Microsoft Information Barriers: The Definitive Guide

Microsoft Information Barriers has proved to be a powerful tool when it is set up properly. If you have been looking for a thorough guide to MS Information Barriers, then this is the guide for you.

Table of Contents

1. Introduction

2. Admin User Setup for Information Barriers

3. Purview Portal

4. Segment Creation 

5. Segment Deletion

6. Policy Creation for Information Barriers

7. Implement a Policy for Information Barriers

8. General Information: Downsides and Upsides

9. Enable Scoped Directory Search on MS Teams

10. Audit the MS Teams Admin Activity

11. Information Barriers, Our Recommendation

12. Conclusions


Here is our comprehensive guide to Microsoft Information Barriers, Purview Portals, Segments, and Policy Management. To manage the resources in your organization, you must make sure that your admin account has the appropriate roles and licenses. However, assigning roles and licenses and turning on necessary features can be a bit confusing.

That’s why we’ve put together this guide to take you step-by-step through the process and help you set up your admin user with ease. Whether you’re new to Azure or just need a refresher, in this blog we will provide you with all the information you need to ensure that your admin account is properly set up. So, let’s get started!

Admin User Setup for Information Barriers

Setting up an admin user for your Azure tenant can be a tricky task since it involves assigning the right roles and licenses to the admin account as well as enabling certain features. We’ll go over the steps you need to follow to make sure your admin user is properly set up.

First, you need to assign one of the following roles to your admin account:

    • Microsoft 365 Global Administrator.
    • Office 365 Global Administrator.
    • Compliance Administrator.
    • IB Compliance Management.

Control who can communicate with whom, using specific collaboration options. Apply policies on external or internal users and groups.

It’s important to note that you may need to select multiple roles if you’re having trouble accessing the Information Barriers management area.

Next, you need to assign one of the following licenses to your admin account:

    • Office 365 Advanced Compliance add-on (no longer available for new subscriptions).


Without these licenses, you won’t have access to the Purview Portal.

You also need to enable Scoped directory search for teams and verify that Auditing is enabled in the Purview Portal. Finally, if you’re using Exchange Online, you’ll need to remove any existing Exchange Online address book policies.

By following these steps, you can ensure that your admin user is properly set up and ready to go.

For federated users, Microsoft’s Information Barriers policies are ineffective. The users of those organizations will be able to communicate without any limitations if you permit federation with external organizations. This means that Information Barriers policies won’t impede communication between users of your organization if they participate in a chat or meeting set up by outside federated users.

If you would like to know more about how to take advantage of Information Barriers during external communications, read our blog post here.

Purview Portal

Are you struggling to understand the different sections of Microsoft’s Information Barriers? Don’t worry, you’re not alone! Many people find the process of setting up and managing Information Barriers to be confusing. But with a little guidance, you’ll be able to get the hang of it quickly.

The first step is to access the Compliance Portal at To do so, you’ll need to log in with your previously configured Admin User. Once you’re in, you’ll find three main sections that you’ll need to look at: Segments, Policies, and Policy Application.

Segments are where you define the different groups of people that you want to manage with Information Barriers. Here, you’ll be able to create and customize the different Segments that you want to use.

Next, you’ll need to set up Policies. This is where you define the rules that you want to apply to the different Segments. You can choose from a variety of options, such as restricting communication between specific Segments or allowing only certain types of communication.

Finally, you’ll need to use the Policy Application section to start and monitor the policy application status. Of all the sections, this one is the most challenging to understand, but with some practice, you can.

Sometimes, the policy application cycle can fail for no apparent reason. In this case, the only way to verify what’s going on is to start it through PowerShell.

Segment Creation

Segments are a great way to manage communication policies for specific groups of users that are defined in the compliance portal or by using PowerShell.

When creating a Segment, you need to provide a Segment name and one or more specific conditions for the Segment to populate. These conditions can be based on Email, Department, Group membership, etc. You cannot use security groups; the group has to be a Microsoft 365 group. Also, the maximum number of Segments you can have is 100, according to Microsoft documentation.

One important thing to note is that there can be no overlap for users in Segments, meaning that a user can only be a part of 1 Segment. PowerShell is the only way to check which users are part of a segment. 

Segments are easy to create and provide a lot of flexibility when it comes to setting up communication policies. So, if you’re looking for an easier way to manage your communication policies, Segments are the way to go!
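
The no-overlap rule is easiest to break when Segments are defined on different attributes. The following PowerShell is an added example, not code from the original post or from Microsoft: the `Get-SegmentMembership` function, the users and the Segment conditions are all constructed, and the conditions are modelled in a simplified form (every listed attribute must match one of the listed values).

```powershell
# Added example: find users who would land in more than one Segment.
# Segment conditions are modelled as attribute -> accepted value(s); this is a
# simplified stand-in for the conditions entered when a Segment is created.

function Get-SegmentMembership {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$User,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Segment
    )

    # The page cites a limit of 100 Segments per tenant.
    if ($Segment.Count -gt 100) {
        Write-Warning "Segment count $($Segment.Count) exceeds the limit of 100."
    }

    foreach ($u in $User) {
        # Collect every Segment whose conditions all match this user.
        $matched = @(foreach ($name in $Segment.Keys) {
            $conditions = $Segment[$name]
            $allMatch = $true
            foreach ($attr in $conditions.Keys) {
                if (@($conditions[$attr]) -notcontains $u.$attr) {
                    $allMatch = $false
                    break
                }
            }
            if ($allMatch) { $name }
        })

        if ($matched.Count -eq 0)     { $status = 'Unsegmented' }
        elseif ($matched.Count -eq 1) { $status = 'OK' }
        else                          { $status = 'Overlap' }

        [pscustomobject]@{
            User     = $u.UserPrincipalName
            Segments = $matched -join ', '
            Status   = $status
        }
    }
}

# Constructed sample data (not from a real tenant).
$sampleUsers = @(
    [pscustomobject]@{ UserPrincipalName = 'ana@contoso.example';  Department = 'HR';      Office = 'Madrid' }
    [pscustomobject]@{ UserPrincipalName = 'ben@contoso.example';  Department = 'Finance'; Office = 'London' }
    [pscustomobject]@{ UserPrincipalName = 'cara@contoso.example'; Department = 'HR';      Office = 'London' }
    [pscustomobject]@{ UserPrincipalName = 'dev@contoso.example';  Department = 'IT';      Office = 'Madrid' }
)

# HR is defined on Department, London-Staff on Office: anyone in HR who sits
# in London matches both, which violates the one-Segment-per-user rule.
$sampleSegments = [ordered]@{
    'HR'           = @{ Department = 'HR' }
    'Finance'      = @{ Department = 'Finance'; Office = 'London' }
    'London-Staff' = @{ Office = 'London' }
}

Get-SegmentMembership -User $sampleUsers -Segment $sampleSegments |
    Where-Object { $_.Status -ne 'OK' } |
    Format-Table -AutoSize
```

Against a live tenant, `Get-InformationBarrierRecipientStatus -Identity <user>` in Security & Compliance PowerShell reports the Information Barriers state of an individual user.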

Segment Deletion

You may be asking what to do with segments that are no longer needed. Fortunately, you can easily delete segments that are part of an active policy in the Purview Portal.

To delete a segment from an active policy, simply open the policy in the Purview Portal and click the “Delete” button next to the unwanted segment. You’ll see a confirmation message, and then the segment will be removed from the policy.

It’s important to remember that you won’t be able to delete a segment using PowerShell if it’s part of an active policy. If you try to delete a segment using PowerShell, you’ll get an error message.

So next time you need to delete a segment from an active policy, just remember to use the Purview Portal – it’s the easiest and most efficient way to do it.

Policy Creation for Information Barriers

It is important to understand that policies are made up of two parts: the Assigned Segment and the Blocked or Allowed Segment. The second part indicates whether the Assigned Segment is only permitted to communicate with the Allowed Segment, or whether it is forbidden from communicating with the Blocked Segment but is permitted to communicate with other Segments or members of other groups.

When creating a policy with a Blocked Segment, you always need two policies. For example, if you want to block communication between group A and group B, you need a policy where Group A is the Assigned Segment and Group B is the Blocked Segment and you also need a policy where Group B is the Assigned Segment and Group A is the blocked Segment.

If this condition is not met, you won’t be able to apply policies.

Warning of a major limitation: A Segment can only be part of a policy once, regardless of whether it’s an Assigned Segment or Blocked/Allowed Segment. Without meeting this condition, you won’t be able to apply policies.

Check the steps to create a policy:

1. Log into your policy management system and select the ‘Create Policy’ option.

2. Select the Assigned Segment and either Block or Allow the Segment.

3. If you are blocking communication, make sure to create a policy for each Segment.

4. Ensure that each Segment is part of only one policy.

5. Click ‘Save’ to create your policy.

6. To extend your policy to other groups or users, create a new policy with new Segments.

7. Finally, apply the policy in order for it to take effect.

Following these steps will help you easily create and manage your policies. Remember to always double-check that each Segment is part of only one policy and that each block is covered by two policies.
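
Both conditions can be checked before policies are applied. The following PowerShell is an added example, not code from the original post or from Microsoft: `Test-IBPolicySet` and the sample policies are hypothetical, and the property names are assumed to match the objects returned by `Get-InformationBarrierPolicy`. It reads "part of only one policy" as "the Assigned Segment of only one policy", an interpretation chosen here so the check stays compatible with the mirror-policy requirement.

```powershell
# Added example: pre-flight check of Information Barriers policy definitions.
# Assumed input properties: Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed.

function Test-IBPolicySet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][object[]]$Policy
    )

    $findings = [System.Collections.Generic.List[object]]::new()

    # Rule 1: a Segment may be the Assigned Segment of only one policy.
    $Policy | Group-Object -Property AssignedSegment |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Rule    = 'DuplicateAssignedSegment'
                Segment = $_.Name
                Detail  = 'Assigned in: ' + (($_.Group.Name | Sort-Object) -join ', ')
            })
        }

    # Rule 2: a policy either blocks or allows, not both and not neither.
    foreach ($p in $Policy) {
        $blocked = @($p.SegmentsBlocked | Where-Object { $_ })
        $allowed = @($p.SegmentsAllowed | Where-Object { $_ })
        if (($blocked.Count -gt 0) -eq ($allowed.Count -gt 0)) {
            $findings.Add([pscustomobject]@{
                Rule    = 'BlockAllowAmbiguous'
                Segment = $p.AssignedSegment
                Detail  = "Policy '$($p.Name)' must set exactly one of Blocked or Allowed"
            })
        }
    }

    # Rule 3: every block A -> B needs the mirror block B -> A.
    $edges = @{}   # key "From|To"; PowerShell hashtable keys are case-insensitive
    foreach ($p in $Policy) {
        foreach ($b in @($p.SegmentsBlocked)) {
            if ($b) {
                $edges["$($p.AssignedSegment)|$b"] = [pscustomobject]@{
                    From = $p.AssignedSegment; To = $b; Policy = $p.Name
                }
            }
        }
    }
    foreach ($e in ($edges.Values | Sort-Object Policy, To)) {
        if (-not $edges.ContainsKey("$($e.To)|$($e.From)")) {
            $findings.Add([pscustomobject]@{
                Rule    = 'MissingMirrorPolicy'
                Segment = $e.To
                Detail  = "'$($e.Policy)' blocks $($e.From) -> $($e.To), but no policy blocks $($e.To) -> $($e.From)"
            })
        }
    }

    $findings
}

# Constructed sample policies (not from a real tenant).
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Research-Block-Sales'; AssignedSegment = 'Research'
                       SegmentsBlocked = @('Sales');    SegmentsAllowed = @() }
    [pscustomobject]@{ Name = 'Sales-Block-Research'; AssignedSegment = 'Sales'
                       SegmentsBlocked = @('Research'); SegmentsAllowed = @() }
    # No Finance policy blocks HR, so this block has no mirror.
    [pscustomobject]@{ Name = 'HR-Block-Finance';     AssignedSegment = 'HR'
                       SegmentsBlocked = @('Finance');  SegmentsAllowed = @() }
    # HR is already the Assigned Segment of the policy above.
    [pscustomobject]@{ Name = 'HR-Allow-Legal';       AssignedSegment = 'HR'
                       SegmentsBlocked = @();           SegmentsAllowed = @('Legal') }
)

Test-IBPolicySet -Policy $samplePolicies | Format-Table -AutoSize -Wrap

# Against a tenant (after Connect-IPPSSession), the same check would be:
#   Test-IBPolicySet -Policy (Get-InformationBarrierPolicy)
```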

Implement a Policy for Information Barriers

Welcome to the section where we will put the rules we previously established into practice! The policies won’t be applicable if anything is configured incorrectly. For instance, the policy application cycle won’t begin if there isn’t a mirror policy for a Block policy, so your policies will stay the same.

It’s crucial to remember that policy application doesn’t happen constantly. Instead, it happens during a cycle of policy application. According to my experience, this cycle can take anywhere between 30 minutes and 24 hours, and the number of users and groups your tenant has may be related to how long it takes to apply.

Once you’ve ensured that everything is set up correctly, you can click “Apply all policies” and wait for the application to complete. Keep in mind that there will be no message or notification when the application is finished, so it’s best to just wait until it’s complete. Additionally, you cannot modify policies during an ongoing policy application cycle, so it’s best to let the cycle finish before making any other adjustments.

General Information

When it comes to phishing, malware, and data leakage, Microsoft Teams is no exception to being at risk. When you’re not actively using Teams or are away from your computer, Teams will send an email notification containing a link to the missed message. Threat actors can exploit these Teams features to launch phishing attacks using malicious code.

The guest access functionality in Teams could also lead to data leaks and unauthorized access. For instance, sharing files with external users or guests through channels even when it is no longer required, or continuing to provide access to Teams even after the meeting has ended, could result in data leakage or the visibility of confidential files.

To get to know the capabilities and limitations of Information Barriers for Microsoft, take the time to check out this blog too:

Disadvantages of Information Barriers 

IBs (Identity Blocking) provide a complete block between Microsoft tenant entities, making it impossible for members of opposing Blocking Segments to communicate, make calls, join joint meetings, or share files. Unfortunately, this only applies to internal users. If an external Teams user adds members of opposing Segments to a meeting, both parties will be able to attend.

Troubleshooting IBs can be difficult and time-consuming. As it is done on Microsoft’s side, the process is often a large black box. While PowerShell can provide some insight, it is not enough to fully control the process. Additionally, the policy application cycle does not happen automatically and must be monitored regularly.

Advantages of Information Barriers 

Setting up your IBs correctly can provide great blocking capabilities that are seamlessly integrated into many of Microsoft’s services and apps, like Teams and SharePoint.

Segments are an incredibly powerful tool for dividing your organization into manageable units using user attributes. With this feature, you can ensure that your data is secure and accessible only to the people who need it.

Enable Scoped Directory Search on MS Teams

Let’s check how to Enable Scoped Directory Search on MS Teams!

Simply log into your Office 365 account, and navigate to the Admin option in the left toolbar. Then, head to the Information Barrier Admin Centre and select ‘Show all’ in the left menu. Find MS Teams and open the app, select ‘Teams’ then ‘Teams settings’. Scroll down to ‘search by name’ and turn on the option if it’s not already enabled. Finally, hit ‘save changes’ to complete the process.

Audit the MS Teams Admin Activity

Auditing the Microsoft Teams administrative activity is a crucial step to ensure that the policies you have implemented are being properly followed and adhered to. This process involves monitoring the actions taken by administrators and users within the platform, and checking them against the policies you have established.

Here’s how to get started with auditing MS Teams:

  1. Access the Purview Portal: This is the platform where you can view and manage your MS Teams settings.
  2. Click on “Audit”: This option is located in the left-side navigation menu.
  3. Start Recording User and Admin Activity: Once you are on the Audit page, you will see an option to “Start recording user and admin activity.” Click on this button to begin the auditing process.
  4. Automated Monitoring: Once you have started the recording, the platform will automatically monitor all activity within MS Teams, making it easier to identify any potential policy violations.

By following these simple steps, you can be sure that your compliance processes are running smoothly, and that you have the tools you need to maintain a secure and efficient MS Teams environment.

Information Barriers, Our Recommendation

SphereShield is a software solution that provides information barriers for organizations to prevent the unauthorized sharing of sensitive or confidential information. The real-time proactive approach of the software allows it to inspect and handle communications in near real-time, blocking or masking messages, files, images, calls, and desktop sharing before any incident can occur. 

This feature is particularly useful for organizations that need to comply with regulations or internal policies that require granularly blocking communications. The software can also help organizations to reduce the risk of data breaches and insider threats and improve overall security and governance of sensitive data. 


SphereShield offers several benefits and advantages for organizations that need to comply with regulations or internal policies related to data protection and communication security. Some of these benefits may include:

    • Real-time, proactive inspection and handling of communications to prevent incidents before they occur.
    • Ability to block or mask messages, files, images, calls, and desktop sharing in a granular manner, allowing for compliance with specific regulations or policies.
    • Addressing the need for proper compliance by providing a solution that does not compromise near-real-time performance.
    • Improved security and governance of sensitive data by identifying and addressing potential risks before they can cause damage.


In conclusion, setting up Information Barriers in Azure can be a complex task. Still, by following the steps outlined in this guide, you can ensure that your admin user is properly configured and ready to manage your organization’s communication policies. 

On the other hand, SphereShield is a valuable software solution for organizations that need to comply with regulations or internal policies related to data protection and communication security. Its real-time proactive approach allows for the inspection and handling of communications in near real-time, preventing incidents before they occur. With the ability to block or mask messages, files, images, calls, and desktop sharing in a granular manner, SphereShield provides true compliance without compromising performance. 

The software also improves the overall security and governance of sensitive data by identifying and addressing potential risks before they can cause damage. Overall, SphereShield offers a comprehensive solution for organizations looking to protect their sensitive information and comply with regulations.

AGAT Software will be your best ally with information barrier solutions. Contact us to get a short demo!


Shared Channels in Microsoft Teams: How to Use Them, Copy and Merge Them

  1. Introduction
  2. Getting Started with Shared Channels in Teams
  3. When Should You Use Group Chats, Shared Channels, Private Channels, And Standard Channels?
  4. Create and Delete a Shared Channel in Microsoft Teams
  5. Advantages and Limitations of Microsoft Teams Shared Channels
  6. AGAT Solution: How to Merge and Copy Shared Channels? 


Channels are dedicated sections to keep conversations organized by specific topics, projects, disciplines, or whatever works for your team. In 2022, a very requested feature was added to Microsoft Teams: Shared Channels to create collaboration spaces where you can invite people who are not in the team but work on the same project. In this blog, we’ll explain everything you need to know about it, how to use it, its advantages, and its limitations too. We will also deal with the question of how to merge them with regular channels and tips to keep improving your work.

Getting Started with Shared Channels in Teams

Shared channels in Microsoft Teams create collaboration spaces where you can invite people who are not in the team but work on the same project or task.

Shared channels are enabled by default in Teams, but by creating a channel policy you can choose whether people can create shared channels, whether they can share them with people outside your organization, and even whether they can participate in external shared channels.

Sharing channels with people outside your organization also requires that you configure cross-tenant access settings in Azure AD. Each organization that you want to share channels with must also complete this configuration. But this is the perfect alternative to keep your productivity on top and make collaboration easier.

When Should You Use Group Chats, Shared Channels, Private Channels, And Standard Channels?


You can use Group Chats when:

  • You require a single conversation with several parties.
  • No team has been created with the people you need to talk to.
  • There are several people you need to share information with, but not the complete team.
  • You must immediately share links or information while in a meeting.
  • You bring up the same subject as the prior message once more.

And you can use Standard Teams channels when:

  • You will deliver information to a larger team.
  • Longer-form collaboration with multiple responses is necessary.
  • You need to upload and update files while working on projects or presentations with others.
  • You begin a new project that is only accessible to certain team members.
  • Members outside of a group chat can require access to history and files (in this case, any member of the team can access the channel activity and files).

Group Chats and Standard Channels in all the aforementioned instances support both external and internal users. As a result, a Teams admin must give permission for a member of another organization who uses Teams to join a group chat or channel.

For discussions where everyone on the team can participate, use conventional or standard channels. When you require a focused area for work with a small set of team members, use private channels. And when you need to work with others outside the team, use shared channels.

Create and Delete a Shared Channel in Microsoft Teams

The ability to create and delete shared channels can be managed at the organizational level. 

The person who creates a shared channel becomes the owner and only the shared channel owner can directly add or remove people from it. Members of a shared channel have a secure conversation space, and when new members are added, they can see all conversations (even old ones) in that shared channel.

Team owners can see the names of all shared channels in their teams and can also delete any of them. Team owners can’t see the files in a shared channel or the conversations and member lists of a shared channel unless they are members of that shared channel.

Create a Shared Channel:

  1. Select the “More Options” button and then click “Add Channel” while you are in the team you want to establish the shared channel for.
  2. Give your channel a name and a description based on your project or task.
  3. Select the right-hand down arrow next to “Privacy”, then select “Shared – People you select from your org or other orgs have access.” Select “Create” next.
  4. Enter the names of the organization members you wish to add to the channel in the text box and choose from the list. To add individuals from outside your organization, enter their email addresses and choose from the list. Next, choose “Share.”
  5. By clicking the down arrow to the right of “Member” and selecting “Owner,” you can convert a member into an owner. Next, click “Done.”

Delete a Shared Channel: 

A deleted shared channel can be restored within 30 days after deletion. When a deleted shared channel is restored, all previous memberships will be restored as well.

Go to the shared channel you own and select the “More Options” button and then click “Delete This Channel.”


And to restore a deleted shared channel go to the host team for the shared channel and select the “More Options” button and then click “Manage Team.”

Select Channels > Deleted > Restore.


Advantages and Limitations of Microsoft Teams Shared Channels

Microsoft Teams is a collaboration and cooperation platform used by many enterprises globally, and each one of them needs its Teams environment to reflect the dynamic nature of business operations.

Teams Channels offer many advantages, such as communicating effectively with large groups of people inside and outside your organization, enhancing productivity, and keeping communications secure. Shared Channels also have some limitations: the Stream, Planner, and Forms apps are not supported, and neither are Custom Apps, Bots, Connectors, and Messaging Extensions.

Microsoft does not provide the option to rebuild Teams so when organizations add too many teams and channels that they no longer use, their platforms can soon become bloated and need to be changed to reflect their current organizational structure.

Still, there is a solution that lets users move items around quickly and according to their organization’s schedule: AGAT’s SphereShield.

Take for example a company that is engaged in the creation of a new software product. These projects are frequently completed quickly and depending on where a feature is in its lifetime, different teams are assigned to handle different aspects of it.

How could they benefit from SphereShield’s Channel Management and Teams Governance on their journey? Keep reading to find it out.

AGAT Solution: How to Merge and Copy Shared Channels?

Merge Channels using Channel Management:

It can be challenging to manage channels in Microsoft Teams at times. That’s why it’s important for us to discuss the security and compliance add-ons, such as DLP and making e-discovery user-friendly, as well as how we can use SphereShield to copy and merge a Microsoft Teams channel.

For example, the Team discovers as they continue to work that they have divided the creation of some new features into various channels. They then come to the realization that they wish to handle them as parts of a single, larger feature. As a result, they could combine those channels and preserve all the information in one location.


Copy Channels:

Why would your company replicate a Team Channel? In fact, this would be a template channel with everything set up the way our business needs to work—with default files, folders, and a planner—plus whatever else you might want to include.

You can copy a channel by going into the SphereShield admin portal, selecting the team that houses the channel, then selecting the channel and pressing “Copy.” You then have the choice to copy or move it to whichever team you want!

With AGAT’s Channel Management solution, you can easily move, copy, archive, merge and even export channels into a PDF. This allows you to manage your team’s environment and to organize or re-organize it even if there are a million channels. And the best part is that you can convert Standard and Private Channels into Shared Channels!

To get a free trial of AGAT channel management contact us today. Our sales team will contact you with all the information you need.


Block File Sharing: Prevent Information Leaks in Microsoft Teams

In this blog, we will answer questions on how it is possible to block file sharing in OneDrive and SharePoint, the core of the Office 365 cloud for companies.

  1. Introduction: What are OneDrive and SharePoint? What are their differences?
  2. Compliance and security issues emerging from OneDrive and SharePoint usage
  3. The limitations in the existing solutions, Focus on Information Barriers
  4. How to block specific users and groups from file sharing in OneDrive and SharePoint

A small piece of advice: If you are just interested in blocking specific users and groups in MS OneDrive and SharePoint click here to skip the first part of the article.


Microsoft OneDrive and SharePoint are easily confused. While the 2 fulfill the same function of being the cloud storage offered by Microsoft, they have some differences that are worth noting.

OneDrive tends to be used more for personal private documents. SharePoint is a central location for managing files for a group of people; that can happen within Teams, Yammer, and Outlook or directly in SharePoint as a file management system. SharePoint can also be used for designing sites with or without documents.

OneDrive and Sharepoint in Teams

Inside the MS Teams environment, OneDrive and SharePoint play 2 different roles that can be noticed.

OneDrive handles files in personal and group chats or in the Files Tab, while SharePoint handles files that are sent in channels, chats, or posted in their respective Files Tab.

This difference, although technical, will play an important role when having to deal with file permissions on these platforms.

Compliance and security issues emerging from OneDrive and SharePoint usage

Let’s take a look at some of the most common problems that emerge with OneDrive and SharePoint.

In a simple scenario, let’s suppose we are dealing with 2 teams at the company: HR and Finance.

The HR department may be handling documents with sensitive information: Payroll, employees’ private information, medical records, and the like.

Companies are aware of the issues of not controlling Private Information (PI & PII) that can result in regulation breaches or major data leaks. This is why, for example, an organization would ideally like to prevent anyone other than HR employees from accessing that information.

Another example may be the finance department not being able to share information with a specific team, like the stock research departments (see our article on Finra for more information on this kind of policy) or company policy that does not allow any finance document to be stored in the cloud.

Basically, any information that has to be controlled between a team or more, or any information that can’t leave a specific team, represents a serious threat when using OneDrive and SharePoint.

The limitations in the existing solutions, Focus on Information Barriers

Once I was told that the definition of a system is that, any good or even a great system can collapse. For example, a building has a specific number of elevators, but if everyone is in need at the same time, that system collapses.

The analogy can be applied to our case in Microsoft Teams: while there are some solutions, such as Information Barriers, that address blocking people and groups from communicating, they don’t completely protect them from possible threats and risks.

It is important to note that it only takes a matter of seconds for an employee to share OneDrive and SharePoint files externally without the organization being aware.

How to block specific users and groups from file sharing in OneDrive and SharePoint

Companies that are interested in controlling file sharing and access in OneDrive and SharePoint can look at SphereShield for OneDrive SharePoint.

SphereShield works in real-time, meaning it will not allow the shared file to be seen or noted, even for a second. What is more, its granularity allows for unlimited policies to be set with different employees or groups.

AGAT’s compliance product addresses problems like:

- Preventing specific groups (like finance) from uploading files to SharePoint or OneDrive (and MS Teams through SphereShield Ethical Wall for MS Teams).

- Limiting a specific group from sharing with any other group or any specific group.

- Blocking 2 teams from sharing files with each other.

SphereShield for OD & SP contains a governance feature that allows assigning policies to any SharePoint site inside the company. These policies are designed to determine which groups are allowed to be members of which sites.

E.g., prevent the finance group from accessing the SharePoint site of the HR group.

If you would like to learn more about SphereShield contact us today to see a live demo from one of our experts.

User case of blocking groups while still allowing them to meet together.

Exceptions of specific sites allow people to communicate.