Latest Enhancements in Microsoft 365 Content Governance
As AI becomes embedded in everyday work, governance shifts from being a back‑office function to a strategic enabler. Organizations that succeed with Copilot and agents aren’t just moving fast (70% of early Copilot users said they were more productive) – they are prepared, resilient, and deliberate in balancing AI-driven innovation with security and relevance. AI-first modern governance delivers real value across three dimensions: building readiness before AI is turned on, ensuring resilience when the unexpected happens, and driving relevance so people and AI can focus on what matters. Today, we are excited to announce many content governance innovations that move organizations forward on their frontier transformation.
Innovations across 3Rs Framework: Readiness, Relevance, Resiliency
As your tenant’s digital estate grows exponentially in this AI era, getting content governance right becomes even more important.
Readiness covers content permissions and oversharing, content lifecycle, and content sprawl. These elements take center stage in boardrooms because they can become an inhibitor to an organization’s AI transformation.
Relevance touches upon a key aspect of successful Copilot and agent deployments: how good their responses are. The quality of data AI can access directly determines the quality of its outputs. Dormant and inactive content must be put in cold storage and excluded from AI’s visibility. This increases the quality of responses.
Resiliency is all about business continuity, especially in the era where agents are part of the workforce and organizations must be prepared for unforeseen situations, such as an agent going rogue and accidentally deleting content. We are excited to share new capabilities that help your organization stay resilient.
With this backdrop, let us dive into innovations across these three pillars and additional areas:
- Enhancements in content oversharing controls
- Security and Compliance capabilities
Readiness
Readiness is about ensuring your content is correctly permissioned, organized in manageable clusters, and has lifecycle guardrails before AI uses it. We are bringing many innovations to Copilot native governance capabilities powered by SAM (SharePoint Advanced Management). Let’s dive in.
1. Enhancements in content oversharing controls
New Admin role: SharePoint Advanced Management Admin role
We heard your feedback that Microsoft 365 and SharePoint admins need to see granular insights, for example a file-level view of permission scopes, right within the SharePoint admin center. Today, we are thrilled to announce a new admin role called SharePoint Advanced Management Admin to empower you to achieve just that.
Catalog management – Generally Available
As your tenant grows, managing the increasing number of sites and OneDrives can quickly become overwhelming. Catalog Management brings order to this complexity by organizing content into meaningful groups aligned to how your business operates, creating a centralized catalog of sites tailored to your needs. With that foundation in place, you can connect governance tools and actions to specific content groups, enabling more targeted oversight and improvements across your environment.
Data Access Governance – Site permissions report for Users and Groups - Generally Available by June 2026
Site Permissions reports now extend to users and to Microsoft 365 and Security Groups, enabling admins to instantly identify every site a user or group can access and the scope of that access, closing a critical blind spot in oversharing governance. Clear remediation pathways are available through Restricted Access Control (RAC) and Restricted Content Discovery (RCD) policies. Learn more:
Data Access Governance - Detailed reports for Everyone and EEEU – Generally available
The new Data Access Governance detailed reports deliver complete, item-level visibility for "Everyone" and "Everyone except external users" permissions across your entire tenant, empowering admins to identify and remediate oversharing risks at scale, especially as organizations prepare for secure Copilot adoption.
In addition, admins can now customize emails for site access reviews (SAR) with their own messaging and assign review requests directly to site owners or site admins, ensuring clear accountability. They can choose between sending one combined review email to all recipients or individual emails, improving control over urgency and responses. Email delivery status and recipient lists are visible, removing uncertainty about notifications.
Governance hub for Site Owners – Private Preview
Site owners have a critical role to play in ensuring accuracy of site information, including the site's necessity, its owners, members, permissions, and sharing settings. We’re introducing the Governance Reviews Dashboard in Private Preview, a centralized, actionable view where site owners can see all pending site governance reviews (inactivity, ownership, attestation, access reviews) across the sites they own.
The dashboard shows required actions, due timelines, and site enforcement status and allows site owners to act directly from one place. Combined with consolidated policy notifications, it replaces multiple emails with a single, actionable governance surface.
