Build Information Barriers in Microsoft Teams to Segregate Groups of Users

fishbowls.jpg

Privacy is rapidly becoming one of our greatest concerns in our digital society. Microsoft is putting a whole lot of effort into providing great tools for privacy and security in Office 365. Microsoft Teams is the fastest growing product in the history of the company and it sure gets its fair share of these efforts.

Many municipalities in Sweden are deploying Microsoft Teams for their schools. Teams is a wonderful tool for the classroom and its extensible nature opens up for many third-party learning tools to be a part of the Teams experience. Teachers love it and students love it.

However, letting children into the platform shared with many different kinds of users, internal and external, privacy becomes a challenge. For example, adult students, unknown to the teachers, children and parents can freely contact these children via chat, voice and video. As you can imagine, this is not a suitable setup.

Fear not! There are different ways to segregate groups of users in Microsoft Teams.

Step 1: Microsoft Teams Scoped Directory Search

Teams Scoped Directory Search sits on top of Exchange Online Adress Book Policies and let the organization create virtual boundaries (or views) of the organization. Users inside such a scope can only search and find users inside the same scope. This is a good start to hide certain user groups from each other, like students and faculties, but it won’t block communication. A user can still input the whole email address in Teams to initiate a chat or a call. This leads us to step 2.

Step 2: Microsoft Teams Information Barriers

Information barriers are policies that an admin can configure to prevent individuals or groups from communicating with each other. The differences from Scoped Directory Search is that information barriers also enforce the policy to block the communication and lets the user know this. You create policies based on queries for departments or other Azure AD attributes. This makes it very flexible.

Here are a couple of examples of the user experience when information barriers are violated.

Action User Experience if policy is violated
Adding Members to a team The user will not show up in search
Start a new private chat The chat is not created, and an error message appears
invited a user to join a meeting The user will not join the meeting and an error message appears
Screen sharing is initiated The screen share won’t be allowed, and an error message appears
Placing a phone call (VOIP) The voice call is blocked

InformationBarriers

When a new information barrier is created, the evaluation service searches across Teams to find any pre-existing communications that may violates the policy:

  • Existing 1:1 chats will become read-only
  • Users will be removed from group chats
  • Team membership will be updated accordingly

Summary

There are many situations where different users in an Azure AD should NOT be able to communicate with each other. These tools makes this possible and since dynamic queries are used for policies, if configured correctly, all this can be an automated experience for everyone.

Please follow me here, on LinkedIn and on Twitter.

@DanielChronlund

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s