Legal requirements, directory attributes, segments, policies, workload modes, rollout, monitoring, and evidence

Microsoft Purview Information Barriers Planning Guide

Design two-way internal communication and collaboration boundaries that the business can explain, operate, and defend. Translate legal and conflict-of-interest requirements into reliable user segments, the minimum block or allow policies, compatible Teams and SharePoint/OneDrive modes, a testable rollout, controlled owner-moderated collaboration, user support, monitoring, and durable audit evidence.

Legacy, single-segment, and multi-segment organization modes; attributes and source ownershipTeams chats, calls, meetings, groups, channels, SharePoint, OneDrive, Planner, people search, and filesLicensing, least privilege, policy application, propagation, exceptions, compliance reports, lifecycle, and rollback
Regulated business segments collaborating in separate transparent work zones with a controlled owner-moderated bridge and an unsegmented open area
Information Barriers succeed when segment boundaries are reliable, compatible collaboration is intentional, owner-moderated bridges are exceptional, and every workload/user lifecycle is tested—not when the policy diagram exists only in Purview.

Planning objective

Build a lawful collaboration boundary—not a substitute for access control or email policy

Microsoft Purview Information Barriers (IB) restrict two-way communication and collaboration between defined users and segments in Microsoft Teams, SharePoint, OneDrive, and supported Microsoft Planner experiences. Depending on the workload and configuration, IB can limit finding a user, starting chats or calls, adding team members, sharing screens or files, accessing or sharing site/OneDrive content, and assigning or sharing supported Planner work.

IB does not restrict the content of Exchange Online email messages. Use documented Exchange mail-flow rules for email communication controls. IB is also independent from eDiscovery compliance boundaries, and it does not replace Microsoft Entra access, Teams/SharePoint permissions, sensitivity labels, DLP, retention, Conditional Access, insider-risk processes, communication compliance, or a documented exception/incident workflow.

Start with written legal, regulatory, contractual, conflict-of-interest, independence, confidentiality, or ethical requirements. For every proposed incompatible relationship, name the accountable business/legal owner, affected people and collaboration paths, required exceptions, duration, data impacts, user experience, evidence, and consequence of incorrect blocking or incorrect access. The technology plan must preserve supported business collaboration without weakening the boundary.

Control statement: No segment or policy should be activated until the organization mode, license coverage, least-privileged roles, source attributes, two-way policy matrix, unsegmented population, Microsoft 365 Groups/Teams/sites/OneDrives/Planner impacts, application dependencies, test corpus, support plan, monitoring, evidence, and recovery actions are approved.

Architecture decisions

Choose the organization and resource modes before defining filters

Legacy mode

Legacy organizations support up to 250 segments and one segment per user. Exchange address-book-policy behavior differs and existing ABPs are a prerequisite concern. Treat legacy modernization as a separate Microsoft-supported project, not an in-place assumption.

Single-segment mode

A user belongs to one segment. Non-IB users/groups remain visible to segmented users, and IB no longer relies on Exchange ABPs in the same way as legacy. Choose attributes that remain mutually exclusive throughout HR and identity lifecycle events.

Multi-segment mode

A user can belong to up to 10 segments, and non-legacy organizations can define up to 5,000 segments. Enable multi-segment before defining segments/policies; Microsoft warns not to revert after configuring IB. Multi-segment creators can trigger owner-moderated resource behavior.

Block versus allow

Block policies describe incompatible segments; allow policies describe the only compatible segments. Microsoft recommends block policies for most scenarios for consistent user experience. Use the minimum policies, and assign only one policy to each segment.

Teams modes

Open does not apply IB membership restrictions; Implicit allows compatible users and is the normal mode for new Teams after enablement; Owner Moderated allows an owner to supervise incompatible members under their own policy. Existing teams may remain Open until changed.

SharePoint modes

Open uses permissions plus the sharer’s policy; Implicit uses connected Microsoft 365 Group membership; Explicit associates specific compatible segments; Owner Moderated supports controlled mixed collaboration. Sharing links and membership behavior change by mode.

OneDrive modes

Open has no segments; Explicit uses the owner and compatible associated segments; Owner Moderated allows owner-supervised incompatible collaboration; Mixed is an opt-in path for segmented-owner sharing with unsegmented users. Validate access and sharing separately.

Unsegmented population

Inventory everyone outside segments—executives, legal, HR, contractors, guests, disabled/hidden identities, service accounts, new hires, transfers and acquisitions. Visibility and collaboration behavior differ by organization mode and policy design.