As you see below, the dashboard highlights the Group-based Permissions Review initiated for the owners of the Contoso Finance site.
Restricted access control (RAC) policy for Site Owners – Generally Available
We are bringing content oversharing controls to site admins!
Site owners/admins can now independently manage RAC (Restricted Access Control) policy on a site, by providing appropriate justification on why the policy is being applied or updated.
RAC policy ensures that only users specified in the control groups will be allowed to access content. It also prevents oversharing of content with users outside of the control groups. Copilot honors RAC policy and thus prevents oversharing.
Restricted content discovery (RCD) policy for Site Owners – Generally Available
Restricted Content Discovery (RCD) policy is a very powerful control to prevent content from being discovered in Microsoft 365 Copilot as well as in Declarative agents. Site owners/admins can now independently manage RCD (Restricted Content Discovery) policy on a site, by providing appropriate justification on why the policy is being applied or updated.
2. SharePoint Admin Agent
Introducing the SharePoint Admin Agent, Microsoft’s first-party AI assistant for managing your rapidly growing digital estate across Microsoft 365.
As the content backbone of Microsoft 365 – powering Teams, OneDrive, Loop, Copilot, and more - SharePoint sits at the center of content governance, spanning permissions, lifecycle, resilience, and relevance across users, apps, and now AI agents.
The SharePoint Admin Agent brings these capabilities together in one simple conversational experience, with powerful skills across Storage, Lifecycle, Catalog, Oversharing Management, and Multi-Geo. Admins can ask questions in natural language, gain actionable insights, and take meaningful action without switching portals or writing scripts.
Together, these capabilities help organizations drive the 3Rs of content governance for the AI era: Relevance, Readiness, and Resilience.
SharePoint Admin Agent’s Starter Prompts:
You can try various starter prompts categorized under various skills – Permissions, Lifecycle, Storage, and Multi-Geo.
Permissions and Oversharing Management skill – Generally Available
Empowers admins to use natural language to uncover who has access to what, detect oversharing risks, and take targeted action to better protect sensitive content.
Lifecycle skill – Generally Available
Helps admins stay in control of content from creation to end of life by identifying inactive, outdated, and ownerless sites and enabling actions like reviews and archival.
Storage skill – Generally Available
Gives admins a clear view of storage consumption across the tenant so they can spot content sprawl, optimize capacity, and reduce unnecessary costs with confidence.
Multi-Geo skill – Private Preview
Microsoft 365 Multi-Geo enables customers to comply with data residency compliance requirements by ensuring that the data (OneDrive, mailbox, Teams channels & chats, et al.) of a user is hosted within a specific geo where the user is located. The new Multi-Geo skill in SharePoint Admin Agent assists the admin in getting insights on the OneDrive for Business location status of users and groups.
Recovery Skill – Private Preview
The Recovery skill helps admins leverage the Microsoft 365 Backup tool to find and understand available restore points, so that you can more easily and quickly recover from events that require point in time recovery of your OneDrive or SharePoint data. The initial release focuses on restore point availability if you have enabled Microsoft 365 Backup and have onboarded OneDrive accounts or SharePoint sites. In the future it will provide recommendations based on activity.
3. Agent governance in SharePoint, Teams, and OneDrive
Microsoft Agent 365 is a unified control-plane for agents that enables you to observe, govern and secure agents across your organization – including agents built with Microsoft AI platform and from other partners. Read more.
Specifically, the Agent Registry and Agent Map capabilities provide you with a breadth view of agents in your organization. To complement that breadth view, we are introducing a depth view of agents through the lens of Microsoft 365 resources, specifically SharePoint sites, Teams, and OneDrives. We are thrilled to introduce Agent Access Insights and Heatmap.
Agent Access Insights for SharePoint and OneDrive – Generally Available
Agent access insights provide rich information on agents that are accessing SharePoint sites and OneDrive within your tenant. It provides you with details on how much traffic these agents are bringing to your sites and in cases of accidental oversharing it helps you to take necessary actions such as setting up RAC (Restricted Access Control) or RCD (Restricted Content Discovery) policy.
