Blog Post

SharePoint Premium Blog
11 MIN READ

Microsoft Syntex – SharePoint Advanced Management (SAM) Add-on – Announcing General Availability

Sesha_Mani's avatar
Sesha_Mani
Icon for Microsoft rankMicrosoft
Mar 01, 2023

Organizations are seeing massive growth in their digital estate as they continue their digitization journey. Your business runs on content – proposals, contracts, invoices, designs, plans, training videos, and more. Every day, customers add over 1.6 billion new documents to Microsoft 365. Microsoft Syntex brings advanced AI from the Microsoft Cloud to your M365 content, simplifying your everyday business processes at scale. With this exponential content growth, it’s increasingly important to manage and govern your digital estate diligently.


For many organizations, Microsoft SharePoint site content sprawl and oversharing are real problems, no matter your size or geographic distribution. Site content sprawl is high volume creation of SharePoint sites through self-service sites or Teams creation, while content oversharing is about sharing the content beyond the needed audience either intentionally or accidentally. To help SharePoint and IT Admins address sprawl and oversharing, we are thrilled to announce the general availability of Microsoft SharePoint Advanced Management (SAM) add-on, a new set of advanced security and content management capabilities.


Customers who have existing SharePoint licenses, either standalone or through Microsoft 365/Office 365 suite, can purchase the SAM add-on SKU, which is a per-user license. Learn more at https://aka.ms/LearnSAM.


Let’s look at the SAM capabilities under two pillars:

 

Advanced access policies for secure collaboration

 

Advanced sites content lifecycle management

 

Once you’ve purchased and licensed the SAM add-on for your users in the tenancy, you can access premium advanced management capabilities in the SharePoint Admin Center under the new “Advanced management” tab, see below:

 

Figure. A SharePoint admin viewing “Advanced management” tab in the SharePoint Admin Center

 

Advanced access policies for secure collaboration

 

SharePoint data access governance (DAG) insights V1 – General Availability


As the sprawl of Teams and SharePoint sites contributes to the exponential growth of your organization’s digital estate, it’s important to know the top sites that require close attention.

A site’s lifecycle starts at creation time and evolves to the active state when users add content and collaborate in the site. During this active state you may wonder how to detect and avoid oversharing, or accidental sharing. Look no further, admins can now use the data access governance (DAG) insights dashboard in SharePoint admin center to address these needs.

Today, we are happy to announce that V1 of SharePoint data access governance (DAG) insights feature is generally available. DAG insights empower you to discover top-100 and top-10,000 sites that matter the most among millions of sites you may have. Two main criteria are used to determine these top sites: 1) Overshared sites i.e., sites with the highest number of anyone or company sharable or specific personal links, and 2) Sites with the highest number of labelled sensitive documents. In addition, you can run periodic DAG reports and monitor/validate/tailor sharing, device, and access policies for those sites that matter the most.

 

In the future, we’re looking to expand DAG with end-to-end capability such as Site Access Reviews. This allows a SharePoint admin to request the owners of the top-most sites to review and attest the access pattern seen in their sites is expected.

 

Interested in learning more? Check out the product article here: SharePoint Data access governance (DAG) insights.

 

Figure. SharePoint admin views SharePoint data access governance (DAG) insights and triggers site access review to site owners

 

Back to top

 

Restricted access control (RAC) policy for SharePoint sites – General availability


Oversharing of content is another common concern in many organizations. Despite the right intent, users mistakenly share content with a broader audience that often results in unauthorized access to content. Especially as hybrid work and external collaboration becomes business existential themes, oversharing problems expand to a new level.


DAG reports help you discover overshared sites in your organization. Then what can you do with those sites? You may want to restrict access to those overshared sites such that no matter how widespread the content was shared, or inheritance was broken at the document level, the access is instantly confined to a set of users only. The solution is here.


Today, we are excited to announce restricted access control (RAC) policy for SharePoint sites is generally available. With this advanced policy, you can now restrict access to a Microsoft 365 Group-connected site only to the existing members of the parent Microsoft 365 group. Users who are not the current members of the Microsoft 365 group will be denied access even if the site or its content was previously shared with them. Whenever admin configures this RAC policy for a given site, it is audited in the Microsoft 365 Audit Logs.


