Governance and Access Reviews in Microsoft 365 with native tools
This blog post will discuss the native Microsoft functionalities that allow you to effectively govern the Microsoft 365 estate and gain control over access reviews.
Keeping a proper governance posture in Microsoft 365 is important, but today, different drivers make this even more pressing. When we think about security, we need to account for external attacks. Corporate cyberattacks are up 75% due to cloud and identity exploits. Still, companies should also ensure sensitive data is not overshared internally (not only if you are planning to roll out Copilot, but as a rule to avoid data exfiltration and other issues).
Here at Syskit, we have been helping customers with SharePoint governance for over a decade, and governance is like staying healthy. Everybody knows we should eat more veggies and exercise regularly. However, most people will need help with actually doing it. The same applies to governance; it is not rocket science, but you must do it “one bite at a time.” Deploying all the features mentioned in this post in one go is not a best practice, as this would result in a pile of reports no one would look at and many thousands of automated emails your users would not care to read. Companies should have a governance plan and roll it out in stages.
Governance overview
If you are thinking about improving your Microsoft 365 governance posture out of the box, certain tools can help you get started. There are three key functionality groups that you can start with:
- Identity Governance primarily targets memberships of the Entra ID groups and ownerless groups,
- Data Access Governance helps you manage access to SharePoint and OneDrive content (Sharing links, content with sensitivity labels, and data access reviews),
- Lifecycle Governance helps you detect inactive sites and ownerless groups.
The following diagram shows how the different components and Microsoft add-on products together make up the Microsoft 365 governance story.
This article focuses on Entra ID (Users and Groups), SharePoint, and OneDrive. Given that M365 is a vast ecosystem, there are other apps whose content you will have to govern (Exchange, Power Platform, Dynamics/Dataverse, and Viva come to mind), but this is beyond the scope of this article.
Identity Governance and Access Reviews
Identity Governance is part of Microsoft Entra ID Premium Plans (more below), and many different features can be used in concert to achieve various governance goals. There are two types of access reviews that this functionality allows:
- Access reviews for Entra ID applications.
- Access reviews for membership of Entra ID groups and Teams.
Access Reviews are pretty flexible and can be configured as one-off or scheduled. Companies can use them to design various approval processes for these reviews. Administrators can hand-pick applications or groups to review or automatically perform a review of all the groups with guest users.
The review procedure is fully customizable, i.e., the number of stages, reviewers, duration, fallback users, notifications, and much more can all be easily configured. Users tasked to conduct a review will receive emails with instructions on how to proceed, and the UI will allow them to Approve or Deny membership for each member along with some additional useful information (like activities or status) that can help make informed decisions. Identity Governance administrators can easily monitor the progress of all access reviews from a central dashboard.
Approvers are notified via email that a review has started for their resource. The user interface is friendly enough to let reviewers complete their tasks efficiently, and multi-stage approvals ensure that several people can be involved in the decision. If no decision is made, a default decision can be applied automatically, so users are removed or guest users are disabled simply because nobody acted.
Although the initial setup envisions that the administrators set up these access reviews, an additional option is available to allow group owners to create and manage access reviews for groups they own.
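The guest-membership review described above, expressed as an added example (not code from the original post) using the Microsoft Graph PowerShell SDK: owners of every Microsoft 365 group review their guests each quarter, a fallback reviewer covers ownerless groups, and an unanswered review defaults to Deny and is applied automatically. The module, license (Entra ID P2 or the Governance edition), and the fallback reviewer id are assumptions.

```powershell
# Added example: schedule a recurring access review of guest members across all
# Microsoft 365 groups. Assumes the Microsoft.Graph.Identity.Governance module and
# a placeholder object id for the fallback reviewer.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All"

$fallbackReviewerId = "00000000-0000-0000-0000-000000000000"   # placeholder, replace

$definition = @{
    displayName             = "Quarterly guest access review - all M365 groups"
    descriptionForAdmins    = "Group owners confirm that each guest still needs membership."
    descriptionForReviewers = "Deny any guest who no longer needs access to this group."
    # What is reviewed: guest users who are members of each enumerated group
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "./members/microsoft.graph.user/?`$count=true&`$filter=(userType eq 'Guest')"
        queryType     = "MicrosoftGraph"
    }
    # Which resources are enumerated: every Microsoft 365 (Unified) group
    instanceEnumerationScope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query         = "/groups?`$filter=(groupTypes/any(c:c eq 'Unified'))"
        queryType     = "MicrosoftGraph"
    }
    # Primary reviewers are the owners of each group ...
    reviewers = @(
        @{ query = "./owners"; queryType = "MicrosoftGraph" }
    )
    # ... with a named fallback so ownerless groups still get reviewed
    fallbackReviewers = @(
        @{ query = "/users/$fallbackReviewerId"; queryType = "MicrosoftGraph" }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        # If a reviewer does not act within the window, "Deny" is applied automatically
        defaultDecisionEnabled          = $true
        defaultDecision                 = "Deny"
        autoApplyDecisionsEnabled       = $true
        instanceDurationInDays          = 14
        recurrence = @{
            pattern = @{ type = "absoluteMonthly"; interval = 3 }
            range   = @{ type = "noEnd"; startDate = (Get-Date).ToString("yyyy-MM-dd") }
        }
    }
}

$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
"Created access review definition $($review.Id) with status $($review.Status)"
```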
Data Access Governance
Data Access Governance is another aspect of governance. It was part of SharePoint Advanced Plan 1 until recently, but it has now been rebranded as SharePoint Premium. The SharePoint Premium functionalities are broad and cover various experiences in the SharePoint interface (like various file viewers and eSignatures), AI-assisted processing of documents and governance, reporting and review capabilities, and backup and archive of M365 content.
In Identity Governance, the focus was on ensuring that the right users have access to a particular group and, in turn, the content this group has access to; the data access governance focuses more on ensuring that we have properly secured our precious content.
There are a couple of use cases when Microsoft 365 administrators can use this functionality in solving various challenges:
- Preparation for introducing Microsoft Copilot – Detecting content that has potentially been overshared, i.e., links shared with “anyone,” links for “people in your organization,” or links for “specific people” that were nevertheless shared externally.
- Such links are a major risk and should generally not be used; content owners and administrators should be especially careful never to use them on content carrying a “Confidential” sensitivity label. Administrators should disable such links wherever possible, but while M365 is being adopted, or during external projects, it is reasonable to expect some of them to exist.
- Monitoring sensitivity labels and how they are applied to files allows administrators to create comprehensive reports showing every file to which a particular sensitivity label has been applied.
- Content shared with “Everyone except external users” – a new report currently in preview will allow administrators to review the content shared with everyone. Reviewing the data shown by this report will be an important prerequisite step for any organization looking to introduce Copilot at scale.
Policies
There are two key policies that one can define when working with Microsoft 365, and both are intended to be interactive, i.e., they allow administrators to offload some of the work to site and group owners.
- Ownerless group policy – An administrator can use this to define what happens when a group is left without an owner (e.g., when the owner has left the company). An interactive policy can be implemented to let group members choose the next group owner. The policy has a built-in engine that detects active members and ensures that it is the active members who are asked to select the owner. Administrators can fine-tune which sites the policy applies to. Please note: this is an Azure P1 plan feature; further licensing details are below.
- Inactive site policies (Lifecycle Management) – Lifecycle management is controlled through policies rather than reports, which makes it more interactive. Administrators define what counts as an inactive site and how often the policy runs. Once an inactive site is detected, its owners are notified via email to take appropriate action. This policy works well together with the ownerless group policy mentioned above, because for the lifecycle policy to work, the site needs an owner.
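Before switching on the two policies, it helps to know how many ownerless groups and inactive sites there are, and in particular which inactive sites have no owner left to notify. The script below is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell, and the admin URL and the 180-day inactivity threshold are placeholders you would replace with your own.

```powershell
# Added example: inventory ownerless Microsoft 365 groups and inactive SharePoint sites
# to scope the ownerless group policy and the inactive site policy.
# Assumes Microsoft.Graph.Groups and Microsoft.Online.SharePoint.PowerShell are installed.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",  # placeholder, replace
    [int]$InactiveDays = 180                                      # threshold chosen here
)

Connect-MgGraph -Scopes "Group.Read.All"
Connect-SPOService -Url $AdminUrl

# 1) Ownerless Microsoft 365 (Unified) groups: the targets of the ownerless group policy.
#    Get-MgGroupOwner is called once per group, so this is slow on large tenants.
$ownerless = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All |
    Where-Object { -not (Get-MgGroupOwner -GroupId $_.Id) } |
    Select-Object DisplayName, Id, Mail

# 2) Sites with no content change inside the threshold: candidates for the inactive site policy
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$inactive = Get-SPOSite -Limit All -IncludePersonalSite $false |
    Where-Object { $_.LastContentModifiedDate -lt $cutoff } |
    Select-Object Url, Title, Template, GroupId, LastContentModifiedDate

# 3) Inactive sites connected to an ownerless group: the lifecycle policy has nobody to
#    notify here, so the owner must be fixed first (as the post notes)
$ownerlessIds = @($ownerless.Id)
$noOwnerToNotify = $inactive | Where-Object { $ownerlessIds -contains "$($_.GroupId)" }

$ownerless | Export-Csv -Path ".\ownerless-groups.csv" -NoTypeInformation
$inactive  | Export-Csv -Path ".\inactive-sites.csv"   -NoTypeInformation

"{0} ownerless groups, {1} inactive sites, {2} inactive sites with no reachable owner" -f `
    @($ownerless).Count, @($inactive).Count, @($noOwnerToNotify).Count
```

Review the CSV files with the site and group owners before enabling either policy; the third number is the backlog to clear first, since those sites will not receive lifecycle notifications until an owner is assigned.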
Pricing and packaging
This governance part of Microsoft 365 is licensed as two separate add-on products for the main Microsoft 365 offering. The Identity Governance component is part of the Premium plan of Entra ID, and it can be procured via the Entra ID Premium P2 plan or Microsoft Enterprise Mobility + Security (EMS) E5. Data Access Governance is packaged as part of SharePoint Premium (previously SharePoint Syntex) and is licensed per user. SharePoint Premium and Entra ID P2 are broader than the features discussed in this blog, so familiarize yourself with the complete feature list before deciding.
At the time of this writing, the Entra ID features are also offered in a promotional Governance edition that covers only the governance functionalities but is 22% cheaper than the full package.
Conclusion
In a world where we are adding 100 petabytes and creating 8 million SharePoint sites monthly and with ever-rising security threats, the right time to start governing Microsoft 365 is today (and many years ago). This journey is a challenging one, and your organization should adequately plan it.
Microsoft governance solutions are first-party solutions designed to help organizations tackle various governance challenges across different workloads in Microsoft 365. The functionalities are easy to set up, and administrators benefit from the familiar admin center user interface. However, some of the reporting is underwhelming, and access review policies are inflexible when you want to refine their tuning via metadata or sensitivity labels. End users might also be overwhelmed by the many different locations from which the various governance aspects are controlled.
The success of your governance project relies on having complete visibility of the environment. There are third-party tools to help you enforce governance holistically and take full control of the tenant. Complex problems can have simple solutions.