
Ethical Wall Enforcement: Meeting SRA Conflict of Interest Obligations in Microsoft 365

The SRA requires law firms to maintain effective systems for managing conflicts of interest, and policy memos are no longer sufficient in a cloud-first environment where Teams, SharePoint, and Copilot surface information across the entire tenant. This guide covers the full Information Barriers deployment for regulated law firms: the technical enforcement of ethical walls that the COLP must be able to evidence to the regulator.

INSIGHTS OF 2026

The Regulatory Context

The Solicitors Regulation Authority (SRA) Standards and Regulations require law firms to maintain effective systems for identifying and managing conflicts of interest. When a firm acts for parties on opposing sides of a matter - or when one department holds price-sensitive information that another department must not access - the firm needs an "ethical wall" (also called a "Chinese wall" or "information barrier").

Historically, this was managed with physical separation, separate file servers, and policy memos. In a modern Microsoft 365 environment where Teams, SharePoint, OneDrive, Exchange, and Copilot all index and surface information across the tenant, a policy memo is insufficient. You need technical enforcement.

Microsoft 365 Information Barriers provide that enforcement. But the implementation is complex, poorly documented, and unforgiving of configuration errors. This article walks through the full deployment based on experience implementing barriers across fourteen law firms.

How Information Barriers Work

Information Barriers (IB) operate on a segment-and-policy model:

Segments

A segment is a logical grouping of users, defined by an Entra ID attribute. The typical approach is to use the Department attribute, but you can use any synced attribute - Company, CustomAttribute1-15 (via Exchange), or MemberOf (group membership).

# Connect to Security & Compliance PowerShell
Connect-IPPSSession -UserPrincipalName admin@lawfirm.com

# Create segments based on department
New-OrganizationSegment -Name "Corporate" -UserGroupFilter "Department -eq 'Corporate'"
New-OrganizationSegment -Name "Litigation" -UserGroupFilter "Department -eq 'Litigation'"
New-OrganizationSegment -Name "Real Estate" -UserGroupFilter "Department -eq 'Real Estate'"
New-OrganizationSegment -Name "Employment" -UserGroupFilter "Department -eq 'Employment'"

Policies

A policy defines the relationship between two segments. There are two types:

  1. Block - Users in Segment A cannot communicate with or discover users in Segment B
  2. Allow - Users in Segment A can only communicate with Segment B (blocking all others)

For law firms, the "Block" type is almost always appropriate, creating specific barriers between conflicted departments:

# Create a barrier between Corporate and Litigation
New-InformationBarrierPolicy -Name "Corporate-Litigation-Block" -AssignedSegment "Corporate" -SegmentsBlocked "Litigation" -State Active

# Create the reciprocal policy (required)
New-InformationBarrierPolicy -Name "Litigation-Corporate-Block" -AssignedSegment "Litigation" -SegmentsBlocked "Corporate" -State Active

Critical: Barrier policies are not automatically reciprocal. You must create the policy in both directions. Forgetting the reciprocal policy is the single most common implementation error.
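
One way to catch a missing reciprocal before it reaches production is to compare every enforced direction against its mirror image. This is an added example, not part of the original article; it assumes the policy objects expose Name, AssignedSegment, SegmentsBlocked and State (the names used by New-InformationBarrierPolicy above), and Find-OneWayBarrier is a hypothetical helper name.

```powershell
# Added example: flag active Block policies that have no active reverse policy.
function Find-OneWayBarrier {
    param([Parameter(Mandatory)][object[]]$Policies)

    # Only active Block policies enforce anything; an Inactive reverse policy is still a gap.
    $active = @($Policies | Where-Object { $_.State -eq 'Active' -and $_.SegmentsBlocked })

    # Index every enforced direction as "Assigned|Blocked" (case-insensitive segment names).
    $enforced = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($p in $active) {
        foreach ($b in $p.SegmentsBlocked) { [void]$enforced.Add("$($p.AssignedSegment)|$b") }
    }

    # Report each direction whose mirror image is not in the index.
    foreach ($p in $active) {
        foreach ($b in $p.SegmentsBlocked) {
            if (-not $enforced.Contains("$b|$($p.AssignedSegment)")) {
                [PSCustomObject]@{
                    Policy         = $p.Name
                    Enforced       = "$($p.AssignedSegment) -> $b"
                    MissingReverse = "$b -> $($p.AssignedSegment)"
                }
            }
        }
    }
}

# Constructed sample data (not real tenant output). The Employment reverse policy is Inactive.
$sample = @(
    [PSCustomObject]@{ Name = 'Corporate-Litigation-Block'; AssignedSegment = 'Corporate'
                       SegmentsBlocked = @('Litigation'); State = 'Active' }
    [PSCustomObject]@{ Name = 'Litigation-Corporate-Block'; AssignedSegment = 'Litigation'
                       SegmentsBlocked = @('Corporate'); State = 'Active' }
    [PSCustomObject]@{ Name = 'Corporate-Employment-Block'; AssignedSegment = 'Corporate'
                       SegmentsBlocked = @('Employment'); State = 'Active' }
    [PSCustomObject]@{ Name = 'Employment-Corporate-Block'; AssignedSegment = 'Employment'
                       SegmentsBlocked = @('Corporate'); State = 'Inactive' }
)

Find-OneWayBarrier -Policies $sample | Format-Table -AutoSize
# Live tenant, after Connect-IPPSSession:
#   Find-OneWayBarrier -Policies (Get-InformationBarrierPolicy)
```

An empty result means every active barrier is enforced in both directions.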

Applying Policies

After creating segments and policies, you must start the application process:

# Apply all information barrier policies
Start-InformationBarrierPoliciesApplication

# Check application status
Get-InformationBarrierPoliciesApplicationStatus | Format-List

Application can take 30 minutes to 24 hours depending on tenant size. Do not make changes during this period.

Teams Isolation

Once barriers are applied, the effects in Microsoft Teams are immediate and comprehensive:

  • Chat: Users in blocked segments cannot initiate 1:1 or group chats with each other. The "New chat" search will not return users from the blocked segment.
  • Teams membership: Users from blocked segments cannot be members of the same Team. If they are already members, they will be removed during policy application.
  • Calls: VoIP and PSTN calls between blocked segments are prevented.
  • Meeting chat: If users from blocked segments are both invited to a meeting, the meeting will proceed but the chat functionality is disabled.

Pre-existing Teams

This is where implementations go wrong. If a Team already contains users from both segments, the policy application process will attempt to remove the offending users. But it does not always succeed cleanly - especially with shared channels and private channels.

Before applying barriers, audit every Team for cross-segment membership:

# Requires Microsoft Graph PowerShell
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

$teams = Get-MgGroup -Filter "resourceProvisioningOptions/Any(x:x eq 'Team')" -All

# Collect the rows first: a foreach statement cannot be piped directly to Export-Csv
$report = foreach ($team in $teams) {
    $members = Get-MgGroupMember -GroupId $team.Id -All
    foreach ($member in $members) {
        # Request both properties explicitly; Graph returns only what -Property asks for
        $user = Get-MgUser -UserId $member.Id -Property UserPrincipalName, Department
        [PSCustomObject]@{
            TeamName = $team.DisplayName
            UserPrincipal = $user.UserPrincipalName
            Department = $user.Department
        }
    }
}
$report | Export-Csv -Path "C:\Audit\teams-membership-by-dept.csv" -NoTypeInformation

Review this report and remediate cross-segment memberships before activating barriers.
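
The review step can be narrowed to the Teams that actually straddle a planned barrier. The following is an added example, not part of the original article: it reads rows in the same TeamName/UserPrincipal/Department shape as the CSV above, assumes segment names equal Department values as in the segment definitions earlier, and uses a hypothetical 'SegmentA|SegmentB' string format for the barrier pairs. The users and Teams are constructed sample data.

```powershell
# Added example: list Teams whose membership spans a blocked pair of segments.
function Get-CrossSegmentTeam {
    param(
        [Parameter(Mandatory)][object[]]$Membership,   # rows: TeamName, UserPrincipal, Department
        [Parameter(Mandatory)][string[]]$BlockedPairs  # hypothetical format: 'SegmentA|SegmentB'
    )
    foreach ($team in ($Membership | Group-Object -Property TeamName)) {
        # Bucket this Team's members by department (hashtable keys are case-insensitive).
        $byDept = @{}
        foreach ($row in $team.Group) {
            $dept = '(none)'
            if (-not [string]::IsNullOrWhiteSpace($row.Department)) { $dept = $row.Department.Trim() }
            if (-not $byDept.ContainsKey($dept)) { $byDept[$dept] = @() }
            $byDept[$dept] += $row.UserPrincipal
        }
        # A Team conflicts when it holds at least one member from each side of a pair.
        foreach ($pair in $BlockedPairs) {
            $a, $b = $pair -split '\|', 2
            if ($byDept.ContainsKey($a) -and $byDept.ContainsKey($b)) {
                [PSCustomObject]@{
                    TeamName = $team.Name; Barrier = "$a <-> $b"
                    SideA = $byDept[$a] -join '; '; SideB = $byDept[$b] -join '; '
                }
            }
        }
        # Members with no department fall outside every segment; surface them for review.
        if ($byDept.ContainsKey('(none)')) {
            [PSCustomObject]@{
                TeamName = $team.Name; Barrier = 'unsegmented'
                SideA = $byDept['(none)'] -join '; '; SideB = ''
            }
        }
    }
}

# Constructed sample rows in the same shape as teams-membership-by-dept.csv.
$rows = @'
TeamName,UserPrincipal,Department
Project Falcon,a.khan@lawfirm.example,Corporate
Project Falcon,j.ortiz@lawfirm.example,Litigation
Project Falcon,svc.scanner@lawfirm.example,
Property Desk,m.lee@lawfirm.example,Real Estate
Property Desk,p.shah@lawfirm.example,Real Estate
'@ | ConvertFrom-Csv

Get-CrossSegmentTeam -Membership $rows -BlockedPairs 'Corporate|Litigation' |
    Format-Table -AutoSize
# Real data: -Membership (Import-Csv 'C:\Audit\teams-membership-by-dept.csv')
```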

SharePoint Site Restrictions

Information Barriers enforce access controls on SharePoint sites associated with Teams. When a barrier is applied:

  • The SharePoint site linked to a Team inherits the barrier policy
  • Users from blocked segments cannot access the site or its document libraries
  • The site will not appear in search results for blocked users

For standalone SharePoint sites (not linked to a Team), you must enable IB on the site explicitly:

# Enable Information Barriers on a standalone SharePoint site
Set-SPOSite -Identity "https://lawfirm.sharepoint.com/sites/matter-12345" -InformationBarriersMode "Open"
# Modes: Open, OwnerModerated, Implicit, ExplicitlyAssociatedWithSegment

The InformationBarriersMode options are:

  • Open - IB-compatible but no segment restrictions
  • OwnerModerated - Site owner can add users from any segment (use sparingly)
  • Implicit - Inherits segment from the associated Team
  • ExplicitlyAssociatedWithSegment - Manually assigned to a specific segment

OneDrive Discovery Prevention

Information Barriers also affect OneDrive. Users from blocked segments:

  • Cannot browse to each other's OneDrive via direct URL
  • Will not see each other's files in search results
  • Cannot share OneDrive files with each other

This is automatic once policies are applied. However, verify it is working:

# Verify OneDrive IB compliance
Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" | ForEach-Object {
    [PSCustomObject]@{
        OneDriveUrl = $_.Url
        Owner = $_.Owner
        InformationBarriersMode = $_.InformationBarriersMode
    }
} | Export-Csv -Path "C:\Audit\onedrive-ib-status.csv" -NoTypeInformation

Deployment Sequence

The order of operations matters enormously. Here is the standard deployment sequence:

  1. Entra ID attribute hygiene - Ensure every user has the correct Department attribute. Run a report. Fix gaps. This takes 1-2 weeks for most firms.
  2. Segment creation - Create all segments. Verify with Get-OrganizationSegment.
  3. Pre-barrier audit - Audit Teams membership, SharePoint access, and shared mailboxes for cross-segment conflicts.
  4. Remediate conflicts - Remove users from cross-segment Teams, reassign shared mailboxes, update distribution lists.
  5. Create policies in Inactive state - Build the policies but do not activate them. Review with the COLP (Compliance Officer for Legal Practice).
  6. Activate and apply - Set policies to Active and run Start-InformationBarrierPoliciesApplication.
  7. Verify - Test chat, Teams membership, SharePoint access, and search from both sides of the barrier.
  8. Monitor - Check the IB compliance report weekly for the first month.

Impact on Search and People

Information Barriers modify the behaviour of Microsoft Search and the People card:

  • People search - Users from blocked segments do not appear in People search results
  • Organisation chart - The org chart in Delve/Profile cards is truncated at the barrier boundary
  • Suggested contacts - Outlook's suggested contacts will not recommend users from blocked segments
  • Microsoft Copilot - Copilot will not surface content from blocked segments (this is critical for firms enabling AI)

Common Failures

Orphaned Users

Users without a valid Department attribute are not assigned to any segment. They become "orphaned" and may be able to communicate across barriers. Run this check monthly:

# Find users not in any segment
# Requires both sessions: Connect-MgGraph (Get-MgUser) and Connect-IPPSSession (Get-OrganizationSegment)
$allUsers = Get-MgUser -All -Property UserPrincipalName, Department
# Extract the quoted department value from each segment filter, e.g. "Department -eq 'Corporate'"
$segmentedDepts = (Get-OrganizationSegment).UserGroupFilter | ForEach-Object {
    if ($_ -match "'([^']+)'") { $Matches[1] }
}
$orphaned = $allUsers | Where-Object { $_.Department -notin $segmentedDepts }
$orphaned | Select-Object UserPrincipalName, Department | Export-Csv -Path "C:\Audit\orphaned-users.csv" -NoTypeInformation

Segment Conflicts

If a user belongs to a department that matches two overlapping segments, behaviour is unpredictable. Ensure segment filters are mutually exclusive.

Shared Mailboxes

Shared mailboxes that span barriers cause delivery failures. Identify and remediate these before activation.

Exchange Transport Rules as a Complement

Information Barriers control Teams, SharePoint, and OneDrive - but they do not natively block email between segments. For that, deploy Exchange transport rules:

# Block email between Corporate and Litigation
New-TransportRule -Name "IB-Block-Corporate-to-Litigation" -FromMemberOf "Corporate-DL" -SentToMemberOf "Litigation-DL" -RejectMessageReasonText "This message has been blocked by the firm's information barrier policy. Contact compliance@lawfirm.com if you believe this is in error." -Priority 0

Conclusion

Information Barriers in Microsoft 365 provide genuine technical enforcement of ethical walls. But the implementation requires careful planning - attribute hygiene, pre-barrier audits, staged deployment, and ongoing monitoring. For SRA-regulated firms, this is no longer optional. If your firm is relying on policy memos and trust to enforce ethical walls in a cloud-first environment, you are not meeting the regulatory standard.