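#------------------------------------------------------------
# 2-Configure-IB.ps1
# Configure Information Barriers v2 (IB)
# 2021-03-27 Martina Grom, atwork.at
#------------------------------------------------------------
# Purpose: interactive, step-by-step walkthrough that enables IB v2
# (multi-segment mode) in a Microsoft 365 tenant, creates two sample
# segments and policies, applies them and verifies the result.
# Run it selection by selection (F8) from an admin session; it is a
# walkthrough, not an unattended end-to-end script.
# Inputs (set below, replace the placeholders before running):
#   $AdminUpn   - UPN of the admin used for the EXO / IPPS logins
#   $TenantName - tenant prefix for https://<tenant>-admin.sharepoint.com
# IB supports Teams, OneDrive for Business and SharePoint Online.
# https://techcommunity.microsoft.com/t5/security-compliance-and-identity/information-barriers-v2-is-now-generally-available-for-all-new/ba-p/3757781
# Follow the steps at
# https://learn.microsoft.com/en-us/microsoft-365/compliance/information-barriers-policies?view=o365-worldwide#step-1-make-sure-prerequisites-are-met
# Note: If the following login does not work properly, switch to Windows PowerShell (x64)
# PowerShell: Show session menu
#------------------------------------------------------------
# Placeholders
#------------------------------------------------------------
# Kept as strings so the file parses as a whole; the original bare
# <...> placeholders are a syntax error in PowerShell ('<' is reserved).
$AdminUpn   = '<admin@yourtenant.org>'   # REPLACE: admin UPN used for every login below
$TenantName = '<yourtenant>'             # REPLACE: prefix of the SPO admin URL
# Fail early with a clear message instead of an odd login error when a
# placeholder was left in place.
foreach ($placeholder in @($AdminUpn, $TenantName)) {
    if ($placeholder -match '[<>]') {
        throw "Replace the placeholder value '$placeholder' at the top of the script before running it."
    }
}
#------------------------------------------------------------
# Import and Login
#------------------------------------------------------------
# Note: Use the latest EXO v3
Import-Module ExchangeOnlineManagement
# Connect to Exchange Online PowerShell with an interactive login
# https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps
Connect-ExchangeOnline -UserPrincipalName $AdminUpn
# Connect to Security & Compliance PowerShell using modern authentication and the ExchangeOnlineManagement v3 module
# https://learn.microsoft.com/en-us/powershell/module/exchange/connect-ippssession?view=exchange-ps
# Required for Set-PolicyConfig (see below) - that cmdlet lives in the IPPS session, not in EXO.
Connect-IPPSSession -UserPrincipalName $AdminUpn
# Test the EXO connection if needed
Get-PSSession | Select-Object -Property State, Name
# Get-EXORecipient <some-mailbox>
#------------------------------------------------------------
# Check the audit log
#------------------------------------------------------------
# https://learn.microsoft.com/en-gb/microsoft-365/compliance/audit-log-enable-disable?view=o365-worldwide#verify-the-auditing-status-for-your-organization
# Confirm ingestion is on BEFORE changing IB settings so the changes made
# below are recorded in the unified audit log.
Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled
# Enable audit Log if required
# Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
#------------------------------------------------------------
# Connect to Azure
#------------------------------------------------------------
Import-Module -Name Az.Resources
Import-Module -Name Az.Accounts
# Connect to Azure with a browser sign in token
Connect-AzAccount
#------------------------------------------------------------
# Add the Multi tenant IB app to the tenant & consent to it
#------------------------------------------------------------
# https://learn.microsoft.com/en-us/microsoft-365/compliance/information-barriers-policies?view=o365-worldwide#step-1-make-sure-prerequisites-are-met
# $appId is the IB service principal's application id taken from the
# prerequisites page above; re-check it there before granting tenant-wide
# admin consent to it.
$appId = "bcf62038-e005-436d-b970-2a472f8c1982"
$sp = Get-AzADServicePrincipal -ServicePrincipalName $appId
$sp
# Create the service principal if it doesn't exist yet
if ($null -eq $sp) { New-AzADServicePrincipal -ApplicationId $appId }
# Give the consent as Admin (opens the browser; consent is granted interactively there)
Start-Process "https://login.microsoftonline.com/common/adminconsent?client_id=$appId"
#------------------------------------------------------------
# Configure Information Barriers v2 (IB)
#------------------------------------------------------------
# Check which IB mode is enabled
# https://techcommunity.microsoft.com/t5/security-compliance-and-identity/information-barriers-v2-is-now-generally-available-for-all-new/ba-p/3757781
Get-PolicyConfig
# Filter just the InformationBarrierMode
Get-PolicyConfig | Format-List *information*
# We need to set up the multi-segment support on organizational level first
# https://techcommunity.microsoft.com/t5/security-compliance-and-identity/information-barriers-v2-is-now-generally-available-for-all-new/ba-p/3757781
Get-OrganizationConfig | Format-List *information*
# If tenant is in Legacy mode:
<#
PS > Get-OrganizationConfig | fl *information*
MaxInformationBarrierSegmentsLegacy :
MaxInformationBarrierSegments : 5000
MaxInformationBarrierBridges : 5000
InformationBarriersManagementEnabled : False
InformationBarriersEnforcementEnabled : False
InformationBarriersRestrictPeopleSearch : True
InformationBarrierMode : Legacy
#>
# Get default tenant domain (or set it hardcoded).
# -First 1 keeps $DefaultDomain a single object: if the filter ever matched
# more than one domain, .DomainName would be an array and the
# Enable-... call below would fail.
$DefaultDomain = Get-AcceptedDomain |
    Where-Object { $PSItem.DomainName -like '*onmicrosoft.com' -and $PSItem.DomainName -notlike '*.mail.onmicrosoft.com' } |
    Select-Object -First 1
if ($null -eq $DefaultDomain) {
    throw 'No *.onmicrosoft.com accepted domain found - set $DefaultDomain manually before continuing.'
}
<#
PS > Enable-ExoInformationBarriersMultiSegment -Organization M365x42927623.onmicrosoft.com
Information : Multi Segment mode successfully enabled.
Success : True
Identity :
IsValid : True
ObjectState : New
#>
Enable-ExoInformationBarriersMultiSegment -Organization $DefaultDomain.DomainName
<# Organization config result should show now:
PS > Get-OrganizationConfig | fl *information*
MaxInformationBarrierSegmentsLegacy :
MaxInformationBarrierSegments : 5000
MaxInformationBarrierBridges : 5000
InformationBarriersManagementEnabled : False
InformationBarriersEnforcementEnabled : False
InformationBarriersRestrictPeopleSearch : True
InformationBarrierMode : MultiAllow
#>
# If single mode - enable multimode | only this one command is in the IPPS PowerShell session, not in the Exchange-only module
Set-PolicyConfig -InformationBarrierMode 'MultiSegment'
# Check it
Get-PolicyConfig | Format-List *information*
<#
PS > Get-PolicyConfig | fl *information*
SensitiveInformationScanTimeWindowExo :
InformationBarrierMode : MultiSegment
InformationBarrierPeopleSearchRestriction : Enabled
#>
#------------------------------------------------------------
# Set the IB policies
#------------------------------------------------------------
# Sample segments keyed on the Department attribute; adapt the filters to
# your own directory attributes.
New-OrganizationSegment -Name "Retail" -UserGroupFilter "Department -eq 'Retail'"
New-OrganizationSegment -Name "Operations" -UserGroupFilter "Department -eq 'Operations'"
Get-OrganizationSegment | Format-List
# Setup policy - active or inactive.
# -State Active means the block is enforced as soon as the application run
# below finishes; create them with -State Inactive first if you want to
# review segment membership before anything is blocked.
New-InformationBarrierPolicy -Name "Operations-to-Retail" -AssignedSegment "Operations" -SegmentsBlocked "Retail" -State Active
New-InformationBarrierPolicy -Name "Retail-to-Operations" -AssignedSegment "Retail" -SegmentsBlocked "Operations" -State Active
# Apply the policies (runs asynchronously - check the status cmdlets below)
Start-InformationBarrierPoliciesApplication
# See a list of available policies
Get-InformationBarrierPolicy
Get-InformationBarrierPolicy | Select-Object Name, Guid, State, SegmentsAllowed, SegmentsBlocked | Format-Table
# Most recent display information about whether policy application completed, failed, or is in progress.
Get-InformationBarrierPoliciesApplicationStatus
# Display information about all application runs
# Get-InformationBarrierPoliciesApplicationStatus -All $true
#------------------------------------------------------------
# Test the IB policies
#------------------------------------------------------------
# Get a list of all segments
Get-OrganizationSegment
# See the status of IB between two users (AdeleV / DebraB are demo-tenant
# sample users - replace them with users from your own segments)
# Get-InformationBarrierRecipientStatus -Identity AdeleV@M365x42927623.OnMicrosoft.com -Identity2 DebraB@M365x42927623.onmicrosoft.com
Get-InformationBarrierRecipientStatus -Identity AdeleV -Identity2 DebraB
Get-InformationBarrierRecipientStatus -Identity DebraB -Identity2 AdeleV
# Look up a single policy by its EXO policy id (GUID below is from the author's tenant;
# take yours from the Get-InformationBarrierPolicy output above)
# Get-InformationBarrierPolicy -ExoPolicyId a4cdf52e-65b5-4fae-ab64-9d707d64829e
# Troubleshooting
# Lookup specific users if they are affected by an IB policy
Get-InformationBarrierRecipientStatus -Identity AdeleV
# Look which segments are included in IB policies
# Get-InformationBarrierPolicy -Identity b42c3d0f-49e9-4506-a0a5-bf2853b5df6f
# Make sure segments are configured correctly
# Get-OrganizationSegment -Identity c96e0837-c232-4a8a-841e-ef45787d8fcd
# Issue: Communications are allowed between users who should be blocked in Microsoft Teams
# Get-InformationBarrierRecipientStatus -Identity <value> -Identity2 <value>
#------------------------------------------------------------
# Configuration for information barriers on SharePoint and OneDrive
# https://learn.microsoft.com/en-us/sharepoint/information-barriers
# https://learn.microsoft.com/en-us/sharepoint/information-barriers-onedrive
# https://learn.microsoft.com/en-us/MicrosoftTeams/information-barriers-in-teams
#------------------------------------------------------------
# Check and update modules first
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select-Object Name, Version
# Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
# Update-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser -Force
Import-Module Microsoft.Online.SharePoint.PowerShell
# Connect to SPO
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
# Enable IB in SharePoint
Set-SPOTenant -InformationBarriersSuspension $false
Set-SPOTenant -IBImplicitGroupBased $true
Get-OrganizationSegment | Format-Table Name, EXOSegmentID
# Microsoft Teams
# NOTE(review): Set-UnifiedGroup works per group and -Identity is mandatory;
# as written PowerShell prompts for it. Pass the group(s) that should get
# implicit IB mode explicitly, e.g. Set-UnifiedGroup -Identity <group> -InformationBarrierMode Implicit
Set-UnifiedGroup -InformationBarrierMode Implicit
# Disconnect the admin sessions when done so no authenticated session is left open
# Disconnect-ExchangeOnline
# Disconnect-SPOService
# Disconnect-AzAccount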