SharePoint Advanced Management - Oversharing (2 of 4)

Jurgen Wiersema |

This sequence of posts is about my first impressions of the SharePoint Advanced Management add-on features for M365/SharePoint Online.
There are four posts in total:

Features against oversharing

A common problem for many companies using M365 and SharePoint is that a lot of content is overshared. This can lead to security incidents, especially when there are M365 services that push that content into people's awareness. Previously, Delve suffered from this issue, because of surfacing content on the Delve site. Now, Copilot suffers from the same problem, some sensitive content that was invisible before now shows up in the answer to a query.

A big part of the issue is the usage of the Everyone Except External Users (EEEU) group, which is the easiest way to share content with a lot of colleagues but because of that also leads to oversharing.

SharePoint Advanced Management contains two new ways to combat oversharing to the usage of the EEEU group:

  • Data governance reporting and site reviews
  • SharePoint site access restriction

Data governance reporting and site reviews

There are currently 4 types of reports available in the SharePoint admin center.
Site access reviews are available for the following reports:

  • Sharing link reports (Anyone, PeopleInYourOrg, Specific People shared externally)
  • Content shared with 'Everyone except external users'" reports
  • Oversharing baseline report using permissions (only via PowerShell)

There is one other report which concerns sensitivy labels, but it doesnt support a site review.

This feature lets you run a report on content that is shared with the EEEU group for example. Then, once the report has been created, you can initiate a site review for sites in the report. A site review means the site owner gets a mail, and he can then go to a special, new site review page in the site and then remediate the oversharing issues. If he doesn't complete the review, he will be reminded a number of times to do it.

Site sharing admin report Site sharing admin report

Site review email Site review email

Site review page Site review page

My review comments

  • Provides useful reporting with excel download, and the reports can be started from PowerShell.
  • Site review process for site owners is completely new and can help IT admins and Security department delegate oversharing remediation.
  • The feature is reactive. It will allow people to remediate oversharing after the fact has happened, it will not prevent it. It also depends on the site owners willingness to remediate the issues.
  • Only related to sharing in last 30 days. This is a big limitation in large, and older tenants that are already suffering from oversharing for a long time
  • Reports can only run once every 24h
  • A site review creates a new list in the site called DO_NOT_DELETE_SITE_REVIEW. This is ugly, don't understand why this list is not hidden.
  • Site review action can be initiated only for top 100 from the admin center.
  • These are reports that can initiate a review process (with reminders), but they are not policies that do continuing, recurring remediations over a longer period of time.
  • Powershell support for initiating site review based on a report via Start-SPOSiteReview.
  • To test: Check if site review can be initiated via PS for all sites in a report, not just top 100.
  • I ran into a few bugs on our test environment where the site review page didnt work correctly.
  • Microsoft learn page - data governance reports

SharePoint site access restriction

This feature will block people from outside the site’s main security group to access the site. It can also prevent sharing of the site and files with any other group or user.
The access restriction for a site can only be enabled by an IT admin from the admin center or via PowerShell.
The sharing control settings for the restricted access sites has to first be enabled via PowerShell for the whole tenant (so all sites with restricted access enabled).
Once enabled: Sharing is allowed with Microsoft Entra Security or M365 groups which are part of the restricted access control groups list. Thus, sharing with all other groups including Everyone except external users (EEEU) or individual users won’t be allowed.

User access denied User outside of the M365 group trying to access a RAC enabled site

Sharing denied group Trying to share site or file with 'Everyone Except Externals group' denied

My review comments

  • A "Read more" message and link can be configured for the page users see when they are blocked on the site.
  • As Admin you can use PowerShell to generate a report on access denials for users, and on which sites RAC is enabled.
  • PowerShell is supported. This means the RAC setting can be automatically applied to new Highly confidential sites within your site provisioning process. This feature could be used to prevent sharing with ‘Everyone’ for new Highly confidential sites.
  • But it will have considerable user impact: Users will not be able to share files on a Highly confidential site with others, not even one single file. They will need to find another location to share those files, outside of their main site for the team, department or project.
  • When you enable RAC on an existing site with files shared with other users, they will immediately lose access.
  • The feature is proactive, when enabled on a site it immediately prevents any oversharing on newly created sites and also stops oversharing on existing sites.
  • MS Learn page - Site access control

Continue to Site lifecycle features - page 3 of 4

Show Comments