Getting ready for the Great Information Barrier in Microsoft Teams

Information Barriers is now in Preview in Microsoft Teams, but what does this mean? Information Barriers enable organizations to prevent user segments from communicating with each other, or to allow only defined groups of users to communicate with certain business units. This helps organizations maintain compliance with all relevant industry standards and regulations, and protects users against conflicts of interest. The main driver for delivering this functionality came from the financial services industry (FINRA 2241, Debt Research Regulatory Notice 15-31).

Information Barriers are configured through policies in the Office 365 Security & Compliance Centre using PowerShell and, as with all Microsoft products, there are several prerequisites to meet before implementing them.

Important Note:

Information barrier groups cannot be created across tenants.

Using bots to add users is not supported in version 1.

Information barriers version 1 doesn’t include support for SharePoint and OneDrive for Business. We are working on enabling the feature in SharePoint and will communicate once it’s available.

Prerequisites

License(s)

You will need to have the listed Microsoft subscriptions in order to use Information Barriers.

  • Microsoft 365 E5
  • Office 365 E5
  • Office 365 Advanced Compliance
  • Microsoft 365 Information Protection and Compliance

Permissions

You will need to have the following Admin roles to configure Information Barriers.

  • Microsoft 365 Global Administrator
  • Office 365 Global Administrator
  • Compliance Administrator
  • IB Compliance Management (This is a new role)

Directory Data

You need to ensure account attributes such as group membership, department name, etc. are populated correctly in Azure Active Directory or Exchange Online, as this information will be used later on in this post.

Scope Directory

Please Note:

Before you set up or define policies, you must enable scoped directory search in Microsoft Teams. Wait at least 24 hours after enabling scoped directory search before you set up or define policies for information barriers.

Auditing

Audit logging must be enabled within your Security & Compliance Centre. The simplest way of switching on auditing is to use Exchange Online PowerShell with the following command:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Exchange Address Book Policies

You need to ensure that your organisation doesn't have any Exchange Address Book Policies. If you are unsure how to check this, follow this URL: https://docs.microsoft.com/en-us/exchange/address-books/address-book-policies/remove-an-address-book-policy
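A pre-flight check for three of the prerequisites above (auditing, address book policies, directory data), added here as an example and not taken from the original post or from Microsoft. The function name, its parameters and the sample data are hypothetical, and it assumes Department is the attribute you will segment on.

```powershell
# Added example: evaluates prerequisite data and returns one finding per problem.
# Test-InformationBarrierReadiness is a hypothetical helper, not a Microsoft cmdlet.
function Test-InformationBarrierReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object] $AuditConfig,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $AddressBookPolicies,
        [Parameter(Mandatory)] [object[]] $Users,
        [string[]] $SegmentAttributes = @('Department')   # assumption: attribute used for segments
    )
    $findings = @()

    # Auditing: unified audit log ingestion must be switched on.
    if (-not $AuditConfig.UnifiedAuditLogIngestionEnabled) {
        $findings += [pscustomobject]@{ Check = 'Auditing'; Subject = 'Tenant'
            Detail = 'UnifiedAuditLogIngestionEnabled is not true' }
    }
    # Address book policies: none may exist in the organisation.
    foreach ($abp in $AddressBookPolicies) {
        $findings += [pscustomobject]@{ Check = 'AddressBookPolicy'; Subject = $abp.Name
            Detail = 'Address book policy still present' }
    }
    # Directory data: every attribute used for segmentation must be populated.
    foreach ($user in $Users) {
        foreach ($attr in $SegmentAttributes) {
            if ([string]::IsNullOrWhiteSpace([string]$user.$attr)) {
                $findings += [pscustomobject]@{ Check = 'DirectoryData'
                    Subject = $user.UserPrincipalName; Detail = "$attr is empty" }
            }
        }
    }
    return $findings
}

# Constructed sample data standing in for live cmdlet output.
$audit = [pscustomobject]@{ UnifiedAuditLogIngestionEnabled = $false }
$abps  = @([pscustomobject]@{ Name = 'Contoso-ABP' })
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; Department = 'Research' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   Department = '' }
)
Test-InformationBarrierReadiness -AuditConfig $audit -AddressBookPolicies $abps -Users $users |
    Format-Table -AutoSize

# Against a live tenant (connected Exchange Online PowerShell session assumed), pass:
#   -AuditConfig (Get-AdminAuditLogConfig) -AddressBookPolicies @(Get-AddressBookPolicy)
#   -Users (Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox)
```

An empty result means all three checks passed for the data supplied; licensing, admin roles and scoped directory search are not covered by this check.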

PowerShell

You will need to ensure that the AzureRM module is installed on your client machine. This can be done by running the following command:

Install-Module AzureRM

Admin Consent for Information Barriers

When your policies are in place, information barriers can remove people from chat sessions they are not supposed to be in. This helps ensure your organization remains compliant with policies and regulations. Use the following procedure to enable information barrier policies to work as expected in Microsoft Teams.

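# Sign in to Azure with an admin account
Login-AzureRmAccount
# Application ID of the Information Barriers app, as given in this post
$appId = "bcf62038-e005-436d-b970-2a472f8c1982"
# Create the service principal only if it does not already exist
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
if ($null -eq $sp) { New-AzureRmADServicePrincipal -ApplicationId $appId }
# Open the admin consent prompt in the default browser
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId"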

When prompted, sign in using your work or school account for Office 365.

In the Permissions requested dialog box, review the information, and then choose Accept.

Regards,
The Author – Blogabout.Cloud
