Information Barriers are a compliance feature of Microsoft 365. Until March 2023, the version now known as v1 or legacy mode Information Barriers was the only option available. Legacy (v1) Information Barriers allowed a user to be a member of a single Information Barrier segment, and so communications were limited between all users in that same segment (i.e. members of DayTraders could not communicate with members of the Consultants group if they were in different Information Barrier segments).
Version 2 allows for 5000 segments (up from 250) and allows users to belong to more than one segment.
Microsoft will release an upgrade tool in November 2023 to move tenants on legacy Information Barriers to v2. But what if you are not using Information Barriers at the moment and don’t have anything to migrate?
You can enable Information Barriers v2 in your tenant with the following Compliance PowerShell cmdlets. Note that this will only work if your tenant was created after March 2023.
First, check that you are in “Legacy” (v1) Information Barriers mode. You need the Exchange Online Management PowerShell module installed to get this cmdlet. Connect, and then report the Information Barriers mode:
Connect-ExchangeOnline
Get-OrganizationConfig | FL Information*
The value of InformationBarrierMode should read “Legacy” at this point.
Check that you have no existing Information Barriers in place, as migration is not available until the end of 2023, and this blog post just covers turning on Information Barriers V2 in a tenant not already using Information Barriers. The following will connect you to the Compliance PowerShell endpoint so that you can check the status of any existing Information Barriers that are in place.
Connect-IPPSSession
Get-OrganizationSegment
Get-InformationBarrierPolicy
Both of the above Get cmdlets should return nothing. And if they do return nothing, you can now create a new Information Barriers segment to kick your tenant into v2 mode.
New-OrganizationSegment -Name "City_Oxford" -UserGroupFilter "City -eq 'Oxford'"
The above cmdlet creates a new Information Barriers segment filtered on the user's City property. All filterable properties can be used to make a segment, contrary to the documentation, which only lists some properties (for example, the docs as of Aug 2023 do not list City).
Once the segment is made, you are migrated to v2, in a mode called “SingleSegment”. This is very similar to v1 in that it allows a user to belong to a single segment, but 5000 segments are now supported. Once you are in “SingleSegment” mode (v2) you can move to “MultiSegment” mode (also v2). Don’t move back to Single Segment mode once you are in Multi Segment mode unless you have made no overlapping segments.
To change (if you want) to Multi Segment mode, run the following in a PowerShell window that has only the Compliance PowerShell module loaded:
Set-PolicyConfig -InformationBarrierMode 'MultiSegment'
Wait a few minutes and then check the status of InformationBarrierMode using Get-OrganizationConfig in a PowerShell window that has only the Exchange Online PowerShell module loaded. You should get a value of MultiAllow.
Get-OrganizationConfig | FL Information*
Note that the documentation refers to a cmdlet called Get-PolicyConfig for viewing which Information Barriers mode your tenant is in. This cmdlet exists in both the Exchange Online Management PowerShell module and the Compliance PowerShell module. If you have both modules loaded in a single PowerShell window, you will not see the results from the Compliance PowerShell module, and therefore you will get conflicting results. For example, if I run “Get-PolicyConfig | FL Information*” in PowerShell with only the Compliance module (Connect-IPPSSession) loaded, I will see “InformationBarrierMode : MultiSegment”, but if I run the exact same cmdlet in a PowerShell window with the Exchange Online Management module loaded (or both modules loaded), I will see “InformationBarrierMode : Legacy” even though I am not in legacy mode! This is shown in the following picture – the top-right PowerShell window is Exchange+Compliance modules loaded, and returns a different result from the bottom-left window running just the Compliance module:
Once your tenant is enabled for Information Barriers v2 you have the ability to segment users for Teams, OneDrive and SharePoint. Information Barriers v1 is needed for Exchange Online. Information Barriers v1 is really Address Book Policies, and so you need to create these to match your v2 segments and policy combinations.
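The Get-PolicyConfig conflict and the "both cmdlets return nothing" precondition described above can be checked in one script before the first segment is created. This is an added example, not code from the original post: the function names are hypothetical, and it assumes ExchangeOnlineManagement v3 or later (for Get-ConnectionInformation and its IsEopSession property).

```powershell
# Added example: pre-flight checks before enabling Information Barriers v2.
# Function names are hypothetical. Assumes ExchangeOnlineManagement v3+.

function Get-IBModeFromCompliance {
    # Get-PolicyConfig exists in both modules. With an Exchange Online session
    # loaded it can report 'Legacy' incorrectly, so start from a clean state.
    Disconnect-ExchangeOnline -Confirm:$false -ErrorAction SilentlyContinue
    Connect-IPPSSession

    # Assumption: IsEopSession is True only for Compliance PowerShell sessions.
    # Refuse to continue if any other session is still open in this window.
    $other = Get-ConnectionInformation | Where-Object { -not $_.IsEopSession }
    if ($other) {
        throw 'An Exchange Online session is loaded; Get-PolicyConfig output would be unreliable.'
    }
    (Get-PolicyConfig).InformationBarrierMode
}

function Test-IBv2Precondition {
    # Precondition from the post: both Get cmdlets must return nothing.
    $segments = @(Get-OrganizationSegment)
    $policies = @(Get-InformationBarrierPolicy)
    if ($segments.Count -or $policies.Count) {
        Write-Warning ("Found {0} segment(s) and {1} policy(ies); this tenant needs migration, not a fresh enable." -f $segments.Count, $policies.Count)
        return $false
    }
    return $true
}

$mode = Get-IBModeFromCompliance
Write-Host "InformationBarrierMode (Compliance endpoint only): $mode"

if (Test-IBv2Precondition) {
    # Creating the first segment moves the tenant into SingleSegment (v2).
    New-OrganizationSegment -Name 'City_Oxford' -UserGroupFilter "City -eq 'Oxford'"
}
```

Run it in a fresh PowerShell window; the segment name and filter are the ones used earlier in this post and should be changed to match your own tenant.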