Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
SharePoint | Customize Sss | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/customize-sss.md | search.appverid: description: "Customize the SharePoint Success Site." -# Customize the SharePoint Success Site +# Customize the SharePoint Success Site -The SharePoint Success Site is a ready to deploy, up-to-date, and customizable SharePoint communication site that helps your organization maximize the adoption of SharePoint. The SharePoint Success Site helps end users improve the quality and impact of the sites they build for internal audiences, while helping ensure they follow your organization's site usage guidelines. +The SharePoint Success Site is a ready to deploy, up-to-date, and customizable SharePoint communication site that helps your organization maximize the adoption of SharePoint. The SharePoint Success Site helps end users improve the quality and impact of the sites they build for internal audiences, while helping ensure they follow your organization's site usage guidelines. The SharePoint Success Site is prepopulated with web parts and content to guide your viewers through the most up-to-date SharePoint site creation training content. However, there are several opportunities to customize the experience to better suit your organization's goals and usage policy. Learn about what's included in a SharePoint Success Site, and then get started customizing. The SharePoint Success Site is prepopulated with web parts and content to guide ![Image of the SharePoint Success Site landing page](media/sss-landing.png) - ## Before you share the site with end-users- + There are several customization opportunities to align the site content, look, and feel with your organization. Before you publish your site and share it with users, review and customize the following elements: -- Training content in Microsoft 365 learning pathways -- The SharePoint Success Site template +- Training content in Microsoft 365 learning pathways +- The SharePoint Success Site template - The Viva Engage conversation, People, and Forms web parts - Content in the site usage guidelines page - Content in the success story page - Branding details like the site logo and theme - Navigational elements +### Summary of site requirements and permissions -#### Summary of site requirements and permissions Before getting started customizing, ensure that the SharePoint Success Site has been set up by your SharePoint administrator. You need to be a Site owner or Site member for **both** Microsoft 365 learning pathways *and* the SharePoint Success Site in order to have permission to make site customizations. If you're not sure your tenant has the site, contact your SharePoint administrator to verify that the SharePoint Success Site been provisioned and ask for the Microsoft 365 learning pathways and SharePoint Success Site URLs. If you're the Global Administrator (formerly called the Tenant admin) and Microsoft 365 learning pathways hasn't been provisioned, see the [provisioning guidance](./provision-sss.md#provision-the-sharepoint-success-site-1). - **Who has permissions to customize the site template?**+ - Global Administrators and SharePoint Administrators - SharePoint Site owner or Site member level permissions-<br> **Who can create custom playlists and hide or show content in M365 learning pathways?**+ - The Site collection administrator for Microsoft 365 learning pathways - SharePoint Site owner or Site member permissions for Microsoft 365 learning pathways-<br> **Who has permissions to use the SharePoint Success Site as a user?**-- Office 365 user permissions or SharePoint Site visitor permissions or higher +- Office 365 user permissions or SharePoint Site visitor permissions or higher ## Get started customizing+ Once you confirm the necessary access and permission to customize the site, you're ready to get started with the customization process.-The SharePoint Success Site is hosted in your Microsoft 365 tenant, so you need to sign into Microsoft 365 and then navigate to the site. +The SharePoint Success Site is hosted in your Microsoft 365 tenant, so you need to sign into Microsoft 365 and then navigate to the site. ++### Sign in -##### Sign in 1. Open a web browser and navigate to [office.com](https://www.office.com/) or your organization's sign-in location. 2. Sign in with your username and password. 3. Navigate to the location of the site using the URL supplied by your tenant administrator or select SharePoint from the Microsoft 365 home page, and then select the **SharePoint Success Site**. - ### Explore and review the prepopulated training content ![Image of the SharePoint Success Site landing page, Plan your site](media/sss-content-landing.png) Review the **Plan, Build, Launch and manage, and Advanced** playlist sections to ![Image of the SharePoint Success Site landing page, close up of the content controls](media/sss-content-module.png) -**Select a topic, and navigate through content using controls at the top of the article** +#### Select a topic, and navigate through content using controls at the top of the article Select content categories and subcategories, and then navigate through the playlist using arrows and bread crumbs in the control bar to get a sense for how the SharePoint Success Site content is organized and displayed. ---### Customize playlist content +### Customize playlist content > [!div class="mx-imgBorder"] > ![Image of the M365 learning pathways, SharePoint success site page](media/m365-lp-sss.png) --**Navigate to the Microsoft 365 learning pathways admin page:** +#### Navigate to the Microsoft 365 learning pathways admin page 1. Navigate to the Microsoft 365 learning pathways by selecting **Home > Administration**. 2. Next, select the **gear icon** in the web part. 3. Then, select **Home > Learning pathways administration**. 