Workload test matrix

Validate what the user can discover, initiate, join, share, access, and keep

Workload or controlExpected IB behaviorPlanning dependenciesTests and evidenceCommon blind spot
Teams people search, chat, call and screen sharingIncompatible users should not find/select one another for restricted actions, start new one-to-one/group chats, place calls, invite to meetings, share screens or exchange files through restricted collaboration paths.Scoped directory search, segment/policy application, organization mode, Teams client cache/propagation, existing conversations, federation/guest context, meeting design.Allowed/blocked pair searches, new/existing chat, group chat, call, screen share, file, meeting invitation and multiple clients; relationship cmdlet and policy-application evidence.Assuming a blocked Teams relationship also blocks email, external cross-tenant behavior, or every existing artifact.
Teams and Microsoft 365 Group membershipMembership must be compatible with the Team/group IB mode. The background compliance process can remove noncompliant members after user policy/segment or group-mode changes.Existing Open teams, Implicit/Owner Moderated modes, owners, multi-segment users, guests, group source, provisioning automation, private/shared channels.Add/remove allowed and blocked users; mode change; attribute transfer; owner change; existing roster reconciliation; group/team/site consistency and audit evidence.Activating policies while legacy Teams remain Open, losing an owner, or treating a group creation success as proof of ongoing compliance.
Private and shared channelsNew private-channel sites inherit appropriate parent-team mode after SharePoint enablement; shared-channel membership is checked within the tenant. External organization participants are not bounded by both tenants’ IB policies in the same way.Parent Team mode, existing private-channel sites, shared-channel policy, cross-tenant access, external teams, site mode, owner/member changes.Create/add/share channel, add user to team with shared channels, internal/external team sharing, site membership/content access, policy/segment change and noncompliance response.Believing IB alone prevents collaboration with incompatible people in another organization’s tenant.
SharePoint connected sitesImplicit sites use compliant Microsoft 365 Group membership; new Teams sites become Implicit after enablement/propagation. Incompatible direct access/sharing should be blocked according to mode.Tenant SharePoint/OneDrive IB enablement, site mode, connected group/team, existing direct permissions/sharing links, private/shared channel sites, search/Copilot.Member/nonmember, direct permission, existing-access link, Anyone/company link availability, search and Copilot visibility/open, app access, segment/policy change and compliance report.Ignoring existing Open sites or believing search-result suppression and access denial are always identical.
SharePoint Explicit/Owner Moderated/OpenExplicit requires a matching associated segment plus permission; Owner Moderated permits owner-supervised incompatible access; Open relies on permission while sharing is constrained by the sharer’s IB policy.Approved use case, compatible site segments, owner continuity, permissions, links, apps, sensitivity/sharing settings, multi-segment creator behavior.Matching/nonmatching/unsegmented users, owner/non-owner sharing, owner removal, permission without segment, segment without permission, link reuse, search and policy change.Using Owner Moderated as a broad exception without an accountable moderator and expiry.
OneDrive sharing and accessA segmented owner’s OneDrive is protected according to Explicit, Owner Moderated or Mixed mode; Open applies to non-segmented owners. Access still requires content permission and compatible mode/policy conditions.Provisioning timing, owner segment(s), mode, associated segments, existing links/direct access, unsegmented collaboration, sync/search/Copilot and offboarding.Owner and compatible/incompatible/unsegmented users, new/existing share, direct link, folder/file, owner transfer/segment change, sync and application access.Assuming a policy change automatically cleans every historical sharing/permission state without validation.
Planner basic plansPeople-picker restrictions affect new plan sharing and task assignment in supported basic-plan clients. Existing plans and already assigned tasks can remain accessible.Plan type/client support, current sharing/assignments, Teams/group context, unsegmented users, project/process owner and alternate workflow.Search, new share, new assignment, existing plan/task access, allowed/blocked pair and client variants; inventory exceptions and business continuity.Assuming all Planner/Premium experiences or historical assignments are remediated automatically.
Email, eDiscovery and adjacent Purview controlsIB does not block email content and does not define eDiscovery compliance boundaries. Other controls must implement those objectives.Exchange transport rules, address-book visibility, DLP, sensitivity, retention, communication compliance, eDiscovery roles/boundaries, insider-risk process.Email allowed/blocked cases through the separate rule; eDiscovery scope test; label/DLP behavior; audit and case ownership.Claiming IB is a complete ethical wall across every Microsoft 365 data and communication path.

Twelve-step planning and rollout

Prove the business boundary before applying it user by user

Document the requirement

Obtain legal/compliance and executive ownership for every incompatible relationship, permitted collaboration, data/workload scope, jurisdiction, effective/expiry date, exception authority, evidence, and consequence of under- or over-blocking.

Confirm subscriptions and roles

Verify current Microsoft subscription/add-on requirements for all affected users and administrators. Assign least-privileged IB Compliance Management or compliance administration roles; protect emergency access and audit administrative actions.

