Blog Post

Healthcare and Life Sciences Blog
6 MIN READ

Microsoft Purview - Paint By Numbers Series (Part 8a) - Information Barriers and Team Chat

James_Havens's avatar
James_Havens
Icon for Microsoft rankMicrosoft
Jun 20, 2022

 

 

Before we start, please not that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate the in the following link:

Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community

 

 

Disclaimer

This document is not meant to replace any official documentation, including those found at docs.microsoft.com.  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in docs.microsoft.com, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the docs.microsoft.com data will be referenced both in the document steps as well as in the appendix.

 

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.

 

Target Audience

The Information Protection section of this blog series is aimed at Security and Compliance officers who need to properly label data, encrypt it where needed.

 

Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through.

We will be setting up an Information Barrier between two groups of users.  Here are the primary steps we will be performing:

  • Create a segment
  • Create a policy
  • Publish the policy

This will be communications between teams (Teams chat and emai).

 

Out-of-Scope

This document does not cover any other aspect of Microsoft E5 Compliance, including:

  • Sensitive Information Types
  • Exact Data Matching
  • Sensitivity Labeling
  • Data Protection Loss (DLP) for Exchange, OneDrive, Devices
  • Microsoft Cloud App Security (MCAS)
  • Records Management (retention and disposal)
  • Advanced eDiscovery (AeD)
  • Insider Risk Management
  • Privacy Management
  • Information Barriers – blocking at a SharePoint or OneDrive level

It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).

 

Overview of Document

This document will walk an administrator through setting up a basic Information Barrier between two groups of users.

 

Use Case

You need to prevent 2 groups within an organization from communicating. 

 

Definitions

  • Segment – This is a grouping of users based on a “filter”
  • Policy – making the metadata tag available to your tenant
  • Filter – this is an attribute found in the Azure AD identity for a users (ex. location, department, country, etc)

 

Notes

To do a block of 2 users/groups from communicating, you will Need to set up a minimum of 2 Polices. Each policy will block 1-way communication e direction.  Here is a not from the official documentation (also referenced in the Appendix links).

 

 

For Exchange and Information Barriers, please read the following.  This is also referenced in the Appendix below.

 

 

Pre-requisites

The full list of pre-requisites and can be found in the following link: 

Get started with information barriers - Microsoft Purview (compliance) | Microsoft Docs

 

 

Azure Active Directory

To start, you will need to understand which properties the users are associated with.

 

  1. Go to portal.azure.com

 

  1. Open Azure Active Directory

 

  1. Choose your test users and open their accounts   I will chose my test users Megan and Pradeep.

 

 

 

  1. Click Edit Properties and peruse what information is related to them.

 

 

 

  1. Once you know which properties the two users have, you can then create a segment associated with each user.   I will choose departments (Finance and Marketing) as my filters for my segments in the next section

 

 

 

 

 

Setting up a Segment

You will need to set up a minimum of 2 segments.

  1. Open Compliance.microsoft.com

 

  1. On the left, browse to Information Barriers and click on Segments

 

 

 

 

  1. Click New Segment

 

 

 

  1. Give the segment a name.  I recommend you name the segment after the user(s) property you will be using.  I will call mine Marketing and Finance respectively.  When you have a name, click Next.

 

 

 

  1. On the Filter pane, select Add

 

 

 

  1. Select the filter you want.  I will use Department

 

 

 

  1. You can choose Equal or Not Equal as your filter.  I will chose Equal and enter the name “Marketing”.
    1. Note – you can have more than one Filter per segment.  I will chose just one for this blog entry.

 

 

 

  1. Click Next.

 

  1. On the Summary page.  Review and click Submit.

 

 

 

  1. Once your two segments are created, you can now move to the Applying Policy section.

 

Setting up a Policy

You will need to set up a minimum of 2 Polices. Each policy will block communication one direction.

 

 

  1. On the left-side, click on Policies

 

 

  1. Click Create Policy

 

  1. Give the Policy a name and then click Next.

 

  1. On the next part of the wizard, click Choose segment.
 

 

 

 

  1. Select your segment that will blocked from sending data (ex. Marketing) and click Add.  Then click Next.
 

 

 

  1. On the net page, under Communication and collaboration, from the drop down, select Blocked.

 

  1. Then choose your target to be blocked (ex. Finance) by clicking Choose Segment and selecting your other segment.  Then click Add.