4. Select the **SharePoint Success Site** tab. -**Show or hide sections to the playlist content** +#### Show or hide sections to the playlist content -Select which content to display in your SharePoint Success Site by [hiding and showing](/office365/customlearning/custom_hideshowsub) subcategories of content. For example, if you don't want users to have access to the Advanced site creation section, you can hide that subcategory so it won't be visible to end-users. Decide which content is appropriate for your SharePoint Success Site. +Select which content to display in your SharePoint Success Site by [hiding and showing](/office365/customlearning/custom_hideshowsub) subcategories of content. For example, if you don't want users to have access to the Advanced site creation section, you can hide that subcategory so it won't be visible to end-users. Decide which content is appropriate for your SharePoint Success Site. > [!IMPORTANT] > Hiding playlists does not hide the associated page in the SharePoint Success Site, nor will adding custom playlists automatically create site pages for them. [Add](https://support.microsoft.com/office/create-and-use-modern-pages-on-a-sharepoint-site-b3d46deb-27a6-4b1e-87b8-df851e503dec#bkmk_addpage) or [delete](https://support.microsoft.com/office/delete-a-page-from-a-sharepoint-site-1d4197b8-31b6-460d-906b-3fb492a51db1) pages within the site as needed. -**Add your own custom playlists** +#### Add your own custom playlists With Microsoft 365 learning pathways, you can [create custom playlists](/office365/customlearning/custom_createnewplaylist) that are tailored to the unique needs of your organization. For example, create a playlist for team site integration with Microsoft Teams. - ### Customize the look and feel of your site+ The following sections of the SharePoint Success Site can be customized to meet your requirements, prior to sharing with end users. There are several different ways you can make the SharePoint Success Site template your own. Customize the following elements of your site to fit the need of your organization: - Update the SharePoint Success Site [branding](https://support.microsoft.com/office/customize-your-sharepoint-site-320b43e5-b047-4fda-8381-f61e8ac7f59b) to align with your organization. The following sections of the SharePoint Success Site can be customized to meet - Add [new pages](https://support.microsoft.com/office/create-and-use-modern-pages-on-a-sharepoint-site-b3d46deb-27a6-4b1e-87b8-df851e503dec) to more support or training resources. ### Customize the site navigation+ As a Site owner you have full control of the site navigation. Use the following resources to help you make changes that align with business outcomes: -- Customize the [site navigation](https://support.microsoft.com/office/customize-the-navigation-on-your-sharepoint-site-3cd61ae7-a9ed-4e1e-bf6d-4655f0bf25ca). +- Customize the [site navigation](https://support.microsoft.com/office/customize-the-navigation-on-your-sharepoint-site-3cd61ae7-a9ed-4e1e-bf6d-4655f0bf25ca). - [Associate this site with a hub](https://support.microsoft.com/office/associate-a-sharepoint-site-with-a-hub-site-ae0009fd-af04-4d3d-917d-88edb43efc05). - Use [audience targeting](https://support.microsoft.com/office/target-navigation-news-and-files-to-specific-audiences-33d84cb6-14ed-4e53-a426-74c38ea32293) to target specific navigational links to specific users. For example, in the **Home** navigation drop-down you see a shortcut to the Microsoft 365 learning pathways administration page. Target that page to Site owners for the SharePoint Success Site to prevent end-users from seeing it. - [Delete unwanted pages](https://support.microsoft.com/office/delete-a-page-from-a-sharepoint-site-1d4197b8-31b6-460d-906b-3fb492a51db1) if you need to. As a Site owner you have full control of the site navigation. Use the following ![Image of the Button web part](media/sss-form.png) #### Customize the Success stories page-The success stories section is a gallery for organizations to showcase internal SharePoint site success stories to inspire new Site owners with their site creation. ++The success stories section is a gallery for organizations to showcase internal SharePoint site success stories to inspire new Site owners with their site creation. ![Image of an example success story](media/sss-success-story-example.png) -If available, add SharePoint success stories to your portal. If there are no ready-to-publish success stories, consider working with internal partners to create SharePoint successes by building high priority sites that align with business outcomes. Highlighting these "early wins" will help inspire others in the organization on the possibilities for using SharePoint themselves to achieve business outcomes. +If available, add SharePoint success stories to your portal. If there are no ready-to-publish success stories, consider working with internal partners to create SharePoint successes by building high priority sites that align with business outcomes. Highlighting these "early wins" will help inspire others in the organization on the possibilities for using SharePoint themselves to achieve business outcomes. **Here are some sample questions to consider using in your form:** -- Name of solution -- Project team members -- Who is the sponsor of the project? -- What Microsoft 365 technologies (for example, SharePoint, Viva Engage, Stream, Flow) were used as part of the solution? -- What were the reasons for building the SharePoint site? -- Provide a description of the solution -- What impact or results has the SharePoint site generated? -- What best practices for planning and implementing your solution would you recommend to other who are building their own SharePoint site? +- Name of solution +- Project team members +- Who is the sponsor of the project? +- What Microsoft 365 technologies (for example, SharePoint, Viva Engage, Stream, Flow) were used as part of the solution? +- What were the reasons for building the SharePoint site? +- Provide a description of the solution +- What