Record organization mode

Use the supported configuration cmdlets to record Legacy, SingleSegment or MultiSegment. Review existing ABPs, segment limits, multi-segment need and irreversibility warning. Do not design from a screenshot or assume a new tenant’s behavior.

Prepare prerequisites

Enable/verify audit logging; enable Teams scoped directory search before the first policies and allow at least 24 hours; validate Security & Compliance/Exchange/SharePoint PowerShell access, administrators, change control and support readiness.

Inventory people and resources

Enumerate licensed users, guests, disabled/hidden accounts, service identities, groups, Teams, channels, sites, OneDrives, Planner plans, apps and existing collaborations. Find Open resources, mixed memberships, direct permissions, external contexts and business-critical exceptions.

Engineer source attributes

Select supported Entra/Exchange attributes or MemberOf groups with an authoritative owner, allowed values, validation, change approval, HR/identity workflow, synchronization SLA, duplicate/missing-value control, transfer/offboarding handling and audit.

Model segments and policies

Build expected membership lists and a symmetric compatibility matrix. Use minimal block policies for most scenarios, reciprocal policies where the intended restriction requires both segment directions, no more than one policy per segment, and inactive status during design.

Design resource modes and exceptions

Map existing/new Teams/groups/sites/OneDrives to Open, Implicit, Explicit, Owner Moderated or Mixed as supported. Define moderators, owners, expiry, external/shared-channel limits, app-only dependencies, search/Copilot behavior and alternate collaboration paths.

Build the test population

Use non-production identities representing each segment combination, unsegmented users, multi-segment users, owners/moderators, guests, transfers, service/app contexts and allowed/blocked pairs. Define expected behavior for every matrix row and client.

Activate and apply a controlled pilot

Set approved policies active and apply all policies under a change window. Microsoft notes about 30 minutes before processing begins and approximately 5,000 users per hour; monitor application status and do not treat submission as completion.

Enable workloads and reconcile

Enable SharePoint and OneDrive IB together, allow roughly 24 hours for propagation, move approved existing Teams/sites from Open where required, reconcile removed/noncompliant users, site segments/modes, private/shared channels, OneDrives, apps and Planner exceptions.

Validate, communicate, monitor and close

Execute the full corpus, capture relationship/policy/application/site evidence, train help desk and owners, notify affected users, monitor audit and compliance reports, fix failures, document suspension/rollback, schedule attribute/resource recertification and retain approval/evidence.

Blocking design defects

Top risks and common Information Barriers misconfigurations

Technology before legal design

Segments based on the org chart can over-block business collaboration or fail the actual conflict rule. Require a written two-way compatibility model and accountable legal/business authority.

Wrong organization mode

Legacy, single-segment and multi-segment behavior differs for limits, user membership and Exchange visibility. Verify mode before creating segments; do not assume multi-segment can be casually reversed.

Unreliable directory attributes

Missing, duplicated, stale, free-text or user-editable values move people into the wrong segment. Treat segment attributes as controlled identity/security data with source ownership and monitoring.

One-way policy object, two-way requirement

A blocked relationship may require reciprocal policies for both assigned segments even though the business outcome is two-way separation. Test both directions and never assign multiple policies to one segment.

Existing Teams remain Open

Teams created before activation can stay Open. Inventory and deliberately change eligible existing Teams/groups and associated sites; activation alone is not a complete retrofit.

SharePoint/OneDrive not enabled

Teams file collaboration depends on SharePoint. If IB is not enabled for SharePoint and OneDrive, the chat/member boundary and file/site boundary can diverge.

Owner Moderated becomes a bypass

Owner Moderated is a controlled collaboration model, not a general exception. Limit moderators, purpose, membership, content, review, duration and replacement ownership.

External shared-channel assumption

Internal IB relationships do not automatically impose matching restrictions across another organization’s tenant. Pair IB with cross-tenant, guest, channel, data and contractual controls.

Email falsely assumed blocked

IB does not restrict email message communication. Design and test separate Exchange mail-flow rules where the requirement includes email, with reversible change control.

Policy applied but not reconciled

Background processing, propagation, removed members, out-of-compliance sites, existing links/tasks and application behavior require validation. “Application completed” is not final business evidence.

Operations and evidence

Monitor identities, policies, resources, exceptions, and user outcomes together

Relationship and membership evidence

Use supported cmdlets to query the IB relationship between test/affected users, list segments and policies, and compare computed membership with the authoritative expected roster. Investigate missing, overlapping and unexpected unsegmented users.

Policy application evidence

Capture policy states, the Apply all policies request, start/completion/failure/in-progress status, affected-user counts, timestamps and errors. Retain every application run so changes can be correlated with user/resource outcomes.

Teams and group evidence

Record resource mode, owners, members, removed/incompatible users, private/shared channels, external context, creation path, user/segment/mode change events, and allowed/blocked actions across supported clients.