 

 

  1. Set your Status to On.  Then click Next.

 

 

  1. Review the Summary and then click Submit.
 

 

 

  1. Now setup a second policy, blocking communication going the other direction.  Once created, proceed to the Policy Application section.



Applying a Policy

Now that your two 1-way policies are created and activated, you have to Apply them to your tenant.

 

  1. On the left-side, click on Apply Policies

 

 

  1. Click Apply All Policies to start your policies

 

  1. You will then see a Creation time for the application of your two 1-way policies.

 

 

  1. You can now test your policy in Teams chat and Exchange

 

 

Troubleshooting with Powershell commands

If you are having issues with your policies not being applied to Teams or your tenant, you can try the following steps from an elevated PowerShell command.

 

  • Note – the Details are pulled from the PowerShell link in the Appendix of this blog section.

 

 

  1. To connect to your Tenant from a Windows 10/11 device, you can run this Connect-IPPSSession cmdlt

a. Here is the raw cmdlet:  Connect-IPPSSession -UserPrincipalName <UPN> [-ConnectionUri <URL>] [-AzureADAuthorizationEndpointUri <URL>] [-PSSessionOption $ProxyOptions]

 

 

b. Note – “-UserPrincipalNameUPN.  <UPN> is your account in user principal name format (ex admin@companyx.com )

 

 

c. Here is a sample of how this cmdlet:   Connect-IPPSSession -UserPrincipalName admin@companyx.com

 

 

  1. Once connected, first, be sure you have imported and installed the ExchangeOnlineModule

a. Here is the 1st cmdlet:   Import-Module ExchangeOnlineManagement

b. Here is the 2nd cmdlet:  Install-Module -Name ExchangeOnlineManagement

 

  1. Second, be sure you have enabled remote sign in

a. Here is the cmdlet:  Set-ExecutionPolicy RemoteSigned

 

  1. Third, to start your Information Barrier policies via PowerShell,

a. Use is the cmdlet:  Start-InformationBarrierPoliciesApplication

 

  1. You will see this message indicating the PowerShell script is running.

 

 

List of your Information Barriers policies

 

  1. To get a list of all Information Barriers policies created, use this PowerShell script.

a. Here is the cmdlet:  Get-InformationBarrierPolicy

b. Example results:

 

 

 

 

 

 

 

Testing in Teams Chat

 

  1. Open you Teams Chat between your two test users.

 

 

  1. You will not be able to type in the Team Chat field but will see the statement Administrator has disabled chat for this user.

 

 

 

 

 

Appendix and Links

 

Get started with information barriers - Microsoft Purview (compliance) | Microsoft Docs

 

Manage information barriers policies - Microsoft Purview (compliance) | Microsoft Docs

 

Use information barriers with SharePoint - SharePoint in Microsoft 365 | Microsoft Docs

 

Connect to Security & Compliance PowerShell using the EXO V2 module | Microsoft Docs

 

Get started with information barriers - Microsoft Purview (compliance) | Microsoft Docs

 

Learn about information barriers - Microsoft Purview (compliance) | Microsoft Docs

 

 

Note: This solution is a sample and may be used with Microsoft Compliance tools for dissemination of reference information only. This solution is not intended or made available for use as a replacement for professional and individualized technical advice from Microsoft or a Microsoft certified partner when it comes to the implementation of a compliance and/or advanced eDiscovery solution and no license or right is granted by Microsoft to use this solution for such purposes. This solution is not designed or intended to be a substitute for professional technical advice from Microsoft or a Microsoft certified partner when it comes to the design or implementation of a compliance and/or advanced eDiscovery solution and should not be used as such.  Customer bears the sole risk and responsibility for any use. Microsoft does not warrant that the solution or any materials provided in connection therewith will be sufficient for any business purposes or meet the business requirements of any person or organization.

 

 

 

 

 

 

Updated Nov 03, 2022
Version 2.0
healthcare
life sciences
Purview
No CommentsBe the first to comment