Governance in SharePoint isn’t always the most exciting thing to talk about. But it quickly becomes urgent when files get overshared, inactive sites clutter your storage, or Copilot starts surfacing sensitive content that was never meant to be public.
That’s exactly where SharePoint Advanced Management (SAM) steps in. It’s purpose-built to help IT admins and content owners rein in clutter, plug security gaps, and enforce smart, consistent governance across SharePoint and OneDrive before things spiral.
Whether you’re getting ready for a Copilot rollout or just buried under messy, unmanaged content, SAM has your back. It helps handle the trickiest parts of SharePoint governance, smartly, automatically, and without the usual headache.
What Is SharePoint Advanced Management?
SharePoint Advanced Management is a premium add-on for Microsoft 365 that gives IT admins a stack of advanced features to:
- Tame content sprawl
- Manage permissions and access with ease
- Define robust access controls
- Get deep, actionable usage insights
- Automate site lifecycle
- Secure sensitive data
- And do it all with AI-driven insights
SAM is tightly connected with securing and prepping your SharePoint content for Copilot’s smart features.
It’s a paid add-on. It’s $3/user/month (excluding guests)), but if you already have Microsoft 365 Copilot, good news—many of SAM’s key features are included in that license.
1. Managing SharePoint Permissions and Access
Copilot is smart but it can surface anything that’s technically discoverable, even if it wasn’t meant to be. That’s why solid content governance is a must.
Since Copilot pulls insights from your data, you need to make sure that data is locked down properly. If not, sensitive info could show up in someone’s Copilot experience who really shouldn’t be seeing it.
Before you even think about enabling Copilot across your organization, SAM lets you proactively set policies to restrict access to sites and manage content discoverability, both for Copilot and tenant-wide search. Trust me, setting this up early can save you a ton of headaches later!
👉Apply Block Download Policies
Want to allow users to view files in the browser, but not download, print, or sync them? Use the Block Download policy in SharePoint Advanced Management.
Set-SPOSite –Identity<SiteUrl> -BlockDownloadPolicy $true
This one’s gold without needing Microsoft Entra Conditional Access, you can block download/print/sync on browser access! Users can still view content—but that’s it.
👉 Set Up Restricted Access Control for SharePoint & OneDrive
Not every site should be searchable or accessible to everyone! With the ‘Restricted access control’ feature, you can lock site level, or limit access to shared content in OneDrive, to only users within a specified security group or Microsoft 365 group.
Even if someone had a link or access earlier, if they’re not in the allowed group, they’re blocked. Perfect for confidential projects, ensuring that content remains strictly within its intended audience!
👉 Know Your Third-Party App Access
Ever wonder which third-party apps are accessing your SharePoint content? SAM provides App Insights reports on how various non-Microsoft applications (registered in Entra) are touching your data. You get a clear view to review, approve, or revoke access as needed.
👉 Conditional Access Policy for SharePoint and OneDrive Sites
For even more stringent control, SAM allows you to enforce Conditional access policy for SharePoint and OneDrive sites.
With SAM, you can apply authentication contexts directly to sites or link them with sensitivity labels to connect Microsoft Entra Conditional Access policies to labeled sites.
This provides incredibly granular control over who can access what, and under what conditions. So instead of enforcing access across the entire tenant, you can say:
“Only users in Group X can access Site Y, and only under Condition Z.”
👉 Data Access Governance Management
Wondering which sites might be overshared or holding sensitive content? SAM’s Data Access Governance (DAG) reports help you spot and fix those risks early. You can See which sites have “Everyone” or “Anyone with the link” permissions.
Big organizations thrive on automation—and SAM gets it! That’s why it supports Data Access Governance through PowerShell too. You can script and scale your report generation with ease.
To check all SharePoint sites and who has access? Use:
Start-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers -ReportType Snapshot -Workload SharePoint -CountOfUsersMoreThan 0 -Name "ReportForTestingLatestFixes"
Concerned about oversharing via “Everyone Except External Users”? If EEEU is added to site membership, the whole site goes public. Use this to find such cases from the past 28 days:
Start-SPODataAccessGovernanceInsight -ReportEntity EveryoneExceptExternalUsersAtSite -Workload SharePoint -ReportType RecentActivity -Name "PublicSiteViaEEEU"
More Scripts here: https://learn.microsoft.com/en-us/sharepoint/powershell-for-data-access-governance
👉 Site Access Reviews: Cleanups Made Easy
Use Site Access Reviews to put cleanup in the hands of those who know the sites best—the site owners. This feature lets you delegate the review of overshared sites directly to them, so they can take action on the risks flagged in the DAG reports. It’s all about shared responsibility and smarter, more efficient governance.
Manage Content Sprawl in SharePoint
Content sprawl happens when SharePoint and OneDrive sites grow out of control—old project sites, duplicate files, forgotten shared links, and content that hasn’t been touched in ages. It clutters your tenant, hikes up storage costs, and creates security and compliance headaches. Here’s what it often looks like:
- Inactive sites from old projects
- Duplicate documents in multiple places
- Shared links no one remembers creating
- And a whole lot of content nobody’s touched in months
With SAM (SharePoint Advanced Management), you can finally take control using policies that clean up and organize your environment.