impact or results has the SharePoint site generated? +- What best practices for planning and implementing your solution would you recommend to other who are building their own SharePoint site? Learn more about how to [create a form](https://support.microsoft.com/office/create-a-form-with-microsoft-forms-4ffb64cc-7d5d-402f-b82e-b1d49418fd9d) using Microsoft Forms. Or, [delete unwanted pages](https://support.microsoft.com/office/delete-a-page-from-a-sharepoint-site-1d4197b8-31b6-460d-906b-3fb492a51db1) if you don't want to include this page in your site. - ### Customize the Site creation guidelines page-To ensure the proper use of SharePoint in your organization, it's important to communicate your site usage guidelines to new and existing site owners. This should include guidelines for how people should create sites in your tenant, design standards, and how people should share information using SharePoint and Microsoft 365. ++To ensure the proper use of SharePoint in your organization, it's important to communicate your site usage guidelines to new and existing site owners. This should include guidelines for how people should create sites in your tenant, design standards, and how people should share information using SharePoint and Microsoft 365. ![Image of the site creation guidelines page](media/sss-creation-guidelines.png) -The example site creation and usage guidelines aren't intended to be a final policy document. Once you have created your own unique usage guidelines, remove the content from the Site usage guidelines page and replace it with your organization's usage guidelines. See how to [create and use modern pages](https://support.microsoft.com/office/create-and-use-modern-pages-on-a-sharepoint-site-b3d46deb-27a6-4b1e-87b8-df851e503dec?ui=en-us&rs=en-us&ad=us) on a SharePoint site. +The example site creation and usage guidelines aren't intended to be a final policy document. Once you have created your own unique usage guidelines, remove the content from the Site usage guidelines page and replace it with your organization's usage guidelines. See how to [create and use modern pages](https://support.microsoft.com/office/create-and-use-modern-pages-on-a-sharepoint-site-b3d46deb-27a6-4b1e-87b8-df851e503dec?ui=en-us&rs=en-us&ad=us) on a SharePoint site. Create site usage guidelines that are appropriate for your organization by reviewing our [site usage guidelines checklist](./sites-usage-guidelines.md) that will help you create guidelines that: Create site usage guidelines that are appropriate for your organization by revie - Capacity guidelines - Site lifecycle policy - #### Provide contact information for SharePoint support-If your organization has an intranet team to support site owners, consider profiling the intranet team members on the SharePoint Success Site homepage using the People web part. -The home page of the SharePoint Success Site has a [People web part](https://support.microsoft.com/office/show-people-profiles-on-your-page-with-the-people-web-part-7e52c5f6-2d72-48fa-a9d3-d2750765fa05?ui=en-us&rs=en-us&ad=us) you can use to add your own Intranet team. If you don't a dedicated team supporting site owners, remove the current People web part. +If your organization has an intranet team to support site owners, consider profiling the intranet team members on the SharePoint Success Site homepage using the People web part. +The home page of the SharePoint Success Site has a [People web part](https://support.microsoft.com/office/show-people-profiles-on-your-page-with-the-people-web-part-7e52c5f6-2d72-48fa-a9d3-d2750765fa05?ui=en-us&rs=en-us&ad=us) you can use to add your own Intranet team. If you don't a dedicated team supporting site owners, remove the current People web part. ## Share the site with end-users-[Share your site with others](https://support.microsoft.com/office/share-a-site-958771a8-d041-4eb8-b51c-afea2eae3658). Partner with others in your organization to ensure the SharePoint Success Site is widely known and adopted. ++[Share your site with others](https://support.microsoft.com/office/share-a-site-958771a8-d041-4eb8-b51c-afea2eae3658). Partner with others in your organization to ensure the SharePoint Success Site is widely known and adopted. Key success factors to managing the SharePoint Success Site: Key success factors to managing the SharePoint Success Site: - Build culture and community by integrating a [Viva Engage web part](https://support.microsoft.com/office/use-a-yammer-web-part-in-sharepoint-online-a53cfa0c-3d09-42c8-a286-1038a81c59da#conversations). - Integrate and customize your organization's high-value training content. -#### Adoption and awareness strategy +### Adoption and awareness strategy -To help build, grow, and sustain your SharePoint adoption efforts, it's recommended to [create a SharePoint user group community in Viva Engage](https://support.microsoft.com/office/create-a-group-in-yammer-b407af4f-9a58-4b12-b43e-afbb1b07c889). Your SharePoint champions and power users can answer SharePoint related questions posted in the Viva Engage group and encourage site owners to share their successes and best practices. See the [champions guidance](/office365/customlearning/champ_findthem) for more information on how to identify and build a successful champions program. +To help build, grow, and sustain your SharePoint adoption efforts, it's recommended to [create a SharePoint user group community in Viva Engage](https://support.microsoft.com/office/create-a-group-in-yammer-b407af4f-9a58-4b12-b43e-afbb1b07c889). Your SharePoint champions and power users can answer SharePoint related questions posted in the Viva Engage group and encourage site owners to share their successes and best practices. See the [champions guidance](/office365/customlearning/champ_findthem) for more information on how to identify and build a successful champions program. To increase visibility and engagement within your portal champions community, integrate the Viva Engage group hosting your community into the SharePoint Success Site using the [Viva Engage conversations web part](https://support.microsoft.com/office/use-a-yammer-web-part-in-sharepoint-online-a53cfa0c-3d09-42c8-a286-1038a81c59da).- |
