AGAT

Microsoft Information Barriers has proved to be a powerful tool when it is set up properly. If you have been looking for a thorough guide to MS Information Barriers then this is the guide for you.

Table of Contents

1. Introduction

2. Admin User Setup for Information Barriers

3. Purview Portal

4. Segment Creation 

5. Segment Deletion

6. Policy Creation for Information Barriers

7. Implement a Policy for Information Barriers

8. General Information: Downsides and Upsides

9. Enable Scoped Directory Search on MS Teams

10. Audit the MS Teams Admin Activity

11. Information Barriers, Our Recommendation

12. Conclusions

Introduction

Here is our comprehensive guide to Microsoft Information Barriers, Purview Portals, Segments, and Policy Management. To manage the resources in your organization, you must make sure that your admin account has the appropriate roles and licenses. However, assigning roles and licenses and turning on necessary features can be a bit confusing.

That’s why we’ve put together this guide to take you step-by-step through the process and help you set up your admin user with ease. Whether you’re new to Azure or just need a refresher, in this blog we will provide you with all the information you need to ensure that your admin account is properly set up. So, let’s get started!

Admin User Setup for Information Barriers

Setting up an admin user for your Azure tenant can be a tricky task since it involves assigning the right roles and licenses to the admin account as well as enabling certain features. We’ll go over the steps you need to follow to make sure your admin user is properly set up.

First, you need to assign one of the following roles to your admin account:

    • Microsoft 365 Global Administrator.
    • Office 365 Global Administrator.
    • Compliance Administrator.
    • IB Compliance Management.

Control who can communicate with whom, using specific collaboration options. Apply policies on external or internal users and groups.

It’s important to note that you may need to select multiple roles if you’re having trouble accessing the Information Barriers management area.

Next, you need to assign one of the following licenses to your admin account:

    • Office 365 Advanced Compliance add-on (no longer available for new subscriptions).

 

Without these licenses, you won’t have access to the Purview Portal.

You also need to enable Scoped directory search for teams and verify that Auditing is enabled in the Purview Portal. Finally, if you’re using Exchange Online, you’ll need to remove any existing Exchange Online address book policies.

By following these steps, you can ensure that your admin user is properly set up and ready to go.

For federated users, Microsoft’s Information Barriers policies are ineffective. The users of those organizations will be able to communicate without any limitations if you permit federation with external organizations. This means that Information Barriers policies won’t impede communication between users of your organization if they participate in a chat or meeting set up by outside federated users.

If you would like to know more about how to take advantage of Information Barriers during external communications, read our blog post here: https://agatsoftware.com/blog/information-barriers-external-comunications/

Purview Portal

Are you struggling to understand the different sections of Microsoft’s Information Barriers? Don’t worry, you’re not alone! Many people find the process of setting up and managing Information Barriers to be confusing. But with a little guidance, you’ll be able to get the hang of it quickly.

The first step is to access the Compliance Portal at compliance.microsoft.com. To do so, you’ll need to log in with your previously configured Admin User. Once you’re in, you’ll find three main sections that you’ll need to look at: Segments, Policies, and Policy Application.

Segments are where you define the different groups of people that you want to manage with Information Barriers. Here, you’ll be able to create and customize the different Segments that you want to use.

Next, you’ll need to set up Policies. This is where you define the rules that you want to apply to the different Segments. You can choose from a variety of options, such as restricting communication between specific Segments or allowing only certain types of communication.

Finally, you’ll need to use the Policy Application section to start and monitor the policy application status. Of all the sections, this one is the most challenging to understand, but with some practice you can get the hang of it.

Sometimes, the policy application cycle can fail for no apparent reason. In this case, the only way to verify what’s going on is to start it through PowerShell.

Segment Creation

Segments are a great way to manage communication policies for specific groups of users that are defined in the compliance portal or by using PowerShell.

When creating a Segment, you need to provide a Segment name and one or more specific conditions for the Segment to populate. These conditions can be based on Email, Department, Group membership, etc. You cannot use security groups, however; the group has to be a Microsoft 365 group. Also, the maximum number of Segments you can have is 100, according to Microsoft documentation.

One important thing to note is that there can be no overlap for users in Segments, meaning that a user can only be a part of 1 Segment. PowerShell is the only way to check which users are part of a segment. 

Segments are easy to create and provide a lot of flexibility when it comes to setting up communication policies. So, if you’re looking for an easier way to manage your communication policies, Segments are the way to go!
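The PowerShell route mentioned above, as an added example (not part of the original post). It uses the Security & Compliance PowerShell cmdlets from the ExchangeOnlineManagement module; the admin UPN, user addresses, and segment names are hypothetical placeholders.

```powershell
# Added example. Connect to Security & Compliance PowerShell with the IB admin account.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # hypothetical UPN

# Create two segments populated by the Department attribute (hypothetical names).
New-OrganizationSegment -Name 'Sales'    -UserGroupFilter "Department -eq 'Sales'"
New-OrganizationSegment -Name 'Research' -UserGroupFilter "Department -eq 'Research'"

# List every segment with the filter that populates it, and count them
# against the 100-segment limit mentioned above.
$segments = @(Get-OrganizationSegment)
$segments | Format-Table Name, UserGroupFilter -AutoSize
"Segments defined: $($segments.Count) of 100"

# Check which segment (and which policies) a given user falls under.
# Run this for a sample of users from each department to catch overlaps
# or users that landed in no segment at all.
$usersToCheck = 'alice@contoso.example', 'bob@contoso.example'   # hypothetical users
foreach ($upn in $usersToCheck) {
    Get-InformationBarrierRecipientStatus -Identity $upn | Format-List *
}

# Check a pair of users at once to see how the two relate to each other.
Get-InformationBarrierRecipientStatus -Identity 'alice@contoso.example' -Identity2 'bob@contoso.example'
```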

Segment Deletion

You may be asking what to do with segments that are no longer needed. Fortunately, you can easily delete segments that are part of an active policy in the Purview Portal.

To delete a segment from an active policy, simply open the policy in the Purview Portal and click the “Delete” button next to the unwanted segment. You’ll see a confirmation message, and then the segment will be removed from the policy.

It’s important to remember that you won’t be able to delete a segment using PowerShell if it’s part of an active policy. If you try to delete a segment using PowerShell, you’ll get an error message.

So next time you need to delete a segment from an active policy, just remember to use the Purview Portal – it’s the easiest and most efficient way to do it.

Policy Creation for Information Barriers

It is important to understand that policies are made up of two parts: the Assigned Segment and the Blocked or Allowed Segment. The second part indicates whether the Assigned Segment is only permitted to communicate with the Allowed Segment, or whether it is forbidden from communicating with the Blocked Segment but is permitted to communicate with other Segments or members of other groups.

When creating a policy with a Blocked Segment, you always need two policies. For example, if you want to block communication between group A and group B, you need a policy where Group A is the Assigned Segment and Group B is the Blocked Segment and you also need a policy where Group B is the Assigned Segment and Group A is the blocked Segment.

If this condition is not met, you won’t be able to apply policies.

Warning of a major limitation: a Segment can only be part of a policy once, regardless of whether it’s an Assigned Segment or a Blocked/Allowed Segment. Without meeting this condition, you won’t be able to apply policies.

Check the steps to create a policy:

1. Log into your policy management system and select the ‘Create Policy’ option.

2. Select the Assigned Segment and either Block or Allow the Segment.

3. If you are blocking communication, make sure to create a policy for each Segment.

4. Ensure that each Segment is part of only one policy.

5. Click ‘Save’ to create your policy.

6. To extend your policy to other groups or users, create a new policy with new Segments.

7. Finally, apply the policy in order for it to take effect.

Following these steps will help you easily create and manage your policies. Remember to always double-check that each Segment is part of only one policy and that each block is covered by its two policies.
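The two conditions above, written as a pre-flight check you can run before applying (an added example, not code from the original post or from Microsoft). It assumes policy objects expose Name, AssignedSegment, SegmentsBlocked and State, mirroring the cmdlet parameter names, and it reads the one-policy limit as "one policy per Assigned Segment"; the policy and segment names are constructed.

```powershell
# Added example: offline pre-flight check for a set of Information Barriers policies.
function Test-IBPolicySet {
    param([Parameter(Mandatory)][object[]]$Policies)

    $findings = @()
    $active = @($Policies | Where-Object { $_.State -eq 'Active' })

    # Rule 1: every block needs a mirror policy (A blocks B requires B blocks A).
    foreach ($p in $active) {
        foreach ($blocked in $p.SegmentsBlocked) {
            $mirror = $active | Where-Object {
                $_.AssignedSegment -eq $blocked -and
                @($_.SegmentsBlocked) -contains $p.AssignedSegment
            }
            if (-not $mirror) {
                $findings += "Policy '$($p.Name)': '$($p.AssignedSegment)' blocks " +
                             "'$blocked' but no active policy blocks the reverse direction."
            }
        }
    }

    # Rule 2 (assumed reading): a segment is the Assigned Segment of at most one policy.
    $active | Group-Object AssignedSegment | Where-Object Count -gt 1 | ForEach-Object {
        $findings += "Segment '$($_.Name)' is the Assigned Segment of $($_.Count) " +
                     "policies: $($_.Group.Name -join ', ')."
    }
    return $findings
}

# Constructed sample: the Sales/Research block deliberately lacks its mirror policy.
$sample = @(
    [pscustomobject]@{ Name = 'Sales-blocks-Research'; AssignedSegment = 'Sales'
                       SegmentsBlocked = @('Research'); State = 'Active' }
    [pscustomobject]@{ Name = 'HR-blocks-Legal'; AssignedSegment = 'HR'
                       SegmentsBlocked = @('Legal'); State = 'Active' }
    [pscustomobject]@{ Name = 'Legal-blocks-HR'; AssignedSegment = 'Legal'
                       SegmentsBlocked = @('HR'); State = 'Active' }
)
Test-IBPolicySet -Policies $sample

# Against a live tenant (after Connect-IPPSSession):
# Test-IBPolicySet -Policies (Get-InformationBarrierPolicy)
```

An empty result means both rules hold for the active policies; any returned line names the policy or segment to fix before clicking "Apply all policies".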

Implement a Policy for Information Barriers

Welcome to the section where we will put the rules we previously established into practice! The policies won’t be applicable if anything is configured incorrectly. For instance, the policy application cycle won’t begin if there isn’t a mirror policy for a Block policy, so your policies will stay the same.

It’s crucial to remember that policy application doesn’t happen constantly. Instead, it happens during a cycle of policy application. According to my experience, this cycle can take anywhere between 30 minutes and 24 hours, and the number of users and groups your tenant has may be related to how long it takes to apply.

Once you’ve ensured that everything is set up correctly, you can click “Apply all policies” and wait for the application to complete. Keep in mind that there will be no message or notification when the application is finished, so it’s best to just wait until it’s complete. Additionally, you cannot modify policies during an ongoing policy application cycle, so it’s best to let the cycle finish before making any other adjustments.
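Because the portal gives no completion notice, and because PowerShell is the fallback when a cycle fails silently, here is the same apply step run from Security & Compliance PowerShell (an added example, not part of the original post). The admin UPN is a placeholder, and the Status and PercentProgress property names and the status wording matched by the loop are assumptions about the cmdlet output.

```powershell
# Added example. Requires the ExchangeOnlineManagement module.
Connect-IPPSSession -UserPrincipalName admin@contoso.example   # hypothetical UPN

# Review what is about to be applied, including each policy's State.
Get-InformationBarrierPolicy |
    Format-Table Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed, State -AutoSize

# Start the policy application cycle (the PowerShell counterpart of "Apply all policies").
Start-InformationBarrierPoliciesApplication

# Poll the most recent application every 5 minutes, for at most 24 hours,
# since the cycle can take anywhere from 30 minutes to a day.
$pollSeconds = 300
$maxPolls    = (24 * 3600) / $pollSeconds
for ($i = 0; $i -lt $maxPolls; $i++) {
    Start-Sleep -Seconds $pollSeconds
    $run = Get-InformationBarrierPoliciesApplicationStatus
    # Assumed property names: Status, PercentProgress.
    '{0:u}  status={1}  progress={2}%' -f (Get-Date), $run.Status, $run.PercentProgress
    if ($run.Status -match 'Complete|Fail') { break }   # assumed status wording
}

# Full detail of the finished (or failed) run, then the history of earlier runs.
$run | Format-List *
Get-InformationBarrierPoliciesApplicationStatus -All | Format-List *
```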

General Information

When it comes to phishing, malware, and data leakage, Microsoft Teams is no exception to being at risk. When you’re not actively using Teams or are away from your computer, Teams will send an email notification containing a link to the missed message. Threat actors can exploit these Teams features to launch phishing attacks using malicious code.

The guest access functionality in Teams could also lead to data leaks and unauthorized access. For instance, sharing files with external users or guests through channels even when it is no longer required, or continuing to provide access to Teams even after the meeting has ended, could result in data leakage or the visibility of confidential files.

To get to know the capabilities and limitations of Information Barriers for Microsoft, take the time to check out this blog too: https://agatsoftware.com/blog/information-barriers-microsoft-teams-capabilities-and-limitations/

Disadvantages of Information Barriers 

IBs (Information Barriers) provide a complete block between Microsoft tenant entities, making it impossible for members of opposing Blocking Segments to communicate, make calls, join joint meetings, or share files. Unfortunately, this only applies to internal users. If an external Teams user adds members of opposing Segments to a meeting, both parties will be able to attend.

Troubleshooting IBs can be difficult and time-consuming. As it is done on Microsoft’s side, the process is often a large black box. While PowerShell can provide some insight, it is not enough to fully control the process. Additionally, the policy application cycle does not happen automatically and must be monitored regularly.

Advantages of Information Barriers 

Setting up your IBs correctly can provide great blocking capabilities that are seamlessly integrated into many of Microsoft’s services and apps, like Teams and SharePoint.

Segments are an incredibly powerful tool for dividing your organization into manageable units using user attributes. With this feature, you can ensure that your data is secure and accessible only to the people who need it.

Enable Scoped Directory Search on MS Teams

Let’s check how to Enable Scoped Directory Search on MS Teams!

Simply log into your Office 365 account, and navigate to the Admin option in the left toolbar. Then, head to the Information Barrier Admin Centre and select ‘Show all’ in the left menu. Find MS Teams and open the app, select ‘Teams’ then ‘Teams settings’. Scroll down to ‘search by name’ and turn on the option if it’s not already enabled. Finally, hit ‘save changes’ to complete the process.

Audit the MS Teams Admin Activity

Auditing the Microsoft Teams administrative activity is a crucial step to ensure that the policies you have implemented are being properly followed and adhered to. This process involves monitoring the actions taken by administrators and users within the platform, and checking them against the policies you have established.

Here’s how to get started with auditing MS Teams:

  1. Access the Purview Portal: This is the platform where you can view and manage your MS Teams settings.
  2. Click on “Audit”: This option is located in the left-side navigation menu.
  3. Start Recording User and Admin Activity: Once you are on the Audit page, you will see an option to “Start recording user and admin activity.” Click on this button to begin the auditing process.
  4. Automated Monitoring: Once you have started the recording, the platform will automatically monitor all activity within MS Teams, making it easier to identify any potential policy violations.

By following these simple steps, you can be sure that your compliance processes are running smoothly, and that you have the tools you need to maintain a secure and efficient MS Teams environment.

Information Barriers, Our Recommendation

SphereShield is a software solution that provides information barriers for organizations to prevent the unauthorized sharing of sensitive or confidential information. The real-time proactive approach of the software allows it to inspect and handle communications in near real-time, blocking or masking messages, files, images, calls, and desktop sharing before any incident can occur. 

This feature is particularly useful for organizations that need to comply with regulations or internal policies that require granularly blocking communications. The software can also help organizations to reduce the risk of data breaches and insider threats and improve overall security and governance of sensitive data. 


SphereShield offers several benefits and advantages for organizations that need to comply with regulations or internal policies related to data protection and communication security. Some of these benefits may include:

    • Real-time, proactive inspection and handling of communications to prevent incidents before they occur.
    • Ability to block or mask messages, files, images, calls, and desktop sharing in a granular manner, allowing for compliance with specific regulations or policies.
    • Addressing the need for proper compliance by providing a solution that does not compromise near-real-time performance.
    • Improved security and governance of sensitive data by identifying and addressing potential risks before they can cause damage.

Conclusions

In conclusion, setting up Information Barriers in Azure can be a complex task. Still, by following the steps outlined in this guide, you can ensure that your admin user is properly configured and ready to manage your organization’s communication policies. 

On the other hand, SphereShield is a valuable software solution for organizations that need to comply with regulations or internal policies related to data protection and communication security. Its real-time proactive approach allows for the inspection and handling of communications in near real-time, preventing incidents before they occur. With the ability to block or mask messages, files, images, calls, and desktop sharing in a granular manner, SphereShield provides true compliance without compromising performance. 

The software also improves the overall security and governance of sensitive data by identifying and addressing potential risks before they can cause damage. Overall, SphereShield offers a comprehensive solution for organizations looking to protect their sensitive information and comply with regulations.

AGAT Software will be your best ally with information barrier solutions. Contact us to get a short demo!