Examine information barriers in SharePoint


For SharePoint, information barriers (IBs) can determine and prevent the following kinds of unauthorized collaborations:

  • Adding a user to a site.
  • User access to a site or site content.
  • Sharing a site or site content with other users.

Information barrier modes govern access, sharing, and membership of a site, based on the site's IB mode and any segments associated with the site. When an organization uses information barriers with SharePoint, the following IB modes are supported.

Open
  Description: When a SharePoint site doesn't have segments, the system automatically sets the site's IB mode to Open.
  Example: A Team site created for the company's annual picnic.

Owner Moderated (preview)
  Description: When a user creates a SharePoint site for collaboration between incompatible segments moderated by the site owner, the owner should set the site's IB mode to Owner Moderated. The only sites that support this IB mode are sites not connected to a Microsoft 365 group.
  Example: A site created for collaboration between the VP of Sales and Research in the presence of the VP of HR (site owner).

Implicit
  Description: When Microsoft Teams provisions a site, the system sets the site's IB mode to Implicit by default. A SharePoint administrator or Global administrator can't manage segments with the Implicit mode configuration.
  Example: A Team created for all Sales segment users to collaborate with each other.

Explicit
  Description: When the end-user site creation experience adds a segment to a SharePoint site, or a SharePoint administrator adds a segment to a site, the system sets the site's IB mode to Explicit.
  Example: A research site created for Research segment users.

Sharing sites for IB modes

Open

When a site has no segments, and the administrator set its IB mode to Open:

  • The user can share the site and its contents based on the information barrier policy applied to the user. For example, if the IB policy allows a user in HR to communicate with users in Research, the user can share the site with those users.

Owner Moderated

When an administrator sets a site's IB mode to Owner Moderated:

  • The system disables the "Anyone with the link" sharing option.
  • The system disables the "Company-wide link" sharing option.
  • The site owner can share the site and its content with existing members.
  • The site owner can only share the site and its content per their IB policy.

Note

Owner Moderated mode only supports non-group connected sites.

Implicit

When an administrator sets a site's IB mode to Implicit:

  • The system disables the "Anyone with the link" sharing option.
  • The system disables the "Company-wide link" sharing option.
  • The site owner or other users with appropriate permissions can share the site and its contents with existing members through a sharing link.
  • You can't directly add new users to the site. The Team owner should add users to the Team's group using Microsoft Teams.

Explicit

When a site is associated with segments, and an administrator sets its IB mode to Explicit:

  • The system disables the "Anyone with the link" sharing option.
  • The system disables the "Company-wide link" sharing option.
  • The site owner or other users with appropriate permissions can only share the site and its content with users whose segment matches that of the site. For example, if an administrator associates a site with the HR segment, the site owner or other users with appropriate permissions can only share the site with HR users. This limitation on sharing occurs even though HR is compatible with both Sales and Research segments.
  • You can add new users as site members only if their segment matches the segment of the site.

Access control for IB modes

Open mode

When a user wants to access a SharePoint site that has no segment, and an administrator has set its IB mode to Open:

  • The user has site access permissions.

Owner Moderated mode

When a user wants to access a SharePoint site, and an administrator has set its IB mode to Owner Moderated:

  • The user has site access permissions.

Note

An administrator can only set the IB mode of non-group connected sites to Owner Moderated.

Implicit mode

When a user wants to access a SharePoint site, and an administrator has set its IB mode to Implicit:

  • The user must be a member of the Microsoft 365 group connected to the site.
  • The user can't access the site if they aren't a member of the Microsoft 365 group connected to the site.
  • The information barriers compliance assistant ensures the group membership is IB compliant.

Explicit mode

When a user wants to access a SharePoint site that has segments, and an administrator has set its IB mode to Explicit:

  • The user's segment must match a segment associated with the site.

    AND

  • The user must have access permission to the site.

Note

Nonsegmented users can't access a site associated with segments. They receive an error message.

Example scenario

The following example illustrates three segments at Contoso: HR, Sales, and Research. Contoso's SharePoint administrator created an information barrier policy that blocks communication and collaboration between the Sales and Research segments. These segments are incompatible.

Diagram showing an example of segments in an organization.

With SharePoint information barriers, a SharePoint or Global administrator can associate segments to a site. Doing so prevents users from sharing the site with users outside those segments. It also prevents users outside those segments from accessing the site. You can associate up to 100 compatible segments with a site. An administrator associates the segments at the site level (previously called site collection level). They can also associate the Microsoft 365 group connected to the site with the site's segment.

In this example, the HR segment is compatible with both Sales and Research. However, because the Sales and Research segments are incompatible, an administrator can't associate them with the same site.

Enable SharePoint and OneDrive information barriers in your organization

SharePoint administrators or Global administrators can enable information barriers in SharePoint and OneDrive in an organization. They can enable information barriers for SharePoint and OneDrive in a single action. They can't enable information barriers separately for each service. Complete the following steps to enable information barriers for your organization:

  1. Download and install the latest version of SharePoint Online Management Shell.

  2. Connect to SharePoint Online as a global admin or SharePoint admin in Microsoft 365.

  3. To enable information barriers in SharePoint and OneDrive, run the following command:

    Set-SPOTenant -InformationBarriersSuspension $false
    
  4. After you enable information barriers for SharePoint and OneDrive in your organization, wait for approximately 1 hour for the changes to take effect.

If you enabled information barriers for SharePoint in your organization before March 15, 2022, the default access and sharing control for Implicit mode Microsoft Teams-connected sites is based on the segments associated with the site.

To enable Microsoft 365 group-membership based access and sharing control for all Implicit mode Teams-connected sites in your tenant, run the following command:

Set-SPOTenant -IBImplicitGroupBased $true

If you have Microsoft 365 Multi-Geo, you must run this command for each of your geo-locations.
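The following PowerShell script is an added example, not part of this module: it performs the enablement steps above, verifies the tenant-level switches, and then audits every site's IB mode and segments so an administrator can confirm the expected modes (for instance, that group-connected sites moved to Implicit) and spot unsupported combinations. It assumes the SharePoint Online Management Shell cmdlets Connect-SPOService, Get-SPOTenant, Set-SPOTenant and Get-SPOSite, and that the tenant and site objects expose the InformationBarriersSuspension, IBImplicitGroupBased, InformationBarriersMode, InformationSegment and GroupId properties (assumed property names; check them against your installed module version).

```powershell
# Added example; not from the module. Requires SharePoint Online Management Shell.
$adminUrl = "https://<tenant>-admin.sharepoint.com"   # placeholder: your admin center URL

# Step 2: connect as a Global admin or SharePoint admin.
Connect-SPOService -Url $adminUrl

# Step 3: enable information barriers for SharePoint and OneDrive (one tenant-wide switch).
Set-SPOTenant -InformationBarriersSuspension $false

# Optional: use Microsoft 365 group membership for Implicit-mode Teams-connected sites.
# Needed if IB was enabled before March 15, 2022; run once per geo-location in Multi-Geo.
Set-SPOTenant -IBImplicitGroupBased $true

# Verify the tenant-level settings (assumed property names); allow ~1 hour to propagate.
Get-SPOTenant | Select-Object InformationBarriersSuspension, IBImplicitGroupBased

# Audit: report each site's IB mode, segments and group connection, and flag
# combinations this module says should not occur.
$report = foreach ($s in Get-SPOSite -Limit All) {
    $site = Get-SPOSite -Identity $s.Url          # per-site call returns the full property set
    $isGroupConnected = ($null -ne $site.GroupId) -and ($site.GroupId -ne [Guid]::Empty)
    $mode = [string]$site.InformationBarriersMode

    $finding = ''
    if ($mode -eq 'OwnerModerated' -and $isGroupConnected) {
        # Owner Moderated is only supported on non-group connected sites.
        $finding = 'OwnerModerated on group-connected site'
    } elseif ($mode -eq 'Open' -and $isGroupConnected) {
        # Teams-provisioned sites should move to Implicit within 24 hours of enabling IB.
        $finding = 'Group-connected site still Open (expect Implicit within 24h)'
    }

    [pscustomobject]@{
        Url            = $site.Url
        IBMode         = $mode
        Segments       = ($site.InformationSegment -join ';')
        GroupConnected = $isGroupConnected
        Finding        = $finding
    }
}

# Show only sites with a finding; drop the filter to see the full inventory.
$report | Where-Object { $_.Finding } | Format-Table -AutoSize
```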

Site creation and management by site owners

When a segmented user creates a SharePoint site:

  • The site is associated with the user's segment.
  • The system automatically sets the site's information barriers mode to Explicit.

When a SharePoint site's IB mode is Explicit, the site owners can add more segments to the site even if it already has segments. Site owners can't remove segments from a site; if a segment needs to be removed, a SharePoint administrator must do it.

When a nonsegmented user creates a SharePoint site:

  • The site isn't associated with any segment.
  • The system automatically sets the site's information barriers mode to Open.

When a SharePoint administrator creates a SharePoint site from the SharePoint admin center:

  • The site isn't associated with any segment.
  • The system automatically sets the site's information barriers mode to Open.

Tip

To help site owners add a segment to a site, share the Associate information segments with SharePoint sites article with your SharePoint site owners.

Microsoft Teams sites

When an organization creates a team in Microsoft Teams, the system automatically creates a SharePoint site for the team's files. To protect Microsoft Teams sites with information barrier controls, an organization can enable information barriers in SharePoint for its tenant. Within 24 hours, the system automatically sets the site's information barriers mode to Implicit. Segments associated with the team's members are also associated with the site.

Microsoft Teams sites with Implicit information barrier modes have site access and sharing based on Microsoft 365 group membership. For example, users have access to the Microsoft Teams site if they're members of the Microsoft 365 group connected to the site. The Microsoft 365 group connected to the Team is IB compliant.

Note

If you enabled information barriers for SharePoint in your organization before March 15, 2022, the system based a Teams-connected site's access and sharing on the segments of the site. For example, you can share the site and its content with a user whose segment matches that of the site. Or, a user can access the site and its content if they have the same segment as the site and the user has site access permissions.

To enable Microsoft 365 group membership-based access and sharing control for all Implicit mode sites in an organization, run the following command as a SharePoint Administrator:

Set-SPOTenant -IBImplicitGroupBased $true

Knowledge check

Choose the best response for the following question.

Check your knowledge

1.

What's the maximum number of compatible segments that can be associated with a site?