This chapter covers Information Barriers (IB) in Microsoft 365, a critical security feature for preventing unauthorized communication between specific user groups. Information Barriers are a core topic under MS-102 objective 3.4 (Security Threats) and appear in approximately 5-8% of exam questions, often as scenario-based items testing policy configuration, segmentation, and troubleshooting. Mastering IB is essential for compliance roles in regulated industries like finance and legal, where insider trading or conflict-of-interest rules require strict communication boundaries.
Imagine a large office building where two departments, Research and Compliance, must never communicate directly to avoid conflicts of interest. The building manager installs invisible dividers that block all corridors between the two zones. Employees from Research can walk freely within their zone, use shared printers, and attend meetings, but any attempt to enter Compliance's zone triggers a silent alarm and the door remains locked. If a Research employee tries to send a memo via the internal mail system to a Compliance colleague, the mailroom automatically intercepts the envelope and returns it with 'Undeliverable' stamped on it. The dividers are not physical walls—they are invisible rules enforced by the building's security system. Employees may not even realize the dividers exist until they attempt a blocked action. The system logs every attempt for audit purposes. This is exactly how Information Barriers work in Microsoft 365: segments are defined by policy, not by separate networks, and the enforcement happens at the communication layer—blocking specific actions like sending emails, sharing files, or adding users to groups—while allowing all other work to proceed normally.
What Are Information Barriers and Why Do They Exist?
Information Barriers (IB) are a compliance and security feature in Microsoft 365 that restricts communication and collaboration between specific groups of users. They are designed to prevent conflicts of interest, insider trading, and other regulatory violations by enforcing policies that block or allow communication based on user segments. IB is part of the Microsoft Purview compliance suite and is available in Microsoft 365 E5/A5/G5, Office 365 E5, and Microsoft 365 Compliance add-on licenses.
IB policies apply to:
Exchange Online (email, meeting requests)
Microsoft Teams (chat, channel conversations, file sharing, calling, meeting invites)
SharePoint Online (site access, file sharing)
OneDrive for Business (file sharing)
How Information Barriers Work Internally
IB operates on a policy-based segmentation model. The core components are:
1. Segments: User groups defined by attributes such as department, job title, or custom attributes (e.g., ExtensionAttribute1). Segments are the building blocks of IB.
2. Policies: Rules that define allowed or blocked communication between segments. There are two types:
- Block: Prevents all communication between members of specified segments.
- Allow: Permits communication only between specified segments (exclusive allow).
3. User Attributes: IB uses Azure AD user attributes to assign users to segments. Supported attributes include Department, JobTitle, Country, City, Company, and up to 15 custom attributes (CustomAttribute1–CustomAttribute15).
When a user attempts to perform a communication action (e.g., send an email, start a Teams chat), the Microsoft 365 service evaluates the sender's segment and the recipient's segment against active IB policies. If a block policy exists between the two segments, the action is denied. The enforcement is asynchronous and can take up to 30 minutes to apply after policy changes.
Key Components, Values, Defaults, and Timers
Segment attributes: Must be populated in Azure AD. The attribute values are case-sensitive and must match exactly.
Policy creation: Using the Microsoft Purview compliance portal or PowerShell. PowerShell cmdlets are in the ExchangeOnlineManagement module.
Policy processing: Policies are evaluated in order of priority. The Block policy takes precedence over Allow if both exist for the same segment pair.
Timers:
Policy changes take up to 30 minutes to apply.
New user assignments to segments take up to 30 minutes to take effect.
In Teams, IB policies are cached and refreshed every 24 hours.
Default values: By default, no IB policies exist. You must create at least one segment and one policy.
Configuration and Verification Commands
PowerShell commands (Exchange Online PowerShell):
# Connect to Security & Compliance PowerShell (same ExchangeOnlineManagement module);
# the Information Barrier cmdlets are exposed in this session, not in the one opened by Connect-ExchangeOnline
Connect-IPPSSession
# Create the segments (OPath filter on an Azure AD attribute; values are matched exactly and case-sensitively)
New-InformationBarrierSegment -Name "Research" -UserGroupFilter "Department -eq 'Research'"
New-InformationBarrierSegment -Name "Compliance" -UserGroupFilter "Department -eq 'Compliance'"
# Create a block policy (Research is the assigned segment; Compliance is the segment it is blocked from)
New-InformationBarrierPolicy -Name "Research-Compliance-Block" -AssignedSegment "Research" -SegmentsBlocked "Compliance" -State Active
# Apply the policy (required after creating or modifying policies; nothing is enforced until this runs)
Start-InformationBarrierPoliciesApplication
# Verify policy application, segments, and policies
Get-InformationBarrierPoliciesApplicationStatus
Get-InformationBarrierSegment
Get-InformationBarrierPolicy
In the Microsoft Purview compliance portal:
- Navigate to Information barriers > Segments > Policies.
- Use Policy application to apply pending changes.
Interaction with Related Technologies
Azure AD: IB relies on Azure AD user attributes for segment membership. Changes to attributes must be synced from on-premises (if using hybrid) or updated directly in Azure AD.
Exchange Online: IB blocks email delivery, meeting requests, and free/busy information.
Microsoft Teams: IB blocks chat, channel conversations, file sharing, calling, and meeting invites. It also affects the ability to add users to teams.
SharePoint Online: IB can block site access and file sharing between segments.
OneDrive for Business: IB blocks file sharing with users from blocked segments.
Microsoft Purview Audit (Premium): IB events are logged in the audit log for monitoring and compliance.
Important Limitations
IB does not apply to guest users or external users.
IB does not prevent communication via third-party apps or other services.
IB policies do not apply to distribution groups or mail-enabled security groups.
In Teams, IB only applies to users in the same tenant. Cross-tenant communication is not blocked by IB.
IB cannot be used to block communication within the same segment.
There is a limit of 100 segments and 100 policies per tenant.
Common Misconfigurations
Incorrect attribute values: If a user's department attribute is "Research " (with a trailing space), the segment filter "Department -eq 'Research'" will not match. Always trim spaces.
Missing policy application: After creating or modifying policies, you must run Start-InformationBarrierPoliciesApplication or click Apply policy in the portal. Otherwise, policies remain in draft state.
Overlapping policies: If you create both a block and an allow policy for the same segment pair, the block policy takes precedence. This can lead to unexpected blocking.
Step-by-Step Configuration Flow
Identify user segments based on business requirements.
Ensure user attributes are correctly populated in Azure AD.
Create segments in the Purview portal or PowerShell.
Create policies (Block or Allow) for the segment pairs.
Set policy state to Active.
Apply the policies using Start-InformationBarrierPoliciesApplication.
Wait up to 30 minutes for full enforcement.
Verify by attempting blocked actions from a test user.
Monitor audit logs for IB events.
Troubleshooting
Policy not applying: Run Get-InformationBarrierPoliciesApplicationStatus to check the status. If it shows "NotStarted" or "Failed", ensure the policy state is Active and reapply.
User not in segment: Check the segment filter and user attributes. Use Get-InformationBarrierSegment -Identity "SegmentName" | fl to view the filter.
Teams still allowing blocked communication: Teams caches IB policies for up to 24 hours. Wait or have the user sign out and sign back in.
Error messages: Common errors include "Segment not found" (check filter) and "Policy already exists" (delete or modify existing).
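The troubleshooting checks above can be run together for one sender/recipient pair. This is an added example, not part of the chapter or of Microsoft's tooling; it assumes a Security & Compliance PowerShell session for the IB cmdlets plus an Exchange Online session for Get-User, that each segment's UserGroupFilter is a plain OPath expression that Get-User -Filter also accepts, and the two UPNs are constructed.

```powershell
# Added example: diagnose why a sender/recipient pair is (or is not) blocked.
# Assumes Connect-IPPSSession and Connect-ExchangeOnline have both been run.
function Test-IBPair {
    param(
        [Parameter(Mandatory)][string]$Sender,
        [Parameter(Mandatory)][string]$Recipient
    )

    # 1. Was the last policy application completed? NotStarted or Failed means
    #    the new policies are not enforced at all.
    $app = Get-InformationBarrierPoliciesApplicationStatus
    Write-Host "Last policy application: $($app.Status)"   # assumption: Status holds the state

    # 2. Resolve each user's segment by running every segment filter scoped to
    #    that one user. A user that matches no filter is unaffected by IB;
    #    a blank, padded, or mistyped attribute shows up here.
    $segments = Get-InformationBarrierSegment
    foreach ($upn in @($Sender, $Recipient)) {
        $hits = foreach ($s in $segments) {
            $f = "($($s.UserGroupFilter)) -and (UserPrincipalName -eq '$upn')"
            if (Get-User -Filter $f -ErrorAction SilentlyContinue) { $s.Name }
        }
        $dept = (Get-User -Identity $upn).Department
        Write-Host "$upn  Department='$dept'  segments=[$($hits -join ', ')]"
    }

    # 3. Active policies only; an Inactive policy is never enforced.
    Get-InformationBarrierPolicy | Where-Object { $_.State -eq 'Active' } |
        Select-Object Name, AssignedSegment, SegmentsBlocked, SegmentsAllowed |
        Format-Table -AutoSize

    # 4. Ask the service directly whether the two recipients may communicate.
    Get-InformationBarrierRecipientStatus -Identity $Sender -Identity2 $Recipient
}

# Constructed UPNs for illustration
Test-IBPair -Sender 'alice@contoso.example' -Recipient 'bob@contoso.example'
```

If step 2 shows the expected segments and step 3 shows an active block between them, a Teams client that still allows the chat is almost always the 24-hour cache described above.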
Define User Segments
Identify and define the groups of users that need to be isolated from each other. Use business requirements like departments, job roles, or geographic locations. Ensure the Azure AD attributes used (e.g., Department, CustomAttribute1) are accurately populated for all affected users. You can create up to 100 segments per tenant. Each segment is defined by a user group filter using OPath syntax, such as `Department -eq 'Research'`. Multiple filters can be combined with `-and` or `-or`. This step is critical because incorrect filters will cause users to be misassigned, leading to either unnecessary blocking or gaps in compliance.
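The trailing-space and misspelling problems called out under Common Misconfigurations are cheapest to catch before any segment exists. The following is an added example (not part of the original chapter or of Microsoft's tooling) that audits the attribute values segment filters will key on, over an existing Exchange Online session; the expected-value list and function names are constructed for illustration.

```powershell
# Added example: audit the attribute values that IB segment filters will match.
# Assumes Connect-ExchangeOnline has already been run. $Expected is a constructed
# stand-in for the authoritative HR list; IB compares exactly and case-sensitively.
$Expected = @('Research', 'Compliance', 'Sales & Trading')

function Get-IBAttributeReport {
    param(
        [string[]]$ExpectedValues = $Expected,
        [string]$Attribute = 'Department'      # any attribute an IB filter can use
    )
    $users = Get-User -ResultSize Unlimited
    foreach ($u in $users) {
        $raw = [string]$u.$Attribute            # dynamic property lookup
        $issue = $null
        if ([string]::IsNullOrWhiteSpace($raw)) {
            $issue = 'BLANK: user matches no segment and is not subject to any policy'
        }
        elseif ($raw -ne $raw.Trim()) {
            # "Research " never satisfies Department -eq 'Research'
            $issue = "WHITESPACE: '$raw' will not match '$($raw.Trim())'"
        }
        elseif ($ExpectedValues -ccontains $raw) {
            $issue = $null                      # exact, case-sensitive match
        }
        elseif ($ExpectedValues -contains $raw) {
            # -contains is case-insensitive; IB filters are not
            $canon = @($ExpectedValues | Where-Object { $_ -ieq $raw })[0]
            $issue = "CASE: '$raw' should be '$canon'"
        }
        else {
            $issue = "UNKNOWN: '$raw' is not an HR value (typo such as 'Reserch'?)"
        }
        if ($issue) {
            [pscustomobject]@{ User = $u.UserPrincipalName; Value = $raw; Issue = $issue }
        }
    }
}

# Headcount per expected value, so a segment whose filter would match nobody
# (and therefore enforce nothing) is visible before the segment is created.
function Get-IBSegmentHeadcount {
    param([string[]]$ExpectedValues = $Expected, [string]$Attribute = 'Department')
    $users = Get-User -ResultSize Unlimited
    foreach ($v in $ExpectedValues) {
        $n = @($users | Where-Object { [string]$_.$Attribute -ceq $v }).Count
        [pscustomobject]@{ Value = $v; Users = $n }
    }
}

Get-IBAttributeReport   | Format-Table -AutoSize
Get-IBSegmentHeadcount  | Format-Table -AutoSize
```

Run it on the same schedule as the HR reconciliation the scenarios below describe; any row in the first table is a user who will silently fall outside the intended barrier.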
Create Information Barrier Policies
Create policies that define allowed or blocked communication between segments. Use the Microsoft Purview compliance portal or PowerShell. For a block policy, specify the source segment and the segments to block. For an allow policy, specify the source segment and the segments allowed to communicate. Policies must be set to 'Active' state to take effect. You can create up to 100 policies. Remember that block policies take precedence over allow policies if both exist for the same segment pair. After creation, the policy is in a 'Pending' state until you explicitly apply it.
Apply Information Barrier Policies
After creating or modifying policies, you must trigger a policy application to enforce them. In PowerShell, run `Start-InformationBarrierPoliciesApplication`. In the portal, click 'Apply policy'. This process can take up to 30 minutes to complete. During application, the system evaluates all policies and updates the enforcement rules across Exchange Online, Teams, SharePoint, and OneDrive. You can check the status using `Get-InformationBarrierPoliciesApplicationStatus`. If the status shows 'Failed', review the error details and correct any issues before reapplying.
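The create, activate, and apply steps above are easy to script so that a rerun is safe and the asynchronous application is actually waited on. This is an added example, not code from the chapter or from Microsoft; it assumes Connect-IPPSSession has been run, and the segment names, filters, policy names and the Status values it checks for ('Completed', 'Failed') are assumptions.

```powershell
# Added example: create (or re-activate) the segments and block policies below,
# then apply and poll until the application finishes. Assumes Connect-IPPSSession
# has been run; names, filters and the Status values checked are assumptions.
$Segments = @{
    'Research'   = "Department -eq 'Research'"
    'Compliance' = "Department -eq 'Compliance'"
}
# Assigned segment and the segments it is blocked from. Both directions are
# listed so each side is the assigned segment of one policy.
$BlockPairs = @(
    @{ From = 'Research';   Blocked = @('Compliance') }
    @{ From = 'Compliance'; Blocked = @('Research') }
)

function Confirm-IBSegment {
    param([string]$Name, [string]$Filter)
    if (Get-InformationBarrierSegment -Identity $Name -ErrorAction SilentlyContinue) {
        return "segment $Name exists"
    }
    New-InformationBarrierSegment -Name $Name -UserGroupFilter $Filter | Out-Null
    "created segment $Name"
}

function Confirm-IBBlockPolicy {
    param([string]$From, [string[]]$Blocked)
    $name = "$From-Block"
    if (Get-InformationBarrierPolicy -Identity $name -ErrorAction SilentlyContinue) {
        # A policy left Inactive is a common reason nothing is enforced
        Set-InformationBarrierPolicy -Identity $name -SegmentsBlocked $Blocked -State Active
        return "updated $name"
    }
    New-InformationBarrierPolicy -Name $name -AssignedSegment $From `
        -SegmentsBlocked $Blocked -State Active | Out-Null
    "created $name"
}

function Invoke-IBApplication {
    param([int]$TimeoutMinutes = 30, [int]$PollSeconds = 60)
    # Nothing is enforced until this runs, and it completes asynchronously
    Start-InformationBarrierPoliciesApplication | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $status = (Get-InformationBarrierPoliciesApplicationStatus).Status
        Write-Host "$(Get-Date -Format T) application status: $status"
        $done = $status -in @('Completed', 'Failed')
    } until ($done -or (Get-Date) -gt $deadline)
    if ($status -ne 'Completed') {
        throw "IB application ended with status '$status'; correct the policy and re-run"
    }
    $status
}

foreach ($s in $Segments.GetEnumerator()) { Confirm-IBSegment -Name $s.Key -Filter $s.Value }
foreach ($p in $BlockPairs) { Confirm-IBBlockPolicy -From $p.From -Blocked $p.Blocked }
Invoke-IBApplication
```

The throw on a non-Completed status is deliberate: a pipeline that reports success while the application failed leaves the tenant with the old enforcement rules and no alert.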
Verify Policy Enforcement
After the policies have been applied, test the enforcement from the perspective of a user in the source segment. For example, attempt to send an email to a user in a blocked segment. The email should be rejected with a non-delivery report (NDR). In Teams, try to start a chat or call with a blocked user; the action should be prevented. Also verify that allowed communications work as expected. Use audit logs to confirm that IB events are being recorded. Keep in mind that Teams may take up to 24 hours to fully enforce policies due to caching.
Monitor and Audit
Regularly monitor the effectiveness of information barriers using the Microsoft Purview audit log. IB-related events include 'InformationBarrierPolicyApplied' and 'InformationBarrierActionDenied'. These logs help in compliance reporting and incident investigation. Additionally, review the status of policy applications periodically. If users are moved between segments (e.g., due to job changes), update their attributes and reapply policies. Use the `Get-InformationBarrierPolicy` cmdlet to list all policies and verify their states.
Enterprise Scenario 1: Investment Bank – Insider Trading Prevention
A large investment bank has three divisions: Mergers & Acquisitions (M&A), Research, and Sales & Trading. Regulatory requirements mandate that M&A and Sales & Trading teams must not communicate with Research to prevent insider trading. The bank uses IB with segments based on the Department attribute. They create two block policies: one blocking M&A from communicating with Research, and another blocking Sales & Trading from communicating with Research. The policies are applied to Exchange Online, Teams, and SharePoint. In production, the bank has 10,000 users across these segments. Performance is not an issue because IB is evaluated at the service level. Common misconfiguration occurs when a user's department attribute is misspelled (e.g., 'Reserch' instead of 'Research'), causing them to fall outside the segment and bypass the block. The bank mitigates this by running weekly scripts to validate attribute values against HR data.
Enterprise Scenario 2: Law Firm – Client Conflict Walls
A law firm handles cases for multiple clients that are in direct competition. To avoid conflicts of interest, the firm implements information barriers to prevent employees working on one client's case from communicating with those working on a competitor's case. They use custom attributes (CustomAttribute1) to tag users with client codes. They create multiple block policies between different client segments. The firm also uses allow policies for specific cross-segment collaboration when permitted. In production, they have 50 segments and 200 policies. A key challenge is maintaining the policies as clients change. They use PowerShell scripts to automate policy creation and deletion. Troubleshooting often involves checking the Get-InformationBarrierPoliciesApplicationStatus to ensure policies are applied after changes. They also rely on audit logs to demonstrate compliance during regulatory audits.
Scenario 3: Multi-National Corporation – Geographic Restrictions
A multinational corporation has operations in countries with data sovereignty laws that restrict cross-border communication of sensitive data. They use IB to block communication between segments defined by the Country attribute. For example, employees in the EU are placed in an 'EU' segment, and employees in the US are placed in a 'US' segment. A block policy prevents EU and US segments from communicating via Teams chat and file sharing. However, they allow email for business purposes using an allow policy for specific domains. This setup requires careful planning because IB does not prevent communication via third-party apps. The company also uses conditional access policies as a complementary control. A common issue is that IB does not apply to guest users, so they must manage guest access separately.
MS-102 Exam Focus on Information Barriers
Objective Code: 3.4 – Implement and manage information barriers.
The MS-102 exam tests your ability to plan, configure, and troubleshoot Information Barriers. You will see scenario-based questions where you must choose the correct steps to meet compliance requirements. Key areas:
Segment creation: Know that segments use OPath filters based on Azure AD attributes. Common attributes: Department, JobTitle, CustomAttribute1-15. Remember that attribute values are case-sensitive.
Policy types: Understand the difference between Block and Allow policies. Block prevents all communication; Allow permits only specified communication. Block takes precedence.
Policy application: After creating policies, you must explicitly apply them using Start-InformationBarrierPoliciesApplication. This is a common trap – candidates forget this step.
Timing: Policies take up to 30 minutes to apply. Teams caching can extend this to 24 hours.
Limitations: IB does not apply to guest users, distribution groups, or external communications. It only works within the same tenant.
Troubleshooting: Be able to interpret error messages and know how to check policy application status.
Common Wrong Answers:
1. "Information barriers apply to all communication including external users." – False. IB only applies to internal users within the same tenant.
2. "Once a policy is created, it is immediately enforced." – False. You must apply the policy.
3. "Allow policies override block policies." – False. Block policies take precedence.
4. "Information barriers can be used to block communication within the same segment." – False. IB only controls communication between different segments.
Numbers to Memorize:
Maximum segments: 100
Maximum policies: 100
Policy application time: up to 30 minutes
Teams cache refresh: 24 hours
Edge Cases:
A user matching multiple segments: this is not supported. The filter logic places each user in only one segment at a time, so segment filters must be written so they do not overlap.
If a segment filter matches no users, the policy is effectively inactive.
If a policy application fails, existing policies remain in effect; new policies are not applied.
Exam Tips:
Read the scenario carefully to identify which communication channels need to be blocked (email, Teams, SharePoint).
Look for keywords like 'regulatory compliance', 'conflict of interest', 'insider trading' – these point to IB.
If the question mentions guest users, remember IB does not apply.
When troubleshooting, always check if the policy has been applied.
Use the process of elimination: if a step mentions 'apply policy', it is likely correct.
Information Barriers block communication between user segments defined by Azure AD attributes like Department or CustomAttribute1-15.
You must explicitly apply IB policies using Start-InformationBarrierPoliciesApplication; they do not take effect immediately upon creation.
Block policies take precedence over Allow policies for the same segment pair.
IB does not apply to guest users, distribution groups, or external recipients.
Maximum of 100 segments and 100 policies per tenant.
Policy changes take up to 30 minutes to apply; Teams caching can delay enforcement up to 24 hours.
IB is available in Microsoft 365 E5, Office 365 E5, and with the Microsoft 365 Compliance add-on.
Troubleshooting tip: Verify segment membership using Get-InformationBarrierSegment and check policy application status with Get-InformationBarrierPoliciesApplicationStatus.
These come up on the exam all the time. Here's how to tell them apart.
Information Barriers (IB)
Prevents communication between user segments.
Enforced at the service level (block/allow).
Uses segment filters based on Azure AD attributes.
Requires explicit policy application.
Logs denied actions in audit log.
Communication Compliance (CC)
Monitors and reviews communications for policy violations.
Detects and alerts but does not block automatically.
Uses policies with conditions and classifiers.
No policy application step – works in near real-time.
Captures communications for review, not just logs.
Mistake
Information barriers block communication with external users.
Correct
IB only applies to users within the same Microsoft 365 tenant. Guest users and external recipients are not subject to IB policies. To block external communication, use other tools like Exchange mail flow rules or Teams external access settings.
Mistake
Once you create an IB policy, it takes effect immediately.
Correct
After creating or modifying a policy, you must explicitly apply it using `Start-InformationBarrierPoliciesApplication` or the portal button. The application process can take up to 30 minutes. The policy is not enforced until the application completes successfully.
Mistake
Allow policies override block policies.
Correct
Block policies take precedence over allow policies. If a user is in a segment that has a block policy with another segment, any allow policy between those segments is ignored. This is by design to ensure compliance.
Mistake
Information barriers can prevent communication within the same segment.
Correct
IB policies only control communication between different segments. They cannot be used to block communication among users who are in the same segment. To restrict intra-segment communication, use other features like communication compliance or retention policies.
Mistake
Information barriers apply to all Microsoft 365 services automatically.
Correct
IB applies to Exchange Online, Microsoft Teams, SharePoint Online, and OneDrive for Business. It does not apply to Yammer, Power BI, or third-party apps. Also, within Teams, IB does not block calling via PSTN or external federated calls.
You need a license that includes Information Barriers, such as Microsoft 365 E5, Office 365 E5, or the Microsoft 365 Compliance add-on. Additionally, you must have the necessary permissions: Information Barrier Administrator role or equivalent. User attributes used for segment membership must be populated in Azure AD. For Teams, ensure Teams is enabled and licensed for all users. There is no other infrastructure requirement; IB is a cloud-only feature.
After you apply the policies using Start-InformationBarrierPoliciesApplication, it can take up to 30 minutes for the policies to be fully enforced across Exchange Online, Teams, SharePoint, and OneDrive. However, for Teams, the policies are cached and may take up to 24 hours to take effect for all users. You can check the status using Get-InformationBarrierPoliciesApplicationStatus.
No, Information Barriers only control communication between different segments. They cannot be used to block communication among users who belong to the same segment. To restrict intra-segment communication, you would need to use other features like communication compliance policies or retention policies.
No, Information Barriers only apply to users within your Microsoft 365 tenant. Guest users and external users are not subject to IB policies. If you need to block communication with external users, you must use other controls such as Exchange mail flow rules, Teams external access settings, or SharePoint external sharing restrictions.
If a user is not assigned to any segment, they are not affected by any Information Barrier policies. They can communicate freely with all users, including those in segments with policies. To ensure compliance, all relevant users must be included in at least one segment. Otherwise, they could inadvertently bypass the intended restrictions.
First, verify that the policies have been applied by checking Get-InformationBarrierPoliciesApplicationStatus. If the status is 'NotStarted' or 'Failed', reapply. Next, check that the user is correctly assigned to the intended segment by running Get-InformationBarrierSegment and confirming the user's attributes match the filter. Also, ensure the policy state is 'Active'. For Teams, remind users to sign out and sign back in to refresh the cache. Finally, review audit logs for IB-related events.
Yes, Information Barriers can block file sharing between users in different segments. When a user tries to share a file with a user in a blocked segment, the sharing action is denied. This applies to both SharePoint Online and OneDrive for Business. Note that IB does not prevent access to sites or files that were shared before the policy was applied.