-description: "Learn how to find noncompliant sites after information barriers policies change."

-recommendations: true

-# Create an information barriers policy compliance report

-If a compliance administrator changes an existing information barriers policy, the change might affect the compatibility of segments already associated with a site.

-For example, a policy might allow communication and collaboration between the Sales and Research segments. Later, the policy might not allow communication and collaboration between these segments. The segments are incompatible and shouldn't be associated with the same site.

-The SharePoint information barriers policy compliance report lets SharePoint Administrators view the list of sites that are noncompliant with existing policies. The report covers these sites:

-The report displays the list of sites that are noncompliant per the existing policies which were recently updated. For each noncompliant site, it shows compatible segments, incompatible segments, and invalid segments (those segments that no longer exist)

-If a OneDrive is noncompliant, this report lets you update the OneDrive to be compliant with the latest IB policies in your organization.

-> [!NOTE]

-> You only need to run this report if information barriers policies are changed. Depending on the number of sites in your organization, it can take a long time for this report to run.

-## Run the report

-1. [Download the latest SharePoint Online Management Shell](https://go.microsoft.com/fwlink/p/?LinkId=255251).

- > [!NOTE]

- > If you installed a previous version of the SharePoint Online Management Shell, go to Add or remove programs and uninstall "SharePoint Online Management Shell".

-2. Connect to SharePoint Online as a [Global Administrator or SharePoint Administrator](./sharepoint-admin-role.md) in Microsoft 365. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).

-3. Run the following command to build the report:

- ```PowerShell

- Start-SPOInformationBarriersPolicyComplianceReport

- ```

- Or, to automatically update any noncompliant OneDrive accounts when you build the report, run:

- ```PowerShell

- Start-SPOInformationBarriersPolicyComplianceReport -UpdateOneDriveSegments

- ```

-4. Run the following command to view the status of the task:

- ```PowerShell

- Get-SPOInformationBarriersPolicyComplianceReport

- ```

- The command returns the following set of information:

- `State: Completed`<br>

- `Id: 9e2bd8d8-64a4-4e68-af63-81f0565c3c00`<br>

- `StartTimeInUtc: 12/6/2020 10:56:12 PM`<br>

- `CompleteTimeInUtc: 12/6/2020 10:56:17 PM`<br>

- `QueuedTimeInUtc: 12/6/2020 10:51:06 PM`<br>

- `UpdateOneDriveSegments: False`

-5. Run the following command to view the report:

- ```PowerShell

- Get-SPOInformationBarriersPolicyComplianceReport -reportid <ID>

- ```

- (Where *ID* is the report's ID from the previous step.)

- The command returns the following set of information:

- `Content: {3ef21e8a-69d9-4bf0-a70f-0328e5a18087, 76cd794c-b5f1-4f3d-ad48-075e805fca17, 93d93533-783a-4274-b9c9-b79a3b9beb99}`<br>

- `HasNonCompliantSites: True`<br>

- `State: Completed`<br>

- `Id: 9e2bd8d8-64a4-4e68-af63-81f0565c3c00`<br>

- `StartTimeInUtc: 9/22/2020 11:36:50 PM`<br>

- `CompleteTimeInUtc: 9/22/2020 11:37:00 PM`<br>

- `QueuedTimeInUtc: 9/22/2020 11:31:57 PM`<br>

- `UpdateOneDriveSegments: False`

- The Content row lists the sites that are noncompliant. If all sites are compliant, the Content row is empty and HasNonCompliantSites is "False."

-6. Run the following command to view details about the noncompliant segments associated with each site:

- ```PowerShell

- $report = Get-SPOInformationBarriersPolicyComplianceReport -reportid <ID> $report.Content

- ```

- (Where *ID* is the report's ID from the previous step.)

- The command returns the following set of information for each site:

- `SiteId: 3ef21e8a-69d9-4bf0-a70f-0328e5a18087`<br>

- `SiteUrl: https://contoso.sharepoint.com/sites/Research`<br>

- `SiteType: Group`<br>

- `ComplianceState: NonCompliant`<br>

- `CurrentSegments: Sales, Research`<br>

- `OriginalSegments: Sales, Research`<br>

- `InvalidIBSegments:` <br>

- `IncompatibleSegmentsPairs: <Sales, Research>`<br>

- `FailedToBeProcessed: False`<br>

-> [!NOTE]

-> For info about removing incompatible segments, see [Use information barriers with SharePoint](information-barriers.md#2-use-sharepoint-powershell-to-view-and-manage-information-segments-on-a-site). When you're done with a report, you can delete it by using `Remove-SPOInformationBarriersPolicyComplianceReport -reportid <>`.

-**Governance considerations** - For large organizations, especially with international offices, it can be challenging to make sure the right people have access to the right content for security and compliance purposes. Consider using personalization elements like [information barriers](./information-barriers.md) and [audience targeting](https://support.microsoft.com/office/overview-of-audience-targeting-in-modern-sharepoint-sites-68113d1b-be99-4d4c-a61c-73b087f48a81) to help surface content the specific audiences.

-**Governance considerations** - For large organizations, especially with international offices, it can be challenging to make sure the right people have access to the right content for security and compliance purposes. Consider using personalization elements like [information barriers](./information-barriers.md) and [audience targeting](https://support.microsoft.com/office/overview-of-audience-targeting-in-modern-sharepoint-sites-68113d1b-be99-4d4c-a61c-73b087f48a81) to help surface content the specific audiences.