SharePoint | Data Access Governance Reports | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/data-access-governance-reports.md | Previously updated : 06/04/2024 Last updated : 07/02/2024 Title: "Data access governance reports for SharePoint sites" -description: "In this article, you'll learn about reports that can help you govern access to data in SharePoint." +description: "In this article, you learn about reports that can help you govern access to data in SharePoint." # Data access governance reports for SharePoint sites [!INCLUDE[Advanced Management](includes/advanced-management.md)] -As sprawl and oversharing of SharePoint sites increase with exponential data growth, organizations need help to govern their data. Data access governance reports provide info that helps you govern access to SharePoint data. The reports let you discover sites that contain potentially overshared or sensitive content. You can use these reports to assess and apply appropriate security and compliance policies. +As sprawl and oversharing of SharePoint sites increase with exponential data growth, organizations need help with governing their data. Data access governance reports can help you govern access to SharePoint data. The reports let you discover sites that contain potentially overshared or sensitive content. You can use these reports to assess and apply the appropriate security and compliance policies. ## Requirements This feature requires either Microsoft 365 E5 or Microsoft SharePoint Premium - SharePoint Advanced Management. -While admins with Microsoft 365 E5 licensing can access Data access governance reporting, they are not able to view or utilize the other [SharePoint Advanced Management features](advanced-management.md). -+> [!NOTE] +> IT administrators with Microsoft 365 E5 licensing can access Data access governance reporting, but are unable to view or utilize the other [SharePoint Advanced Management features](advanced-management.md). ## Access the reports in the SharePoint admin center -1. Go to the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219), and sign in with an account that has [admin permissions](./sharepoint-admin-role.md) for your organization. -2. In the left pane, select **Reports** > **Data access governance**. The following reports are currently available: +1. As an [administrator](sharepoint-admin-role.md), sign in to the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219) for your organization. +2. In the left pane, select **Reports** and then select **Data access governance**. ++ The following reports are currently available from the Data access governance landing page: - Sharing links - Sensitivity labels applied to files- :::image type="content" source="media/data-access-governance-screen.png" alt-text="Data access governance page"::: + - Shared with 'Everyone except external users' + :::image type="content" source="media/data-access-governance/dag-landing-page.png" alt-text="Screenshot that shows data access governance dashboard." lightbox="media/data-access-governance/dag-landing-page.png"::: ## Sharing links reports -The Sharing links reports help you identify potential oversharing by seeing the sites where users created the most new sharing links. A report is available for the following links: +Sharing links reports lets you identify potential sources of oversharing by showing the sites where users created the most new sharing links. A report is available for the following links: ++|Name of report|Description| +||| +|**"Anyone" links**| This report provides a list of sites in which the highest number of "Anyone" links were created. "Anyone" links allow anyone to access files and folders without signing in.| +|**"People in the organization" links**| This report provides a list of sites in which the highest number of "People in the organization" links were created. These links can be forwarded internally and allow anyone in the organization to access files and folders.| +|**"Specific people" links shared externally**| This report provides a list of sites in which the highest number of "Specific people" links were created for people outside the organization.| -- **"Anyone" links**: This report gives you a list of sites in which the highest number of Anyone links were created. These links let anyone access files and folders without signing in.-- **"People in the organization" links**: This report gives you a list of sites in which the highest number of “People in the organization” links were created. These links can be forwarded internally and let anyone in the organization access files and folders.-- **"Specific people" links shared externally**: This report gives you a list of sites in which the highest number of “specific people” links were created for people outside the organization. :::image type="content" source="media/sharing-links-screen.png" alt-text="Sharing links page"::: ### Run the reports -To get the latest data for a report, run the report. You can run all reports or select individual reports to run. It might take a few hours for reports to run. To check if a report is ready or when it was last updated, see the **Status** column. +To get the latest data for each report, manually run the Data access governance report. You can run all reports or select individual reports to run. It can take a few hours for reports to fully generate. To check if a report is ready or to see when it was last updated, see the **Status** column. > [!NOTE] > Each report can be run only once in 24 hours. ### View the reports -When a report is ready, select it to view the data. Each sharing link report includes: +When a report is ready, select the name of the report to view the data. Each sharing link report includes: - Up to 100 sites with highest number of [sharing links](modern-experience-sharing-permissions.md) created in the last 30 days.