SharePoint is at the heart of many Microsoft 365-powered organizations. That’s why protecting it with the right form of SharePoint governance is crucial.
You have to know the theory and apply it in practice to support your business processes and protect your people, along with managing the policies that govern your SharePoint usage and keep your information secure and accessible to the right people.
The good news is you’re in the right place to learn everything you need to know about SharePoint governance.
Microsoft defines SharePoint governance as a “set of policies, roles, responsibilities, and processes that control how your organization’s business divisions and IT teams work together to achieve its goals.”
In other words, how you govern SharePoint forms the basis for how your organization operates, collaborates, and develops. The evolving nature of these elements means SharePoint governance is a continuous process. It’s the opposite of a “set it and forget it” scenario and requires careful and ongoing guidance.
SharePoint’s influence impacts the entire business. Integrations extend across Microsoft 365 services, from Microsoft Teams and Microsoft 365 Groups to Planner, Outlook, and Stream. Apply the right governance, and benefits become apparent across multiple use cases, as shown below.
SharePoint site creation doesn’t happen in isolation; it is a collaborative process. Create a new team in Microsoft Teams, and SharePoint automatically creates a site. This transforms productivity, giving teams an instant repository and collaboration space. However, it also means another resource with lists, libraries, and pages that needs to be monitored and controlled.
Applying SharePoint governance means users can continue finding what they need – even as your organization expands. It also ensures you maintain the necessary levels of consistency and quality throughout your sites and pages. This creates a virtuous circle for users, where positive experiences keep them returning for more.
Data privacy is evolving fast, with legislation forecast to cover three-quarters of the world’s population by 2024. Further complexity comes from how different laws apply to different industries and regions.
Of course, Microsoft offers multiple ways to stay compliant within SharePoint. It just requires governance that regularly adapts procedures so organizations stay compliant when regulations such as HIPAA, GDPR, and PCI DSS are updated.
As data volumes grow (373.3 billion emails sent daily in 2023), governance plays a crucial role in preventing sprawl in the Microsoft 365 environment. Collaboration and information sharing can stay aligned, with users able to surface and access the information they need at the right time instead of losing time to sprawl.
There’s also the economic impact of effective SharePoint governance. Organizations get 1TB plus 10GB of storage per user license. Although extra storage can be purchased, proactively managing limits can help reduce the need for further investment.
Remote working is here to stay (58% of Americans reportedly work from home at least once a week). As a result, workers and their devices need on-demand access to intellectual property, Personally Identifiable Information, and sensitive data. SharePoint offers various safeguarding measures, such as multi-factor authentication, to mitigate threats to data in transit and at rest.
However, effective governance elevates security even further. SharePoint allows you to apply various limits and restrictions when sharing among external users. You can also create sites where external sharing is deactivated. Then it’s simply a case of creating sites to share specific pieces of content.
But before you start putting these sorts of measures into practice, decide on a plan for your SharePoint governance.
SharePoint governance policies will always change over time due to a mix of internal drivers shaped by strategic objectives and external influences, such as changing privacy laws and legislation. Businesses have to adapt to stay compliant, often changing how they collaborate, store, and share information.
To succeed in this sort of landscape, you need to establish a foundation – in the form of a SharePoint governance plan. And that starts with having the right leaders in place.
SharePoint offers a way to ensure multi-disciplinary teams stay aligned, even across departments and potential silos. This form of cross-functional approach works best when supported by a broad mix of objectives, behavior, and culture, with decision-makers leading by example.
It starts with establishing a steering group responsible for overseeing SharePoint-related activity, with members drawn from a wide range of disciplines. You’ll need to recruit stakeholders with the power to influence, develop, and guide SharePoint governance principles. These should include some or all of the below functions:
The next step is to decide who should implement the agreed vision from the governance team. Whether you’re a top-down organization or a flat hierarchy, you’ll need to establish responsibilities within SharePoint, such as who can:
You’ve built the governance team. You’ve defined roles and assigned the related responsibilities. Now it’s time to confirm what’s needed to maintain momentum and enforce a SharePoint governance plan. This includes:
Best practices are just a starting point, at least until you start getting data and feedback that will inform and shape future directions. While you’re waiting, here are some recommendations for governance in SharePoint.
As discussed above, establishing roles and responsibilities should occur at your SharePoint implementation’s planning stage. The objective should be to maintain business continuity if a staff member leaves a team or is unavailable for a governance-related function.
To adjust responsibilities for a SharePoint site’s roles:
1. Click Site settings:
2. Under Users and Permissions, you’ll find clickable options to configure responsibilities and permissions for people, groups, sites, and administrators:
Organizations may be surrounded by data, but uncovering insights means knowing where to look. And the more familiar the layout, the easier users can find what they need. Take this into consideration when you plan these SharePoint elements:
It’s often easier to align information architecture to your existing company structure. Use consistent naming conventions that users already know based on recognized departments and roles. That way, you prioritize usability, clarity, and findability. Plus, your users don’t have to waste time to find what they need.
SharePoint offers multiple ways to manage metadata based on how rigid you want the SharePoint experience to be. For example, Admins can set pre-defined terms that can be used for the taxonomy. These can apply locally within specific sites or globally across the entire environment.
Alternatively, you may allow enterprise keywords or keyphrases. Users can add these at either list or library level. These can be any text, allowing freedom that is either a benefit or a problem, depending on your preferred approach. To activate this function:
1. Open or create the list or library in SharePoint:
2. Select Settings:
3. Under Permissions and Management, click Enterprise Metadata and Keywords Settings.
4. Tick the box under Enterprise Keywords:
Expiries can be defined based on use cases. For example, HIPAA states six years’ retention from when content was last used or effective. Meanwhile, PCI DSS’s Requirement 3.1 states merchants should “keep cardholder data storage to a minimum.”
For non-sensitive data, a common approach is based on usage. Site owners can be prompted to confirm they still need sites to remain active.
To set expiration policies:
1. Open the SharePoint admin center
2. Click Policies > Sharing
3. Scroll down to Choose expiration and permissions options for Anyone links
4. Tick the box next to These links must expire within this many days and enter the number of days:
5. Within this section, you’ll also find other options for sharing and permissions related to files and folders
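The same Anyone-link expiry setting can be checked and enforced from the SharePoint Online Management Shell. This is an added example, not taken from the original page; the admin URL and the 30-day limit are placeholder values, and the site listing goes one step beyond the steps above by showing which sites still permit Anyone links.

```powershell
# Added example: audit and enforce expiry for "Anyone" sharing links.
# Assumes the Microsoft.Online.SharePoint.PowerShell module and a
# SharePoint Administrator account. URL and limit are placeholders.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
$MaxDays  = 30

Connect-SPOService -Url $AdminUrl

# 1. Record the tenant-wide sharing posture before changing anything.
$tenant = Get-SPOTenant
$tenant | Select-Object SharingCapability,
                        RequireAnonymousLinksExpireInDays,
                        DefaultSharingLinkType | Format-List

# 2. A value of 0 or below means Anyone links never expire. Enforce the
#    limit when expiry is missing or longer than the agreed maximum.
$current = $tenant.RequireAnonymousLinksExpireInDays
if ($current -le 0 -or $current -gt $MaxDays) {
    Set-SPOTenant -RequireAnonymousLinksExpireInDays $MaxDays
    Write-Host "Anyone-link expiry changed from $current to $MaxDays days."
} else {
    Write-Host "Anyone-link expiry already set to $current days."
}

# 3. List the sites whose own setting still permits Anyone links, so
#    owners can confirm that level of sharing is really needed.
$open = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' }
$open | Sort-Object Url | Select-Object Url, Owner, SharingCapability

# 4. To deactivate external sharing on a site that should stay internal
#    (uncomment and supply the site URL):
# Set-SPOSite -Identity '<site-url>' -SharingCapability Disabled
```

The expiry applies to links created after the change, so links that already exist should be reviewed separately.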
It’s also possible to set an expiration policy for Microsoft 365 Groups in Azure AD. Active groups can be auto-renewed, saving time on manual checking. Group owners receive notifications to renew or delete inactive groups (30, 15, and 1 day prior).
You’ll need to be a Global Administrator of your Azure AD organization and then:
1. Go to https://portal.azure.com/
2. In the sidebar under Settings, click Expiration:
3. You can now set the number of days in a group’s lifetime, contact email addresses for groups without owners, and set whether expiration applies to all groups, some or none
SharePoint allows you to track activity by users within sites. You can also drill down to view actions within lists, libraries, content types, items, and files – at levels to help you meet necessary compliance and security requirements.
Here’s how to do it in SharePoint Classic:
1. Open Site Settings
2. Under Site Collection Administration, click Site collection audit settings:
3. You’ll find options to configure the audit log’s maximum retention period, event types to audit, and event actions:
For SharePoint Modern, you can access audit logs using Microsoft Purview. To check if you have audit logs turned on, first run this command in Exchange PowerShell and check the True value is present:
1. Now go to https://compliance.microsoft.com
2. Click Audit:
3. You’ll find parameters to configure the audit, including dates, times, activities, users, workloads, record types, files, folders, and sites:
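The audit status check and the search described above can both be done from Exchange Online PowerShell. This is an added example, not code from the original page; the seven-day window, the result limit, and the choice of sharing operations to search for are assumptions made for the example.

```powershell
# Added example: confirm unified audit logging is on, then pull recent
# SharePoint sharing events. Assumes the ExchangeOnlineManagement module.
# Run this in Exchange Online PowerShell; in Security & Compliance
# PowerShell the ingestion property always reports False.
Connect-ExchangeOnline

$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit logging is OFF; no events are being recorded.'
    # To turn it on (changes can take time to take effect):
    # Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    return
}

# Example scope: sharing links and invitations created in the last 7 days.
$end   = Get-Date
$start = $end.AddDays(-7)
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointSharingOperation `
    -Operations AnonymousLinkCreated, SharingInvitationCreated `
    -ResultSize 1000

# The detail of each event is a JSON string in AuditData; flatten the
# fields a reviewer needs into one row per event.
$report = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        Site      = $d.SiteUrl
        Item      = $d.ObjectId
    }
}

$report | Sort-Object Time | Format-Table -AutoSize

# Summary per user, useful for spotting unusually heavy external sharing.
$report | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name
```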
To minimize the overlap of tools and channels, include use cases to guide users within SharePoint.
For example, documents relating to projects and sprints should be stored in Microsoft Teams under the Wiki tab. Corporate documents impacting the wider business should be stored in SharePoint.
Admins can also set storage limits for SharePoint sites to minimize risks of exceeding quotas:
1. Go to your SharePoint admin center
2. Click Settings
3. Click Site storage limits:
4. Select Manual:
5. Open a site in SharePoint where you want to set a storage limit
6. Click Edit under Storage limit:
7. Enter the maximum storage allowed. You can also set the threshold for alerting owners when a site is approaching its storage limit:
By default, items are retained and then deleted after five years. Applying SharePoint retention policies and labels gives you more granular control, so you can:
There are three main types of retention settings:
To configure and apply SharePoint retention policies and labels:
1. Go to https://compliance.microsoft.com
2. Under Solutions in the sidebar, click Data lifecycle management:
3. Select a tab to set retention policies, labels, and label policies:
4. Within the data policies tab, it’s also possible to automatically apply labels to content (depending on your Microsoft Purview subscription). Simply click Auto-apply a label:
Auto-applied retention label policies won’t override existing retention labels. You’ll have to manually remove any applied retention labels first.
A copy of the original (pre-modified) version is stored in the Preservation Hold library for content modified or deleted during the retention period. When a user leaves your organization, the content they create in SharePoint is retained, unlike content in their mailbox or OneDrive account.
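The portal steps above can also be scripted in Security & Compliance PowerShell. This added example (not the original page's code) creates a SharePoint retention policy using the six-year HIPAA figure quoted earlier; the policy name is hypothetical, and counting the six years from last modification is an assumption made for the example.

```powershell
# Added example: SharePoint retention policy, created disabled for review.
# Assumes the ExchangeOnlineManagement module and a role that is allowed
# to manage retention policies in Microsoft Purview.
$PolicyName    = 'Example - SharePoint six-year retention'  # hypothetical
$RetentionDays = 6 * 365                                    # 2190 days

Connect-IPPSSession

# Do not create a duplicate if the policy is already there.
$existing = Get-RetentionCompliancePolicy -Identity $PolicyName `
    -ErrorAction SilentlyContinue

if (-not $existing) {
    # Created disabled so nothing is enforced until it has been reviewed.
    New-RetentionCompliancePolicy -Name $PolicyName `
        -SharePointLocation All `
        -Enabled $false `
        -Comment 'Retain SharePoint content for six years (example).'

    # Keep = retain only. KeepAndDelete would also remove content once
    # the period ends. The period here is counted from last modification
    # (assumption for this example).
    New-RetentionComplianceRule -Name "$PolicyName - rule" `
        -Policy $PolicyName `
        -RetentionDuration $RetentionDays `
        -RetentionComplianceAction Keep `
        -ExpirationDateOption ModificationAgeInDays
}

# Show what was configured and whether it has been distributed.
Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail |
    Format-List Name, Enabled, SharePointLocation, DistributionStatus
Get-RetentionComplianceRule -Policy $PolicyName |
    Format-List Name, RetentionDuration, RetentionComplianceAction,
                ExpirationDateOption

# After review, switch the policy on:
# Set-RetentionCompliancePolicy -Identity $PolicyName -Enabled $true
```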
With so many features and functions within SharePoint, it’s little surprise there are myths floating around. So let’s look into some of the misconceptions that often crop up and see what’s what:
Are you ready to go ahead with your SharePoint governance? Wait just one second. Here’s something to help you on your way.
The considerations below are designed to form a foundation for your SharePoint governance. They contain lists of questions designed to address common areas and considerations. In particular, how to:
For easier use, please view the SharePoint governance template on your desktop or laptop:
| Element | Considerations | Ideas and examples |
|---|---|---|
| Vision statement | What do we want SharePoint to achieve? | This should come from your governance team. Crucial questions to answer include: |
| Policy guidelines | What regulatory requirements do we need to follow? What types of permissions and restrictions are required for files and sites? How many roles will be in use for SharePoint users? | Factors influencing your answer will include your approaches around Zero Trust and Principle of Least Privilege (POLP). Explore how to define permissions at two levels within SharePoint: 1) Sites, folders, and files Explore best practices for SharePoint’s default roles and controls. |
| Branding | Are there established site designs and templates all users should follow? | Use SharePoint Site Templates as a foundation for consistency. |
| Indexing and ‘searchability’ | What are the guidelines for using metadata in SharePoint, such as when provisioning sites? | Make use of metadata tracking in Microsoft Purview. |
| Retention labels and expiry policies | Alongside the relevant regulatory requirements, your answers also depend on how much freedom you want to allow users in SharePoint. | Discover how to define who has access to content within your environment, and for how long. |
| Sharing and access requests | This is a common balancing act. You’ll need to weigh up user experience and speed of access, against security and governance requirements. | Global Admins and SharePoint Admins should review Microsoft guidance for changing sharing settings. |
You should review the progress of this template regularly, usually monthly, during the initial stages. And with that out of the way, it’s safe to say you’re now ready to develop, apply, and optimize SharePoint governance within your organization!