SharePoint Advanced Management (SAM) in SharePoint Premium


SharePoint Premium provides advanced content management services for SharePoint Online, helping organizations implement content management use cases across large bodies of content efficiently and effectively with AI, OCR, light process automation, and other capabilities.  SharePoint Premium is made up of numerous different features, each with its own licensing model, and most of them are licensed on a consumption basis (i.e. through an Azure Pay-As-You-Go subscription). 

Microsoft introduced ‘SharePoint Advanced Management’ as part of the SharePoint Premium family specifically to help SharePoint admins better govern and secure their content in SharePoint Online.  SharePoint Advanced Management is made up of nine features, each addressing a different SharePoint security or governance need.  In this blog, we will discuss each feature, including how it is configured and licensed and which use cases it can help solve. 

Introducing SharePoint Advanced Management 

SharePoint Advanced Management, or SAM, is designed to assist organizations with security and governance use cases within SharePoint Online specifically.   

In large organizations we also often see scenarios where a SharePoint Admin needs to implement security or governance controls across their SharePoint content but doesn’t necessarily have access to Entra ID, Purview, or Defender, and may not be able to get the admins of those solutions to help.  This is where SAM lets those SharePoint admins move forward with the security and governance controls they need for SharePoint Online use cases specifically. 

Licensing 

Although most SharePoint Premium features are licensed mainly on a consumption basis, SAM is licensed on a per-user basis.  Every user in the organization needs a SharePoint Advanced Management Plan 1 license to use SAM features.  That said, some of the SAM features are available through other licenses, such as a Microsoft 365 E5 license.  So, if you’re interested in only one or two of the SAM features, check which license is needed because you may already have one. 

Once you assign a SAM license to users, you’ll see the following page appear in the SharePoint Online Admin Center.  This page provides helpful information about which features make up SAM, where to go to configure them and where you can get more information. 

Picture 1

SharePoint Advanced Management Features 

SharePoint Advanced Management is made up of the following nine features. 

Block Download Policy for SharePoint and OneDrive

This feature requires a Microsoft SharePoint Premium - SharePoint Advanced Management license. 

The Block Download Policy feature allows a SharePoint Admin to block the download of files from SharePoint sites or OneDrive accounts without having to configure Entra Conditional Access policies.  It can be configured for individual sites or for the entire organization.  Blocking download helps to mitigate risks of data loss by preventing the downloading, printing or syncing of files from targeted sites.  It allows users to continue to be productive by allowing them to work on files using the Office online applications.   

To configure this policy, you must use PowerShell.  When enabled, users will see a message at the top of targeted sites which reads “Your organization doesn’t allow you to download, print or sync files from this site”.  This policy can also be targeted specifically at Teams meeting recordings if needed, through additional parameters. 

One key use case is when you have specific sites designated to store very sensitive data, and you need to mitigate the risk of those sensitive files being downloaded to devices where they should not remain stored.  The block download policy can easily help SharePoint admins fulfil this requirement.  In addition, they can use one of this policy’s parameters to mark an entire site as read-only.  Finally, this policy can allow admins to block download for files that are labeled with a specific sensitivity label – for example, if you have files labeled as ‘Internal’ or ‘Confidential’ you can block download for those files and still allow other files that are labeled differently to be downloaded. 

For more information on additional parameters, refer to How to set this policy for a SharePoint site. 
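The site-level configuration described above, as an added example written for this post (not Microsoft's documentation or the original article's own code), using the SharePoint Online Management Shell. The admin URL, site URL and group ID are placeholders, and the property names read back by Get-SPOSite are assumed to mirror the Set-SPOSite parameter names.

```powershell
# Added example: apply and verify the SAM Block Download Policy on one site.
# Placeholders: replace the admin URL, site URL and group ID with your own values.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$site = "https://contoso.sharepoint.com/sites/BoardPapers"   # placeholder site URL

# 1. Block download, print and sync for every file in the site.
#    Users keep working on the content in the Office online apps.
Set-SPOSite -Identity $site -BlockDownloadPolicy $true

# 2. Optional: mark the whole site read-only while the block download policy is in effect.
Set-SPOSite -Identity $site -BlockDownloadPolicy $true -ReadOnlyForBlockDownloadPolicy $true

# 3. Optional: exempt the site owners, or the members of one Entra security group, from the block.
Set-SPOSite -Identity $site -ExcludeBlockDownloadPolicySiteOwners $true
Set-SPOSite -Identity $site -ExcludedBlockDownloadGroupIds "00000000-0000-0000-0000-000000000000"  # placeholder group ID

# 4. Alternative scope: block download only for Teams meeting recordings stored in the site.
Set-SPOSite -Identity $site -BlockDownloadFileTypePolicy $true -BlockDownloadFileTypeIds TeamsMeetingRecording

# 5. Verify the policy state. Run this part on a schedule as well, so drift from the
#    intended configuration is noticed rather than only the initial setup.
#    (Property names assumed to match the parameter names above.)
Get-SPOSite -Identity $site |
    Select-Object Url, BlockDownloadPolicy, ReadOnlyForBlockDownloadPolicy,
                  ExcludeBlockDownloadPolicySiteOwners, BlockDownloadFileTypePolicy

# Rollback, if the policy needs to be lifted:
# Set-SPOSite -Identity $site -BlockDownloadPolicy $false
```

Steps 2 to 4 are independent options; apply only the ones your use case needs, since each is a separate call against the same site.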

Change History Report 

This feature requires a Microsoft SharePoint Premium - SharePoint Advanced Management license. 

The Change History feature allows admins to create detailed .csv reports of site actions or organization setting changes that are made by Global Administrators, SharePoint Administrators and Site Administrators.  It includes changes made within the last 180 days.  This feature is accessed in the SharePoint Admin Center. 

Its purpose is to allow organizations to monitor changes made to SharePoint configuration across various levels in the organization.  A recommended practice is to review these reports on a regular basis to ensure that there are no changes made to SharePoint settings which deviate from your organization’s desired state.  When generating a report, admins can select to filter the data based on date range, sites and users.  The report can take a few hours to generate depending on the criteria chosen. 

For more information, refer to Create Change History Reports. 

Conditional Access Policies for SharePoint and OneDrive 

This feature requires one of the following licenses:

  • Microsoft SharePoint Premium - SharePoint Advanced Management
  • Microsoft E5/A5/G5, Microsoft 365 E5/A5 Compliance
  • Microsoft 365 E5 Information Protection and Governance
  • Office 365 E5/A5/G5

This feature can be used in conjunction with Microsoft Entra Authentication Context to enforce stricter access control policies when users access SharePoint sites.  An authentication context can connect one or more SharePoint sites to a Microsoft Entra Conditional Access policy so that when users access those sites specifically, they must satisfy the conditions of the policy. 

A key use case for this feature is if you have highly sensitive sites and you need users to satisfy additional authentication or security requirements before they may access these sites.  These conditions can include any conditions that may be configured through Microsoft Entra Conditional Access policies, such as agreeing to a Terms of Use policy, using only corporate-managed devices, or even additional authentication through a FIDO2 key. 

To configure this feature, admins must configure an Authentication Context and a Conditional Access policy in Microsoft Entra ID, and then apply the Authentication Context to the SharePoint site(s) through one of two methods: 

  1. Apply the authentication context directly to the site using PowerShell
  2. Configure a site-level sensitivity label and apply it to the site 
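Method 1 from the list above, as an added example for this post (not the original article's own code). It assumes the authentication context named below already exists in Entra ID and is referenced by a Conditional Access policy; the admin URL, site URL and context name are placeholders.

```powershell
# Added example: bind an existing Entra authentication context to a SharePoint site
# and audit which sites are bound. Placeholders: admin URL, site URL, context name.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$site    = "https://contoso.sharepoint.com/sites/MergerDataRoom"   # placeholder site URL
$context = "Sensitive sites"   # display name of the Entra authentication context (placeholder)

# Apply the authentication context. From now on, opening this site triggers the
# Conditional Access policy tied to the context (managed device, FIDO2, Terms of Use, etc.).
Set-SPOSite -Identity $site -ConditionalAccessPolicy AuthenticationContext -AuthenticationContextName $context

# Verify the binding on the site.
Get-SPOSite -Identity $site | Select-Object Url, ConditionalAccessPolicy, AuthenticationContextName

# Audit: list every site bound to any authentication context, to compare against the
# set of sites your classification says must be protected. Get-SPOSite -Identity is
# called per site because the bulk listing does not populate every property.
Get-SPOSite -Limit All |
    ForEach-Object { Get-SPOSite -Identity $_.Url } |
    Where-Object { $_.ConditionalAccessPolicy -eq 'AuthenticationContext' } |
    Select-Object Url, AuthenticationContextName

# Remove the binding and fall back to the organization-wide access setting:
# Set-SPOSite -Identity $site -ConditionalAccessPolicy AllowFullAccess
```

Test the apps listed in the limitations below against the bound site before rolling the context out widely, since the audit above only tells you which sites are bound, not whether every client can still reach them.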

There are some important limitations with this feature to be aware of, such as: 

  • It cannot be applied to the root SharePoint Online site (ex. https://contoso.sharepoint.com)
  • Some apps do not work with authentication contexts, so it is highly recommended that organizations test the apps they use to ensure they can access sites where an authentication context and conditional access policy are applied.  Examples include:
    • Viva Engage
    • Teams web app
    • Adding a OneNote app to a Teams channel (where the site has an auth context)
    • Teams channel meeting recordings uploads
    • SharePoint folder remaining in Teams
    • OneDrive sync on sites
    • Visualize SharePoint List in Power BI
    • Outlook on Windows, Mac, Android and iOS when communicating with sites
    • Multiple-file download feature
    • Third-party apps

For more information, refer to Conditional Access Policy for SharePoint sites and OneDrive.

Data Access Governance Reports 

This feature requires one of the following licenses: Microsoft SharePoint Premium - SharePoint Advanced Management or Microsoft E5.  

Data Governance Reports in SharePoint Advanced Management allow admins to better govern their data by finding and investigating instances of potential oversharing of SharePoint sites.  They also enable admins to find SharePoint sites that contain sensitive data.  Ultimately, these reports allow admins to better assess sites from a sharing and sensitivity perspective and apply appropriate security and data protection controls where required.  Although the report outputs are not particularly granular, they do provide a list of sites where oversharing may be occurring and the number of files with selected sensitivity labels, along with each site’s primary administrator, so a SharePoint admin can follow up with them and recommend or perform any needed remediations. 

There are several types of reports available:

  • Sharing Links Report
    Provides a list of sites which are shared externally using the “Anyone” links, the “People in the organization” links, or the “Specific people” links.

  • Sensitivity Labels Applied to Files Report
    Finds sites where files with specific sensitivity labels are stored.  It will only find Office files, such as Word, Excel, PowerPoint and PDF, and it will only look for sensitivity labels with the ‘File’ scope configured. 

  • Shared with ‘Everyone except external users’ Report
    Provides a list of sites that are shared with the built-in ‘Everyone except external users’ group.  When running this report, admins can choose to filter the results based on the site template (classic sites, communication sites, etc.), site privacy setting, sensitivity label, or whether ‘Everyone except external users’ is part of the permission membership at the site or the item level.  This last setting is particularly useful for identifying sites where only one or more items are shared with ‘Everyone except external users’, which can otherwise be very difficult to find. 

Some important limitations include: 

  • When viewing in the SharePoint Admin Center, the Sharing Links report includes up to 100 sites with the highest number of sharing links created in the last 30 days.  The ‘Everyone except external users’ report includes up to 100 sites that were shared with this group in the last 28 days.   
  • A Sharing Links report can be downloaded as a CSV file that contains up to 10,000 sites with the highest number of sharing links created in the last 30 days.  An ‘Everyone except external users’ report can be downloaded as a CSV with up to 1 million sites with the highest number of items/groups shared with this group. 
  • Reports can take several hours to run, and each can only be run once every 24 hours. 
  • Reports generally do not include OneDrive data except for the Sensitivity Label report. 
  • Only a list of sites is included in the report output, with each site’s primary administrator and site-level security policies that are applied to those sites such as site sensitivity, site unmanaged device policy, and site external sharing policy. 

For more information, refer to Data access governance reports for SharePoint sites. 

Default Sensitivity labels for Document libraries 

This feature was previously considered part of SharePoint Advanced Management and was available with a Microsoft SharePoint Premium - SharePoint Advanced Management license.  However, Microsoft has since made it available only with one of the Microsoft 365 E5/A5/G5 licenses or its security or compliance variants.  Refer to this article for more information on its licensing: Microsoft Purview Information Protection Sensitivity Labeling.  It is still listed as a feature of SharePoint Advanced Management in the SharePoint Admin Center. 

Default sensitivity labels configured for a SharePoint document library will apply a label to all new files that are uploaded or created within the library if the document is not already labeled or it has a lower priority label.  This feature provides a baseline level of protection for files stored within a SharePoint document library.  It can also be used as a form of automatic labeling without needing to configure content inspection (i.e. without having to configure policies which look for sensitive information types, or SITs).

We sometimes refer to this feature as location-based labeling, as you can configure automatic labels that are applied based on the location in which a document is stored.  For example, if a contract document is stored within a library named “Confidential Contracts” you can have a “Confidential” sensitivity label automatically applied to it. 

There are numerous impacts and limitations for this feature that are important to understand before they are applied, including: 

  • Default labels only apply to new documents uploaded or created within a library after the default label is configured; they are not applied to existing documents within the library. 
  • Default labels only apply to documents that are not already labeled or that have a lower priority label. 
  • When files are uploaded to a library with a default label, it can take a few minutes for the label to be applied.  When a new document is created within a library with a default label, the label is applied after the app is closed. 

For more information, refer to Configure a default sensitivity label for a SharePoint document library. 

OneDrive Access Restriction Policy 

This feature requires a Microsoft SharePoint Premium - SharePoint Advanced Management license. 

This feature allows admins to restrict access to a user's OneDrive content to only users who are members of a security group.  The policy is applied by specifying the Microsoft Entra security group(s) whose members should be able to access the files in that OneDrive. 

When this policy is configured, the people in the security group are not granted permissions to any files in OneDrive directly. The OneDrive owner must still share files with intended users as they normally would. This policy prevents anyone who is not in the security group from accessing the OneDrive content even if it was previously shared with them or shared with them in the future.  

Access restriction policies are enforced at the time when a user attempts to access a file. A user will still see files in search results if they have direct permissions to them.  However, they will be prevented from accessing the files if they're not part of the specified security group. 

This feature can be configured within the SharePoint Admin Center or through PowerShell.   

For more information, refer to Restrict access to a user's OneDrive content to people in a group. 

Recent SharePoint Admin Actions 

If an admin has the Microsoft SharePoint Premium - SharePoint Advanced Management license, they can see the actions beyond the current browser session.  If the admin does not have this license, they can only view actions made in the current session. Once they close the browser or sign out, the recent actions panel will clear its history. 

This feature lets SharePoint admins review and monitor the last 30 changes they’ve made to a SharePoint site's properties within the last 30 days in the SharePoint admin center. This feature only shows changes made by the admin who is logged in, not by other admins.  As well, changes made to site properties at the organization level will not appear in the panel. 

For more information, refer to Review your recent changes to SharePoint site properties. 

Site Lifecycle Management 

This feature requires a Microsoft SharePoint Premium - SharePoint Advanced Management license. 

This feature allows admins to run automated, rule-based policies to manage and reduce inactive sites.  It is sometimes referred to as the Inactive Sites Policy.  It helps to reduce content sprawl by automatically identifying inactive SharePoint sites.  

Policies are configured in the SharePoint Admin Center.  An admin defines inactivity criteria (ex. lack of updates or user activity over a set period), and once identified, site owners will receive automated email notifications to confirm the active/inactive state of the site.  When a site owner receives an email notification, to keep the site, the owner must select the Certify site button in the email. Once the owner certifies the site as active, the site lifecycle management policy does not check the activity of the site for one year. 

Site owners are notified monthly for three months and then no notifications are sent for the next three months. After six months, monthly notifications resume if the site is inactive. Admins can download a policy execution report and view a list of sites that are actioned or unactioned by a site owner.  

In the SharePoint Admin Center, within the Inactive Site Policy, admins can also get AI Insights on where they can best clean up sites or protect their organization’s sensitive content.  It can extract patterns from the report and provide a list of potential remediation actions.

Picture 2

For more information, refer to Manage site lifecycle policies. 

Site-Level Access Restriction 

This feature requires a Microsoft SharePoint Premium - SharePoint Advanced Management license. 

This feature allows admins to restrict access to SharePoint sites to only users who are members of a specific group by configuring a site access restriction policy. Restricting site access via group membership can help minimize the risk of oversharing content, especially when organizations are considering leveraging a solution like Copilot for Microsoft 365. 

Site access restrictions must first be configured at the organization-level before they can be configured for individual sites.  Admins configure this policy through either the SharePoint Admin Center or through PowerShell.   

Users who are not in the specified group cannot access the site or its content, even if they were previously granted permissions or a shared link. The policy can be used with Microsoft 365 group-connected, Teams-connected, and non-group connected sites.  Site access restriction policies are applied at access time when a user attempts to open a site or access a file. Users with direct permissions to files in a restricted access site can still view the files in search results. However, they will not be able to access the files if they're not part of the specified group.   

For more information, refer to Restrict SharePoint site access with Microsoft 365 groups and Entra security groups.
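The two-step configuration described above (organization-level switch first, then the site), as an added example for this post rather than the article's or Microsoft's own code. It assumes the Set-SPOTenant and Set-SPOSite parameter names shown, which are labelled in the comments; the admin URL, site URL and group ID are placeholders. The same site-level cmdlet applied to a user's OneDrive URL is how the OneDrive Access Restriction Policy from the earlier section is scripted, so one example serves both.

```powershell
# Added example: site-level access restriction for a non-group-connected site.
# Assumed parameter names: EnableRestrictedAccessControl, RestrictedAccessControl,
# AddRestrictedAccessControlGroups. Placeholders: admin URL, site URL, group object ID.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Step 1: the organization-level setting must be on before any individual site can be restricted.
Set-SPOTenant -EnableRestrictedAccessControl $true

$site  = "https://contoso.sharepoint.com/sites/PayrollOps"      # placeholder site URL
$group = "00000000-0000-0000-0000-000000000000"                  # placeholder Entra security group object ID

# Step 2: enable the restriction on the site and name the group whose members may access it.
# Existing permissions and sharing links remain, but are only honoured for members of this group.
Set-SPOSite -Identity $site -RestrictedAccessControl $true
Set-SPOSite -Identity $site -AddRestrictedAccessControlGroups $group

# For a Microsoft 365 group-connected or Teams-connected site, the connected group itself
# defines who may access the site, so only the first Set-SPOSite call above is needed.

# Verify (property names assumed to mirror the parameters).
Get-SPOSite -Identity $site | Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups

# Periodic check: sites that are restricted but have no group attached would lock out
# everyone except the connected Microsoft 365 group, so list them for review.
Get-SPOSite -Limit All |
    ForEach-Object { Get-SPOSite -Identity $_.Url } |
    Where-Object { $_.RestrictedAccessControl -and -not $_.RestrictedAccessControlGroups } |
    Select-Object Url, Template

# Remove a group from the restriction, or lift the restriction entirely:
# Set-SPOSite -Identity $site -RemoveRestrictedAccessControlGroups $group
# Set-SPOSite -Identity $site -RestrictedAccessControl $false
```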

Over to you

Through the nine features discussed, SharePoint Advanced Management, or SAM, assists organizations with security and governance use cases within SharePoint Online specifically.  It can provide fairly easy ways for admins to implement important security and governance controls to help manage content sprawl, prevent oversharing, and manage content lifecycle.

A note from Rencore

Getting started with SharePoint Advanced Management is a great foundation for your organization's information and data governance approach - especially when combined with an AI strategy. However, SharePoint is merely one of many services that hold information and data. If you are looking for a more holistic approach to Microsoft 365 governance, third-party tools like Rencore Governance have an edge over the multitude of Microsoft services and admin centers. While the latter is mostly limited to one service, comprehensive Microsoft 365 governance tools cover many use cases across all of Microsoft 365.

You can try out Rencore Governance for free for 30 days to see the value in having one central place to solve all your Microsoft 365 governance.