-- The policies applied to these sites – [site sensitivity](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites), [site unmanaged device policy](control-access-from-unmanaged-devices.md), and [site external sharing policy](external-sharing-overview.md).-- The primary admin for each site.+- The types of policies applied to the sites – [site sensitivity](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites), [site unmanaged device policy](control-access-from-unmanaged-devices.md), and [site external sharing policy](external-sharing-overview.md). +- The name of the primary administrator for each site. -Note that the reports don't include OneDrive data. +> [!NOTE] +> The reports don't include OneDrive data. ### Download the reports -You can download a .csv file to get the same information for up to 10,000 sites. +You can also download the reporting as a .csv file for up to 10,000 sites. ## Sensitivity labels for files reports -The "Sensitivity labels for files" reports help you control access to sensitive content by finding sites storing [Office files that have sensitivity labels applied](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files). You can review these sites to ensure the correct policies are applied. +The Sensitivity labels for files report lets you control access to sensitive content by finding sites storing [Office files that have sensitivity labels applied](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files). You can review these sites to ensure the correct policies are applied. ### Add the reports To get the latest data for a report, run the report. You can run all reports or ### Download reports -After you run a report, select it to download the data. The report includes: +After you run a report, select the report to download the data. The report includes: - Up to 10,000 sites with the highest number of [Office files that have sensitivity labels applied](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files).-- The policies applied on these sites - [site sensitivity](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites), [site unmanaged device policy](control-access-from-unmanaged-devices.md), and [site external sharing policy](external-sharing-overview.md).+- The policies applied on the following sites - [site sensitivity](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites), [site unmanaged device policy](control-access-from-unmanaged-devices.md), and [site external sharing policy](external-sharing-overview.md). + :::image type="content" source="media/details-screen.png" alt-text="Downloaded .csv file"::: +## Content shared with 'Everyone except external users' (EEEU) reports ++Everyone except external users (EEEU) is part of a built-in group that represents the entire organization without any external guests. It's used in following scenarios where content needs to be visible to the entire organization: ++- Public sites - The site is publicly visible to users within your entire organization - Everyone except external users (EEEU) group is part of the site membership, that is, site owners/visitors/members. +- Public items - You can select EEEU in the people picker to share a particular item (file/folder) and then that item is visible to the entire organization. ++Now organizations can discover potential oversharing occurring via EEEU using the new Data access governance (DAG) report that captures the above mentioned events in the last 28 days. ++### Create Everyone except external users reports ++When creating a report, you can select various options like create focused reports or filter later within the report. +++- Report name: Provide a unique name for the report. +- Template: Lists categories of SharePoint site templates (Classic sites, Communication sites, Team sites, others). You can choose multiple values or 'All sites'. +- Privacy: Applicable for Team sites in the scope. You can select 'Private', 'Public' or 'All'. +- Site sensitivity: Lists all sensitivity labels. Select one or many labels if you want to report to run within the scope of labeled sites. For for example: 'Identify files within sites labeled as 'Confidential', that were shared with EEEU in the last 28 days. +- Report type: To select the scenario as discussed above, that is, whether you want a report for recent 'public sites' or for recent 'public items'. ++### Run Everyone except external users reports ++To get the latest data for a report, run the report. You can run all reports or select individual reports to run. It might take a few hours for reports to run. To check if a report is ready or when it was last updated, see the **Status** column. ++> [!NOTE] +> Each report can be run only once in 24 hours. ++### View EEEU reports ++Each EEEU report includes data as shown in the screenshot below +++- Up to 100 sites with highest number of items/groups shared with EEEU in the last 28 days. +- Policies applied to these sites – [site sensitivity](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites), site privacy and [site external sharing policy](external-sharing-overview.md). +- Primary admin for each site. ++> [!NOTE] +> The reports don't include OneDrive data ++### Download Everyone except external users reports ++After running the report, select the report to download the data. In the report: ++- The site with the most number of items/groups shared with EEEU appears first and the report includes up to 1 million such sites. +- Other site related information such as the primary admin, admin's email address, site template, privacy, sensitivity label etc. + ## Limitations or known issues -- These reports work only if you have non-pseudonymized report data selected for your organization. To change this setting, you must be Global Administrator. Go to the [Reports setting in the Microsoft 365 admin center](https://admin.microsoft.com/#/Settings/Services/:/Settings/L1/Reports) and clear **Display concealed user, group, and site names in all reports**.