-### Inactive SharePoint sites policy

-### AI Insights

-The AI insights feature for [SharePoint Advanced Management](advanced-management.md) uses a language model to identify patterns and potential issues from reporting and receive actionable recommendations to solve issues.

-You can find the **Get AI insights** button next to various reports in the SharePoint admin center. Once selected, the AI insights feature extracts patterns from the report and offers a list of potential actions.

-## Manage oversharing

-### Data access governance insights

-**[Data access governance insights](data-access-governance-reports.md)** lets you view reports that identify sites that contain potentially overshared or sensitive content. You can use these reports to assess and apply appropriate security and compliance policies.

-### Conditional access policy for SharePoint and OneDrive sites

-**[Conditional access policy for SharePoint and OneDrive sites](authentication-context-example.md)** lets you enforce stringent access conditions when users access SharePoint sites. Authentication contexts can be directly applied to sites or used with sensitivity labels to connect Microsoft Entra Conditional Access policies to labeled sites.

-## Control Copilot access to content

-Before enabling Copilot for your organization and tenant, you can proactively set policies to restrict access to sites and manage content discoverability during Copilot and tenant-wide search.

-### Restricted access control for SharePoint

-You can prevent sites and content from being discovered at the site-level by enabling **[Restricted access control for SharePoint sites](restricted-access-control.md)**. Site access restriction allows only users in the specified security group or Microsoft 365 group to access content. This policy can be used with Microsoft 365 group-connected, Teams-connected, and non-group connected sites.

-### Restricted access control for OneDrive

-You can limit access to shared content of a user's OneDrive to only people in a security group with the **[Restricted access control for OneDrive](onedrive-site-access-restriction.md)** policy.

-Once the policy is enabled, anyone who is not in the designated security group won't be able to access content in that OneDrive even if it was previously shared with them. To block users from accessing OneDrive as a service, you can enable the [Restrict OneDrive service access](limit-access.md) feature.

-## Manage content lifecycle

-You can manage the content lifecycle for SharePoint and OneDrive sites with SharePoint advanced management features that streamline content creation, organization, and retention through automated workflows, detailed reporting, and robust compliance settings.

-Effective lifecycle management not only ensures streamlined governance and enhanced collaboration but also optimizes storage, maintains data integrity, and supports regulatory compliance, ultimately improving efficiency and security

-### Recent SharePoint admin actions

- The **[Recent SharePoint admin actions](recent-actions-panel.md)** policy lets you review and monitor the last 30 changes you've made to a SharePoint site's properties within the last 30 days in the SharePoint admin center. This feature only shows changes made by you and not other administrators.

-### Change history - Site changes

-The **[Change history - Site changes](change-history-report.md)** feature lets you create change history reports in the SharePoint admin center to review SharePoint site property changes made within the last 180 days. Create up to five reports for a given date range and filter by sites and users. You can download the report as a .csv file to view the site property changes.

-> - The standard version of this feature is currently available to organizations that have no more than 10,000 total SharePoint sites and OneDrive accounts combined.

-> The reports don't include OneDrive data

-## Setting up oversharing baseline with Permissions based report

-description: "Learn how to manage access to agents in SharePoint with built-in SharePoint permissions models, SharePoint Advanced Management features such as restricted access control, and restricted content discovery."

-Agents in SharePoint, powered by AI, help employees quickly find information and insights on SharePoint sites, pages, and document libraries. Agents in SharePoint access your organization's data the same way [Copilot in other Microsoft 365 apps](/sharepoint/sharepoint-copilot-best-practices#copilot-and-sharepoint) does, responding to users based on their access permissions to the data. As a SharePoint admin, you can manage employees' access to an agent in multiple ways by managing:

-> From December 1, 2024, to June 30, 2025, enterprise tenants with 50 or more Microsoft 365 Copilot licenses will receive 10,000 free Agents in SharePoint queries for unlicensed users every month as a trial. SharePoint administrators or above can [check the trial promotion status](/powershell/module/sharepoint-online/get-spocopilotpromooptinstatus) and [set trial promotion](/powershell/module/sharepoint-online/set-spocopilotpromooptinstatus) using PowerShell cmdlets. Please see terms of trial usage [here](/legal/microsoft-365/in-app-trials-terms-of-service).

