Close Menu
The Lalit Blogs
    Recent Posts
    • What’s New in SharePoint—April 2025 Updates You Should Know
    • What’s New in Microsoft Teams April 2025
    • What’s New in Microsoft 365 Copilot—April 2025 Highlights
    • What’s New in Copilot Studio: April 2025 Updates
    • Google Gemini vs Microsoft Copilot: Features, Cost & Advice

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram
    Saturday, June 7
    Facebook X (Twitter) Instagram Pinterest YouTube
    The Lalit BlogsThe Lalit Blogs
    • Microsoft Copilot
    • Microsoft 365
      • Microsoft Teams
      • Microsoft Sharepoint
      • Microsoft Power Apps
      • Microsoft Power Platform
      • Microsoft Power Automate
    • Speaker Events
    • About
    • Contact us
    Subscribe
    The Lalit Blogs
    Home»Microsoft Copilot»Small Steps Towards Better Data Governance in Microsoft 365 – Without SharePoint Advanced Management
    Microsoft Copilot

    Small Steps Towards Better Data Governance in Microsoft 365 – Without SharePoint Advanced Management

    Alex HeerBy Alex HeerOctober 21, 20241 Comment6 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Microsoft 365
    Microsoft 365
    Share
    Facebook Twitter LinkedIn Pinterest Email

    SharePoint Advanced Management is great add-on for Microsoft 365 that enhances content governance and security, helps manage content sprawl, control access and streamline content lifecycle management.

    But it comes at a cost… the add-on is an additional $3 per user per month, for everyone with an M365 license (not just your SharePoint admins).

    So if you are a large organization, this cost can really add up. Personally, I feel that offering a tenant level license would have been a more appealing option by Microsoft…

    Is the cost worth it? That’s up to you and your organization, I mean, can you really put a price on good data governance? But if you don’t want to stump up the extra cash, there are some simple ways that you still improve your posture.

    1. Review your sites that are currently set to the privacy type ‘Public’

    Public sites can be accessed by ‘everyone except external guests’ in the organization. Unless you use sensitivity labels (more to come on that…), end users can very easily set a site or team to be public on creation.

    However, they could be potentially storing sensitive information, unaware that these files would be accessible by anyone in the organization (and surfaced by Copilot).

    An administrator should therefore review what sites are currently set to Public. Depending on the number of sites and teams in your tenant, this could be done manually, or by running a PowerShell script.

    The below script will grab this information for you and export into a CSV file, which can then be reviewed.

    Connect-ExchangeOnline -ShowProgress $true 
    
    #Get All Office 365 Groups
    $GroupData = @()
    $Groups = Get-UnifiedGroup -ResultSize Unlimited -SortBy Name | Where-Object { $_.AccessType -eq "Public" } 
     
    #Loop through each Group
    $Groups | Foreach-Object {
        #Get Group Owners and members
        $GroupOwners = Get-UnifiedGroupLinks -LinkType Owners -Identity $_.Id | Select DisplayName, PrimarySmtpAddress
        $GroupMembers = Get-UnifiedGroupLinks -LinkType Members -Identity $_.Id | Select DisplayName, PrimarySmtpAddress
        $GroupData += New-Object -TypeName PSObject -Property @{
                GroupName = $_.DisplayName
                GroupEmail = $_.PrimarySmtpAddress
                Privacy = $_.AccessType            
                OwnerName = $GroupOwners.DisplayName -join "; "
                OwnerIDs = $GroupOwners.PrimarySmtpAddress -join "; "
                MemberName = $GroupMembers.DisplayName -join "; "
                MemberIDs = $GroupMembers.PrimarySmtpAddress -join "; "
                SiteURL = $_.SharePointSiteUrl
                ManagedBy = $_.ManagedByDetails
                ExternalMemberCount = $_.GroupExternalMemberCount
                LastModified = $_.WhenChanged
                GroupNotes = $_.Notes
                ServiceEndpoints = $_.ServiceEndpointUris
        }
    }
    #Get Groups Data
    $GroupData
    $GroupData | Export-Csv "C:\path\Public-m365-Groups.csv" -NoTypeInformation
    

    1.1 Find Owners for ownerless public sites

    When reviewing the list of public sites, you should first focus on sites that do not have an owner.

    If a site is ownerless, who is responsible for the site and governing how it us used and what is stored within that site?

    You could contact users who are explicitly set as ‘members’ asking if anyone wishes to step forward and become an owner (then action accordingly).

    If no-one steps forward, then you have a decision to make – should you proactively change the site privacy to ‘Private’? If you do that, and you suddenly get complaints that the site can no longer be accessed, then that’s one way to grab their attention! 

