- Set-OrganizationConfig - EwsAllowList @{Remove="MicrosoftOWSPersonalBookings"}

- Set-OrganizationConfig - EwsAllowList @{Add="MicrosoftOWSPersonalBookings"}

- Set-CASMailbox -Identity adam@contoso.com - EwsAllowList @{Remove="MicrosoftOWSPersonalBookings"}

- Set-CASMailbox -Identity adam@contoso.com - EwsAllowList @{Add="MicrosoftOWSPersonalBookings"}

- - For enabling Customer Key for assigning DEPs to encrypt content across multiple Microsoft 365 workloads (Exchange Online, Teams, Microsoft Purview Information Protection) for all tenant users, contact [m365-ck@service.microsoft.com](mailto:m365-ck@service.microsoft.com).

-Set-RetentionCompliancePolicy -Identity <retention policy GUID without prefix or suffix> -AddExchangeLocationException <identity of inactive mailbox>

-With Microsoft Purview Information Barriers, you can define policies that are designed to prevent certain segments of users from communicating with each other or allow specific segments to communicate only with certain other segments. Information barrier policies can help your organization maintain compliance with relevant industry standards and regulations, and avoid potential conflicts of interest. For more information, see [Learn about information barriers](information-barriers.md).

-This article describes how to configure information barrier policies. Several steps are involved, so make sure you review entire process before you begin configuring information barrier policies.

-> This article includes an [example scenario](#example-scenario-contosos-departments-segments-and-policies) to help you plan and define your information barrier policies.

-## Concepts

-When you define policies for information barriers, you'll work with user account attributes, segments, 'block' and/or 'allow' policies, and policy application.

-| **Step 1**: [Make sure prerequisites are met](#step-1-make-sure-prerequisites-are-met) | - Verify that you have the [required licenses and permissions](information-barriers.md#required-licenses-and-permissions)<br/>- Verify that your directory includes data for segmenting users<br/>- Enable [search by name for Microsoft Teams](/microsoftteams/teams-scoped-directory-search)<br/>- Make sure audit logging is turned on<br/>- Make sure no Exchange address book policies are in place<br/>- Use PowerShell (examples are provided)<br/>- Provide admin consent for Microsoft Teams (steps are included) |

-| **Step 3**: [Define information barrier policies](#step-3-define-information-barrier-policies) | - Define your policies (do not apply yet)<br/>- Choose from two kinds (block or allow) |

-| **Step 5**: [Configuration for information barriers on SharePoint and OneDrive (optional)](#step-5-configuration-for-information-barriers-on-sharepoint-and-onedrive) | - Configure information barriers for SharePoint and OneDrive |

-| **Step 6**: [Information barriers modes (optional)](#step-6-information-barriers-modes) | - Update information barrier modes if applicable |

-In addition to the [required licenses and permissions](information-barriers.md#required-licenses-and-permissions), make sure that the following requirements are met before configuring information barriers:

-> [!TIP]

-> To help you prepare your plan, an example scenario is included in this article. [See Contoso's departments, segments, and policies](#example-scenario-contosos-departments-segments-and-policies).

-During this step, you determine what information barrier policies are needed, make a list of segments to define, and then define your segments.

-Considering legal and industry regulations, who are the groups within your organization who will need information barrier policies? Make a list. Are there any groups who should be prevented from communicating with another group? Are there any groups that should be allowed to communicate only with one or two other groups? Think about the policies you need as belonging to one of two groups:

-When you have your initial list of groups and policies, proceed to identify the segments you'll need.

-In addition to your initial list of policies, make a list of segments for your organization. Users who will be included in information barrier policies should belong to a segment. Plan your segments carefully as a user can only be in one segment. Each segment can have only one information barrier policy applied.

-Determine which attributes in your organization's directory data you'll use to define segments. You can use *Department*, *MemberOf*, or any of the supported attributes. Make sure that you have values in the attribute you select for users. [See the list of supported attributes for information barriers](information-barriers-attributes.md).

-> **Before you proceed to the next section, make sure your directory data has values for attributes that you can use to define segments**. If your directory data does not have values for the attributes you want to use, then the user accounts must be updated to include that information before you proceed with information barriers. To get help with this, see the following resources:<br/>- [Configure user account properties with Office 365 PowerShell](../enterprise/configure-user-account-properties-with-microsoft-365-powershell.md)<br/>- [Add or update a user's profile information using Azure Active Directory](/azure/active-directory/fundamentals/active-directory-users-profile-azure-portal)

-Defining segments does not affect users; it just sets the stage for information barrier policies to be defined and then applied.

