Use Information Barriers with SharePoint

Microsoft Purview Information Barriers are policies in Microsoft 365 that a compliance admin can configure to prevent users from communicating and collaborating with each other. This solution is useful if, for example, one division is handling information that shouldn't be shared with specific other divisions, or a division needs to be prevented, or isolated, from collaborating with all users outside of the division. Information Barriers are often used in highly regulated industries and those organizations with compliance requirements, such as finance, legal, and government.

For SharePoint, Information Barriers can determine and prevent the following kinds of unauthorized collaborations:

  • Adding a user to a site
  • User access to a site or site content
  • Sharing a site or site content with other users

Information Barriers modes and SharePoint sites

Information Barriers modes help strengthen access, sharing, and membership of a site based on its IB mode and segments associated with the site.

Important

Microsoft recommends that you use roles with the fewest permissions. Minimizing the number of users with the Global Administrator role helps improve security for your organization. Learn more about Microsoft Purview roles and permissions.

When you use Information Barriers with SharePoint, you can use the following IB modes:

Mode | Description | Examples
Open | When a SharePoint site doesn't have segments, the site's IB mode is automatically set as Open. See this section for details on managing segments with the Open mode configuration. | A Team site created for a picnic event for your organization.
Owner Moderated | When a SharePoint site is created for collaboration between incompatible segments moderated by the site owner, the site's IB mode should be set as Owner Moderated. See this section for details on managing an Owner Moderated site. | A site is created for collaboration between the VP of Sales and the VP of Research in the presence of the VP of HR (site owner).
Implicit | When a site is provisioned by Microsoft Teams, the site's IB mode is set as Implicit by default. A SharePoint Administrator or Global Administrator can't manage segments with the Implicit mode configuration. | A Team is created for all Sales segment users to collaborate with each other.
Explicit | When a segment is added to a SharePoint site, either via the end-user site creation experience or by a SharePoint Administrator adding a segment to a site, the site's IB mode is set as Explicit. See this section for details on managing segments with the Explicit mode configuration. | A research site is created for Research segment users.

Sharing sites for IB modes

Sharing of sites with users is based on the IB mode of the site.

Open

When a site has no segments and you set the site's Information Barriers mode to Open:

  • The site and its contents can be shared based on the information barrier policy applied to the user. For example, if a user in HR is allowed to communicate with users in Research, the user can share the site with those users.

Tip

If you want to allow sharing of Open mode sites with mail-enabled security groups, see the Allow sharing of Open mode sites with mail-enabled security groups section in this article.

Owner Moderated

When you set a site's Information Barriers mode to Owner Moderated:

  • The option to share with Anyone with the link is disabled.
  • The option to share with Company-wide link is disabled.
  • (For group connected sites) The site and its content can be shared with existing members.
  • (For non-group connected sites) The site and its content can be shared only by the site owner per their IB policy.

Implicit

When you set a site's Information Barriers mode to Implicit:

  • The option to share with Anyone with the link is disabled.
  • The option to share with Company-wide link is disabled.
  • The site and its content can be shared with existing members via a sharing link.
  • New users can't be added to the site directly. The Team owner should add users to the Team's group using Microsoft Teams.

Note

If you enabled Information Barriers for SharePoint in your organization before March 15, 2022, see the Enable SharePoint and OneDrive Information Barriers section in this article.

Explicit

When you associate a site with segments and set the site's Information Barriers mode to Explicit:

  • The option to share with Anyone with the link is disabled.
  • The option to share with Company-wide link is disabled.
  • You can share the site and its content only with users whose segment matches that of the site. For example, if you associate a site with the HR segment, you can share the site with just HR users (even though HR is compatible with both Sales and Research segments).
  • You can add new users as site members only if their segment matches the segment of the site.

Access control for IB modes

The IB policy is enforced when opening the SharePoint site or content in the SharePoint site. This enforcement is based on the IB mode of the site.

Open mode

For a user to access a SharePoint site that has no segment and the site's Information Barriers mode is set to Open:

  • The user has site access permissions.

Owner Moderated mode

For a user to access a SharePoint site with the site's Information Barriers mode set to Owner Moderated:

  • (For non-group connected sites) The user has site access permissions.
  • (For group connected sites) The user must be a member of the Microsoft 365 group connected to the site.

Implicit mode

To access SharePoint sites that use Information Barriers mode set to Implicit:

  • You're a member of the Microsoft 365 group connected to the site.
  • If you're not a member of the Microsoft 365 group connected to the site, you can't access the site.
  • The Information Barriers compliance assistant ensures the group membership is IB compliant.

Note

If you enabled Information Barriers for SharePoint in your organization before March 15, 2022, see the Enable SharePoint and OneDrive Information Barriers section in this article.

Explicit mode

To access SharePoint sites that use segments and site's Information Barriers mode is Explicit:

  • Your segment matches a segment that's associated with the site.

    AND

  • You have access permission to the site.

Non-segmented users can't access a site associated with segments. They see an error message.

Allow apps running in app-only mode to access IB sites

Many organizations use applications that run in an app-only context. To allow these apps to access IB-protected sites, SharePoint admins can enable an opt-in capability.

Important

Information Barriers policies might impact the applications accessing sites in app-only mode. We recommend you enable the policy and then test the experience for the apps used in your organization.

To enable applications running in app-only mode to access IB sites, run the following command:

Set-SPOTenant -AppBypassInformationBarriers $true

If you enable Teams Meeting Recording or EDU Assignment application in your organization, run the following command to allow these applications to interact with IB protected sites:

Set-SPOTenant -AppOnlyBypassPeoplePickerPolicies $true

Example scenario

The following example illustrates three segments in an organization: HR, Sales, and Research. An information barrier policy blocks communication and collaboration between the Sales and Research segments. These segments are incompatible.

Example of segments in an organization.

With SharePoint Information Barriers, a SharePoint Administrator or Global Administrator can associate segments to a site to prevent the site from being shared with or accessed by users outside the segments. You can associate up to 100 compatible segments with a site. You associate the segments at the site level (previously called site collection level). The Microsoft 365 group connected to the site is also associated with the site's segment.


In the previous example, the HR segment is compatible with both Sales and Research. However, because the Sales and Research segments are incompatible, you can't associate them with the same site.

Prerequisites

  1. Make sure you meet the licensing requirements for Information Barriers.
  2. Create information barrier policies that allow or block communication between the segments, and then set them to active. Create segments and define the users in each.
  3. Wait 24 hours after configuring and activating your information barrier policies for the changes to propagate through your organization.
  4. Complete the steps in the following sections to enable and manage SharePoint and OneDrive Information Barriers in your organization.

Enable SharePoint and OneDrive Information Barriers in your organization


SharePoint Administrators or Global Administrators can enable Information Barriers in SharePoint and OneDrive in your organization. Complete the following steps to enable Information Barriers for your organization:

  1. Download and install the latest version of SharePoint Online Management Shell.

  2. Connect to SharePoint Online as a Global Administrator or SharePoint Administrator in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.

  3. Run the following command to enable Information Barriers in SharePoint and OneDrive:

    Set-SPOTenant -InformationBarriersSuspension $false 
    
  4. Wait for approximately 1 hour for the changes to take effect after you enable Information Barriers for SharePoint and OneDrive in your organization.

Note

If you enabled Information Barriers for SharePoint in your organization before March 15, 2022, the default access and sharing control for Implicit mode for Microsoft Teams-connected sites are based on the segments associated with the site.

To enable Microsoft 365 group-membership based access and sharing control for all Implicit mode Teams-connected sites in your tenant, run the following command:

Set-SPOTenant -IBImplicitGroupBased $true

If you installed a previous version of the SharePoint Online Management Shell, complete the following steps:


  1. Go to Add or remove programs and uninstall SharePoint Online Management Shell.

  2. Navigate to the Microsoft Download Center for the SharePoint Online Management Shell, select your language, and then select Download.

  3. You might be asked to choose between downloading a x64 and x86 .msi file. Download the x64 file if you're running the 64-bit version of Windows or the x86 file if you're running the 32-bit version of Windows. If you don't know which version you're running on your computer, see Which version of Windows operating system am I running?.

  4. After the download is complete, run the installer file and follow the configuration steps in the setup workflow.

  5. Connect to SharePoint Online as a Global Administrator or SharePoint Administrator in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.

  6. Run the following command to enable Information Barriers in SharePoint and OneDrive:

    Set-SPOTenant -InformationBarriersSuspension $false 
    
  7. Wait for approximately 1 hour for the changes to take effect after you configure Information Barriers in SharePoint and OneDrive in your organization.

Note

If you enabled Information Barriers for SharePoint in your organization before March 15, 2022, the default access and sharing control for Implicit mode for Microsoft Teams-connected sites are based on the segments associated with the site.

To enable Microsoft 365 group-membership based access and sharing control for all Implicit mode sites in your organization, run the following command:

Set-SPOTenant -IBImplicitGroupBased $true

Note

If you have Microsoft 365 Multi-Geo, run this command for each of your geo-locations.
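The following script is an added example, not part of the Microsoft article. It performs the enable step above and then reads back the tenant-level IB flags, including the app-only bypass settings from the earlier "Allow apps running in app-only mode to access IB sites" section, so that every setting that relaxes enforcement is visible in one place. It assumes the SharePoint Online Management Shell is installed, that you hold the SharePoint Administrator role, and that Get-SPOTenant exposes each setting under the same name as its Set-SPOTenant parameter; the admin URL is a placeholder.

```powershell
# Added example (not from the Microsoft article). Placeholder tenant admin URL.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Enable IB enforcement for SharePoint and OneDrive (allow about 1 hour to take effect).
Set-SPOTenant -InformationBarriersSuspension $false

# Only for tenants that enabled IB before March 15, 2022: switch Implicit-mode
# Teams-connected sites to group-membership based access and sharing.
# Set-SPOTenant -IBImplicitGroupBased $true

# Read back the IB-related tenant flags. Assumption: the property names match
# the Set-SPOTenant parameter names.
$tenant = Get-SPOTenant
$review = [PSCustomObject]@{
    InformationBarriersSuspension         = $tenant.InformationBarriersSuspension          # $false = enforced
    IBImplicitGroupBased                  = $tenant.IBImplicitGroupBased
    AppBypassInformationBarriers          = $tenant.AppBypassInformationBarriers           # $true = app-only apps reach IB sites
    AppOnlyBypassPeoplePickerPolicies     = $tenant.AppOnlyBypassPeoplePickerPolicies
    ShowPeoplePickerGroupSuggestionsForIB = $tenant.ShowPeoplePickerGroupSuggestionsForIB  # Open-mode group sharing
}
$review | Format-List

# Surface the two settings that most directly widen access so they get a
# documented justification rather than being left on by accident.
if ($review.InformationBarriersSuspension) {
    Write-Warning 'Information Barriers are currently suspended for SharePoint and OneDrive.'
}
if ($review.AppBypassInformationBarriers) {
    Write-Warning 'App-only applications bypass IB; confirm the app inventory has been tested against IB-protected sites.'
}
```

In a Multi-Geo tenant, run the script once per geo-location, as the note above states for the underlying command.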

View and manage segments as an administrator


SharePoint Administrators or Global Administrators can view and manage segments on a SharePoint site. Your organization can have up to 5,000 segments, and users can be assigned to multiple segments.

Important

Support for 5,000 segments and assigning users to multiple segments is only available when your organization isn't in Legacy mode. Assigning users to multiple segments requires extra steps to change the Information Barriers mode for your organization. For more information, see Use multi-segment support in Information Barriers.

For organizations in Legacy mode, the maximum number of segments supported is 250, and users are restricted to being assigned to only one segment. Organizations in Legacy mode are eligible to upgrade to the newest version of Information Barriers in the future. For more information, see the Information Barriers roadmap.

View and manage Information Barriers segments as follows:

1. Use the SharePoint admin center to view and manage information segments

To view, edit, or remove information segments for a site, use Active sites in the SharePoint admin center.

The Segments column lists the first segment associated with the site and shows whether the site has other segments associated. Learn how to show or move this column.

Segments column on the Active sites page.

To view the complete list of segments associated with a site, select the site name to open the details panel, then select the Settings tab.

To edit the segments associated with the site, select Edit, add or remove segments, then select Save.

Edit information segments panel.

2. Use SharePoint PowerShell to view and manage information segments on a site


  1. Connect to the Security & Compliance Center PowerShell as a Global Administrator.

  2. Run the following command to get the list of segments and their GUIDs.

    Get-OrganizationSegment | ft Name, EXOSegmentID
    
  3. Save the list of segments.

    Name     EXOSegmentId
    Sales    a9592060-c856-4301-b60f-bf9a04990d4d
    Research 27d20a85-1c1b-4af2-bf45-a41093b5d111
    HR       a17efb47-e3c9-4d85-a188-1cd59c83de32
  4. If you didn't previously complete this step, download and install the latest SharePoint Online Management Shell. If you installed a previous version of the SharePoint Online Management Shell, follow the instructions in the Enable SharePoint and OneDrive Information Barriers in your organization section in this article.

  5. Connect to SharePoint Online as a Global Administrator or SharePoint Administrator in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.

  6. Run the following command:

    Set-SPOSite -Identity <site URL> -AddInformationSegment <segment GUID>
    

    For example:

    Set-SPOSite -Identity https://contoso.sharepoint.com/sites/ResearchTeamSite -AddInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111
    

You see an error message if you attempt to associate a segment that isn't compatible with the site's existing segments.

Note

When you add a segment to a site, the site's IB mode is automatically updated as Explicit.

To remove a segment from a site, run the following command:

Set-SPOSite -Identity <site URL> -RemoveInformationSegment <segment GUID>

For example:

Set-SPOSite -Identity https://contoso.sharepoint.com/sites/ResearchTeamSite -RemoveInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111

Note

When you remove all segments from a site, the site's IB mode is automatically updated to Open.

To view the segments of a site, run the following command to return the GUIDs of any segments associated with the site.

Get-SPOSite -Identity <site URL> | Select InformationSegment
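The function below is an added example, not part of the Microsoft article. It wraps the add, remove, and view commands above so that a segment is addressed by name and its GUID is resolved from Get-OrganizationSegment rather than pasted by hand, then reads the site back to confirm the resulting IB mode. It assumes two live sessions, Security & Compliance PowerShell (Connect-IPPSSession) and SharePoint Online (Connect-SPOService), and the site URL and segment names in the usage lines are placeholders.

```powershell
# Added example (not from the Microsoft article).
function Set-IBSiteSegment {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [string] $SegmentName,
        [ValidateSet('Add', 'Remove')] [string] $Action = 'Add'
    )

    # Resolve the segment name to its GUID; refuse to continue on no match or
    # an ambiguous match so the wrong segment is never applied.
    $found = @(Get-OrganizationSegment | Where-Object { $_.Name -eq $SegmentName })
    if ($found.Count -ne 1) {
        throw "Expected exactly one segment named '$SegmentName', found $($found.Count)."
    }
    $segmentId = $found[0].EXOSegmentId

    # Set-SPOSite errors if the segment is incompatible with the site's
    # existing segments; let that error surface rather than swallowing it.
    if ($Action -eq 'Add') {
        Set-SPOSite -Identity $SiteUrl -AddInformationSegment $segmentId
    }
    else {
        Set-SPOSite -Identity $SiteUrl -RemoveInformationSegment $segmentId
    }

    # Read back the site: any segment present means Explicit mode, removing the
    # last one returns the site to Open.
    Get-SPOSite -Identity $SiteUrl | Select-Object Url, InformationBarriersMode, InformationSegment
}

# Usage (placeholder site URL and segment names):
Set-IBSiteSegment -SiteUrl 'https://contoso.sharepoint.com/sites/ResearchTeamSite' -SegmentName 'Research'
Set-IBSiteSegment -SiteUrl 'https://contoso.sharepoint.com/sites/ResearchTeamSite' -SegmentName 'Research' -Action 'Remove'
```

Because the function throws on an ambiguous name, it is safe to call from a bulk script: a typo in a segment name stops the run instead of silently leaving a site without the intended restriction.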

3. Use the SharePoint REST API to view and manage information segments on a site

SharePoint includes a Representational State Transfer (REST) service that you can use to manage segments on a site. To access SharePoint resources and manage site segments by using REST, construct a RESTful HTTP request by using the OData standard. This request corresponds to the desired client object model application programming interface (API).

For more information about the SharePoint REST service, see Get to know the SharePoint REST service.

View and manage IB modes as an administrator with SharePoint PowerShell

To view the IB mode of a site, run the following command:

Get-SPOSite -Identity <site URL> | Select InformationBarriersMode
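As an added example that is not part of the Microsoft article, the script below extends the single-site query above to the whole tenant: it records every site's IB mode and segments, summarizes the counts per mode, and lists the Owner Moderated sites, where access to incompatible segments rests on the site owner's decisions. It assumes a Connect-SPOService session with SharePoint Administrator rights, that InformationSegment is a collection of segment GUIDs, and that the per-site Get-SPOSite call is needed because the bulk listing may not carry the IB properties (an assumption about cmdlet output, not stated on the page).

```powershell
# Added example (not from the Microsoft article).

# Optional GUID-to-name map, used only if a Security & Compliance session exists.
$segmentNames = @{}
if (Get-Command Get-OrganizationSegment -ErrorAction SilentlyContinue) {
    Get-OrganizationSegment | ForEach-Object { $segmentNames[[string]$_.EXOSegmentId] = $_.Name }
}

$inventory = Get-SPOSite -Limit All | ForEach-Object {
    # Assumption: fetch each site individually so IB properties are populated.
    $site = Get-SPOSite -Identity $_.Url
    $ids  = @($site.InformationSegment)
    [PSCustomObject]@{
        Url      = $site.Url
        IBMode   = $site.InformationBarriersMode
        Segments = ($ids | ForEach-Object {
                        $key = [string]$_
                        if ($segmentNames.ContainsKey($key)) { $segmentNames[$key] } else { $key }
                    }) -join ','
        Count    = $ids.Count
    }
}

# How many sites are in each IB mode.
$inventory | Group-Object IBMode | Select-Object Name, Count | Format-Table -AutoSize

# Owner Moderated sites admit incompatible segments at the owner's discretion,
# so they belong on a periodically reviewed list.
$inventory | Where-Object { $_.IBMode -eq 'OwnerModerated' } |
    Format-Table Url, IBMode, Segments -AutoSize

# Keep a dated snapshot so segment or mode changes can be diffed later.
$inventory | Export-Csv -Path ".\ib-site-inventory-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Comparing two snapshots after an IB policy change is a quick way to see which Explicit sites gained or lost segments, which complements the policy compliance report mentioned later in this article.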

Owner Moderated mode scenario

You want to allow a Sales and Research user to collaborate on a SharePoint site in the presence of HR user.

Owner Moderated is a mode applicable to sites (Teams-connected sites and non-group connected sites) that allows users from incompatible segments to access the site. Only the site owner can invite users from incompatible segments to the site.

To update a site's mode to Owner Moderated, run the following PowerShell command:

Set-SPOSite -Identity <siteurl> -InformationBarriersMode OwnerModerated

You can't set the Owner Moderated IB mode on a site with segments. Remove the segments first before setting IB mode as Owner Moderated. Users who have site access permissions can access an Owner Moderated site. Only the site owner can share an Owner Moderated site and its contents per their IB policy.

Auditing

You can view audit events in the Microsoft Purview portal to monitor information barrier activities. The system logs audit events for the following activities:

  • Enabling Information Barriers for SharePoint and OneDrive
  • Applying a segment to a site
  • Changing the segment of a site
  • Removing the segment of a site
  • Applying Information Barriers mode to a site
  • Changing Information Barriers mode of a site
  • Disabling Information Barriers for SharePoint and OneDrive

For more information about SharePoint segment auditing in Office 365, see Search the audit log in the Microsoft Purview portal.

Site creation and management by site owners

When a segmented user creates a SharePoint site, the site associates with the user's segment and the site's Information Barriers mode automatically sets to Explicit.

Site owners can add more segments to a SharePoint site that already has segments and whose mode is set as Explicit. Site owners can't remove added segments from sites; a SharePoint Administrator must remove them if needed.

When a non-segmented user creates a SharePoint site, the site doesn't associate with any segment and the site's Information Barriers mode automatically sets to Open.

When a SharePoint Administrator creates a SharePoint site from the SharePoint admin center, the site doesn't associate with any segment and the site's IB mode sets to Open.

To help site owners add a segment to a site, share the Associate information segments with SharePoint sites article with your SharePoint site owners.

Microsoft Teams sites

When you create a team in Microsoft Teams, you also automatically create a SharePoint site for the team's files. To protect the Microsoft Teams sites with Information Barriers control, you can enable Information Barriers in SharePoint for your tenant.

Within 24 hours, the site's Information Barriers mode is automatically set as Implicit and segments associated with the team's members are associated with the site.

Microsoft Teams sites with the information barrier mode as Implicit have site access and sharing based on Microsoft 365 group membership.

For example, users have access to the Microsoft Teams site if they're members of the Microsoft 365 group connected to the site. The Microsoft 365 group connected to the Team is IB compliant.

Note

If you enabled Information Barriers for SharePoint in your organization before March 15, 2022, the Teams-connected site's access and sharing is based on the segments of the site. For example:

  • The site and its content can be shared with a user whose segment matches that of the site.
  • The site and its content can be accessed by a user if they have the same segment as the site and have site access permissions.

To enable Microsoft 365 group membership-based access and sharing control for all Implicit mode sites in your organization, run the following command as a SharePoint Administrator:

Set-SPOTenant -IBImplicitGroupBased $true

Private channel and Information Barriers

When you enable SharePoint Information Barriers in your organization, any new private channel site automatically inherits its parent Microsoft Team's IB mode within 24 hours. The mode for a private channel is assigned as follows:

Parent Team's IB mode | Private channel site's IB mode
Open | Open
Implicit or Owner Moderated | Implicit

Private channel site access and sharing is governed by its IB mode:

  • Private channel site with Open Information Barriers mode

    • Access is allowed to anyone who has site access permissions
    • Sharing links are allowed per the site's existing sharing policy
    • The people picker allows discoverability of users per the sharer's IB policy
  • Private channel site with Implicit Information Barriers mode

    • Access is allowed to a user who is currently a member of the private channel
    • Sharing is allowed using a People with existing access link

Private channel sites already configured in your organization have their Information Barriers mode set as Open. To configure existing private channel sites to Implicit mode, run the following cmdlet in SharePoint PowerShell module:

Set-SPOSite -Identity <site URL> -InformationBarriersMode Implicit

Learn more about managing Microsoft Teams connected teams sites.
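The function below is an added example, not part of the Microsoft article. It applies the cmdlet above to every existing private channel site that is still in Open mode, with -WhatIf support so the affected list can be reviewed before anything changes. It assumes a Connect-SPOService session and that private channel sites are created from the TEAMCHANNEL#0 site template (an assumption about the template name, not stated on the page).

```powershell
# Added example (not from the Microsoft article).
function Set-PrivateChannelSitesImplicit {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Assumption: private channel sites use the TEAMCHANNEL#0 template.
    $channelSites = Get-SPOSite -Limit All -Template 'TEAMCHANNEL#0'

    foreach ($site in $channelSites) {
        # Fetch the site individually so the IB mode property is populated.
        $detail = Get-SPOSite -Identity $site.Url
        if ($detail.InformationBarriersMode -ne 'Open') {
            Write-Verbose "Skipping $($site.Url): already in $($detail.InformationBarriersMode) mode"
            continue
        }
        # ShouldProcess honours -WhatIf and -Confirm, so a dry run lists the
        # sites that would move to Implicit without touching them.
        if ($PSCmdlet.ShouldProcess($site.Url, 'Set InformationBarriersMode to Implicit')) {
            Set-SPOSite -Identity $site.Url -InformationBarriersMode Implicit
        }
    }
}

# Dry run first, then apply once the list looks right:
Set-PrivateChannelSitesImplicit -WhatIf -Verbose
# Set-PrivateChannelSitesImplicit
```

In Implicit mode, access to each private channel site then depends on current channel membership, which is the behaviour listed for that mode above.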

Users see search results from:

  • Segment associated sites: When the site's segment matches the user's segment and the user has site access permission. For example, a site with Explicit mode.
  • Non-segmented sites: When the user has existing access to the content or site. For example, sites with Open, Owner Moderated or Implicit mode. When the user selects the search result to open the content in the site, the user is denied access if they don't match the site's IB policy.

Effects of changes to user segments

If a SharePoint site owner or site member's segment changes, they continue to have access to the site or content per the site's IB mode:

  • Open mode: User can access the site if they have existing site access permissions.
  • Owner Moderated: User can access the site if they have existing site access permissions.
  • Implicit Mode: If the user is a member of the Microsoft 365 group, they continue to have access to the site.
  • Explicit Mode: If the user's new segment matches the site's segment and user has site access permissions, they continue to have access to the site.

Effects of changes to existing information barrier policies

If a compliance administrator changes an existing IB policy, the change might impact the compatibility of the segments associated with a site (in Explicit or Implicit mode). For example, segments that were once compatible might no longer be compatible.

With Information Barriers policy compliance report, the SharePoint Administrator can view the list of sites where segments are no longer compatible. For more information, see Learn how to create an Information Barriers policy compliance report in PowerShell.

To manage out of compliance sites:

  • In Explicit mode, a SharePoint Administrator must change the associated segments to bring them into IB compliance.
  • In Implicit mode, a SharePoint Administrator can't manage segments directly. We recommend that the Teams admin manage the Team's membership to bring the Team's membership roster and segments into IB compliance.

How to suspend SharePoint and OneDrive Information Barriers in your organization

If your organization wants to temporarily suspend Information Barriers on SharePoint, use SharePoint Online Management Shell and the Set-SPOTenant cmdlet.

To suspend Information Barriers, run the following command:

Set-SPOTenant -InformationBarriersSuspension $true 

Note

If you have Microsoft 365 Multi-Geo, run this command for each of your geo-locations.

Allow sharing of Open mode sites with mail-enabled security groups

IB supports an opt-in capability available in the SharePoint PowerShell module for sites in Open mode to be shared with mail-enabled security groups for site permissions, sharing, and audience targeting. This capability is only supported in Open mode sites. SharePoint admins can enable this support in your organization. We recommend you ensure the security group membership is IB compliant.

Before enabling group support, verify that you meet the following prerequisites:

To configure mail-enabled security group support in Open mode sites, run the following command:

Set-SPOTenant -ShowPeoplePickerGroupSuggestionsForIB $true

Resources