Share via

Initiate site access reviews for Data access governance reports

Site access reviews in the SharePoint admin center allow IT administrators to delegate the process of reviewing data access governance reports to site owners of overshared sites.

This review process is crucial because:

  • IT administrators can't access file-level or item-level details due to compliance reasons.
  • Site owners are best positioned to review and address oversharing issues for their own sites.

Note

Site access review is supported only for SharePoint sites. It is currently not supported for OneDrive accounts.

What do you need to initiate a site access review?

To access the feature discussed in this article, your organization must meet specific licensing and administrative requirements.

What are the license requirements?

To use this feature, your organization must have one of the following base licenses:

  • Office 365 E5 or A5
  • Microsoft 365 E5 or A5

Additionally, you need at least one of these licenses:

  • Microsoft 365 Copilot license: At least one user in your organization must be assigned a Copilot license (this user does not need to be a SharePoint administrator).
  • Microsoft SharePoint Advanced Management license: Available as a standalone purchase.

Administrator requirements

You must be a SharePoint administrator or have equivalent permissions.

Additional information

If your organization has a Copilot license and at least one person in your organization is assigned a Copilot license, SharePoint administrators automatically gain access to the SharePoint Advanced Management features needed for Copilot deployment. The only SharePoint Advanced Management feature that's not included with Copilot is Restricted Site Creation.

For organizations without a Copilot license, you can use SharePoint Advanced Management features by purchasing a standalone SharePoint Advanced Management license.

In addition, before initiating a site access review, ensure that you meet the following requirements:

  • A nongovernment cloud tenant environment or GCC-Moderate government cloud environment. Site access reviews aren't supported in government cloud environments (GCCH, DoD, Gallatin).
  • Admin credentials for accessing the SharePoint admin center.
  • Site owners, who are available to respond to review requests, take necessary actions, and complete the review.

How site access review works

  • You can initiate site access reviews for up to 100 sites directly from the web view of data access governance reports.
  • If you need to review a larger number of sites, use PowerShell to initiate reviews.
  • When a review is initiated, the site owner receives an email tailored to the specific oversharing issue identified in the selected report. For example, if the review is for the "Content shared with 'Everyone except external users'" category, the email will focus only on sharing concerns related to that report.

Supported reports

Site access reviews are available for the following reports:

  • Sharing link reports (Anyone, PeopleInYourOrg, Specific People shared externally)
  • "Content shared with 'Everyone except external users'" reports
  • Oversharing baseline report using permissions

How to initiate a site access review

  1. Sign in to the SharePoint admin center with your admin credentials.

  2. Expand the Reports section and select Data access governance.

  3. Under "Content shared with 'Everyone except external users", select View reports.

  4. Choose a report and select the sites you want to review.

    Screenshot that shows Initiate site access review for sites listed within DAG report

  5. Select Initiate site access review.

  6. Add comments in the provided section to give context to the site owners.

    Screenshot that shows provide comments for context setting for site owners

  7. Select Send to initiate the review request.

Site access reviews can also be initiated using PowerShell commands.

Important

The number of Site access reviews that can be initiated from 'Site permissions across your organization' report is limited to 1000 per calendar month. The limit resets when the month changes.

Track site access reviews

To track all initiated site access reviews, go to the My review requests tab on the Data access governance landing page.

Screenshot that shows track all reviews initiated from a central page

Once a review is initiated, its status remains "pending" until the site owner completes it. After completion, the review status and comments will be updated with the reviewer's name and the date and time of completion. If a review fails (for example, due to an invalid email for the site owner), it's marked as failed.

You can track reviews using this PowerShell command as well.

Site access review process for site owners

When you initiate a review, site owners receive an email containing:

  • A relevant title.
  • Your comments (if any).
  • A request to review site permissions.
  • A link to a detailed access review page, specific to the identified issue in the data access governance report.

Here are examples of the different emails a site owner might receive:

  • Content shared with 'Everyone except external users' report for the past 28 days:

    Screenshot that shows email received by site owners for oversharing via EEEU

  • Sharing links report for the past 28 days:

    Screenshot that shows the detailed oversharing permissions reports email notification.

