Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
SharePoint | App Insights | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/app-insights.md | + Last updated : 11/18/2024 + Title: "Generate App insights reports" +++++audience: Admin +f1.keywords: +- NOCSH +++ms.localizationpriority: medium ++- Highpri +- Tier2 +- M365-sam +- M365-collaboration +- SAM-FY25 +search.appverid: +recommendations: false +description: "Learn how to generate App insights reports to view how non-Microsoft applications registered on your Microsoft Entra admin center access your SharePoint content." +++# Generate App insights reports +++App insights is a [SharePoint Advanced Management](advanced-management.md) feature that lets [IT administrators](/microsoft-365/admin/add-users/about-admin-roles) gain insights on the various non-Microsoft applications registered to your Microsoft Entra admin center and how they access your SharePoint content. This report can help you maintain and protect the integrity of your content. ++The report is based on the Microsoft audit data logged when a non-Microsoft application accesses content through the following set of events: ++- FileAccessed +- FileDownloaded +- FileModified +- FileUploaded ++## Prerequisites ++This feature requires Microsoft SharePoint Premium - SharePoint Advanced Management license. ++## App insights reports in SharePoint admin center ++### Create report ++1. Sign in to SharePoint admin center with your SharePoint admin credentials. +2. In the left pane, expand **Reports** and then select **App insights**. +3. Once on the **App insights** landing page, select **Add a report** to generate a new report. :::image type="content" alt-text="Screenshot of the create reports page for app insights dashboard in SharePoint admin center." 
source="media/app-insights/1-enterprise-app-insights-landing-page.png" lightbox="media/app-insights/1-enterprise-app-insights-landing-page.png"::: ++ Under **Report range**, you can specify and filter data from a respective time frame for your report. :::image type="content" alt-text="Screenshot of the report range for app insights in SharePoint admin center." source="media/app-insights/2-enterprise-app-insights-create-new-report.png" lightbox="media/app-insights/2-enterprise-app-insights-create-new-report.png"::: ++4. Select **Add and run**. + +> [!NOTE] +> +> - It can take up to several hours for generated reports to be available. +> - Only one report is allowed per report range. +> - Reports can be rerun after 24 hours. ++### Manage reports in SharePoint admin center ++#### View report status ++To check if a report is ready or when it was last updated, see the **Status** column. When a report is ready, select it to view the data. +++You're able to see the top 100 (by request volume) results on the screen. ++You can also filter by App name, App permissions, and Site sensitivity to view relevant results form the top 100 rows. +++> [!IMPORTANT] +> To view up to 1 million results, you must select **Download detailed report**. ++#### Delete report ++To delete a report, select the existing report you want to delete and select **Delete report**. ++#### Rerun a report ++To get updated data for a given report range, select an existing report and select **Run**. ++> [!TIP] +> A rerun prompt also appears if you select **Add a report** and select a report range for which there already exists a report. ++## App insights reports in SharePoint PowerShell Module ++You can generate and manage App insights reports using SharePoint Online Management Shell. ++1. [Download](https://go.microsoft.com/fwlink/p/?LinkId=255251) and install the latest version of SharePoint Online Management Shell. +2. 
Connect to SharePoint Online as a [SharePoint Administrator](sharepoint-admin-role.md) in Microsoft 365. For more information about SharePoint Online Management Shell, see [Getting started with SharePoint Online Management Shell](/powershell/sharepoint/sharepoint-online/connect-sharepoint-online). +3. Ensure you have the SharePoint Premium - SharePoint Advanced Management license. ++### PowerShell commands for App insights reports ++To perform the necessary operations, use the following commands: ++#### Create a one-day default duration report ++To generate report for the default duration of one day, run the following command: ++```powershell +Start-SPOEnterpriseAppInsightsReport +``` ++#### Create report for any other duration ++To generate report for any other duration, run the following command: ++```powershell +Start-SPOEnterpriseAppInsightsReport -ReportPeriodInDays $ReportPeriodInDays (possible values = 1, 7, 14, 28) +``` ++#### Check status of all active and available reports ++To check status of all active and available reports, run the following command: ++```powershell +Get-SPOEnterpriseAppInsightsReport +``` ++#### Check status of a specific report ++To check status of a specific report, run the following command: ++```powershell +Get-SPOEnterpriseAppInsightsReport -reportID $reportID (for the given report ID) +``` ++#### View a specific report ++To view a specific report, run the following command: ++```powershell +Get-SPOEnterpriseAppInsightsReport -reportID $reportID +``` ++#### Download a report ++To download the report, run the following command: ++```powershell +Get-SPOEnterpriseAppInsightsReport -reportID $reportID -action download +``` ++> [!IMPORTANT] +> Rerun and delete report capabilities are unavailable for PowerShell. The [Create report cmdlets](#create-a-one-day-default-duration-report) can be used with relevant report duration. 
++## Known experiences ++- In new tenants, it can take a few days for data to be available and for these reports to be generated successfully. In large tenants, the data can be delayed by up to 48 hours (about two days). +- A report can be rerun only after 24 hours since the last report generation. +- There can only be one report for each value of **Report range**. This means that you can see a maximum of four reports in the **Enterprise Application Insights** homepage. +- These reports are powered by Audit data and don't include all audit events. +- You might see App ID of a non-Microsoft app, but App name of a middle-tier app in some cases. |
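Review bot: In the PowerShell section, two fenced commands carry explanatory text inside the fence: "-ReportPeriodInDays $ReportPeriodInDays (possible values = 1, 7, 14, 28)" and "-reportID $reportID (for the given report ID)". Copied as written, the parenthetical is parsed as part of the command, so move the allowed values and the report ID explanation into the sentence above each block. "Check status of a specific report" and "View a specific report" show the same command; merge them or say how the output differs. "relevant results form the top 100 rows" should read "from", and "Known experiences" refers to the **Enterprise Application Insights** homepage while the rest of the article calls the page **App insights**.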
SharePoint | Create Sharepoint Site Ownership Policy | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/create-sharepoint-site-ownership-policy.md | If a site is identified as not meeting the ownership criteria for three consecut - If option is chosen and no one can be notified during the three months, the site continues to have its access set to read-only. +## Read-only mode ++A site ownership policy configured with the read-only enforcement action sends additional notifications to inform recipients when there's no response. ++A notification is sent when the site goes into read-only mode. ++Once the site is in read-only mode, a banner is added to the site for users to identify this has happened. ++To remove a site from read-only mode in the **SharePoint admin center**, go to the **Active sites** page, select the site, and then select **Unlock** from the site page panel. ++Site owners can't remove a site from read-only mode and must contact the tenant admin to remove read-only mode. + ## Related topics - [SharePoint Advanced Management overview](advanced-management.md) |
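Review bot: The new "Read-only mode" section tells site owners to "contact the tenant admin", while the unlock step is performed in the SharePoint admin center; name the role that can select **Unlock** so the two sentences agree. The first sentence ("sends additional notifications to inform recipients when there's no response") does not say who the recipients are or what triggers each notification, and the section never states what users can and can't do on a site while it is read-only.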
SharePoint | Data Access Governance Reports | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/data-access-governance-reports.md | Previously updated : 11/14/2024 Last updated : 11/18/2024 Title: "Data access governance reports for SharePoint sites" +search.appverid: description: "In this article, you learn about reports that can help you govern access to data in SharePoint." This feature requires either Microsoft 365 E5 or Microsoft SharePoint Premium - ## Access the reports in the SharePoint admin center -1. As an [administrator](sharepoint-admin-role.md), sign in to the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219) for your organization. -2. In the left pane, select **Reports** and then select **Data access governance**. +1. Sign in to the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219) with the [SharePoint administrator](sharepoint-admin-role.md) credentials for your organization. +2. In the left pane, expand **Reports** and then select **Data access governance**. The following reports are currently available from the Data access governance landing page: Sharing links reports lets you identify potential sources of oversharing by show To get the latest data for each report, manually run the Data access governance report. You can run all reports or select individual reports to run. It can take a few hours for reports to fully generate. To check if a report is ready or to see when it was last updated, see the **Status** column. > [!NOTE]-> Each report can be run only once in 24 hours. +> A report can only be run once per month. ### View the reports When a report is ready, select the name of the report to view the data. Each sha ### Download the reports -You can also download the reporting as a .csv file for up to 10,000 sites. +You can also download the reporting as a CSV file for up to 10,000 sites. 
> [!IMPORTANT] > You can download reporting for up to 1 million sites if you have a SharePoint SharePoint Premium - SharePoint Advanced Management license and your tenant is a non-government cloud environment. It's vital for SharePoint admin to understand the permissions setup in their ten ### Creating the oversharing baseline report > [!IMPORTANT]-> Currently, SharePoint admins can generate the report via PowerShell only. The 1st report for the tenant will take up to 5 days. Subsequent reports will be completed in few hours. +> Currently, SharePoint admins can generate the report via PowerShell only. The first report for the tenant can take up to 5 days. ### Run the oversharing baseline report Once you run the Data access governance reports to discover potential oversharin If immediate action needs to be taken, you can configure [Restricted access control (RAC)](./restricted-access-control.md) and restrict access to a specified group (currently in preview). You can also use the ['Change history' report](./change-history-report.md) to identify recent changes to site properties that could lead to oversharing. You can also request the site owner review the permissions before taking necessary actions via [the Site access review feature](site-access-review.md) that is available within the Data access governance reports.--## Auto-run Data access governance reports --As a SharePoint admin, with this 'Auto-run' feature, you can now schedule Data access governance reports to automatically run periodically instead having to remember to manually run every time. Several salient points are mentioned as follows: --1. Auto-run is currently available only from UI. Hence this supports reports present in the DAG landing page only. -1. Auto-run runs ALL available reports in a module at the same time. For example: You can schedule to run ALL sharing link reports at once. You can't schedule a single report with a different frequency. 
Similar is the case with all Everyone except external user reports and all sensitivity label reports. -1. You can still go ahead and manually run a report anytime. But the limitations with respect to time between multiple runs is still valid. For example: You can run any sharing link report only once a day. If Auto-run triggers the report at least once, you can't run it again manually within the 24 hour time period and vice-versa. -1. Reports are run every 28 days from the day of enablement. There's no configuration yet. -1. Reports are automatically run for the period of six months from the day of enablement. If you want the reports to continue running automatically, you need to re-enable after six months. -1. Once a report is run automatically, all SharePoint admins are notified via an email with the final status. |
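Review bot: The note under the manual-run paragraph changes from "Each report can be run only once in 24 hours" to "A report can only be run once per month", yet the paragraph above it still tells admins to run reports manually "to get the latest data"; confirm the monthly limit and state it next to that instruction. The removed "Auto-run" section was the only place that described the 28-day schedule, the six-month expiry and the admin email, so if the feature still exists that information is lost. The oversharing baseline note drops the expected duration of subsequent runs and keeps only the first-run figure. The unchanged line "SharePoint SharePoint Premium" has a duplicated word worth fixing while this file is open.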
SharePoint | Manage Access Agents In Sharepoint | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/manage-access-agents-in-sharepoint.md | + Last updated : 11/19/2024 + Title: Manage access to agents in SharePoint +++++recommendations: true +audience: Admin +f1.keywords: +- NOCSH ++++- M365-collaboration +- m365copilot +- magic-ai-copilot +- Tier2 ++ms.localizationpriority: medium +search.appverid: +- MET150 +description: "Learn how to manage access to agents in SharePoint with built-in SharePoint permissions models, SharePoint Advanced Management features such as restricted access control, and restricted content discovery." ++# Manage access to agents in SharePoint ++Agents in SharePoint, powered by AI, help employees quickly find information and insights on SharePoint sites, pages, and document libraries. Agents in SharePoint access your organization's data the same way [Copilot in other Microsoft 365 apps](/sharepoint/sharepoint-copilot-best-practices#copilot-and-sharepoint) does, responding to users based on their access permissions to the data. As a SharePoint admin, you can manage employees' access to an agent in multiple ways by managing: +- Who can access the agents +- What information the user can access through the agent +- Whether agents are available in a specific SharePoint site ++## Manage who can access the agents ++Currently, users with a [Microsoft 365 Copilot license](/copilot/microsoft-365/microsoft-365-copilot-licensing) can use the agents. You can use the [Microsoft 365 Copilot setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide) in the Microsoft 365 admin center to assign the required licenses to users. 
For more information, see [Assign licenses to users in the Microsoft 365 admin center](/microsoft-365/admin/manage/assign-licenses-to-users) and [Microsoft 365 Copilot requirements](/copilot/microsoft-365/microsoft-365-copilot-requirements). ++> [!NOTE] +> From December 1, 2024, to June 30, 2025, enterprise tenants with 50 or more Microsoft 365 Copilot licenses will receive 10,000 free Agents in SharePoint queries for unlicensed users every month as a trial. SharePoint administrators or above can [check the trial promotion status](/powershell/module/sharepoint-online/get-spocopilotpromooptinstatus) and [set trial promotion](/powershell/module/sharepoint-online/set-spocopilotpromooptinstatus) using PowerShell cmdlets. Please see terms of trial usage [here](/legal/microsoft-365/in-app-trials-terms-of-service). ++## Manage what information a user can access through the agents ++### With built-in SharePoint features ++Agents in SharePoint use SharePoint sites, pages and document libraries as knowledge sources to respond to the user. You can control a userΓÇÖs access to the information when they use an agent by controlling their access to the site. SharePoint provides many tools to control access to a site: ++- Make a site private to ensure only the people who have explicit permission to access the site. +- If the site is associated with a Microsoft 365 group and the site is private, control group membership to control who can visit the site. +- If the site isnΓÇÖt associated with a group and is private, use site permissions to control access. +- Use access governance policies available in the SharePoint admin center and PowerShell to control access based on other criteria. ++Learn more about using SharePoint built-in features to control access [here](/sharepoint/sharepoint-copilot-best-practices#step-2prevent-oversharing-and-control-access-with-sharepoint-and-onedrive). 
++## With SharePoint Advanced Management ++Currently, to restrict access to a site by Microsoft 365 Copilot, the SharePoint Admin can set up a [restricted access control policy](/sharepoint/restricted-access-control). As a result, all access to the site is restricted to only the group of users specified in the policy. Accordingly, the content from this site is visible in Microsoft 365 Copilot only for this restricted group of users. You can restrict access to individual sites or OneDrive. +Learn more about additional features to prevent oversharing, control access, and enhance your content governance with SharePoint Advanced Management [here](/sharepoint/get-ready-copilot-sharepoint-advanced-management). ++## Turn off agents in SharePoint with restricted content discovery ++You as a SharePoint Admin can turn off all agent-related features on individual sites with the [restricted content discovery](/sharepoint/restricted-access-control). Once a site is flagged with restricted content discovery, users can't see the Copilot icon on the upper right of the site. Therefore, they donΓÇÖt have access to use the ready-made agent, create new agents, or add content from that site to any other agents. The restricted content discovery policy leaves site access unchanged but prevents the site's content from being surfaced in Microsoft 365 Copilot or organization-wide Search for all users. + |
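Review bot: In "Turn off agents in SharePoint with restricted content discovery", the link text "restricted content discovery" points to "/sharepoint/restricted-access-control", the same target as the restricted access control policy link in the section above; point it at the restricted content discovery article instead. "## With SharePoint Advanced Management" is a second-level heading while its sibling "### With built-in SharePoint features" is third-level under "Manage what information a user can access through the agents". The bullet "Make a site private to ensure only the people who have explicit permission to access the site." is missing its verb, and "userΓÇÖs", "isnΓÇÖt" and "donΓÇÖt" contain mis-encoded apostrophes.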
SharePoint | Onedrive Document Translation | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/onedrive-document-translation.md | description: Learn about the document translation service in OneDrive. # Translate documents in OneDrive > [!NOTE]-> Through June 2025, you can try out document translation and other selected Microsoft Syntex services at no cost if you have [pay-as-you-go billing](/microsoft-365/syntex/syntex-azure-billing) set up. For details on how to get started and the limitations, see [Try out Microsoft Syntex and explore its services](/microsoft-365/syntex/promo-syntex). +> Through June 2025, you can try out document translation and other selected Microsoft Syntex services at no cost if you have [pay-as-you-go billing](/microsoft-365/syntex/syntex-azure-billing) set up. +> +> For details on how to get started and the limitations, see [Try out Microsoft Syntex and explore its services](/microsoft-365/syntex/promo-syntex). -OneDrive, powered by Microsoft Syntex, allows you to translate documents while preserving the original format and structure. With this feature, you can create a translated copy of a single file or a set of files. The translation feature is available for all supported languages and dialects. +OneDrive, powered by Microsoft Syntex, allows you to manually translate documents while preserving the original format and structure. With this feature, you can create a translated copy of a single file or a set of files. The translation feature is available for all supported languages and dialects, and supports up to 10 languages per translation request. :::image type="content" source="media/onedrive-document-translation/1-onedrive-translation.png" alt-text="screenshot of OneDrive document translate feature." 
lightbox="media/onedrive-document-translation/1-onedrive-translation.png"::: OneDrive, powered by Microsoft Syntex, allows you to translate documents while p ## Key features -- **Manual or automatic translation**: You can manually translate files or set up a rule for automatic translation.-- **Translation of different file types**: Translate various file types, including .docx, .pdf, .pptx, and more.+- **Request multiple languages per translation**: You can select up to 10 languages per document translation. +- **Translation of different file types**: Translate various file types. [Supported file types](#supported-file-types), include .docx, .pdf, .pptx, and more. - **Video transcripts and captions**: The translation feature also supports translating video transcripts and closed caption files. For more information, see [Transcript Translations in Stream for SharePoint](https://support.microsoft.com/office/microsoft-syntex-pay-as-you-go-transcript-translations-in-stream-for-sharepoint-2e34ad1b-e213-47ed-a806-5cc0d88751de). +## Prerequisites ++To enable document translation for your tenant, you must: ++- Link an Azure subscription to [Microsoft Syntex pay-as-you-go billing](/microsoft-365/syntex/syntex-azure-billing#connect-syntex-to-an-azure-subscription-for-billing). +- Be a [SharePoint Administrator](sharepoint-admin-role.md) or have credentials to access the Microsoft 365 admin center. ++## Enable document translation for your tenant ++> [!NOTE] +> Once an Azure subscription is linked to Microsoft Syntex, the translation feature is automatically set up and turned on for all [SharePoint](/microsoft-365/syntex/translation-setup#set-up-translation) and OneDrive sites. ++## Manage document translation for OneDrive ++Even though OneDrive document translation is enabled by default, you can also turn off the feature. ++To disable document translation for OneDrive: ++1. 
Sign in to Microsoft 365 admin center and select **[Setup](https://go.microsoft.com/fwlink/p/?linkid=2171997)**. +2. Expand **Files and content** and select **Automate content processes with Syntex**. +3. On the **Automate content processes with Syntex** page, select **Go to Syntex settings**. +4. On the Syntex page, in the **Document & image services** section, select **Document translation**. +5. In the OneDrive section, select **Edit**. On the **Where can document translation be used?** panel, clear the **Available in OneDrive** checkbox. ++For more information about managing document translation for SharePoint sites, see [Set up and manage document translation in Microsoft Syntex](/microsoft-365/syntex/translation-setup#manage-sites). ++## Translate a document ++Sign in to [OneDrive](https://go.microsoft.com/fwlink/p/?LinkID=2119709) with your Microsoft account credentials. ++1. Select **My files**. ++2. Select the file you want to translate and select the **More commands (...)** button in the ribbon. ++ Alternatively, you can get to this feature by selecting **More Actions (...)** beside the file name. ++3. Select **Translate**. ++4. Choose up to 10 languages and select **Translate**. ++ :::image type="content" source="media/onedrive-document-translation/3-onedrive-translation-max-languages.png" alt-text="Screenshot of OneDrive document translate feature with maximum of 10 languages selected." lightbox="media/onedrive-document-translation/3-onedrive-translation-max-languages.png"::: ++The translated file is saved in the same location as the file you selected to translate. ++> [!NOTE] +> It might take up to several hours to generate the translated file(s). +++ ## Requirements and limitations ### Supported file types The maximum file size for translation is 40 MB. ### Supported languages -Translation in Syntex is available for all supported languages and dialects. 
+Translation in Syntex is available for all [supported languages and dialects](/azure/ai-services/translator/language-support#translation). For more information, see the following resources: - [Document Translation: FAQ](/azure/ai-services/translator/document-translation/faq#document-translation-faq) - [How does Translator count characters?](/azure/ai-services/translator/translator-faq#how-does-translator-count-characters)++## Related topics ++- [Overview of document translation in Microsoft Syntex](/microsoft-365/syntex/translation-overview) +- [Set up and manage document translation in Microsoft Syntex](/microsoft-365/syntex/translation-setup) +- [Translate a document in Microsoft Syntex](/microsoft-365/syntex/translation) +- [Configure Microsoft Syntex for pay-as-you-go billing](/microsoft-365/syntex/syntex-azure-billing) |
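Review bot: "Enable document translation for your tenant" contains only a note saying the feature turns on automatically once an Azure subscription is linked, so the heading promises a procedure that isn't there; fold the note into "Prerequisites" or add the linking steps. In "Key features", "[Supported file types](#supported-file-types), include .docx, .pdf, .pptx, and more." has a stray comma and reads as a fragment. The prerequisite "Be a SharePoint Administrator or have credentials to access the Microsoft 365 admin center" does not name the role needed to change the Syntex settings, and with the "Manual or automatic translation" bullet removed the article no longer says whether translation rules are supported.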
SharePoint | Restricted Content Discovery | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/restricted-content-discovery.md | + Last updated : 11/14/2024 + Title: "Restrict discovery of SharePoint sites and content" +++recommendations: true +++audience: Admin +f1.keywords: +- NOCSH +++ms.localizationpriority: medium ++ - has-azure-ad-ps-ref ++- M365-collaboration +- M365-SAM +- Tier2 +search.appverid: +description: "Learn how to restrict the discovery of SharePoint sites from Microsoft 365 Copilot Business Chat and tenant-wide search." +++# Restrict discovery of SharePoint sites and content +++For organizations onboarding to Microsoft 365 Copilot, maintaining strong data governance controls for SharePoint content is critical to deploying Copilot in a safe manner. Sites identified with the highest risk of oversharing can use Restricted Content Discovery to protect content while taking time to ensure that permissions are accurate and well-managed. ++## What is Restricted Content Discovery? ++With Restricted Content Discovery, organizations can limit the ability of end users to search for files from specific SharePoint sites. Enabling Restricted Content Discovery for each site prevents the sites from surfacing in organization-wide search and Microsoft 365 Copilot Business Chat, unless a user had a recent interaction. ++> [!NOTE] +> Restricted Content Discovery does not impact existing permissions on sites. Users with access can still open files on sites with Restricted Content Discovery toggled on. ++While child content is hidden by default, users in your organization can still discover files they own or recently interacted with. End users can still find relevant content they need for their day-to-day tasks, even if Restricted Content Discovery is applied to the parent site. 
++Restricted Content Discovery doesn't affect searches originating from a site context or other intelligent features such as Microsoft 365 Feed and Recommendations. ++## Use cases for Restricted Content Discovery ++Restricted Content Discovery can be applied to any SharePoint site in your organization. The key use case for this feature is to prevent accidental discovery of high-risk sites. ++We recommend using tools such as Data access governance reports and SharePoint admin center's **Active sites** tab to first compile a selective list of targeted sites. ++> [!NOTE] +> This feature can't be applied to OneDrive sites. ++> [!CAUTION] +> Overuse of Restricted Content Discovery can negatively affect performance across search, SharePoint, and Copilot. Removing sites or files from tenant-wide discovery means that there's less content for search and Copilot to ground on, leading to inaccurate or incomplete results. ++Restricted Content Discovery is a site-level setting that needs to be propagated to the search index, a large number of transactions could lead to a long queue in the ingestion pipeline and higher update latency times. ++## Prerequisites ++The Restricted Content Discover policy requires the following prerequisites: ++- Have a [Microsoft SharePoint Premium - SharePoint Advanced Management subscription](advanced-management.md). +- Download and install the latest version of SharePoint Online Management Shell. +- Connect to SharePoint Online as a SharePoint Administrator in Microsoft 365. ++## Configure Restricted Content Discovery ++By default, Restricted Content Discovery is off for all sites. As an IT administrator, you can enable or disable this feature, and check the current state of a given site. 
++### Enable Restricted Content Discovery for a site ++Complete the following steps to apply Restricted Content Discovery on a site: ++To apply Restricted Content Discovery on a SharePoint site, run the following command: ++```powershell +Set-SPOSite –identity <site-url> -RestrictContentOrgWideSearch $true +``` ++### Check the state of Restricted Content Discovery ++Check for the state of Restricted Content Discovery with the following command: ++```powershell +Get-SPOSite –identity <site-url> | Select RestrictContentOrgWideSearch +``` ++### Remove Restricted Content Discovery from a site ++To remove Restricted Content Discovery on a SharePoint site, run the following command: ++```powershell +Set-SPOSite –identity <site-url> -RestrictContentOrgWideSearch $false +``` ++## Next steps ++Restricted Content Discovery gives organizations time to review and/or audit permissions and deploy access controls while onboarding Copilot in a safe manner. ++Ultimately for sites that are overshared, the goal is to ensure that proper controls are in place to manage access. SharePoint Advanced Management has a suite of features, such as advanced site content lifecycle management, to help site owners and admins create a robust SharePoint governance framework. ++## Frequently Asked Questions ++**Is my organization eligible to use Restricted Content Discovery?** ++Customers who are licensed for Copilot and have SharePoint Advanced Management available to them can configure Restricted Content Discovery. ++**What search scenarios enforce Restricted Content Discovery?** ++Restricted Content Discovery only affects tenant-wide search (SharePoint home, Office.com, Bing) and Microsoft 365 Copilot. Only Copilot Discovery scenarios are in scope; Copilot experiences that use data-in-use, such as "summarize the current document" in Word aren't impacted. 
++**Does Restricted Content Discovery impact other features with dependencies on the search index, such as the Microsoft Purview product suite?** ++No, Restricted Content Discovery doesn't remove content from the tenant search index, which means Microsoft Purview features such as eDiscovery and autolabeling aren't impacted. ++**How soon can I expect Search and Copilot to reflect an update made to the Restricted Content Discovery configuration of a site?** ++Restricted Content Discovery is a site-level property. Index update latency is highly dependent on the number of items in the site and the number of sites getting updated at the same time. For sites with more than 500,000 items, the Restricted Content Discovery update could take more than a week to fully process and reflect in search and Copilot. ++**How does Restricted Content Discovery affect the end user experience in Copilot?** ++Based on usage of this feature, Copilot has less information available to reference, which could negatively affect its ability to provide accurate and comprehensive responses. ++**How does Restricted Content Discovery fit into an overall approach to prepare SharePoint data for Microsoft 365 Copilot?** ++Restricted Content Discovery is designed to limit the ability of end users to search for content from specific SharePoint sites. For a more comprehensive guidance on preparing your data for Copilot, check out this [blueprint](https://aka.ms/Copilot/OversharingBlueprintLearn). ++## Related topics ++[Overview of SharePoint Advanced Management](advanced-management.md) ++[Manage access agents in SharePoint](manage-access-agents-in-sharepoint.md) |
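Review bot: All three commands write the first parameter with an en dash ("–identity") and the second with an ASCII hyphen ("-RestrictContentOrgWideSearch"); use the ASCII hyphen for both so the examples are consistent. Under "Enable Restricted Content Discovery for a site", "Complete the following steps to apply..." is immediately followed by a second lead-in and a single command, so drop the first sentence. "The Restricted Content Discover policy" is missing the final "y", and the sentence beginning "Restricted Content Discovery is a site-level setting that needs to be propagated to the search index, a large number of transactions..." is a comma splice that sits outside the caution block it explains. The description and the "What is" section name "Microsoft 365 Copilot Business Chat" while the FAQ says "Microsoft 365 Copilot"; state the scope the same way throughout, since admins rely on it to judge what stays discoverable.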
SharePoint | Search Limits | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/search-limits.md | Previously updated : 07/11/2018 Last updated : 11/14/2024 Title: "Search limits for SharePoint" The following table lists the limits for SharePoint search. |Limit|Maximum value|Limit type|Notes| |:--|:--|:--|:--|-|Size of document that can be downloaded by the crawl components |150 MB|Boundary |Search downloads metadata of the document only for files >150 MB. The content of the document isn't downloaded. | +|Size of document that can be downloaded by the crawl components |All File Types: 150 MB <br/> PDF, PPTX, PPT, DOC, DOCX: 512 MB |Boundary | Crawl processing supports files up to 150 MB for all types, with an extended limit of 512 MB for PDF, PPTX, PPT, DOC, and DOCX formats. For files exceeding these limits, only document metadata is downloaded, while the full content is NOT downloaded and remains unavailable for search. | |Parsed content size |2 million characters |Boundary |Search stops parsing an item after it has parsed up to 2 million characters of content from it, including the item's attachments. The actual number of parsed characters can be lower than this limit because search uses a maximum of 30 seconds on parsing a single item and its attachments. When search stops parsing an item, the item is marked as partially processed. Any unparsed content isn't processed and therefore isn't indexed. | |Characters processed by the word breaker |1,000,000 |Boundary |Search breaks content into individual words (tokens). The word breaker produces tokens from the first 1,000,000 characters of a single item, including the item's attachments. <br/> The actual amount of tokens can be lower than this limit because search uses a maximum of 30 seconds on word breaking. Any remaining content isn't processed. 
| |Indexed managed property size |512 KB per managed property that is set to either "searchable" or "queryable" |Boundary || |
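Review bot: In the replaced "Size of document that can be downloaded by the crawl components" row, the Maximum value cell contradicts itself: "All File Types: 150 MB" is followed by a 512 MB limit for PDF, PPTX, PPT, DOC and DOCX, so 150 MB is not the limit for all file types. Suggest "Other file types: 150 MB" in the cell and "up to 150 MB for most file types" in the Notes text. The Notes cell also writes "NOT" in capitals, which the rest of the table does not do; plain "isn't downloaded", as in the removed row, matches the neighbouring rows. It would also help to say in this row that the 2 million character parsing limit in the next row still applies to files under the new 512 MB limit, so a large PDF can be downloaded and still be only partially indexed.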
SharePoint | Site Access Review | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/site-access-review.md | Previously updated : 11/14/2024 Title: "Initiate site access reviews for data access governance reports" Last updated : 11/18/2024 + Title: "Initiate site access reviews for Data access governance reports" +search.appverid: description: "Learn about how to initiate site access reviews as a remedial action for data access governance for SharePoint sites." -# Initiate site access reviews for data access governance reports +# Initiate site access reviews for Data access governance reports [!INCLUDE[Advanced Management](includes/advanced-management.md)] When you initiate a review, site owners receive an email for each site that requ - A request to review site permissions - A link to a detailed access review page. This page is specific for the scenario as specified in the data access governance report. - :::image type="content" source="./media/data-access-governance/email-eeeu-files-folders-lists.png" alt-text="Screenshot that shows Email received by site owners for oversharing via EEEU" lightbox="./media/data-access-governance/email-eeeu-files-folders-lists.png"::: +The following image shows the email notification regarding 'Everyone except external users' last 28 days report: +++The following image shows a report of shared links generated in the last 28 days: +++The following image shows the oversharing baseline report using permissions: #### Review 'Everyone except external users' site access review requests (for site owners) Site owners can review and manage access in two main areas: - **SharePoint groups:**- - View which groups contain 'Everyone except external users' - - See when and by whom the group was added + - View which groups contain 'Everyone except external users'. + - See when and by whom the group was added. - Remove 'Everyone except external users' from groups if necessary: 1. 
Selecting the SharePoint group opens the group membership page that displays all members of this SharePoint group. 2. Select **Everyone except external users** and **Actions** and choose to **remove users from group**. Site owners can review and manage access in two main areas: :::image type="content" source="./media/data-access-governance/manage-sharepoint-group-membership.png" alt-text="Screenshot that shows displays sharepoint group members" lightbox="./media/data-access-governance/manage-sharepoint-group-membership.png"::: - **Individual items (files/folders/lists):**- - See items shared with 'Everyone except external users' in the last 28 days - - View sharing details (who shared and when) + - See items shared with 'Everyone except external users' in the last 28 days. + - View sharing details (who shared and when). - Manage access and remove permissions as needed: 1. Select **Manage access**. 1. Under the 'Everyone except external users' group in the **Groups** tab, select the group and select **remove access**. See [Stop sharing OneDrive or SharePoint files or folders, or change permissions](https://support.microsoft.com/office/stop-sharing-onedrive-or-sharepoint-files-or-folders-or-change-permissions-0a36470f-d7fe-40a0-bd74-0ac6c1e13323) for more information. Once the site owner selects the email, they're redirected to the site access rev The site owner gets a view of files for whom links were generated along with the exact time of generation and who generated the links. The 'Manage access' button can be used to navigate to the link section and remove it/modify the permissions. +The following image shows an email notification about the sharing links report using permissions: + #### Review 'Oversharing baseline using permission reports' site access review requests (for site owners) Once the site owner selects the email, they're redirected to the site access review detailed report generated for the site. 
-The SharePoint admin views the unique number of permissioned users for this site in the DAG report and that number is also visible to site owner in the site access review email. This list shows how those users are distributed across the site content in terms of permissions and scopes. +The following image shows an email notification about oversharing baseline report using permissions: ++The SharePoint admin views the unique number of permissioned users for this site in the Data access governance report and that number is also visible to site owner in the site access review email. This list shows how those users are distributed across the site content in terms of permissions and scopes. -All items created in the site, by default, inherit permissions of the site and thus the 'site' acts like a parent. However, if the inherited permissions are broken due to sharing of an item by creating links, providing direct access to individuals or groups, removing users/groups etc., a unique scope is created for that item. Now this item acts as a new 'parent' and its children inherit its permissions. The site access review page is a list of such uniquely permissioned 'parents' with the appropriate scope and name. It's NOT the list of ALL items/files/folders in the site. The item with the highest number of permissioned users is shown first. Up to 100 items are shown in descending order so that site owner can focus on items with highest 'exposure' first. +All items created in the site, by default, inherit permissions of the site and thus the 'site' acts like a parent. However, if the inherited permissions are broken due to sharing of an item by creating links, providing direct access to individuals or groups, removing users/groups etc., a unique scope is created for that item. Now this item acts as a new 'parent' and its children inherit its permissions. The site access review page is a list of such uniquely permissioned 'parents' with the appropriate scope and name. 
It's not the list of all items/files/folders in the site. The item with the highest number of permissioned users is shown first. Up to 100 items are shown in descending order so that site owner can focus on items with highest 'exposure' first. ##### Understanding the site access review report for permission based reports Once the site owner takes the necessary actions like modifying or removing permi 2. Add any relevant comments. 3. Submit the completed review. -Comments are shared back to the IT administrator who raised the review request. The review request is then marked as completed. + Comments are shared back to the IT administrator who raised the review request. The review request is then marked as completed. #### Manage multiple site access review requests (for site owners) A site owner can receive review requests for multiple sites, or receive multiple For site owners handling multiple reviews: 1. Access the 'site reviews' page via:- - The link in the review email + - The link in the review email. - The gear icon on the site home page: 1. Select **Site settings**. 1. Select **Site reviews**. |
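Review bot: None of the added "The following image shows …" sentences is followed by an :::image::: line in the diff as shown, while the one :::image::: line in the email section (email-eeeu-files-folders-lists.png) is removed. Please confirm each sentence is followed by its image with alt text, otherwise the page renders five captions that point at nothing. The captions are also inconsistent about what they describe: the first says "email notification", but the second and third in the same group say "a report of shared links" and "the oversharing baseline report", although the surrounding text is about the email that site owners receive. "The sharing links report using permissions" in the later caption looks like a mix of the sharing links report and the permissions-based oversharing baseline report. Smaller point: the title and H1 now capitalize "Data access governance", but the description and the body ("as specified in the data access governance report") keep the lowercase form.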
SharePoint | Unlicensed Onedrive Accounts | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/unlicensed-onedrive-accounts.md | Previously updated : 10/10/2024 Last updated : 11/18/2024 Title: "Manage unlicensed OneDrive user accounts" In this article, you learn how to identify, monitor, and manage unlicensed OneDr ## Changes to storage policies for unlicensed OneDrive accounts > [!IMPORTANT]-> Beginning January 27, 2025, any OneDrive user account that has been unlicensed for longer than 93 days becomes inaccessible to admins and end users. The unlicensed account is automatically archived, viewable via admin tools, but remains inaccessible until administrators take action on them. These changes do not apply to EDU, GCC, or DoD customers. +> +> Beginning January 27, 2025, any OneDrive user account that has been unlicensed for more than 93 days will undergo the following actions: +> +> - Unlicensed accounts will be automatically archived. This means they will still be visible to admins through admin tools, but both admins and end users will no longer have access. Access will remain restricted until administrators take action. (Note: These changes do not apply to EDU, GCC, or DoD customers.) +> - Unlicensed accounts tied to active users (users who are not assigned a license but are still considered active in the system) will be deleted instead of archived. ## Reporting The following table provides more information on data shown in the unlicensed On ||| | Unlicensed accounts | Total number of OneDrive accounts that aren't licensed as of the date the report is generated.| | Storage used | Total storage consumed by these unlicensed OneDrive accounts as of the report's date.|-| Retention period | Unlicensed accounts with a [set retention period](set-retention.md) during the process of license removal or user account deletion. 
The retention period is honored, and the content will remain in an archived state until the period expires.| -| Retention policy | Unlicensed accounts subject to a [retention policy](/purview/retention) set up in Microsoft Purview. The retention policy is honored, and the content will remain in an archived state until the policy expires.| -| Active user with no license | Unlicensed accounts where the user's license was removed, but the account wasn't deleted as part of the [user deletion process](/microsoft-365/admin/add-users/delete-a-user) Starting in January 2025, unlicensed OneDrive accounts in this category will be moved to the recycle bin for 93 days before being permanently deleted. | -| Duplicate account | Unlicensed accounts created when an employee transfers to a different country, region, or firm within the organization. If these duplicate accounts are unnecessary, it's recommended to use the downloadable CSV from the SharePoint admin center to identify and delete them. If no action is taken, the accounts are automatically archived starting in January 2025 and will incur archive charges.| +| Retention period | Unlicensed accounts with a [set retention period](set-retention.md) during the process of license removal or user account deletion. The retention period is honored, and the content remains in an archived state until the period expires.| +| Retention policy | Unlicensed accounts subject to a [retention policy](/purview/retention) set up in Microsoft Purview. The retention policy is honored, and the content remains in an archived state until the policy expires.| +| Active user with no license | Accounts where the user's license was removed, but the account wasn't deleted as part of the [user deletion process](/microsoft-365/admin/add-users/delete-a-user). Starting in January 2025, users who aren't assigned a license but are still considered active in the system are deleted instead of archived. 
| +| Duplicate account | Unlicensed accounts created when an employee transfers to a different country/region, or firm within the organization. If these duplicate accounts are unnecessary, we recommend using the downloadable CSV from the SharePoint admin center to identify and delete them. If no action is taken, the accounts are automatically archived starting in January 2025 and incurs archive charges.| ## Unlicensed OneDrive account management options You can also bulk assign licenses using either of the following methods: - [Assign licenses to user accounts in the Microsoft 365 admin center](/microsoft-365/admin/manage/assign-licenses-to-users) - [Assign licenses to user accounts with PowerShell](/microsoft-365/enterprise/assign-licenses-to-user-accounts-with-microsoft-365-powershell) -**After the unlicensed OneDrive account archival** - The account must be reactivated from the archived state before a license can be assigned. If the archived account has an associated user, the IT admin can give the user a valid license and the account will automatically get reactivated within 24 hours. If the archived account doesn't have an associated user (for example, if the identity was deleted), then we recommend admins move any actively needed content to a SharePoint site or an active and licensed OneDrive account. +**After the unlicensed OneDrive account archival** - The account must be reactivated from the archived state before a license can be assigned. If the archived account has an associated user, the IT admin can give the user a valid license and the account is automatically reactivated within 24 hours. If the archived account doesn't have an associated user (for example, if the identity was deleted), then we recommend admins move any actively needed content to a SharePoint site or an active and licensed OneDrive account. 
### Delete unlicensed OneDrive account You can also bulk assign licenses using either of the following methods: Once you delete the unlicensed account, both the OneDrive account and its files are moved to the recycle bin. After 93 days, it will be permanently deleted, and the user is no longer able to sign in to their work or school account. -**After the unlicensed OneDrive account archival** - An account can be deleted from the archived state without reactivation. However, if the account is subject to a retention policy, the unlicensed account can't be deleted, and the administrator will receive an error message. +**After the unlicensed OneDrive account archival** - An account can be deleted from the archived state without reactivation. However, if the account is subject to a retention policy, the unlicensed account can't be deleted, and the administrator receives an error message. ### Archive unlicensed OneDrive account If you want to access the data of the now inaccessible unlicensed OneDrive accou 1. Set up and link Azure subscription in [Syntex pay-as-you-go](/microsoft-365/syntex/syntex-azure-billing). 2. Must have Global admin or SharePoint admin permissions.-3. [Enable Microsoft 365 Archive](/microsoft-365/syntex/syntex-azure-billing) Unlicensed Account billing (billing is available starting April 2025). +3. [Enable Microsoft 365 Archive](/microsoft-365/syntex/syntex-azure-billing) Unlicensed Account billing (billing is available starting December 2024). -After the setup is completed and reactivation is triggered, it may take up to 24 hours for the account to become accessible. Once reactivated, the account remains active for 30 days before being automatically archived again. +After the setup is completed and reactivation is triggered, it might take up to 24 hours for the account to become accessible. Once reactivated, the account remains active for 30 days before being automatically archived again. 
> [!NOTE] > These changes do not apply to EDU, GCC, or DoD customers. After the setup is completed and reactivation is triggered, it may take up to 24 Microsoft 365 Archive charges for both storage and account reactivation. For more information about Microsoft 365 Archive pricing, see [Pricing model for Microsoft 365 Archive (Preview)](/microsoft-365/syntex/archive/archive-pricing). -Once a payment method is provided, billing follows the routine cycle for archived content. If the billing is put down to reactivate one particular unlicensed account, the reactivation fee is applied for $0.60/GB for that account, and from that month onward, the storing fee of $0.05/GB/Month will also be applied for all unlicensed accounts within the organization that's longer than 90 days. +Once a payment method is provided, billing follows the routine cycle for archived content. If the billing is put down to reactivate one particular unlicensed account, the reactivation fee is applied for $0.60/GB for that account, and from that month onward, the storing fee of $0.05/GB/Month is applicable for all unlicensed accounts within the organization that's longer than 90 days. For example, if an organization has 100 unlicensed OneDrive accounts, each consuming 1 TB for a total of 100 TB, and enforcement occurs between January and March 2025, the 100 unlicensed accounts are automatically archived. If the organization needs to reactivate a specific account in October 2025 and set up billing, they incur the following costs: For example, if an organization has 100 unlicensed OneDrive accounts, each consu Archived OneDrive accounts fully honor retention policies, settings, and litigation hold and eDiscovery hold. For example, if your company has a five-year retention policy, it remains unchanged whether the OneDrive account is active or archived. Archiving doesn't reset the timeline of the retention policy or holds. 
-Microsoft Purview eDiscovery and Content Search are still discoverable in archived content. Exporting the content that's supporting the search results won't require manual reactivation of the archived account, and it takes up to 24 hours to complete. +Microsoft Purview eDiscovery and Content Search are still discoverable in archived content. Exporting the content that's supporting the search results doesn't require manual reactivation of the archived account, and it takes up to 24 hours to complete. -When a change is made to retention policies, it's applied to archived accounts. For example, if the company reduces the retention policy from five years to three years, this update syncs with all archived accounts, for any accounts that have fulfilled the updated retention period, those accounts are moved to recycle bin, and the recycle bin process will begin. +Changes made to retention policies apply to archived accounts. For example, if the company reduces the retention policy from five years to three years, this update syncs with all archived accounts, for any accounts that fulfill the updated retention period, those accounts are moved to recycle bin, and the recycle bin process begins. ++## Unlicensed OneDrive accounts and education tenants ++An education tenant is any tenant with more than 50% education licenses. Any tenant with fewer than 50% education licenses is considered commercial. However, for any education tenant, unlicensed OneDrive accounts consume pooled storage and can pose security and compliance risks. IT admins can view the unlicensed accounts on the OneDrive accounts page to identify unlicensed accounts and take action. ## Frequently Asked Questions For more information on deleting users, see [Delete a user from your organizatio **5. How does it impact eDiscovery in Microsoft Purview?** -**Answer:** Microsoft Purview eDiscovery and Content Search are still discoverable in archived content. 
Exporting the content that's supporting the search results won't require manual reactivation of the archived account, and it takes up to 24 hours to complete. +**Answer:** Microsoft Purview eDiscovery and Content Search are still discoverable in archived content. Exporting the content that's supporting the search results doesn't require manual reactivation of the archived account, and it takes up to 24 hours to complete. **6. How does it impact Retention Policy, Retention Setting, or Litigation Hold?** For more information on deleting users, see [Delete a user from your organizatio **Answer:** Once a payment method is provided, billing follows the routine cycle for archived content. If there's no retention policy and billing stops, your content is deleted within a 93-day period. If a retention policy is still active, the policy is honored regardless of billing status. If the account has no retention and billing, the 93-day content deletion lifecycle begins. -As an example, if the billing is put down to reactivate one particular unlicensed account, the reactivation fee is applied for $0.60/GB for that account, and from that month onward, the storing fee of $0.05/GB/Month will also be applied for all unlicensed accounts within the organization that's longer than 90 days. +As an example, if the billing is put down to reactivate one particular unlicensed account, the reactivation fee is applied for $0.60/GB for that account, and from that month onward, the storing fee of $0.05/GB/Month is applied for all unlicensed accounts within the organization that's longer than 90 days. **9. What's the guidance on 'duplicate accounts'?** As an example, if the billing is put down to reactivate one particular unlicense **12. What's the process to relicense an account once it's archived?** -**Answer:** If the archived account has an associated user, the IT admin can give the user a valid license and the account will automatically get reactivated within 24 hours. 
If the archived account doesn't have an associated user (for example, if the identity was deleted), then we recommend admins move any actively needed content to a SharePoint site or an active and licensed OneDrive account. +**Answer:** If the archived account has an associated user, the IT admin can give the user a valid license and the account automatically reactivates within 24 hours. If the archived account doesn't have an associated user (for example, if the identity was deleted), then we recommend admins move any actively needed content to a SharePoint site or an active and licensed OneDrive account. **13. If a change is made to retention policies, will that change sync down to the archived sites?** -**Answer:** Yes. As an example, if the company retention policy is shortened from five years to three years, this change is synced with all archived accounts, and the recycle bin process will start for accounts that have completed the retention policy. +**Answer:** Yes. As an example, if the company retention policy is shortened from five years to three years, this change is synced with all archived accounts, and the recycle bin process begins for accounts that completed the retention policy. ## Related topics |
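Review bot: The rewritten "Active user with no license" row drops the recovery window. The removed text said these accounts "will be moved to the recycle bin for 93 days before being permanently deleted"; the new text says only that they "are deleted instead of archived", and the new second bullet in the IMPORTANT callout has the same gap. The "Delete unlicensed OneDrive account" section still describes the recycle bin and the 93 days, so if that applies here too, say so in the row and in the callout, because admins need to know how long the data stays recoverable. In the same callout, the exemption "(Note: These changes do not apply to EDU, GCC, or DoD customers.)" is nested inside the first bullet, so it reads as covering archiving only and not the deletion in the second bullet; move it out of the list as its own sentence. The new education tenants section should be reconciled with that exemption, it leaves a tenant with exactly 50% education licenses undefined, and its "However" has nothing to contrast with. Grammar in added lines: "the accounts are automatically archived starting in January 2025 and incurs archive charges" should be "incur", and "for any accounts that fulfill the updated retention period, those accounts are moved to recycle bin" is a comma splice that needs a new sentence.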