Implement SharePoint Advanced Management tools to prepare for Microsoft 365 Copilot


As your organization prepares to enable Microsoft 365 Copilot, it’s crucial to properly govern your organization's SharePoint data to ensure Copilot's results are appropriate, accurate, and compliant. Understanding the significance of content governance in SharePoint when using Copilot begins with knowing how Copilot works through three components:

  • Large language models (LLMs)
  • The Microsoft 365 productivity apps that you use every day, such as Word, Excel, PowerPoint, Outlook, Teams, and others.
  • Content in Microsoft Graph

When a user makes a request to Copilot, it processes the request using large language models (LLMs). It then generates a response with LLMs by using content from Microsoft Graph and web content (optional). Content in Microsoft Graph includes emails, files, meetings, chats, calendars, and contacts. A significant portion of this content is stored as SharePoint files.

When you share documents with others, these documents become data stored on SharePoint sites, document libraries, and OneDrive. These documents can be: a Word document shared by a colleague, a presentation that you're working on with your team, meeting recordings, project notes you created in Loop and OneNote, and more. To ensure assistance provided by Copilot is appropriate, accurate, and compliant, it's crucial for organizations to ensure that their SharePoint data is appropriately governed from the following three aspects:

  • Manage content sprawl. Content sprawl occurs when digital content accumulates without proper management across various storage locations in an organization. This situation leads to difficulties in accessing information, higher storage expenses, security vulnerabilities, and compliance complexities. You can tackle content sprawl by:
    • Implementing governance strategies and utilizing tools that centralize control
    • Optimizing storage efficiency
    • Upholding secure data management practices
    • Reducing content duplication
    • Ensuring well-planned content creation
    • Ensuring all sites and content are well managed and governed by site owners
  • Prevent content oversharing and control content access. Copilot analyzes the data stored in SharePoint and OneDrive sites to provide insights and automate tasks across your organization. Confidential data from content in SharePoint and OneDrive sites can populate in Copilot's generated insights, posing security and privacy risks. SharePoint administrators and site owners can use tools to prevent users from oversharing content. Admins can also limit content access by Copilot with user group settings and other tools.
  • Manage content lifecycle. Effective lifecycle management not only ensures streamlined governance and enhanced collaboration but also optimizes storage, maintains data integrity, and supports regulatory compliance. In doing so, content lifecycle management ultimately improves efficiency and security by removing inactive and outdated content and sites. Doing so ensures the information Copilot accesses is accurate and up to date.

Microsoft helps organizations address their data governance needs through Microsoft SharePoint Premium - SharePoint Advanced Management (SAM). SAM is an essential add-on for Microsoft 365 that organizations should strongly consider implementing as they prepare for Microsoft 365 Copilot. SAM equips IT administrators with a powerful suite of tools to bolster content governance throughout the Microsoft Copilot deployment journey.

Whether preparing for a Copilot deployment or managing content post-implementation, SAM offers capabilities to:

  • Prevent content sprawl
  • Streamline access management for SharePoint and OneDrive sites
  • Analyze usage patterns through comprehensive reporting

Diagram showing the pillars of SharePoint Advanced Management.

Microsoft recommends utilizing SharePoint Advanced Management features along with its best practices with SharePoint to reduce the risk of oversharing, control content sprawl, and manage content lifecycle. IT administrators with access to the SharePoint admin center can manage SharePoint Advanced Management features. Site owners can also access some of the SAM features.

To get ready for your organization’s Microsoft 365 Copilot adoption, there are a few highly recommended steps you can take, primarily using SharePoint Advanced Management tools. The following sections examine the specific steps you can take to reduce accidental oversharing, minimize your content governance footprint, improve Copilot response quality, control content access by Copilot, and ensure data safety specifically for business-critical sites.

Step 1: Reduce accidental oversharing with SharePoint sharing settings

To minimize accidental content oversharing within Copilot results, it's crucial to implement the best practice sharing settings. Proactive safeguards are key. To effectively prepare your organization for Copilot, you should set the appropriate sharing settings for end users at both the organization and site levels.

At the organization level:

  • Update sharing link defaults for your tenant from organization-wide sharing to specific people links.
  • Consider hiding broad-scope permissions from your end users to reduce risks around accidental misuse. This example hides "Everyone Except External Users" in the People Picker control so that no end user can use it.

At the site level:

  • Consider educating site admins on the site-level controls they can use to restrict members from sharing. One key setting here ensures that Site Owners are the recipients of access requests.
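The same Step 1 sharing defaults can be set from the SharePoint Online Management Shell, which also makes them easy to audit. This is an added example, not code from the module; it assumes the Set-SPOTenant and Set-SPOSite parameters shown behave as documented for that shell, and the tenant and site URLs are constructed placeholders.

```powershell
# Added example: apply the Step 1 sharing settings with PowerShell and read them back.
# Assumes the SharePoint Online Management Shell is installed; URLs are constructed.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl = 'https://contoso-admin.sharepoint.com'               # placeholder tenant
$SiteUrl  = 'https://contoso.sharepoint.com/sites/research'      # a site to tighten

Connect-SPOService -Url $AdminUrl

# Organization level: default new sharing links to "specific people" (Direct)
# instead of organization-wide links, and hide the broad
# "Everyone except external users" claim from the People Picker.
Set-SPOTenant -DefaultSharingLinkType Direct `
              -ShowEveryoneExceptExternalUsersClaim $false

# Site level: keep the "specific people" default on a sensitive site and
# reserve sharing for site owners so members cannot widen access themselves.
Set-SPOSite -Identity $SiteUrl -DefaultSharingLinkType Direct
Set-SPOSite -Identity $SiteUrl -DisableSharingForNonOwners

# Verification: expect Direct and False at the tenant, Direct on the site.
Get-SPOTenant | Select-Object DefaultSharingLinkType, ShowEveryoneExceptExternalUsersClaim
Get-SPOSite -Identity $SiteUrl | Select-Object Url, DefaultSharingLinkType

Disconnect-SPOService
```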

Step 2: Clean up unused sites to manage content sprawl

Organizations can manage content sprawl by running the Inactive SharePoint sites policy feature from SharePoint Advanced Management. This policy combats content sprawl by automatically identifying and managing inactive SharePoint sites. It enables you to define inactivity criteria, such as lack of updates or user activity over a set period. Once a site meets these criteria, its owners receive email notifications asking them to confirm whether the site is active or inactive.

This SAM policy enables organizations to reduce their governance footprint and improve Copilot response quality. Inactive sites often contain outdated content, cluttering Copilot’s data source and leading to less accurate responses. Removing these sites helps Copilot focus on current information for better results.

  • In less than five minutes you can set up and run an Inactive sites policy in Simulation mode to identify sites that users haven't accessed for an extended (configurable) period of time.
  • Once the report is generated, select the Get AI insights button to generate AI insights for the report that help you identify issues with the sites and possible actions to address them.
  • Once ready, set the policy to Active mode to notify the Site Owner to attest whether the site is still needed.

The AI insights feature for SharePoint Advanced Management uses a language model to identify patterns and potential issues from reports and to provide actionable recommendations for solving them. You can find the Get AI insights button next to various reports in the SharePoint admin center. When you select it, the feature extracts patterns from the report and offers a list of potential actions.

Screenshot of the AI insights pane for a selected inactive site policy.

Step 3: Identify sites with potentially overshared content

When you don't look at the actual content on sites, how can you quickly identify sites with potentially overshared content? Content on a site is more likely to be overshared if you see it shared with one of the following options: Everyone Except External Users, People in your organization, or Anyone. SharePoint Advanced Management provides three activity-based reports, one for each of these sharing options, that let you quickly identify the most actively overshared sites.

Sites with these three types of usage are at a greater risk of oversharing compared to sites without such usages. Once the report is generated, select the Get AI insights button to get AI insights generated for the report. These insights can help you identify issues with the sites and provide possible actions to address these issues.

SharePoint Advanced Management also ensures that confidential data in SharePoint and OneDrive sites is securely handled and accessed only by authorized users and/or security groups, maintaining the integrity and security of the insights generated by Copilot. When you prevent oversharing and manage access effectively, you can ensure that Copilot's collaboration features are optimized. These actions lead to more efficient and secure use of Copilot across your organization. The following SAM tools can help limit Copilot's access to confidential data.

Data access governance insights

The Data access governance insights feature lets you view reports that identify sites that contain potentially overshared or sensitive content. You can use these reports to assess and apply appropriate security and compliance policies.

Screenshot of the data access governance reports dashboard.

Block download policy for SharePoint and OneDrive sites

You can use the Block download policy for SharePoint and OneDrive sites tool from SharePoint Advanced Management to block the download of files from SharePoint sites or OneDrive without needing to use Microsoft Entra Conditional Access policies. Blocking download of files allows users to remain productive while addressing the risk of accidental data loss. Users have browser-only access with no ability to download, print, or sync files. This SAM policy also blocks users from accessing content through apps, including the Microsoft Office desktop apps. When web access is limited, users see this message at the top of sites: "Your organization doesn't allow you to download, print, or sync from this site. For help, contact your IT department."

This SAM policy is enabled through a PowerShell command that you must run in the SharePoint Online Management Shell. You must begin by connecting to SharePoint as a SharePoint Administrator in Microsoft 365. To learn how, see Getting started with SharePoint Online Management Shell.

Once you're connected to the SharePoint Online Management Shell, you must run the following command:

Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true

For example:

Set-SPOSite -Identity https://contoso.sharepoint.com/sites/research -BlockDownloadPolicy $true

You can apply this cmdlet to OneDrive as well by changing the URL. For example, to change the URL to the OneDrive account for a user named John, you would use a URL such as: https://contoso-my.sharepoint.com/personal/John.

The following parameters can be used with this cmdlet to fine-tune it:

  • -ExcludeBlockDownloadPolicySiteOwners $true

    Exempts site owners from the policy; they can fully download any content for the site.

  • -ExcludedBlockDownloadGroupIds <comma separated group IDs>

    Exempts users in the listed groups from the policy; they can fully download any content for the site.

  • -ExcludeBlockDownloadSharePointGroups <comma separated group names>

    Exempts users in the listed SharePoint groups from the policy; they can fully download any content for the site.

  • -ReadOnlyForBlockDownloadPolicy $true

    Marks the site as read-only in addition to preventing downloads.
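Putting the cmdlet and its fine-tuning parameters together, the following added example (not code from the module) applies the block download policy to a SharePoint site and a OneDrive account in one pass, exempting site owners and a security group, and then reads the settings back. It assumes Get-SPOSite -Detailed exposes the policy properties it selects; the URLs and the group ID are constructed placeholders.

```powershell
# Added example: roll out the SAM block download policy to several targets and verify it.
# Assumes the SharePoint Online Management Shell is installed and that Get-SPOSite -Detailed
# returns the BlockDownloadPolicy-related properties; values below are constructed.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl = 'https://contoso-admin.sharepoint.com'
$Targets  = @(
    'https://contoso.sharepoint.com/sites/research',        # a SharePoint site
    'https://contoso-my.sharepoint.com/personal/John'       # a OneDrive account
)
# Entra security group(s) whose members may still download; placeholder GUID.
$ExemptGroupIds = @('00000000-0000-0000-0000-000000000000')

Connect-SPOService -Url $AdminUrl

foreach ($site in $Targets) {
    # Block download, print and sync for everyone except site owners and the
    # exempt groups, and make the site read-only so content cannot be altered.
    Set-SPOSite -Identity $site `
        -BlockDownloadPolicy $true `
        -ExcludeBlockDownloadPolicySiteOwners $true `
        -ExcludedBlockDownloadGroupIds ($ExemptGroupIds -join ',') `
        -ReadOnlyForBlockDownloadPolicy $true
}

# Verification: read the effective settings back for each target and keep a record.
$Report = foreach ($site in $Targets) {
    Get-SPOSite -Identity $site -Detailed |
        Select-Object Url, BlockDownloadPolicy,
            ExcludeBlockDownloadPolicySiteOwners,
            ExcludedBlockDownloadGroupIds,
            ReadOnlyForBlockDownloadPolicy
}
$Report | Format-Table -AutoSize

Disconnect-SPOService
```

Any target that still shows BlockDownloadPolicy as False after the run should be investigated before Copilot is enabled for its users.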

Conditional access policy for SharePoint and OneDrive sites

SharePoint Advanced Management also includes a Conditional access policy for SharePoint and OneDrive sites that lets you enforce stringent access conditions when users access SharePoint sites. Authentication contexts can be directly applied to sites or used with sensitivity labels to connect Microsoft Entra Conditional Access policies to labeled sites.

Screenshot of the conditional access policy dashboard.

Step 4: Control access to content

Before enabling Copilot for your organization and tenant, you can proactively set policies to restrict access to sites and manage content discoverability during Copilot and tenant-wide search. When you use Microsoft Copilot, the results come from content in Microsoft Graph, based on each individual user’s profile and permissions. In Step 3, you identified sites with potentially overshared content. Next, you want to ensure Copilot only has access to content when appropriate. Currently, you can initiate a Site Access Review for site owners to confirm overshared content and take remediation steps. Meanwhile, the SharePoint administrator can use the following Restricted Access Control policies in SharePoint Advanced Management to restrict access to a site or OneDrive account with overshared content.

  • Restricted access control for SharePoint. You can prevent sites and content from being discovered at the site level by enabling the Restricted access control for SharePoint sites policy. Site access restriction allows only users in the specified security group or Microsoft 365 group to access content. This policy can be used with Microsoft 365 group-connected, Teams-connected, and non-group-connected sites.
  • Restricted access control for OneDrive. You can limit access to shared content of a user's OneDrive to only people in a security group with the Restricted access control for OneDrive policy. Once the policy is enabled, anyone who isn't in the designated security group can't access content in that OneDrive even if it was previously shared with them. To block users from accessing OneDrive as a service, you can enable the Restrict OneDrive service access feature.

Step 5: Take proactive measures on business-critical sites

For business-critical sites, you should take proactive measures to ensure the content is appropriately shared, and access to content is limited to the minimum level. You can lock down your most important sites with the following measures:

  • Use Restricted Access Control (RAC) to proactively protect against oversharing. Even better: as part of your custom site provisioning process, configure RAC policy on new sites from the get-go and proactively avoid oversharing forever.
  • Consider blocking downloads from selected sites via a block download policy. Or specifically block the download of Teams meeting recordings and transcripts.
  • Finally, consider applying an encryption action with "extract rights" enforced on business-critical Office documents.
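The first two measures above can be scripted into a site provisioning process so that a new business-critical site starts locked down. The following is an added example, not the module's own code: it assumes RAC is switched on once per tenant with Set-SPOTenant -EnableRestrictedAccessControl and that a non-group-connected site takes its allowed groups through -RestrictedAccessControlGroups; the site URL and group GUID are constructed placeholders.

```powershell
# Added example: provisioning-time lockdown for a business-critical site that combines
# Restricted Access Control (RAC) with the block download policy from Step 3.
# Assumptions (see lead-in): RAC parameter names and the tenant-level prerequisite.
Import-Module Microsoft.Online.SharePoint.PowerShell

function Protect-CriticalSite {
    param(
        [Parameter(Mandatory)] [string]   $SiteUrl,
        [Parameter(Mandatory)] [string[]] $AllowedGroupIds,   # Entra security group GUIDs
        [switch] $ReadOnly
    )
    # 1. Only members of the listed security groups can reach the site at all,
    #    regardless of any item-level sharing that happens later.
    Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true `
        -RestrictedAccessControlGroups ($AllowedGroupIds -join ',')

    # 2. Those who can get in view in the browser only: no download, print or sync.
    #    Site owners stay exempt so they can still manage their own content.
    Set-SPOSite -Identity $SiteUrl -BlockDownloadPolicy $true `
        -ExcludeBlockDownloadPolicySiteOwners $true `
        -ReadOnlyForBlockDownloadPolicy ([bool]$ReadOnly)

    # Return the effective settings so the provisioning pipeline can log them.
    Get-SPOSite -Identity $SiteUrl -Detailed |
        Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups,
            BlockDownloadPolicy, ReadOnlyForBlockDownloadPolicy
}

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# One-time tenant prerequisite for RAC (assumption, see lead-in).
Set-SPOTenant -EnableRestrictedAccessControl $true

# Lock down a newly provisioned site; the GUID is a placeholder.
Protect-CriticalSite -SiteUrl 'https://contoso.sharepoint.com/sites/board-papers' `
    -AllowedGroupIds @('00000000-0000-0000-0000-000000000000') -ReadOnly

Disconnect-SPOService
```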

New SharePoint Advanced Management policies coming soon

The following policies are currently in preview and will soon be generally available in SharePoint Advanced Management.

Use the Site Ownership policy to ensure all sites have valid owners

Site owners are the critical role on point for executing governance tasks at scale. Specifically, you need site owners to:

  • Help attest whether inactive sites are still needed (Step 2, cleaning up unused sites).
  • Perform Site Access Reviews to confirm whether potentially overshared content is indeed overshared, and take remediation steps to address oversharing risks (Step 4, controlling access).

It's essential to confirm all sites have valid owners before cleaning up unused sites and asking owners to take care of overshared content. SharePoint Advanced Management's Site Ownership policy helps identify ownerless sites and find the appropriate owners when needed. You can run a Site Ownership policy in Simulation mode to identify any sites that don't have a minimum of two owners. You can set up the policy in simulation mode to identify owners based on your desired criteria. You can then upgrade the policy to Active mode to enable notifications to site owner candidates.

Use the Inactive Sites – Read only and Inactive Sites – Archive policies to clean up unused sites

After identifying inactive sites (see Step 2), you should ask site owners to attest whether the sites are still needed. If the site owners confirm the sites aren't needed, you must either put the sites in read-only mode or move them to Microsoft 365 Archive. With this feature, you can use the Inactive Sites – Read only and Inactive Sites – Archive capabilities to perform the following actions at scale:

  • Make the site read only
  • Move the site to Microsoft 365 Archive

Use the Oversharing Baseline Report for Sites, OneDrive accounts, and Files policy to identify oversharing risks

Step 3 examined how to run three SAM usage reports to identify potentially overshared content. With this upcoming feature, you can run a single report to learn where content overexposure risk exists in all sites on your tenant, regardless of site activities.

  • You can start by running an “Oversharing Baseline Report for Sites, OneDrive accounts, and Files” report from the Data Access Governance (DAG) PowerShell commands in the SharePoint Online PowerShell module. This report scans all sites in your tenant, and lists sites that share content with more than a specified number of users (you specify the number).
  • You can sort, filter or download the report, and identify the sites with potentially overshared content.

Use the Restricted Content Discoverability policy to further control accidental content discoverability

In Step 4, you were advised to begin with the Site Access Review policy to verify whether the potentially overshared content identified in Step 3 is truly overshared. Following this step, you can apply the Restricted Access Control policy to limit access to designated user groups. With the new Restricted Content Discoverability policy that's coming soon, you can further control accidental content discoverability by preventing the content from being available to Microsoft 365 Copilot and organization-wide search experiences.

The Restricted Content Discoverability policy leaves site access permissions unchanged. However, it prevents the site’s content from being surfaced in Microsoft 365 Copilot or organization-wide search. The SharePoint administrator can set Restricted Content Discoverability on that site.

Use AI Powered Semantic matching to find similar sites

You discovered a site containing crucial business data that lacks proper protection. Are there more sites like it with similar weaknesses? Soon, AI Powered Semantic matching will help you locate those sites, using the site you discovered as the example. The tool reads through all your sites, including content, files, and metadata, and returns a list of sites similar to your example site.