Slides of the session about Governance features in SharePoint Premium that I delivered at the Modern Workplace Conference Paris 2024. In the session I demonstrated those governance features in four key areas: Security Controls | Content Lifecycle Management | Site Actions & Data Access Governance
5. Agenda
• Business & customer challenges to govern content
in Microsoft 365
• Governance features in SharePoint Premium
• Session Recap
• Quick References & Roadmap
6. Business challenges with data in Microsoft 365
• 2 billion documents a day are added to Microsoft 365
• Unstructured data is the leading contributor to data growth
• By 2025, 80–90% of data growth will be associated with unstructured data
• Traditional methods of managing content aren’t effective at this scale
• Organizations spend $59 billion per year storing and managing content
• Classification projects remain a manual effort
• Human errors by an organization’s own employees or at an external vendor are behind a large fraction of data breaches
7. Customer challenges
• SharePoint is the content platform for all M365
Apps:
Sprawl of SharePoint sites content
Oversharing and accidental sharing
Content lifecycle management
[Word cloud: SILO’D | LATENT | SLOW | HIGH COST | INFLEXIBLE | DATA CHAOS | MONOLITHIC | UNGOVERNED | LACK OF OWNERSHIP]
9. Content Governance with SharePoint
Premium
• Governance features with SharePoint Premium
at a glance:
Restricted access controls
Sites lifecycle management
Data Access Governance reports
Recent changes in Sites
10. Content Governance with SharePoint Premium
Detect | Monitor | Take action | Automate
SharePoint Premium Governance:
• Site lifecycle management (SLM) policy framework
• Site lifecycle inactive sites policy
• Data Access Governance (DAG) Insights
• Collaboration Insights
• Recent actions insights
• Change history
• Restricted access control (RAC) Policy for OneDrive
• Restricted access control (RAC) Policy for Sites
• Granular Conditional Access Policies (GCAP)
Governance Principles: Monitor and discover sites with high exposure, take appropriate actions, and automate
11. Restricted Access Control (RAC) for
SharePoint Sites
A RAC policy can be set at the site level. Even if
individual files/folders have broken inheritance and
are over-shared, only RAC-allowed users can access them
Restrict access only to a set of users/groups at site
level
Available for Microsoft 365 group-connected,
Teams-connected, and non-group connected
sites
It can be set up in the SPO Admin Center or
through PowerShell
15. Restricted Access Control (RAC) for
OneDrive
Allow only a set of users, part of a security group, to
have access to OneDrive files
Restrict access to OneDrive only to a set of
users/groups
Meet any regulatory or business requirements
that require keeping external or partner users
away from your internal users’ OneDrive
16. Restricted Access Control (RAC) for
OneDrive
RAC Setting for
OneDrive access
Security Group
configured
17. Conditional Access Policies for
SharePoint Sites and OneDrive
Associate MFA (multi-factor authentication) and granular CA
(conditional access) policies
Apply advanced access policies on SharePoint Sites,
Teams, and M365 Groups based on conditions such
as GPS Location, IP Address, etc.
Tailor the additional authentication
requirements for business sensitive sites
Authentication contexts can be applied through
PowerShell or the use of Sensitivity labels
18. Conditional Access Policies for
SharePoint Sites and OneDrive
Setting CA at the Site level
with authentication contexts
20. Block download policy for SPO Sites
& OneDrive
Block download policy can be set at the site level. It
prevents document downloads for both external
and internal users
Data leakage is a common problem in any organization;
the major root cause is users downloading files out of the
secure Microsoft 365 ecosystem
Applicable to all file types. Special parameter
for Teams Meeting Recordings when setting
up the policy (-BlockDownloadFileTypeIds
TeamsMeetingRecording)
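How the site-level controls from slides 11, 17 and 20 can be applied and read back with the SharePoint Online Management Shell, as an added example that is not part of the original deck. The tenant and site URLs, the group ID, the authentication context name and the helper name `Set-SiteGovernanceBaseline` are placeholders, and the property names read back at the end are assumed to mirror the parameter names.

```powershell
# Added example. All URLs, IDs and names below are placeholders, not values from the deck.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL

# One-time tenant switch: RAC has to be enabled before it can be set on any site.
# Allow time for the setting to take effect before configuring sites.
Set-SPOTenant -EnableRestrictedAccessControl $true

function Set-SiteGovernanceBaseline {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [guid[]] $AllowedGroupIds,  # groups allowed through RAC
        [string] $AuthContextName                          # must already exist in Entra ID
    )

    # Restricted access control: users outside the listed groups lose access,
    # even to files or folders that were shared with them individually.
    Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true
    Set-SPOSite -Identity $SiteUrl -AddRestrictedAccessControlGroups $AllowedGroupIds

    # Block download: applies to internal and external users of the site.
    Set-SPOSite -Identity $SiteUrl -BlockDownloadPolicy $true

    # Authentication context: the conditional access policy bound to this
    # context (for example MFA) is enforced when the site is accessed.
    if ($AuthContextName) {
        Set-SPOSite -Identity $SiteUrl -ConditionalAccessPolicy AuthenticationContext `
                    -AuthenticationContextName $AuthContextName
    }

    # Read the settings back so the change can be confirmed and recorded.
    # Property names are assumed to match the parameter names.
    Get-SPOSite -Identity $SiteUrl |
        Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups,
                      BlockDownloadPolicy, ConditionalAccessPolicy, AuthenticationContextName
}

# Placeholder site, group ID (all zeros) and authentication context name.
Set-SiteGovernanceBaseline -SiteUrl 'https://contoso.sharepoint.com/sites/finance' `
    -AllowedGroupIds '00000000-0000-0000-0000-000000000000' `
    -AuthContextName 'Sensitive sites - MFA'

# Teams meeting recordings use the file-type variant of the policy (tenant setting).
Set-SPOTenant -BlockDownloadFileTypePolicy $true -BlockDownloadFileTypeIds TeamsMeetingRecording
```

The settings read back here can later be compared against the change history report described further down the deck.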
21. Block download policy for SPO Sites
& OneDrive
Setting the Block Download
Policy for a Site
Informative banner enabled
once the policy is configured
22. Demo #3: Block download
policies for SPO Sites and
OneDrive
23. Site lifecycle management policies
Set up an inactive site policy to automatically detect
inactive sites based on conditions and send
notifications to site owners via email
Manage inactive sites across your tenant from the
SharePoint Admin Center
Site Admins can download a CSV report with the
inactive sites identified by the policy
Site owners are notified monthly for three
months. They can confirm if the sites are still
active
24. Site lifecycle management policies
Access to the Site
lifecycle management
Wizard for creating a Site
lifecycle management policy
26. Recent Admin Action for SharePoint
Sites
Shows recent actions taken on sites, including
updates to site name, URL, storage quota,
membership, etc.
Review and understand recent changes you
have made on sites in the tenant, as well as
status updates on your recent actions
Review the last 30 actions in the last 30 days.
Export and download a .csv file detailing all the
changes made
29. Change history report
Actions reported include updates to site name,
URL, storage quota, membership, etc.
Review SharePoint Sites property changes
made within the last 180 days by any Admin
and Site Owner
It’s possible to create up to 5 reports. Two
report types: Site settings | Organization
settings. A report can be downloaded as .CSV
30. Change history report
Site settings changes report
CSV report with the changes
that happened in sites in the tenant
32. Secure document libraries
It does not overwrite the label already applied
to documents uploaded to the library
Classify and protect files in a document library
by setting up a default sensitivity label
It works with Office files and PDF files (note:
PDF files need an extra step)
35. Data access governance reports (*)
Control access to sensitive content by finding
sites storing files with sensitivity labels applied
Discover how content is being shared across the
organization and identify sites that contain
overshared or sensitive content
Data access governance reports provide
information for the last 30 days. These
reports can also be downloaded in CSV format
36. FAQs
• A RAC policy applied to a Teams-connected site is not inherited by any
private and/or shared channel in the Team
• The Inactive Sites policy does not allow setting up automatic deletion of
inactive sites
• Applying a label to PDFs uploaded to a secure document library
requires some additional setup
38. Quick References & Roadmap
• Restrict SharePoint site access with Microsoft 365 groups and Entra
security groups - SharePoint in Microsoft 365 | Microsoft Learn
• Restrict OneDrive access by security group - SharePoint in Microsoft
365 | Microsoft Learn
• Block download policy for SharePoint sites and OneDrive - SharePoint
in Microsoft 365 | Microsoft Learn
• Manage site lifecycle policies - SharePoint in Microsoft 365 |
Microsoft Learn
• Review recent SharePoint administrator site actions - SharePoint in
Microsoft 365 | Microsoft Learn
39. Quick References & Roadmap
• Create change history reports for SharePoint sites - SharePoint in
Microsoft 365 | Microsoft Learn
• Configure a default sensitivity label for a SharePoint document library
| Microsoft Learn
• Enable sensitivity labels for files in SharePoint and OneDrive |
Microsoft Learn
• Data access governance reports for SharePoint sites - SharePoint in
Microsoft 365 | Microsoft Learn
40. Session Summary
• Governance features in SharePoint Premium are designed to help
solve the challenges of governing content in Microsoft 365
• The following features are in the box: Sites lifecycle management |
Restricted access controls | Recent changes in sites
• Monitor and discover sites with high exposure, take appropriate
actions, and automate
• SharePoint Premium can be a key asset in a successful rollout of
Copilot for Microsoft 365
Review the last 30 actions made within the last 30 days in the recent actions panel.
View more details such as previous and current value of the settings changed and directly access the site details panel to review the change.
Export and download a .csv file detailing all the changes made within the last 30 days.
You can create change history reports in the SharePoint admin center to review SharePoint site property changes made within the last 180 days.
Create up to five reports for a given date range and filter by sites and users. You can download the report as a .csv file to view the site property changes.
Show all the recent actions taken by all administrators and owners on sites for the past 180 days, including updates to site name, URL, storage quota, membership, etc.
When SharePoint is enabled for sensitivity labels, you can configure a default label for document libraries. Then, any new files uploaded to that library, or existing files edited in the library will have that label applied if they don't already have a sensitivity label, or they have a sensitivity label but with lower priority.
A default label offers a baseline level of protection and a form of automatic labeling without content inspection. To help you distinguish between this feature's default label and the default label in label policies:
Default sensitivity label for a document library: Location-based labeling, applicable only for SharePoint. Overrides a lower-priority label unless manually applied.
Default sensitivity label from a policy: Always applicable for all locations. Never overrides an existing label.
When you use Office on the web to create or edit a file, the default sensitivity label for a document library can be applied without delays. However, labeling is not immediate if you upload a file or create it using Microsoft 365 Apps on Windows, macOS, iOS or Android, and then save to SharePoint:
File upload: it can take a few minutes for the label to be applied.
Microsoft 365 Apps: the label is applied after the app is closed.
When a report is ready, select it to view the data. Each sharing link report includes:
Up to 100 sites with highest number of sharing links created in the last 30 days.
The policies applied to these sites – site sensitivity, site unmanaged device policy, and site external sharing policy.
The primary admin for each site.
Note that the reports don't include OneDrive data.