- > **Make sure that your segments do not overlap**. Each user who will be affected by information barriers should belong to one (and only one) segment. No user should belong to two or more segments. (See [Example: Contoso's defined segments](#contosos-defined-segments) in this article.)

-After you have defined your segments, proceed to [define information barrier policies](#step-3-define-information-barrier-policies).

-In the following example, we are defining a segment such that "Department equals HR."

-| `New-OrganizationSegment -Name "NotSales" -UserGroupFilter "Department -ne 'Sales'"` | In this example, we defined a segment called *NotSales* that includes everyone who is not in *Sales*. The **-ne** portion of the cmdlet refers to "not equals". |

-| `New-OrganizationSegment -Name "LocalFTE" -UserGroupFilter "Location -eq 'Local'" -and "Position -ne 'Temporary'"` | In this example, we defined a segment called *LocalFTE* that includes people who are located locally and whose positions are not listed as *Temporary*. |

-| `New-OrganizationSegment -Name "Segment1" -UserGroupFilter "MemberOf -eq 'group1@contoso.com'' -and MemberOf -ne 'group3@contoso.com'"`| In this example, we defined a segment called *Segment1* that includes people who are members of group1@contoso.com and not members of group3@contoso.com. |

-| `New-OrganizationSegment -Name "Segment2" -UserGroupFilter "MemberOf -eq 'group2@contoso.com' -or MemberOf -ne 'group3@contoso.com'"` | In this example, we defined a segment called *Segment2* that includes people who are members of group2@contoso.com and not members of group3@contoso.com. |

-| `New-OrganizationSegment -Name "Segment1and2" -UserGroupFilter "(MemberOf -eq 'group1@contoso.com' -or MemberOf -eq 'group2@contoso.com') -and MemberOf -ne 'group3@contoso.com'"`| In this example, we defined a segment called *Segment1and2* that includes people members of group1@contoso.com and group2@contoso.com and not members of group3@contoso.com. |

-Determine whether you need to prevent communications between certain segments, or limit communications to certain segments. Ideally, you'll use the minimum number of policies to ensure your organization is compliant with legal and industry requirements.

-With your list of user segments and the information barrier policies you want to define, select a scenario, and then follow the steps.

-> **Make sure that as you define policies, you do not assign more than one policy to a segment**. For example, if you define one policy for a segment called *Sales*, do not define an additional policy for *Sales*.<p> In addition, as you define information barrier policies, make sure to set those policies to inactive status until you are ready to apply them. Defining (or editing) policies does not affect users until those policies are set to active status and then applied.

-(See [Example: Contoso's information barrier policies](#contosos-information-barrier-policies) in this article.)

-When you want to block segments from communicating with each other, you define two policies: one for each direction. Each policy blocks communication one way only.

- | `New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segment1name" -SegmentsBlocked "segment2name"` | `New-InformationBarrierPolicy -Name "Sales-Research" -AssignedSegment "Sales" -SegmentsBlocked "Research" -State Inactive` <p> In this example, we defined a policy called *Sales-Research* for a segment called *Sales*. When active and applied, this policy prevents people in *Sales* from communicating with people in a segment called *Research*. |

- | `New-InformationBarrierPolicy -Name "policyname" -AssignedSegment "segment1name" -SegmentsAllowed "segment2name","segment1name"` | `New-InformationBarrierPolicy -Name "Manufacturing-HR" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Manufacturing" -State Inactive` <p> In this example, we defined a policy called *Manufacturing-HR* for a segment called *Manufacturing*. When active and applied, this policy allows people in *Manufacturing* to communicate only with people in a segment called *HR*. (In this case, *Manufacturing* cannot communicate with users who are not part of *HR*.) |

-Information barrier policies are not in effect until you set them to active status, and then apply the policies.

- | `Set-InformationBarrierPolicy -Identity GUID -State Active` | `Set-InformationBarrierPolicy -Identity 43c37853-ea10-4b90-a23d-ab8c93772471 -State Active` <p> In this example, we set an information barrier policy that has the GUID *43c37853-ea10-4b90-a23d-ab8c93772471* to active status. |

-3. When you have finished setting your information barrier policies to active status, use the **Start-InformationBarrierPoliciesApplication** cmdlet in the Security & Compliance Center.

-Resources are available to help you manage your information barrier policies.