We plan to extend this policy to all SharePoint site templates, be it classic or communication or Shared Channels-connected sites. Simply configure the RAC policy for a site with an Azure Active Directory security group principal. Very powerful access control! This is coming to the SAM add-on in Q2CY23.


To learn more about this premium feature, check out the article here: RAC Policy for SharePoint Sites.

 

Figure. Controlling oversharing of a group-connected site with restricted access control (RAC) policy

 

Back to top

 

Restricted access control (RAC) policy for OneDrives – General Availability


Much like oversharing SharePoint sites, users also overshare their OneDrive content, especially with external users.


Today we are excited to announce that restricted access control (RAC) policy for OneDrives is generally available. With this policy, you can now restrict access to all OneDrives in your organization to a set of users. For example, restrict access to only your employees and no one else. You simply create security groups in Azure Active Directory that contains all your employees, then in SharePoint admin center restrict to those groups by configuring the Limit OneDrive Access setting. It’s that simple!


We plan to extend this policy such that you can configure the RAC policy for a given user’s OneDrive. This capability is coming to the SAM add-on in Q2CY23.


To learn more about this feature, check out the article here: Restricted access control (RAC) policy for OneDrives.

 

Figure. SharePoint admin limiting access to all OneDrives to employees only, no external vendors allowed

 

Back to top

 

Conditional access policies for SharePoint sites and OneDrives – General availability


Security posture of content varies based on its business criticality. General training content should be easily accessible wherein classified strategy content should be accessible only when certain conditions are met. The conditional access requirements should match the sites’ security posture.


Today, we are thrilled to announce the general availability of conditional access policies for SharePoint sites and Teams. Simply use the SharePoint Online PowerShell cmdlet Set-SPOSite -conditionalaccesspolicy AuthentictionContext to set appropriate access policy for a site, which dictates the conditions required for accessing that site.


For example, for your 2025 Strategy site that is expected to have business critical content, you can configure the policy to require MFA (multi-factor-authentication) for all users. Users will be required to go through additional credential gates only when they try accessing sites or teams that contain business-critical information.


You can also configure additional credential gates for OneDrive, in addition to SharePoint sites. For example, for the OneDrive accounts of your senior leadership team members, you can configure a conditional access policy to always require managed devices to access these OneDrives.


If your organization already has sensitivity labels deployed, then you can also associate this policy with the sensitivity labels and simply label the sites or teams appropriately.


To learn more about this feature, check out the product article here: Conditional access policy for sites.

 

Figure. Securing a SharePoint site with conditional access policy that requires MFA (multi-factor-authentication)


Back to top

 

Secure SharePoint Document Libraries – General Availability


SharePoint Document Libraries are the primary source of storage for your documents. Although you can control access through tailored permissioning for a given document library, so far there isn’t a way to apply granular security policies, such as encryption, or watermarking to it. We are uplifting the security posture of the SharePoint document libraries by allowing site owners to set appropriate policies through a sensitivity label.


Today, we are thrilled to announce Secured SharePoint Document Libraries coming to general availability on April 1, 2023. With this new capability you can now protect your document libraries, and hence the Office documents hosted in them, from the get-go and thus protecting from the day documents are created or uploaded to SharePoint document libraries.


Simply set the appropriate content sensitivity label for your document libraries using the Library Settings in the site’s settings information panel. From that point onwards all documents, newly created or modified, in that library will be automatically assigned with that library’s label. Most importantly, they are secure from the get-go with policies associated with that label. Even if the document gets downloaded from the library and if the label has an encryption policy, then the protection will travel with the document.


Learn more about this capability here: Secure SharePoint Document Libraries.

 

Figure. Site owner setting a default sensitivity label for a SharePoint document library

 

Back to top

 

Advanced sites lifecycle management

 

Sites lifecycle policies – Inactive sites – Coming in Q2CY23

 

A site in an active state may enter an inactive state perhaps after a few years. With the sprawl of sites, how would you discover sites that have moved to an inactive state and then take action on them? Standing access, especially by external vendors and third-party applications, to inactive SharePoint sites is one of the sources of data leakage and security incidents. Look no further.


