Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
SharePoint | Data Access Governance Reports | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/data-access-governance-reports.md | Previously updated : 10/02/2024 Last updated : 11/14/2024 Title: "Data access governance reports for SharePoint sites" This feature requires either Microsoft 365 E5 or Microsoft SharePoint Premium - - Sharing links - Sensitivity labels applied to files - Shared with 'Everyone except external users'- :::image type="content" source="media/data-access-governance/dag-landing-page.png" alt-text="Screenshot that shows data access governance dashboard." lightbox="media/data-access-governance/dag-landing-page.png"::: + :::image type="content" source="media/data-access-governance/dag-landing-page.png" alt-text="Screenshot that shows data access governance dashboard." lightbox="media/data-access-governance/dag-landing-page.png"::: ++A new oversharing baseline report using permissions is now available via PowerShell only. ++The definition of oversharing can be different for different customers. Data access governance considers ΓÇÿnumber of usersΓÇÖ as one possible pivot to establish a baseline and then track key contributors to potential oversharing such as sharing links created and sharing to large groups such as Everyone Except External users in the last 28 days. ## Sharing links reports Sharing links reports lets you identify potential sources of oversharing by show |Name of report|Description| |||-|**"Anyone" links**| This report provides a list of sites in which the highest number of "Anyone" links were created. "Anyone" links allow anyone to access files and folders without signing in.| -|**"People in the organization" links**| This report provides a list of sites in which the highest number of "People in the organization" links were created. 
These links can be forwarded internally and allow anyone in the organization to access files and folders.| -|**"Specific people" links shared externally**| This report provides a list of sites in which the highest number of "Specific people" links were created for people outside the organization.| +|**'Anyone' links**| This report provides a list of sites in which the highest number of "Anyone" links were created. "Anyone" links allow anyone to access files and folders without signing in.| +|**'People in the organization' links**| This report provides a list of sites in which the highest number of 'People in the organization' links were created. These links can be forwarded internally and allow anyone in the organization to access files and folders.| +|**'Specific people' links shared externally**| This report provides a list of sites in which the highest number of 'Specific people' links were created for people outside the organization.| :::image type="content" source="media/sharing-links-screen.png" alt-text="Sharing links page"::: When a report is ready, select the name of the report to view the data. Each sha - The name of the primary administrator for each site. > [!NOTE]-> The reports don't include OneDrive data. +> Support for OneDrive data is now [available via PowerShell](powershell-for-data-access-governance.md). ### Download the reports You can also download the reporting as a .csv file for up to 10,000 sites. ## Sensitivity labels for files reports -The sensitivity labels for files report feature lets you control access to sensitive content by finding sites storing [Office files that have sensitivity labels applied](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files). You can review these sites to ensure the correct policies are applied. 
+The sensitivity labels for files reports feature lets you control access to sensitive content by finding sites storing [Office files that have sensitivity labels applied](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files). You can review these sites to ensure the correct policies are applied. ### Add the reports You can add a report for each sensitivity label you want to track. Adding a report runs it for the first time. > [!NOTE]-> You can add reports only for sensitivity labels with a scope that includes "File". +> You can add reports only for sensitivity labels with a scope that includes 'File'. :::image type="content" source="media/sensitivity-labels-screen.png" alt-text="Add sensitivity label reports panel"::: When creating a report, you can select various options like create focused repor :::image type="content" source="media/data-access-governance/eeeu-addreport.png" alt-text="Screenshot that shows create an everyone except external users report"::: - Report name: Provide a unique name for the report.-- Template: Lists categories of SharePoint site templates (Classic sites, Communication sites, Team sites, others). You can choose multiple values or 'All sites'.-- Privacy: Applicable for Team sites in the scope. You can select 'Private', 'Public' or 'All'.+- Template: Lists categories of SharePoint site templates (Classic sites, Communication sites, Team sites, others). You can choose multiple values or **All sites**. +- Privacy: Applicable for Team sites in the scope. You can select **Private**, **Public** or **All**. - Site sensitivity: Lists all sensitivity labels. Select one or many labels if you want to report to run within the scope of labeled sites. For for example: 'Identify files within sites labeled as 'Confidential', that were shared with EEEU in the last 28 days. - Report type: To select the scenario as discussed earlier, whether you want a report for recent 'public sites' or for recent 'public items'. 
After running the report, select the report to download the data. In the report: - Reports work if you have nonpseudonymized report data selected for your organization. To change this setting, you must be a Global Administrator. Go to the [Reports setting in the Microsoft 365 admin center](https://admin.microsoft.com/#/Settings/Services/:/Settings/L1/Reports) and clear **Display concealed user, group, and site names in all reports**. - Report data can be delayed for up to 48 hours. In new tenants, it can take a few days for data to be generated successfully and available for viewing. +## Setting up oversharing baseline with Permissions based report ++It's vital for SharePoint admin to understand the permissions setup in their tenant, particularly in the wake of Copilot adoption, as it respects user and content permissions. Copilot's data exposure risk increases with the number of users having access. Hence, SharePoint admins need to evaluate sensitive data 'exposure' by checking permissions to items or sites. Data access governance (DAG) can help establish oversharing thresholds by identifying sites with ΓÇÿtoo manyΓÇÖ permissioned users. ++### Creating the oversharing baseline report ++> [!IMPORTANT] +> Currently, SharePoint admins can generate the report via PowerShell only. The 1st report for the tenant will take up to 5 days. Subsequent reports will be completed in few hours. ++### Run the oversharing baseline report ++See [PowerShell for Data access governance](powershell-for-data-access-governance.md#oversharing-baseline-report-using-permissions) for more information on running the command to generate the oversharing baseline report. ++### View and download the oversharing baseline report ++See [PowerShell for Data access governance](powershell-for-data-access-governance.md#view-and-download-reports-using-powershell) for more information on running the command to view and download the oversharing baseline report. 
++> [!NOTE] +> The report includes both SharePoint and OneDrive data. ++### Understanding the oversharing baseline report ++The output for the report has the following data: ++|Column |Description | +||| +|TenantID | GUID identifying the tenant | +|Site ID | GUID identifying the tenant | +|Site Name | Name of the site | +|Site URL | URL of the site | +|Site Template | Specifies the type of site. Has values such as Communication site, Team site, Team site (no Microsoft 365 group), Other sites | +|Primary admin | Site administrator marked as Primary in Active sites page | +|Primary admin email | Email of primary site administrator | +|ExternalSharing | Specifies whether content can be shared with external guests. Yes or No. | +|Site Privacy | Applicable in Microsoft 365 connected team sites. Specifies the privacy setting of the group. Has values Public or Private | +|Site Sensitivity | Specifies the sensitivity label applied to the site | +|Number of users having access | Unique number of users having access to site content at any level/scope. Min value is 100.| +|People In Your Org link count | Number of existing PeopleInYourOrg links across all the files in the site | +|Anyone link count | Number of existing Anyone links across all the files in the site | +|Report Date | Time of generation of report. It might take up to 48 hours to reflect any changes in the report | ++#### Number of users having access ++This number represents all unique users who have permission to access the site and its content. ++Access to the site and its content can be given at any scope. ++- SharePoint groups have access to the entire content within the site as owner, members, or visitors. You can have individuals OR Microsoft Entra groups within SharePoint groups. +- Access can be limited to a few items/files via unique permissions/broken inheritance. The target recipients could be individual users AND SharePoint groups/Entra groups. 
These are important to know and manage for oversharing since they are outside the site membership scope. ++This number is calculated by expanding all groups and individuals across all scopes, removing duplicates and by counting the number of unique users. +In other words, this represents the extent of current ΓÇÿdata exposure.ΓÇÖ If you're adding users directly OR adding Microsoft Entra groups across any scope, then this number increases corresponding to the Microsoft Entra group size and/or number of individuals added. +However, creating sharing links and sharing the site with ΓÇÿEveryone except external usersΓÇÖ doesn't automatically increase this number since no permissions are directly assigned. These increase the probability that the site/site content is now publicly visible, and more users can access. The number increases only when the users access the content. Hence you can view the number of sharing links or EEEU permission as ΓÇÿpotential exposureΓÇÖ ++This report thereby lists all sites with 'too-many-users' accessing the content and hence more prone for Copilot exposure. + ## Remedial actions from Data access governance reports > [!IMPORTANT] Once you run the Data access governance reports to discover potential oversharin If immediate action needs to be taken, you can configure [Restricted access control (RAC)](./restricted-access-control.md) and restrict access to a specified group (currently in preview). You can also use the ['Change history' report](./change-history-report.md) to identify recent changes to site properties that could lead to oversharing. 
You can also request the site owner review the permissions before taking necessary actions via [the Site access review feature](site-access-review.md) that is available within the Data access governance reports.++## Auto-run Data access governance reports ++As a SharePoint admin, with this 'Auto-run' feature, you can now schedule Data access governance reports to automatically run periodically instead having to remember to manually run every time. Several salient points are mentioned as follows: ++1. Auto-run is currently available only from UI. Hence this supports reports present in the DAG landing page only. +1. Auto-run runs ALL available reports in a module at the same time. For example: You can schedule to run ALL sharing link reports at once. You can't schedule a single report with a different frequency. Similar is the case with all Everyone except external user reports and all sensitivity label reports. +1. You can still go ahead and manually run a report anytime. But the limitations with respect to time between multiple runs is still valid. For example: You can run any sharing link report only once a day. If Auto-run triggers the report at least once, you can't run it again manually within the 24 hour time period and vice-versa. +1. Reports are run every 28 days from the day of enablement. There's no configuration yet. +1. Reports are automatically run for the period of six months from the day of enablement. If you want the reports to continue running automatically, you need to re-enable after six months. +1. Once a report is run automatically, all SharePoint admins are notified via an email with the final status. |
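Review bot: In the added "Understanding the oversharing baseline report" table, the `Site ID` row repeats the `TenantID` description ("GUID identifying the tenant"); it should read "GUID identifying the site". The same table states "Min value is 100" for "Number of users having access", while the sample output added in powershell-for-data-access-governance.md shows a completed report with `CountOfUsersMoreThan : 1`, so either the stated minimum or that sample needs correcting. Smaller points: the "Creating the oversharing baseline report" heading holds only the IMPORTANT note and could be merged into "Run the oversharing baseline report", "will be completed in few hours" needs "a few", and the sentence ending in 'potential exposure' is missing its full stop.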
SharePoint | Powershell For Data Access Governance | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/powershell-for-data-access-governance.md | + Last updated : 11/14/2024 + Title: "Manage Data access governance reports using SharePoint Online PowerShell" +++++recommendations: true +audience: Admin +f1.keywords: NOCSH +++ms.localizationpriority: medium ++- Strat_SP_admin +- Highpri +- Tier2 +- M365-sam +- M365-collaboration ++- seo-marvel-apr2020 +- admindeeplinkSPO +search.appverid: MET150 +description: "Learn about how to use SharePoint Online PowerShell module to manage Data access governance reports" +++# Manage Data access governance reports using SharePoint Online PowerShell +++While [Data access governance](data-access-governance-reports.md) is available in SharePoint admin center portal, large organizations usually look for PowerShell support in order to manage scale via scripting and automation. This document discusses all appropriate PowerShell commands available via SharePoint Online PowerShell module to manage reports from Data access governance. ++> [!IMPORTANT] +> PowerShell support for Data access governance is available from module "Microsoft.Online.SharePoint.PowerShell" and version "16.0.25409" onwards. ++> [!IMPORTANT] +> Run the ΓÇÿConnect-SPOServiceΓÇÖ command WITHOUT the **Credential** parameter. We do NOT support login using the **Credential** parameter inline with the latest security practices. ++## Creating reports using PowerShell ++Use the **Start-SPODataAccessGovernanceInsight** command to generate [all reports](data-access-governance-reports.md#access-the-reports-in-the-sharepoint-admin-center) with appropriate filters and parameters ++### Oversharing baseline report using permissions ++The definition of 'oversharing' can be different for different customers. 
Data access governance considers 'number of users' as one possible pivot to establish a baseline and then track key contributors of potential 'oversharing' such as sharing links created and sharing to large groups such as 'Everyone Except External users' in the last 28 days. You can define your threshold of 'number of users' and generate a report of sites that many users access, at the time of report generation. This report is considered a 'snapshot' report. ++```powershell +Start-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers -ReportType Snapshot -Workload SharePoint -CountOfUsersMoreThan 100 -Name "ReportForTestingLatestFixes" +``` ++This command generates a list of all sites where more than 100 users can access any content within the site. More information about the list of sites and how to interpret the results is provided [here](data-access-governance-reports.md#understanding-the-oversharing-baseline-report). ++> [!NOTE] +> Currently the report consists of both SharePoint sites and OneDrive accounts and can generate up to 1M sites and/or accounts. ++### Sharing link reports ++These reports are useful in identifying sites which are active in collaboration and hence needs quicker intervention to mitigate any potential oversharing risk. These 'RecentActivity' based reports identify sites which are generating the most number of sharing links in the last 28 days. ++#### Anyone sharing links created in last 28 days ++```powershell +Start-SPODataAccessGovernanceInsight -ReportEntity SharingLinks_Anyone -Workload SharePoint -ReportType RecentActivity +``` ++Provide the workload value as 'OneDriveForBusiness' to get all OneDrive accounts with the same criteria. 
++#### PeopleInYourOrg sharing links created in last 28 days ++```powershell +Start-SPODataAccessGovernanceInsight -ReportEntity SharingLinks_PeopleInYourOrg -Workload SharePoint -ReportType RecentActivity +``` ++Provide the workload value as 'OneDriveForBusiness' to get all OneDrive accounts with the same criteria. ++#### Specific people (guests) sharing links created in last 28 days ++```powershell +Start-SPODataAccessGovernanceInsight -ReportEntity SharingLinks_Guests -Workload SharePoint -ReportType RecentActivity +``` ++Provide the workload value as 'OneDriveForBusiness' to get all OneDrive accounts with the same criteria. ++### Content shared with Everyone except external users in last 28 days ++While Sharing links are one possible contributor for potential oversharing, another key contributor is 'Everyone except external users' (EEEU) which makes content 'public' that is, visible to entire organization and makes it easy for others to discover content and get access. These reports identify sites which actively used EEEU at various scopes in last 28 days. ++#### Sites shared with Everyone except external users in last 28 days ++When EEEU is added to a site membership (owners, members, or visitors), the entire content of the site becomes public and more prone to oversharing. The following PowerShell command triggers the report to capture such sites in the last 28 days: ++```powershell +Start-SPODataAccessGovernanceInsight -ReportEntity EveryoneExceptExternalUsersAtSite -Workload SharePoint -ReportType RecentActivity -Name "PublicSiteViaEEEU" +``` ++> [!NOTE] +> Currently report for OneDriveForBusiness with EEEU at the site level is not supported. 
++#### Items shared with Everyone except external users in last 28 days ++The following PowerShell command triggers the report to capture sites where specific items (files/folders/lists) were shared with EEEU in the last 28 days: ++```powershell +Start-SPODataAccessGovernanceInsight -ReportEntity EveryoneExceptExternalUsersAtSite -Workload SharePoint -ReportType RecentActivity -Name "PublicSiteViaEEEU" +``` ++Provide the workload value as 'OneDriveForBusiness' to get all OneDrive accounts with the same criteria. ++### Sensitivity label in files report ++This PowerShell command triggers the report to list sites where specific items were labeled with a given 'label', as of report generation date. ++First, retrieve the label name or label GUID using "Security and compliance" PowerShell module. ++```powershell +Get-Label | Format-Table -Property DisplayName, Name, GUID, ContentType +``` ++Then, use the Name AND GUID to retrieve sites with files labeled with the given label name or GUID. ++```powershell +Start-SPODataAccessGovernanceInsight -ReportEntity SensitivityLabelForFiles -Workload SharePoint -ReportType Snapshot -FileSensitivityLabelGUID "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1" -FileSensitivityLabelName Secret +``` ++> [!NOTE] +> Currently, the report for 'OneDriveForBusiness' accounts with labelled files is not supported. ++## Tracking reports using PowerShell ++> [!IMPORTANT] +> All report creations will result in a GUID as output which could be used to track the report status ++```powershell +Start-SPODataAccessGovernanceInsight -ReportEntity SensitivityLabelForFiles -Workload SharePoint -ReportType Snapshot -FileSensitivityLabelGUID "a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1" -FileSensitivityLabelName Secret +``` ++```output +ReportId Status +-- +a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 NotStarted +``` ++Use the **Get-SPODataAccessGovernanceInsight** command to retrieve the current status of a specific Data access governance report using the report ID. 
++```powershell +Get-SPODataAccessGovernanceInsight -ReportID a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 +``` ++```output +ReportId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 +ReportEntity : SharingLinks_Anyone +Status : InQueue +Workload : SharePoint +TriggeredDateTime : 11/13/2024 19:32:34 +CreatedDateTime : 11/13/2024 20:09:23 +ReportStartTime : 10/17/2024 19:32:33 +ReportEndTime : 11/13/2024 19:32:33 +ReportType : RecentActivity +SitesFound : 120 +``` ++The ReportStartTime and ReportEndTime indicate the period of data to generate the report. The status is marked as 'Completed' when the report generation is complete. ++You can also view the current status of DAG reports by using the filter **ReportEntity** instead of ID. The reportID is listed in the output and is required later to download a specific report. ++```powershell +Get-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers +``` ++```output +ReportId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 +ReportName : PermissionReportFor1AsOfSept +ReportEntity : PermissionedUsers +Status : Completed +Workload : SharePoint +TriggeredDateTime : 09/18/2024 11:06:16 +CreatedDateTime : 09/22/2024 12:12:48 +ReportType : Snapshot +CountOfUsersMoreThan : 1 +CountOfSitesInReport : 7 +CountOfSitesInTenant : 22 +Privacy : All +Sensitivity : {All} +Templates : {All} ++ReportId : b1b1b1b1-cccc-dddd-eeee-f2f2f2f2f2f2 +ReportName : PermissionReportFor1AsOfOct +ReportEntity : PermissionedUsers +Status : Completed +Workload : SharePoint +TriggeredDateTime : 10/09/2024 14:15:40 +CreatedDateTime : 10/09/2024 15:18:23 +ReportType : Snapshot +CountOfUsersMoreThan : 100 +CountOfSitesInReport : 0 +CountOfSitesInTenant : 26 +Privacy : All +Sensitivity : {All} +Templates : {All} +``` ++## View and download reports using PowerShell ++To download a specific report, you need the reportID. 
Retrieve the reportID using the **Get-SPODataAccessGovernanceInsight** command and use the **Export-SPODataAccessGovernanceInsight** command to download the report to a specified path. ++```powershell +Export-SPODataAccessGovernanceInsight -ReportID a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 -DownloadPath "C:\Users\TestUser\Documents\DAGReports" +``` ++This downloads a CSV file to the specified path. Details of the CSV/view for each report are discussed [here](data-access-governance-reports.md#access-the-reports-in-the-sharepoint-admin-center). ++> [!NOTE] +> The default download path is the 'Downloads' folder. ++## Remedial actions using PowerShell ++Once Data access governance reports are generated, SharePoint admins can perform remedial actions as described [here](data-access-governance-reports.md#remedial-actions-from-data-access-governance-reports). The following section describes PowerShell commands to trigger and track 'site access review' as a remedial action. ++### Initiate Site access review using PowerShell ++Use **Start-SPOSiteReview** command to initiate a site access review for a specific site, listed under a Data access governance report. The Data access governance report provides the context under which the review should be initiated. Retrieve the reportID, site ID from the CSV file and provide comments to give clarity to the site owner regarding the purpose of the review. ++```powershell +Start-SPOSiteReview -ReportID a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 -SiteID c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3 -Comment "Check for org wide access" +``` ++```output +ReviewId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 +SiteId : c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3 +ReviewInitiatedDateTime : 13-11-2024 20:55:41 +ReportEntity : PermissionedUsers +Status : Pending +AdminComment : Check for org wide access +SiteName : All Company +``` ++This triggers emails to site owner as described [here](site-access-review.md#initiate-a-site-access-review). 
++### Track Site access reviews using PowerShell ++Use **Start-SPOSiteReview** command to track the status of site access reviews. For specific reviews, you can use the `ReviewID` value as shown in the output. To retrieve all review related to a reporting module, use the `ReportEntity` parameter. ++```powershell +Get-SPOSiteReview -ReportEntity PermissionedUsers +``` ++```output +ReviewId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 +SiteId : c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3 +ReviewInitiatedDateTime : 13-11-2024 20:55:41 +ReviewCompletedDateTime : +ReportCreatedDateTime : 13-11-2024 23:25:41 +ReportEndDateTime : 13-11-2024 23:25:41 +ReportEntity : PermissionedUsers +Status : Pending +AdminComment : Check for org wide access +SiteName : All Company +ReviewerEmail : +ReviewerComment : ++ReviewId : a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1 +SiteId : c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3 +ReviewInitiatedDateTime : 24-10-2024 11:07:39 +ReviewCompletedDateTime : 15-11-2024 11:07:39 +ReportCreatedDateTime : 15-10-2024 09:24:47 +ReportEndDateTime : 15-10-2024 11:39:52 +ReportEntity : PermissionedUsers +Status : Completed +AdminComment : Check for org wide access +SiteName : All Company +ReviewerEmail : Jon@contosofinance.com +ReviewerComment : Removed EEEU for sensitive documents +``` |
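Review bot: Under "Items shared with Everyone except external users in last 28 days", the command is a verbatim copy of the site-level one above it (`-ReportEntity EveryoneExceptExternalUsersAtSite ... -Name "PublicSiteViaEEEU"`), so as written both sections trigger the same report; the item-level section needs its own report entity and report name. Under "Track Site access reviews using PowerShell", the prose names **Start-SPOSiteReview** while the example runs `Get-SPOSiteReview`; the prose should name the Get command. The sample outputs also need a consistency pass: the report started as `SensitivityLabelForFiles` is returned by `Get-SPODataAccessGovernanceInsight` as `SharingLinks_Anyone` under the same ReportId, the two reviews listed by `Get-SPOSiteReview` share one ReviewId, and the same placeholder GUID is used as label GUID, report ID and review ID, which makes the create, track and download flow hard to follow. In the sensitivity label section, "use the Name AND GUID" conflicts with "the given label name or GUID" in the same sentence; state whether both parameters are required.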
SharePoint | Site Access Review | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/site-access-review.md | Previously updated : 10/02/2024 Last updated : 11/14/2024 Title: "Initiate site access reviews for data access governance reports"-+ To use the site access review feature, you must fulfill the following prerequisi - Have a [Microsoft SharePoint Premium - SharePoint Advanced Management](advanced-management.md) subscription - Run a non-government cloud tenant environment. Site access review isn't supported in government cloud environments such as GCCH/GCC-Moderate/DoD/Gallatin - Have admin credentials to access the SharePoint admin center to initiate an access review-- Have site owners respond to the review requests, take necessary actions and complete the review+- Have site owners respond to the review requests, take necessary actions, and complete the review ## How site access review works To use the site access review feature, you must fulfill the following prerequisi - When you initiate a review, the system generates a context-specific email for the site owner. - For example, if you initiate a site access review for a report from the "Content shared with 'Everyone except external users'" category, the review email exclusively addresses sharing issues regarding that particular report. -> [!IMPORTANT] -> Currently, site access review is available only for "Content shared with 'Everyone except external users'" reports. +## Support matrix ++Currently, site access review is available for ++- All Sharing link reports (Anyone, PeopleInYourOrg, Specific people shared externally) +- "Content shared with 'Everyone except external users'" reports. +- Oversharing baseline report using permissions ## Initiate a site access review To use the site access review feature, you must fulfill the following prerequisi 1. Select **Send** to initiate the review request. 
+For reports available only via PowerShell such as Oversharing baseline report using permissions, site access review can also be initiated using [PowerShell commands](powershell-for-data-access-governance.md#initiate-site-access-review-using-powershell). + ### Track initiated site access reviews To see a list of all initiated site access reviews, select the **My review requests** tab from the data access governance landing page. To see a list of all initiated site access reviews, select the **My review reque When you initiate a site access review, it remains in a pending state until the site owner completes the review. Once the site owner completes the review, the status and comments are updated with the name of the reviewer and time and date of completion. A review can be marked as failed if site access review couldn't determine a valid email ID for the site owner to deliver the site access review. +For reports available only via PowerShell such as Oversharing baseline report using permissions, site access review can also be tracked using this [PowerShell command](powershell-for-data-access-governance.md#track-site-access-reviews-using-powershell). + ### Site access review process (for site owners) When you initiate a review, site owners receive an email for each site that requires attention. The email includes: Site owners can review and manage access in two main areas: :::image type="content" source="./media/data-access-governance/site-owner-view-foreeeu-files.png" alt-text="Screenshot that shows view for site owner regarding items shared with eeeu" lightbox="./media/data-access-governance/site-owner-view-foreeeu-files.png"::: +#### Review 'Sharing link reports' site access review requests (for site owners) ++Once the site owner selects the email, they're redirected to the site access review detailed report generated for the site. 
++The site owner gets a view of files for whom links were generated along with the exact time of generation and who generated the links. The 'Manage access' button can be used to navigate to the link section and remove it/modify the permissions. ++#### Review 'Oversharing baseline using permission reports' site access review requests (for site owners) ++Once the site owner selects the email, they're redirected to the site access review detailed report generated for the site. ++The SharePoint admin views the unique number of permissioned users for this site in the DAG report and that number is also visible to site owner in the site access review email. This list shows how those users are distributed across the site content in terms of permissions and scopes. ++All items created in the site, by default, inherit permissions of the site and thus the 'site' acts like a parent. However, if the inherited permissions are broken due to sharing of an item by creating links, providing direct access to individuals or groups, removing users/groups etc., a unique scope is created for that item. Now this item acts as a new 'parent' and its children inherit its permissions. The site access review page is a list of such uniquely permissioned 'parents' with the appropriate scope and name. It's NOT the list of ALL items/files/folders in the site. The item with the highest number of permissioned users is shown first. Up to 100 items are shown in descending order so that site owner can focus on items with highest 'exposure' first. ++##### Understanding the site access review report for permission based reports ++**Number of permissioned users:** This column represents the number of users permissioned to that scope (Site/List/Folder/File) and hence illustrates the current 'exposure' for that item, as compared to other items. However, this number is NOT a unique number of users. In case the same user has both direct and indirect permissions to this item, the user is double counted. 
++For example, a folder 'F' was shared to a group ΓÇ£AΓÇ¥ consisting of 40 members and is directly shared with 10 individuals and 20 more individuals arrived using sharing links. The number of permissioned users is the sum of all users - 80 (40+10+20). No deduplication is done to see if the same user exists in groups or came via sharing links as well. ++Also, the sum of permissioned users across all scopes might not equal the number of users in the email and/or Data access governance report and could be greater. This scenario can happen when a user has permissions across multiple items. At the site-level, such a user is counted once. However, at an item-level, that user is counted individually. ++**Number of groups:** As the name suggests, this shows the number of groups having permissions to this scope/item. Usually, the exposure is caused by groups containing many users. Reducing exposure removes the permissions of groups and can edit their memberships. Select **Group number** to view the membership count of each group and identify which groups to target. ++The other columns show the number of ALL existing links (Anyone, PeopleInOrg) and the presence of EEEU/Everyone. If the number of links are high, or the EEEU/Everyone column says yes, the site owner can immediately target the relevant item/scope for reducing permissions. ++**Manage Access:** The 'Manage access' button allows the site owner to remove individual users, groups, delete links, or modify permissions accordingly. For a 'SharePoint site' scope, the button directs the site owner to SharePoint group management page, whereas for individual items, it uses the existing 'Manage access' experience. +With this report, a site owner gets an overview of 'exposure' of parent items in their sites, can gauge the contribution of exposure and act via 'manage access' without having to manually iterate through every permission of every item in the site. 
+ #### Complete site access review requests (for site owners) Once the site owner takes the necessary actions like modifying or removing permissions, the site owner should: |
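Review bot: In the worked example under "Number of permissioned users", the total does not match its own terms: a group of 40 members plus 10 individuals plus 20 link users is 70, but the text says "80 (40+10+20)". Correct either the sum or one of the counts, since this example is what site owners will use to interpret the column. In the "Number of groups" paragraph, "Reducing exposure removes the permissions of groups and can edit their memberships" does not parse (presumably the site owner reduces exposure by removing group permissions or editing memberships), and "Select **Group number**" should use the column's actual name. In the new "Support matrix" list, only the second bullet ends with a period and "available for" lacks a colon; in the sharing link section, "files for whom links were generated" should be "for which".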