-[Information barriers](./information-barriers.md) - Information barriers are policies in Microsoft 365 that a compliance admin can configure to prevent users from communicating and collaborating with each other. This is useful if, for example, one division is handling information that shouldn't be shared with specific other divisions, or a division needs to be prevented, or isolated, from collaborating with all users outside of the division. Information barriers are often used in highly regulated industries and those with compliance requirements, such as finance, legal, and government.

-description: "Learn about the information barriers compliance assistant."

-# Information barriers compliance assistant (preview)

-This article explains how you can enable the information barrier compliance assistant for group-connected SharePoint sites. These are sites that don't have an associated team in Microsoft Teams. When the information barrier compliance assistant is enabled, users who don't match the segments specified on this site are automatically removed to ensure group membership honors configured information barrier policies. This configuration may help ensure your organization remains compliant with standards, policies, and compliance regulations.

-## Prerequisites

-1. Make sure you [define policies for information barriers](/office365/securitycompliance/information-barriers-policies).

-2. [Configure information barrier segments on a SharePoint Site.](information-barriers.md)

-3. [Install the Azure PowerShell module](/powershell/azure/install-az-ps)

-4. PowerShell account must have directory administrator access for the tenant.

-## Enable the background compliance assistant

-These steps create a new application in your organization's enterprise applications. For the compliance assistant to function properly, you must have explicitly added segments to a SharePoint site. Complete the following steps to enable the compliance assistant:

-1. Run the following PowerShell cmdlets.

- ```PowerShell

- Connect-AzureAD

- Connect-AzAccount

- $appId="f46c682f-628c-48e6-b963-03309e34639e"

- $sp=Get-AzADServicePrincipal -ServicePrincipalName $appId

- if ($sp -eq $null) {New-AzADServicePrincipal -ApplicationId $appId}

- Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId"

- ```

-2. When prompted, sign in using your Office 365 work or school account.

-3. In the **Permissions requested** dialog box, review the information, and select **Accept**. This action configures admin consent for the compliance assistant.

-## Verify a new application was created

-To verify that a new application was properly created in your organization's enterprise applications, complete the following steps:

-1. Log into portal.azure.com with directory administrator's credentials.

-2. Select **Manage Azure Active Directory.**

-3. Select **Enterprise Applications** in left navigation listing.

-4. Search for the compliance assistant using 'M365' as the search term.

- 

-5. Select **M365-Group-Compliance-Assistant** from the list of search results.

-6. On the **M365-Group-Compliance-Assistant overview** page, you can review application properties.

- 

-7. Select **Permissions** in the left-navigation pane to review the permissions that the application is authorized for.

- 

-8. In this example, the **M365-Group-Compliance-Assistant** is authorized to add/remove non-compliant information barrier users from your Microsoft 365 groups.

-You can use the [Microsoft Purview compliance portal](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance) to search, review, and track audit log events for the M365-Group-Compliance-Assistant application. The audit activities associated with the compliance assistant are:

-To search the audit log for Microsoft 365 Groups activities, see [Search the audit log](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance#search-the-audit-log).

->[!Note]

->The compliance assistant runs periodically (every 24 hours). The assistant runs on group-connected SharePoint sites that do not have an associated team in Microsoft Teams. To enable the compliance assistant for SharePoint sites connected to Microsoft Teams, follow the instructions in the [Define information barrier policies](/microsoft-365/compliance/information-barriers-policies) article.

-description: "Learn about associating segments with a OneDrive, and what happens when segments are associated with a OneDrive."

-# Use information barriers with OneDrive

-[Microsoft Purview Information Barriers](/microsoft-365/compliance/information-barriers) are policies in Microsoft 365 that a compliance admin can configure to prevent users from communicating and collaborating with each other. This solution is useful if, for example, one division is handling information that shouldn't be shared with specific other divisions, or a division needs to be prevented, or isolated, from collaborating with all users outside of the division. Information barriers are often used in highly regulated industries and those organizations with compliance requirements, such as finance, legal, and government.

-For OneDrive, information barriers can determine and prevent the following kinds of unauthorized collaborations:

-## Information barriers modes and OneDrive

-When information barriers are enabled on SharePoint and OneDrive, the OneDrive of segmented users are automatically protected with IB policies. [Information barriers modes](/microsoft-365/compliance/information-barriers-policies#step-6-information-barriers-modes) help strengthen access, sharing, and membership of a OneDrive site based on its IB mode and segments associated with the OneDrive.

-When using information barriers with OneDrive, the following IB modes are supported:

-| **Mode** | **Description** |

-|:- |:-|

-| **Open** | When a non-segmented user provisions their OneDrive, the site's IB mode is set as Open, by default. There are no segments associated with the site. |

-| **Owner Moderated** | When a OneDrive is used for collaboration with incompatible users in the presence of the site owner/moderator, the OneDrive's IB mode can be set as Owner Moderated. See [this section](#manage-the-ib-mode-of-a-users-onedrive-preview) for details on Owner Moderated site. |

-| **Explicit** | When a segmented user provisions their OneDrive within 24 hours of enablement, the site's IB mode is set as *Explicit* by default. The user's segment and other segments that are compatible with the user's segment and with each other get associated with the user's OneDrive. |

-| **Mixed** | When a segmented user's OneDrive is allowed to be shared with unsegmented users, the site's IB mode can be set as *Mixed*. This is an opt-in mode that the SharePoint admin can set on OneDrive of a segmented user. |

->[!NOTE]

->Starting July 12, 2022, *Inferred* mode has changed to *Mixed* mode. The functionality for the mode remains the same.