Today, we are thrilled to announce the SharePoint inactive sites policy, coming in Q2CY23. With this advanced management capability admins, can now create a tailored inactive site policy targeting specific SharePoint sites, perhaps Teams created sites or sites labelled as Public or sites with information segment of Research, and trigger alerts to respective site owners. Site owners of these inactive sites can then decide to either keep or delete or take other actions on these sites.

 

You as the SharePoint admin can also look to apply RAC (Restricted access control) policy on these inactive sites to protect the content and remove any standing access for unauthorized users.


Another hidden gem of this policy is, if a SharePoint site is connected to Teams, then inactivity is determined by evaluating user actions in both Teams and SharePoint site. The Teams owners, in addition to the site owners, will get notified about inactivity in the Team and connected SharePoint site.


This policy is included in the SAM add-on and will activate in your tenant once ready. Stay tuned for more updates on this policy enablement in the upcoming quarter Q2CY23.

 

Figure. SharePoint admin creates an inactive site policy in SharePoint admin center and site owner responds to the policy notification

 

Back to top

 

Recent admin actions by SharePoint admins – General availability

 

As the SharePoint admin managing the content lifecycle in your tenancy, you may make many configuration changes. Having a panoramic view of all your recent changes in SharePoint admin center will come in handy if you make any unintentional changes that risk disrupting your users.

 

Today, we are excited to announce Recent Admin Actions (RAA) in SharePoint Admin Center generally available. This new recent admin actions panel in the SharePoint Admin Center shows the latest changes you make to site properties such as site name, site URL, sharing settings, storage limit etc., It allows you to view and export 30 days worth of changes. The recent admin actions (RAA) capability shows the actions taken by you as the SharePoint admin for that given session.


Soon, we will also showcase SharePoint tenant settings changes, such as sharing settings or quota changes, in this panel so that you get full visibility.


To learn more, check out Recent Admin Actions product article: Review recent SharePoint site actions - SharePoint in Microsoft 365 | Microsoft Learn

 

Figure. SharePoint admin viewing recent actions panel in SharePoint Admin Center

 

Back to top

 

SharePoint Site history – Coming in Q2CY23

 

As SharePoint admins, often you are tasked with troubleshooting inaccessible team sites. Also, to understand and manage a site’s lifecycle, it is imperative to know all the activities carried out by site owners. The new Site History capability in SharePoint admin center aims to address these needs.


Today we are thrilled to announce SharePoint Site History general availability coming in Q2CY23. Site History capability shows every change site owners and admins have made to site properties. This historical view helps you investigate and resolve helpdesk tickets in hours rather than days.


This capability is included in the SAM add-on and will activate in your tenant once ready. Stay tuned for more updates on this capability in the upcoming quarter, Q2CY23.

 

Figure. SharePoint admin viewing recent actions panel in SharePoint Admin Center

 

Back to top

 

Block download policy for SharePoint sites and OneDrives – General Availability

 

Whether in active state or inactive state, certain SharePoint sites content in your organization may need an extra layer of protection. For example, SharePoint sites that host the critical elements of your organization’s five-year plan, trade secret documents, or historical intellectual property collateral. These SharePoint sites are worthy of daily monitoring, and to take the security one step further you may want to block the download of files from these sites.
To that end, we now introduce block download policy that will allow you to control download behavior in SharePoint sites or OneDrives.


Today, we are thrilled to announce block download policy for SharePoint sites and OneDrives is becoming generally available. Simply set the block download policy for a SharePoint site of your choice and rest assured the content is completely secured within that site. Users can access the content only through browsers, and won’t be able to print, sync, download or access it through Office desktop apps. If you need to exempt some users, you can achieve this by configuring an exemption list of security groups.


