4. Session Objectives
During this session we will:
Look at the Microsoft Purview portfolio
Licensing and requirements
Use cases for information barriers and communication compliance
See how both options work
See how to configure both options
5. Microsoft Purview portfolio
Prevent Insider Risks
Insider risk management
Communication compliance
Information barriers
Privileged access management
Customer Lockbox
Compliance management
Compliance Score
Compliance Manager
Built-in templates
Insights and auditing
Search
Core eDiscovery | Advanced eDiscovery
Microsoft Defender for Cloud Apps
Auditing
Privacy Management Dashboard
Information protection
Sensitivity labels & encryption (mails, documents, sites, groups, Power BI, data)
Double key encryption
Office 365 message encryption
Information governance
Data classification | Machine Learning
Sensitive Information Types
Records management & disposition
Archive 3rd party information
Metadata
Prevent data loss
Data loss prevention
Endpoint data loss prevention
On-premises data loss prevention
Non-Microsoft cloud apps
6. Licensing
Office 365 E5 | Microsoft 365 E5
M365 E3 + E5 Compliance
M365 E3 + E5 Insider Risk Management
Only users in the relevant segments or monitored users need to be licensed
https://bit.ly/3Bmog7e (pdf)
8. Use cases for Communication Compliance
Corporate policies
• Acceptable use, ethical standards, other corporate policies
• Detect policy matches
• Examples: harassment, offensive language
Risk management
• Conflict of interest
• Unauthorized communications
Regulatory compliance
• Supervisory or oversight processes
• Dutch Central Bank (DNB regulations), Financial Industry Regulatory Authority (FINRA)
9. Locations
Microsoft Teams
• Chat communications in channels
• Individual chats
Other
• All mailboxes hosted on Exchange Online (e-mails, attachments)
• Yammer
3rd party sources
• Requires connectors and licenses
• WhatsApp and Instant Bloomberg are examples
10. Getting started
Privacy
• Use settings to anonymize user information
Reviewers
• Mailboxes hosted on Exchange Online
• Communication Compliance Analyst or Investigator role groups
• Assigned in policy
Find content - policies
• Sensitive information types
• Trainable classifiers
• Specific attributes and keywords
18. What will happen?
User access to team or channel content
Adding a user to a team or channel
Screensharing | telephone calls
User access to meetings
User access to 1:1 and group chats
19. Pre-requisites
Azure Active Directory
• Make sure Azure AD is up to date with relevant attributes
• Do not use Exchange Online address book policies
Licences and permissions
• Every user needs an Exchange Online license
• Information Barriers Administrator role
And do note….
• Verify that audit logging is enabled
• Use PowerShell to enforce barriers on existing groups and teams
• 250 segments per organization
• A user can only be part of one segment
• Guest users are affected – federated users are not
• Information Barriers V2 is coming!
21. Modes | Segments | Policies
Diagram: example users (Albert, Connie, George, Peter) grouped into segments (Management, Operations, Control), with a policy defined between two segments.
22. Modes | Segments | Policies
Modes
• Open (no IB active)
• Owner Moderated (IB active based on owner)
• Implicit (default for Teams)
• Explicit (SPO only)
Segments
• Collection of users based on a limited set of Azure AD attributes or group membership
• Only modern groups are supported
Policy
• Used to set the permissions (Allow/Block) for communication between two segments
23. SharePoint Online and Teams
Explicit mode
• Only for non-connected sites
Teams connected – Implicit mode
• Share with anyone link disabled
• Company-wide link disabled
• Only sharing with existing members
• New users can't be added directly
• Segments cannot be changed, even by a SharePoint Admin or Global Admin
• Also works for private channels
• Can take up to 24 hours for the IB mode to take effect
26. Checking for issues
Check user status
Get-InformationBarrierRecipientStatus -Identity <userid>
Check segment status
Get-OrganizationSegment -Identity <GUID>
Check policy application status
Get-InformationBarrierPoliciesApplicationStatus
Status: NotStarted | InProgress | Completed | Failed
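The following script is an added example, not part of the original deck: it walks the segment / policy / application flow from the "Modes | Segments | Policies" slide through the status checks above, and adds the check a practitioner wants before activation, namely that every block policy has its reverse (policies are symmetric, one per side). The segment names, the Department values and the user UPN are assumptions for illustration; the cmdlets themselves are the standard Security & Compliance PowerShell cmdlets.

```powershell
# Added example (not from the original deck). Assumes the Exchange Online
# Management module is installed and the account holds the
# Information Barriers Administrator role.
Connect-IPPSSession

# 1. Segments. Each filter uses one Azure AD attribute; the filters must not
#    overlap, because a user can be a member of only one segment.
#    "Research" / "Trading" and the Department values are illustrative.
New-OrganizationSegment -Name "Research" -UserGroupFilter "Department -eq 'Research'"
New-OrganizationSegment -Name "Trading"  -UserGroupFilter "Department -eq 'Trading'"

# 2. Policies. A block must be declared from BOTH sides. Create them Inactive
#    so they can be reviewed before anything is enforced.
New-InformationBarrierPolicy -Name "Research-blocks-Trading" `
    -AssignedSegment "Research" -SegmentsBlocked "Trading" -State Inactive
New-InformationBarrierPolicy -Name "Trading-blocks-Research" `
    -AssignedSegment "Trading" -SegmentsBlocked "Research" -State Inactive

# 3. Symmetry check: every (AssignedSegment -> SegmentsBlocked) edge needs the
#    reverse edge. Assumes AssignedSegment / SegmentsBlocked carry segment
#    names, as they do in the portal view.
$edges = foreach ($p in Get-InformationBarrierPolicy) {
    foreach ($b in @($p.SegmentsBlocked)) {
        [pscustomobject]@{ Policy = $p.Name; From = $p.AssignedSegment; To = $b }
    }
}
$oneSided = foreach ($e in $edges) {
    $reverse = $edges | Where-Object { $_.From -eq $e.To -and $_.To -eq $e.From }
    if (-not $reverse) { $e }
}
if ($oneSided) {
    $oneSided | Format-Table -AutoSize
    throw "One-sided block policies found; each block needs a matching policy on the other segment."
}

# 4. Activate and apply. Application is asynchronous, so poll the status
#    (NotStarted / InProgress / Completed / Failed).
Get-InformationBarrierPolicy |
    Where-Object { $_.State -eq 'Inactive' } |
    ForEach-Object { Set-InformationBarrierPolicy -Identity $_.Name -State Active }
Start-InformationBarrierPoliciesApplication
do {
    Start-Sleep -Seconds 60
    $status = Get-InformationBarrierPoliciesApplicationStatus
    "{0}  {1}" -f (Get-Date -Format s), $status.Status
} while ($status.Status -in 'NotStarted', 'InProgress')
if ($status.Status -ne 'Completed') {
    throw "Policy application ended with status $($status.Status)"
}

# 5. Spot-check that a user landed in the expected segment; the returned
#    object shows the segment and the IB policy applied to the recipient.
#    alice@contoso.com is an illustrative UPN.
Get-InformationBarrierRecipientStatus -Identity alice@contoso.com
```

Run the symmetry check again whenever a segment is added: a new segment with a block policy in only one direction is the usual reason a barrier "half works" (one side is blocked, the other can still initiate). Keep in mind the slide above: the Teams and SharePoint effects can take up to 24 hours after the application status reaches Completed.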
28. Current content
Information Barriers become active on current content
User removed
• 1 on 1 chat: read only and blocked
• Group chat: user removed from participating, can read old conversations
• Team: user removed from team, cannot access content *)
• Other users will see an error when hovering over the people card
Contacts
• Activity tab removed
• A blocked user will not appear on the org chart
• A blocked user will not appear as suggested contact
• A blocked chat/call contact can be seen in the chats contact list and
will be identified. But there is no interaction option
*) Probably based on the segment the Teams owner is in.
But what if the owner isn’t in a segment? Or both owners are part of different segments?
Still testing this….
29. Shared Channels (internal)
• Share with a user: blocked
• Share with a team you own: blocked if any member is part of the IB
• Share with a team you don't own: blocked if the other owner or any member is part of the IB
• Add a user to a team that has shared channels: blocked if the user is part of the IB. But…. When the team has 6 or more shared channels, the user can be added initially. When the IB policy detects a problem, sharing is stopped (?!).
• An IB does not affect sharing the team with an external party
31. Beware!
• These are complex functions
• A user can only be added to one segment!
• Policies are symmetric – always requires two to function!
• Information Barriers do not work across tenants
• Information Barriers do not block bots, Azure AD apps or APIs
• Information Barriers V2 is on its way
The IB policy of the Microsoft 365 resource is determined from the resource owner's IB policy. The resource owners can invite any user to the resource based on their IB policies. This mode is useful when your company wants to allow collaboration among incompatible segment users that are moderated by the owner. Only the resource owner can add new members per their IB policy.