-## Sharing files from OneDrive

-### Open

-When a OneDrive has no segments and IB mode as *Open*:

-### Owner Moderated

-When a site has information barriers mode is set to *Owner Moderated*:

-### Explicit

-When a OneDrive has information barriers segments and the mode is set to *Explicit*:

-### Mixed

-When a OneDrive has information barriers segments and the mode is set to *Mixed*:

-## Accessing shared files from OneDrive

-### Open mode

-For a user to access content in a OneDrive that has no segments associated and IB mode as *Open*:

-### Owner Moderated mode

-For a user to access a SharePoint site with site's information barriers mode is set to *Owner Moderated*:

-### Explicit mode

-For a user to access content in a OneDrive that has segments and the IB mode set to *Explicit*:

-1. The user's segment must match a segment that is associated with the OneDrive.

- AND

-2. The files must be shared with the user.

->[!NOTE]

->By default, non-segment users can access shared OneDrive files only from other non-segment users with IB modes as *Open*. They can't access shared files from OneDrive that have segment(s) applied and the IB mode is *Explicit*.

-### Mixed mode

-For a segmented user to access content in a OneDrive that has segments and the IB mode set as *Mixed*:

-1. The user's segment must match a segment that is associated with the OneDrive.

- AND

-2. The files must be shared with the user.

-For an unsegmented user to access content in a OneDrive that has segments and the IB mode set as *Mixed*:

-## Example scenario

-The following example illustrates three segments in an organization: HR, Sales, and Research. An information barrier policy has been defined that blocks communication and collaboration between the Sales and Research segments.

-

-With information barriers in OneDrive, when a segment is applied to a user, within 24 hours that segment is automatically associated with the user's OneDrive. Other segments that are compatible with the user's segment and with each other will also get associated with the OneDrive. A OneDrive can have up to 100 segments associated with it. A global or SharePoint admin can manage these segments using PowerShell, as described later in the section [Associate or remove additional segments on a user's OneDrive](#manage-segments-on-a-users-onedrive).

-The following table shoes the effects of this example configuration:

-| Components | HR users | Sales users | Research users | Non-segment users |

-|:--|:|:|:|:|

-| Segments associated with OneDrive | HR | Sales, HR | Research, HR | None |

-| IB mode on OneDrive | Explicit | Explicit | Explicit | Open |

-| OneDrive content can be shared with | HR only | Sales and HR | Research and HR | Anyone based on the sharing settings selected |

-| OneDrive content can be accessed by | HR only | Sales and HR | Research and HR | Anyone with whom the content has been shared |

-## Enable SharePoint and OneDrive information barriers in your organization

-Enabling information barriers for SharePoint and OneDrive are configured in a single action. Information barriers for the services can't be enabled separately. To enable information barriers for OneDrive, see [Enable SharePoint and OneDrive information barriers in your organization](/sharepoint/information-barriers#enable-sharepoint-and-onedrive-information-barriers-in-your-organization). After you've enabled information barriers for SharePoint and OneDrive, continue with the OneDrive guidance in this article.

-## Prerequisites

-1. Make sure you meet the [licensing requirements for information barriers](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-barriers).

-2. [Create information barrier policies](/office365/securitycompliance/information-barriers-policies) that allow or block communication between the segments and activate the policies. Create segments and define the users in each.

-3. After you've configured and activated your information barrier policies, wait 24 hours for the changes to propagate through your organization.

-4. Enable information barriers for OneDrive. Enabling information barriers for SharePoint and OneDrive are configured in a single action and these services can't be enabled separately. To enable information barriers for OneDrive, see the guidance and steps in the [Use information barriers with SharePoint](/sharepoint/information-barriers) article.

-5. Complete the steps in the following sections to customize and manage information barriers for OneDrive in your organization.

-## Use PowerShell to view the segments associated with a OneDrive

-A global or SharePoint admin can view and change the segments associated with a user's OneDrive. Your organization can have up to 5,000 segments and users can be assigned to multiple segments.

-> [!IMPORTANT]

-> Support for 5,000 segments and assigning users to multiple segments is only available when your organization isn't in *Legacy* mode. Assigning users to multiple segments requires additional actions to change the information barriers mode for your organization. For more information, see [Use multi-segment support in information barriers)](/microsoft-365/compliance/information-barriers-multi-segment) for details. <br><br> For organizations in *Legacy* mode, the maximum number of segments supported is 250 and users are restricted to being assigned to only one segment. Organizations in *Legacy* mode will be eligible to upgrade to the newest version of information barriers in the future. For more information, see the [information barriers roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=information%2Cbarriers).

-1. Connect to the [Security & Compliance Center PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell) as a global admin.

