Pre reqs:
- First make sure scoped directory search is turned on:
Teams admin center, select Org-Wide settings –> Teams settings
Under search, next to Scope Directory search in Teams using an Exchange address book policy (ABP), turn the toggle on.
Please note this can take up to 24 hours to replicate. https://docs.microsoft.com/en-us/MicrosoftTeams/teams-scoped-directory-search
2. Licensing and permissions:
- Microsoft 365 E5
- Office 365 E5
- Office 365 Advanced Compliance
- Microsoft 365 E5 Information Protection and Compliance
3. To define or edit information barrier policies, you must be assigned one of the following roles:
- Microsoft 365 global administrator
- Office 365 global administrator
- Compliance administrator
- IB Compliance Management (this is a new role!)
4. Turn on audit logging - 0365 admin –> compliance –> Search –> Audit log search
- Click “turn on auditing”
The banner is then updated:
You can also do this via the Exchange online Powershell:
Turn on audit log search:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Turn off audit logs search:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
To verify that audit log is off via Powershell
Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
Or via the Admin Center
5. Make sure no exchange address book policies are in place
https://docs.microsoft.com/en-us/exchange/address-books/address-book-policies/remove-an-address-book-policy
6. Provide admin consent for Microsoft Teams:
On this step first you need to make sure you have the permissions for the 0365 security and Compliance:
Login-AzureRmAccount $appId=”bcf62038-e005-436d-b970-2a472f8c1982″ $sp=Get-AzureRmADServicePrincipal -ServicePrincipalName $appId if ($sp -eq $null) { New-AzureRmADServicePrincipal -ApplicationId $appId } Start-Process “https://login.microsoftonline.com/common/adminconsent?client_id=$appId“
Step 2 Segment users:
- Before we proceed to this section make sure your directory data has values that you can use to define segments. List of attributes you can use with information barriers can be found here:
https://docs.microsoft.com/en-us/microsoft-365/compliance/information-barriers-attributes?view=o365-worldwide#reference
2. Create the “segment”
New-OrganizationSegment -Name “Sales” -UserGroupFilter “Department -eq ‘Sales'”
New-OrganizationSegment -Name “Research” -UserGroupFilter “Department -eq ‘Research'”
Now we set it so Sales and Research are not able to communicate
New-InformationBarrierPolicy -Name “Sales-Research” -AssignedSegment “Sales” -SegmentsBlocked “Research” -State Inactive
Since the above cmdlet is no symmetrical we need to also block research from talking with sales:
New-InformationBarrierPolicy -Name “Research-Sales” -AssignedSegment “research” -SegmentsBlocked “sales” -State Inactive
Apply the information barrier policy:
- First run Get-informationbarrierpolicy to see a list of our policies we defined:
In this example the Guid from running the above cmdlet is 15912fe7-0dd5-4b90-b3e0-4b94168cb63e so we will run:
Set-InformationBarrierPolicy -Identity 15912fe7-0dd5-4b90-b3e0-4b94168cb63e -State Active
Then you must also run this same cmdlet for the other segment we created using its guid.
Now that we have defined our two segments you must run the following cmdlet to “start” the policy:
Start-InformationBarrierPoliciesApplication
At this point you should be all setup. However, After approximately a half hour, policies are applied, user by user, for your organization. If your organization is large, it can take 24 hours (or more) for this process to complete. (As a general guideline, it takes about an hour to process 5,000 user accounts.)