The complete guide to SharePoint governance

Discover the importance of SharePoint governance for effective collaboration, data security, and compliance. Learn how to implement it today.

SharePoint is at the heart of many Microsoft 365-powered organizations. That’s why protecting it with the right form of SharePoint governance is crucial.

You have to know the theory and apply it in practice to support your business processes and protect your people, along with managing policies that govern your SharePoint usage and keep your information secure and accessible to the right people.

The good news is you’re in the right place to learn everything you need to know.

What is SharePoint governance?

Microsoft defines SharePoint governance as a “set of policies, roles, responsibilities, and processes that control how your organization’s business divisions and IT teams work together to achieve its goals.”

In other words, how you govern SharePoint forms the basis for how your organization operates, collaborates, and develops. The evolving nature of these elements means SharePoint governance is a continuous process. It’s the opposite of a “set it and forget it” scenario and requires careful and ongoing guidance.

Why should you consider SharePoint governance?

SharePoint’s influence impacts the entire business. Integrations extend across Microsoft 365 services, from Microsoft Teams and Microsoft 365 Groups to Planner, Outlook, and Stream. Apply the right governance, and benefits become apparent across multiple use cases, as shown below.

SharePoint governance helps you to build collaborative spaces

SharePoint site creation doesn’t happen in isolation. Create a new team in Microsoft Teams, and SharePoint automatically creates a site. This transforms productivity, giving teams an instant repository and collaboration space. However, it also means another resource with lists, libraries, and pages that needs to be monitored and controlled.

Applying SharePoint governance means users can continue finding what they need – even as your organization expands. It also ensures you maintain the necessary levels of consistency and quality throughout your sites and pages. This creates a virtuous circle for users, where positive experiences keep them returning for more.

SharePoint governance helps you to meet legislation and compliance requirements

Data privacy is evolving fast, with legislation forecast to cover three-quarters of the world’s population by 2024. Further complexity comes from how different laws apply to different industries and regions.

Of course, Microsoft offers multiple ways to stay compliant within SharePoint. It just requires governance to regularly adapt procedures so organizations stay compliant when regulations such as HIPAA, GDPR, and PCI DSS are updated.

SharePoint governance ensures you minimize data sprawl and costs

As data volumes grow (373.3 billion emails sent daily in 2023), governance plays a crucial role in preventing sprawl in the Microsoft 365 environment. Collaboration and information sharing can stay aligned, with users able to surface and access the information they need at the right time instead of losing time to sprawl.

There’s also the economic impact of effective SharePoint governance. Organizations get 1TB plus 10GB of storage per user license. Although extra storage can be purchased, proactively managing limits can help reduce the need for further investment.

SharePoint governance is essential for securing and protecting your business

Remote working is here to stay (58% of Americans reportedly work from home at least once a week). As a result, workers and their devices need on-demand access to intellectual property, Personally Identifiable Information, and sensitive data. SharePoint offers various safeguarding measures, such as multi-factor authentication, to mitigate threats to data in transit and at rest.

However, effective governance elevates security even further. SharePoint allows you to apply various limits and restrictions when sharing among external users. You can also create sites where external sharing is deactivated. Then it’s simply a case of creating sites to share specific pieces of content.

But before you start putting these sorts of measures into practice, decide on a plan for your SharePoint governance.

How to create a SharePoint governance plan

Governance policies will always change over time due to a mix of internal drivers shaped by strategic objectives and external influences, such as changing privacy laws and legislation. Businesses have to adapt to stay compliant, often changing how they collaborate, store, and share information.

To succeed in this sort of landscape, you need to establish a foundation – in the form of a SharePoint governance plan. And that starts with having the right leaders in place.

Start by forming a governance team

SharePoint offers a way to ensure multi-disciplinary teams stay aligned, even across departments and potential silos. This form of cross-functional approach works best when supported by a broad mix of objectives, behavior, and culture, with decision-makers leading by example.

It starts with establishing a steering group responsible for overseeing SharePoint-related activity, with members drawn from a wide range of disciplines. You’ll need to recruit stakeholders with the power to influence, develop, and guide SharePoint governance principles. These should include some or all of the below functions:

  • Strategy and execution
    Responsible for the overall success of SharePoint governance and with the necessary authority to request and implement organizational procedures. They will most likely be drawn from the C-Suite, board room, and related senior executive levels.
  • Finance and procurement
    Large-scale SharePoint success calls for large-scale investment and measuring ROI. You’ll need executive-level support to monitor and report on progress, with expertise coming from the CFO level.
  • Business and operations
    SharePoint governance is about building a system. As with all systems, you need a 360-degree view of business operations, from architecture and infrastructure to operational aspects such as SLAs and disaster recovery, alongside an understanding of how they impact company policies and procedures.
  • Technical and software
    SharePoint’s customization options require specialist leaders who can identify what’s required across the business from the system and the best practices to follow while also maintaining security, reliability, and visibility.
  • End users and evangelists
    A functioning feedback loop relies on engaged and motivated employees. People who are ready and able to identify when and where SharePoint meets their needs. And also confident to voice strong opinions and suggest areas for improvement.
  • Compliance and legal
    The regulatory extent depends on the industry where you operate. At a minimum, there should be transparent tools for monitoring and demonstrating compliance with relevant legislation and audits.

Agree on what needs to be governed in a SharePoint governance plan

The next step is to decide who should implement the agreed vision from the governance team. Whether you’re a top-down organization or a flat hierarchy, you’ll need to establish responsibilities within SharePoint, such as who can:

  • Create, manage, and delete SharePoint sites
    A Super Admin role, often with global privileges.
  • Deal with strategic functions to optimize SharePoint operations
    A senior Admin role, with the ability to monitor SharePoint performance and make recommendations for improvements.
  • Manage routine tasks and requests
    A service or helpdesk role, able to create accounts, manage passwords, and monitor uptime and security.
  • Own SharePoint resources
    A frontline end user role, able to create groups and sites and add content to lists and libraries.
  • Encourage adoption and education
    A power user role, willing to take on new initiatives and lead by example within teams.

Confirm actions and frequency

You’ve built the governance team. You’ve defined roles and assigned the related responsibilities. Now it’s time to confirm what’s needed to maintain momentum and enforce a SharePoint governance plan. This includes:

  • How often will the governance plan be reviewed?
    Due to differing workloads and business demands, you may need to compromise and have C-level/board-level members attend reviews less often than other stakeholders.
  • How will progress be measured?
    Request feedback from the most active users, and identify low-activity users to uncover potential problem areas and provide support to bridge any knowledge gaps.
  • What training is available for users and the agreed roles outlined above?
    Alongside enlisting SharePoint subject matter experts, this may involve working with compliance and legal teams. As data comes in from multiple sources at greater volumes and speeds, governance actions should include anticipating, preparing, and enforcing changes based on legal requirements for information inside SharePoint.
  • How will changes and updates be communicated?
    As with all large-scale transformative projects, communication is key. Decide on how best to engage and motivate staff, such as through SharePoint intranet and internet sites.

SharePoint governance best practices

Best practices are just a starting point, at least until you start getting data and feedback that will inform and shape future directions. While you’re waiting, here are some recommendations for governance in SharePoint.

Define roles and responsibilities

As discussed above, establishing roles and responsibilities should occur at your SharePoint implementation’s planning stage. The objective should be to maintain business continuity if a staff member leaves a team or is unavailable for a governance-related function.

To adjust responsibilities for a SharePoint site’s roles:

1. Click Site settings:

SharePoint governance site settings

2. Under Users and Permissions, you’ll find clickable options to configure responsibilities and permissions for people, groups, sites, and administrators: 

SharePoint site settings

Establish information architecture

Organizations may be surrounded by data, but uncovering insights means knowing where to look. And the more familiar the layout, the easier users can find what they need. Take this into consideration when you plan these SharePoint elements:

  • Global navigation
    How you structure all SharePoint sites, including the main intranet and companywide policies, news, and resources.
  • Hub structure
    How you group similar topics, tasks, items, and related content.
  • Local navigation
    How content is arranged and created on specific pages.
  • Metadata architecture
    How content will be indexed and surfaced – and how much access is granted depending on the nature of the content.
  • Search function
    How users will search for information – search box or explore menus?
  • Personalization
    How much content should be generic compared to offering a more granular and customized experience.

It’s often easier to align information architecture to your existing company structure. Use consistent naming conventions that users already know based on recognized departments and roles. That way, you prioritize usability, clarity, and findability. Plus, your users don’t have to waste time finding what they need.

Implement managed metadata

SharePoint offers multiple ways to manage metadata based on how rigid you want the SharePoint experience to be. For example, Admins can set pre-defined terms that can be used for the taxonomy. These can be locally within specific sites or globally across the entire environment.

Alternatively, you may allow enterprise keywords or keyphrases. Users can add these at either list or library level. These can be any text, allowing freedom that is either a benefit or a problem, depending on your preferred approach. To activate this function:

1. Open or create the list or library in SharePoint:

SharePoint library

2. Select Settings:

3. Under Permissions and Management, click Enterprise Metadata and Keywords Settings.

SharePoint enterprise metadata and keywords settings

4. Tick the box under Enterprise Keywords:

Enterprise metadata and keyword settings

Set policies for SharePoint content retention and expiry

Expiries can be defined based on use cases. For example, HIPAA states six years’ retention from when content was last used or effective. Meanwhile, PCI DSS’s Requirement 3.1 states merchants should “keep cardholder data storage to a minimum.”

For non-sensitive data, a common approach is based on usage. Site owners can be prompted to confirm they still need sites to remain active.

To set expiration policies:

1. Open the SharePoint admin center

2. Click Policies > Sharing

3. Scroll down to Choose expiration and permissions options for Anyone links

4. Tick the box next to These links must expire within this many days and enter the number of days:

SharePoint links expiration policy

5. Within this section, you’ll also find other options for sharing and permissions related to files and folders

It’s also possible to set an expiration policy for Microsoft 365 Groups in Azure AD. Active groups can be auto-renewed, saving time on manual checking. Group owners receive notifications to renew or delete inactive groups (30, 15, and 1 day prior).

You’ll need to be a Global Administrator of your Azure AD organization and then:

1. Go to https://portal.azure.com/

2. In the sidebar under Settings, click Expiration

Azure AD setting an expiration policy

3. You can now set the number of days in a group’s lifetime, contact email addresses for groups without owners, and set whether expiration applies to all groups, some or none

Track audit logs

SharePoint allows you to track activity by users within sites. You can also drill down to view actions within lists, libraries, content types, items, and files – at levels to help you meet necessary compliance and security requirements.

Here’s how to do it in SharePoint Classic:

1. Open Site Settings 

2. Under Site Collection Administration, click Site collection audit settings:

SharePoint Classic Site collection audit settings location

3. You’ll find options to configure the audit log’s maximum retention period, event types to audit, and event actions:

SharePoint Classic configure audit settings

For SharePoint Modern, you can access audit logs using Microsoft Purview. To check whether audit logging is turned on, first run this command in Exchange PowerShell and check that the value returned is True:

Get-AdminAuditLogConfig | Format-List UnifiedAuditLogIngestionEnabled 

1. Now go to https://compliance.microsoft.com

2. Click Audit:

Microsoft Purview audit screenshot

3. You’ll find parameters to configure the audit, including dates, times, activities, users, workloads, record types, files, folders, and sites:

Microsoft Purview edit parameters screenshot
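
The same audit data can be reviewed from a script. The PowerShell below is an added example, not part of the original article: it groups sharing events that expose content outside the organization by site. The function name and the sample records are constructed for illustration, and the AuditData field names are assumed to follow the SharePoint sharing schema of the unified audit log.

```powershell
# Added example: Get-ExternalSharingSummary is a hypothetical helper, not a built-in cmdlet.
function Get-ExternalSharingSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Record
    )
    begin {
        # Sharing operations that can expose content to people outside the tenant.
        $riskyOps = 'AnonymousLinkCreated', 'SharingInvitationCreated', 'AddedToSecureLink'
        $hits = [System.Collections.Generic.List[object]]::new()
    }
    process {
        foreach ($r in $Record) {
            # AuditData is a JSON string; skip records that do not parse.
            try { $d = $r.AuditData | ConvertFrom-Json -ErrorAction Stop }
            catch { Write-Warning 'Skipping record with unparsable AuditData'; continue }
            if ($d.Operation -notin $riskyOps) { continue }
            # Anyone links are always external; other operations count only for guests.
            if ($d.Operation -eq 'AnonymousLinkCreated' -or $d.TargetUserOrGroupType -eq 'Guest') {
                $hits.Add($d)
            }
        }
    }
    end {
        # One row per site, busiest first, so site owners can be contacted in order.
        $hits | Group-Object SiteUrl | Sort-Object Count -Descending | ForEach-Object {
            [pscustomobject]@{
                SiteUrl    = $_.Name
                Events     = $_.Count
                Users      = ($_.Group.UserId | Sort-Object -Unique) -join ', '
                Operations = ($_.Group.Operation | Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Constructed sample records shaped like Search-UnifiedAuditLog output (not real data).
$sample = @(
    [pscustomobject]@{ AuditData = '{"Operation":"AnonymousLinkCreated","UserId":"alice@contoso.example","SiteUrl":"https://contoso.example/sites/finance/"}' }
    [pscustomobject]@{ AuditData = '{"Operation":"SharingInvitationCreated","UserId":"bob@contoso.example","SiteUrl":"https://contoso.example/sites/finance/","TargetUserOrGroupType":"Guest"}' }
    [pscustomobject]@{ AuditData = '{"Operation":"SharingInvitationCreated","UserId":"carol@contoso.example","SiteUrl":"https://contoso.example/sites/hr/","TargetUserOrGroupType":"Member"}' }
    [pscustomobject]@{ AuditData = 'not json' }
)
$sample | Get-ExternalSharingSummary | Format-Table -AutoSize

# Live use, from an Exchange Online PowerShell session with audit logging enabled:
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -RecordType SharePointSharingOperation -ResultSize 5000 | Get-ExternalSharingSummary
```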

Define rules for SharePoint usage

To minimize the overlap of tools and channels, include use cases to guide users within SharePoint.

For example, documents relating to projects and sprints should be stored in Microsoft Teams under the Wiki tab. Corporate documents impacting the wider business should be stored in SharePoint.

Admins can also set storage limits for SharePoint sites to minimize risks of exceeding quotas:

1. Go to your SharePoint admin center

2. Click Settings

3. Click Site storage limits:

SharePoint Site storage limits settings

4. Select Manual:

SharePoint site storage limits manual

5. Open a site in SharePoint where you want to set a storage limit 

6. Click Edit under Storage limit:

SharePoint edit storage limit

7. Enter the maximum storage allowed. You can also set the threshold for alerting owners when a site is approaching its storage limit:

SharePoint limit used storage
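
The Anyone link expiration, external sharing, and storage limit settings described in this guide can be checked against a baseline from a script. The PowerShell below is an added example, not part of the original article: the function name, its parameters, the thresholds, and the sample tenant and site objects are constructed for illustration, reusing property names returned by Get-SPOTenant and Get-SPOSite in the SharePoint Online Management Shell.

```powershell
# Added example: Test-SharingBaseline and its defaults are hypothetical, not a built-in cmdlet.
function Test-SharingBaseline {
    param(
        [Parameter(Mandatory)] $Tenant,
        [Parameter(Mandatory)] [object[]] $Site,
        [int] $MaxAnyoneLinkDays = 30,            # assumed governance baseline
        [string[]] $ExternalSharingAllowed = @(), # site URLs approved for external sharing
        [int] $StorageWarnPercent = 80            # assumed alert threshold
    )
    # Tenant level: Anyone links must expire, and within the agreed number of days.
    $expiry = [int]$Tenant.RequireAnonymousLinksExpireInDays
    if ($Tenant.SharingCapability -eq 'ExternalUserAndGuestSharing' -and
        ($expiry -le 0 -or $expiry -gt $MaxAnyoneLinkDays)) {
        [pscustomobject]@{ Scope = 'Tenant'
            Finding = "Anyone link expiry is '$expiry' days; baseline is 1 to $MaxAnyoneLinkDays" }
    }
    foreach ($s in $Site) {
        # Site level: external sharing only on sites the governance team approved.
        if ($s.SharingCapability -ne 'Disabled' -and $s.Url -notin $ExternalSharingAllowed) {
            [pscustomobject]@{ Scope = $s.Url
                Finding = "External sharing is '$($s.SharingCapability)' on a site that is not approved for it" }
        }
        # Storage: StorageUsageCurrent and StorageQuota are both reported in MB.
        if ($s.StorageQuota -gt 0) {
            $pct = [math]::Round(100 * $s.StorageUsageCurrent / $s.StorageQuota, 1)
            if ($pct -ge $StorageWarnPercent) {
                [pscustomobject]@{ Scope = $s.Url
                    Finding = "Storage at $pct% of quota ($($s.StorageQuota) MB)" }
            }
        }
    }
}

# Constructed sample objects (not real data) so the check runs offline.
$tenant = [pscustomobject]@{ SharingCapability = 'ExternalUserAndGuestSharing'; RequireAnonymousLinksExpireInDays = -1 }
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.example/sites/hr'; SharingCapability = 'ExternalUserSharingOnly'; StorageUsageCurrent = 950; StorageQuota = 1024 }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/partners'; SharingCapability = 'ExternalUserAndGuestSharing'; StorageUsageCurrent = 100; StorageQuota = 2048 }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/legal'; SharingCapability = 'Disabled'; StorageUsageCurrent = 10; StorageQuota = 1024 }
)
Test-SharingBaseline -Tenant $tenant -Site $sites `
    -ExternalSharingAllowed 'https://contoso.example/sites/partners' | Format-List

# Live use, after Connect-SPOService:
#   Test-SharingBaseline -Tenant (Get-SPOTenant) -Site (Get-SPOSite -Limit All)
# Matching remediation cmdlets:
#   Set-SPOTenant -RequireAnonymousLinksExpireInDays 30
#   Set-SPOSite -Identity <site url> -SharingCapability Disabled
#   Set-SPOSite -Identity <site url> -StorageQuota 2048 -StorageQuotaWarningLevel 1800
```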

Apply retention policies and labels

By default, SharePoint items are retained and then deleted after five years. Applying retention policies and labels gives you more granular control, so you can:

  • Help comply with legislation that specifies how long to retain data.
  • Reduce security risks by minimizing how long SharePoint data is available.
  • Support employees to find and share relevant and timely content.

There are three main types of retention settings:

  • Retain-only
    Retain content within SharePoint permanently or for specified time periods.
  • Delete-only
    Delete content after specified time periods.
  • Retain-and-delete
    Retain content for specified time periods, and then permanently delete.

To configure and apply retention policies and labels:

1. Go to https://compliance.microsoft.com

2. Under Solutions in the sidebar, click Data lifecycle management:

Microsoft Purview data lifecycle management

3. Select a tab to set retention policies, labels, and label policies:

Microsoft Purview retention policies edit

4. Within the data policies tab, it’s also possible to automatically apply labels to content (depending on your Microsoft Purview subscription). Simply click Auto-apply a label:

Microsoft Purview auto apply a label

Auto-applied retention label policies won’t override existing retention labels. You’ll have to manually remove any applied retention labels first.

A copy of the original (pre-modified) version is stored in the Preservation Hold library for content modified or deleted during the retention period. When a user leaves your organization, the content they create in SharePoint is retained, unlike content in their mailbox or OneDrive account.

SharePoint governance myths

With so many features and functions within SharePoint, it’s little surprise there are myths floating around. So let’s look into some of the misconceptions that often crop up and see what’s what:

  • SharePoint governance should always be top-down
    This depends on the nature of the business. However, the free-flowing nature of modern data means a similarly non-linear approach is often suitable. After all, with SharePoint, there’s no start and end point – usage is an organic process.
  • SharePoint governance should be prescriptive
    Users should be empowered in their SharePoint experience, including encouraging self-service. They just need the security of a clear, configured governance plan and easy-to-use tools and solutions.
  • SharePoint is IT’s responsibility
    Yes, the IT team provides the tools, setup, and recommendations for procurement. As for day-to-day usage, collaboration, site, and document creation? That’s down to the end users.
  • SharePoint search results aren’t intuitive
    Planning information architecture, optimizing metadata, and establishing correct taxonomy – all contribute to generating better search results. A little education goes a long way too. For example, letting users know they can use * at the end of a search term, so “govern*” would show results about governance, government, and governed.

Are you ready to go ahead with your SharePoint governance? Wait just one second. Here’s something to help you on your way.

SharePoint governance template

The considerations below are designed to form a foundation for your SharePoint governance. They contain lists of questions designed to address common areas and considerations. In particular, how to:

  • Keep SharePoint streamlined and fit for purpose.
  • Support the environment’s security and compliance postures. 
  • Maximize ROI, efficiency, and productivity.
  • Ensure continuous improvement.
  • Minimize disruption to business continuity.

For easier use, please view the template on your desktop or laptop:


Vision statement


What do we want SharePoint to achieve?  

Ideas and examples

This should come from your governance team. Crucial questions to answer include: 

  • What factors will support this objective? 
  • Who (specific individuals) are responsible for SharePoint? 

Policy guidelines

What regulatory requirements do we need to follow? 

Factors influencing your answer will include your approaches around Zero Trust and Principle of Least Privilege (POLP).

What types of permissions and restrictions are required for files and sites? 

Explore how to define permissions at two levels within SharePoint:  
1) Sites, folders, and files 
2) Users and groups 

How many roles will be in use for SharePoint users? 

Explore best practices for SharePoint’s default roles and controls.  


Are there established site designs and templates all users should follow?

Use SharePoint Site Templates as a foundation for consistency.

Indexing and ‘searchability’

What are the guidelines for using metadata in SharePoint, such as when provisioning sites? 

Retention labels and expiry policies

Alongside the relevant regulatory requirements, your answers also depend on how much freedom you want to allow users in SharePoint.

Sharing and access requests

This is a common balancing act. You’ll need to weigh up user experience and speed of access, against security and governance requirements.

Global Admins and SharePoint Admins should review Microsoft guidance for changing sharing settings.

You should review the progress of this template regularly, usually monthly, during the initial stages. And with that out of the way, it’s safe to say you’re now ready to develop, apply, and optimize SharePoint governance within your organization!
