

How do these IB policy changes affect existing chats? In these instances, the Information Barrier Policy Evaluation Service evaluates existing communications to ensure it can still allow the communications to occur. In doing so, it automatically searches the members to ensure their membership in the team doesn't violate any policies.

  • 1:1 chat. If communication between two users is no longer allowed (because a policy that blocks communication now applies to one or both users), Teams blocks further communication. Their existing chat conversations become read-only.

    Here's an example that shows the chat is visible.

    Screenshot showing the availability of a user chat before Teams applies an information barrier policy.

    Here's an example that shows what happens when Teams disables the chat.

    Screenshot showing a user chat that Teams disabled after applying an information barrier policy.

  • Group chat. What happens if communication from one user to a group is no longer allowed (for example, because a user changed jobs)? In this scenario, Teams removes from the group chat every user whose participation violates the policy and prohibits further communication between them and the group. The removed users can still see old conversations, but they can't see or participate in any new conversations with the group. The same applies when the new or changed policy affects more than one user: Teams may remove all of the affected users from the group chat, and they keep access only to the old conversations.

    In this example, Enrico moved to a different department within the organization. As a result, Teams removed Enrico from the group chat.

    Screenshot of a group chat from which Teams removed a user.

    Enrico can no longer send messages to the group chat.

    Screenshot showing what happens when a user tries to send messages to a group chat after Teams removed them from the group.

  • Team. When Teams removes any users from the group, it also removes them from the team. As such, they can't see or participate in existing or new conversations.

Information barrier modes and Teams

Information barriers mode helps organizations control who can be added to or removed from a team. When an organization uses information barriers with Microsoft Teams, Microsoft Purview supports the following IB modes:

  • Open. This configuration is the default IB mode for all existing groups that an organization provisioned before it enabled information barriers. In this mode, there are no IB policies applicable.
  • Implicit. This configuration is the default IB mode when an organization provisions a team after enabling Information barriers. Implicit mode allows an organization to add all compatible users in the group.
  • Owner Moderated. Microsoft Purview sets this mode on a team when the team owner wants to allow collaboration between incompatible segment users. The team owner can add new members per their IB policy.

When an organization creates teams before activating an Information Barrier policy, Microsoft Purview automatically sets the teams' IB mode to Open by default. Once the organization activates IB policies on its Microsoft 365 tenant, it must update the mode of its existing teams to Implicit to ensure that existing teams are IB-compliant.

Organizations should use the Set-UnifiedGroup cmdlet with the InformationBarrierMode parameter set to the mode they want to use for their segments. The allowed values for the InformationBarrierMode parameter are Open, Implicit, and Owner Moderated.

For example, to configure the Implicit mode for a Microsoft 365 Group (replace <GroupIdentity> with the group's name, alias, or object ID; Set-UnifiedGroup requires the Identity parameter), an organization should use the following PowerShell command:

Set-UnifiedGroup -Identity <GroupIdentity> -InformationBarrierMode Implicit

Additional PowerShell resource. Microsoft provides a PowerShell script that updates the mode from Open to Implicit for all existing teams.

If an organization changes the Open mode configuration on existing Teams-connected groups to meet compliance requirements, it must update the IB modes for associated SharePoint sites connected to the Teams team.
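The steps above (find every Teams-connected group still in Open mode, move it to Implicit, and bring the connected SharePoint site into line) can be scripted end to end. The following is an added example, not Microsoft's script and not part of the module; it assumes the Exchange Online and SharePoint Online management modules are installed, that the signed-in admin holds the required roles, and that the SharePoint admin URL is a placeholder to replace.

```powershell
# Added example (not the module's script): move Teams-connected Microsoft 365
# Groups from Open to Implicit and align each group's SharePoint site.
# Assumptions: ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell
# are installed; the admin URL below is a placeholder for the real tenant.
Connect-ExchangeOnline
Connect-SPOService -Url "https://contoso-admin.sharepoint.example"   # placeholder

# Teams-connected groups carry "Team" in ResourceProvisioningOptions; the
# InformationBarrierMode property reports the mode described in the module.
$openTeams = Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object {
        $_.ResourceProvisioningOptions -contains "Team" -and
        $_.InformationBarrierMode -eq "Open"
    }

Write-Host "Teams-connected groups still in Open mode: $($openTeams.Count)"

foreach ($g in $openTeams) {
    # Implicit mode makes IB policies apply to the group's membership.
    Set-UnifiedGroup -Identity $g.ExternalDirectoryObjectId -InformationBarrierMode Implicit

    # Changing the group's mode does not change the connected site, so set the
    # site to the same mode (Set-SPOSite uses the InformationBarriersMode name).
    if ($g.SharePointSiteUrl) {
        Set-SPOSite -Identity $g.SharePointSiteUrl -InformationBarriersMode Implicit
    }
    Write-Host "Updated to Implicit: $($g.DisplayName)"
}

# Re-check: anything still reporting a mode other than Implicit needs review
# (for example, a team an owner deliberately placed in Owner Moderated mode).
Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object {
        $_.ResourceProvisioningOptions -contains "Team" -and
        $_.InformationBarrierMode -ne "Implicit"
    } |
    Select-Object DisplayName, InformationBarrierMode
```

Run the first query on its own before the loop to review the list of affected groups; a group that an owner intentionally set to Owner Moderated should be excluded rather than forced to Implicit.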

Known Issues

The following sections identify known issues when implementing information barriers in Microsoft Teams.

Users can't join ad-hoc meetings

There's a maximum size for meeting rosters in Microsoft Teams. The maximum number of participants that can join a meeting depends on the type of meeting used. For example, in a standard Teams meeting, up to 300 participants can join. However, in the live events feature in Teams, you can host up to 20,000 participants. Because the maximum number of participants for each meeting type is fixed, organizations can't change it.

If an organization enables IB policies, Microsoft Teams doesn't allow users to join meetings if the size of the meeting roster is greater than the meeting attendance limits. The root cause is that IB checks rely on whether Teams can add users to a meeting chat roster. Only when Teams can add them to the roster does it allow them to join the meeting. Joining a meeting even once adds that user to the roster, so the roster for a recurring meeting can fill up fast.

What happens when the chat roster reaches the meeting attendance limits, but new users not on the roster still want to join the meeting? The answer depends on whether the organization enabled IB:

  • If the organization enabled IB, Teams doesn't allow new users to join the meeting.
  • If the organization didn't enable IB, Teams allows new users to join the meeting. However, they can't see the chat option in the meeting.

Tip

Until Microsoft increases the size of meeting chat rosters, a short-term solution is to remove inactive members from the meeting chat roster to make space for new users.

Users can't join channel meetings

If an organization enables IB policies, members of the team can't join channel meetings. Only nonmembers of the team can join channel meetings. The root cause is that IB checks rely on whether an organization can add users to a meeting chat roster. They can only join the meeting when the organization can add them to the meeting roster. The chat thread in a channel meeting is available to Team/Channel members only. Nonmembers can't see or access the chat thread.

If an organization enables IB and a nonteam member attempts to join a channel meeting, Teams doesn't allow that user to join the meeting. If the organization didn't enable IB and a nonteam member attempts to join a channel meeting, Teams allows the user to join the meeting. However, they can't see the chat option in the meeting.

Maximum number of segments allowed in an organization

Each organization can set up to 100 segments when configuring IB policies. There's no limit on the number of policies that an organization can configure.

IB policies don't work for federated users

If an organization allows federation with external organizations, IB policies don't restrict the users of those external organizations. If users of an organization join a chat or meeting organized by external federated users, then IB policies also don't restrict communication between users of the organization.

Knowledge check

Choose the best response for the following question. Then select “Check your answers.”

Check your knowledge

1.

When the Information Barriers policy administrator makes changes to a policy, what service automatically searches the members to ensure their membership in the team doesn't violate any policies?