New era in content management and security in SharePoint, OneDrive, and Teams
Published May 02 2023 08:00 AM
Microsoft

Organizations are seeing massive growth in their digital estate as they continue their digitization journey. Businesses run on content – proposals, contracts, invoices, designs, plans, training videos, and more. Every work day, customers add over 2 billion new documents to Microsoft 365. Microsoft Syntex brings advanced AI from the Microsoft Cloud to your M365 content, simplifying your everyday business processes at cloud scale. Microsoft 365 security and compliance offerings empower you to manage and govern your ever-increasing digital estate diligently.


For many organizations, content oversharing and governance are real challenges, no matter the size or geographic distribution. Content oversharing is when content is shared beyond the needed audience either intentionally or accidentally. Today at the Microsoft 365 Conference, we are thrilled to announce new content management and security capabilities to address these problems.


Let’s look at these new capabilities under the following pillars:

 

Oversharing controls – Advanced access policies for secure collaboration

Content lifecycle management

Expanded security controls to safeguard content

Organization lifecycle management

Comprehensive compliance


Oversharing controls - advanced access policies for secure collaboration

SharePoint data access governance (DAG) enhancements – Site access reviews, Restricted Access Control (RAC) policy, and Everyone Except External Users (EEEU) report

 

As the sprawl of Teams and SharePoint sites contributes to the exponential growth of your organization’s digital estate, it’s important to identify the top sites that require close attention.

A site’s lifecycle starts when it is created and evolves to the active state, which is when users add content and collaborate in the site. During this active state, how do you detect and avoid oversharing or accidental sharing? Look no further: admins can now use the data access governance (DAG) insights dashboard in the SharePoint admin center to address these needs.

Today, we are happy to announce that many enhancements are coming to SharePoint Data Access Governance (DAG) insights, notably site access reviews, integration with restricted access control (RAC) policy and a new EEEU (Everyone except external users) report. DAG v1 insights empower you to discover the top-100 and top-10,000 sites that matter the most among the millions of sites you may have. We announced the general availability of DAG v1 a few months back as part of the Microsoft Syntex - SharePoint Advanced Management (SAM) launch.

 

We’re expanding DAG insights with the following enhancements:

 

1. Site access reviews - This allows a SharePoint admin to request the owners of the top sites discovered in Sharing or Sensitivity label reports in DAG to review and attest that the access pattern seen in their sites is expected. This enhancement will be available in H2CY23.

 

2. Integration with restricted access control (RAC) policy – From the DAG insights experience, you can now take action on overshared sites with a single click by enabling the restricted access control (RAC) policy for them. This enhancement will be available in H2CY23.

 

3. EEEU (Everyone except external users) report – One common source of overshared sites is users mistakenly sharing with the EEEU group, which grants access to all users in the organization except external users. We are now introducing a new report in DAG that will list the top-100 sites (and top-10,000 via CSV) that were shared with the EEEU group. This enhancement will be available in H2CY23.

 

Interested in learning more? Check out the product article here: SharePoint Data access governance (DAG) insights.

 


Figure. SharePoint admin views SharePoint data access governance (DAG) insights and triggers site access reviews to site owners, and restricts access for an overshared site, Project Apollo

 

Restricted access control (RAC) policy for SharePoint sites with security groups - General availability

 

Data access governance (DAG) reports help you discover overshared sites in your organization. Then, what actions do you want to take next for those sites? You may want to restrict access to those overshared sites such that no matter how widespread the content was shared, or if inheritance was broken at the document level, the access is instantly confined to a set of users only. The solution is here.


In the SAM launch a few months back, we announced general availability of Restricted Access Control (RAC) policy for Microsoft 365 Groups-connected sites.


Today, we are excited to announce that the Restricted Access Control (RAC) policy for SharePoint sites with security groups is generally available. With this advanced policy, you can now restrict access to a non-group-connected site, be it a classic site, a communication site, or a Shared Channels-connected site, using Azure Active Directory security groups.


Users who are not current members of the specified security groups will be denied access even if the site or its content was previously shared with them by breaking inheritance from the site permissions. Very powerful access control!


All the admin activities of configuring or updating RAC policy for sites are audited in the Microsoft 365 Audit Logs.
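The following is an added example (not from the original post or the product documentation) showing how an admin would apply a RAC policy to a non-group-connected site that a DAG report flagged as overshared, and then read the setting back to confirm it. The admin URL, site URL and security group object IDs are placeholders, and the `-RestrictedAccessControl` / `-RestrictedAccessControlGroups` parameter names are assumed from the SAM RAC documentation; check them with `Get-Help Set-SPOSite` on your module version.

```powershell
# Added example: enable restricted access control (RAC) on one site using security groups.
# Assumptions: SharePoint Online Management Shell installed; URLs and GUIDs below are placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell

$adminUrl = "https://contoso-admin.sharepoint.com"                 # placeholder tenant admin URL
$siteUrl  = "https://contoso.sharepoint.com/sites/ProjectApollo"   # placeholder site flagged by DAG
$groupIds = @(
    "00000000-0000-0000-0000-000000000001",   # placeholder: Azure AD security group object ID
    "00000000-0000-0000-0000-000000000002"    # placeholder: second security group object ID
)

Connect-SPOService -Url $adminUrl

# Turn on RAC for the site and name the security groups whose current members keep access.
# Anyone outside these groups is denied, even if a file was shared with them by breaking inheritance.
# (Parameter names assumed from the RAC documentation; verify with Get-Help Set-SPOSite.)
Set-SPOSite -Identity $siteUrl `
    -RestrictedAccessControl $true `
    -RestrictedAccessControlGroups ($groupIds -join ",")

# Read the effective setting back. Keep this output with your change record; the configuration
# change itself is also written to the Microsoft 365 audit log.
Get-SPOSite -Identity $siteUrl -Detailed |
    Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups
```

Because RAC is evaluated against current group membership, the same script run again after a group change needs no further site edits: removing a user from the security group is enough to revoke their access to the site.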


To learn more about this feature, check out the article here: RAC Policy for SharePoint Sites.

 


Figure. Controlling oversharing of a non-group connected site with restricted access control (RAC) policy

 


 

External/Internal Collaboration Insights – Private preview

 

Content collaboration is at the center of any organization’s productivity and business growth. While open collaboration may bring more productivity and thus opportunities, external collaboration is the biggest source of corporate data leakage and exfiltration due to accidental oversharing. Knowing your organization’s collaboration patterns allows you to drive positive collaboration trends and to control activities that may pose a security risk to your enterprise. Collaboration insights is designed to synthesize the collaboration patterns in your organization.

 

Today we are announcing the private preview of external/internal Collaboration Insights as part of the SharePoint Advanced Management (SAM) add-on.

With Collaboration Insights you can obtain weekly insights on how users in your organization are leveraging OneDrive and SharePoint to collaborate internally and externally by viewing, editing, and sharing files. Collaboration Insights also provides key aggregate data on the total number of users, user types, and sites so that you can monitor growth trends over time.

 

Figure. External/internal collaboration insights

Interested in participating in this private preview? Fill out the form here.

 


 

Restricted apps access (RAA) policy for SharePoint sites and OneDrives – Private preview

 

The security posture of content varies with its business criticality. General training content should be easily accessible, whereas classified strategy content should be accessible only when certain conditions are met. The conditional access requirements should match the site’s security posture.


Using conditional access for SharePoint sites and OneDrives, you can restrict access to business-critical sites by requiring additional conditions of users, such as MFA (multi-factor authentication). But you may have several applications registered in Azure Active Directory that get unrestricted access to such business-critical sites. Well, now you can restrict which applications may access such sites.


Today we are thrilled to announce the private preview of Restricted Applications Access (RAA) policy for SharePoint sites and OneDrives. It empowers SharePoint admins to control the list of third-party applications allowed access to a given SharePoint site or OneDrive. You can even require the allowed application to meet certain conditions defined through Azure Active Directory’s authentication context. For example, users who access content through that application must be MFA authenticated. Very flexible and powerful access control for applications.


Simply run the following SharePoint Online PowerShell cmdlet for a given site:

 

Set-SPOSite -Identity <site url> -BlockAppAccess $true -AllowedAppServicePrincipleIds "1f75b7a0-b161-43f2-96d9-269d80c1f619, d365ab6f-2ecb-4e8e-a93d-b55755489c0d"

 

In the above example, setting BlockAppAccess to true blocks all third-party applications’ access to the site except the two applications whose IDs are listed in AllowedAppServicePrincipleIds. Simple and powerful access control!


Interested in participating in the private preview? Sign up using this form.

 

Advanced sites lifecycle management

 

Sites lifecycle policies – Inactive sites – Coming in Q2CY23

 

A site in an active state may enter an inactive state perhaps after a few years. With the sprawl of sites, how would you discover sites that have moved to an inactive state and then take action on them? Standing access, especially by external vendors and third-party applications, to inactive SharePoint sites is one of the sources of data leakage and security incidents. Look no further.


Today, we are thrilled to announce the SharePoint inactive sites policy, coming in Q2CY23. This new feature gives admins the ability to create custom inactive site policies that target specific SharePoint sites, such as Teams-created sites or sites labeled as Public or with an information segment of Research. Once these policies are in place, site owners of inactive sites will receive alerts and can choose to keep, delete, or take other actions as needed.


As a SharePoint admin, you'll also have the option to apply Restricted Access Control (RAC) policies to inactive sites to protect their content and remove any unauthorized access. And for sites connected to Teams, the inactivity status will be determined by evaluating user actions in both Teams and the SharePoint site. This means that Teams owners, as well as site owners, will be notified of any inactivity.


This policy is included in the SAM add-on and will be activated in your tenant once it's ready. Keep an eye out for more updates on this exciting new feature in Q2CY23.

 


Figure. SharePoint admin creates an inactive site policy in SharePoint admin center and site owner responds to the policy notification


If you’d like to participate in our private preview, please sign up using this form.


 

SharePoint Change History – Coming Q2CY23

 

As SharePoint admins, often you are tasked with troubleshooting inaccessible team sites. Also, to understand and manage a site’s lifecycle, it is imperative to know all the activities carried out by site owners. The new Change History capability in SharePoint admin center aims to address these needs.


Today we are thrilled to announce SharePoint Change History general availability coming in Q2CY23. This feature enables you to view all changes made to a site's properties by other admins and site owners, allowing for faster investigation and resolution of helpdesk tickets. With this historical view, you can quickly identify any changes that may have caused an issue and resolve it in a matter of hours, instead of days.

 

SharePoint Change History is included in the SAM add-on and will be activated in your tenant as soon as it's ready. Keep an eye out for more updates on this exciting new capability in Q2CY23!

 


Figure. SharePoint admin viewing change history report in SharePoint Admin Center


If you’d like to participate in our private preview, please sign up using this form.


 

Block download policy for Teams Meeting Recording (TMR) files stored in SharePoint sites and OneDrives – General Availability

 

Teams meeting artifacts, specifically meeting recordings, are a business-critical asset for organizations and a source of users’ day-to-day activities. To adhere to your local compliance policy and avoid data leakage, you may want to block users from downloading those meeting recordings.


Today, we are thrilled to announce the general availability of block download policy for Teams Meeting Recording (TMR) files stored in SharePoint sites and OneDrives. With one simple PowerShell cmdlet, you can now block the download of Teams meeting recording files from SharePoint sites and OneDrives. This allows users to remain productive while addressing the risk of accidental data loss. Users will continue to have browser-only access to view the recordings without the ability to download or sync or access them through applications.

 

Simply run the following SharePoint Admin PowerShell cmdlet:

 

Set-SPOTenant -BlockDownloadFileTypePolicy $true -BlockDownloadFileTypeIds TeamsMeetingRecording


You may have a need to exempt some users, say your compliance officers, from this policy. You can achieve that by configuring an exemption list with security groups, which will then allow the members of those specified security groups to download.


A couple of notable considerations: after the policy is turned on, any new Teams meeting recordings saved in SharePoint and OneDrive will be blocked from download. You must be a SharePoint admin to configure this policy. Note that this policy doesn't apply to manually uploaded meeting recording files.
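As an added example (not from the original post), here is the policy above combined with the exemption list described in the previous paragraph, followed by a read-back of the tenant settings so the change can be verified. The admin URL and the security group object ID are placeholders; the `-ExcludedBlockDownloadGroupIds` parameter name is assumed from the linked "Block the download of Teams meeting recording files" documentation, so confirm it with `Get-Help Set-SPOTenant` before running.

```powershell
# Added example: block download of Teams meeting recordings tenant-wide, with an exemption group.
# Assumptions: SharePoint Online Management Shell installed; admin URL and group ID are placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell

$adminUrl        = "https://contoso-admin.sharepoint.com"      # placeholder tenant admin URL
$complianceGroup = "00000000-0000-0000-0000-0000000000aa"      # placeholder: security group object ID for exempt users

Connect-SPOService -Url $adminUrl

# Users keep browser-only viewing of recordings; download, sync and app access are blocked.
# Members of the exempted security group (for example, compliance officers) can still download.
# (Exemption parameter name assumed from the product documentation; verify with Get-Help Set-SPOTenant.)
Set-SPOTenant -BlockDownloadFileTypePolicy $true `
              -BlockDownloadFileTypeIds TeamsMeetingRecording `
              -ExcludedBlockDownloadGroupIds $complianceGroup

# Confirm what is now in effect. Remember that only newly saved recordings are covered,
# and manually uploaded recording files are not subject to this policy.
Get-SPOTenant |
    Select-Object BlockDownloadFileTypePolicy, BlockDownloadFileTypeIds, ExcludedBlockDownloadGroupIds
```

Keep the exemption group small and reviewed on a schedule: every member of it can download every recording in the tenant, so the group is effectively a privileged role.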


Want to learn more about this capability? Check out Block the download of Teams meeting recording files from SharePoint or OneDrive.

 


Figure: SharePoint admin configuring block download policy for TMR files in SharePoint Admin PowerShell and end user experience showing the policy in action.


 

Expanded content security to safeguard content

 

Search and governance for standalone images and PDFs in SharePoint and OneDrive – Private preview


In Microsoft 365 SharePoint and OneDrive, the current Microsoft Purview compliance policies like data loss prevention (DLP) protect only Office documents. Many organizations have a major percentage of their digital estate as PDFs and images and need a way to protect and govern them too. The solution is here.

 

Today we are excited to announce the private preview of Protection for Images and PDFs in SharePoint sites and OneDrives. With the power of OCR (Optical Character Recognition) processing in SharePoint and OneDrive the content within images, be it standalone or embedded within PDFs and Office documents, can be extracted along with metadata, and then can be reasoned over. You can configure the OCR setting in Microsoft Purview Compliance Portal.

 

DLP (data loss prevention) policies can now protect these images and PDFs. To help admins roll out this feature gradually, they can enable this capability only in certain SharePoint sites or OneDrives. For example, if you have a DLP policy that includes a data classifier such as the credit card sensitive information type (SIT), then Office documents, images, and PDFs will all be protected by that policy.

 

In addition, end users will start to see search results including images and PDFs through Enterprise Search, much like they see Office documents.

 

If you are interested in this feature and want to enroll in the private preview, reach out to your Microsoft Field/Account team.

 


Figure. An image file that contains a credit card image is detected as sensitive by DLP policy and end user views the policy tip details in SharePoint information pane.


Programmatic way to set files metadata like sensitivity labels at cloud scale – Public preview

 

The assign sensitivity labels Premium API for OneDrive and SharePoint helps you to automatically designate Excel, PowerPoint, and Word files as sensitive to ensure certain protections are applied to these documents. The API allows you to leverage the functionality to assign labels at scale through your applications. This API provides the following key benefits:


• Is a pay-as-you-go, consumption-based API, which does not require additional user licenses.
• Does not require third party tools to download, label, and re-upload your files.
• Allows your enterprise to scale your sensitivity labels to the whole organization without the need for end users to read, interpret, and manually label files.
• Does not require the target file to be open and in use, allowing you to protect files, even if no one is actively working on them.
• Provides labeling at volume. You can label up to 75,000 files a day in your tenant at general availability.
• Allows you to re-use your existing manual labels.

 

Today, we are thrilled to announce that the assign sensitivity labels Premium API for OneDrive and SharePoint is in Public Preview, with general availability coming at the end of May 2023. Learn more about metered APIs and get started with the Assign sensitivity labels API for OneDrive and SharePoint.
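The following is an added example (not from the original post or the Graph documentation) of calling the assign sensitivity label action on one file from PowerShell, using the Microsoft Graph PowerShell SDK. The drive ID, item ID and label GUID are placeholders, the endpoint version is assumed to be v1.0 (use beta if your tenant only exposes it there), and it assumes a sign-in that holds Files.ReadWrite.All and that the metered API billing described in the linked metered APIs overview is already set up.

```powershell
# Added example: label a single Word/Excel/PowerPoint file via the driveItem assignSensitivityLabel action.
# Assumptions: Microsoft.Graph.Authentication module installed; IDs below are placeholders.

Import-Module Microsoft.Graph.Authentication

Connect-MgGraph -Scopes "Files.ReadWrite.All"

$driveId = "<drive-id>"                # placeholder: ID of the document library drive
$itemId  = "<item-id>"                 # placeholder: ID of the file to label
$labelId = "<sensitivity-label-guid>"  # placeholder: GUID of an existing Microsoft Purview label

# Request body: which label to apply, how it was assigned, and a justification kept for the audit trail.
# "standard" is the normal assignment; "privileged" is used when downgrading or removing a label.
$body = @{
    sensitivityLabelId = $labelId
    assignmentMethod   = "standard"
    justificationText  = "Applied by labelling automation"
} | ConvertTo-Json

# The file does not need to be open by anyone. The action is asynchronous: Graph answers
# 202 Accepted and the Location header points at a long-running operation to poll.
$response = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/drives/$driveId/items/$itemId/assignSensitivityLabel" `
    -Body $body -ContentType "application/json" -OutputType HttpResponseMessage

$response.StatusCode        # expect Accepted (202)
$response.Headers.Location  # operation URL to poll until the label is applied
```

For bulk labelling, drive the same call from a list of item IDs and throttle it: the post states a daily ceiling of 75,000 files per tenant at general availability, and every call is metered.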

 


 

Organization lifecycle management

SharePoint cross-tenant sites content migration – Private preview

 

Mergers, Acquisitions, and Divestitures (M&A) scenarios are a critical part of an organization’s lifecycle. In fact, many organizations expand their business through M&A.

 

Imagine Contoso Energy acquiring Fabrikam’s Wind Energy unit in Asia to expand their global footprint in the energy industry, and both Contoso Energy and Fabrikam have a presence in Microsoft 365. As part of this M&A transaction, there is a need to move Fabrikam’s Wind Energy unit employees’ OneDrives and Mailboxes and associated SharePoint sites to Contoso Energy’s tenancy. We announced OneDrives and Mailboxes cross-tenant content migration at Ignite’22. We are addressing the need for moving SharePoint sites across the tenants.

 

Today, we are thrilled to announce the private preview of SharePoint site cross-tenant content data migration. With this capability you can now move SharePoint sites across two tenants using a simple set of SharePoint PowerShell cmdlets. This includes all kinds of sites like Communication sites, Modern team sites, Teams-connected or Groups-connected sites, etc.

 

Another notable capability upon site move is that sharing links to the old URLs will continue to work although the URL of the site has changed! This is made possible by the cross-tenant redirect capability, which ensures that any hit on an old URL is redirected to the new URL.

 

To learn more about cross-tenant move of OneDrives, check out here: Cross-tenant user data migration for OneDrives.

 

To learn more about cross-tenant move of SharePoint sites, click here: Cross-tenant SharePoint site migration.


To sign up for this preview, please use this form.

 


Figure. Migrating a SharePoint site across tenants and experiencing the redirect behavior for the site URL

 


 

Comprehensive compliance

Information barriers (IB) 2.0 – General availability

 

Microsoft Purview Information Barriers (IB) is a comprehensive compliance platform that allows regulated customers in finance (FSI), legal and consulting verticals to meet compliance requirements to 'protect communication and collaboration across internal regulated users'.

 

Information Barriers v2 (IB v2) is now generally available for all newly onboarding customers. IB v2 has an enhanced architecture that enables the following new features:


1. Large scale segment support: The segment limit in organizations has increased to 5,000 (from 250). This new scale does not require any extra IB configurations.

 

2. Multi-segment support: Users can be assigned to up to 10 segments.

 

The new multi-segment organization mode enables administrators to assign users in your organization to up to 10 segments in IB, instead of being limited to just one segment. This allows support for more diverse communication rules between users and groups and supports more complex organizational and operational scenarios. For more information, see Use multi-segment support in information barriers.

 


Figure. Enable multiple segment support for organization


3. Flexible user discoverability: Organizations can now choose to allow IB-protected users to discover each other while adhering to IB communication and collaboration policies.

 

With IB v2, administrators can enable or disable user discoverability restrictions in IB. Once the user discoverability restriction enforced by IB is turned off, users can discover each other in the people picker, independent of their IB policies. By default, the people picker restriction is enabled for all IB policies. For more information, see Manage information barriers policies.

 


Figure. Disable user discoverability restriction with Information Barriers


 

We know this is a comprehensive list of content management and security capabilities, and that you will need time to digest and learn about them!

 

To learn all the SharePoint and OneDrive announcements from Microsoft 365 Conference, check out Jeff Teper’s blog at:
https://aka.ms/M365/May2/ODSP


For private preview features, you can sign up here: https://aka.ms/ODSPSecurityPreviews.

 

For more information about SharePoint Advanced Management and the SAM licensing information, check out the SAM product articles landing page at: https://aka.ms/LearnSAM.

 

Get started!


If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.

 

If you are already a Microsoft 365 customer and have SharePoint licenses, then you can purchase the SAM add-on SKU from your M365 Admin Portal by simply searching for “SharePoint Advanced Management Plan 1” in the purchase services tab. You can also purchase through CSP or volume licensing enrollment.

 

To learn more about the above features in detail, check out the product capability documentation below:


What is SAM (SharePoint/Syntex Advanced Management)
SharePoint data access governance (DAG) insights
Restricted access control (RAC) policy for SharePoint Sites
Restricted access control (RAC) policy for OneDrives
Conditional access policy for SharePoint sites and OneDrives
Secure SharePoint Document Libraries
Review recent SharePoint site actions - SharePoint in Microsoft 365 | Microsoft Learn
Block download policy for SharePoint sites and OneDrive - SharePoint in Microsoft 365 | Microsoft Le...
Block the download of Teams meeting recording files from SharePoint or OneDrive.
Overview of metered APIs and services in Microsoft Graph - Microsoft Graph | Microsoft Learn
Assign sensitivity labels API for OneDrive and SharePoint.
Cross-tenant OneDrive migration overview - Microsoft 365 Enterprise | Microsoft Learn
Cross-tenant SharePoint site migration overview (preview) - Microsoft 365 Enterprise | Microsoft Lea...
Information barriers - Microsoft Purview (compliance) | Microsoft Learn
Use multi-segment support in information barriers - Microsoft Purview (compliance) | Microsoft Learn
Manage information barriers policies - Microsoft Purview (compliance) | Microsoft Learn
What’s new in SharePoint Admin Center
SharePoint and OneDrive Security Cookbook

Thank you!


Sesha Mani
Partner Group Product Manager

 

Jolene Tam
Senior Product Marketing Manager

Version history
Last update:
‎May 02 2023 05:35 AM