Ethical Wall: Deployment And Maintenance


I am looking for a way to deploy and maintain an ethical wall within a domain between two different groups in the same organization for Office 365.

For example, the two groups should never see each other's email.

4 Replies

I would start with Exchange transport rules, see https://technet.microsoft.com/en-us/library/jj919238%28v=exchg.150%29.aspx?f=255&MSPPError=-21472173....

You may also want to use DLP and IRM to evaluate content and enforce usage rights on files.

Dynamic AAD groups could be very helpful, providing you have appropriate attributes on the user accounts.

Thank you!

You are welcome. Another thing you may want to investigate are the controls to block external sharing to specific domains. I don't know how this would work if the users' domain was enabled in the tenant, but it could be worth some testing.

See https://support.office.com/en-us/article/Restricted-Domains-Sharing-in-Office-365-SharePoint-Online-... for the details.

I agree with Dean. Transport rules replaced transport sinks as the way to impose "ethical firewalls" from Exchange 2007 on, so we have some 10 years of experience with rules being used for this purpose. You don't need dynamic AAD groups as it's a waste of money unless you need AAD premium for some other reason. Dynamic distribution lists are free to all and work just as well.
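
An added example (not written by any participant in this thread) of the transport-rule approach the replies recommend, as Exchange Online PowerShell. The group names, rule name and rejection text are placeholders, and it assumes the ExchangeOnlineManagement module and two existing mail-enabled groups, one per side of the wall.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
Connect-ExchangeOnline

$groupA   = 'Wall-GroupA'    # placeholder: mail-enabled group for one side
$groupB   = 'Wall-GroupB'    # placeholder: mail-enabled group for the other side
$ruleName = 'Ethical Wall - GroupA and GroupB'

# 1. Deploy in Audit mode first: matches are logged, but no message is rejected yet.
$rule = @{
    Name                            = $ruleName
    BetweenMemberOf1                = $groupA
    BetweenMemberOf2                = $groupB
    RejectMessageEnhancedStatusCode = '5.7.1'
    RejectMessageReasonText         = 'Mail between these groups is blocked by policy.'
    Mode                            = 'Audit'
    Comments                        = 'Ethical wall between GroupA and GroupB'
}
New-TransportRule @rule

# 2. Confirm what was actually created before relying on it.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, Priority, BetweenMemberOf1, BetweenMemberOf2

# 3. Maintenance check: nobody should sit on both sides of the wall.
$membersA = Get-DistributionGroupMember -Identity $groupA -ResultSize Unlimited
$membersB = Get-DistributionGroupMember -Identity $groupB -ResultSize Unlimited
$overlap  = $membersA |
    Where-Object { $membersB.PrimarySmtpAddress -contains $_.PrimarySmtpAddress }
if ($overlap) {
    Write-Warning 'These recipients are members of both groups:'
    $overlap | Select-Object Name, PrimarySmtpAddress
}

# 4. Once the audit results look right, switch the rule to enforcement.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

The rule governs mail flow between the two groups only; the DLP, IRM and sharing controls mentioned in the replies are configured separately.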