-If you're configuring information barriers for SharePoint and OneDrive, you'll need to enable information barriers on these services. You'll also need to enable information barriers on these services if you're configuring information barriers for Microsoft Teams. When a Microsoft Teams team is created, a SharePoint site is automatically created and associated with Microsoft Teams for the files experience. Information barrier policies aren't honored on this SharePoint site and files by default.

-To enable information barriers in SharePoint and OneDrive, follow the guidance and steps in the [Use information barriers with SharePoint](/sharepoint/information-barriers) article.

-| **Owner Moderated (preview)** | The IB policy of the Microsoft 365 resource is determined from the resource owner's IB policy. The resource owners can invite any user to the resource based on their IB policies. This mode is useful when your company wants to allow collaboration among incompatible segment users that are moderated by the owner. Only the resource owner can add new members per their IB policy. | The VP of HR wants to collaborate with the VPs of Sales and Research. A new SharePoint site that is set with IB mode *Owner Moderated* to add both Sales and Research segment users to the same site. It is the responsibility of the owner to ensure appropriate members are added to the resource. |

-| **Implicit** | The IB policy or segments of the Microsoft 365 resource is inherited from the resource members IB policy. The owner can add members as long as they are compatible with the existing members of the resource. This is the default IB mode for Microsoft Teams. | The Sales segment user creates a Microsoft Teams team to collaborate with other compatible segments in the organization. |

-For more information about information barrier modes and how they are configured across services, see the following articles:

-Contoso has five departments: HR, Sales, Marketing, Research, and Manufacturing. In order to remain compliant with industry regulations, people in some departments are not supposed to communicate with other departments, as listed in the following table:

-| Segment | Can talk to | Cannot talk to |

-For this structure, Contoso's plan includes three information barrier policies:

-1. A policy designed to prevent Sales from communicating with Research (and another policy to prevent Research from communicating with Sales).

-2. A policy designed to allow Manufacturing to communicate with HR and Marketing only.

-For this scenario, it's not necessary to define policies for HR or Marketing.

-With the segments defined, Contoso proceeds to define policies.

-Contoso defines three policies, as described in the following table:

-| **Policy 3: Allow Manufacturing to communicate with HR and Marketing only** | `New-InformationBarrierPolicy -Name "Manufacturing-HRMarketing" -AssignedSegment "Manufacturing" -SegmentsAllowed "HR","Marketing","Manufacturing" -State Inactive` <p> In this case, the information barrier policy is called *Manufacturing-HRMarketing*. When this policy is active and applied, Manufacturing can communicate only with HR and Marketing. HR and Marketing are not restricted from communicating with other segments. |

-When the cmdlet finishes, Contoso is compliant with legal and industry requirements.

-Microsoft cloud services include powerful communication and collaboration capabilities. But suppose that you want to restrict communication and collaboration between two groups to avoid a conflict of interest from occurring in your organization. Or, perhaps you want to restrict communication and collaboration between certain people inside your organization in order to safeguard internal information. Microsoft 365 enables communication and collaboration across groups and organizations, so is there a way to restrict communication and collaboration among specific groups of users when necessary? With Microsoft Purview Information Barriers (IB), you can!

-Microsoft Teams, SharePoint Online, and OneDrive for Business support information barriers. Assuming your [subscription](#required-licenses-and-permissions) includes information barriers, a compliance administrator, or information barriers administrator can define policies to allow or prevent communications between groups of users in Microsoft Teams. Information barrier policies can be used for situations like these:

-> [!IMPORTANT]

-> Information barriers ***only supports*** two way restrictions. One way restrictions, such as marketing can communicate and collaborate with day traders, but day traders cannot communicate and collaborate with marketing ***is not supported***.

-For all of these example scenarios (and more), information barrier policies can be defined to prevent or allow communications and collaboration in Microsoft Teams, SharePoint Online and OneDrive. Such policies can prevent people from calling or chatting with those they shouldn't, or enable people to communicate only with specific groups in Microsoft Teams. With information barrier policies in effect, whenever users who are covered by those policies attempt to communicate and collaborate with others in Microsoft Teams, SharePoint Online or OneDrive checks are done to prevent (or allow) communication and collaboration (as defined by information barrier policies).

-To learn more about the user experience with information barriers, see:

-> Currently, information barriers do not apply to email communications. In addition, information barriers are independent from [compliance boundaries](set-up-compliance-boundaries.md).<p> Before you define and apply information barrier policies, make sure your organization does not have [Exchange address book policies](/exchange/address-books/address-book-policies/address-book-policies) in effect. (Information barriers are based on address book policies.)

