Microsoft 365 Info Barriers

Microsoft 365 Info Barriers: An Overview

Microsoft 365 Information Barriers (IB) is a compliance feature designed to control communication and collaboration between specific users or groups within an organization. It ensures that certain groups or individuals cannot communicate or share data with each other based on policies you set. This feature is especially important in industries such as finance, legal, healthcare, and government where strict internal compliance regulations must prevent the flow of sensitive information between different departments or roles.

Key Concepts of Info Barriers

  1. Segmentation of Users: Info barriers are used to segment users within an organization. This means restricting communication and collaboration between specific groups to ensure compliance with internal policies or regulatory requirements.
  2. Policies: Admins can create and enforce policies that govern how and with whom users can communicate or collaborate. These policies ensure that users who shouldn’t be interacting (due to potential conflicts of interest or compliance concerns) are effectively blocked from doing so.
  3. Control of Collaboration in Multiple Services: Info barriers affect a range of Microsoft 365 services, including:
    • Microsoft Teams: Preventing specific users from starting chats, calls, or meetings with restricted individuals.
    • SharePoint Online and OneDrive: Limiting access to shared files and content between certain users or departments.
    • Exchange Online: Restricting the ability to send or receive emails between segmented groups.
  4. Scenarios for Use: Info barriers are designed for industries or organizations where strict internal controls must be placed on information sharing:
    • Financial Services: Separating investment teams from research teams to prevent conflicts of interest.
    • Legal Firms: Preventing communication between legal teams representing opposing parties in the same case.
    • Healthcare: Ensuring that certain departments or individuals within a hospital do not share patient data inappropriately.

How Info Barriers Work

1. Setting Up Info Barriers

  • Admin Role: A Microsoft 365 compliance admin sets up the information barriers by defining which users or groups should be restricted from communicating with each other.
  • Policies: These restrictions are enforced by creating policies. There are two types of policies:
    • Allow Policies: Define the allowed communication and collaboration between different groups.
    • Block Policies: Define the communication that must be blocked between groups.

The policies can be set up based on attributes in Azure Active Directory (AAD) such as department, role, or region. Once a policy is applied, it restricts both direct and indirect communication between the specified groups.

2. Enforcement Across Services

Once the policies are in place, they apply across the following Microsoft 365 services:

  • Teams: Users who are restricted by an info barrier policy will not be able to:
    • Start a chat or call with users from the restricted group.
    • Invite restricted users to a meeting or collaborate in a channel.
  • SharePoint and OneDrive: Users from restricted groups will not be able to share files with each other or co-author documents.
  • Exchange Online: Email communication between restricted users will be blocked.

3. Policy Monitoring and Enforcement

Once policies are applied, they are continuously monitored and enforced. If a user attempts to violate an info barrier (e.g., by starting a chat with a restricted user), the action is blocked, and the user is notified that their communication is restricted by an info barrier policy.

4. Policy Management

Policies can be managed from the Microsoft 365 Compliance Center, where admins can:

  • Define policies based on user attributes from Azure Active Directory.
  • Apply and enforce policies across the organization or within specific departments.
  • Adjust or remove policies as necessary.

Practical Usage Examples of Info Barriers

1. Financial Services: Chinese Walls

In financial services, regulatory rules often require what’s known as a Chinese Wall between certain departments (e.g., a firm’s trading desk and research department) to prevent conflicts of interest. Info barriers ensure that:

  • Traders cannot communicate via Microsoft Teams or Exchange with researchers who might have non-public information.
  • Files in SharePoint and OneDrive cannot be shared between the two groups.
  • Email communication between traders and researchers is automatically blocked to maintain compliance with regulations.

Example: A trader in a large investment bank tries to initiate a chat with a research analyst regarding a stock recommendation. The chat is blocked, and the trader receives a notification that they cannot communicate with the analyst due to an info barrier.

2. Legal Firms: Conflicts of Interest

In law firms, multiple legal teams may be working on different sides of a case, representing opposing clients. To maintain compliance with legal standards and protect client confidentiality, info barriers can be used to:

  • Block any form of communication between the legal teams.
  • Prevent file sharing or document collaboration across teams.
  • Ensure that email exchanges between restricted groups are not allowed.

Example: Two legal teams in the same firm are representing different sides of a corporate merger case. The firm sets up info barriers to prevent the two teams from communicating or sharing files in Teams, SharePoint, and Exchange, ensuring that client confidentiality is maintained.

3. Healthcare: Patient Data Segregation

In a healthcare setting, certain teams or individuals may have access to different types of patient data. Info barriers can be used to ensure that sensitive health information is only accessible by authorized departments. For example:

  • Patient records are stored in SharePoint but access is restricted to only authorized personnel.
  • Teams discussions about sensitive patient data are restricted to the medical staff authorized to handle that data.

Example: In a hospital, the radiology department is working on sensitive patient scans that cannot be shared with administrative staff. Info barriers are implemented to ensure that radiology staff cannot accidentally or intentionally share files or initiate chats with the administration team.

Benefits of Info Barriers

  1. Regulatory Compliance: Info barriers help organizations comply with industry regulations like the Financial Industry Regulatory Authority (FINRA), the Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection Regulation (GDPR), among others.
  2. Protection of Confidential Information: By segmenting users and controlling their communication, organizations can protect sensitive information from being shared with unauthorized users.
  3. Risk Reduction: Info barriers help reduce the risk of conflicts of interest, data leaks, or unintentional information sharing, which could lead to legal or financial consequences.
  4. Scalability: Info barriers can be applied at scale across global organizations, ensuring that communication and data sharing are controlled regardless of the user’s location.

Working Example of Setting Up Info Barriers

Here is a step-by-step example of how an admin might set up Info Barriers for a company with trading and research departments:

  1. Define User Segments in Azure Active Directory:
    • Traders are tagged with the attribute “Department: Trading” in Azure Active Directory.
    • Researchers are tagged with the attribute “Department: Research.”
  2. Create Info Barrier Policies:
    • The admin creates a block policy that prevents users in the “Trading” department from communicating with users in the “Research” department.
    • The admin applies the policy across Teams, SharePoint, OneDrive, and Exchange.
  3. Apply and Enforce Policies:
    • After the policy is applied, any attempt by a trader to communicate with a researcher through Teams (e.g., starting a chat or sharing a file) is automatically blocked.
    • If a trader tries to email a researcher, the email will not be delivered, and the user will receive a notification explaining that the action is blocked due to an Info Barrier policy.
  4. Monitor and Adjust:
    • The admin periodically reviews and adjusts the policies as needed based on organizational changes or evolving regulatory requirements.
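
The four steps above expressed in Security & Compliance PowerShell, as an added example that is not part of the original article. The segment names, policy names and the two user addresses are constructed placeholders, and the block is defined once in each direction because each policy is assigned to a single segment.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a
# compliance admin account. All names below are constructed placeholders.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to Security & Compliance PowerShell

# Step 1: define segments from the directory Department attribute.
New-OrganizationSegment -Name 'Trading'  -UserGroupFilter "Department -eq 'Trading'"
New-OrganizationSegment -Name 'Research' -UserGroupFilter "Department -eq 'Research'"

# Step 2: create the block policies, one per direction.
# They start Inactive so they can be reviewed before they take effect.
New-InformationBarrierPolicy -Name 'Trading-Block-Research' `
    -AssignedSegment 'Trading' -SegmentsBlocked 'Research' -State Inactive
New-InformationBarrierPolicy -Name 'Research-Block-Trading' `
    -AssignedSegment 'Research' -SegmentsBlocked 'Trading' -State Inactive

# Review what was defined before activating anything.
Get-OrganizationSegment | Format-List Name, UserGroupFilter
Get-InformationBarrierPolicy |
    Format-List Name, AssignedSegment, SegmentsBlocked, State

# Step 3: activate both policies, then start policy application.
Set-InformationBarrierPolicy -Identity 'Trading-Block-Research' -State Active
Set-InformationBarrierPolicy -Identity 'Research-Block-Trading' -State Active
Start-InformationBarrierPoliciesApplication

# Step 4: monitor. Check application progress, then confirm how the
# policies resolve for one trader/researcher pair (placeholder addresses).
Get-InformationBarrierPoliciesApplicationStatus
Get-InformationBarrierRecipientStatus `
    -Identity  'trader@contoso.example' `
    -Identity2 'analyst@contoso.example'
```

Policy application runs asynchronously, so wait for the application status to report completion before testing a user pair.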

Microsoft 365 Info Barriers provide a powerful solution for managing communication and collaboration restrictions within an organization. They help maintain compliance with regulatory requirements, protect sensitive information, and reduce the risk of conflicts of interest. By enforcing policies across multiple Microsoft 365 services, Info Barriers ensure that communication is restricted based on organizational needs, making them essential for businesses operating in highly regulated industries like finance, legal, and healthcare.

Author: tonyhughes