Agent Access Heatmap for SharePoint and OneDrive – Private Preview in May’26
Agents are most effective when working on your organization’s relevant data. Agent Access Heatmap offers rich visual insights on agent access with additional dimensions like sensitivity and agent platform. This gives admins visibility into both the sensitivity of the content being accessed and the frequency of access. Admins now have effective tools for pausing agentic access to a site or scoping more granular access.
Enterprise App Insights – Generally Available
Enterprise Application Insights helps you gain visibility into how non-Microsoft (3rd party) enterprise applications are accessing SharePoint and OneDrive content. It provides details on which apps are accessing sites, how frequently these apps are accessing content, their permission scope (example: Files.Read), and what call pattern (Application Only, User and Application, etc.) they exhibit, enabling you to take measures to enhance the security of your tenancy.
Restrict access for high privileged applications – Private Preview
Third-party applications with broad-reaching permissions across all files or all sites in your organization can increase the risk of data disclosure. This new setting allows OneDrive and SharePoint Administrators to enforce finer-grained permissions for 3rd party applications or define which specific applications are allowed to have these broadly scoped permissions. Via Baseline Security Mode, admins can also gain rich insights into which applications in their organization have these broad permissions, and which resources are being accessed.
Relevance and Resiliency
Relevance is about making sure people and AI are working from the right information at the right time. By reducing noise, retiring stale content, and focusing Copilot and agents on high‑value data, governance helps every insight stay accurate, actionable, and meaningful.
Resiliency, on the other hand, is all about business continuity so that in unexpected situations like ransomware incidents or agents accidentally deleting content you can recover quickly.
Microsoft 365 Archive
File level archive for SharePoint – Public Preview
File level archive for SharePoint is in public preview, with controls spanning admin, site, and file-level UI, and through Graph APIs or PowerShell. File level Archive gives you a way to more surgically file away inactive content, saving you 75% off list in storage costs. That content remains searchable by end users or admins, is easily reactivated in place by any user with file read permissions and continues to work seamlessly with Purview functionality. Best of all, you are only charged for usage if your total storage consumption is greater than your pre-allocated quota, and there are no reactivation fees (just like site archiving)!
Purview data lifecycle management retention policy integration is now in Private Preview. With that, you can leverage these retention policies to move files into archive before they are deleted as part of a more holistic retain-archive-delete data lifecycle management workflow.
Here are a couple of recent customer examples highlighting the adoption of Microsoft 365 Archive:
*Stats based on customers’ testimonials. Read more at aka.ms/M365Archive/Story/Kantar and aka.ms/M365Archive/Story/Dentsu
SharePoint Extra Storage PAYG meter – Public Preview in June 2026
We’re also making it easier than ever to manage and pay for your active data.
SharePoint Extra Storage PAYG meter will roll out in public preview in June 2026. This PAYG meter allows you to grow your active storage usage with very little operational overhead. It works seamlessly with Archive PAYG so that you are charged the lowest possible blended rate only for storage that you're using on a daily basis (charged monthly). And you are only charged if total active + archive storage usage exceeds your pre-allocated quota. Now there's no need to prepay up to a year in advance for storage packs that you'll grow into later, no need to try to precisely manage that prepaid level through predictive efforts, and no risk of breaching storage payment compliance. Pricing will be shared when the product is in public preview.
Tenant-wide Version Trimming and What-if Analysis – Private Preview in June 2026
The “what if analysis” capability gives you a way to test which versions the trimming feature will delete and what the impact of that action will be. You can then run the actual tenant-level trimming job to free up storage space. This is very similar to the existing site and doclib level trimming capabilities, but expanded for a tenant-wide job. The initial release will be via PowerShell only. Please request to join the private preview by filling out this form.
SharePoint Admin Agent Storage Agentic Skill general availability
As noted above, the Storage Agentic skill, now rolling into general availability, helps with understanding and optimizing SharePoint usage. Stay tuned for more intelligence and automation coming to this skill this year and beyond, including integration of version trimming reports and execution.
