Gravity Union

View Original

Essential Tools for Compliance and Management: An End-to-End Guide to SharePoint Premium (Part 2)

The first part of this SharePoint Premium series focused on Content Experiences and Content Processing features. This included capabilities such as: autofill columns, tools to assemble documents from templates, automated tagging, eSignatures, building AI document processing models and more.

In Part 2, we focus on the back-end content governance controls for IT admins and content owners.

These are features for managing compliance, access control, oversharing, content sprawl and more. Whether you’re handling sensitive information or just everyday files, SharePoint Premium’s content governance tools make it easier to stay on top of things.

This article covers three areas:

See this content in the original post

SharePoint Advanced Management (SAM) is an add-on for Microsoft 365 to enhance the governance, security, and management capabilities of SharePoint and OneDrive. It benefits organizations of all sizes, but especially those who have large volumes of content.

The key benefits of SharePoint Advanced Management are:

  • Enhanced governance with detailed reports and policies to manage sprawl and/or oversharing

  • Security features such as restricted access control policies and data access reports

Let’s go through both:

Manage governance with reports and policies

For better governance, SAM provides access to comprehensive reports to monitor and analyze content usage, compliance, and security across your organization. This visibility is crucial for making informed decisions about content, and planning for deployments such as Copilot.

The governance reports are available in the SharePoint Admin Center. Most of the features require IT Admin permissions, but some can be accessed by site owners.

SharePoint Advanced Management (SAM) is available in the admin center

Inactive Sites report

One of the ways to tackle content sprawl is to go after low hanging fruit, such as inactive sites in SharePoint.

The first step is to setup policies for your inactive sites. SAM supports configuring different policies for different types of sites. For example:

  • Employee portal Communication Sites are inactive if nobody visits in 12 months

  • Project Sites are inactive if nothing is edited for 3 months

When a site goes inactive, Site Owners get a notification. The owner selects the Certify site button in the notification email to keep the site.

Example of email to Certify site. Image source: Microsoft

The site owner is reminded a few times if they ignore the email. If they still do nothing, an admin can run a report and find the sites that have no owner action for additional follow up. Nothing is deleted automatically.

Get more details on this feature here: Manage site lifecycle policies - SharePoint in Microsoft 365 | Microsoft Learn

Manage oversharing

One of the worries with deploying an AI tool such as Copilot is that information will be exposed when it shouldn't be. That usually means an organization is relying on 'security by obscurity', which isn't a great strategy in the long-term!

SAM provides a way to start tackling this issue.

The Data access governance reports help identify sites with potentially overshared or sensitive content. You can use these reports to assess and apply appropriate security and compliance policies.

Data governance reports in SharePoint Admin

The following reports are currently available from the Data access governance landing page:

  • Sharing links

  • Sensitivity labels applied to files

  • Content shared with 'Everyone except external users'

Note: you don't need a SharePoint Premium license for all of these reports — it’s only required for Content shared with 'Everyone except external users.'

There are some limitations to these reports as some only show oversharing in the last 28 days, and there's a limit to how many sites can be listed. However, these are a good place to start to secure your environment and prepare for AI.

More detail: Data access governance reports for SharePoint sites - SharePoint in Microsoft 365 | Microsoft Learn

Security

The security features in SAM help IT owners and admins protect sensitive information. One key feature is the option to create access policies for more restrictive access so that users or Copilot can't use this information.

Restrict access policies
Policies to restrict access apply in 2 scenarios:

  • Restrict SharePoint access

  • Restrict OneDrive access

One example of why you might want to set this up is to restrict what Copilot has access to and returns in prompts to users.

Restricting SharePoint access means a policy limits permissions to pre-defined groups. It doesn't mean that Copilot will never access the site, it means that only permitted users will be able to do so.

It adds another layer of security for Global or SharePoint Administrators to manage the most sensitive sites or data in an organization.

To set this up, first you need to turn on a global setting in SharePoint Admin under Policies > Access Control > Site Level Access Restriction:

Step 1: Enable access restriction

This will let you control individual site access. An admin will do this under Active Sites > Restricted Access Settings:

Step 2: Restrict groups

Using these policies will also restrict user browsing and searching over the content.

There are differences in settings for group vs. non-group connected sites, learn more here: Restrict SharePoint site access with Microsoft 365 groups and Entra security groups

To limit access to OneDrive, see the instructions here: Restrict access to a user's OneDrive content to people in a group.

