Part 3 of our Microsoft 365 Governance Series
In the first article in this series, “Copilot Doesn’t Create Your Permissions Problem. It Reveals It.”, I explained why Microsoft 365 Copilot hasn’t suddenly created a permissions problem. It has simply made organisations more aware of one that has often existed for years.
In the second article, “SharePoint Advanced Management: Preparing SharePoint for the AI Era”, I looked at Microsoft’s continued investment in governance. Features such as Data Access Governance and SharePoint Advanced Management are helping organisations identify oversharing, understand ownership and highlight sites that deserve closer attention.
The next logical question is:
Once you’ve identified a site that needs reviewing, what happens next?
Microsoft’s answer is Site Access Reviews.
Overall, I think Microsoft has made exactly the right decision. Moving responsibility for access reviews away from central IT and towards the people who actually own the information is a sensible direction for Microsoft 365 governance.
Governance Belongs with the Business
One of the biggest challenges I’ve seen throughout my career is that organisations often expect SharePoint Administrators to own permissions across the entire Microsoft 365 estate. On paper that sounds reasonable, but in reality it’s almost impossible.
A SharePoint Administrator understands how permissions work. They understand inheritance, SharePoint Groups, Microsoft 365 Groups and Entra ID security groups. What they don’t understand is the business context behind every collaboration site.
They don’t know whether an external consultant finished working on a project three months ago. They don’t know whether somebody transferred departments last year but still contributes to a particular team. They don’t know whether that confidential Finance site still needs to be shared with a contractor.
The people who understand those things are the Site Owners.
That’s why I completely agree with Microsoft’s direction. Governance shouldn’t be something that’s owned entirely by IT. It should become a shared responsibility, with Site Owners taking ownership of the information they are responsible for.
In my opinion, that’s one of the most positive changes Microsoft has made in recent years.
The Challenge Isn’t Deciding. It’s Understanding.
After nearly twenty years working with SharePoint permissions, I’ve found that Site Owners rarely struggle with deciding whether somebody should have access. They struggle with understanding how that person has access in the first place!
When a Site Owner receives an Access Review request, they’re expected to review the people who currently have access to the site and decide whether that access should continue. As you can see in the screenshot below, the Site Access Review lists the content with the highest number of permissioned users, sharing links, and Everyone permissions or Anyone links.

Unfortunately, once you begin reviewing permissions, the experience relies heavily on SharePoint’s Manage Access panel.
Clicking Manage Access next to one of the items in the Site Access Review report will take you to the Manage Access dialog. You’ll see People, Groups, and Links.
The first thing I clicked was People, because that’s where I’d naturally expect to see everyone who has access to the content I’m being asked to review. Except I didn’t!
The Site Access Review report clearly tells me there are sixteen users with access to this content, yet the People tab only shows four individual users. That’s because Manage Access isn’t showing me the effective users.
If users have been granted access through a custom SharePoint Group, Microsoft Entra Security Group or nested Microsoft 365 Group, they simply don’t appear as individual people within the review.

The review has already told me there are sixteen people with access. So where are the other twelve?
Clicking a group name does not display the members of that group, and the view also excludes Entra Security Groups and nested Microsoft 365 Groups. Yet the Site Owner is expected to report back that they understand who has permission to the content.

Links – The Links tab is useful. As a Site Owner, you can see the sharing links and easily remove them or set an expiration date.

As a Site Owner, I haven’t been asked to review groups. I’ve been asked to review who has access to my content. They’re two very different things.
If users have been granted access through a custom SharePoint Group, I can’t see the members of that group from within the Manage Access experience. The same applies to Microsoft Entra ID Security Groups. I can see that the group has access, but I can’t see who the members of that group actually are. Even where SharePoint Groups are displayed, clicking on them doesn’t reveal their membership within the context of the review.
How can I confidently review access if I can’t actually see everyone who has access?
The Site Access Review has already identified that sixteen people can access the content. Manage Access only shows me four of them.
At that point, the review changes from being a governance exercise into an investigation. I now have to leave the review, navigate elsewhere in SharePoint or Entra ID, inspect multiple groups individually, and manually piece together the effective permissions before I can make an informed decision.
This is where I think there’s still a gap in Microsoft’s approach. Site Owners aren’t being asked to review groups, inheritance or security models; they’re being asked to confirm that the right people have access to their information. Before they can answer that question, they first need a complete view of who those people actually are, regardless of whether access has been granted directly, through a SharePoint Group, a Microsoft 365 Group, an Entra Security Group or a sharing link.
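The gap described above is, at its core, the difference between the principals listed on an item and the effective users those principals expand to. The following is an added example (not code from Microsoft or from this article) that models that expansion over a constructed directory: four users granted directly plus one SharePoint Group that nests an Entra security group and a Microsoft 365 Group, mirroring the “sixteen users, four shown” situation from the review. The principal names, group kinds and memberships are all made up for the example; a real tenant would read them from SharePoint and Entra ID.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Principal:
    """A user or a group. Groups hold the names of their member principals."""
    name: str
    kind: str  # "user", "sp_group" (SharePoint Group), "entra_group" or "m365_group"
    members: list[str] = field(default_factory=list)


def _index(principals: list[Principal]) -> dict[str, Principal]:
    return {p.name: p for p in principals}


# Constructed sample directory (assumption: names and nesting invented for the example).
DIRECTORY = _index([
    *(Principal(n, "user") for n in [
        "alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi",
        "peter", "ivan", "judy", "karl", "lena", "mike", "nora", "olga",
    ]),
    # Custom SharePoint Group that contains users, an Entra group and an M365 Group
    Principal("Finance Members", "sp_group",
              ["erin", "frank", "SG-Finance-Contractors", "Finance Team"]),
    Principal("SG-Finance-Contractors", "entra_group", ["grace", "heidi", "peter"]),
    # alice appears again here: she must be counted once, not twice
    Principal("Finance Team", "m365_group",
              ["ivan", "judy", "karl", "alice", "SG-EMEA-Finance"]),
    Principal("SG-EMEA-Finance", "entra_group", ["lena", "mike", "nora", "olga"]),
])

# What the item's role assignments name directly: four people and one SharePoint Group.
ITEM_ASSIGNMENTS = ["alice", "bob", "carol", "dave", "Finance Members"]


def visible_people(assignments: list[str], directory: dict[str, Principal]) -> list[str]:
    """Users listed as individuals on the item; group members are not expanded."""
    return sorted(n for n in assignments if n in directory and directory[n].kind == "user")


def access_paths(assignments: list[str],
                 directory: dict[str, Principal]) -> dict[str, list[tuple[str, ...]]]:
    """Map every effective user to each chain of groups that grants them access.

    A direct grant has an empty chain. Circular nesting is guarded against, and a
    member name that no longer resolves (e.g. a deleted group) is recorded rather
    than silently dropped, so the reviewer can see the gap.
    """
    paths: dict[str, list[tuple[str, ...]]] = {}

    def walk(name: str, chain: tuple[str, ...], seen: frozenset[str]) -> None:
        principal = directory.get(name)
        if principal is None:
            paths.setdefault(f"<unresolved:{name}>", []).append(chain)
            return
        if principal.kind == "user":
            paths.setdefault(name, []).append(chain)
            return
        if name in seen:  # cycle: this group is already on the current chain
            return
        for member in principal.members:
            walk(member, chain + (name,), seen | {name})

    for assignment in assignments:
        walk(assignment, (), frozenset())
    return paths


def effective_users(assignments: list[str], directory: dict[str, Principal]) -> list[str]:
    """Every distinct user who can reach the item, however access was granted."""
    return sorted(u for u in access_paths(assignments, directory)
                  if not u.startswith("<unresolved:"))


def hidden_users(assignments: list[str], directory: dict[str, Principal]) -> list[str]:
    """Users the review counts but the People list does not show."""
    return sorted(set(effective_users(assignments, directory))
                  - set(visible_people(assignments, directory)))


if __name__ == "__main__":
    print("Shown as People:", visible_people(ITEM_ASSIGNMENTS, DIRECTORY))
    print("Effective users:", len(effective_users(ITEM_ASSIGNMENTS, DIRECTORY)))
    for user, chains in sorted(access_paths(ITEM_ASSIGNMENTS, DIRECTORY).items()):
        print(user, "<-", [" > ".join(c) or "direct" for c in chains])
```

Running the block prints four people for the People view, sixteen effective users, and for each user the chain of groups that grants the access (for example `lena <- Finance Members > Finance Team > SG-EMEA-Finance`). That chain is what the Site Owner has to reconstruct by hand today, and it is also what lets them act: the right fix for lena is a change to `SG-EMEA-Finance`, not a change to the item.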
How does the SharePoint Administrator decide which sites should actually be reviewed?
Most organisations don’t have dozens of SharePoint sites. They have hundreds or thousands, and reviewing all of them looks overwhelming.
Reviewing every site every month isn’t realistic, nor is it necessary. Personally, I think organisations should review sites based on risk rather than on a fixed schedule.
If a site contains HR records, Finance information, legal documents or executive content, I’d want that reviewed far more frequently than an archive site that nobody has opened in two years.
I’d also prioritise sites that contain:
- External users
- Anonymous sharing links
- Large numbers of sharing links
- Unique permissions
- Sensitive information
- High levels of collaboration
This is exactly where I think SharePoint Advanced Management and Data Access Governance provide real value. Rather than expecting organisations to review every SharePoint site on a fixed schedule, they help identify the sites that genuinely deserve attention. Overshared sites, sites containing sensitive information, sites with large numbers of sharing links or external users, and sites that present a higher governance risk naturally become candidates for a Site Access Review. In that sense, the two capabilities complement each other very well. SharePoint Advanced Management helps answer the question, “Which sites should we review?” Site Access Reviews then help Site Owners answer the equally important question, “Should these people still have access?”
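To make the risk-based cadence above concrete, here is an added example (my own illustration, not a Microsoft feature or code from this article) that scores a constructed inventory of sites on the signals listed above and turns the score into a suggested review interval. The weights, thresholds, intervals and the site records are all assumptions chosen to show the shape of the approach; an organisation would calibrate them against its own Data Access Governance reports.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteSnapshot:
    """Per-site signals of the kind Data Access Governance reports surface (constructed)."""
    url: str
    external_users: int
    anonymous_links: int           # "Anyone" links currently active
    sharing_links: int             # all sharing links, any scope
    unique_permission_items: int   # items/folders with broken inheritance
    sensitivity: str               # "none", "general", "confidential", "highly_confidential"
    active_users_30d: int          # collaboration level
    days_since_last_activity: int


# Assumed weights for the example; not Microsoft's scoring.
SENSITIVITY_WEIGHT = {"none": 0, "general": 5, "confidential": 20, "highly_confidential": 40}


def risk_score(site: SiteSnapshot) -> int:
    """Higher means the site deserves a Site Access Review sooner.

    Sensitivity and anonymous links dominate; the other signals are capped so
    that one very busy but ordinary site cannot outrank a confidential one.
    """
    score = SENSITIVITY_WEIGHT[site.sensitivity]
    score += 30 if site.anonymous_links > 0 else 0
    score += min(site.external_users, 10) * 3
    score += min(site.sharing_links // 10, 10) * 2
    score += min(site.unique_permission_items // 5, 10)
    score += 10 if site.active_users_30d >= 50 else 0
    # A dormant, low-sensitivity archive is deprioritised rather than reviewed monthly.
    if site.days_since_last_activity > 365 and site.sensitivity in ("none", "general"):
        score = max(score - 20, 0)
    return score


def review_interval_days(score: int) -> int:
    """Map a score to a review cadence instead of one fixed schedule for every site."""
    if score >= 60:
        return 30
    if score >= 30:
        return 90
    if score >= 10:
        return 180
    return 365


def prioritise(sites: list[SiteSnapshot]) -> list[tuple[str, int, int]]:
    """Return (url, score, interval) ordered from most to least urgent."""
    ranked = sorted(sites, key=risk_score, reverse=True)
    return [(s.url, risk_score(s), review_interval_days(risk_score(s))) for s in ranked]


# Constructed inventory (assumption: invented URLs and figures).
SITES = [
    SiteSnapshot("https://contoso.example/sites/hr", 2, 0, 40, 12, "highly_confidential", 80, 1),
    SiteSnapshot("https://contoso.example/sites/archive-2021", 0, 0, 3, 0, "none", 0, 800),
    SiteSnapshot("https://contoso.example/sites/proj-launch", 5, 2, 120, 3, "general", 20, 10),
    SiteSnapshot("https://contoso.example/sites/marketing", 0, 0, 25, 8, "general", 60, 3),
]

if __name__ == "__main__":
    for url, score, days in prioritise(SITES):
        print(f"{score:3d}  every {days:3d} days  {url}")
```

Note how the project site with two Anyone links outranks even the HR site: an anonymous link is a standing exposure to anyone who holds the URL, so it is worth surfacing for review ahead of a well-controlled sensitive site, while the dormant archive drops to an annual check.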
The Content Management Assessment identifies the 100 sites with the highest number of unique users. From that report, you can initiate the Site Access Review.

Final Thoughts
Where I Think There’s Still an Opportunity
Overall, I think Microsoft has taken governance in exactly the right direction. Site Access Reviews encourage organisations to move responsibility for access decisions away from central IT and towards the people who actually own the information. I completely agree with that approach.
Where I think there’s still an opportunity is the experience the Site Owner receives when carrying out that review. The review itself isn’t the problem. The challenge is that the review relies on the Manage Access experience, and that’s where I believe Site Owners are missing some of the information they need.
If I’m being asked to confirm that the right people have access to my content, the first thing I need is a complete picture of everyone who can actually access it.
Unfortunately, that’s not always what Manage Access provides. You can’t review what you can’t see!