2. SAM (SharePoint Advanced Management) Inactive site policy - Generally available
As part of Copilot native governance capabilities, admins can trigger an inactive site policy per tailored criteria, say any sites that are untouched for two years, and then take automatic actions like set read only or archive. Learn more here.
3. Microsoft 365 Backup
In the AI era, the speed at which individuals get work done is greatly accelerated. So too is the speed at which bad actors can take advantage of weaknesses in cyber-attack scenarios, and the speed at which an inadvertent agentic action can take place. Given this, it's more important than ever to put proper resilience capabilities in place. Microsoft 365 Backup was built to do just that, in a uniquely secure, scalable, and performant manner.
For those not familiar, Microsoft 365 Backup provides ultra-fast, large-scale backup (near day-zero protection) and recovery capabilities. The solution is a critical component of any M365 customer’s cyber resiliency story. You can onboard the native M365 Backup application via the M365 admin center, or you can leverage a Microsoft 365 Backup Storage app built by one of the recognized backup partners, for example Veeam Data Cloud Premium, AvePoint Confide Express, or Cohesity with M365 Backup Storage (just be sure to ask for the version of the partner app built on M365 Backup Storage to get the performance and security benefits of the platform). These vendors provide extended capabilities that deliver a fuller feature set, so you never have to trade off speed for feature or service coverage. You can get everything you need and more with one of their better-together M365 Backup Storage hybrid solutions.
We heard from our customers and partners about the need to expand and extend native platform capabilities.
Full Workload Backup - Rolling out to public preview
This gives you the ability to fully protect all your SharePoint sites, OneDrive accounts, and/or Exchange Online mailboxes dynamically with a few simple clicks. With full workload backup you can ensure your tenant is fully protected without any operational overhead to detect and add new sites or users. The tool does that for you automatically.
Feature Discovery experience is now generally available
With this experience, you will be notified within the Backup tool whenever we launch a new capability for you to adopt. This way, you can benefit from the manageability and enhanced features we release at regular intervals, all within the Backup tool.
Easier discovery of the daily fast restore points is rolling out to general availability
With this update, we're making it easier to find and leverage the ~daily preloaded restore points that provide the fastest restore performance in the Backup tool. These faster restore points for OneDrive and SharePoint are your optimized path to recover large quantities of sites at speeds of up to and beyond 3TB/hr. (with most tenants completing full tenant restores in a matter of hours).
2-year Backup Restore Point Retention in Private Preview
With this capability, you can select to keep the backup recovery points for up to 2 years after they are created. That means you can use Microsoft 365 Backup to go back in time up to 2 years after a restore point is created.
M365 Backup in the government community cloud (aka GCC) is generally available
Now customers that operate in GCC can benefit from the operationally fast and secure capabilities delivered by Backup. Some of the newest features mentioned in this blog are still in the process of reaching GCC but will be there soon.
Granular file/folder browse/restore is generally available
With this, the Backup tool provides a specialized recovery method to find and restore folders/files within a site in a matter of minutes.
Departmental billing is generally available
Departmental billing, which gives admins the ability to attach distinct Azure billing policies to distinct Backup policies, is also generally available. Now each department in your organization can control and pay for their own backups.
Security & Compliance capabilities in SharePoint & OneDrive
Extended SharePoint Permissions (ESP) – General Availability
Extended SharePoint Permissions (ESP) extends SharePoint’s existing site permission model so that document libraries can use sensitivity labels to ensure access controls follow files when they’re downloaded from SharePoint. Files downloaded from ESP‑enabled libraries can only be opened by users who have access in SharePoint, and access is evaluated dynamically—changing or revoking SharePoint permissions, deleting the file, or deactivating the site automatically removes access to the downloaded copy.
At the same time, files stored within SharePoint libraries that use ESP continue to behave like first‑class SharePoint content. They remain governed by standard Microsoft 365 experiences—including enterprise search, discovery, auditing, and Copilot interactions. Protection is applied without breaking how documents are stored, discovered, or reasoned over inside SharePoint.