Licensing

SharePoint Advanced Management is a per-user license. To use SharePoint Advanced Management, you must have a license for each user in your organization.

SharePoint Advanced Management costs $3 USD / $3.80 CAD per user per month at the time of this writing.

See this content in the original post

Microsoft 365 Archive allows organizations to manage and store inactive data efficiently.

This is particularly useful for organizations that need to manage large volumes of content but want to avoid the costs associated with storing data that is no longer actively used. By archiving this data, organizations can free up valuable storage space and reduce costs, while still retaining the ability to access the data if needed.

Essentially, M365 Archive moves SharePoint sites into 'cold storage.'

Being in this cold tier means the site is no longer accessible by anyone in the organization outside of Microsoft Purview or admin search. Archiving a site means that everything is archived within it, including:

  • Document libraries and files

  • Lists and list data

  • Metadata

  • Permissions

Admin setup and controls

M365 Archive is configured through the Admin center, and pay-as-you go billing must be enabled to use this feature.

After it's enabled in the Syntex settings, admins select the active sites that they want to archive. The site will first go into a 'Recently archived' state, and after seven days it goes into the full 'Archived' state:

Archived sites in the SharePoint Admin center. Image source: Microsoft

Sites that are archived can be reactivated. A site retains all of its metadata and permissions upon reactivation.

The admin processes are manual in the user interface, but they can also be controlled through PowerShell.

The end-user experience

Archived sites and content will not display in search results or be accessible by end users. End users will see this when trying to access the site:

End user view of an archived site. Image source: Microsoft

In some cases, this is beneficial to content governance - users will be directed to find an active site, and not be distracted with old content in search results. In other cases, users might need older knowledge to refer to and are frustrated when they can't. To help resolve this, M365 Archive provides an option to add a link to reactivate a site that goes to a ticket system, request form, or contact for an admin.

Licensing

M365 archive is charged per-GB for both storage and reactivation.

Storage consumption is charged at a per-GB monthly rate. This rate is charged only when the archived storage AND the active storage in SharePoint exceeds the SharePoint storage capacity limit of the tenant.

Storage reactivation is also charged per-GB. This rate is charged regardless of whether a tenant is over or under the SharePoint limit and only if reactivation is executed more than seven days after the site was archived.

Get pricing details on Microsoft Learn.

See this content in the original post

M365 Backup is designed to help organizations safeguard their data against various threats including ransomware, malware attacks and human error.

Traditionally, organizations rely on tools outside of the Microsoft ecosystem to backup and restore for better diversification. Organizations may still want to do that, but M365 Backup may be an option if you prioritize faster backup and recovery times.

According to Microsoft's internal research, many customers will see average speeds for mass restores that are 20 times faster than traditional means of backing up and restoring large volumes of Microsoft 365 data. Source: Microsoft internal research, 2024

M365 Backup covers data in SharePoint, OneDrive and Exchange.

Setup and policy creation

Similar to M365 Archive, setup starts in the admin center in Syntex settings.

After it's enabled, an admin creates policies for each workload - OneDrive, SharePoint, or Exchange.

Setup for SharePoint backup policy. Image source: Microsoft

The policies seem configurable for frequency and retention, but they are pre-determined by Microsoft (at least for now).

What you can configure is *what* SharePoint sites, OneDrive or mailbox locations to backup. They can be selected through a CSV file, selecting specific locations or using a filter to search.

Learn more about setting up policies on Microsoft Learn

Licensing

As with the Archive feature, the Microsoft 365 Backup service is a pay-as-you-go service. The list price is $0.15 USD/GB/month of protected content.

Protected content includes:

  • The back up size of the protected mailboxes, SharePoint sites, and OneDrive accounts

  • Deleted content in the user’s Recycle Bin and second-stage Recycle Bin

As an example, if you have a 2GB site that is backed up, you are charged 2 GB for the first month. If you delete half the content so the site has only 1 GB of data, the next monthly bill will still be for 2 GB. Why? The backup tool is retaining the deleted content for a year. The bill will go down to 1GB for backup after 12 months.

Learn more about pricing.

Summary

SharePoint Premium governance features with M365 Archive and Backup are powerful options to help you manage content and get a handle on sprawl.

For assistance in setting up M365 Archive, Backup and implementing SharePoint Premium governance features, we encourage you to reach out to Gravity Union. Our experts are ready to help you navigate and optimize your Microsoft 365 environment.