Initiate site access reviews for Data access governance reports
Some features in this article require Microsoft SharePoint Premium - SharePoint Advanced Management
Site access reviews in the SharePoint admin center allow IT administrators to delegate the process of reviewing data access governance reports to site owners of overshared sites.
This review process is crucial because:
- IT administrators can't access file-level or item-level details due to compliance reasons.
- Site owners are best positioned to review and address oversharing issues for their own sites.
Before initiating a site access review, ensure that you meet the following requirements:
- A Microsoft SharePoint Premium - SharePoint Advanced Management subscription.
- A nongovernment cloud tenant environment. Site access reviews aren't supported in government cloud environments (GCCH, GCC-Moderate, DoD, Gallatin).
- Admin credentials for accessing the SharePoint admin center.
- Site owners are available to respond to review requests, take necessary actions, and complete the review.
Site access reviews can be initiated for the top 100 sites listed in data access governance reports. These reviews specifically target oversharing issues identified in the selected reports.
When you initiate a review, the system sends a context-specific email to the site owner. For example, if the review is for the "Content shared with 'Everyone except external users'" category, the email focuses solely on sharing issues for that report.
Site access reviews are available for the following reports:
- Sharing link reports (Anyone, PeopleInYourOrg, Specific People shared externally)
- "Content shared with 'Everyone except external users'" reports
- Oversharing baseline report using permissions
1. Sign in to the SharePoint admin center with your admin credentials.
2. Expand the Reports section and select Data access governance.
3. Under "Content shared with 'Everyone except external users'", select View reports.
4. Choose a report and select the sites you want to review.
5. Select Initiate site access review.
6. Add comments in the provided section to give context to the site owners.
7. Select Send to initiate the review request.
For reports that are only available via PowerShell (such as the Oversharing baseline report using permissions), site access reviews can also be initiated using PowerShell commands.
To track all initiated site access reviews, go to the My review requests tab on the Data access governance landing page.
Once a review is initiated, its status remains "pending" until the site owner completes it. After completion, the review status and comments will be updated with the reviewer's name and the date and time of completion. If a review fails (for example, due to an invalid email for the site owner), it's marked as failed.
For reports available via PowerShell, such as the Oversharing baseline report, you can track reviews using this PowerShell command.
When you initiate a review, site owners receive an email containing:
- A relevant title.
- Your comments (if any).
- A request to review site permissions.
- A link to a detailed access review page, specific to the identified issue in the data access governance report.
Here are examples of the different emails a site owner might receive:
Content shared with 'Everyone except external users' report for the past 28 days:
Sharing links report for the past 28 days:
Site owners can review and manage access in two main areas:
SharePoint groups:
- View which groups contain 'Everyone except external users.'
- See when and by whom the group was added.
- Remove 'Everyone except external users' from groups if necessary:
Individual items (files/folders/lists):
- View items shared with 'Everyone except external users' in the last 28 days.
- See sharing details (who shared and when).
- Manage access and remove permissions as needed:
1. Select Manage access.
2. Under the 'Everyone except external users' group in the Groups tab, select the group and select Remove access.
See "Stop sharing OneDrive or SharePoint files or folders, or change permissions" for more information.
Once the site owner opens the email, they're redirected to a detailed sharing links report. This report shows:
- Files for which links were generated, with the date and the user who created the link.
- A Manage access button that site owners can use to remove or modify permissions.
The following screenshot shows the detailed sharing links report:
When site owners select the email, they're redirected to the site access review page, where they can see the oversharing baseline using permissions report. This report helps site owners identify items with excessive permissions and take necessary actions.
The SharePoint admin views the number of users with permissions to a site in the Data access governance report. Site owners can see this number, along with how permissions are distributed across different site items. Items with the highest number of permissioned users are shown first, allowing the site owner to address the most exposed items.
This column shows the total number of users who have permissions to a specific scope (Site, List, Folder, or File). It reflects the exposure of that item compared to others. However, it's important to note that this number isn't unique—if the same user has both direct and indirect permissions, they're counted multiple times.
Example:
Imagine a folder "F" with the following permissions:
- 40 users from Group “A”
- 10 users with direct permissions
- 20 users with permissions via sharing links
The total number of permissioned users for folder "F" would be 80 (40 from Group “A” + 10 direct + 20 via sharing links). No deduplication is applied, so if the same user is in both Group “A” and has access via a sharing link, they're counted twice.
Additionally, the total number of permissioned users across all scopes might exceed the number of users shown in the email or Data Access Governance report. This happens because users can have permissions on multiple items. While a user might be counted once at the site level, they're counted separately for each item they have access to.
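The counting rule described above, worked through on constructed data as an added example (not part of the original article and not Microsoft's tooling). It goes one step further than the folder "F" example by making some users reachable through several paths; the grant labels, user names, and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (item, path that grants access, users covered by that path).
# The "group:" / "link:" / "direct" labels are this example's own convention.
GRANTS = [
    ("/sites/finance", "group:Finance Members", {"ana", "bo", "cy", "dee"}),
    ("/sites/finance/Budget", "group:Finance Members", {"ana", "bo", "cy", "dee"}),
    ("/sites/finance/Budget", "direct", {"ana", "eli"}),
    ("/sites/finance/Budget", "link:PeopleInYourOrg", {"bo", "eli", "fay"}),
    ("/sites/finance/Budget/q3.xlsx", "direct", {"ana"}),
]


def exposure_by_item(grants):
    """Rows of (item, reported_count, distinct_users), most exposed first."""
    reported = defaultdict(int)  # every path counted in full, no deduplication
    distinct = defaultdict(set)
    for item, _path, users in grants:
        reported[item] += len(users)
        distinct[item] |= users
    rows = [(item, reported[item], len(distinct[item])) for item in reported]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def multi_path_users(grants, item):
    """Users counted more than once on an item, with every path they hold."""
    paths = defaultdict(list)
    for scope, path, users in grants:
        if scope == item:
            for user in users:
                paths[user].append(path)
    return {u: sorted(p) for u, p in paths.items() if len(p) > 1}


def site_totals(grants):
    """(sum of per-item reported counts, distinct users anywhere on the site)."""
    everyone = set().union(*(users for _item, _path, users in grants))
    return sum(row[1] for row in exposure_by_item(grants)), len(everyone)


if __name__ == "__main__":
    for item, reported, distinct in exposure_by_item(GRANTS):
        print(f"{item}: reported={reported} distinct={distinct}")
    print(multi_path_users(GRANTS, "/sites/finance/Budget"))
    print(site_totals(GRANTS))
```

A user returned by `multi_path_users` keeps access after any single path is removed, so the owner has to remove every path listed for that user.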
This column shows how many groups have permissions to a specific item or scope. Often, a large portion of exposure comes from permissions granted to groups, especially those with many members. Reducing exposure can be achieved by adjusting group memberships or removing unnecessary groups from permissions.
Select the Group number to see the membership count of each group. This helps you identify which groups to target for reducing permissions.
This section displays:
- The number of links (for example, "Anyone" or "People in your organization") that have been shared for the scope.
- Whether the item is exposed to Everyone or EEEU (Everyone Except External Users).
If the number of links is high or the EEEU/Everyone column says "Yes," this is an immediate indicator that the item has broad exposure, and the site owner should focus on reducing permissions for that item.
The Manage Access button provides a way for the site owner to take action by:
- Removing individual users
- Modifying group memberships
- Deleting links
- Adjusting permissions
For a SharePoint site, selecting this button redirects to the SharePoint group management page. For individual items, it opens the Manage Access interface, allowing for more granular control over permissions.
Once the site owner makes necessary changes (like modifying or removing permissions), they should:
- Select Complete review.
- Add any relevant comments.
- Submit the review.
Comments are sent back to the IT administrator, and the review will be marked as completed.
Site owners can receive and handle multiple site access review requests simultaneously. To track all review requests:
- Go to the Site reviews page via: