Microsoft 365 governance

Is SharePoint Advanced Management enough to manage Copilot?

SharePoint Advanced Management is included with Copilot, but is it enough? Here's what SAM does, what it costs, and where it falls short for large environments.

SharePoint Advanced Management (SAM) has been around for a few years now, but it’s gained a lot more attention recently as organizations look for ways to make their M365 environments Copilot-ready. If you’re a SharePoint admin or an IT manager trying to figure out what SAM actually covers, here’s a practical breakdown.

First, the licensing for SharePoint Advanced Management

SAM used to cost $3 per user per month as a standalone add-on. Though it might seem like a bargain, the math adds up quickly for larger tenants, and many organizations skipped it as a result.

That changed about a year ago: SAM is now included with Microsoft 365 Copilot. If your tenant has even one M365 Copilot license, SAM is unlocked for everyone. So the actual choice is: pay $30/month for one Copilot license and get SAM for the whole tenant, or pay $3 per user per month without Copilot. The right answer is usually obvious.

What problem is SAM solving?

The short version: SAM is Microsoft’s response to the fact that oversharing and content sprawl in M365 have become serious blockers for AI adoption.

Before Copilot, most organizations tolerated a certain level of governance debt. Overshared sites, abandoned workspaces, and broken permission inheritance existed, but finding them required effort, and fixing them was pushed to the back of the backlog.

Copilot changed the calculus. Copilot will only surface content users already have access to — that part gets misunderstood a lot. It’s not surfacing content it shouldn’t. It’s surfacing content that the user technically has access to but didn’t know existed. “Anyone” links that were shared three years ago. A site that was shared with a broad group as a temporary measure and never cleaned up. That’s not a Copilot problem. That’s a permissions problem that Copilot just made visible.

SAM gives admins a set of tools to find and address those problems. It organizes broadly into two areas: oversharing controls and site lifecycle management.

Microsoft MVP Vlad Catrinescu walked through all of it live. If you want to see it in action before diving into the details, here’s the full webinar recording.

Oversharing: finding it and fixing it

Data Access Governance reports

This is the main discovery tool. You’ll find it in the SharePoint admin center under Data Access Governance.

There are two types: snapshot reports and activity reports.

Snapshot reports scan your entire environment and surface sites with potential oversharing signals: number of items with unique permissions (broken inheritance), total permissioned users, guest counts, active “Anyone” links, “Everyone except external users” permissions, sensitivity labels, and more.

You set a minimum permission threshold when creating the report. This is useful for prioritizing, since you probably want to look at sites with 500+ permissioned users before those with only 20.

The limitation here is speed: snapshot reports can take up to five days to run on large tenants. Microsoft is working on improving this, but for now, plan accordingly.

Coming soon: Purview integration that adds sensitivity data to these reports, so you can prioritize by file sensitivity on a site rather than just the number of permissioned users. A site with 200 users and no sensitive content probably matters less than one with 30 users and a folder full of files containing passport numbers or other personal information.

Activity reports show sharing events from the last 28 days, such as new “Anyone” links created, people-in-org links, and external shares by specific people. This is your ongoing monitoring tool, but with a critical caveat: if you don’t run these within 28 days, data collection pauses, and you lose that history. So please, set a reminder.

Site Access Reviews

Once you’ve found overshared sites, Site Access Reviews let you delegate remediation to site owners rather than trying to fix everything yourself as an admin.

You send an email from the admin center directly to the site owner. The email prompts them to review permissions and take action. The review interface shows them the files most likely to be overshared. It doesn’t show them every file, but only the ones with the highest counts of permissioned users. The logic is intentional and a bit obvious: showing every file would overwhelm owners, and they’d ignore it.

From the review, owners can manage access directly. You can customize the email, change the sender address, and add links to your governance policy. It takes a few hours to send after you initiate it.

The upcoming Purview integration will also surface sensitive information types in the review, so an owner will see that a particular file contains US passport numbers, making the decision to restrict access a little less abstract.

Restricted Access Control (RAC)

RAC is your fastest containment tool. Enable it on a site, assign up to ten security groups, and only members of those groups can access the site (regardless of any other permissions they’ve been granted). You can still add users directly to the site, and those records are preserved in the back end, but their access won’t work unless they’re in one of the approved groups.

This means you can lock down an overshared site immediately without breaking permission records or disrupting the ongoing review process. For high-sensitivity sites such as HR, finance, and leadership materials, you can leave RAC on permanently, effectively making IT the gatekeeper for all new access requests.

OneDrive has an equivalent: you can restrict OneDrive sharing to specific groups (like full-time employees only), which prevents external users or contractors from receiving anything shared from personal OneDrive.

Restricted Content Discovery (RCD)

RCD is the Copilot-specific control in SAM. Enable it on a site, and that site’s content becomes invisible to M365 search and Copilot, unless the user has directly opened a file from that site in the last 28 days.

It doesn’t remove access or fix oversharing. It just prevents passive discovery. For sites that you know are overshared but can’t immediately remediate, RCD limits the exposure while the access review process plays out.

One practical note: RCD can take up to 24 hours to fully take effect after you enable it. So don’t activate it the morning of a presentation.

RCD can also be delegated to site owners so they can control whether their sites’ content is discoverable in Copilot.
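
The RAC and RCD steps above can also be applied from the SharePoint Online Management Shell instead of the admin center. This is an added example, not part of the original article; the function name `Set-SiteContainment`, the site URL, and the group ID are placeholders, and it assumes an existing `Connect-SPOService` session.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module.
# RAC must already be enabled for the tenant:
#   Set-SPOTenant -EnableRestrictedAccessControl $true
function Set-SiteContainment {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SiteUrl,
        [Parameter(Mandatory)][guid[]]$AllowedGroupIds,  # security group object IDs
        [switch]$RestrictDiscovery                       # also turn on RCD
    )

    # RAC accepts at most ten groups per site, counting groups already assigned.
    $existing = @((Get-SPOSite -Identity $SiteUrl).RestrictedAccessControlGroups)
    $combined = @($existing + $AllowedGroupIds |
        Where-Object { $_ } | ForEach-Object { "$_" } | Select-Object -Unique)
    if ($combined.Count -gt 10) {
        throw "RAC allows at most ten groups per site; this change would make $($combined.Count)."
    }

    if ($PSCmdlet.ShouldProcess($SiteUrl, 'Enable Restricted Access Control')) {
        # Existing permission entries stay in place; only members of the
        # listed groups can actually open the site afterwards.
        Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true
        Set-SPOSite -Identity $SiteUrl -AddRestrictedAccessControlGroups $AllowedGroupIds
    }

    if ($RestrictDiscovery -and
        $PSCmdlet.ShouldProcess($SiteUrl, 'Enable Restricted Content Discovery')) {
        # Hides the site from tenant-wide search and Copilot. Access is unchanged,
        # and the setting can take up to 24 hours to apply.
        Set-SPOSite -Identity $SiteUrl -RestrictContentOrgWideSearch $true
    }

    # Read the settings back so the change can be recorded or reviewed.
    Get-SPOSite -Identity $SiteUrl |
        Select-Object Url, RestrictedAccessControl,
                      RestrictedAccessControlGroups, RestrictContentOrgWideSearch
}

# Dry run against a placeholder site and placeholder group ID:
# Set-SiteContainment -SiteUrl 'https://contoso.sharepoint.com/sites/hr-placeholder' `
#     -AllowedGroupIds '00000000-0000-0000-0000-000000000000' -RestrictDiscovery -WhatIf
```

Running with `-WhatIf` first shows which sites would be changed without applying anything.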

Site lifecycle management

Keeping unused sites around has two concrete costs: storage and Copilot accuracy. Every abandoned project site is another data source Copilot has to reason through when looking for relevant content. Old answers from old documents dilute the quality of AI responses.

SAM has three lifecycle policies:

Inactive site policies

Create a policy, set an inactivity threshold (one, two, three, or six months; there is no 12-month option, which some organizations find limiting), and choose who gets notified: site owners, site admins, or both.

SAM looks at activity across SharePoint and connected M365 apps (Teams, Exchange, Viva Engage), not just SharePoint reads. That’s important context.

After three monthly notifications without a response, the site can go read-only, and after another three months, it can move to M365 Archive. But both of these actions are optional. You can run the policy in report-only mode if you just want visibility without enforcing anything, or configure it to stop at read-only without ever archiving. Total minimum time from first notification to archive, if you choose that path: six months. There’s no way to speed that timeline up, which is a real constraint for organizations trying to aggressively reduce storage or clean up Copilot’s knowledge base.

You can have up to 5 inactive site policies per tenant. For large organizations with different governance rules for different departments or site types, that limit gets tight really fast.

Site ownership policies

When a site falls below the minimum number of owners, SAM can notify current site owners, site admins, the previous owner’s manager, or the five most active site members, asking them to claim or reassign ownership. The flexibility here is useful: emailing the manager works well for departed employees, while notifying active members makes sense when the site is still in active use but simply lacks a designated owner.

Whether you want to allow the top five members to self-assign as owners is a cultural and policy question. Larger organizations typically prefer to route this through IT rather than let users claim ownership on their own.

Site attestation policies

The most proactive of the three. Rather than waiting for inactivity, attestation policies prompt site owners to review and confirm their site’s settings, such as members, permissions, and sharing configuration, to ensure they are still accurate and appropriate.

The concept is good. The execution has a gap: the email doesn’t guide owners through what to actually check or how to check it. The result is that many owners click “settings are accurate” without verifying anything because the path forward isn’t clear, and the alternative is to ignore the email. This is a user experience problem that Microsoft hasn’t fully solved yet.

Other SAM features worth knowing

  1. Conditional access by site: Apply a conditional access policy to a specific SharePoint site rather than to all of SharePoint. Useful for high-sensitivity sites that require additional authentication.
  2. Block download policy: Allow users to view and work with documents in the browser, but prevent downloading, printing, or syncing to their devices.
  3. Recent admin actions report: A simplified audit log of admin changes to SharePoint settings, available directly in the admin center without needing Purview permissions. Useful for change tracking and debugging.

The limits of SharePoint Advanced Management

SAM is a solid starting point, especially for smaller tenants or organizations early in their governance journey. But it has constraints worth knowing before you decide if it covers everything you need:

  1. The snapshot reports take days.
  2. You’re capped at five lifecycle policies.
  3. The archive timeline is set to 6 months.
  4. The user-facing experience (the emails, the review interfaces) doesn’t do much to guide non-technical users through the actual work of governance.
  5. Site attestation depends on users knowing what they’re supposed to do, an optimistic assumption at best.

If you’re looking for more information, Vlad Catrinescu wrote an in-depth blog post titled “SharePoint Advanced Management limitations.”

Syskit Point vs SharePoint Advanced Management

Here’s how that plays out in practice compared to Syskit Point:

| Feature | SAM | Syskit Point |
| --- | --- | --- |
| Oversharing reports | Snapshot takes up to 5 days | Real-time, always up to date |
| Lifecycle policies | Max 5 per tenant | Unlimited, fully configurable |
| Archive timeline | 6 months minimum | Flexible, on your schedule |
| User-facing reviews | Basic email, no guided experience | Step-by-step, built for non-technical owners |
| Policy flexibility | Fixed thresholds and options | Adapted to your organization’s rules |
| Number of owners per site | 1 or 2 | Up to 3 and beyond |
| RAC & RCD support | Native Microsoft feature | Integrates with both |

The goal isn’t to pick one or the other. It’s to use SAM for what it does well natively (RAC and RCD, in particular, are Microsoft-internal controls that no third-party tool can replicate) and to extend it where it falls short. Syskit Point is built to do exactly that: work alongside SAM, not against it.

The bottom line

SAM won’t automatically make your environment Copilot-ready. But if your organization has M365 Copilot licenses, you already have SAM, and not using it means leaving meaningful governance tooling on the table.

Start with the Data Access Governance reports. See what’s actually overshared. Prioritize your most sensitive sites. Enable RAC on the ones that need immediate containment. Set up your inactive site policies before your environment gets any more cluttered.

It’s not glamorous work. But it’s the work that makes everything else (including the AI you’re paying for) actually work the way it’s supposed to.

And when you run into the limitations, we’ll be here to help you.
