Microsoft Purview Information Barriers v2 (IB v2) is now generally available for all new onboarding customers. IB v2 has enhanced architecture which enables the following new features:
Large-scal...
present conflicting information, even years after they were first publicly described here. What's the catch?
Allow policies don't work as expected. They need explicit concurring (opposite) block policies to work as described above. That renders them more or less useless, as they don't really break down the complexity of the topic. I am a bit frustrated, to be honest.
Now, with the new multi-segment feature, several questions are still left unanswered, and even more conflicting documentation comes along. Let's take a look at the example from the official doc for multi-segment mode:
North School District's IB policies
The North School District has two schools, School 1 and School 2. The district policy is to allow students and teachers to communicate with each other only if they are both in the same school. For example, a student and teacher that are both in School 1 can communicate, but a student in School 1 cannot communicate with a teacher in School 2. For this scenario, multiple segments are configured to support the following district policy scenarios:
North School District's schools and plan
North School District has two schools:
School 1 segment: allowed communication with students and teachers in School 1; prevented communication with students and teachers in School 2.
School 2 segment: allowed communication with students and teachers in School 2; prevented communication with students and teachers in School 1.
North School District's defined segments
North School District will use the Department attribute in Azure Active Directory to define segments, as follows:
North School District defines three IB policies, as described in the following table:
Policy Policy Definition
Policy 1: Students and teachers in School 1 can communicate with each other
New-InformationBarrierPolicy -Name School1Policy -SegmentsAllowed 'School1' -AssignedSegment 'School1' -State Active
In this example, the IB policy is called School1Policy. When this policy is active and applied, it will enable students and teachers in School 1 to communicate with each other. This policy is a one-way policy; it won't prevent students and teachers in School 1 from communicating with School 2. For that, Policy 2 is needed.
Policy 2: Students and teachers in School 2 can communicate with each other
New-InformationBarrierPolicy -Name School2Policy -SegmentsAllowed 'School2' -AssignedSegment 'School2' -State Active
In this example, the IB policy is called School2Policy. When this policy is active and applied, it will enable students and teachers in School 2 to communicate with each other.
Policy 3: Teachers in different schools can communicate with each other
New-InformationBarrierPolicy -Name AllTeachersPolicy -SegmentsAllowed 'AllTeachers' -AssignedSegment 'AllTeachers' -State Active
In this case, the IB policy is called AllTeachersPolicy. When this policy is active and applied, teachers in School 1 and School 2 can communicate with each other.
The most important part is obviously missing, which is "[...] to allow students and teachers to communicate with each other only if they are both in the same school".
Since I was not sure whether I was overlooking something, I fed all the information about IBs I could gather (per the official doc) and the example above to ChatGPT and asked whether it sees any conflicts here.
That is the answer: "Given these policies, the stated goal of preventing students and teachers in School 1 from communicating with students and teachers from School 2 is not explicitly achieved by the policies provided.
In fact, the policies seem to allow communication between students and teachers within their respective schools (School 1 and School 2) and also allow communication between teachers from different schools (School 1 and School 2). The policies don't explicitly restrict communication between students and teachers of different schools.
To achieve the goal of preventing communication between students and teachers from different schools, additional policies or rules would need to be defined to enforce those restrictions explicitly. As described, the provided policies focus on enabling communication within specific segments but do not impose cross-segment restrictions as per the stated goal."
Sooo... what now? I am confused. The official doc clearly shows that even the writers of the official doc get confused about the configuration concepts of information barriers. We need clearer documentation about this. I would be happy to help dive into the concept with the developers and fix the documentation for good, if possible. This feature is so powerful and highly appreciated, but as of now it's in a pretty messy state and, even more frustrating, no one seems to care.
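The way to settle what the three allow policies actually do is to build the North School District example in a test tenant and then ask the service, pair by pair, whether two users may communicate. The script below is an added example; it is not from the Microsoft doc and not part of the original post. It assumes Security & Compliance PowerShell is already connected (Connect-IPPSSession from the ExchangeOnlineManagement module), that the test tenant can be switched to multi-segment mode, that test users carry the constructed Department values School1-Student, School1-Teacher, School2-Student and School2-Teacher (the doc says Department is used but does not show the values), that the -or form of the UserGroupFilter is accepted for combining two values of the same attribute, and that the contoso.com UPNs are placeholders.

```powershell
# Added example, not the Microsoft doc's or the original poster's code.
# Assumes: Connect-IPPSSession already run; test tenant; constructed Department
# values School1-Student / School1-Teacher / School2-Student / School2-Teacher;
# placeholder UPNs at contoso.com.

# The doc example needs one user in two segments (a teacher is in a school
# segment and in AllTeachers), which is only possible in multi-segment mode.
Set-PolicyConfig -InformationBarrierMode 'MultiSegment'

# Segments keyed on the Department attribute (filter values are assumptions).
New-OrganizationSegment -Name 'School1' `
    -UserGroupFilter "Department -eq 'School1-Student' -or Department -eq 'School1-Teacher'"
New-OrganizationSegment -Name 'School2' `
    -UserGroupFilter "Department -eq 'School2-Student' -or Department -eq 'School2-Teacher'"
New-OrganizationSegment -Name 'AllTeachers' `
    -UserGroupFilter "Department -eq 'School1-Teacher' -or Department -eq 'School2-Teacher'"

# The three allow policies exactly as the doc example defines them.
New-InformationBarrierPolicy -Name 'School1Policy'     -AssignedSegment 'School1'     -SegmentsAllowed 'School1'     -State Active
New-InformationBarrierPolicy -Name 'School2Policy'     -AssignedSegment 'School2'     -SegmentsAllowed 'School2'     -State Active
New-InformationBarrierPolicy -Name 'AllTeachersPolicy' -AssignedSegment 'AllTeachers' -SegmentsAllowed 'AllTeachers' -State Active

# Policies only take effect after application; this is asynchronous.
Start-InformationBarrierPoliciesApplication

# Poll until the application run reports completion before testing pairs.
do {
    Start-Sleep -Seconds 60
    $status = Get-InformationBarrierPoliciesApplicationStatus
    Write-Host "Application status: $($status.Status)"
} while ($status.Status -ne 'Completed')

# The check that matters: does the tenant actually block the cross-school pairs?
# 'Expect' is the district policy as the doc states it in prose, not a claim
# about what the cmdlet will return; the cmdlet output is the ground truth.
$pairs = @(
    @{ A = 'student1@contoso.com'; B = 'teacher1@contoso.com'; Expect = 'allowed (same school)' },
    @{ A = 'student1@contoso.com'; B = 'teacher2@contoso.com'; Expect = 'blocked (student and teacher in different schools)' },
    @{ A = 'student1@contoso.com'; B = 'student2@contoso.com'; Expect = 'blocked (students in different schools)' },
    @{ A = 'teacher1@contoso.com'; B = 'teacher2@contoso.com'; Expect = 'allowed (AllTeachersPolicy)' }
)

foreach ($p in $pairs) {
    Write-Host "`n=== $($p.A) <-> $($p.B)   district policy says: $($p.Expect)"
    # Returns the segment/policy assignment of both users and whether they may communicate.
    Get-InformationBarrierRecipientStatus -Identity $p.A -Identity2 $p.B
}
```

The second and third pairs are the ones the post is about: if Get-InformationBarrierRecipientStatus reports them as able to communicate, the doc example really does need additional block policies (or different allow semantics) to implement the stated district policy; if it reports them blocked, the "one-way policy" sentence in the doc is the part that is misleading. Either way the output for your tenant is the only reliable answer, and running this after any segment or policy change (followed by another Start-InformationBarrierPoliciesApplication) is the regression check worth keeping.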