Upgrading to Information Barriers v2


Information Barriers are a compliance feature of Microsoft 365. Until March 2023 the only option was the version now known as v1, or legacy mode, Information Barriers. Legacy (v1) Information Barriers allowed a user to be a member of a single Information Barrier segment, and so communications were limited between all users in that same segment (i.e. members of DayTraders could not communicate with members of the Consultants group if they were in different Information Barrier segments).

Version 2 allows for 5000 segments (up from 250) and allows users to belong to more than one segment.

Microsoft will release an upgrade tool in November 2023 to move tenants on legacy Information Barriers to v2. But what if you are not using Information Barriers at the moment and don’t have anything to migrate?

You can enable Information Barriers v2 in your tenant with the following Compliance PowerShell cmdlets. Note that this will only work if your tenant was created after March 2023.

First, check that you are in “Legacy” (v1) Information Barriers mode. You need the Exchange Online Management PowerShell module installed to get this cmdlet. Connect, and then report the Information Barriers mode:

Connect-ExchangeOnline
Get-OrganizationConfig | FL Information*

The value of InformationBarrierMode should read “Legacy” at this point.

Check that you have no existing Information Barriers in place, as migration is not available until the end of 2023, and this blog post just covers turning on Information Barriers V2 in a tenant not already using Information Barriers. The following will connect you to the Compliance PowerShell endpoint so that you can check the status of any existing Information Barriers that are in place.

Connect-IPPSSession
Get-OrganizationSegment
Get-InformationBarrierPolicy

Both of the above Get cmdlets should return nothing. And if they do return nothing, you can now create a new Information Barriers segment to kick your tenant into v2 mode.
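The two checks above can be combined into a single gate that refuses to continue unless the tenant is in Legacy mode with no segments or policies. This is an added example, not part of the original post: Test-IBv2Preflight is a hypothetical helper name, and it assumes Connect-ExchangeOnline and Connect-IPPSSession have both already succeeded in the current window.

```powershell
# Added example, not from the original post.
# Test-IBv2Preflight is a hypothetical helper name. It only reads state and
# uses only the Get cmdlets shown above.
function Test-IBv2Preflight {
    [CmdletBinding()]
    param()

    # Exchange Online session: current Information Barriers mode.
    $mode = [string](Get-OrganizationConfig).InformationBarrierMode

    # Compliance session: @() turns "returned nothing" into an empty array.
    $segments = @(Get-OrganizationSegment)
    $policies = @(Get-InformationBarrierPolicy)

    $blockers = @()
    if ($mode -ne 'Legacy') {
        $blockers += "InformationBarrierMode is '$mode', expected 'Legacy'"
    }
    if ($segments.Count -gt 0) {
        $blockers += "$($segments.Count) existing segment(s): $($segments.Name -join ', ')"
    }
    if ($policies.Count -gt 0) {
        $blockers += "$($policies.Count) existing policy(ies): $($policies.Name -join ', ')"
    }

    [pscustomobject]@{
        InformationBarrierMode = $mode
        SegmentCount           = $segments.Count
        PolicyCount            = $policies.Count
        Ready                  = ($blockers.Count -eq 0)
        Blockers               = $blockers
    }
}

$check = Test-IBv2Preflight
$check | Format-List

if (-not $check.Ready) {
    # Stop here: this post only covers tenants with no Information Barriers in place.
    throw "Do not create a segment yet: $($check.Blockers -join '; ')"
}
Write-Host 'No existing segments or policies found; the tenant is still in Legacy mode.'
```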

New-OrganizationSegment -Name "City_Oxford" -UserGroupFilter "City -eq 'Oxford'"

The above cmdlet creates a new Information Barriers segment filtered on the user's City property. All filterable properties can be used to make a segment, contrary to the documentation, which only lists some properties (for example, the docs as of Aug 2023 do not list City).

Once the segment is made, you are migrated to v2, and a mode called “SingleSegment”. This is very similar to v1 in that it allows a user to belong to a single segment, but 5000 segments are now supported. Once you are in “SingleSegment” mode (v2) you can move to “MultiSegment” mode (also v2). Don’t move back to Single Segment mode once you are in Multi Segment mode unless you have made no overlapping segments.

To change (if you want) to Multi Segment mode, run the following in a Compliance PowerShell module-only window:

Set-PolicyConfig -InformationBarrierMode 'MultiSegment'

Wait a few minutes and then check the status of InformationBarrierMode using Get-OrganizationConfig in an Exchange Online PowerShell module only window. You should get a value of MultiAllow.

Get-OrganizationConfig | FL Information*

Note that the documentation refers to a cmdlet called Get-PolicyConfig for viewing which Information Barriers mode your tenant is in. This is a cmdlet that exists in both the Exchange Online Management PowerShell module and the Compliance PowerShell module. If you have both modules loaded in a single PowerShell window you will not see the results from the Compliance PowerShell module and therefore you will get conflicting results. For example, if I run “Get-PolicyConfig | FL Information*” in PowerShell with only the Compliance module (Connect-IPPSSession) loaded I will see “InformationBarrierMode : MultiSegment”, but if I run the exact same cmdlet in a PowerShell window with the Exchange Management module loaded (or both modules loaded) I will see “InformationBarrierMode : Legacy” even though I am not in legacy mode! This is shown in the following picture – the top-right PowerShell window has the Exchange+Compliance modules loaded, and returns a different result from the bottom-left window running just the Compliance module:

Two PowerShell windows with conflicting answers for Information Barriers mode
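To see whether the current window is affected by this name clash, you can list every Get-PolicyConfig command in the session and call each one separately. This is an added example, not part of the original post: Get-PolicyConfigByModule is a hypothetical helper name, and it assumes each connection exposes its cmdlets through its own module so that Get-Command -All returns one entry per connection.

```powershell
# Added example, not from the original post.
# Get-PolicyConfigByModule is a hypothetical helper name.
function Get-PolicyConfigByModule {
    # -All returns every command named Get-PolicyConfig in the session,
    # including one that is shadowed by a same-named command from another module.
    $commands = @(Get-Command -Name 'Get-PolicyConfig' -All -ErrorAction SilentlyContinue)

    foreach ($cmd in $commands) {
        $mode    = $null
        $failure = $null
        try {
            # Call this exact command object, not whatever the bare name resolves to.
            $mode = [string](& $cmd -ErrorAction Stop).InformationBarrierMode
        } catch {
            $failure = $_.Exception.Message
        }
        [pscustomobject]@{
            Module                 = $cmd.ModuleName
            InformationBarrierMode = $mode
            Error                  = $failure
        }
    }
}

$results = @(Get-PolicyConfigByModule)
$results | Format-Table -AutoSize

if ($results.Count -gt 1) {
    Write-Warning "Get-PolicyConfig is present $($results.Count) times in this window; the bare name runs only one of them."
}

# Distinct non-empty modes reported across the copies of the cmdlet.
$modes = @($results.InformationBarrierMode | Where-Object { $_ } | Sort-Object -Unique)
if ($modes.Count -gt 1) {
    Write-Warning "Conflicting InformationBarrierMode values: $($modes -join ', '). Re-check in a Compliance-only window."
}
```

The module names reported are whatever the session assigns, so they may not say which service they belong to; a disagreement between rows is the signal to re-run the check in a window with only Connect-IPPSSession loaded.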

Once your tenant is enabled for Information Barriers v2 you have the ability to segment users for Teams, OneDrive and SharePoint. Information Barriers v1 is needed for Exchange Online. Information Barriers v1 is really Address Book Policies, and so you need to create these to match your v2 segments and policy combinations.


Comments

6 responses to “Upgrading to Information Barriers v2”

  1. Mark

    Hi,

    In the article you mention that “Microsoft will release an upgrade tool in November 2023 to move tenants on legacy Information Barriers to v2”

    We have an old tenancy and are patiently waiting a path to upgrade to V2

    Do you know any more information about this?

    Kind regards

    1. Brian Reid

      I have no information on this at the moment.

    1. Brian Reid

      Thanks for the link

  2. Tim

    We enabled multi-segment in our tenant and created policies.
    All seems to be working fine in Teams/OneDrive, users are segmented as per rules we set up.

    However, in Outlook, everybody got assigned a new empty Address Book Policy that we cannot change. Nobody sees anything.

    Set-mailbox “user” -Addressbookpolicy $null has no effect.

    The empty ABP has the IB attribute.
    IsInformationBarrierPolicy : True

    We did have an existing ABP that was used by 1 mailbox, which we deleted and re-applied IB policies, but still no effect.

    Is this expected behavior?
    Does v2 multisegmentation IB break Outlook addressbooks?

    1. Brian Reid

      So I have not had an opportunity to use Information Barriers since I wrote the original post over a year ago. At that time I was not impressed with the feature because it was not consistent across services. As you say, it works with Teams/OneDrive, but not Exchange.

      Unless it has changed in the last year, my understanding was that IBv2 documentation replaced IBv1 documentation inaccurately and did not point out that Exchange Online still (and only) uses IBv1. The docs seem to imply that IBv2 replaces IBv1, but I think that is only for Teams/OneDrive. It does not replace it for Exchange Online and so you need to duplicate everything you do for IBv2 again for IBv1 (same groups, rules etc.) so that it works for address books.