    1.2 Ask owners of public sites to review the privacy

    Contact the owners of public sites and ask them to review the privacy setting (you could do this via a mail merge, or get crafty with a Power App)

    • Should the site remain public?
    • Should it be changed to private? (if yes, who needs to be added in as members?)
    • Or can the site be deleted or archived? (no longer required)


    When you have collated their responses, you can then take necessary action. For those sites changed to private, perhaps send the owners some instructions on how they can add/remove members accordingly.

    2. Use Sensitivity Labels

    This is it’s own beast and I’ll likely post in greater detail about this in the future. But if you aren’t using these, a quick and easy way to get started would be to create sensitivity labels for ‘sites’ only. 

    The labels can then be deployed to everyone via a label policy and enforced so that any users creating a new SharePoint site or Team are prompted to select a label as a mandatory field. You can also set the most permissive sharing link allowed.

    Going back to step 1, I mentioned that all users can create public sites or teams. If that’s something that you wish to prevent, then why not publish only labels that set the privacy to ‘Private’ to end users?

    You can create a separate label policy that makes the ‘Public’ label available to only a specific group of users (such as an IT team that manage SharePoint)

    Examples:

    Label NamePrivacy TypeSharing LinksWho can see this labelNotes
    Private SitePrivateNew and Existing GuestsAll UsersDefault label.
    Private site and can share with new and existing guests.
    Sensitive SitePrivateNo external sharingAll UsersPrivate site, but prevents external sharing
    Public SitePublicNew and Existing GuestsSharePoint Team OnlyPublic site. We only want the SharePoint team to have the option to apply this label. 

    3. Check your tenants SharePoint/OneDrive Sharing settings

    It’s a very good idea to check what level of sharing you allow in your M365 tenant for SharePoint (including Teams) and OneDrive.

    As a SharePoint administrator, go to the SharePoint Admin Center > Policies > Sharing

    Using the slider, select the most permissive level of sharing link available. I’m not one to tell people, but ‘Anyone’ sharing links are a risk, because (as the name suggests) they can be accessed by ‘Anyone’ with the link, without any sign-in required.

    So a document that was shared using this link type could potentially be posted / forwarded on, outside of your control (Although links can be revoked and you can set a link expiration date)

    Hopefully these quick wins will help you in your data governance journey.

    Conclusion

    These simple steps can significantly improve your data governance without the added cost of SharePoint Advanced Management.

    By reviewing public sites, assigning ownership, using sensitivity labels, and managing sharing settings, you can protect your data while maintaining a balance between convenience and security.

    Alex Heer

    A multi-certified Microsoft Professional with 18+ years of experience, Alex specializes in Microsoft 365 collaboration tools, user adoption, and data governance, helping organizations boost productivity and manage data efficiently.


    Microsoft 365 SharePoint admin tips SharePoint Advanced Management Site ownership in M365
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleMicrosoft 365 Copilot in Excel with Python: A Game-Changer for Data Analysis
    Next Article GitHub Copilot vs Tabnine: Best AI Assistance in 2024
    Alex Heer
    • Website

    Alex Heer is a multi-certified Microsoft Professional with over 18 years of experience in IT support, infrastructure, and management. Based in Birmingham, England, Alex specializes in Microsoft 365 collaboration tools, user adoption, and data governance, with a passion for helping organizations enhance productivity and manage data seamlessly.

    Related Posts

    Microsoft Copilot

    What’s New in Microsoft 365 Copilot—April 2025 Highlights

    May 16, 2025
    Microsoft Copilot

    What’s New in Copilot Studio: April 2025 Updates

    May 7, 2025
    Microsoft Copilot

    Google Gemini vs Microsoft Copilot: Features, Cost & Advice

    April 25, 2025
    View 1 Comment

    1 Comment

    1. Rupert on October 22, 2024 12:51 pm

      Great insight! The first step I’d recommend is identifying teams that are no longer needed. Sites that meet any of these criteria are likely good candidates:

      – No activity in the last 12 months
      – No members or only one owner
      – Owners who have left the organisation
      – No attached files and no activity in the last 3 months

      Rather than asking for permission to keep these sites, I would lead with: “This team will be archived for 6 months and then deleted in accordance with our information governance policy.”

      Reply
    Leave A Reply Cancel Reply

    Top Posts

    What’s New in Microsoft 365 Copilot—April 2025 Highlights

    May 16, 2025

    What’s New in Copilot Studio: April 2025 Updates

    May 7, 2025

    Google Gemini vs Microsoft Copilot: Features, Cost & Advice

    April 25, 2025

    What’s New in Copilot Studio: March 2025 Updates

    April 22, 2025
    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • YouTube
    • LinkedIn
    • WhatsApp
    Facebook X (Twitter) Pinterest YouTube LinkedIn
    © 2025 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.