Important
Support for assigning users to multiple segments is available only when your organization isn't in Legacy mode. To determine if your organization is in Legacy mode, see Check the IB mode for your organization and check the value of the InformationBarrierMode property.
For organizations in Legacy mode, users can only be assigned to one segment. Organizations in Legacy mode are eligible to upgrade to the newest version of Information Barriers in the future. For more information, see the Information Barriers roadmap.
The multi-segment mode enables you to assign users in your organization to up to 10 segments in Information Barriers instead of being limited to just one segment. This support for more diverse communication rules between individuals and groups supports more complex organizational and operational scenarios. For organizations using multi-segment support, define all Information Barriers policies with an allowlist.
When you configure multi-segment support, user compatibility depends on each user's assignment to a shared segment. If users share assignment to the same segment, they're compatible. For example, the following table shows that User A and User B aren't compatible because they don't share an assigned segment. However, User A is compatible with User C and User B is compatible with User C because they each have an assigned segment in common.
User | Assigned segments |
---|---|
User A | Segment 1, Segment 2 |
User B | Segment 3, Segment 4 |
User C | Segment 2, Segment 4 |
Multi-segment example: North School District's schools, segments, and policies
The North School District has two schools, School 1 and School 2. The district policy is to allow students and teachers to communicate with each other only if they're both in the same school. For example, a student and teacher that are both in School 1 can communicate, but a student in School 1 can't communicate with a teacher in School 2. For this scenario, configure multiple segments to support the following district policy scenarios:
North School District's schools and plan
North School District has two schools:
Segment | Allowed communication | Prevented communication |
---|---|---|
School 1 | Students and teachers in School 1 | Students and teachers in School 2 |
School 2 | Students and teachers in School 2 | Students and teachers in School 1 |
For this structure, North School District's plan includes three IB policies:
- An IB policy that enables students and teachers in School 1 to communicate with each other.
- An IB policy that enables students and teachers in School 2 to communicate with each other.
- An IB policy that allows teachers in School 1 and School 2 to communicate with each other.
North School District's defined segments
North School District uses the Department attribute in Microsoft Entra ID to define segments, as follows:
Segment | Segment definition |
---|---|
School1 | New-OrganizationSegment -Name "School1" -UserGroupFilter "Department -eq 'School1'" |
School2 | New-OrganizationSegment -Name "School2" -UserGroupFilter "Department -eq 'School2'" |
AllTeachers | New-OrganizationSegment -Name "AllTeachers" -UserGroupFilter "MemberOfGroup -eq 'AllTeachersgroup@northschoolsdistrict.com'" |
After defining the segments, North School District defines the IB policies.
North School District's IB policies
North School District defines three IB policies, as described in the following table:
Policy | Policy Definition |
---|---|
Policy 1: Students and teachers in School 1 can communicate with each other | New-InformationBarrierPolicy -Name School1Policy -SegmentsAllowed 'School1' -AssignedSegment 'School1' -State Active In this example, the IB policy is called School1Policy. When this policy is active and applied, it enables students and teachers in School 1 to communicate with each other. This policy is a one-way policy; it doesn't prevent students and teachers in School 1 from communicating with School 2. For that, Policy 2 is needed. |
Policy 2: Students and teachers in School 2 can communicate with each other | New-InformationBarrierPolicy -Name School2Policy -SegmentsAllowed 'School2' -AssignedSegment 'School2' -State Active In this example, the IB policy is called School2Policy. When this policy is active and applied, it enables students and teachers in School 2 to communicate with each other. |
Policy 3: Teachers in different schools can communicate with each other | New-InformationBarrierPolicy -Name AllTeachersPolicy -SegmentsAllowed 'AllTeachers' -AssignedSegment 'AllTeachers' -State Active In this case, the IB policy is called AllTeachersPolicy. When this policy is active and applied, teachers in School 1 and School 2 can communicate with each other. |
With segments and policies defined, North School District runs the Start-InformationBarrierPoliciesApplication cmdlet to apply the policies. When the cmdlet finishes, North School District implements its communication policy for students and teachers.
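The following script is an added example, not part of the original article, that builds the North School District configuration from the two tables above as one idempotent run and verifies the assumptions the article makes along the way. It assumes an existing Connect-IPPSSession to Security & Compliance PowerShell, a tenant already in MultiSegment mode, and the group address used in the article; the Status values it polls for on Get-InformationBarrierPoliciesApplicationStatus ('Completed', 'Failed') are an assumption about that cmdlet's output and may need adjusting to what your tenant returns.

```powershell
# Added example (not the article's own script). Assumes Connect-IPPSSession has
# already been run and the tenant is in MultiSegment mode.
$ErrorActionPreference = 'Stop'

# Multi-segment assignments only work in MultiSegment mode; fail early otherwise.
$mode = (Get-PolicyConfig).InformationBarrierMode
if ($mode -ne 'MultiSegment') {
    throw "Tenant is in '$mode' mode; assigning users to several segments requires MultiSegment."
}

# Segment name -> UserGroupFilter, exactly as in the article's segment table.
$segments = [ordered]@{
    School1     = "Department -eq 'School1'"
    School2     = "Department -eq 'School2'"
    AllTeachers = "MemberOfGroup -eq 'AllTeachersgroup@northschoolsdistrict.com'"
}
foreach ($name in $segments.Keys) {
    if (-not (Get-OrganizationSegment | Where-Object Name -eq $name)) {
        New-OrganizationSegment -Name $name -UserGroupFilter $segments[$name] | Out-Null
    }
}

# Every policy is an allowlist (SegmentsAllowed), as multi-segment support requires.
$policies = @(
    @{ Name = 'School1Policy';     Assigned = 'School1';     Allowed = 'School1' }
    @{ Name = 'School2Policy';     Assigned = 'School2';     Allowed = 'School2' }
    @{ Name = 'AllTeachersPolicy'; Assigned = 'AllTeachers'; Allowed = 'AllTeachers' }
)
foreach ($p in $policies) {
    if (-not (Get-InformationBarrierPolicy | Where-Object Name -eq $p.Name)) {
        New-InformationBarrierPolicy -Name $p.Name -AssignedSegment $p.Assigned `
            -SegmentsAllowed $p.Allowed -State Active | Out-Null
    }
}

# Refuse to apply if any existing policy uses a blocklist; the article requires allowlists only.
$blocking = Get-InformationBarrierPolicy | Where-Object { $_.SegmentsBlocked }
if ($blocking) {
    throw "Blocklist policies found, remove them first: $($blocking.Name -join ', ')"
}

# Apply the policies and poll until the run finishes. The 'Completed'/'Failed'
# Status values are an assumption about the cmdlet's output.
Start-InformationBarrierPoliciesApplication | Out-Null
do {
    Start-Sleep -Seconds 60
    $status = Get-InformationBarrierPoliciesApplicationStatus
} while ($status.Status -notin @('Completed', 'Failed'))

$status | Format-List Status, PercentProgress, StartTime, EndTime
if ($status.Status -eq 'Failed') { throw 'Policy application failed; inspect the status output above.' }
```

The blocklist guard matters because Information Barriers evaluates every active policy in the tenant, so a leftover blocklist policy from an earlier single-segment design would silently change the outcome for users who now sit in several segments.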
Check the IB mode for your organization
To support assigning users to multiple segments, verify that your organization's IB mode allows it. Run the following cmdlet in Security & Compliance PowerShell and check the InformationBarrierMode property of the result:
Get-PolicyConfig
If the value of the InformationBarrierMode property is SingleSegment, enable multi-segment support by following the guidance in the Enable multiple segment support for users section in this article. If the value of the InformationBarrierMode property is MultiSegment, you can skip enabling support for multi-segment because it's already enabled for your organization.
If the value of the InformationBarrierMode property is Legacy, enabling multi-segment isn't supported for your organization. Legacy organizations are eligible to upgrade to the newest version of Information Barriers in the future. For more information, see the Information Barriers roadmap.
Enable multiple segment support for users
To enable multiple segment support for organizations in SingleSegment mode, ensure that you don't have any IB segments or policies currently defined for your organization. Run the following cmdlet to enable multiple segment support in your organization:
Set-PolicyConfig -InformationBarrierMode 'MultiSegment'
Important
If you enable multiple segments and configure IB in your organization, don't revert to single segment support.
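The following function is an added example, not part of the original article, that wraps the check-and-enable procedure from the two sections above so that the mode switch only happens when the preconditions the article states actually hold: the tenant must be in SingleSegment mode, and no segments or policies may exist yet. It assumes an existing Connect-IPPSSession to Security & Compliance PowerShell; the function name Enable-IBMultiSegmentMode is made up for this example.

```powershell
# Added example (not the article's own script). Assumes Connect-IPPSSession has
# already been run. Enable-IBMultiSegmentMode is a name chosen for this example.
$ErrorActionPreference = 'Stop'

function Enable-IBMultiSegmentMode {
    $mode = (Get-PolicyConfig).InformationBarrierMode

    switch ($mode) {
        'MultiSegment' {
            Write-Host 'Multi-segment support is already enabled; nothing to do.'
            return
        }
        'Legacy' {
            # Legacy tenants cannot switch; they have to wait for the upgrade path.
            throw 'Tenant is in Legacy mode. Multi-segment support cannot be enabled here; see the Information Barriers roadmap for upgrade eligibility.'
        }
        'SingleSegment' {
            # The switch is only supported before any segments or policies exist.
            $segments = @(Get-OrganizationSegment)
            $policies = @(Get-InformationBarrierPolicy)
            if ($segments.Count -gt 0 -or $policies.Count -gt 0) {
                throw ("Found {0} segment(s) and {1} policy(ies). Remove them before switching modes." -f `
                    $segments.Count, $policies.Count)
            }

            Set-PolicyConfig -InformationBarrierMode 'MultiSegment'

            # Re-read the setting rather than trusting the write; once IB is configured
            # in MultiSegment mode the change is not meant to be reverted.
            $after = (Get-PolicyConfig).InformationBarrierMode
            if ($after -ne 'MultiSegment') {
                throw "InformationBarrierMode is still '$after' after Set-PolicyConfig."
            }
            Write-Host 'Multi-segment support enabled.'
        }
        default {
            throw "Unexpected InformationBarrierMode value '$mode'; check the tenant before continuing."
        }
    }
}

Enable-IBMultiSegmentMode
```

Running the check against the live tenant state instead of a remembered value is the point: the mode and the absence of segments and policies are what make the switch safe, and both are cheap to confirm immediately before the Set-PolicyConfig call.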
Multi-segment support for users in OneDrive
If your IB organization isn't in LegacyMode and you configure OneDrive for Information Barriers to support multiple segments, the OneDrive user experience works as follows:
OneDrive IB policy: The policy automatically sets a multi-segment user's OneDrive to Owner Moderated mode.
OneDrive site access by a multi-segment user:
- Explicit or Mixed mode: A multi-segment user can access the OneDrive if they belong to at least one of the segments of the OneDrive and have site access permission.
- All other modes: Users have the same site access experience as with single segment support.
OneDrive sharing by a multi-segment user: A multi-segment user can share a OneDrive site and the included content according to the IB mode set for OneDrive.
- Explicit mode: Users can share OneDrive content with other users who have the same segment as the OneDrive.
- Open or Owner moderated mode: Users can share content with other compatible users according to IB policies.
For more information about managing IB for OneDrive, see Use Information Barriers with OneDrive.
Multi-segment support for users in SharePoint Online
If your IB organization isn't in LegacyMode and you configure SharePoint for Information Barriers to support multiple segments, the SharePoint user experience works as follows:
Site creation: When a user with multiple segments creates a SharePoint site (either a Microsoft 365 group connected site or a non-group site), the site automatically uses Owner moderated mode.
SharePoint site access by a multi-segment user:
- Explicit mode: Users get access if they have at least one segment that matches the site's segment and they have site access permission.
- All other modes: Users have the same site access experience as with single segment support.
SharePoint site sharing by a multi-segment user: A user with multiple segments can share the site and its content according to the IB mode of the site.
- Explicit mode: Can share content with users who match the segment of the site.
- Implicit or Owner moderated mode: Can share content with the other existing members of the Microsoft 365 group connected to the site.
- Open mode: Can share content with other users who they're compatible with per IB policy.
For more information about managing IB for SharePoint, see Use Information Barriers with SharePoint.
Multi-segment support for users in Microsoft Teams
If your IB organization isn't in LegacyMode and you configure Teams for Information Barriers to support multiple segments, the Microsoft Teams user experience works as follows:
- Team creation: When a user with multiple segments creates a team, the team automatically uses Implicit mode.
- Team member addition: All users in the team must have one segment that is compatible with all other users.
For more information about managing IB for Microsoft Teams, see Use Information Barriers with Microsoft Teams.