-2. Run the following command to get the list of segments and their GUIDs.

- ```PowerShell

- Get-OrganizationSegment | ft Name, EXOSegmentID

- ```

-3. Save the list of segments.

- |**Name**|**EXOSegmentId**|

- |:-|:|

- | Sales | a9592060-c856-4301-b60f-bf9a04990d4d |

- | Research | 27d20a85-1c1b-4af2-bf45-a41093b5d111 |

- | HR | a17efb47-e3c9-4d85-a188-1cd59c83de32 |

-4. If not previously completed, [download](https://go.microsoft.com/fwlink/p/?LinkId=255251) and install the latest SharePoint Online Management Shell. If you installed a previous version of the SharePoint Online Management Shell, follow the instructions in the [Enable SharePoint and OneDrive information barriers in your organization](/sharepoint/information-barriers#enable-sharepoint-and-onedrive-information-barriers-in-your-organization) article.

-5. Connect to SharePoint as a [global admin or SharePoint admin](/sharepoint/sharepoint-admin-role) in Microsoft 365. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).

-6. Run the following command:

- ```PowerShell

- Get-SPOSite -Identity <site URL> | Select InformationSegment

- ```

- For example:

- ```powershell

- Get-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com | Select InformationSegment

- ```

-## Manage segments on a user's OneDrive

-> [!WARNING]

-> If the segments associated with a user's OneDrive don't match the segment applied to the user, the user won't be able to access their OneDrive. Be careful not to associate any segments with the OneDrive of a non-segment user.

-> [!NOTE]

-> Any changes you make will be overwritten if the user's segment changes.

-To associate a segment with a OneDrive, run the following command in the SharePoint Online Management Shell.

-> [!IMPORTANT]

-> Support for 5,000 segments and assigning users to multiple segments is only available when your organization isn't in *Legacy* mode. Assigning users to multiple segments requires additional actions to change the information barriers mode for your organization. For more information, see [Use multi-segment support in information barriers)](/microsoft-365/compliance/information-barriers-multi-segment) for details. <br><br> For organizations in *Legacy* mode, the maximum number of segments supported is 250 and users are restricted to being assigned to only one segment. Organizations in *Legacy* mode will be eligible to upgrade to the newest version of information barriers in the future. For more information, see the [information barriers roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=information%2Cbarriers).

-```PowerShell

-Set-SPOSite -Identity <site URL> -AddInformationSegment <segment GUID>

- ```

-For example:

-```powershell

-Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com -AddInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111

-```

-When you add segments to a OneDrive, the site's IB mode is automatically updated to *Explicit*. An error will appear if you attempt to associate a segment that isn't compatible with the existing segments on the OneDrive.

-> [!IMPORTANT]

-> Support for assigning users to multiple segments is only available when your organization isn't in *Legacy* mode. To determine if your organization is in *Legacy* mode, see [Check the IB mode for your organization)](/microsoft-365/compliance/information-barriers-multi-segment#check-the-ib-mode-for-your-organization). <br><br> Users are restricted to being assigned to only one segment for organizations in *Legacy* mode. Organizations in *Legacy* mode will be eligible to upgrade to the newest version of information barriers in the future. For more information, see the [information barriers roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=information%2Cbarriers).

-To remove segment from a OneDrive, run the following command.

-```PowerShell

-Set-SPOSite -Identity <site URL> -RemoveInformationSegment <segment GUID>

- ```

-For example:

-```powershell

-Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com -RemoveInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111

-```

-If all the segments of a OneDrive site are removed, the IB mode of the OneDrive is automatically updated to *Open*.

-## Manage the IB mode of a user's OneDrive (preview)

-To view the IB mode of a OneDrive site, run the following command in the SharePoint Online Management Shell as a SharePoint admin or global administrator:

-```powershell

-Get-SPOSite -Identity <site URL> | Select InformationBarriersMode

-```

-

-For example:

-```powershell

-Get-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com | Select InformationBarriersMode

-```

-A SharePoint admin or global administrator also has the ability to manage the IB mode of a OneDrive site to meet the needs of your organization with new IB modes:

-### Owner Moderated mode example

-Allow an incompatible segment user access to a OneDrive. For example, you want to allow HR user's OneDrive to be accessed by both Sales and Research segment users in your tenant.

-*Owner Moderated* is a mode applicable to OneDrive site that allows incompatible segment users access to OneDrive in the presence of a moderator/owner. Only the site owner has the capability to invite incompatible segment users on the same site.

-To update a OneDrive site IB mode to *Owner Moderated*, run the following PowerShell command:

-```powershell

-Set-SPOSite -Identity <siteurl> InformationBarriersMode OwnerModerated

-```

-Owner Moderated IB mode canΓÇÖt be set on a site with segments. Remove the segments before setting the IB mode as Owner Moderated. Access to an Owner Moderated site is allowed for users who have site access permissions. Sharing of an Owner Moderated OneDrive and its contents is only allowed by the site owner per their IB policy.

-### Mixed mode example

-Allow unsegmented users to access OneDrive associated with segments. For example, you want to allow HR user's OneDrive to be accessed by HR segment and unsegmented users in your tenant. Mixed mode applicable to OneDrive site that allows segmented and unsegmented users access to OneDrive.