-## What happens with information barriers

-When information barrier policies are in place, people who should not communicate or share files with other specific users won't be able to find, select, chat, or call those users. With information barriers, checks are in place to prevent unauthorized communication and collaboration.

-Information barriers applies to Microsoft Teams (chats and channels), SharePoint Online and OneDrive.

-In Microsoft Teams, information barrier policies determine and prevent the following kinds of unauthorized communications:

-If the people involved are included in an information barrier policy to prevent the activity, they will not be able to proceed. In addition, potentially, everyone included in an information barrier policy can be blocked from communicating with others in Microsoft Teams. When people affected by information barrier policies are part of the same team or group chat, they might be removed from those chat sessions and further communication with the group might not be allowed.

-To learn more about the user experience with information barriers, see [information barriers in Microsoft Teams](/MicrosoftTeams/information-barriers-in-teams).

-In SharePoint Online and OneDrive, information barrier policies determine and prevent the following kinds of unauthorized collaborations:

-To learn more about the user experience with information barriers, see [information barriers in SharePoint Online](/sharepoint/information-barriers)

-## Required licenses and permissions

-Before you get started with IB, you should confirm your [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans) and any add-ons. To access and use IB, your organization must have one of the following subscriptions or add-ons:

-For more information, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-protection).

-To [define or edit information barrier policies](information-barriers-policies.md), you must be assigned one of the following roles:

-(To learn more about roles and permissions, see [Permissions in the Office 365 Security & Compliance Center](../security/office-365-security/permissions-in-the-security-and-compliance-center.md).)

-You must be familiar with PowerShell cmdlets in order to define, validate, or edit information barrier policies. Although we provide several examples of PowerShell cmdlets in the [how-to article](information-barriers-policies.md), you'll need to know other details, such as parameters, for your organization.

-## Next steps

- 

- 

- 

-**Windows 10 and Windows 11 versions of the deployment lab kit are now available for free download in the Microsoft Evaluation Center.**

-[Download Windows 11 with Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-windows-11-office-365-lab-kit)<br>

-[Download Windows 10 with Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-lab-kit)

-|Microsoft Endpoint Configuration Manager, Version 2103|Microsoft Endpoint Configuration Manager, Version 2111|

-> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows 10 lab expires May 16, 2022. The Windows 11 lab expires May 6, 2022. New versions will be published prior to expiration.

-| Rule name| Windows&nbsp;11 <br>and<br> Windows&nbsp;10 | Windows&nbsp;Server <br> 2022 <br>and<br> Windows&nbsp;Server <br> 2019 | Windows Server | Windows&nbsp;Server <br> 2016 <br> <sup>[[1, 2](#fn1)] | Windows&nbsp;Server <br> 2012&nbsp;R2 <br> <sup>[[1, 2](#fn1)] |

-| [Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) | Y version 1809 or later | Y | Y | Y | Y |

-| [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) | Y <br> version 1803 or later | Y | Y | Y | Y |

-| [Block executable files from running unless they meet a prevalence, age, or trusted list criterion](#block-executable-files-from-running-unless-they-meet-a-prevalence-age-or-trusted-list-criterion) | Y <br> version 1803 or later | Y | Y | Y | Y |

-| [Block persistence through WMI event subscription](#block-persistence-through-wmi-event-subscription) <br> \* _File and folder exclusions not supported._ | Y <br> version 1903 (build 18362) or later | Y | Y <br> version 1903 (build 18362) or later | N | N |

-| [Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) | Y <br> version 1803 or later | Y | Y | Y | Y |

-| [Use advanced protection against ransomware](#use-advanced-protection-against-ransomware) | Y <br> version 1803 or later | Y | Y | Y | Y |

-[Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the internet. You can [audit network protection](evaluate-network-protection.md) in a test environment to view which apps would be blocked before you enable it.

-Confirm network protection is enabled on a local computer by using Registry editor:

-1. Select **Start** and type **regedit** to open **Registry Editor**.

-2. Navigate to **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Protection\EnableNetworkProtection**

-3. Select **EnableNetworkProtection** and confirm the value:

- - 0=Off

- - 1=On

- - 2=Audit

-2. Go to **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.

-4. On the **General** page, specify a name for the new policy and verify the **Network protection** option is enabled.

-1. System Integrity Protection (SIP) enabled

-1. Use a Mobile device management (MDM) tool to configure Microsoft Defender for Endpoint

- > The maximum number of protected domains that you can define in all anti-phishing policies is 50.