-Agents in SharePoint use SharePoint sites, pages and document libraries as knowledge sources to respond to the user. You can control a userΓÇÖs access to the information when they use an agent by controlling their access to the site. SharePoint provides many tools to control access to a site:

-## With SharePoint Advanced Management

-Learn more about additional features to prevent oversharing, control access, and enhance your content governance with SharePoint Advanced Management [here](/sharepoint/get-ready-copilot-sharepoint-advanced-management).

-## Turn off agents in SharePoint with restricted content discovery

-You as a SharePoint Admin can turn off all agent-related features on individual sites with the [restricted content discovery](/sharepoint/restricted-access-control). Once a site is flagged with restricted content discovery, users can't see the Copilot icon on the upper right of the site. Therefore, they donΓÇÖt have access to use the ready-made agent, create new agents, or add content from that site to any other agents. The restricted content discovery policy leaves site access unchanged but prevents the site's content from being surfaced in Microsoft 365 Copilot or organization-wide Search for all users.

-This triggers emails to site owner as described [here](site-access-review.md#initiate-a-site-access-review).

-Site access review in the [SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185219) lets [IT administrators](/microsoft-365/admin/add-users/assign-admin-roles) delegate the review process of [data access governance reports](data-access-governance-reports.md) to the site owners of overshared sites.

-Site access review involves site owners in the review process so they can address the concern of overshared sites identified in data access governance reports. This feature is crucial because:

-To use the site access review feature, you must fulfill the following prerequisites:

-## Support matrix

-Currently, site access review is available for

-## Initiate a site access review

-1. Sign in to SharePoint admin center with your admin credentials.

-1. Select a report and choose the sites you want to review.

-1. Add comments in the provided section to give context to site owners.

-For reports available only via PowerShell such as Oversharing baseline report using permissions, site access review can also be initiated using [PowerShell commands](powershell-for-data-access-governance.md#initiate-site-access-review-using-powershell).

-### Track initiated site access reviews

-To see a list of all initiated site access reviews, select the **My review requests** tab from the data access governance landing page.

-When you initiate a site access review, it remains in a pending state until the site owner completes the review. Once the site owner completes the review, the status and comments are updated with the name of the reviewer and time and date of completion. A review can be marked as failed if site access review couldn't determine a valid email ID for the site owner to deliver the site access review.

-For reports available only via PowerShell such as Oversharing baseline report using permissions, site access review can also be tracked using this [PowerShell command](powershell-for-data-access-governance.md#track-site-access-reviews-using-powershell).

-### Site access review process (for site owners)

-When you initiate a review, site owners receive an email for each site that requires attention. The email includes:

-The following image shows the email notification regarding 'Everyone except external users' last 28 days report:

-The following image shows a report of shared links generated in the last 28 days:

-The following image shows the oversharing baseline report using permissions:

-#### Review 'Everyone except external users' site access review requests (for site owners)

- - View which groups contain 'Everyone except external users'.

- 1. Selecting the SharePoint group opens the group membership page that displays all members of this SharePoint group.

- 2. Select **Everyone except external users** and **Actions** and choose to **remove users from group**.

- - See items shared with 'Everyone except external users' in the last 28 days.

- - View sharing details (who shared and when).

- 1. Under the 'Everyone except external users' group in the **Groups** tab, select the group and select **remove access**. See [Stop sharing OneDrive or SharePoint files or folders, or change permissions](https://support.microsoft.com/office/stop-sharing-onedrive-or-sharepoint-files-or-folders-or-change-permissions-0a36470f-d7fe-40a0-bd74-0ac6c1e13323) for more information.

- :::image type="content" source="./media/data-access-governance/site-owner-view-foreeeu-files.png" alt-text="Screenshot that shows view for site owner regarding items shared with eeeu" lightbox="./media/data-access-governance/site-owner-view-foreeeu-files.png":::

-#### Review 'Sharing link reports' site access review requests (for site owners)

-Once the site owner selects the email, they're redirected to the site access review detailed report generated for the site.