Also, you can even specifically block download of Teams Meeting Recording files from SharePoint and OneDrive at the tenant level. Simply, run the SharePoint Admin PowerShell cmdlet Set-SPOTenant -BlockDownloadFileTypePolicy $true -BlockDownloadFileTypeIds TeamsMeetingRecording. It’s that simple! This capability is coming in Q2CY23.

 

Want to learn more about this capability? Check out Block download policy for SharePoint sites and OneDrives.

 

Figure. SharePoint admin configuring block download policy for a site in SharePoint Admin PowerShell and end user experience showing policy in action

 

We know, these are a lot of advanced management capabilities to digest and learn about! For more information about SharePoint Advanced Management and the SAM licensing information, check out the SAM product articles landing page at:
https://aka.ms/LearnSAM

 

Back to top

Get started!

 

If you are already a Microsoft 365 customer and have SharePoint licenses, then you can purchase the SAM add-on SKU from your M365 Admin Portal by simply searching for “SharePoint Advanced Management Plan 1” in the purchase services tab. You can also purchase through CSP or volume licensing enrollment.

 

If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.

 

Listen to the latest Intrazone podcast episode to hear a segment about SharePoint Advanced Management directly from the product team who built them.


To learn more about the above features in detail, check out the SAM product capabilities documentations below:


What is SAM (SharePoint/Syntex Advanced Management)
SharePoint data access governance (DAG) insights
Restricted access control (RAC) policy for SharePoint Sites
Restricted access control (RAC) policy for OneDrives
Conditional access policy for SharePoint sites and OneDrives
Secure SharePoint Document Libraries
Review recent SharePoint site actions - SharePoint in Microsoft 365 | Microsoft Learn
Block download policy for SharePoint sites and OneDrives
What’s new in SharePoint Admin Center
SharePoint and OneDrive Security Cookbook

Thank you!
Sesha Mani
Group Product Manager

 

Jolene Tam
Senior Product Marketing Manager

Updated Oct 15, 2023
Version 2.0
  • TobiasAT's avatar
    TobiasAT
    Steel Contributor

    Will be the SharePoint Advanced Management Add-on part of an E5 license package? In the past (during the Preview) some features were usable with an E5 license. 

  • skims's avatar
    skims
    Copper Contributor

    While some features exclusively benefit SharePoint site administrators, such as the SharePoint inactive sites policy, it requires licensing for every user in the tenant. This seems quite unreasonable.

  • Jonas006's avatar
    Jonas006
    Brass Contributor

    Sesha_Mani 

    Any news when the "Site Access Reviews" will be available? I just activated the trial but can't see it.
    The reporting page that is shown on the actual site to manage sharing links, is this something that will be permanently visible on the site? currently site owner/members have to download a csv to get this info but that aint user friendly. 

    Thanks in advance.

  • BRichards1385's avatar
    BRichards1385
    Copper Contributor

    It's insane to expect small businesses to add $3 per year for users that will never need to manage the security in a library or onedrive. Do you have to license every guest user too? 

     

    This should be a per admin license like so many other 365 licenses. That would makes it reasonable. 

     

    Or at least you need some kind of bundle tenant wide licenses for companies under say 100 or 75 like SBS.  A lot of SMB's moved from SBS to the cloud because it made financial and management sense. But licenses like this that unlock BASIC security that should already be there are going to push them to go back to on premise. 

  • Baelaw's avatar
    Baelaw
    Copper Contributor

    I am equally keen to understand what TobiasAT raises as we have a specific requirement to block downloads on specific SharePoint sites, this was originally available in Preview with no license wall but now sits behind the SP Advanced Management license so understanding how E5 plays a part here is key for us.

  • HanssieH's avatar
    HanssieH
    Copper Contributor

    I have M365BP and according to this site it should be possible. I was able to use the trial.

    I have a Suite, and it contains P1 

     

    Microsoft SharePoint Premium - SharePoint Advanced Management overview - SharePoint in Microsoft 365 | Microsoft Learn

     

    Licensing

    SharePoint Advanced Management is a per-user license. To use SharePoint Advanced Management, you must have a license for each user in your organization. (It's not required for guests.) Users must also be licensed for SharePoint K, P1, or P2 via standalone or a Microsoft 365 suite.