SharePoint Oversharing, Governance, and Lifecycle
SharePoint Advanced Management Focusing on the Challenges of the AI Era
An interesting TEC 2024 session covering SharePoint Online security, reporting, and artificial intelligence, given by Sanjoyan Mustafi, principal program manager for SharePoint and OneDrive, provoked more questions than it answered.
Sanjoyan covered the current and some future capabilities of SharePoint Advanced Management (SAM), a premium add-on license announced in March 2024. SAM includes solutions to address the problems of oversharing, data governance, and lifecycle management for SharePoint Online sites. Sanjoyan noted that nearly 4 billion documents are uploaded to Microsoft 365 daily, a substantial increase over the 2.5 million often cited by Microsoft spokespeople.
SAM spans reports and policies. Some of the reports generated by SAM depend on audit records and reflect historic actions, such as people sharing using anyone links. Others use current state data, meaning that they reflect near real-time conditions. Policies include the block download policy and a conditional access policy that restricts access to sensitive SharePoint Online sites using authentication contexts. Another policy restricts access to OneDrive for Business accounts to specific users. These are all useful features to help manage access to SharePoint content.
But the discussion about oversharing made me think that Microsoft is taking an opportunity to sell yet another add-on ($3 user/month) to fix flaws revealed by Microsoft 365 Copilot that are a direct result of poor decisions made by Microsoft in the past.
The Grave Error of Unfettered Group Creation
The biggest example I can give is the decision made in November 2014 not to impose control over who could create Office 365 Groups (now Microsoft 365 Groups). The idea was to foster collaboration. Despite strong arguments against the decision, based on knowledge of the disaster Exchange public folders became when users were allowed free rein, Microsoft persisted and launched the era of open collaboration at the Ignite conference in May 2015.
The mistake was compounded in November 2016 when Microsoft released the preview of Teams and allowed anyone to create a new team. Even worse, when Entra ID (then Azure AD) introduced a policy to allow tenants to dictate who could create Microsoft 365 groups, they insisted on making this a feature covered by the Entra P1 license. This control should have been part of the base product since day 1.
The result is plain to see in the massive team sprawl found in many tenants. Sanjoyan said that approximately 90% of the SharePoint sites created in Microsoft 365 are team-enabled. Many of those teams are inactive, badly managed, or ownerless, all of which are factors that contribute to poor data governance. The question must be asked whether the same situation would exist had Microsoft seen sense and allowed tenants to control group creation from the start. I say no, but we are where we are.
The Era of Copilot
None of this mattered too much until Microsoft 365 Copilot arrived. Being grounded in the Graph means that Copilot can access and use any document available to the signed-in user when it responds to user prompts. That doesn't mean only documents containing accurate and useful information. It means any document stored in sites where the user is a member or that can be reached through a sharing link. The corpus of documents available to Copilot can contain misleading, inaccurate, and just plain wrong information. Copilot doesn't care and can't tell the difference between an accurate and an incorrect fact.
Reasoning over files that contain bad data means that Copilot can include bad information in its responses. This is why Microsoft has rushed to limit the free access Copilot enjoys via Graph queries with solutions like Restricted SharePoint Search and the sensitivity label setting that blocks Microsoft Content Services from accessing individual documents. A new solution called Restricted Content Discoverability (RCD) is in private preview. RCD allows tenants to exclude sites from Copilot access. It seems like a much better approach than Restricted SharePoint Search, which limits Enterprise Search to 100 curated sites.
Restricted Access Control (RAC) for SharePoint Online and OneDrive for Business is already available. RAC means that no matter what sharing links are present on files in a site, the only people who can access the files are users in groups specified in an access list. Microsoft 365 Copilot respects RAC and won't access files in protected sites unless the signed-in user is in the access list.
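To make the SAM policies mentioned above concrete, here is an added example (not from the session or the article) that applies Restricted Access Control, a block download policy, and an authentication-context conditional access policy to one site and then reads the settings back. It assumes the SharePoint Online Management Shell cmdlets and parameter names as I recall them; the admin URL, site URL, group ID and authentication context name are placeholders, and the site is assumed not to be group-connected (group-connected sites take their RAC membership from the Microsoft 365 group).

```powershell
# Added example: lock down a sensitive SharePoint Online site with SAM policies.
# Requires the SharePoint Online Management Shell and a SharePoint administrator.
# All URLs, IDs and names below are placeholders, not values from the article.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$SiteUrl     = "https://contoso.sharepoint.com/sites/FinanceSensitive"   # placeholder
$GroupId     = "00000000-0000-0000-0000-000000000000"                    # placeholder Entra security group object ID
$AuthContext = "Sensitive Sites"                                          # placeholder authentication context name

# 1. Restricted Access Control must be enabled at tenant level before any site can use it.
Set-SPOTenant -EnableRestrictedAccessControl $true

# 2. Apply RAC: regardless of sharing links on files, only members of $GroupId
#    can open content in this site. Copilot honours the same list.
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true `
    -AddRestrictedAccessControlGroups $GroupId

# 3. Block download policy: files open in the browser but cannot be downloaded,
#    printed or synced, which also removes the offline-copy route around RAC.
Set-SPOSite -Identity $SiteUrl -BlockDownloadPolicy $true

# 4. Conditional access via authentication context: Entra evaluates the policy
#    tied to $AuthContext (for example, compliant device or MFA) before granting access.
Set-SPOSite -Identity $SiteUrl -ConditionalAccessPolicy AuthenticationContext `
    -AuthenticationContextName $AuthContext

# 5. Read the settings back so the change can be evidenced in a review.
Get-SPOSite -Identity $SiteUrl |
    Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups,
                  BlockDownloadPolicy, ConditionalAccessPolicy, AuthenticationContextName
```

The authentication context itself must already exist in Entra ID with a conditional access policy attached; otherwise step 4 names a context that nothing enforces.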
Maybe Bundle SharePoint Advanced Management with Microsoft 365 Copilot
SharePoint Advanced Management isn’t all about Microsoft 365 Copilot, but the need to control oversharing for Copilot seems to be the current focus for SAM. Given that, wouldn’t it make sense for Microsoft to bundle SAM with Microsoft 365 Copilot? It sure seems like a good idea to me.
So much change, all the time. It’s a challenge to stay abreast of all the updates Microsoft makes across the Microsoft 365 ecosystem. Subscribe to the Office 365 for IT Pros eBook to receive monthly insights into what happens, why it happens, and what new features and capabilities mean for your tenant.