👉 Inactive Site Policies
Tired of old project sites lingering around? The Inactive Sites Policy uses automated rules to detect inactivity (like absence of edits or user activity). Once flagged, site owners get notified to confirm if the site’s still needed. If not? Archive or delete.
That’s a lifesaver for tenants with hundreds (or thousands) of sites.
👉 Site Lifecycle Management
Ever seen a site where the owner left the org years ago? Not great for governance. With Site Ownership Policy, SAM keeps ownership details current. It sends reminders and enforces updates, so someone’s always responsible for the site.
Note: This feature is specifically enabled for Copilot-licensed orgs from May 31st, 2025 onward.
👉 ️Let AI Spot the Patterns for You
This one’s a hidden gem! Instead of reading through pages of reports, use AI Insights in SAM to get smart summaries and instant recommendations.
Click “Get AI insights” in the SharePoint admin center—and boom, it highlights risks before you even notice them. For example, it could say:
“Site A has external sharing turned on + 400 documents with sensitivity labels + no site owner for 60 days.”
Instant red flag, it is! It doesn’t just highlight the problem; it gives you recommendations like “Consider removing anonymous links,” or “Notify owner to review access.”
Managing the Entire Content Lifecycle
Content isn’t just “create and forget.” It needs to be organized, updated, retained, or removed based on your company’s policies. And lifecycle management isn’t just about avoiding sprawl, it’s about smart governance!
SharePoint Advanced Management (SAM) simplifies it—from creation to retention—with automated workflows, in-depth reporting, and compliance-ready controls.
It’s the backbone of better governance, smoother collaboration, optimized storage, data integrity, and compliance alignment.
👉 Site Change History Reports
Have you ever wondered who changed what, and when, on a critical SharePoint site?
The Site change history report feature is your answer!
- You can generate these detailed reports right from the SharePoint admin center, covering SharePoint site property changes made in the last 180 days.
- You can create up to five reports for a given date range.
- Filter by date, site, or user, and download as a .csv file for deep-dive analysis.
Honestly, this level of transparency is invaluable for auditing, troubleshooting, and ensuring compliance!
👉 Recent Site Actions: Your Personal Activity Log
While the Site Change History Report is great for a broader view, sometimes you just need to quickly see what you did recently.
Here, the Recent SharePoint admin actions comes in handy. It shows you the last 30 changes you’ve made to a SharePoint site’s properties within the last 30 days, directly in the SharePoint admin center itself!
(Small catch: this only covers the actions you initiated, not actions by peers!)
💰Licensing and Availability
So, if you think, how do I get all these amazing features?
SharePoint Advanced Management (SAM) is licensed per user, meaning only those who need the features require a license (guest users excluded). They must also have SharePoint K, P1, or P2—standalone or as part of a Microsoft 365 plan.
Available across commercial, government, education, charity, and public sector clouds.
But here’s the twist: many core SAM features are already included in Microsoft 365 Copilot licenses! That’s a big win for organizations aiming to roll out Copilot securely and at scale.
So, if you’ve licensed Copilot (or select SKUs like Sales Copilot, Copilot for Finance, etc.), you likely already have access to:
- Advanced tenant rename
- AI insights
- DAG insights
- Site lifecycle policies
- Site access reviews
- Block download
- Change history
- PowerShell RCD
- Restricted access control
- Recent admin logs
So, if you’ve invested in Copilot, you’re not just getting AI, you’re also getting built-in governance tools from SAM to help protect and manage the very content Copilot relies on. It’s a sweet deal bundled with Copilot, considering how important these controls are in securing the content Copilot uses.
Best Practices for SharePoint Governance
To wrap things up, here’s some real-world advice from me to make the most of SharePoint Advanced Management:
- Establish site ownership and lifecycle policies early. It’s easier to stay organized than to clean up years of sprawl.
- Use AI Insights to spot trouble early, catching trends before they turn into fires.
- Leverage DAG and site access reviews to prevent oversharing, especially in high-impact departments like finance, HR, and legal.
- Delegate reviews to site owners. They know the content best, so delegate wisely.
- Automate, automate, automate. Don’t waste time on repetitive admin. Use PowerShell, set up scheduled reports, and use templates for common site patterns.
- Review policies annually. Your environment evolves—your governance should too!
If you’re managing even a mid-sized M365 tenant, SAM is more than worth it. I I’ve seen orgs save hours monthly just by using inactive site policies and DAG reports alone. If you’re serious about smart, secure SharePoint management—don’t sleep on SAM.
If you’re rolling out SharePoint Advanced Management or planning your Copilot governance strategy, I’d be happy to help, just drop a comment or ping me!
Governance doesn’t have to be scary and with tools like SAM, it’s way more manageable than it used to be!