-To update a OneDrive site IB Mode to Mixed, run the following PowerShell command:

-```powershell

-Set-SPOSite -Identity <siteurl> InformationBarriersMode Mixed

-```

-Mixed IB mode can't be set on a site without segments. Add segments before setting the IB mode as Mixed.

-## Effects of changes to user segments

-If a user's segment changes, the OneDrive's segment and IB mode will be automatically updated within 24 hours as described in the section above OneDrive information barriers

-Example 1: User's segment updated from Research to Sales, the user's OneDrive will be as follows within 24 hours:

-Example 2: User's segment updated from HR to None, the user's OneDrive will be as follows within 24 hours:

-## Effects of changes to information barrier policies

-If a compliance administrator changes an existing policy, the change may impact the compatibility of the segments associated with the OneDrive.

-For example, segments that were once compatible may no longer be compatible. A SharePoint admin must change the segments associated with an affected site accordingly. Learn how to create an [information barriers policy compliance report in PowerShell](/sharepoint/info-barriers-report).

-If a policy changes after files are shared, the sharing links will work only if the user attempting to access the shared files has a segment applied that matches a segment associated with the OneDrive.

-## Auditing

-Audit events are available in the Microsoft Purview compliance portal to help you monitor information barrier activities. Audit events are logged for the following activities:

-For more information about OneDrive segment auditing in Office 365, see [Search the audit log in the compliance center](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance#information-barriers-activities).

-## Resources

-description: "Learn about associating segments with a site, and what happens when segments are associated with a site."

-# Use information barriers with SharePoint

-[Microsoft Purview Information Barriers](/microsoft-365/compliance/information-barriers) are policies in Microsoft 365 that a compliance admin can configure to prevent users from communicating and collaborating with each other. This solution is useful if, for example, one division is handling information that shouldn't be shared with specific other divisions, or a division needs to be prevented, or isolated, from collaborating with all users outside of the division. Information barriers are often used in highly regulated industries and those organizations with compliance requirements, such as finance, legal, and government.

-For SharePoint, information barriers can determine and prevent the following kinds of unauthorized collaborations:

-## Information barriers modes and SharePoint sites

-[Information barriers modes](/microsoft-365/compliance/information-barriers-policies#step-6-information-barriers-modes) help strengthen access, sharing, and membership of a site based on its IB mode and segments associated with the site.

-When using information barriers with SharePoint, the following IB modes are supported:

-| **Mode** | **Description** | **Examples** |

-|:- |:-|:-|

-| **Open** | When a SharePoint site doesn't have segments, the site's IB mode is automatically set as *Open*. See [this section](#view-and-manage-segments-as-an-administrator) for details on managing segments with the *Open* mode configuration. | A Team site created for picnic event for your organization. |

-| **Owner Moderated** | When a SharePoint site is created for collaboration between incompatible segments moderated by the site owner, the site's IB mode should be set as *Owner Moderated*. See [this section](#owner-moderated-mode-scenario) for details on managing *Owner Moderated* site. | A site is created for collaboration between VP of Sales and Research in the presence of VP of HR (site owner). |

-| **Implicit** | When a site is provisioned by Microsoft Teams, the site's IB mode is set as *Implicit* by default. A SharePoint Administrator or Global Administrator can't manage segments with the *Implicit* mode configuration. | A Team is created for all Sales segment users to collaborate with each other. |

-| **Explicit** | When segment is added to a SharePoint site either via end-user site creation experience or by a SharePoint Administrator adding segment to a site, the site's IB mode is set as *Explicit*. See [this section](#view-and-manage-segments-as-an-administrator) for details on managing segments with the *Explicit* mode configuration. | A research site is created for Research segment users. |

-## Sharing sites for IB modes

-Sharing of sites with users is based on the IB mode of the site.

-### Open

-When a site has no segments and site's information barriers mode is set to *Open*:

->[!TIP]

->If you want to allow sharing of *Open* mode sites with mail-enabled security groups, see the [Allow sharing of Open mode sites with mail-enabled security groups](#allow-sharing-of-open-mode-sites-with-mail-enabled-security-groups) section in this article.

-### Owner Moderated

-When a site has information barriers mode is set to *Owner Moderated*:

-### Implicit

-When a site's information barriers mode is set to *Implicit*:

->[!NOTE]

->If you've enabled information barriers for SharePoint in your organization before March 15, 2022, see the **Enable SharePoint and OneDrive information barriers** section in this article.

-### Explicit

-When a site is associated with segment(s) and site's information barriers mode is set to *Explicit*:

-## Access control for IB modes

-Access to sites by users is based on the IB mode of the site.

-### Open mode

-For a user to access a SharePoint site that has no segment and site's information barriers mode is set to *Open*:

-### Owner Moderated mode

-For a user to access a SharePoint site with site's information barriers mode is set to *Owner Moderated*:

-### Implicit mode

-For a user to access SharePoint sites that have information barriers mode set to *Implicit*:

->[!NOTE]

->If you've enabled information barriers for SharePoint in your organization before March 15, 2022, see the **Enable SharePoint and OneDrive information barriers** section in this article.

-### Explicit mode

-For a user to access SharePoint sites that have segments and site's information barriers mode is *Explicit*:

- AND

-Non-segment users can't access a site associated with segments. They'll see an error message.

