If you're evaluating SharePoint Advanced Management (SAM) as a governance solution for Microsoft 365, there's one thing you should know upfront: SAM only governs SharePoint Online. That's a meaningful boundary when sensitive data, AI agents, and unmanaged sprawl exist across Teams, OneDrive, Power Platform, and Copilot, too.
SAM gives SharePoint admins real capabilities they didn't have before. But if your goal is Copilot readiness or enterprise-wide governance, it's a starting point, not a complete answer.
This article walks through what SAM actually does, how its nine features work, how it's licensed, and where its coverage stops.
Key takeaways:
- SharePoint Advanced Management (SAM) is part of SharePoint Premium and governs SharePoint Online specifically.
- It includes nine features covering security, access control, lifecycle management, and data governance reporting.
- SAM is licensed per user under SharePoint Advanced Management Plan 1, or included in some Microsoft 365 E5 plans.
- SAM does not cover Teams, Power Platform, Copilot Studio agents, or other M365 services.
- For organizations deploying Copilot or managing complex M365 environments, SAM needs to be paired with broader governance tools.
What is SharePoint Advanced Management (SAM)?
SharePoint Premium is Microsoft's advanced content management layer for SharePoint Online. It bundles AI-powered features, OCR capabilities, light process automation, and governance tools into one offering. Most SharePoint Premium features are licensed on a consumption basis through an Azure Pay-As-You-Go subscription. SAM is the exception.
Microsoft SharePoint Advanced Management is a specific component within SharePoint Premium. Its focus is narrower: helping organizations implement security and governance controls inside SharePoint Online without requiring access to other Microsoft admin tools.
Who SAM is designed for
SAM was built for SharePoint admins who need governance controls but may not have access to Microsoft Entra ID, Microsoft Purview, or Microsoft Defender. In many large organizations, those platforms are managed by separate teams. Getting cross-team cooperation can be slow and frustrating.
For day-to-day SharePoint Online policy management, SAM gives admins a practical path forward on their own. It covers the most common policy management scenarios in SharePoint: restricting site access, enforcing conditional access policies, managing the site lifecycle, and reporting on oversharing.
But if you're a CIO, Head of Digital Transformation, or Compliance Officer evaluating SAM as a strategic SharePoint policy management software solution, understand what it was designed for. It's built for operational SharePoint admin work. It doesn't give IT leadership a unified view of compliance posture or cross-platform control across Microsoft 365.
Where SAM fits in the Microsoft governance ecosystem
Microsoft's governance toolkit spans multiple platforms. Purview handles data classification and compliance. Entra ID manages identity and access. Defender covers threat protection. Among the native SharePoint admin tools Microsoft offers, SAM fills a specific gap in SharePoint Online administration.
Think of it as a scoped layer that works alongside these tools. It can connect to Entra conditional access policies and reference Purview sensitivity labels, but its native scope stays within SharePoint Online.
That boundary matters when you're trying to govern a full Microsoft 365 tenant at scale.
Microsoft SharePoint Advanced Management licensing
Unlike most SharePoint Premium features, SAM uses a per-user licensing model. Every user in your organization needs a Microsoft SharePoint Premium - SharePoint Advanced Management license (SAM Plan 1) to use SAM features fully.
That said, several SAM features are also available through Microsoft 365 E5, A5, and G5, as well as related compliance or security licenses. If your organization already holds E5 coverage, check which features are already included before purchasing SAM separately.
Once you assign SAM licenses, a dedicated section appears in the SharePoint Online Admin Center. It lists all nine features, their configuration paths, and links to Microsoft documentation for each.

SharePoint Advanced Management features and their governance gaps
Here's a breakdown of SAM's nine features, what each one does, and where it leaves gaps for organizations with broader governance needs.
1. Block download policy for SharePoint and OneDrive
Requires: SAM Plan 1
The Block Download Policy feature lets SharePoint admins block users from downloading, printing, or syncing files from specific SharePoint sites or OneDrive accounts. Users can still open and edit files through Office Online apps, so productivity isn't fully blocked.
Configuration is done through PowerShell. The policy can target individual sites or apply organization-wide. It also supports sensitivity-label filtering, so you can block downloads of files labeled "Confidential" while allowing others to download freely.
More information: How to set this policy for a SharePoint site
Governance gap: This policy only applies to SharePoint and OneDrive sites. Files in Teams channels or Power Platform environments aren't covered. If sensitive data is generated or accessed elsewhere in your M365 tenant, this control doesn't apply to it.
2. Change history report
Requires: SAM Plan 1
The Change History feature generates .csv reports of configuration changes made by Global Administrators, SharePoint Administrators, and Site Administrators over the last 180 days. Admins access reports in the SharePoint Admin Center and can filter by date range, site, or user.
Its purpose is to help organizations monitor changes to SharePoint configuration across various levels and catch any deviations from the desired state. A recommended practice is to review these reports regularly. Reports can take a few hours to generate, depending on the criteria chosen.
More information: Create change history reports
3. Conditional access policies for SharePoint and OneDrive
Requires: SAM Plan 1, or Microsoft E5/A5/G5 and related variants
This feature connects SharePoint sites to Microsoft Entra Conditional Access policies through Authentication Contexts. When users access a targeted site, they must satisfy the conditions defined in the Entra policy, such as using a managed device, agreeing to the terms of use, or authenticating with a FIDO2 key.
To configure this feature, admins need to first set up an Authentication Context and a Conditional Access policy in Microsoft Entra ID. The Authentication Context is then applied to the relevant SharePoint sites through one of two methods:
- Apply the Authentication Context directly to the site using PowerShell
- Configure a site-level sensitivity label and apply it to the site
Limitations: The policy can't be applied to the root SharePoint site. Several Microsoft apps don't support authentication contexts, including parts of Teams, Viva Engage, Outlook across platforms, and OneDrive sync.
More information: Conditional Access policy for SharePoint sites and OneDrive
Governance gap: Conditional access via SAM applies only to SharePoint and OneDrive. Copilot Studio agents, Power Automate flows, and other M365 services that access SharePoint data aren't covered by this policy layer. You can restrict where users access content, but not how AI agents consume it.
4. Data access governance reports
Requires: SAM Plan 1 or Microsoft E5
Data access governance reports help admins identify potential oversharing in SharePoint Online. There are three report types:
- Sharing Links Report: Lists sites shared externally via "Anyone" links, "People in the organization" links, or "Specific people" links
- Sensitivity Labels Applied to Files Report: Finds sites containing Office files (Word, Excel, PowerPoint, and PDF) with specific sensitivity labels
- Shared with "Everyone except external users" Report: Identifies sites shared with this broad built-in group, with filters for site template, privacy settings, and permission level
Report outputs are not particularly granular. Each data access report provides a list of sites where oversharing may be occurring, the number of files with selected sensitivity labels, and the primary administrator for each site. That's enough for a SharePoint admin to identify which sites need attention and follow up with the relevant owner to recommend or carry out remediations.
Limitations: Reports are capped at 100 sites when viewed in the admin center. CSV exports allow up to 10,000 sites. Reports can take several hours to generate and can only be run once every 24 hours. OneDrive data is largely excluded.
More information: Data access governance reports for SharePoint sites
Governance gap: These reports give you a SharePoint-only view of oversharing. They don't surface risks in Teams chats, Copilot conversations, or Power Platform connectors. For organizations preparing for Copilot deployment, this partial picture can create a false sense of readiness. Copilot doesn't stop at SharePoint.
5. Default sensitivity labels for document libraries
Requires: Microsoft 365 E5/A5/G5 or compliance/security variants
Note: This feature's licensing has changed. It now requires an E5-tier license rather than SAM Plan 1, even though it still appears in the SharePoint Advanced Management section of the admin center.
This feature automatically applies a sensitivity label to new files uploaded or created in a SharePoint document library. If a file already carries a label with equal or higher priority, the default label doesn't override it.
It provides location-based labeling without requiring content inspection. Files uploaded to a library named "Confidential Contracts," for example, can automatically receive a "Confidential" label from Microsoft Purview Information Protection.
Limitation: The label only applies to new files. Existing documents in the library are not retroactively labeled.
More information: Configure a default sensitivity label for a SharePoint document library
6. OneDrive access restriction policy
Requires: SAM Plan 1
The OneDrive access restriction feature restricts access to a user's OneDrive content to members of a specific Entra security group. Even if a user shares a file with someone outside the group, that person will be blocked from accessing it.
The policy is enforced at access time. Users outside the group can still see files in search results if they hold direct permissions, but they'll be blocked when they try to open them. Configuration is available through the SharePoint Admin Center or PowerShell.
More information: Restrict access to a user's OneDrive content to people in a group
7. Recent SharePoint admin actions
Requires: SAM Plan 1 (for extended history)
With a SAM license, admins can view up to 30 site property changes made within the last 30 days in the SharePoint Admin Center, even across browser sessions. Without SAM, the panel shows only changes from the current session and is cleared when the browser is closed.
Limitations: The panel only shows changes made by the currently logged-in admin, not by other admins. Changes made to site properties at the organization level also don't appear in the panel. It's a lightweight audit tool for individual review. It's not a substitute for centralized audit logging across Microsoft 365.
More information: Review your recent changes to SharePoint site properties
8. Site lifecycle management
Requires: SAM Plan 1
Also called the Inactive Sites Policy, this feature automatically identifies inactive SharePoint sites and notifies their owners. Admins configure inactivity criteria in the SharePoint Admin Center, such as no updates or user activity over a set period.
When a site meets the criteria, the site owner receives an email notification. They must click "Certify site" to keep it. If certified, the site won't be checked again for one year.
If no action is taken, notifications continue monthly for three months, pause for three months, then resume monthly. Admins can download policy execution reports to see which sites have been actioned.
SAM's Site Lifecycle Management also includes AI Insights in the admin center. It can analyze inactive site data and suggest potential remediation actions, helping admins prioritize cleanup.

More information: Manage site lifecycle policies
9. Site-level access restriction
Requires: SAM Plan 1
This SAM feature restricts access to a SharePoint site to members of a specific Microsoft 365 group or Entra security group. Users outside the group can't access the site or its content, even if they previously had permissions or received a shared link.
Restrictions must be enabled at the organization level first, then applied site-by-site. Admins configure this policy either in the SharePoint Admin Center or via PowerShell. The policy works with Microsoft 365 group-connected sites, Teams-connected sites, and non-group-connected sites.
Policies are enforced at access time. Users can still see files in search results, but they'll be blocked from opening them if they're not in the designated group.
More information: Restrict SharePoint site access with Microsoft 365 groups and Entra security groups
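The PowerShell path mentioned for conditional access (feature 3) and site-level access restriction (feature 9) can be scripted as a single repeatable pass. The sketch below is an added example, not code from this article or from Microsoft: the tenant URL, site URLs, group ID, and Authentication Context name are placeholders, and the Authentication Context and its Conditional Access policy are assumed to exist already in Microsoft Entra ID.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
# Added example: all URLs, IDs and names below are placeholders.
$ErrorActionPreference = 'Stop'

$AdminUrl = 'https://contoso-admin.sharepoint.com'
$Sites = @(
    @{ Url         = 'https://contoso.sharepoint.com/sites/finance'
       GroupId     = '00000000-0000-0000-0000-000000000000'   # Entra / M365 group allowed in
       AuthContext = 'Require managed device' }               # name defined in Entra ID
    @{ Url         = 'https://contoso.sharepoint.com/'        # root site: no auth context
       GroupId     = '00000000-0000-0000-0000-000000000000'
       AuthContext = 'Require managed device' }
)

Connect-SPOService -Url $AdminUrl

# Feature 9: restrictions must be enabled at the organization level first.
Set-SPOTenant -EnableRestrictedAccessControl $true

$results = foreach ($s in $Sites) {
    # Feature 9: restrict the site to members of the designated group.
    Set-SPOSite -Identity $s.Url -RestrictedAccessControl $true
    Set-SPOSite -Identity $s.Url -AddRestrictedAccessControlGroups $s.GroupId

    # Feature 3: attach the Authentication Context, except on the root site,
    # where the article notes the policy can't be applied.
    $isRoot = ([uri]$s.Url).AbsolutePath.Trim('/') -eq ''
    if ($s.AuthContext -and $isRoot) {
        Write-Warning "Skipping authentication context on root site $($s.Url)"
    }
    elseif ($s.AuthContext) {
        Set-SPOSite -Identity $s.Url `
            -ConditionalAccessPolicy AuthenticationContext `
            -AuthenticationContextName $s.AuthContext
    }

    # Read the settings back instead of trusting that the calls succeeded.
    $state = Get-SPOSite -Identity $s.Url |
        Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups,
                      ConditionalAccessPolicy, AuthenticationContextName
    if (-not $state.RestrictedAccessControl) {
        Write-Warning "Restricted access control is NOT enforced on $($s.Url)"
    }
    $state
}

# One row per site: keep this output as evidence of the applied state.
$results | Format-Table -AutoSize
```

Because enforcement happens at access time and blocked users can still see the files in search results, the read-back table is the place to confirm the group and context actually landed on each site.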
How does SAM support Copilot governance?
Microsoft has positioned SharePoint Advanced Management as a recommended step in preparing for Microsoft 365 Copilot deployment. The logic is sound: if Copilot can query sites with overly broad permissions, it will surface content users shouldn't see.
SAM's Data Access Governance Reports and Site-Level Access Restriction features directly address this. They help admins identify oversharing and lock down site access before Copilot is enabled.
But that's where the support ends. SAM has no coverage for several risks that directly affect Copilot governance and readiness:
- No visibility into Copilot Studio agents
- Can't detect shadow agents created without oversight
- Can't flag agents referencing confidential SharePoint sites without approval
- Can't alert when an agent is shared with the entire organization
- No detection of outdated files, duplicated content, or stale SharePoint sites that shape what Copilot surfaces to users
- Site Lifecycle Management flags inactive sites, but doesn't help prioritize cleanup or assess knowledge quality for Copilot readiness
For organizations scaling Copilot across business units, SharePoint-only governance leaves significant exposure open.
SharePoint Advanced Management vs Rencore Governance: What's the difference?
SAM covers one service in an environment that spans many. Before comparing features, it helps to understand SAM's three fundamental limitations:
- Scope: SAM only works on SharePoint and OneDrive. It has no insight into Teams, Power Platform, Copilot, or Copilot Studio agents.
- Discovery only: SAM is a pure discovery and management tool. It shows you the status quo but doesn't assess whether it's good or bad, and offers no best practices or policy guidance.
- No automation: SAM shows you what's there. Whether to act on it and how is left entirely to the admin. There's no policy enforcement, no automated remediation, and no reporting history.
If your governance challenge is Microsoft 365 as a whole, you need a tool that goes beyond discovery: Rencore Governance.
| Capability | SharePoint Advanced Management (SAM) | Rencore Governance |
| --- | --- | --- |
| SharePoint Online governance | Yes | Yes |
| OneDrive governance | Partial | Yes |
| Teams governance | No | Yes |
| Power Platform governance | No | Yes |
| Copilot agent governance | No | Yes |
| Cross-service lifecycle management | No | Yes |
| M365 license cost visibility | No | Yes |
| Data access governance reports | SharePoint only | Across M365 |
| Centralized governance dashboard | No | Yes |
| Pre-built policy templates | No | Yes |
| Delegated governance for business units | No | Yes |
| Audit-ready reporting | Limited | Full |
SAM helps you prepare the SharePoint layer for Copilot deployment. Rencore Governance helps you manage everything Copilot depends on, and everything it creates.
From one central dashboard, Rencore covers Microsoft 365 end-to-end. It assesses your governance posture against best practices, automates remediation workflows, and provides a complete reporting history so you don't have to start from scratch every time. You can enforce policies, review site access, manage agent sprawl, track Copilot license costs, and generate audit reports across all services, not just SharePoint.
You can try Rencore Governance free for 30 days to see how it compares to managing governance through individual Microsoft admin centers.
SAM is a foundation, not a complete governance strategy
SharePoint Advanced Management gives SharePoint admins nine practical controls for SharePoint Online. It covers site access restrictions, block-download policies, conditional access integration, data-sharing reports, lifecycle management, and more. For SharePoint-specific governance, it's a useful and cost-effective layer, especially if you already have relevant Microsoft 365 licensing.
But its scope is fixed. SAM doesn't govern Teams, Power Platform, or Copilot Studio. It doesn't provide IT leadership with a unified view of the compliance posture across M365. And it doesn't address the agent sprawl and cost risks that come with scaled Copilot adoption.
If you're responsible for Microsoft 365 governance at an enterprise level, SAM is worth understanding and enabling. It's not worth treating as your complete answer.
Next steps:
- Review which SAM features your current Microsoft 365 licensing already includes.
- Determine whether your Copilot deployment plan addresses SharePoint oversharing risks.
- Assess whether your governance coverage extends to Teams, Power Platform, and Copilot Studio.
- Explore Rencore Governance for cross-M365 visibility in one central place.
Frequently asked questions (FAQ)
SAM is a governance solution specifically for SharePoint Online. It covers SharePoint security, access control, and site lifecycle management well, but it doesn't cover Teams, Power Platform, or Copilot Studio. For enterprise-wide Microsoft 365 governance, SAM should be integrated with additional tools or a dedicated governance platform.
Yes, using SharePoint for policy management is possible through SAM's features, such as site access restrictions, conditional access policies, and data access governance reports. However, SharePoint Online policy management only covers one service. For policy management across the rest of Microsoft 365, a third-party governance platform gives you broader coverage.
Rencore Governance provides visibility across all of Microsoft 365, including Copilot and Copilot Studio agents. It detects shadow agents, flags unauthorized agent configurations, monitors agent costs, and tracks whether sensitive content is accessible to Copilot. This cross-service coverage helps organizations deploy Copilot safely and maintain control as AI usage scales.
No. SAM addresses SharePoint-specific governance scenarios and is a valuable part of the Microsoft toolset. It doesn't replace comprehensive governance platforms that cover all of M365. Third-party tools like Rencore Governance provide centralized dashboards, cross-service policy enforcement, and audit-ready reporting that individual Microsoft admin centers can't match.