Organizations are seeing massive growth in their digital estate as they continue their digitization journey. Your business runs on content – proposals, contracts, invoices, designs, plans, training videos, and more. Every day, customers add over 1.6 billion new documents to Microsoft 365. Microsoft Syntex brings advanced AI from the Microsoft Cloud to your M365 content, simplifying your everyday business processes at scale. With this exponential content growth, it’s increasingly important to manage and govern your digital estate diligently.
For many organizations, regardless of size or geographic distribution, SharePoint site sprawl and content oversharing are real problems. Site sprawl is the high-volume creation of SharePoint sites through self-service site or Teams creation; oversharing is granting access to content beyond the audience that needs it, whether intentionally or accidentally. To help SharePoint and IT admins address both, we are thrilled to announce the general availability of the Microsoft SharePoint Advanced Management (SAM) add-on, a new set of advanced security and content management capabilities.
Customers who have existing SharePoint licenses, either standalone or through Microsoft 365/Office 365 suite, can purchase the SAM add-on SKU, which is a per-user license. Learn more at https://aka.ms/LearnSAM.
Let’s look at the SAM capabilities under two pillars:
Advanced access policies for secure collaboration
- Data access governance (DAG) insights for SharePoint sites
- Restricted access control (RAC) policy for SharePoint sites
- Restricted access control (RAC) policy for OneDrives
- Conditional access policy for SharePoint sites and OneDrives
- Secure SharePoint Document Libraries
Advanced sites content lifecycle management
- Sites lifecycle management policy for inactive sites
- Recent SharePoint Admin Actions
- Sites history
- Block download policy for SharePoint sites and OneDrives
Once you have purchased the SAM add-on and licensed it to users in your tenant, the premium advanced management capabilities appear in the SharePoint Admin Center under the new “Advanced management” tab, see below:
Figure. A SharePoint admin viewing “Advanced management” tab in the SharePoint Admin Center
Advanced access policies for secure collaboration
SharePoint data access governance (DAG) insights V1 – General Availability
As the sprawl of Teams and SharePoint sites contributes to the exponential growth of your organization’s digital estate, it’s important to know the top sites that require close attention.
A site’s lifecycle starts at creation and moves to the active state as users add content and collaborate in it. During this active state you need a way to detect and prevent oversharing and accidental sharing. Admins can now use the data access governance (DAG) insights dashboard in the SharePoint admin center for exactly that.
Today, we are happy to announce that V1 of SharePoint data access governance (DAG) insights is generally available. DAG insights help you find the top 100 and top 10,000 sites that matter most among the millions of sites you may have. Two criteria determine these top sites: 1) overshared sites, i.e. sites with the highest number of sharing links (“Anyone”, “People in your organization”, or “Specific people” links), and 2) sites with the highest number of documents carrying sensitivity labels. You can run DAG reports periodically and then monitor, validate, and tailor the sharing, device, and access policies for the sites that matter most.
In the future, we plan to expand DAG with end-to-end capabilities such as Site Access Reviews, which would let a SharePoint admin ask the owners of the top sites to review the access seen on their sites and attest that it is expected.
Interested in learning more? Check out the product article here: SharePoint Data access governance (DAG) insights.
Figure. SharePoint admin views SharePoint data access governance (DAG) insights and triggers site access review to site owners
Restricted access control (RAC) policy for SharePoint sites – General availability
Oversharing of content is another common concern. Even with the best intentions, users share content with a broader audience than intended, which often results in unauthorized access. As hybrid work and external collaboration become essential to the business, the oversharing problem grows with them.
DAG reports help you discover overshared sites in your organization. What can you do about those sites? You may want to restrict access to them so that no matter how widely the content was shared, and even where permission inheritance was broken at the document level, access is instantly confined to a defined set of users.
Today, we are excited to announce that the restricted access control (RAC) policy for SharePoint sites is generally available. With this advanced policy, you can restrict access to a Microsoft 365 Group-connected site to the current members of its parent Microsoft 365 group. Users who are not current members of the group are denied access even if the site or its content was previously shared with them, so the restriction is enforced at the site level without having to find and revoke every sharing link or item-level permission. Whenever an admin configures the RAC policy for a site, the change is recorded in the Microsoft 365 audit log.
We plan to extend this policy to all SharePoint site templates, including classic, communication, and shared channel-connected sites, by letting you configure the RAC policy for a site with an Azure Active Directory security group as the principal. This is coming to the SAM add-on in Q2CY23.
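As an added example (not code from the original post), this is how the RAC policy described above is enabled, applied, and verified with the SharePoint Online Management Shell. The admin center URL, the site URLs, and the list of overshared sites are placeholders; in practice the list would come from a DAG report export. The Get-SPOSite property name used for verification is an assumption to check against your module version.

```powershell
# Added example (not from the original post): enforce restricted access control (RAC)
# on Microsoft 365 group-connected sites with the SharePoint Online Management Shell.
# Placeholders: the admin URL, the site URLs, and the constructed list of overshared sites.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. RAC is gated by a tenant-level switch that must be on before any per-site
#    policy takes effect. Turning it back off removes the restriction everywhere.
Set-SPOTenant -EnableRestrictedAccessControl $true

# 2. Sites flagged as overshared, e.g. exported from a DAG report (constructed list).
$oversharedSites = @(
    "https://contoso.sharepoint.com/sites/ProjectFalcon",
    "https://contoso.sharepoint.com/sites/MergerDataRoom"
)

foreach ($siteUrl in $oversharedSites) {
    $site = Get-SPOSite -Identity $siteUrl

    # RAC for sites (GA) applies only to group-connected sites. GroupId is the
    # empty GUID for a site that has no parent Microsoft 365 group.
    if ($site.GroupId -eq [Guid]::Empty) {
        Write-Warning "$siteUrl is not group-connected; RAC by security group is not yet available for it."
        continue
    }

    # From here on, only current members of the parent Microsoft 365 group can
    # open the site, regardless of earlier sharing links or item-level grants.
    Set-SPOSite -Identity $siteUrl -RestrictedAccessControl $true

    # 3. Verify the setting took. (Assumption: Get-SPOSite exposes RestrictedAccessControl.)
    Get-SPOSite -Identity $siteUrl |
        Select-Object Url, GroupId, RestrictedAccessControl
}

# Rollback for a single site if the business impact turns out to be unacceptable:
# Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/ProjectFalcon" -RestrictedAccessControl $false
```

Because the policy confines access to the group's current membership, review who is in the parent Microsoft 365 group before you apply it: anyone with a legitimate need who was reaching the site only through a sharing link or item-level permission will lose access the moment the policy is set.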
To learn more about this premium feature, check out the article here: RAC Policy for SharePoint Sites.
Figure. Controlling oversharing of a group-connected site with restricted access control (RAC) policy
Restricted access control (RAC) policy for OneDrives – General Availability
Much like oversharing SharePoint sites, users also overshare their OneDrive content, especially with external users.
Today we are excited to announce that the restricted access control (RAC) policy for OneDrives is generally available. With this policy, you can restrict access to all OneDrives in your organization to a defined set of users, for example your employees and no one else. Create one or more security groups in Azure Active Directory that contain all your employees, then in the SharePoint admin center restrict OneDrive access to those groups using the Limit OneDrive Access setting. Because users outside the configured groups are denied access to OneDrive content across the tenant, validate the groups’ membership before enabling the setting.
We plan to extend this policy such that you can configure the RAC policy for a given user’s OneDrive. This capability is coming to the SAM add-on in Q2CY23.
To learn more about this feature, check out the article here: Restricted access control (RAC) policy for OneDrives.
Figure. SharePoint admin limiting access to all OneDrives to employees only, no external vendors allowed
Conditional access policies for SharePoint sites and OneDrives – General availability
The security posture of content varies with its business criticality. General training content should be easily accessible, whereas classified strategy content should be accessible only when certain conditions are met. The conditional access requirements should match each site’s security posture.
Today, we are thrilled to announce the general availability of conditional access policies for SharePoint sites and OneDrives. Use the SharePoint Online PowerShell cmdlet Set-SPOSite -Identity <site URL> -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName <context name> to tag a site with an Azure Active Directory authentication context; the Azure AD Conditional Access policy that targets that authentication context then dictates the conditions required to access the site.
For example, for a 2025 Strategy site that is expected to hold business-critical content, you can configure the policy to require MFA (multi-factor authentication) for all users. Users face the additional authentication requirement only when they try to access sites or teams that contain business-critical information.
You can apply the same controls to OneDrive. For example, for the OneDrive accounts of your senior leadership team, you can configure a conditional access policy that always requires a managed device.
If your organization already has sensitivity labels deployed, you can also associate the authentication context with a sensitivity label and simply label the sites or teams appropriately.
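As an added example (not code from the original post), the following script tags the 2025 Strategy site and a senior leader's OneDrive with authentication contexts and then lists sites still on the tenant default so coverage gaps are visible. The admin URL, site and OneDrive URLs, and the authentication context names are placeholders; the contexts and the Conditional Access policies that target them must already exist in Azure AD. The property names used in the verification step are an assumption to check against your module version.

```powershell
# Added example (not from the original post): tag a business-critical site and a
# OneDrive with Azure AD authentication contexts so the Conditional Access policies
# scoped to those contexts (e.g. "require MFA", "require managed device") are
# enforced on access. Placeholders: admin URL, site URL, OneDrive URL, context names.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Prerequisite, done in Azure AD: an authentication context with this display
# name exists and at least one Conditional Access policy targets it. SharePoint
# only references the context; the conditions themselves live in that policy.
$contextName = "Business critical"

# 1. Site-level: the 2025 Strategy site requires the "Business critical" context.
$siteUrl = "https://contoso.sharepoint.com/sites/Strategy2025"
Set-SPOSite -Identity $siteUrl `
    -ConditionalAccessPolicy AuthenticationContext `
    -AuthenticationContextName $contextName

# 2. A OneDrive is a site collection too, so the same cmdlet applies to its URL.
#    Here a senior leader's OneDrive is tied to a "managed device" context.
$oneDriveUrl = "https://contoso-my.sharepoint.com/personal/ceo_contoso_com"
Set-SPOSite -Identity $oneDriveUrl `
    -ConditionalAccessPolicy AuthenticationContext `
    -AuthenticationContextName "Managed device required"

# 3. Verify both. (Assumption: ConditionalAccessPolicy and AuthenticationContextName
#    are returned by Get-SPOSite -Identity.)
foreach ($url in @($siteUrl, $oneDriveUrl)) {
    Get-SPOSite -Identity $url |
        Select-Object Url, ConditionalAccessPolicy, AuthenticationContextName
}

# 4. Coverage check: every site (including OneDrives) still on the tenant default
#    AllowFullAccess, i.e. with no site-level conditional access policy.
Get-SPOSite -Limit All -IncludePersonalSite $true |
    Where-Object { $_.ConditionalAccessPolicy -eq "AllowFullAccess" } |
    Select-Object Url, ConditionalAccessPolicy

# Revert a site to the tenant default:
# Set-SPOSite -Identity $siteUrl -ConditionalAccessPolicy AllowFullAccess
```

Test the Conditional Access policy with a pilot account before tagging production sites: if the authentication context name does not match a context that a policy targets, the tag has no effect and the site stays as accessible as before.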
To learn more about this feature, check out the product article here: Conditional access policy for sites.
Figure. Securing a SharePoint site with conditional access policy that requires MFA (multi-factor-authentication)
Secure SharePoint Document Libraries – General Availability
SharePoint document libraries are the primary storage location for your documents. Although you can control access to a library through tailored permissions, until now there has been no way to apply label-based protection such as encryption or watermarking at the library level. We are raising the security posture of SharePoint document libraries by letting site owners set those policies through a sensitivity label.
Today, we are thrilled to announce that Secure SharePoint Document Libraries will be generally available on April 1, 2023. With this capability you can protect a document library, and the Office documents it holds, from the day a document is created in or uploaded to it.
Set the appropriate sensitivity label as the library’s default label using Library settings in the site’s settings panel. From then on, documents that are newly created or modified in that library are automatically assigned the library’s label and protected by the policies associated with it; a document that already carries a higher-priority label keeps that label. If the label has an encryption policy, the protection travels with the document even after it is downloaded from the library.
Learn more about this capability here: Secure SharePoint Document Libraries.
Figure. Site owner setting a default sensitivity label for a SharePoint document library
Advanced sites lifecycle management
Sites lifecycle policies – Inactive sites – Coming in Q2CY23
A site in an active state may become inactive, perhaps after a few years. With the sprawl of sites, how do you discover sites that have become inactive and act on them? Standing access to inactive SharePoint sites, especially by external vendors and third-party applications, is a common source of data leakage and security incidents.
Today, we are thrilled to announce the SharePoint inactive sites policy, coming in Q2CY23. With this advanced management capability, admins can create a tailored inactive site policy that targets specific SharePoint sites (for example, Teams-created sites, sites labelled Public, or sites in the Research information segment) and notifies the respective site owners. Owners of these inactive sites can then decide to keep them, delete them, or take other action.
As the SharePoint admin you can also apply the RAC (restricted access control) policy to these inactive sites to protect the content and remove any standing access by unauthorized users.
If a SharePoint site is connected to Teams, inactivity is determined by evaluating user activity in both Teams and the connected SharePoint site, and the Teams owners are notified along with the site owners.
This policy is included in the SAM add-on and will activate in your tenant once ready. Stay tuned for more updates on this policy enablement in the upcoming quarter Q2CY23.
Figure. SharePoint admin creates an inactive site policy in SharePoint admin center and site owner responds to the policy notification
Recent admin actions by SharePoint admins – General availability
As the SharePoint admin managing the content lifecycle in your tenant, you make many configuration changes. A consolidated view of your recent changes in the SharePoint admin center comes in handy when an unintentional change risks disrupting your users and you need to find and undo it.
Today, we are excited to announce that Recent Admin Actions (RAA) in the SharePoint Admin Center is generally available. The new recent admin actions panel shows the latest changes you make to site properties such as site name, site URL, sharing settings, and storage limit, and lets you view and export 30 days’ worth of changes. The panel shows the actions taken by you, the signed-in SharePoint admin, for the current session.
Soon, we will also showcase SharePoint tenant settings changes, such as sharing settings or quota changes, in this panel so that you get full visibility.
To learn more, check out Recent Admin Actions product article: Review recent SharePoint site actions - SharePoint in Microsoft 365 | Microsoft Learn
Figure. SharePoint admin viewing recent actions panel in SharePoint Admin Center
SharePoint Site history – Coming in Q2CY23
As SharePoint admins, often you are tasked with troubleshooting inaccessible team sites. Also, to understand and manage a site’s lifecycle, it is imperative to know all the activities carried out by site owners. The new Site History capability in SharePoint admin center aims to address these needs.
Today we are thrilled to announce SharePoint Site History general availability coming in Q2CY23. Site History capability shows every change site owners and admins have made to site properties. This historical view helps you investigate and resolve helpdesk tickets in hours rather than days.
This capability is included in the SAM add-on and will activate in your tenant once ready. Stay tuned for more updates on this capability in the upcoming quarter, Q2CY23.
Figure. SharePoint admin viewing site history in SharePoint Admin Center
Block download policy for SharePoint sites and OneDrives – General Availability
Whether active or inactive, certain SharePoint sites in your organization may need an extra layer of protection, for example sites that host the critical elements of your five-year plan, trade secret documents, or historical intellectual property. These sites deserve daily monitoring, and to take security one step further you may want to block the download of files from them.
To that end, we are introducing the block download policy, which lets you control download behavior for SharePoint sites and OneDrives.
Today, we are thrilled to announce that the block download policy for SharePoint sites and OneDrives is generally available. Set the block download policy on a SharePoint site and users can access its content only through the browser: they cannot print, sync, or download files, or open them in Office desktop apps. If some users need to be exempt, configure an exemption list of security groups. Note that the policy controls how files can be accessed; it does not encrypt them, so pair it with sensitivity labels where the content also needs protection outside the site.
You can also block download of Teams meeting recording files from SharePoint and OneDrive at the tenant level by running the SharePoint Online Management Shell cmdlet Set-SPOTenant -BlockDownloadFileTypePolicy $true -BlockDownloadFileTypeIds TeamsMeetingRecording. This capability is coming in Q2CY23.
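As an added example (not code from the original post), this script applies the block download policy to one sensitive site with exemptions for site owners and a security group, enables the tenant-wide Teams meeting recording block described above, and verifies both. The admin URL, site URL, and security group object ID are placeholders, and the exclusion parameters and verification property names are assumptions to check against your module's Get-Help output.

```powershell
# Added example (not from the original post): block download on a sensitive site,
# exempt site owners and one security group, block Teams meeting recording
# downloads tenant-wide, then verify. Placeholders: admin URL, site URL, group ID.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$siteUrl = "https://contoso.sharepoint.com/sites/FiveYearPlan"

# Object ID (GUID) of the Azure AD security group that may still download, e.g.
# the strategy office. Placeholder value; look it up in Azure AD before running.
$exemptGroupId = "00000000-0000-0000-0000-000000000000"

# 1. Block download on the site: files open in the browser only, with no
#    download, print, sync, or Office desktop app access, except for site owners
#    and members of the exempt group. (Assumption: exclusion parameter names.)
Set-SPOSite -Identity $siteUrl -BlockDownloadPolicy $true `
    -ExcludeBlockDownloadPolicySiteOwners $true `
    -ExcludedBlockDownloadGroupIds $exemptGroupId

# 2. Tenant-wide: block download of Teams meeting recordings stored in
#    SharePoint and OneDrive.
Set-SPOTenant -BlockDownloadFileTypePolicy $true `
    -BlockDownloadFileTypeIds TeamsMeetingRecording

# 3. Verify. (Assumption: these properties are exposed by Get-SPOSite / Get-SPOTenant.)
Get-SPOSite -Identity $siteUrl |
    Select-Object Url, BlockDownloadPolicy, ExcludeBlockDownloadPolicySiteOwners, ExcludedBlockDownloadGroupIds
Get-SPOTenant |
    Select-Object BlockDownloadFileTypePolicy, BlockDownloadFileTypeIds

# Rollback:
# Set-SPOSite -Identity $siteUrl -BlockDownloadPolicy $false
# Set-SPOTenant -BlockDownloadFileTypePolicy $false
```

After applying the policy, sign in as a non-exempt test user and confirm that the download, print, and sync options are gone and that the files no longer open in the desktop apps; then sign in as a member of the exempt group to confirm the exemption works as intended.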
Want to learn more about this capability? Check out Block download policy for SharePoint sites and OneDrives.
Figure. SharePoint admin configuring block download policy for a site in SharePoint Admin PowerShell and end user experience showing policy in action
We know, these are a lot of advanced management capabilities to digest and learn about! For more information about SharePoint Advanced Management and the SAM licensing information, check out the SAM product articles landing page at:
https://aka.ms/LearnSAM
Get started!
If you are already a Microsoft 365 customer and have SharePoint licenses, then you can purchase the SAM add-on SKU from your M365 Admin Portal by simply searching for “SharePoint Advanced Management Plan 1” in the purchase services tab. You can also purchase through CSP or volume licensing enrollment.
If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.
Listen to the latest Intrazone podcast episode to hear a segment about SharePoint Advanced Management directly from the product team that built it.
To learn more about the above features in detail, check out the SAM product capabilities documentations below:
• What is SAM (SharePoint/Syntex Advanced Management)
• SharePoint data access governance (DAG) insights
• Restricted access control (RAC) policy for SharePoint Sites
• Restricted access control (RAC) policy for OneDrives
• Conditional access policy for SharePoint sites and OneDrives
• Secure SharePoint Document Libraries
• Review recent SharePoint site actions - SharePoint in Microsoft 365 | Microsoft Learn
• Block download policy for SharePoint sites and OneDrives
• What’s new in SharePoint Admin Center
• SharePoint and OneDrive Security Cookbook
Thank you!
Sesha Mani
Group Product Manager
Jolene Tam
Senior Product Marketing Manager