SharePoint/OneDrive evidence

Capture tenant enablement/suspension state, mode and associated segments, group/team membership, permissions, sharing links, search/Copilot behavior, app-only settings, compliance/insights reports, and remediation of incompatible sites.

Audit and exception evidence

Search Purview Audit for IB segment, policy, application and SharePoint/OneDrive changes. Link moderator/exception approvals, owner, members, business purpose, content, external parties, compensating controls, expiry and review.

User and service evidence

Track support tickets, blocked legitimate collaboration, prohibited collaboration attempts, user notices, owner/moderator readiness, application failures, external/shared-channel incidents, email-rule gaps and time to safe resolution.

Measures and cadence

Prove that the barrier still matches the business as people and resources change

Attribute quality

Coverage of required attributes/groups, invalid values, duplicate/conflicting membership, unsegmented population, synchronization latency, unauthorized changes and transfer/offboarding completion. Segment correctness begins upstream.

Policy completeness

Required legal relationships mapped, reciprocal directions implemented, one policy per segment, inactive/draft versus active state, successful application, failed users, recent validation and evidence owner.

Resource compliance

Teams/groups/sites/OneDrives by mode, legacy Open resources, incompatible members/segments, private/shared-channel exceptions, direct permissions/links, app dependencies, compliance-report findings and remediation age.

Exception exposure

Owner-moderated/Mixed resources, moderators, incompatible users, external participants, data/business purpose, compensating controls, last use, expiry, owner continuity, review and validated retirement.

User outcome

Allowed collaboration success, prohibited action blocks, false blocks, help-desk volume, resolution time, transfer/new-hire/offboarding defects, client differences, application failures and unaddressed email/external paths.

Closed-loop remediation

Policy/attribute/resource findings with owner, due date, change record, user/business communication, retest, audit evidence, root-cause correction and follow-up application/report status.

Per change

Legal approval, attribute/segment/policy/resource impact, application, propagation, test, communication, evidence and rollback.

Daily during rollout

Application status/errors, removed users, support/incident queues, critical applications/resources and approved stop/suspension decisions.

Monthly

Attribute drift, unsegmented/multi-segment users, active policies, Open/incompatible resources, exceptions, reports and remediation.

Quarterly

Legal/business attestation, owner/moderator review, end-to-end test corpus, roles/licenses/audit, external/email gaps and recovery exercise.

Frequently asked questions

Microsoft Purview Information Barriers planning

Do Information Barriers block email between incompatible segments?

No. Microsoft states that IB policies do not restrict communication in email messages. If the requirement includes email, design and test separate Exchange Online mail-flow rules under change control. Keep address-book visibility, email delivery and Teams/SharePoint collaboration outcomes distinct.

What is the difference between block and allow policies?

A block policy prevents the assigned segment from communicating with specified segments; an allow policy permits the assigned segment to communicate only with specified segments. Microsoft recommends block policies for most scenarios for consistent user experience. Use the minimum policies and only one policy per segment.

Can a user belong to more than one Information Barriers segment?

Yes in MultiSegment mode, where a user can belong to up to 10 segments. Legacy and SingleSegment modes allow one segment per user. Non-legacy organizations can support up to 5,000 segments; legacy supports up to 250. Verify mode before designing and do not assume a configured multi-segment tenant can be reverted.

How long does policy application take?

Microsoft notes roughly 30 minutes before application starts and processing of about 5,000 user accounts per hour. SharePoint and OneDrive behavior can require about 24 hours after policies are configured/activated and the services are enabled. Monitor actual application status and validate workload outcomes.

What does Owner Moderated mode do?

Owner Moderated allows a designated owner to manage collaboration involving otherwise incompatible users according to the supported resource behavior and the owner’s policy. Treat it as a governed exception with an accountable moderator, purpose, membership limits, content controls, review, expiry and backup owner.

Can IT Perfection help plan and validate Information Barriers?

Yes. IT Perfection can inventory identities and Microsoft 365 resources, validate directory attributes, design the segment/policy matrix, map Teams/SharePoint/OneDrive modes, build pilot tests, configure operational evidence, support rollout and help remediate incompatible or legacy collaboration for Orange County and Southern California organizations.

Governed Microsoft 365 collaboration boundaries

Make the legal boundary accurate in the directory, visible in the resource, and testable in every user journey

IT Perfection can help your legal, compliance, identity, collaboration and support teams translate conflict rules into a practical Information Barriers architecture, clean the source attributes, identify existing-resource gaps, validate permitted and prohibited collaboration, and build a lifecycle that stays reliable as people and workspaces change.

Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, Microsoft infrastructure, cloud security, and operations experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, legal/ethical-wall review, penetration test, incident-response engagement, or Microsoft support case.