Configuring information barriers in Teams

Prerequisites:

1. First make sure scoped directory search is turned on:

In the Teams admin center, select Org-wide settings –> Teams settings.

Under search, next to Scope Directory search in Teams using an Exchange address book policy (ABP), turn the toggle on.

Please note this can take up to 24 hours to replicate.

2. Licensing and permissions:

  • Microsoft 365 E5
  • Office 365 E5
  • Office 365 Advanced Compliance
  • Microsoft 365 E5 Information Protection and Compliance

3. To define or edit information barrier policies, you must be assigned one of the following roles:
  • Microsoft 365 global administrator
  • Office 365 global administrator
  • Compliance administrator
  • IB Compliance Management (this is a new role!)

4. Turn on audit logging
  • O365 admin –> Compliance –> Search –> Audit log search
  • Click “Turn on auditing”

The banner is then updated:

You can also do this via Exchange Online PowerShell:

Turn on audit log search:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

Turn off audit log search:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false

To verify that audit log search is off via PowerShell:

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled

Or via the Admin Center 

5. Make sure no Exchange address book policies are in place

6. Provide admin consent for Microsoft Teams:

For this step, first make sure you have the permissions for the O365 Security and Compliance:–compliance-center

# Sign in, then create the service principal for this app ID if it does not exist yet
Login-AzureRmAccount
$appId = "bcf62038-e005-436d-b970-2a472f8c1982"
$sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $appId
if ($sp -eq $null) { New-AzureRmADServicePrincipal -ApplicationId $appId }
Start-Process “$appId

Step 2 Segment users:

1. Before we proceed with this section, make sure your directory data has values that you can use to define segments. A list of attributes you can use with information barriers can be found here:

2. Create the “segment”

New-OrganizationSegment -Name "Sales" -UserGroupFilter "Department -eq 'Sales'"

New-OrganizationSegment -Name "Research" -UserGroupFilter "Department -eq 'Research'"

Now we set it so Sales and Research are not able to communicate:

New-InformationBarrierPolicy -Name "Sales-Research" -AssignedSegment "Sales" -SegmentsBlocked "Research" -State Inactive

Since the above cmdlet is not symmetrical, we also need to block Research from talking with Sales:

New-InformationBarrierPolicy -Name "Research-Sales" -AssignedSegment "research" -SegmentsBlocked "sales" -State Inactive

Apply the information barrier policy:

1. First run Get-InformationBarrierPolicy to see a list of the policies we defined:

In this example, the GUID from running the above cmdlet is 15912fe7-0dd5-4b90-b3e0-4b94168cb63e, so we will run:

Set-InformationBarrierPolicy -Identity 15912fe7-0dd5-4b90-b3e0-4b94168cb63e -State Active

Then you must also run this same cmdlet for the other policy we created, using its GUID.

Now that we have defined our two segments, you must run the following cmdlet to “start” the policy:


At this point you should be all set up. However, after approximately half an hour, policies are applied, user by user, for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. (As a general guideline, it takes about an hour to process 5,000 user accounts.)
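
Because each policy only blocks one direction, a missing or still-Inactive reverse policy leaves the barrier open from the other side. As an added example (not from the original post), the function below audits a set of policies for both problems; the name Find-BarrierGap, the property names it reads (Name, AssignedSegment, SegmentsBlocked, State) and the sample data are assumptions.

```powershell
# Added example: flag one-way or non-active information barrier policies.
# Assumption: each policy object exposes Name, AssignedSegment, SegmentsBlocked
# and State, holding segment names, mirroring the cmdlet parameters used above.
function Find-BarrierGap {
    param([Parameter(Mandatory)][object[]]$Policy)

    # Index every (assigned > blocked) pair, lower-cased because the same
    # segment may be written as "Sales" in one policy and "sales" in another.
    $edges = [ordered]@{}
    foreach ($p in $Policy) {
        foreach ($blocked in @($p.SegmentsBlocked)) {
            $key = ('{0}>{1}' -f $p.AssignedSegment, $blocked).ToLowerInvariant()
            $edges[$key] = $p
        }
    }

    foreach ($key in $edges.Keys) {
        $from, $to = $key -split '>'
        $p = $edges[$key]
        # A policy that was created with -State Inactive and never activated
        if ($p.State -ne 'Active') {
            [pscustomobject]@{ Policy = $p.Name; Issue = "state is $($p.State), not Active" }
        }
        # No policy assigned to the blocked segment that blocks this one back
        if (-not $edges["$to>$from"]) {
            [pscustomobject]@{ Policy = $p.Name; Issue = "no reverse policy assigned to '$to' blocking '$from'" }
        }
    }
}

# Constructed sample data: Research-Sales was never activated, and the
# Legal > Sales block has no counterpart in the other direction.
$sample = @(
    [pscustomobject]@{ Name = 'Sales-Research'; AssignedSegment = 'Sales';    SegmentsBlocked = @('Research'); State = 'Active' }
    [pscustomobject]@{ Name = 'Research-Sales'; AssignedSegment = 'research'; SegmentsBlocked = @('sales');    State = 'Inactive' }
    [pscustomobject]@{ Name = 'Legal-Sales';    AssignedSegment = 'Legal';    SegmentsBlocked = @('Sales');    State = 'Active' }
)
Find-BarrierGap -Policy $sample | Format-Table -AutoSize

# Against a live tenant, from the same session used for the cmdlets above:
# Find-BarrierGap -Policy (Get-InformationBarrierPolicy)
```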