-- Data in these reports might be delayed by up to 48 hours. In new tenants, it might take a few days for data to be available and for these reports to be generated successfully.+- Reports work if you have nonpseudonymized report data selected for your organization. To change this setting, you must be a Global Administrator. Go to the [Reports setting in the Microsoft 365 admin center](https://admin.microsoft.com/#/Settings/Services/:/Settings/L1/Reports) and clear **Display concealed user, group, and site names in all reports**. +- Report data may be delayed by up to 48 hours. In new tenants, it can take a few days for data to be generated successfully and available for viewing. ++## Remedial actions from Data access governance reports ++Once you run the Data access governance reports to discover potential oversharing, the next step is to take actions to remediate such risks. We recommend considering factors like sensitivity of the content, amount of content exposed and disruption to existing status. ++If immediate action needs to be taken, you can configure [Restricted access control (RAC)](./restricted-access-control.md) and restrict access to a specified group (currently in preview). You can also use the ['Change history' report](./change-history-report.md) to identify recent changes to site properties that could lead to oversharing. ++You can also request the site owner review the permissions before taking necessary actions via the Site access review feature that is available within the Data access governance reports. |
SharePoint | Restricted Access Control | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/restricted-access-control.md | Previously updated : 07/16/2024 Last updated : 07/17/2024 Title: "Restrict SharePoint site access with Microsoft 365 groups and Entra security groups" To manage site access restriction for a group-connected site in SharePoint admin 1. In the **Settings** tab, select **Edit** in the **Restricted site access** section. 1. Select the **Restrict access to this site** box and select **Save**. -To enable site access restriction for a group-connected site, run the following command: +To manage site access restriction for group-connected sites using PowerShell, use the following commands: -```PowerShell -Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $true -``` --To view site access restriction for a group-connected site, run the following command: --```PowerShell -Get-SPOSite -Identity <siteurl> | Select RestrictedAccessControl -``` --To disable site access restriction for a group-connected site, run the following command: --```PowerShell -Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $false -``` +| Action | PowerShell command | +||| +|Enable site access restriction for group-connected site |`Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $true`| +|View site access restriction for group-connected site |`Get-SPOSite -Identity <siteurl> -Select RestrictedAccessControl`| +|Disable site access restriction for group-connected site |`Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $false`| ## Restrict site access to non-group connected sites Get-SPOTenant | select RestrictedAccessControlForSitesErrorHelpLink The configured learn more link is launched when the user selects the **Know more about your organizationΓÇÖs policies here** link. -![Screenshot that shows learn more link for restricted access control.](../SharePointOnline/media/rac-spac/2-rac-learn-more-link.png)" +![Screenshot that shows learn more link for restricted access control.](media/rac-spac/2-rac-learn-more-link.png) -## Reporting +## Restricted site access policy insights As an IT administrator, you can view the following reports to gain more insight on SharePoint and OneDrive sites protected with restricted site access policy: As an IT administrator, you can view the following reports to gain more insight ### Sites protected by restricted site access policy report (preview) -You can run the following commands in SharePoint PowerShell to generate, view, and download the report: --#### Generate report --To generate a new report, run the following command: --```powershell -Start-SPORestrictedAccessForSitesInsights -RACProtectedSites -``` --#### View report --To fetch and view the generated report, run the following command: --```powershell -Get-SPORestrictedAccessForSitesInsights -RACProtectedSites -ReportId <Report GUID> -``` --The report shows the top 100 sites with the highest page views that are protected with the policy. --#### Download report --To download the generated report, run the following command: --```powershell -Get-SPORestrictedAccessForSitesInsights -RACProtectedSites -ReportId <Report GUID> -Action Download -``` --The downloaded report is located on the path where the command was run. --> [!IMPORTANT] -> You must run the command as an administrator in order to download the report. --### Percentage of sites protected with restricted site access report --You can also view the percentage of sites that are protected with restricted site access out of total number of sites, using the following command: --```powershell -Get-SPORestrictedAccessForSitesInsights -RACProtectedSites -ReportId <Report GUID> -InsightsSummary -``` +You can run the following commands in SharePoint PowerShell to generate, view, and download the reports: -### Access denials due to restricted site access report +| Action | PowerShell command | Description | +|||| +|Generate report |`Start-SPORestrictedAccessForSitesInsights -RACProtectedSites`| Generates a list of site protected by restricted site access policy| +|View report |`Get-SPORestrictedAccessForSitesInsights -RACProtectedSites -ReportId <Report GUID>` | The report shows the top 100 sites with the highest page views that are protected by the policy.