SharePoint Advanced Management is a great add-on for Microsoft 365 that enhances content governance and security, helps manage content sprawl, controls access and streamlines content lifecycle management.
But it comes at a cost… the add-on is an additional $3 per user per month, for everyone with an M365 license (not just your SharePoint admins).
So if you are a large organization, this cost can really add up. Personally, I feel that offering a tenant-level license would have been a more appealing option from Microsoft…
Is the cost worth it? That’s up to you and your organization, I mean, can you really put a price on good data governance? But if you don’t want to stump up the extra cash, there are some simple ways that you can still improve your posture.
1. Review your sites that are currently set to the privacy type ‘Public’
Public sites can be accessed by ‘everyone except external guests’ in the organization. Unless you use sensitivity labels (more on that later…), end users can very easily set a site or team to Public on creation.
However, they could potentially be storing sensitive information, unaware that these files are accessible to anyone in the organization (and surfaced by Copilot).
An administrator should therefore review what sites are currently set to Public. Depending on the number of sites and teams in your tenant, this could be done manually, or by running a PowerShell script.
The script below will grab this information for you and export it into a CSV file, which can then be reviewed.
```powershell
# Connect to Exchange Online (Microsoft 365 Groups are managed through the EXO module)
Connect-ExchangeOnline -ShowProgress $true

# Get all Microsoft 365 Groups whose privacy type is Public
$GroupData = @()
$Groups = Get-UnifiedGroup -ResultSize Unlimited -SortBy Name |
    Where-Object { $_.AccessType -eq "Public" }

# Loop through each group and collect its owners and members
$Groups | ForEach-Object {
    $GroupOwners  = Get-UnifiedGroupLinks -LinkType Owners  -Identity $_.Id | Select-Object DisplayName, PrimarySmtpAddress
    $GroupMembers = Get-UnifiedGroupLinks -LinkType Members -Identity $_.Id | Select-Object DisplayName, PrimarySmtpAddress

    # [PSCustomObject] keeps the property order, so the CSV columns come out in this order
    $GroupData += [PSCustomObject]@{
        GroupName           = $_.DisplayName
        GroupEmail          = $_.PrimarySmtpAddress
        Privacy             = $_.AccessType
        OwnerName           = $GroupOwners.DisplayName -join "; "
        OwnerIDs            = $GroupOwners.PrimarySmtpAddress -join "; "
        MemberName          = $GroupMembers.DisplayName -join "; "
        MemberIDs           = $GroupMembers.PrimarySmtpAddress -join "; "
        SiteURL             = $_.SharePointSiteUrl
        ManagedBy           = $_.ManagedByDetails
        ExternalMemberCount = $_.GroupExternalMemberCount
        LastModified        = $_.WhenChanged
        GroupNotes          = $_.Notes
        ServiceEndpoints    = $_.ServiceEndpointUris
    }
}

# Show the collected data and export it to CSV for review
$GroupData
$GroupData | Export-Csv "C:\path\Public-m365-Groups.csv" -NoTypeInformation
```
1.1 Find Owners for ownerless public sites
When reviewing the list of public sites, you should first focus on sites that do not have an owner.
If a site is ownerless, who is responsible for the site and for governing how it is used and what is stored within it?
You could contact users who are explicitly set as ‘members’ asking if anyone wishes to step forward and become an owner (then action accordingly).
If no-one steps forward, then you have a decision to make – should you proactively change the site privacy to ‘Private’? If you do that, and you suddenly get complaints that the site can no longer be accessed, then that’s one way to grab their attention!
1.2 Ask owners of public sites to review the privacy
Contact the owners of public sites and ask them to review the privacy setting (you could do this via a mail merge, or get crafty with a Power App):
- Should the site remain public?
- Should it be changed to private? (if yes, who needs to be added in as members?)
- Or can the site be deleted or archived? (no longer required)
When you have collated their responses, you can then take necessary action. For those sites changed to private, perhaps send the owners some instructions on how they can add/remove members accordingly.
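As an added example (not from the original post), the following works on the CSV produced by the step 1 script and supports steps 1.1 and 1.2: it lists the members to contact for ownerless public sites, builds a one-row-per-owner file for the privacy review mail merge, and wraps the optional "flip to Private" remediation in a function that honours -WhatIf. The file paths and the Set-GroupPrivate function name are assumptions; Set-UnifiedGroup needs the Exchange Online session from step 1.

```powershell
# Added example: post-processing of the step 1 export (path assumed to match the step 1 script)
$report = Import-Csv "C:\path\Public-m365-Groups.csv"

# 1.1 Ownerless public sites: OwnerIDs is empty when Get-UnifiedGroupLinks returned no owners
$ownerless = $report | Where-Object { [string]::IsNullOrWhiteSpace($_.OwnerIDs) }
$ownerless |
    Select-Object GroupName, GroupEmail, SiteURL,
        @{ Name = "MembersToContact"; Expression = { $_.MemberIDs } } |
    Export-Csv "C:\path\Ownerless-Public-Groups.csv" -NoTypeInformation

# 1.2 One row per owner per public site, ready for a mail merge asking them to review privacy
$report | Where-Object { -not [string]::IsNullOrWhiteSpace($_.OwnerIDs) } |
    ForEach-Object {
        $site = $_
        $site.OwnerIDs -split ";\s*" | Where-Object { $_ } | ForEach-Object {
            [PSCustomObject]@{
                OwnerEmail  = $_
                GroupName   = $site.GroupName
                SiteURL     = $site.SiteURL
                MemberCount = @($site.MemberIDs -split ";\s*" | Where-Object { $_ }).Count
            }
        }
    } | Export-Csv "C:\path\Public-Site-Owner-Review.csv" -NoTypeInformation

# Optional remediation for 1.1 when nobody steps forward: set the group to Private.
# Hypothetical helper; run with -WhatIf first to see which groups would change.
function Set-GroupPrivate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$GroupEmail)
    foreach ($email in $GroupEmail) {
        if ($PSCmdlet.ShouldProcess($email, "Set AccessType to Private")) {
            Set-UnifiedGroup -Identity $email -AccessType Private
        }
    }
}
# Set-GroupPrivate -GroupEmail $ownerless.GroupEmail -WhatIf
```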
2. Use Sensitivity Labels
This is its own beast and I’ll likely post in greater detail about it in the future. But if you aren’t using these, a quick and easy way to get started would be to create sensitivity labels for ‘sites’ only.
The labels can then be deployed to everyone via a label policy and enforced so that any users creating a new SharePoint site or Team are prompted to select a label as a mandatory field. You can also set the most permissive sharing link allowed.
Going back to step 1, I mentioned that all users can create public sites or teams. If that’s something that you wish to prevent, then why not publish only labels that set the privacy to ‘Private’ to end users?
You can create a separate label policy that makes the ‘Public’ label available only to a specific group of users (such as an IT team that manages SharePoint).
Examples:
| Label Name | Privacy Type | Sharing Links | Who can see this label | Notes |
|---|---|---|---|---|
| Private Site | Private | New and Existing Guests | All Users | Default label. Private site; can share with new and existing guests. |
| Sensitive Site | Private | No external sharing | All Users | Private site, but prevents external sharing. |
| Public Site | Public | New and Existing Guests | SharePoint Team Only | Public site. We only want the SharePoint team to have the option to apply this label. |
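The three labels and two policies from the table, scripted with Security & Compliance PowerShell as an added example (not from the original post). The New-Label / New-LabelPolicy parameter names and the siteandgroupmandatory / siteandgroupdefaultlabelid advanced settings are as I know them from the module and should be checked against your module version; the SharePoint team group address is a constructed placeholder.

```powershell
# Added example: site-only sensitivity labels matching the table above
Connect-IPPSSession

# Private Site: default label, private, new and existing guests allowed
New-Label -Name "Private Site" -DisplayName "Private Site" -Tooltip "Private site; share with new and existing guests" `
    -ContentType "Site, UnifiedGroup" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $true `
    -SiteExternalSharingControlType ExternalUserAndGuestSharing

# Sensitive Site: private and no external sharing at all
New-Label -Name "Sensitive Site" -DisplayName "Sensitive Site" -Tooltip "Private site; no external sharing" `
    -ContentType "Site, UnifiedGroup" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteExternalSharingControlType Disabled

# Public Site: the only label that produces a Public group, published to the SharePoint team only
New-Label -Name "Public Site" -DisplayName "Public Site" -Tooltip "Public site; apply only when content is for the whole organization" `
    -ContentType "Site, UnifiedGroup" `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy Public `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $true `
    -SiteExternalSharingControlType ExternalUserAndGuestSharing

# Policy for everyone: only the two private labels, a label is mandatory at site/team
# creation, and Private Site is pre-selected (default label id is the label GUID)
$privateSiteId = (Get-Label -Identity "Private Site").Guid
New-LabelPolicy -Name "All users - site labels" -Labels "Private Site", "Sensitive Site" `
    -ExchangeLocation All `
    -AdvancedSettings @{ siteandgroupmandatory = "true"; siteandgroupdefaultlabelid = $privateSiteId }

# Separate policy so that only the SharePoint team can see and apply the Public label
New-LabelPolicy -Name "SharePoint team - public site label" -Labels "Public Site" `
    -ExchangeLocation "sharepoint-team@contoso.example"   # constructed placeholder group address
```

Because end users receive a policy that contains no Public label, every site or team they create is Private; only members of the SharePoint team policy are offered the Public option.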
3. Check your tenant’s SharePoint/OneDrive Sharing settings
It’s a very good idea to check what level of sharing you allow in your M365 tenant for SharePoint (including Teams) and OneDrive.
As a SharePoint administrator, go to the SharePoint Admin Center > Policies > Sharing
Using the slider, select the most permissive level of sharing link available. I’m not one to tell people, but ‘Anyone’ sharing links are a risk, because (as the name suggests) they can be accessed by anyone with the link, without any sign-in required.
So a document shared using this link type could potentially be posted or forwarded on, outside of your control (although links can be revoked and you can set a link expiration date).
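The same check and the tightening done from the SharePoint Online Management Shell, as an added example that is not part of the original post: it reports the tenant-wide sharing level for SharePoint and OneDrive, flags whether ‘Anyone’ links are allowed, lists sites whose own setting still allows them, and then shows the Set-SPOTenant call that requires sign-in. The admin URL is a constructed placeholder and Get-SharingPosture is a hypothetical helper name.

```powershell
# Added example: audit and tighten tenant sharing with the SharePoint Online Management Shell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # constructed placeholder

function Get-SharingPosture {
    $t = Get-SPOTenant
    [PSCustomObject]@{
        # ExternalUserAndGuestSharing is the 'Anyone' slider position; ExternalUserSharingOnly
        # is 'New and existing guests'; ExistingExternalUserSharingOnly; Disabled = 'Only people in your org'
        SharePointSharing    = $t.SharingCapability
        OneDriveSharing      = $t.OneDriveSharingCapability
        DefaultLinkType      = $t.DefaultSharingLinkType            # what the Share dialog pre-selects
        AnyoneLinkExpiryDays = $t.RequireAnonymousLinksExpireInDays # -1 means 'Anyone' links never expire
        AnyoneLinksAllowed   = ($t.SharingCapability -eq "ExternalUserAndGuestSharing") -or
                               ($t.OneDriveSharingCapability -eq "ExternalUserAndGuestSharing")
    }
}
Get-SharingPosture | Format-List

# Sites whose own sharing setting allows 'Anyone' links (only effective while the tenant
# allows them, but worth knowing before you ever relax the tenant-level slider)
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, Title, SharingCapability

# Tightening: require sign-in (no 'Anyone' links) for SharePoint and OneDrive, and make the
# default link type internal so users have to opt in to external sharing
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal

# If 'Anyone' links must stay enabled, at least force them to expire
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 30
```

Re-run Get-SharingPosture after the change; AnyoneLinksAllowed should now report False.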
Hopefully these quick wins will help you in your data governance journey.
Conclusion
These simple steps can significantly improve your data governance without the added cost of SharePoint Advanced Management.
By reviewing public sites, assigning ownership, using sensitivity labels, and managing sharing settings, you can protect your data while maintaining a balance between convenience and security.
Great insight! The first step I’d recommend is identifying teams that are no longer needed. Sites that meet any of these criteria are likely good candidates:
– No activity in the last 12 months
– No members or only one owner
– Owners who have left the organisation
– No attached files and no activity in the last 3 months
Rather than asking for permission to keep these sites, I would lead with: “This team will be archived for 6 months and then deleted in accordance with our information governance policy.”