Use information barriers with OneDrive

Information barriers are policies in Microsoft 365 that a compliance admin can configure to prevent users from communicating and collaborating with each other. This solution is useful if, for example, one division is handling information that shouldn't be shared with specific other divisions, or a division needs to be prevented, or isolated, from collaborating with all users outside of the division. Information barriers are often used in highly regulated industries and those organizations with compliance requirements, such as finance, legal, and government.

For OneDrive, information barriers can determine and prevent the following kinds of unauthorized collaborations:

  • User access to OneDrive or stored content
  • Sharing OneDrive or stored content with other users

Information barriers modes and OneDrive

When information barriers are enabled on SharePoint and OneDrive, the OneDrives of segmented users are automatically protected by IB policies. Information barriers modes help strengthen access, sharing, and membership of a OneDrive site based on the site's IB mode and the segments associated with the OneDrive.

When using information barriers with OneDrive, the following IB modes are supported:

  • Open: When a non-segmented user provisions their OneDrive, the site's IB mode is set to Open by default. There are no segments associated with the site.
  • Owner Moderated: When a OneDrive is used for collaboration with incompatible users in the presence of the site owner/moderator, the OneDrive's IB mode can be set to Owner Moderated. See the Manage the IB mode of a user's OneDrive section later in this article for details on Owner Moderated sites.
  • Explicit: When a segmented user provisions their OneDrive within 24 hours of enablement, the site's IB mode is set to Explicit by default. The user's segment, and other segments that are compatible with the user's segment and with each other, are associated with the user's OneDrive.

Sharing files from OneDrive

Open

When a OneDrive has no segments and its IB mode is Open:

  • The user can share files and folders based on the information barrier policy applied to the user and the sharing setting for the OneDrive.

Owner Moderated

When a site's information barriers mode is set to Owner Moderated:

  • The option to share with Anyone with the link is disabled.
  • The option to share with Company-wide link is disabled.
  • The site and its content can be shared with existing members.
  • The site and its content can be shared only by the OneDrive owner per their IB policy.

Explicit

When a OneDrive has segments and its IB mode is Explicit:

  • The option to share with Anyone with the link is disabled.
  • The option to share with Company-wide link is disabled.
  • Files and folders can be shared only with users whose segment matches that of the OneDrive.

Accessing shared files from OneDrive

Open mode

For a user to access content in a OneDrive that has no segments associated and whose IB mode is Open:

  • The files must be shared with the user.

Owner Moderated mode

For a user to access a site whose information barriers mode is set to Owner Moderated:

  • The user must have site access permissions.

Explicit mode

For a user to access content in a OneDrive that has segments and whose IB mode is Explicit:

  1. The user's segment must match a segment that is associated with the OneDrive.

    AND

  2. The files must be shared with the user.

Note

By default, non-segment users can access shared OneDrive files only from other non-segment users with IB modes as Open. They can't access shared files from OneDrive that have segment(s) applied and the IB mode is Explicit.

Example scenario

The following example illustrates three segments in an organization: HR, Sales, and Research. An information barrier policy has been defined that blocks communication and collaboration between the Sales and Research segments.

Example of segments in an organization

With information barriers in OneDrive, when a segment is applied to a user, that segment is automatically associated with the user's OneDrive within 24 hours. Other segments that are compatible with the user's segment and with each other are also associated with the OneDrive. A OneDrive can have up to 100 segments associated with it. A global or SharePoint admin can manage these segments using PowerShell, as described later in the Manage segments on a user's OneDrive section.

The following table shows the effects of this example configuration:

HR users
  • Segments associated with OneDrive: HR
  • IB mode on OneDrive: Explicit
  • OneDrive content can be shared with: HR only
  • OneDrive content can be accessed by: HR only

Sales users
  • Segments associated with OneDrive: Sales, HR
  • IB mode on OneDrive: Explicit
  • OneDrive content can be shared with: Sales and HR
  • OneDrive content can be accessed by: Sales and HR

Research users
  • Segments associated with OneDrive: Research, HR
  • IB mode on OneDrive: Explicit
  • OneDrive content can be shared with: Research and HR
  • OneDrive content can be accessed by: Research and HR

Non-segment users
  • Segments associated with OneDrive: None
  • IB mode on OneDrive: Open
  • OneDrive content can be shared with: Anyone, based on the sharing settings selected
  • OneDrive content can be accessed by: Anyone with whom the content has been shared

Enable SharePoint and OneDrive information barriers in your organization

Information barriers for SharePoint and OneDrive are enabled in a single action; they cannot be enabled separately for each service. To enable information barriers for OneDrive, see Enable SharePoint and OneDrive information barriers in your organization. After you've enabled information barriers for SharePoint and OneDrive, continue with the OneDrive guidance in this article.

Prerequisites

  1. Make sure you meet the licensing requirements for information barriers.
  2. Create information barrier policies that allow or block communication between the segments and activate the policies. Create segments and define the users in each.
  3. After you've configured and activated your information barrier policies, wait 24 hours for the changes to propagate through your organization.
  4. Enable information barriers for OneDrive. Information barriers for SharePoint and OneDrive are enabled in a single action; they cannot be enabled separately for each service. To enable information barriers for OneDrive, see the guidance and steps in the Use information barriers with SharePoint article.
  5. Complete the steps in the following sections to customize and manage information barriers for OneDrive in your organization.

Use PowerShell to view the segments associated with a OneDrive

A global or SharePoint admin can view and change the segments associated with a user's OneDrive.

  1. Connect to the Security & Compliance Center PowerShell as a global admin.

  2. Run the following command to get the list of segments and their GUIDs.

    Get-OrganizationSegment | ft Name, EXOSegmentID
    
  3. Save the list of segments.

    Name EXOSegmentId
    Sales a9592060-c856-4301-b60f-bf9a04990d4d
    Research 27d20a85-1c1b-4af2-bf45-a41093b5d111
    HR a17efb47-e3c9-4d85-a188-1cd59c83de32
  4. If not previously completed, download and install the latest SharePoint Online Management Shell. If you installed a previous version of the SharePoint Online Management Shell, follow the instructions in the Enable SharePoint and OneDrive information barriers in your organization article.

  5. Connect to SharePoint as a global admin or SharePoint admin in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.

  6. Run the following command:

    Get-SPOSite -Identity <site URL> | Select InformationSegment 
    

    For example:

    Get-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com | Select InformationSegment
    

Manage segments on a user's OneDrive

Warning

If the segments associated with a user's OneDrive don't match the segment applied to the user, the user won't be able to access their OneDrive. Be careful not to associate any segments with the OneDrive of a non-segment user.

Note

Any changes you make will be overwritten if the user's segment changes.

To associate a segment with a OneDrive, run the following command in the SharePoint Online Management Shell. A OneDrive can have up to 100 associated segments.

Set-SPOSite -Identity <site URL> -AddInformationSegment <segment GUID> 

For example:

Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com -AddInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111

When you add segments to a OneDrive, the site's IB mode is automatically updated to Explicit. An error will appear if you attempt to associate a segment that isn't compatible with the existing segments on the OneDrive.

To remove a segment from a OneDrive, run the following command.

Set-SPOSite -Identity <site URL> -RemoveInformationSegment <segment GUID>

For example:

Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com -RemoveInformationSegment 27d20a85-1c1b-4af2-bf45-a41093b5d111

If all the segments of a OneDrive site are removed, the IB mode of the OneDrive is automatically updated to Open.
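As an added example (not part of the Microsoft article), the following PowerShell audits a set of OneDrives against the segments you expect them to carry, flagging the lockout case from the warning above (segments on a non-segment user's OneDrive) and an IB mode that doesn't match the segment state. It assumes both a Security & Compliance PowerShell session and a SharePoint Online Management Shell session are already connected; the site URLs, the expected segment names and the function name Test-OneDriveSegments are constructed for this example.

```powershell
# Added example, not from the Microsoft article. Uses only the cmdlets and
# properties the article describes: Get-OrganizationSegment (Name, EXOSegmentId)
# and Get-SPOSite (InformationSegment, InformationBarriersMode).
function Test-OneDriveSegments {
    param([Parameter(Mandatory)] [hashtable] $Expected)   # URL -> expected segment names
    # Resolve segment names to GUIDs once (Security & Compliance session required).
    $idByName = @{}; $nameById = @{}
    foreach ($seg in Get-OrganizationSegment) {
        $id = [string] $seg.EXOSegmentId
        $idByName[$seg.Name] = $id
        $nameById[$id] = $seg.Name
    }

    foreach ($url in $Expected.Keys) {
        $site        = Get-SPOSite -Identity $url             # SPO session required
        $actualIds   = @($site.InformationSegment | ForEach-Object { [string] $_ })
        $expectedIds = @($Expected[$url] | ForEach-Object { $idByName[$_] })
        $missing     = @($expectedIds | Where-Object { $_ -notin $actualIds })
        $extra       = @($actualIds   | Where-Object { $_ -notin $expectedIds })
        $mode        = [string] $site.InformationBarriersMode
        $findings    = @()
        if ($expectedIds.Count -eq 0 -and $actualIds.Count -gt 0) {
            $findings += 'segments present on a non-segment user OneDrive (owner loses access)'
        }
        if ($missing) { $findings += 'missing: '    + (($missing | ForEach-Object { $nameById[$_] }) -join ', ') }
        if ($extra)   { $findings += 'unexpected: ' + (($extra   | ForEach-Object { $nameById[$_] }) -join ', ') }
        # Per the article: segments imply Explicit; no segments imply Open (or Owner Moderated).
        if ($actualIds.Count -gt 0 -and $mode -ne 'Explicit') { $findings += "mode is $mode with segments present" }
        if ($actualIds.Count -eq 0 -and $mode -eq 'Explicit') { $findings += 'mode is Explicit with no segments' }
        $status = if ($findings) { 'DRIFT' } else { 'OK' }
        [pscustomobject]@{
            Site     = $url
            Mode     = $mode
            Segments = ($actualIds | ForEach-Object { $nameById[$_] }) -join ', '
            Status   = $status
            Detail   = $findings -join '; '
        }
    }
}

# Constructed sample: John should carry Sales and HR; Jane is a non-segment user.
$expected = @{
    'https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com' = @('Sales', 'HR')
    'https://contoso-my.sharepoint.com/personal/Jane_contoso_onmicrosoft_com' = @()
}
Test-OneDriveSegments -Expected $expected | Format-Table -AutoSize
```

Run it after a policy or segment change and again 24 hours later, since the article notes that automatic re-segmentation can take that long.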

Manage the IB mode of a user's OneDrive (preview)

A SharePoint admin or global administrator can view and manage the IB mode of a OneDrive. To view the current mode, run the following PowerShell command:

Get-SPOSite -Identity <site URL> | Select InformationBarriersMode

For example:

Get-SPOSite -Identity https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com | Select InformationBarriersMode

Owner Moderated mode scenario: allow users from an incompatible segment to access a OneDrive. For example, you want an HR user's OneDrive to be accessible by both Sales and Research segment users.

Owner Moderated is a new mode for OneDrive sites that allows users from incompatible segments to access the OneDrive in the presence of a moderator/owner. Only the site owner can invite users from incompatible segments to the same site.

To update a OneDrive to Owner Moderated, run the following PowerShell command:

Set-SPOSite -Identity <site URL> -InformationBarriersMode OwnerModerated

Owner Moderated IB mode cannot be set on a site with segments. Remove the segments first before setting IB mode as Owner Moderated. Access to an Owner Moderated site is allowed to users who have site access permissions. Sharing of an Owner Moderated OneDrive and its contents is only allowed by the site owner per their IB policy.
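As an added example (not from the article), this function applies the ordering the paragraph above requires: remove any associated segments first, then set Owner Moderated, then read the mode back to confirm the change applied. It assumes a connected SharePoint Online Management Shell session; Set-OneDriveOwnerModerated is a hypothetical helper name and the site URL is a constructed sample.

```powershell
# Added example, not from the Microsoft article. Supports -WhatIf so the
# segment removals and the mode change can be previewed before they run.
function Set-OneDriveOwnerModerated {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $SiteUrl)

    $site     = Get-SPOSite -Identity $SiteUrl
    $segments = @($site.InformationSegment | ForEach-Object { [string] $_ })

    if ($site.InformationBarriersMode -eq 'OwnerModerated') {
        Write-Verbose "$SiteUrl is already Owner Moderated"
        return $site
    }

    # Owner Moderated can't be set while segments are associated, so remove them first.
    # Removing the last segment flips the mode to Open; the mode change below follows.
    foreach ($id in $segments) {
        if ($PSCmdlet.ShouldProcess($SiteUrl, "Remove segment $id")) {
            Set-SPOSite -Identity $SiteUrl -RemoveInformationSegment $id
        }
    }

    if ($PSCmdlet.ShouldProcess($SiteUrl, 'Set InformationBarriersMode to OwnerModerated')) {
        Set-SPOSite -Identity $SiteUrl -InformationBarriersMode OwnerModerated
    }

    # Read back and confirm; a mismatch here means the change did not apply.
    $after = Get-SPOSite -Identity $SiteUrl
    if (-not $WhatIfPreference -and $after.InformationBarriersMode -ne 'OwnerModerated') {
        throw "Mode on $SiteUrl is '$($after.InformationBarriersMode)', expected OwnerModerated"
    }
    return $after
}

# Preview only (constructed sample URL); drop -WhatIf to apply the change.
Set-OneDriveOwnerModerated -SiteUrl 'https://contoso-my.sharepoint.com/personal/John_contoso_onmicrosoft_com' -WhatIf
```

Remember the note earlier in this article: if the owner's own segment later changes, the automatic re-segmentation within 24 hours will overwrite this change.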

Effects of changes to user segments

If a user's segment changes, the OneDrive's segments and IB mode are automatically updated within 24 hours, as described in the Information barriers modes and OneDrive section above.

Example 1: If a user's segment is updated from Research to Sales, the user's OneDrive will be as follows within 24 hours:

  • Segment: Sales, HR
  • IB mode: Explicit

Example 2: If a user's segment is updated from HR to None, the user's OneDrive will be as follows within 24 hours:

  • Segment: None
  • IB mode: Open

Effects of changes to information barrier policies

If a compliance administrator changes an existing policy, the change may impact the compatibility of the segments associated with the OneDrive.

For example, segments that were once compatible may no longer be compatible. A SharePoint admin must change the segments associated with an affected site accordingly. Learn how to create an information barriers policy compliance report in PowerShell.

If a policy changes after files are shared, the sharing links will work only if the user attempting to access the shared files has a segment applied that matches a segment associated with the OneDrive.

Auditing

Audit events are available in the Microsoft 365 Compliance center to help you monitor information barrier activities. Audit events are logged for the following activities:

  • Enabled information barriers for SharePoint and OneDrive
  • Applied segment to site
  • Changed segment of site
  • Removed segment of site
  • Applied information barriers mode to site
  • Changed information barriers mode of site
  • Disabled information barriers for SharePoint and OneDrive

For more information about OneDrive segment auditing in Office 365, see Search the audit log in the compliance center.

Resources