-## Example scenario

-The following example illustrates three segments in an organization: HR, Sales, and Research. An information barrier policy has been defined that blocks communication and collaboration between the Sales and Research segments. These segments are incompatible.

-

-With SharePoint information barriers, a SharePoint Administrator or Global Administrator can associate segments to a site to prevent the site from being shared with or accessed by users outside the segments. Up to 100 compatible segments can be associated with a site. The segments are associated at the site level (previously called site collection level). The Microsoft 365 group connected to the site is also associated with the site's segment.

-In the above example, the HR segment is compatible with both Sales and Research. However, because the Sales and Research segments are incompatible, they can't be associated with the same site.

-## Prerequisites

-1. Make sure you meet the [licensing requirements for information barriers](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#information-barriers).

-2. [Create information barrier policies](/office365/securitycompliance/information-barriers-policies) that allow or block communication between the segments, and then set them to active. Create segments and define the users in each.

-3. After you've configured and activated your information barrier policies, wait 24 hours for the changes to propagate through your organization.

-4. Complete the steps in the following sections to enable and manage SharePoint and OneDrive information barriers in your organization.

-## Enable SharePoint and OneDrive information barriers in your organization

-SharePoint Administrators or Global Administrators can enable information barriers in SharePoint and OneDrive in your organization. Complete the following steps to enable information barriers for your organization:

-1. [Download](https://go.microsoft.com/fwlink/p/?LinkId=255251) and install the latest version of SharePoint Online Management Shell.

-2. Connect to SharePoint Online as a Global Administrator or [SharePoint Administrator](sharepoint-admin-role.md) in Microsoft 365. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).

-3. To enable information barriers in SharePoint and OneDrive, run the following command:

- ```PowerShell

- Set-SPOTenant -InformationBarriersSuspension $false

- ```

-4. After you've enabled information barriers for SharePoint and OneDrive in your organization, wait for approximately 1 hour for the changes to take effect.

->[!NOTE]

->If you have enabled information barriers for SharePoint in your organization before March 15, 2022, the default access and sharing control for Implicit mode for Microsoft Teams-connected sites are based on the segments associated with the site.

-To enable Microsoft 365 group-membership based access and sharing control for all Implicit mode Teams-connected sites in your tenant, run the following command:

-```powershell

-Set-SPOTenant -IBImplicitGroupBased $true

-```

->[!NOTE]

->If you have Microsoft 365 Multi-Geo, you must run this command for each of your geo-locations.

-If you installed a previous version of the SharePoint Online Management Shell, complete the following steps:

-1. Go to **Add or remove programs** and uninstall *SharePoint Online Management Shell*.

-2. Navigate to the Microsoft Download Center for the [SharePoint Online Management Shell](https://go.microsoft.com/fwlink/p/?LinkId=255251)), select your language, and then select **Download**.

-3. You may be asked to choose between downloading a x64 and x86 .msi file. Download the x64 file if you're running the 64-bit version of Windows or the x86 file if you're running the 32-bit version of Windows. If you don't know which version you're running on your computer, see [Which version of Windows operating system am I running?](https://support.microsoft.com/help/13443/windows-which-operating-system).

-4. After the download is complete, run the installer file and follow the configuration steps in the setup wizard.

-5. Connect to SharePoint Online as a Global Administrator or [SharePoint Administrator](sharepoint-admin-role.md) in Microsoft 365. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).

-6. To enable information barriers in SharePoint and OneDrive, run the following command:

- ```PowerShell

- Set-SPOTenant -InformationBarriersSuspension $false

- ```

-7. After you've configured information barriers in SharePoint and OneDrive in your organization, wait for approximately 1 hour for the changes to take effect.

->[!NOTE]

->If you have enabled information barriers for SharePoint in your organization before March 15, 2022, the default access and sharing control for Implicit mode for Microsoft Teams-connected sites are based on the segments associated with the site.

-To enable Microsoft 365 group-membership based access and sharing control for all Implicit mode sites in your organization, run the following command:

-```powershell

-Set-SPOTenant -IBImplicitGroupBased $true

-```

->[!NOTE]

->If you have Microsoft 365 Multi-Geo, you must run this command for each of your geo-locations.

-## View and manage segments as an administrator

-SharePoint Administrators or Global Administrators can view and manage segments on a SharePoint site. Your organization can have up to 5,000 segments and users can be assigned to multiple segments.

-> [!IMPORTANT]

-> Support for 5,000 segments and assigning users to multiple segments is only available when your organization isn't in *Legacy* mode. Assigning users to multiple segments requires additional actions to change the information barriers mode for your organization. For more information, see [Use multi-segment support in information barriers)](/microsoft-365/compliance/information-barriers-multi-segment) for details. <br><br> For organizations in *Legacy* mode, the maximum number of segments supported is 250 and users are restricted to being assigned to only one segment. Organizations in *Legacy* mode will be eligible to upgrade to the newest version of information barriers in the future. For more information, see the [information barriers roadmap](https://www.microsoft.com/microsoft-365/roadmap?filters=&searchterms=information%2Cbarriers).

-View and manage information barriers segments as follows:

-### 1. Use the SharePoint admin center to view and manage information segments

-To view, edit, or remove information segments for a site, use <a href="https://go.microsoft.com/fwlink/?linkid=2185220" target="_blank">**Active sites** in the SharePoint admin center</a>.