To learn more, check out the Configure SharePoint with a sensitivity label to extend permissions to downloaded documents page.
OneNote support for Sensitivity Labels - General Availability
Organizations can now classify and protect OneNote sections using the same sensitivity labels they already rely on across Word, Excel, Outlook, and SharePoint, ensuring sensitive notes are encrypted and access‑controlled according to organizational policy. Labels are applied at the section level, making it easy to protect sensitive content while still allowing teams to collaborate securely across Windows, Mac, Web, iOS, and Android.
Copilot continues to respect user permissions, and with sensitivity labels applied to OneNote sections, organizations gain an additional layer of classification and control—helping ensure AI‑assisted interactions with notes remain compliant with security and privacy expectations.
To learn more, check out Sensitivity Labels in OneNote Now Generally Available | Microsoft Community Hub
Sensitivity label support for videos – Public Preview in May’26
Video has become a core medium for collaboration—capturing meetings, training, product demos, and internal communications. With sensitivity label support for video files, organizations can now begin extending their information protection strategy to video content stored in SharePoint and Microsoft Stream, bringing videos into the same classification framework used for documents.
Users can continue to watch and share videos as they do today, with labeling applied as governance metadata rather than as a disruptive enforcement layer. By introducing labeling for video files, Microsoft lays the groundwork for more comprehensive protection and compliance scenarios over time—helping organizations understand, manage, and govern video content alongside documents, without changing user workflows on day one.
Label inheritance for Teams Meeting Recordings – Public Preview in May’26
Protecting meeting content shouldn’t require extra steps from users. With this update, Teams meeting recordings will automatically inherit the sensitivity label of the meeting itself, ensuring protection is applied by default and stays consistent from the moment a meeting is recorded.
When a meeting is labeled, that label now flows seamlessly to the recording—without any user action. For meetings protected with encryption, recordings are securely playable online but cannot be downloaded, significantly reducing the risk of data exfiltration while still enabling access for authorized participants. This approach balances strong protection with usability, especially for highly sensitive meetings.
Beyond recordings, the inherited label is consistently enforced across all related meeting artifacts, including transcripts, shared documents, and notes. This delivers a more cohesive, end‑to‑end compliance experience for meetings, closing long‑standing gaps where different artifacts could be protected inconsistently.
Microsoft Baseline Security Mode (BSM) 2026 – Private Preview
Security is no longer a point‑in‑time deployment — it’s a continuous journey. At Ignite’25 we introduced Microsoft Baseline security mode 2025.
Today, we’re announcing the Microsoft Baseline Security Mode (BSM) 2026— a major step forward in helping organizations operationalize secure‑by‑default protections across their Microsoft environments. BSM 2026 builds on the foundation introduced in BSM 2025 by expanding workload coverage, deepening integration across services, and applying the security learnings Microsoft has gained through our own internal transformation under the Secure Future Initiative (SFI).
BSM 2026 expands beyond identity and collaboration workloads to include:
- Microsoft Intune
- Microsoft Purview
- Dynamics 365
This expansion also adds a new pillar, “Applications”, enabling organizations to enforce consistent, baseline protections across even more of their Microsoft cloud estate, reducing configuration drift and ensuring security standards extend beyond productivity into device management, data governance, and business applications.
To join the preview, go here.
Microsoft 365 Information Barriers (IB) enhancements
Microsoft 365 Information Barriers (IB) is a compliance control that prevents specific people or groups in an organization from communicating or collaborating with each other across Microsoft 365 services. It’s mainly used to avoid conflicts of interest and meet FINRA regulatory requirements.
We are happy to announce the general availability of the following enhancements to Microsoft 365 Information barriers:
- IB Insights: Insights on usage of IB modes across SharePoint sites and OneDrive are now generally available. These rich insights help you identify and discover IB usage patterns across SharePoint sites and OneDrive.
- IB support in Gallatin: Information barriers in Microsoft Teams, SharePoint Online and OneDrive, Microsoft 365 Groups will be generally available in Gallatin environment in June 2026.
