SharePoint Premium provides advanced content management services for SharePoint Online, helping organizations implement content management use cases across large bodies of content efficiently and effectively with AI, OCR, light process automation, and other capabilities. SharePoint Premium is made up of numerous features, each with its own licensing model, and most of them are licensed on a consumption basis (i.e. billed through an Azure pay-as-you-go subscription).
Microsoft introduced ‘SharePoint Advanced Management’ as part of the SharePoint Premium family specifically to help SharePoint admins better govern and secure their content in SharePoint Online. SharePoint Advanced Management is made up of nine features, each addressing a different SharePoint security or governance need. In this blog, we will discuss each feature, including how it is configured and licensed, and the use cases it can help solve.
SharePoint Advanced Management, or SAM, is designed to assist organizations with security and governance use cases within SharePoint Online specifically.
We also often see, in large organizations, scenarios where a SharePoint admin needs to implement security or governance controls across their SharePoint content but does not have access to Entra ID, Purview, or Defender, and cannot always get the admins of those solutions to help. SAM lets those SharePoint admins move forward with the security and governance controls they need, for SharePoint Online use cases specifically.
Although most SharePoint Premium features are licensed on a consumption basis, SAM is licensed per user: every user in the organization needs a SharePoint Advanced Management Plan 1 license to use SAM features. That said, some SAM features are also available through other licenses, such as Microsoft 365 E5. So, if you are interested in only one or two of the SAM features, check which license each one requires, because you may already have it.
Once you assign a SAM license to users, a SharePoint Advanced Management page appears in the SharePoint Online Admin Center. This page lists the features that make up SAM, where to configure each of them, and where to find more information.
SharePoint Advanced Management is made up of the following nine features.
This feature requires a Microsoft SharePoint Premium - SharePoint Advanced Management license.
The Block Download Policy feature allows a SharePoint admin to block the download of files from SharePoint sites or OneDrive accounts without having to configure Entra Conditional Access policies. It can be configured for individual sites or for the entire organization. Blocking download helps mitigate the risk of data loss by preventing the downloading, printing or syncing of files from the targeted sites, while users remain productive because they can still work on the files in the Office web apps.
To configure this policy, you must use PowerShell. When it is enabled, users see a message at the top of targeted sites that reads “Your organization doesn’t allow you to download, print or sync files from this site.” The policy can also be targeted specifically at Teams meeting recordings through additional parameters.
One key use case is a site designated to store very sensitive data, where you need to mitigate the risk of those files being downloaded to devices on which they should not remain stored. The block download policy lets SharePoint admins fulfil this requirement easily. In addition, one of the policy’s parameters can mark an entire site as read-only. Finally, the policy can block download of files that carry a specific sensitivity label: for example, if you have files labeled ‘Internal’ or ‘Confidential’, you can block download of those files while still allowing files with other labels to be downloaded.
For more information on additional parameters, refer to How to set this policy for a SharePoint site.
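The following is an added example, not code from the original post, showing how the site-level block download policy is applied and verified with the SharePoint Online Management Shell. The tenant name (contoso), the site URL and the exempted security group object ID are placeholders; the cmdlet and parameter names are those documented for Set-SPOSite and Get-SPOSite, and it is assumed that your installed module version exposes them. The Teams meeting recording and sensitivity-label variants use additional tenant-level parameters that are not shown here; see the linked article.

```powershell
# Added example (not from the original post): apply the block download policy
# to one sensitive site, exempt one security group, then verify the result.
# Assumptions: tenant "contoso", the site URL and the group GUID are placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$siteUrl       = "https://contoso.sharepoint.com/sites/BoardPapers"
# Entra security group whose members may still download, print and sync (placeholder GUID)
$exemptGroupId = "00000000-0000-0000-0000-000000000000"

# Block download, print and sync for everyone who is not in the exempt group.
# Site owners are also subject to the policy unless you add
# -ExcludeBlockDownloadPolicySiteOwners $true.
Set-SPOSite -Identity $siteUrl `
    -BlockDownloadPolicy $true `
    -ExcludedBlockDownloadGroupIds $exemptGroupId

# Optional: also make the entire site read-only while the policy is in force.
Set-SPOSite -Identity $siteUrl -ReadOnlyForBlockDownloadPolicy $true

# Check: both properties should now report True for this site.
Get-SPOSite -Identity $siteUrl |
    Select-Object Url, BlockDownloadPolicy, ReadOnlyForBlockDownloadPolicy

# To roll back later:
# Set-SPOSite -Identity $siteUrl -BlockDownloadPolicy $false -ReadOnlyForBlockDownloadPolicy $false
```

The policy changes what users can do with files they can already open; it does not change who has permission to the site, so it is a complement to, not a replacement for, reviewing the site's sharing and permissions.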
This feature requires a Microsoft SharePoint Premium - SharePoint Advanced Management license.
The Change History feature allows admins to create detailed .csv reports of site actions or organization-level setting changes made by Global Administrators, SharePoint Administrators and Site Administrators. It covers changes made within the last 180 days and is accessed from the SharePoint Admin Center.
Its purpose is to allow organizations to monitor changes made to SharePoint configuration at various levels in the organization. A recommended practice is to review these reports regularly to confirm that no changes have been made to SharePoint settings that deviate from your organization’s desired state. When generating a report, admins can filter the data by date range, sites and users. Depending on the criteria chosen, the report can take a few hours to generate.
For more information, refer to Create Change History Reports.
This feature requires one of the following licenses: Microsoft SharePoint Premium - SharePoint Advanced Management, Microsoft 365 E5/A5/G5, Microsoft 365 E5/A5 Compliance, Microsoft 365 E5 Information Protection and Governance, or Office 365 E5/A5/G5.
The Conditional Access Policy feature for SharePoint sites and OneDrive can be used in conjunction with Microsoft Entra authentication contexts to enforce stricter access control when users access specific SharePoint sites. An authentication context connects one or more SharePoint sites to a Microsoft Entra Conditional Access policy so that, when users access those sites specifically, they must satisfy the conditions of the policy.
A key use case for this feature is when you have highly sensitive sites and need users to satisfy additional authentication or security requirements before they may access them. These can be any conditions that Microsoft Entra Conditional Access policies support, such as agreeing to a Terms of Use policy, using only corporate-managed devices, or performing additional authentication with a FIDO2 key.
To configure this feature, admins must create an authentication context and a Conditional Access policy in Microsoft Entra ID, and then apply the authentication context to the SharePoint site(s) through one of two methods:
There are some important limitations with this feature to be aware of, such as:
For more information, refer to Conditional Access Policy for SharePoint sites and OneDrive.
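The following is an added example, not code from the original post, showing the PowerShell method of binding a site to an authentication context (the other documented method is to attach the authentication context to a sensitivity label and apply that label to the site). It assumes an authentication context with the display name "Highly sensitive sites" has already been created in Entra ID and is referenced by a Conditional Access policy, for example one requiring a compliant device; the tenant name and site URL are placeholders.

```powershell
# Added example (not from the original post): bind a SharePoint site to an
# Entra authentication context so the linked Conditional Access policy is
# evaluated whenever a user opens the site.
# Assumptions: tenant "contoso", the site URL, and the context name are placeholders;
# the authentication context and its Conditional Access policy already exist in Entra ID.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$siteUrl     = "https://contoso.sharepoint.com/sites/MergersAndAcquisitions"
$contextName = "Highly sensitive sites"   # must match the display name in Entra ID exactly

# Switch the site from the default (AllowFullAccess) to the authentication context.
Set-SPOSite -Identity $siteUrl `
    -ConditionalAccessPolicy AuthenticationContext `
    -AuthenticationContextName $contextName

# Check: ConditionalAccessPolicy should read AuthenticationContext and the name should match.
Get-SPOSite -Identity $siteUrl |
    Select-Object Url, ConditionalAccessPolicy, AuthenticationContextName

# To remove the binding later, return the site to the default setting:
# Set-SPOSite -Identity $siteUrl -ConditionalAccessPolicy AllowFullAccess
```

Test the binding with a user who does not meet the policy before announcing it: they should be blocked or prompted on that site only, while other sites behave as before.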
This feature requires one of the following licenses: Microsoft SharePoint Premium - SharePoint Advanced Management or Microsoft 365 E5.
Data Governance Reports in SharePoint Advanced Management allow admins to better govern their data by finding and investigating instances of potential oversharing of SharePoint sites. They also enable admins to find SharePoint sites that contain sensitive data. Ultimately, these reports allow admins to assess sites from a sharing and sensitivity perspective and apply appropriate security and data protection controls where required. Although the report outputs are not particularly granular, they do provide a list of sites where oversharing may be occurring and the number of files with the selected sensitivity labels, along with each site’s primary administrator, so a SharePoint admin can follow up with them and recommend or perform any needed remediation.
There are several types of reports available:
Some important limitations include:
For more information, refer to Data access governance reports for SharePoint sites.
This feature was previously considered part of SharePoint Advanced Management and was available with a Microsoft SharePoint Premium - SharePoint Advanced Management license. However, Microsoft has since made it available only with one of the Microsoft 365 E5/A5/G5 licenses or their security or compliance variants. Refer to this article for more information on its licensing: Microsoft Purview Information Protection Sensitivity Labeling. It is still listed as a feature of SharePoint Advanced Management in the SharePoint Admin Center.
A default sensitivity label configured for a SharePoint document library is applied to all new files uploaded to or created within that library if the document is not already labeled or carries a lower-priority label. This provides a baseline level of protection for files stored in the library. It can also serve as a form of automatic labeling without configuring content inspection (i.e. without policies that look for sensitive information types, or SITs).
We sometimes refer to this feature as location-based labeling, because the label is applied automatically based on the location in which a document is stored. For example, if a contract document is stored in a library named “Confidential Contracts”, you can have a “Confidential” sensitivity label applied to it automatically.
There are numerous impacts and limitations of this feature that are important to understand before it is applied, including:
For more information, refer to Configure a default sensitivity label for a SharePoint document library.
This feature requires a Microsoft SharePoint Premium - SharePoint Advanced Management license.
This feature allows admins to restrict access to a user’s OneDrive content to members of a Microsoft Entra security group. The policy is applied using a security group containing the people who should be able to access files in that OneDrive.
When this policy is configured, the people in the security group are not granted permissions to any files in the OneDrive directly; the OneDrive owner must still share files with the intended users as they normally would. What the policy does is prevent anyone who is not in the security group from accessing the OneDrive content, even if it was previously shared with them or is shared with them in the future.
Access restriction policies are enforced at the time when a user attempts to access a file. A user will still see files in search results if they have direct permissions to them. However, they will be prevented from accessing the files if they're not part of the specified security group.
This feature can be configured within the SharePoint Admin Center or through PowerShell.
For more information, refer to Restrict access to a user's OneDrive content to people in a group.
If an admin has a Microsoft SharePoint Premium - SharePoint Advanced Management license, they can see actions beyond the current browser session. Without this license, they can only view actions made in the current session: once they close the browser or sign out, the recent actions panel clears its history.
This feature lets SharePoint admins review and monitor, in the SharePoint admin center, the last 30 changes they have made to a SharePoint site’s properties within the last 30 days. It only shows changes made by the admin who is signed in, not by other admins, and changes made to site properties at the organization level do not appear in the panel.
For more information, refer to Review your recent changes to SharePoint site properties.
This feature requires a Microsoft SharePoint Premium - SharePoint Advanced Management license.
This feature allows admins to run automated, rule-based policies to manage and reduce inactive sites. It is sometimes referred to as the Inactive Sites Policy, and it helps reduce content sprawl by automatically identifying inactive SharePoint sites.
Policies are configured in the SharePoint Admin Center. An admin defines inactivity criteria (e.g. no updates or user activity over a set period); once a site is identified as inactive, its owners receive automated email notifications asking them to confirm whether the site is still active. To keep the site, the owner must select the Certify site button in the email. Once the owner certifies the site as active, the site lifecycle management policy does not check the site’s activity again for one year.
Site owners are notified monthly for three months, after which no notifications are sent for the next three months. After six months, monthly notifications resume if the site is still inactive. Admins can download a policy execution report and view which sites were actioned or left unactioned by a site owner.
In the SharePoint Admin Center, within the Inactive Site Policy, admins can also get AI Insights on where they can best clean up sites or protect their organization’s sensitive content; it extracts patterns from the report and provides a list of potential remediation actions.
For more information, refer to Manage site lifecycle policies.
This feature requires a Microsoft SharePoint Premium - SharePoint Advanced Management license.
This feature allows admins to restrict access to a SharePoint site to members of a specific group by configuring a site access restriction policy. Restricting site access by group membership helps minimize the risk of oversharing content, especially when organizations are considering a solution like Copilot for Microsoft 365.
Site access restrictions must first be enabled at the organization level before they can be configured for individual sites. Admins configure this policy through either the SharePoint Admin Center or PowerShell.
Users who are not in the specified group cannot access the site or its content, even if they were previously granted permissions or a sharing link. The policy can be used with Microsoft 365 group-connected, Teams-connected, and non-group-connected sites. Site access restriction policies are applied at access time, when a user attempts to open a site or access a file. Users with direct permissions to files in a restricted-access site can still see the files in search results; however, they cannot open them if they are not part of the specified group.
For more information, refer to Restrict SharePoint site access with Microsoft 365 groups and Entra security groups.
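The following is an added example, not code from the original post, covering both the OneDrive restricted access policy described earlier and the SharePoint site access restriction policy described here, since both use the same organization-level switch and the same Set-SPOSite parameters. The tenant name, URLs and group object IDs are placeholders; the security groups are assumed to exist already in Entra ID, and it is assumed that your installed module version exposes these parameters.

```powershell
# Added example (not from the original post): enable restricted access control
# for the tenant, then apply it to one user's OneDrive, one group-connected site
# and one non-group-connected site, and verify the result.
# Assumptions: tenant "contoso"; all URLs and GUIDs below are placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Organization-level prerequisite, needed once for both OneDrive and site policies.
Set-SPOTenant -EnableRestrictedAccessControl $true

# 2. OneDrive: only members of the security group can open Alex's files, even if
#    Alex shares a file with someone outside the group. The group gets no
#    permissions of its own; Alex still has to share files as usual.
$oneDriveUrl     = "https://contoso-my.sharepoint.com/personal/alex_contoso_com"
$oneDriveGroupId = "11111111-1111-1111-1111-111111111111"   # placeholder GUID
Set-SPOSite -Identity $oneDriveUrl -RestrictedAccessControl $true
Set-SPOSite -Identity $oneDriveUrl -AddRestrictedAccessControlGroups $oneDriveGroupId

# 3a. Microsoft 365 group-connected (or Teams-connected) site: membership of the
#     connected group is used, so no group ID is needed.
$teamSiteUrl = "https://contoso.sharepoint.com/sites/FinanceTeam"
Set-SPOSite -Identity $teamSiteUrl -RestrictedAccessControl $true

# 3b. Non-group-connected site: name the Entra security group(s) explicitly.
$commSiteUrl  = "https://contoso.sharepoint.com/sites/LegalHub"
$legalGroupId = "22222222-2222-2222-2222-222222222222"       # placeholder GUID
Set-SPOSite -Identity $commSiteUrl -RestrictedAccessControl $true
Set-SPOSite -Identity $commSiteUrl -AddRestrictedAccessControlGroups $legalGroupId

# 4. Check each target: RestrictedAccessControl should be True and, for the
#    OneDrive and the non-group site, the group list should be populated.
foreach ($url in @($oneDriveUrl, $teamSiteUrl, $commSiteUrl)) {
    Get-SPOSite -Identity $url |
        Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups
}

# To take a group back out of a non-group site later:
# Set-SPOSite -Identity $commSiteUrl -RemoveRestrictedAccessControlGroups $legalGroupId
```

Because the policy is evaluated at access time and does not touch existing permissions, a user outside the group may still see a file in search results yet be denied when opening it; plan communications accordingly, and keep the group membership itself under the same change control as the sites it gates.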
Through the nine features discussed, SharePoint Advanced Management, or SAM, assists organizations with security and governance use cases within SharePoint Online specifically. It gives admins relatively simple ways to implement important security and governance controls that help manage content sprawl, prevent oversharing, and manage the content lifecycle.