Service | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
SharePoint | Advanced Management | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/advanced-management.md | Previously updated : 06/04/2024 Last updated : 08/19/2024 Title: "Microsoft SharePoint Premium - SharePoint Advanced Management overview" -description: "Learn about Microsoft SharePoint Premium - SharePoint Advanced Management and how you can use it in your organization." +description: "Learn about Microsoft SharePoint Premium - SharePoint Advanced Management and how you can use its features before and after deploying Copilot." # Microsoft SharePoint Premium - SharePoint Advanced Management overview -Microsoft SharePoint Premium - SharePoint Advanced Management is a Microsoft 365 add-on that provides a suite of features that can help you: +Microsoft SharePoint Premium - SharePoint Advanced Management is an essential add-on for Microsoft 365 that equips IT administrators with a powerful suite of tools to bolster content governance throughout the Microsoft Copilot deployment journey. -- Manage and govern SharePoint and OneDrive-- Enhance Microsoft 365 secure collaboration capabilities+Whether preparing for [Copilot deployment](/copilot/microsoft-365/microsoft-365-copilot-setup) or managing content post-implementation, this solution offers capabilities to: -SharePoint Advanced Management features are administered by SharePoint administrators in the SharePoint admin center. Some features can be used by site owners. +- prevent content sprawl, +- streamline access management for SharePoint and OneDrive sites, and +- analyze usage patterns through comprehensive reporting. 
-## Advanced access policies for secure content collaboration -**[Restrict SharePoint site access with Microsoft 365 groups and Entra security groups](restricted-access-control.md)** - You can restrict the access of a SharePoint site and its content only to the members of Microsoft 365 group (for group-connected sites) or a security group (for non-group connected sites). Users who aren't in the specified groups won't have access to site content even if they previously had site access permissions or a file sharing link. +We recommend utilizing SharePoint Advanced Management features along with our [best practices for Copilot for Microsoft 365](/sharepoint/sharepoint-copilot-best-practices) to reduce the risk of oversharing, control content sprawl, and manage content lifecycle. -**[Restrict OneDrive content access](onedrive-site-access-restriction.md)** - You can limit access to shared content in a user's OneDrive to people in a security group. The OneDrive access restriction policy prevents anyone who is not in the security group from accessing content in that OneDrive even if it's shared with them. +SharePoint Advanced Management features are managed by [IT administrators](/microsoft-365/admin/add-users/about-admin-roles) with access to the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219). Some features can be used by site owners. -**[Restrict OneDrive service access](limit-access.md)** - You can limit OneDrive access to members of a specific security group if you want to allow only certain users to have access. Even if other users outside of these security groups are licensed for OneDrive, they won't have access to their own OneDrive or any shared OneDrive content. -**[Data access governance reports for SharePoint sites](data-access-governance-reports.md)** - These reports help you discover sites that contain potentially overshared or sensitive content. 
You can use these reports to assess and apply appropriate security and compliance policies. +SharePoint Advanced Management helps you identify, manage, and resolve common content governance issues such as: -**[Conditional access policy for SharePoint sites and OneDrive](authentication-context-example.md)** - With Microsoft Entra authentication context, you can enforce more stringent access conditions when users access SharePoint sites. Authentication contexts can be directly applied to sites or used with sensitivity labels to connect Microsoft Entra Conditional Access policies to labeled sites. +## Manage content sprawl -## Advanced sites content lifecycle management +**What is content sprawl?** Content sprawl occurs when digital content accumulates without proper management across various storage locations in an organization. This leads to difficulties in accessing information, higher storage expenses, security vulnerabilities, and compliance complexities. You can tackle content sprawl by implementing governance strategies and utilizing tools that centralize control, optimize storage efficiency, and uphold secure data management practices. -**[Block download policy for SharePoint sites and OneDrive](block-download-from-sites.md)** - You can block download of files from SharePoint sites or OneDrive without needing to use Microsoft Entra Conditional Access policies. Users have browser-only access with no ability to download, print, or sync files. They also won't be able to access content through apps, including the Microsoft Office desktop apps. +### Inactive SharePoint sites policy -**[Review your recent changes to SharePoint site properties](recent-actions-panel.md)** - The recent actions panel lets you review and monitor the last 30 changes you've made to a SharePoint site's properties (such as renaming a site, deleting a site, changing storage quota) within the last 30 days in the SharePoint admin center. 
This feature only shows changes made by you and not other administrators. Also, changes made to site properties at the organization-level will not show in the panel. +You can run automated, rule-based policies to manage and reduce inactive sites with the [**Inactive SharePoint sites policy**](site-lifecycle-management.md) feature from SharePoint Advanced Management. -**[Manage site lifecycle policies](site-lifecycle-management.md)** - You can set up an inactive site policy to automatically detect inactive sites and send notifications to site owners via email. The owners can then confirm whether the site is still active. When you're setting up a site lifecycle policy, you can choose between a simulation policy and an active policy. -**[Create change history reports](change-history-report.md)** - You can create change history reports in the SharePoint admin center to review SharePoint site property changes made within the last 180 days. Create up to five reports for a given date range and filter by sites and users. You can download the report as a .csv file to view the site property changes. +The inactive sites policy combats content sprawl by automatically identifying and managing inactive SharePoint sites. It operates by defining inactivity criteria, such as lack of updates or user activity over a set period. Once identified, site owners receive email notifications to confirm the active/inactive state of the site. ++### AI Insights ++The AI insights feature for [SharePoint Advanced Management](advanced-management.md) uses a language model to identify patterns and potential issues from reporting and receive actionable recommendations to solve issues. ++You can find the **Get AI insights** button next to various reports in the SharePoint admin center. Once selected, the AI insights feature extracts patterns from the report and offers a list of potential actions. 
+++## Manage oversharing ++Copilot leverages the data stored in SharePoint and OneDrive sites to provide insights and automate tasks across your organization. Confidential data from content in SharePoint and OneDrive sites can populate in Copilot's generated insights, posing security and privacy risks. ++SharePoint Advanced Management ensures this data is securely handled and accessed only by authorized users and/or security groups, maintaining the integrity and security of the insights generated by Copilot​. ++By preventing oversharing and managing access effectively, you can ensure that Copilot's collaboration features are optimized. This leads to more efficient and secure use of Copilot across your organization. ++### Data access governance insights ++**[Data access governance insights](data-access-governance-reports.md)** lets you view reports that identify sites that contain potentially overshared or sensitive content. You can use these reports to assess and apply appropriate security and compliance policies. +++### Block download policy for SharePoint and OneDrive sites ++**[Block download policy for SharePoint and OneDrive sites](block-download-from-sites.md)** You can block download of files from SharePoint sites or OneDrive without needing to use Microsoft Entra Conditional Access policies. Users have browser-only access with no ability to download, print, or sync files. They also won't be able to access content through apps, including the Microsoft Office desktop apps. +++### Conditional access policy for SharePoint and OneDrive sites ++**[Conditional access policy for SharePoint and OneDrive sites](authentication-context-example.md)** lets you enforce stringent access conditions when users access SharePoint sites. Authentication contexts can be directly applied to sites or used with sensitivity labels to connect Microsoft Entra Conditional Access policies to labeled sites. 
+++## Control Copilot access to content ++Before enabling Copilot for your organization and tenant, you can proactively set policies to restrict access to sites and manage content discoverability during Copilot and tenant-wide search. ++### Restricted access control for SharePoint ++You can prevent sites and content from being discovered at the site-level by enabling **[Restricted access control for SharePoint sites](restricted-access-control.md)**. Site access restriction allows only users in the specified security group or Microsoft 365 group to access content. This policy can be used with Microsoft 365 group-connected, Teams-connected, and non-group connected sites. +++### Restricted access control for OneDrive ++You can limit access to shared content of a user's OneDrive to only people in a security group with the **[Restricted access control for OneDrive](onedrive-site-access-restriction.md)** policy. ++Once the policy is enabled, anyone who is not in the designated security group won't be able to access content in that OneDrive even if it was previously shared with them. To block users from accessing OneDrive as a service, you can enable the [Restrict OneDrive service access](limit-access.md) feature. +++## Manage content lifecycle ++You can manage the content lifecycle for SharePoint and OneDrive sites with SharePoint advanced management features that streamline content creation, organization, and retention through automated workflows, detailed reporting, and robust compliance settings. 
++Effective lifecycle management not only ensures streamlined governance and enhanced collaboration but also optimizes storage, maintains data integrity, and supports regulatory compliance, ultimately improving efficiency and security ++### Recent SharePoint admin actions ++ The **[Recent SharePoint admin actions](recent-actions-panel.md)** policy lets you review and monitor the last 30 changes you've made to a SharePoint site's properties within the last 30 days in the SharePoint admin center. This feature only shows changes made by you and not other administrators. +++### Change history - Site changes ++The **[Change history - Site changes](change-history-report.md)** feature lets you create change history reports in the SharePoint admin center to review SharePoint site property changes made within the last 180 days. Create up to five reports for a given date range and filter by sites and users. You can download the report as a .csv file to view the site property changes. + ## Licensing You can purchase the *SharePoint Advanced Management Plan 1* add-on in the Micro SharePoint Advanced Management is available for Commercial, WW Commercial Public Sector, Education, Charity, and US GCC, GCC-High, and DoD customers. -SharePoint Advanced Management is $3 per user per month for commercial customers. +SharePoint Advanced Management is $3 per user per month for commercial customers. For more details on licensing, please contact your account manager. Licensing details for each feature listed above are included in those articles. Licensing details for each feature listed above are included in those articles. [Microsoft Syntex documentation](/microsoft-365/syntex) [Microsoft 365 Government - how to buy](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/microsoft-365-government-how-to-buy)++[Get started with Microsoft Copilot for Microsoft 365](/copilot/microsoft-365/microsoft-365-copilot-setup) |
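Review bot: In the rewritten introduction of advanced-management.md, the added sentence "SharePoint Advanced Management helps you identify, manage, and resolve common content governance issues such as:" ends in a colon but is followed directly by the "## Manage content sprawl" heading, with no list. Either add the list it promises or reword it as a plain sentence that leads into the sections that follow.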
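Review bot: In the added "### AI Insights" section, the link "[SharePoint Advanced Management](advanced-management.md)" points at the article being edited, so it sends the reader back to the same page; drop the link or point it at an article specific to the feature. The same sentence loses its subject partway through ("uses a language model to identify patterns and potential issues from reporting and receive actionable recommendations"): it is the administrator who receives the recommendations, not the feature. Naming the reports that carry the **Get AI insights** button would also be more useful than "various reports".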
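Review bot: In the added "## Manage oversharing" text, "SharePoint Advanced Management ensures this data is securely handled and accessed only by authorized users and/or security groups" promises more than the sections under it describe: restricted access control, block download and conditional access are all presented as policies an administrator enables or applies to sites. Suggest wording such as "helps you restrict access to authorized users and security groups", so a reader does not assume the protection is in place as soon as the add-on is licensed.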
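Review bot: The added "### Restricted access control for SharePoint" paragraph drops a statement the removed text made, that users outside the specified groups "won't have access to site content even if they previously had site access permissions or a file sharing link". That is the behaviour an administrator most needs to know before turning the policy on, and the OneDrive paragraph keeps its equivalent ("even if it was previously shared with them"), so restore it here as well. The opening phrase "prevent sites and content from being discovered" also describes discoverability, while the next sentence describes an access restriction; say which of the two the policy enforces.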
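Review bot: In the added "### Recent SharePoint admin actions" section, the caveat from the removed text, "changes made to site properties at the organization-level will not show in the panel", is gone. Keep it: an administrator using this panel to check what changed needs to know what it does not show. The feature is also called a "policy" here although the paragraph describes a review panel, the line starts with a stray leading space, and the sentence just above the heading ("ultimately improving efficiency and security") is missing its closing period.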
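Review bot: In the Licensing region, "Licensing details for each feature listed above are included in those articles." appears twice in a row after the changed pricing line. If the added line repeats the unchanged sentence that follows it, remove one copy. The added "For more details on licensing, please contact your account manager." would also read better as its own sentence after the price than appended to the same line.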
SharePoint | Restricted Access Control | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/restricted-access-control.md | Previously updated : 07/18/2024 Last updated : 08/19/2024 Title: "Restrict SharePoint site access with Microsoft 365 groups and Entra security groups" To manage site access restriction for group-connected sites using PowerShell, us |View site access restriction for group-connected site |`Get-SPOSite -Identity <siteurl> -Select RestrictedAccessControl`| |Disable site access restriction for group-connected site |`Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $false`| +> [!NOTE] +> Once the policy is enabled for a site, the site owner can view the details of how the site access restriction policy affects the site. ++For group-connected sites, the policy status and the configured control group details are displayed on the **Site Information** and **Permissions** panels. +++ ## Restrict site access to non-group connected sites You can restrict access to non-group connected sites by specifying [Entra security groups](/azure/active-directory/fundamentals/how-to-manage-groups) or Microsoft 365 groups that contain the people who should be allowed access to the site. You can configure up to 10 Entra security groups or Microsoft 365 groups. Once the policy is applied, users in the specified group who have site access permissions are granted access to the site and its content. You can use [dynamic security groups](/azure/active-directory/enterprise-users/groups-create-rule) if you want to base group membership on user properties. To manage site access to a non-group connected site: 1. Select the **Restrict SharePoint site access to only users in specified groups** check box. 1. Add or remove your security groups or Microsoft 365 groups and select **Save**. -In order for site access restriction to be applied to the site, you must add at least one group to the site access restriction policy. 
+ In order for site access restriction to be applied to the site, you must add at least one group to the site access restriction policy. + :::image type="content" source="media/rac-spac/non-group-connected-sites/restricted-access-control-non-group-connected-site-page.png" alt-text="screenshot showing site access restriction security groups being added to non-group connected sites." lightbox="media/rac-spac/non-group-connected-sites/restricted-access-control-non-group-connected-site-page.png"::: To manage site access restriction for non-group connected sites using PowerShell, use the following commands: To manage site access restriction for non-group connected sites using PowerShell |Remove group |`Set-SPOSite -Identity <siteurl> -RemoveRestrictedAccessControlGroups <comma separated group GUIDS>` | |Reset site access restriction |`Set-SPOSite -Identity <siteurl> -ClearRestrictedAccessControl` | +After enabling the policy for communication sites, the policy status and all configured control groups are displayed for site owners on the **Site access** panel in addition to the **Site Information** and **Permissions** panels. ++ ## Shared and private channel sites Shared and private channel sites [are separate from the Microsoft 365 group-connected site that standard channels use](teams-connected-sites.md). Because shared and private channel sites aren't connected to the Microsoft 365 group, site access restriction policies applied to the team don't affect them. You must enable site access restriction for each shared or private channel site separately as non-group connected sites. Get-SPOTenant | select RestrictedAccessControlForSitesErrorHelpLink The configured learn more link is launched when the user selects the **Know more about your organizationΓÇÖs policies here** link. 
-![Screenshot that shows learn more link for restricted access control.](media/rac-spac/2-rac-learn-more-link.png) +![Screenshot that shows learn more link for restricted access control](media/rac-spac/2-rac-learn-more-link.png) ## Restricted site access policy insights |
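Review bot: In the restricted-access-control.md hunk that adds the "[!NOTE]" after the group-connected PowerShell table, the second paragraph ("For group-connected sites, the policy status and the configured control group details are displayed ...") has no ">" prefix and so falls outside the note it continues. Either prefix it so both sentences sit inside the note or move the first sentence out of the note as well. The hunk also ends with several empty added lines before "## Restrict site access to non-group connected sites"; one blank line is enough.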
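Review bot: The sentence added before "## Shared and private channel sites" speaks only of "communication sites", while the section it closes covers all non-group connected sites and the next section says shared and private channel sites must be handled as non-group connected sites. State whether the **Site access** panel also appears for those sites, or say explicitly that it is limited to communication sites, so site owners know where to look for the policy status and control groups.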
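Review bot: The last change removes the closing period from the alt text "Screenshot that shows learn more link for restricted access control", which leaves it inconsistent with the other alt text visible in this file ("... being added to non-group connected sites."); pick one style and apply it to both. The unchanged line just above also shows a mis-encoded apostrophe in "organizationΓÇÖs"; if that is in the source file and not a rendering artefact, fix it in the same commit.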