Organizations in financial services, legal, the public sector and professional services have significant concerns about insider risk and are sceptical about security and compliance in the Modern Workplace. Insider risks include loss of intellectual property, fraud, data spillage, breaches of a department's confidentiality, workplace harassment, regulatory compliance violations, conflicts of interest and more. Microsoft Purview offers insider risk capabilities such as Communication Compliance, Insider Risk Management, Information Barriers (IB) and Privileged Access Management.
IB is used to restrict collaboration and Teams communication between two internal segments of users within an organization. Unlike the detect-and-alert capabilities above, IB is a preventive control: once a policy is applied, the restricted action is blocked by the workload itself. IB applies to Microsoft Teams, SharePoint Online, OneDrive for Business and Exchange Online.
Key Components of IB
1. User account attributes defined in Azure AD and Exchange Online, such as Department, Job title and Location.
2. Segments: sets of users created with PowerShell (or in the Compliance portal) based on the selected user account attributes. A user must belong to at most one segment.
3. IB policies, which determine the communication restrictions. There are two types of IB policy:
a. Block policies: prevent one segment from communicating with another segment.
b. Allow policies: allow one segment to communicate only with the listed segments.
4. If you want non-IB users and groups to remain visible to users covered by IB segments and policies, use block policies. With allow policies, non-IB users and groups are not visible to users in IB segments.
5. Microsoft 365 (modern) groups support IB. Distribution lists and security groups are treated as non-IB groups.
6. In an IB-enabled tenant, hidden or disabled user accounts are prevented from communicating with all other user accounts.
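As an added example (not from the original article), the following Security & Compliance PowerShell walks through the components above end to end: two segments built on the Department attribute, a block policy in each direction, an allow policy for a third segment, activation, application and a check of one user pair. The segment names, Department values, policy names and user addresses are assumptions for illustration.

```powershell
# Added example, not from the original article. Assumed names: segments DeptA,
# DeptB and Legal; users alex@contoso.com (DeptA) and megan@contoso.com (DeptB).

# Security & Compliance PowerShell (ExchangeOnlineManagement module)
Connect-IPPSSession

# 1. Segments: membership is computed from an Azure AD / Exchange Online attribute,
#    here Department. Filters must be written so that no user lands in two segments.
New-OrganizationSegment -Name "DeptA" -UserGroupFilter "Department -eq 'DeptA'"
New-OrganizationSegment -Name "DeptB" -UserGroupFilter "Department -eq 'DeptB'"
New-OrganizationSegment -Name "Legal" -UserGroupFilter "Department -eq 'Legal'"

# 2a. Block policies. A policy applies only to its AssignedSegment, so one policy
#     per direction is needed; a single policy would still let DeptB reach DeptA.
#     Policies are created Inactive so they can be reviewed before enforcement.
New-InformationBarrierPolicy -Name "DeptA-BlockDeptB" -AssignedSegment "DeptA" `
    -SegmentsBlocked "DeptB" -State Inactive
New-InformationBarrierPolicy -Name "DeptB-BlockDeptA" -AssignedSegment "DeptB" `
    -SegmentsBlocked "DeptA" -State Inactive

# 2b. Allow policy. Legal may talk only to itself and DeptA; note the segment's own
#     name is included. Because this is an allow policy, users outside any segment
#     become invisible to Legal users (see item 4 above).
New-InformationBarrierPolicy -Name "Legal-AllowDeptA" -AssignedSegment "Legal" `
    -SegmentsAllowed "Legal","DeptA" -State Inactive

# 3. Activate, then apply. Application is asynchronous; rerun the status cmdlet
#    until it reports Completed before testing.
Get-InformationBarrierPolicy | Where-Object { $_.State -eq "Inactive" } |
    ForEach-Object { Set-InformationBarrierPolicy -Identity $_.Identity -State Active }
Start-InformationBarrierPoliciesApplication
Get-InformationBarrierPoliciesApplicationStatus -All

# 4. Verify one user pair: the output shows each user's segment and whether
#    communication between the two is blocked.
Get-InformationBarrierRecipientStatus -Identity alex@contoso.com -Identity2 megan@contoso.com
```

Creating the policies in the Inactive state and activating them in one pass keeps a half-configured pair (DeptA blocked from DeptB but not the reverse) from being enforced while the second policy is still being written.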
Prerequisites for IB implementation
Roles required to implement IB
1. Microsoft 365 Enterprise Global Administrator
2. Global Administrator
3. Compliance Administrator
4. IB Compliance Management (new role)
If we need to restrict collaboration and communication between Group A and Group B using IB, users in both groups require a license.
The following licenses give a user the right to benefit from the IB service:
1. Microsoft 365 E5/A5/G5
2. Microsoft 365 E5/A5/G5 Compliance
3. Microsoft 365 E5/A5/G5 Insider Risk Management
4. Office 365 E5/A5/G5
Information Barrier for M365 workloads
When IB policies are applied in both directions, they restrict collaboration and communication both ways. When Department A (DeptA) and Department B (DeptB) are placed in segments with IB policies between them, they cannot communicate or collaborate with each other. For example, when DeptA users try to communicate and collaborate with DeptB users, the following activities are restricted.
Microsoft Teams
Search for DeptB users
Add DeptB users to a team
Start a chat session with DeptB users
Start a group chat with DeptB users
Invite DeptB users to join a meeting
Screen share with DeptB users
Place a call to DeptB users
Share a file with a DeptB user
Access a file through a sharing link
SharePoint Online & One Drive for Business
Add a DeptB user to a SharePoint site
Share a SharePoint site or its content with a DeptB user
DeptB user accessing a SharePoint site or its content
Search for a SharePoint site
When a team or channel is created, a SharePoint site is created automatically and stores the team's files. IB policies are not honoured on SharePoint sites by default; IB must be enabled separately for SharePoint and OneDrive, after which Teams-connected sites are associated with the team's segments. Without this step the Teams restrictions do not extend to the files behind the channel.
In Microsoft Teams, teams created before IB policies existed are set to Open mode by default. Once IB policies are active at tenant level, such teams must be switched from Open to Implicit mode so that their membership is evaluated against the policies and they become IB compliant.
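The two follow-up steps above, as an added example that is not from the original article: clearing the SharePoint/OneDrive suspension flag, then finding pre-existing teams still in Open mode and moving them to Implicit. The admin URL and tenant name are assumptions; the property and parameter names are those of the SharePoint Online and Exchange Online PowerShell modules.

```powershell
# Added example, not from the original article. Assumed tenant: contoso.

# --- SharePoint Online / OneDrive for Business ---
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# IB enforcement in SharePoint and OneDrive stays suspended until this flag is
# cleared, so channel files are not protected even though Teams chat is.
Set-SPOTenant -InformationBarriersSuspension $false
Get-SPOTenant | Select-Object InformationBarriersSuspension    # expect False

# --- Microsoft Teams (teams are Microsoft 365 Groups; Exchange Online PowerShell) ---
Connect-ExchangeOnline

# Only team-connected groups are of interest here.
$teams = Get-UnifiedGroup -ResultSize Unlimited -Filter { ResourceProvisioningOptions -eq "Team" }

# Teams created before IB was enabled report InformationBarrierMode = Open.
$openTeams = $teams | Where-Object { $_.InformationBarrierMode -eq "Open" }
$openTeams | Select-Object DisplayName, PrimarySmtpAddress, InformationBarrierMode

# Switch each to Implicit so membership is re-evaluated against the segments.
foreach ($team in $openTeams) {
    Set-UnifiedGroup -Identity $team.Identity -InformationBarrierMode Implicit
}

# Re-check: no team-connected group should remain in Open mode.
Get-UnifiedGroup -ResultSize Unlimited -Filter { ResourceProvisioningOptions -eq "Team" } |
    Where-Object { $_.InformationBarrierMode -eq "Open" } |
    Measure-Object | Select-Object Count    # expect 0
```

Review the list printed by the first `Select-Object` before running the `foreach`: moving a team to Implicit can remove members whose segments are now blocked from the owner's, which is the intended effect but should not come as a surprise to the team's owners.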
Maximum number of segments allowed in an organization: 100
No limit on the number of IB policies that can be configured in an organization
IB policies do not apply to federated (external) users. If users from two IB segments join a meeting organized by an external federated user, IB policies will not restrict communication between segment 1 and segment 2 users in that meeting.
Surya Pammi is a Technology Enthusiast working as an Infrastructure Architect in Cognizant Technology Solutions. He is MCT Certified and is an MVP aspirant. His technical expertise spans across Microsoft 365, Microsoft SharePoint, MS Teams, MS Viva & Power Platform.