Learn about Information Barriers | Microsoft Learn
Microsoft 365 Enterprise lifecycle
Cross-tenant sites migration – Generally Available
Microsoft 365 provides enterprise customers with capabilities to support the full lifecycle of their business, whether it be mergers, acquisitions, divestitures, or consolidation. The M365 Cross-Tenant Data Migration features allow admins to manage migrations at scale, securely, with deep product integration to ensure minimal impact to your daily business.
We’re happy to announce general availability of Cross-tenant SharePoint site migration, allowing admins to quickly migrate Communications Sites, Team Sites, and Group-Connected Sites from one Tenant to another with full fidelity and features such as automatic redirection of sharing links.
M365 Cross-tenant user migration with Teams Chat and Meetings – Private Preview
Adding to the Microsoft 365 Cross-Tenant migration capabilities, we’re excited to announce the preview of Cross-Tenant User Data Migration with Orchestrator, featuring Teams Chat and Meetings migration. This preview brings meetings, 1:1 chat, and group chat migration securely and at scale, with built-in product integrations to ensure minimal business disruption.
It also helps to simplify your role in managing migrations by ensuring orchestration across OneDrive, Mailboxes, and Teams, and enhances the user's experience when they migrate by making sure that everything they need to be productive is ready and waiting for them when the migration is complete. Read more.
Multi-Geo: Default geo move – Private Preview
Microsoft 365 Multi Geo provides enterprise customers with the ability to expand their Microsoft 365 presence to multiple geographic regions within a single existing Microsoft 365 Tenant. A Multi Geo tenant has a primary geo and one or more satellite geos where the tenant data (files, mailboxes, Teams chats) are hosted.
As Microsoft opens new data centers in new countries, some customers wish to relocate their primary geo to the new go-local location. For example, a customer may choose to relocate their primary geo for M365 from the broader EUR geo to the Germany geo to ensure that the data resides within Germany. Sometimes enterprises change their primary business location to another country and are then required to change the primary geo of their M365 tenant.
We are now enabling customers to change their primary geo for SharePoint and OneDrive from a broader region like EUR or APAC to a more specific geo like Germany or Korea respectively. For such moves of primary geo of a tenant, the customer should not have a satellite in the target geo. This capability is currently in private preview.
Restricted site provisioning for Apps – GA
Manage the sprawl and structure of data in your organization by applying this new control that allows you to govern which 3rd party applications or agents can create OneDrives or SharePoint Sites in your organization. Using restricted OneDrive and SharePoint Site creation for Apps, you can apply allow or deny-based policy, and manage which types of SharePoint site can be created on a per-application basis. Available via SharePoint Online Management Shell, using the command Set-SPORestrictedSiteCreationForApps.
Get started now!
If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.
For all the private previews mentioned in this blog, you can sign up for Private Preview.
M365 Conference – Related Sessions
Watch the featured sessions at the M365 Community Conference in Orlando:
- Agent 365: The Control Plane for All Agents, Tue, April 21, 4.15 pm EST
- Microsoft Baseline Security Mode: Simplify, Secure, Succeed, Tue, April 21, 4.15 pm EST
- New Security and Compliance Features and Reporting for SharePoint Admin, Site Owners and More, Thurs, April 23, 9 am EST
- What's New in Security & Compliance for SharePoint, OneDrive, and Teams, Wed, April 22, 2.30 pm EST
- Microsoft 365 Multi Geo and Mergers & Acquisitions, Tue, April 21, 1.45 pm EST
- From Chaos to AI-Ready in 30 Days: Meet the SharePoint Governance Agent, Grounded by SAM, Tue, April 21, 11.30 am EST
- Secure and Govern Microsoft 365 Copilot - What Every IT Pro Needs to Know, Wed, April 22, 1.30 pm EST
Resources
To learn more about the features in detail, check out the product capabilities documentation below.
- To learn more about Microsoft 365 Backup and the ISV solutions built on the M365 Backup Storage platform, check out this recent webinar: Resiliency in the age of AI with Microsoft 365 Backup