-The site owner gets a view of files for whom links were generated along with the exact time of generation and who generated the links. The 'Manage access' button can be used to navigate to the link section and remove it/modify the permissions.

-The following image shows an email notification about the sharing links report using permissions:

-#### Review 'Oversharing baseline using permission reports' site access review requests (for site owners)

-Once the site owner selects the email, they're redirected to the site access review detailed report generated for the site.

-The following image shows an email notification about oversharing baseline report using permissions:

-The SharePoint admin views the unique number of permissioned users for this site in the Data access governance report and that number is also visible to site owner in the site access review email. This list shows how those users are distributed across the site content in terms of permissions and scopes.

-All items created in the site, by default, inherit permissions of the site and thus the 'site' acts like a parent. However, if the inherited permissions are broken due to sharing of an item by creating links, providing direct access to individuals or groups, removing users/groups etc., a unique scope is created for that item. Now this item acts as a new 'parent' and its children inherit its permissions. The site access review page is a list of such uniquely permissioned 'parents' with the appropriate scope and name. It's not the list of all items/files/folders in the site. The item with the highest number of permissioned users is shown first. Up to 100 items are shown in descending order so that site owner can focus on items with highest 'exposure' first.

-##### Understanding the site access review report for permission based reports

-**Number of permissioned users:** This column represents the number of users permissioned to that scope (Site/List/Folder/File) and hence illustrates the current 'exposure' for that item, as compared to other items. However, this number is NOT a unique number of users. In case the same user has both direct and indirect permissions to this item, the user is double counted.

-For example, a folder 'F' was shared to a group ΓÇ£AΓÇ¥ consisting of 40 members and is directly shared with 10 individuals and 20 more individuals arrived using sharing links. The number of permissioned users is the sum of all users - 80 (40+10+20). No deduplication is done to see if the same user exists in groups or came via sharing links as well.

-Also, the sum of permissioned users across all scopes might not equal the number of users in the email and/or Data access governance report and could be greater. This scenario can happen when a user has permissions across multiple items. At the site-level, such a user is counted once. However, at an item-level, that user is counted individually.

-**Number of groups:** As the name suggests, this shows the number of groups having permissions to this scope/item. Usually, the exposure is caused by groups containing many users. Reducing exposure removes the permissions of groups and can edit their memberships. Select **Group number** to view the membership count of each group and identify which groups to target.

-The other columns show the number of ALL existing links (Anyone, PeopleInOrg) and the presence of EEEU/Everyone. If the number of links are high, or the EEEU/Everyone column says yes, the site owner can immediately target the relevant item/scope for reducing permissions.

-**Manage Access:** The 'Manage access' button allows the site owner to remove individual users, groups, delete links, or modify permissions accordingly. For a 'SharePoint site' scope, the button directs the site owner to SharePoint group management page, whereas for individual items, it uses the existing 'Manage access' experience.

-With this report, a site owner gets an overview of 'exposure' of parent items in their sites, can gauge the contribution of exposure and act via 'manage access' without having to manually iterate through every permission of every item in the site.

-#### Complete site access review requests (for site owners)

-Once the site owner takes the necessary actions like modifying or removing permissions, the site owner should:

-3. Submit the completed review.

- Comments are shared back to the IT administrator who raised the review request. The review request is then marked as completed.

-#### Manage multiple site access review requests (for site owners)

-A site owner can receive review requests for multiple sites, or receive multiple reviews for different scenarios for the same site. A site owner can track all requests by selecting the **Site reviews** page found in the left panel.

-For site owners handling multiple reviews:

-1. Access the 'site reviews' page via:

- 1. Select **Site settings**.

- 1. Select **Site reviews**.

- :::image type="content" source="./media/data-access-governance/site-review-from-gear-icon.png" alt-text="Screenshot that shows path to site review page from site home page under gear icon" lightbox="./media/data-access-governance/site-review-from-gear-icon.png":::

-1. View all pending site access reviews.

-1. Complete reviews as necessary.

-[Data access governance](data-access-governance-reports.md)