-The Segments column lists the first segment associated with the site and shows whether the site has other segments associated. [Learn how to show or move this column](customize-admin-center-site-list.md#customize-columns)

-

-To view the complete list of segments associated with a site, select the site name to open the details panel, and then select the **Settings** tab.

-To edit the segments associated with the site, select **Edit**, add or remove segments, and then select **Save**.

-

-### 2. Use SharePoint PowerShell to view and manage information segments on a site

-1. Connect to the [Security & Compliance Center PowerShell](/powershell/exchange/office-365-scc/connect-to-scc-powershell/connect-to-scc-powershell) as a Global Administrator.

-2. Run the following command to get the list of segments and their GUIDs.

- ```PowerShell

- Get-OrganizationSegment | ft Name, EXOSegmentID

- ```

-3. Save the list of segments.

- |**Name**|**EXOSegmentId**|

- |:-|:|

- | Sales | a9592060-c856-4301-b60f-bf9a04990d4d |

- | Research | 27d20a85-1c1b-4af2-bf45-a41093b5d111 |

- | HR | a17efb47-e3c9-4d85-a188-1cd59c83de32 |

-4. If not previously completed, [download](https://go.microsoft.com/fwlink/p/?LinkId=255251) and install the latest SharePoint Online Management Shell. If you installed a previous version of the SharePoint Online Management Shell, follow the instructions in the **Enable SharePoint and OneDrive information barriers in your organization** section in this article.

-5. Connect to SharePoint Online as a [Global Administrator or SharePoint Administrator](./sharepoint-admin-role.md) in Microsoft 365. To learn how, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online).

-6. Run the following command:

- ```PowerShell

- Set-SPOSite -Identity <site URL> -AddInformationSegment <segment GUID>

- ```

- For example:

- ```powershell

- Set-SPOSite -Identity https://contoso.sharepoint.com/sites/ResearchTeamSite -AddInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111

- ```

-You'll see an error message if you attempt to associate a segment that isn't compatible with the site's existing segments.

->[!NOTE]

->When you add a segment to a site, the site's IB mode is automatically updated as *Explicit*.

-To remove segment from a site, run the following command:

-```PowerShell

-Set-SPOSite -Identity <site URL> -RemoveInformationSegment <segment GUID>

- ```

-For example:

-```powershell

-Set-SPOSite -Identity https://contoso.sharepoint.com/sites/ResearchTeamSite -RemoveInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111

-```

->[!NOTE]

->When all segments are removed from a site, the site's IB mode is automatically updated to *Open*.

-To view the segments of a site, run the following command to return the GUIDs of any segments associated with the site.

-```PowerShell

-Get-SPOSite -Identity <site URL> | Select InformationSegment

-```

-### 3. Use the SharePoint REST API to view and manage information segments on a site

-SharePoint includes a Representational State Transfer (REST) service that you can use to manage segments on a site. To access SharePoint resources and manage site segments using REST, you'll construct a RESTful HTTP request by using the OData standard, which corresponds to the desired client object model application programming interface (API).

-For more information about the SharePoint REST service, see [Get to know the SharePoint REST service](/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service).

-## View and manage IB modes as an administrator with SharePoint PowerShell

-To view the IB mode of a site, run the following command:

-```powershell

-Get-SPOSite -Identity <site URL> | Select InformationBarriersMode

-```

-### Owner Moderated mode scenario

-You want to allow a Sales and Research user to collaborate on a SharePoint site in the presence of HR user.

-*Owner Moderated* is a mode applicable to site (Teams-connected site, non-group connected sites) which allows incompatible segment users access to site. Only the site owner has the capability to invite incompatible segment users on this same site.

-To update a site's mode to *Owner Moderated*, run the following PowerShell command:

-```powershell

-Set-SPOSite -Identity <siteurl> -InformationBarriersMode OwnerModerated

-```

-Owner Moderated IB mode can't be set on a site with segments. Remove the segments first before setting IB mode as Owner Moderated. Access to an Owner Moderated site is allowed to users who have site access permissions. Sharing of an Owner Moderated site and its contents is only allowed by the site owner per their IB policy.

-## Auditing

-Audit events are available in the Microsoft Purview compliance portal to help you monitor information barrier activities. Audit events are logged for the following activities:

-For more information about SharePoint segment auditing in Office 365, see [Search the audit log in the compliance portal](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance#information-barriers-activities).

-## Site creation and management by site owners

-When a segmented user creates a SharePoint site, the site is associated with the user's segment and site's information barriers mode is automatically set to *Explicit*.

-In addition, the site owners have the capability to add more segments to a SharePoint site that already has segments with site's mode set as *Explicit*. Site owners can't remove added segments from sites. SharePoint Administrators will have to remove added segments in your organization if needed.

-When a non-segmented user creates a SharePoint site, the site isn't associated with any segment and site's information barriers mode is automatically set to *Open*.

-When a SharePoint Administrator creates a SharePoint site from the <a href="https://go.microsoft.com/fwlink/?linkid=2185219" target="_blank">SharePoint admin center</a>, the site isn't associated with any segment and the site's IB mode is set to *Open*.

-To help site owners add a segment to a site, share the [Associate information segments with SharePoint sites](https://support.microsoft.com/office/associate-information-segments-with-sharepoint-sites-2b03db07-6d3f-4297-a388-b943317a26a7) article with your SharePoint site owners.

-## Microsoft Teams sites

-When a team is created in Microsoft Teams, a SharePoint site is automatically created for the team's files. To protect the Microsoft Team sites with information barriers control, you can enable information barriers in SharePoint for your tenant.

-Within 24 hours, the site's information barriers mode is automatically set as *Implicit* and segments associated with the team's members are associated with the site.

-Microsoft Teams sites with the information barrier mode as *Implicit* have site access and sharing based on Microsoft 365 group membership.

-For example, users have access to the Microsoft Teams site if they're members of the Microsoft 365 group connected to the site. The Microsoft 365 group connected to the Team is IB compliant.

->[!NOTE]

->If you have enabled information barriers for SharePoint in your organization before March 15, 2022, the Teams-connected site's access and sharing is based on the segments of the site. For example:

-To enable Microsoft 365 group membership-based access and sharing control for all *Implicit* mode sites in your organization, run the following command as a SharePoint Administrator:

-```powershell

-Set-SPOTenant -IBImplicitGroupBased $true

-```

-## Private channel and information barriers

-When SharePoint Information barriers are enabled in your organization, any new private channel site automatically inherits its parent Microsoft Team's IB mode within 24 hours. The mode for a private channel is assigned as follows:

-| **Parent Team's IB mode** | **Private channel site's IB mode** |

-|:--|:--|

-| Open | Open |

-| Implicit or Owner Moderated | Implicit |

-Private channel site access and sharing is governed by its IB mode:

- - Access is allowed to anyone who has site access permissions

- - Sharing links are allowed per the site's existing sharing policy

- - People picker allows discoverability of user per the sharer's IB policy

- - Access is allowed to user who is currently a member of the private channel

- - Sharing is allowed using **People with existing access link**

-Private channel sites already configured in your organization will have their information barriers mode set as *Open*. To configure existing private channel sites to *Implicit* mode, run the following cmdlet in SharePoint PowerShell module:

-```powershell

-Set-Sposite -Identity <site URL> -InformationBarriersMode Implicit

-```

-Learn more about managing [Microsoft Teams connected teams sites](/SharePoint/teams-connected-sites).

-## Search

-Users will see search results from:

-## Effects of changes to user segments

-If a SharePoint site owner or site member's segment changes, they'll continue to have access to the site or content per the site's IB mode:

-## Effects of changes to existing information barrier policies

-If a compliance administrator changes an existing IB policy, the change may impact the compatibility of the segments associated with a site (in *Explicit* or *Implicit* mode).

-For example, segments that were once compatible may no longer be compatible.

-With Information barriers policy compliance report, the SharePoint Administrator will have the capability to view the list of sites where segments are no longer compatible. For more information, see [Learn how to create an information barriers policy compliance report in PowerShell](info-barriers-report.md).

-To manage out of compliance sites:

-## How to suspend SharePoint and OneDrive information barriers in your organization

-If your organization would like to temporarily suspend information barriers on SharePoint, you must use SharePoint Online Management Shell and the [Set-Spotenant](/powershell/module/sharepoint-online/set-spotenant) cmdlet.

-To suspend information barriers, run the following command:

-```PowerShell

-Set-SPOTenant -InformationBarriersSuspension $true

-```

->[!NOTE]

->If you have Microsoft 365 Multi-Geo, you must run this command for each of your geo-locations.

-## Allow sharing of Open mode sites with mail-enabled security groups

-IB supports an opt-in capability available in the [SharePoint PowerShell module](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online) for sites in *Open* mode to be shared with [mail-enabled security groups](/microsoft-365/admin/email/create-edit-or-delete-a-security-group) for site permissions, sharing, and audience targeting. This is only supported in *Open* mode sites. SharePoint admins can enable this support in your organization and we recommend you ensure the security group membership is IB compliant.

-Before enabling group support, verify that you've met the following prerequisites:

-To configure mail-enabled security group support in *Open* mode sites, run the following command:

-```powershell

-Set-SPOTenant -ShowPeoplePickerGroupSuggestionsForIB $true

-```

-## Resources

-Start building [the home site](./home-site.md), [hubs](./planning-hub-sites.md), [sites](https://support.microsoft.com/office/plan-your-sharepoint-communication-site-35d9adfe-d5cc-462f-a63a-bae7f2529182), and pages that will make up the framework of your intranet. Consider using Microsoft Purview Information Barriers to ensure [confidential content](./information-barriers.md) is seen by the right users or use [audience targeting](https://support.microsoft.com/office/target-content-to-a-specific-audience-on-a-sharepoint-site-68113d1b-be99-4d4c-a61c-73b087f48a81) to target specific content to certain groups of users.

-1. The minimum version of Azure Service Fabric Runtime supported by SharePoint Workflow Manager is 9.1.1583.9590, and you can download it from [Azure Service Fabric Runtime](https://download.microsoft.com/download/8/3/6/836E3E99-A300-4714-8278-96BC3E8B5528/9.1.1583.9590/Microsoft.Azure.ServiceFabric.WindowsServer.9.1.1583.9590.zip). Or you can find and download any higher version of its Windows Installer from [here](/azure/service-fabric/service-fabric-get-started).