| +|Download report |`Get-SPORestrictedAccessForSitesInsights -RACProtectedSites -ReportId <Report GUID> -Action Download`| This command must be run as an administrator. The downloaded report is located on the path where the command was run.| +|Percentage of site protected with restricted site access report|`Get-SPORestrictedAccessForSitesInsights -RACProtectedSites -ReportId <Report GUID> -InsightsSummary`|This report shows the percentage of sites that are protected by the policy out of the total number of sites| -#### Create report +### Access denials due to restricted site access policy -To create a new report for fetching access denial details, run the following command in PowerShell: +You can run the following commands to create, fetch, and view report for access denials due to restricted site access reports: -```powershell -Start-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -``` --#### Fetch report status --To fetch the status of the generated report, run the following command: --```powershell -Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -``` --#### View access denials in the last 28 days report --To get the list of access denials in the last 28 days, run the following command: --```powershell -Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content AllDenials -``` --The PowerShell output contains most recent 100 access denials. To view up to 10,000 denials, you can download the report. --#### View list of top users who were denied access --To get the list of top users who were denied access, run the following command: --```powershell -Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content TopUsers -``` --The PowerShell output contains the top 100 users who faced the highest access denials. To view up to 10,000 users, download the report. --#### View list of top sites that received maximum access denials --To get the list of top sites that received maximum access denials, run the following command: --```powershell -Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content TopSites -``` --The PowerShell output contains the top 100 sites that had the highest access denials. To view up to 10,000 sites, download the report. --#### View distribution of access denials across different types of sites report --To view the distribution of access denials across different types of sites, run the following command: --```powershell -Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content SiteDistribution -``` --> [!IMPORTANT] -> You must run the command as an administrator to download the report. +| Action | PowerShell command | Description | +|||| +|Create access denials report |`Start-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy`| Creates a new report for fetching access denial details| +|Fetch access denials report status |`Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy`| Fetches the status of the generated report.| +|Last 100 access denials in the past 28 days report |`Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content AllDenials`| Gets a list of the most recent 100 access denials that occurred in the past 28 days| +|Top 100 users denied access report| `Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content TopUsers`|Gets a list of the top 100 users who received the most access denials| +|View list of top sites that received the most access denials|`Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content TopSites`| Gets a list of the top 100 sites that had the most access denials| +|Distribution of access denials across different types of sites report|`Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content SiteDistribution`|This command must be run as an administrator in order to download the report. Shows the distribution of access denials across different types of sites| > [!NOTE]-> The downloaded report will be located on the path from where command has been run. +> To view up to 10,000 denials, you must download the reports. The downloaded reports will be located on the path from where command was run. ## Auditing |
SharePoint | Site Access Review | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/site-access-review.md | + Last updated : 07/17/2024 + Title: "Initiate site access reviews for data access governance reports" +++++recommendations: true +audience: Admin +f1.keywords: NOCSH +++ms.localizationpriority: medium ++- Strat_SP_admin +- Highpri +- Tier2 +- M365-sam +- M365-collaboration ++- seo-marvel-apr2020 +- admindeeplinkSPO +search.appverid: MET150 +description: "Learn about how to initiate site access reviews as a remedial action for data access governance for SharePoint sites." +++# Initiate site access reviews for data access governance reports +++Site access review in the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219) lets [IT administrators](/microsoft-365/admin/add-users/assign-admin-roles) delegate the review process of [data access governance reports](data-access-governance-reports.md) to the site owners of overshared sites. ++Site access review involves site owners in the review process so they can address the concern of overshared sites identified in data access governance reports. This feature is crucial because: ++- IT administrators can't have access to file-level or item-level details due to compliance reasons. +- Site owners are best positioned to review and address oversharing issues for their own sites. ++## Prerequisites ++To use the site access review feature, you must fulfill the following prerequisites: ++- [Microsoft SharePoint Premium - SharePoint Advanced Management](advanced-management.md) subscription +- Admin credentials to access the SharePoint admin center ++## How site access review works ++- Site access review is accessible only for the top 100 sites shown in the data access governance reports. Site access review specifically targets the oversharing scenario identified in the selected data access governance report. +- When you initiate a review, the system generates a context-specific email for the site owner. +- For example, if you initiate a site access review for a report from the "Content shared with 'Everyone except external users'" category, the review email exclusively addresses sharing issues regarding that particular report. ++> [!IMPORTANT] +> Currently, site access review is available only for "Content shared with 'Everyone except external users'" reports. ++## Initiate a site access review ++1. Sign in to SharePoint admin center with your admin credentials. +1. Expand the **Reports** section and select **Data access governance**. +1. Under "Content shared with 'Everyone except external users", select **View reports**. +1. Select a report and choose the sites you want to review. ++ :::image type="content" source="./media/data-access-governance/initiate-site-access-review.png" alt-text="Screenshot that shows Initiate site access review for sites listed within DAG report" lightbox="./media/data-access-governance/initiate-site-access-review.png"::: + +1. Select **Initiate site access review**. +1. Add comments in the provided section to give context to site owners. + + :::image type="content" source="./media/data-access-governance/comments-site-access-review.png" alt-text="Screenshot that shows provide comments for context setting for site owners"::: + +1. Select **Send** to initiate the review request. ++### Track initiated site access reviews ++To see a list of all initiated site access reviews, select the **My review requests** tab from the data access governance landing page. +++When you initiate a site access review, it remains in a pending state until the site owner completes the review. Once the site owner completes the review, the status and comments are updated with the name of the reviewer and time and date of completion. A review can be marked as failed if site access review couldn't determine a valid email ID for the site owner to deliver the site access review. ++### Site access review process (for site owners) ++When you initiate a review, site owners receive an email for each site that requires attention. The email includes: ++- Relevant title +- Your comments (if any) +- A request to review site permissions +- A link to a detailed access review page. This page is specific for the scenario as specified in the data access governance report. ++ :::image type="content" source="./media/data-access-governance/email-eeeu-files-folders-lists.png" alt-text="Screenshot that shows Email received by site owners for oversharing via EEEU" lightbox="./media/data-access-governance/email-eeeu-files-folders-lists.png"::: ++> [!NOTE] +> In the screenshot, the link says "View shared items" since the review was initiated for a site from "Content shared with 'Everyone except external users'" report. ++#### Review 'Everyone except external users' site access review requests (for site owners) ++Site owners can review and manage access in two main areas: ++- **SharePoint groups:** + - View which groups contain 'Everyone except external users' + - See when and by whom the group was added + - Remove 'Everyone except external users' from groups if necessary: + 1. Selecting the SharePoint group opens the group membership page that displays all members of this SharePoint group. + 2. Select **Everyone except external users** and **Actions** and choose to **remove users from group**. ++ :::image type="content" source="./media/data-access-governance/manage-sharepoint-group-membership.png" alt-text="Screenshot that shows displays sharepoint group members" lightbox="./media/data-access-governance/manage-sharepoint-group-membership.png"::: ++- **Individual items (files/folders/lists):** + - See items shared with 'Everyone except external users' in the last 28 days + - View sharing details (who shared and when) + - Manage access and remove permissions as needed: + 1. Select **Manage access**. + 1. Under the 'Everyone except external users' group in the **Groups** tab, select the group and select **remove access**. See [Stop sharing OneDrive or SharePoint files or folders, or change permissions](https://support.microsoft.com/office/stop-sharing-onedrive-or-sharepoint-files-or-folders-or-change-permissions-0a36470f-d7fe-40a0-bd74-0ac6c1e13323) for more information. ++ :::image type="content" source="./media/data-access-governance/site-owner-view-foreeeu-files.png" alt-text="Screenshot that shows view for site owner regarding items shared with eeeu" lightbox="./media/data-access-governance/site-owner-view-foreeeu-files.png"::: ++#### Complete site access review requests (for site owners) ++Once the site owner takes the necessary actions like modifying or removing permissions, the site owner should: ++1. Select **Complete review**. +2. Add any relevant comments. +3. Submit the completed review. ++Comments are shared back to the IT administrator who raised the review request. The review request is then marked as completed. ++#### Manage multiple site access review requests (for site owners) ++A site owner can receive review requests for multiple sites, or receive multiple reviews for different scenarios for the same site. A site owner can track all requests by selecting the **Site reviews** page found in the left panel. +++For site owners handling multiple reviews: ++1. Access the 'site reviews' page via: + - The link in the review email + - The gear icon on the site home page: + 1. Select **Site settings**. + 1. Select **Site reviews**. + + :::image type="content" source="./media/data-access-governance/site-review-from-gear-icon.png" alt-text="Screenshot that shows path to site review page from site home page under gear icon" lightbox="./media/data-access-governance/site-review-from-gear-icon.png"::: + +1. View all pending site access reviews. +1. Complete reviews as necessary. ++## Related topics ++[Data access governance](data-access-governance-reports.md) ++[Microsoft SharePoint Premium - SharePoint advanced management](advanced-management.md) |