  • Oversharing baseline report using permissions: Screenshot that shows the sharing links within the last 28 days report email notification.

Review 'Everyone Except External Users' site access requests

Site owners can review and manage access in two main areas:

  • SharePoint groups:

    • View which groups contain 'Everyone except external users.'
    • See when and by whom the group was added.
    • Remove 'Everyone except external users' from groups if necessary:

      1. Open the SharePoint group membership page.

      2. Select Everyone except external users, select Actions, and select Remove users from group.

        Screenshot that shows displays sharepoint group members

  • Individual items (files/folders/lists):

    • View items shared with 'Everyone except external users' in the last 28 days.
    • See sharing details (who shared and when).
    • Manage access and remove permissions as needed:

      1. Select Manage access.

      2. Under the 'Everyone except external users' group in the Groups tab, select the group and select Remove access. See Stop sharing OneDrive or SharePoint files or folders, or change permissions for more information.

        Screenshot that shows view for site owner regarding items shared with eeeu.

Once the site owner opens the email, they're redirected to a detailed sharing links report. This report shows:

  • Files for which links were generated, with the date and the user who created the link.
  • The Manage access button allows site owners to remove or modify permissions.

The following screenshot shows the detailed sharing links report:

Screenshot that shows the detailed sharing links report.

Review 'Oversharing baseline using permissions' reports

When site owners select the email, they're redirected to the site access review page, where they can see the oversharing baseline using permissions report. This report helps site owners identify items with excessive permissions and take necessary actions.

Screenshot that shows the oversharing baseline using permission reports email notification.

The SharePoint admin views the number of users with permissions to a site in the Data access governance report. Site owners can see this number, along with how permissions are distributed across different site items. Items with the highest number of permissioned users are shown first, allowing the site owner to address the most exposed items.

Understanding the permissions report

Number of permissioned users

This column shows the total number of users who have permissions to a specific scope (Site, List, Folder, or File). It reflects the exposure of that item compared to others. However, it's important to note that this number isn't unique—if the same user has both direct and indirect permissions, they're counted multiple times.

Example:

Imagine a folder "F" with the following permissions:

  • 40 users from Group “A”
  • 10 users with direct permissions
  • 20 users with permissions via sharing links

The total number of permissioned users for folder "F" would be 80 (40 from Group “A” + 10 direct + 20 via sharing links). No deduplication is applied, so if the same user is in both Group “A” and has access via a sharing link, they're counted twice.

Additionally, the total number of permissioned users across all scopes might exceed the number of users shown in the email or Data Access Governance report. This happens because users can have permissions on multiple items. While a user might be counted once at the site level, they're counted separately for each item they have access to.

Number of groups

This column shows how many groups have permissions to a specific item or scope. Often, a large portion of exposure comes from permissions granted to groups, especially those with many members. Reducing exposure can be achieved by adjusting group memberships or removing unnecessary groups from permissions.

Select on the Group number to see the membership count of each group. This helps you identify which groups to target for reducing permissions.

Screenshot that shows a specific group and its member count.

This section displays:

  • The number of links (for example, "Anyone" or "People in your organization") that have been shared for the scope.
  • Whether the item is exposed to Everyone or EEEU (Everyone Except External Users).

If the number of links is high or the EEEU/Everyone column says "Yes," this is an immediate indicator that the item has broad exposure, and the site owner should focus on reducing permissions for that item.

Manage Access

The Manage Access button provides a way for the site owner to take action by:

  • Removing individual users
  • Modifying group memberships
  • Deleting links
  • Adjusting permissions

For a SharePoint site, selecting this button redirects to the SharePoint group management page. For individual items, it opens the Manage Access interface, allowing for more granular control over permissions.

Complete site access reviews

Once the site owner makes necessary changes (like modifying or removing permissions), they should:

  1. Select Complete review.
  2. Add any relevant comments.
  3. Submit the review.

Comments are sent back to the IT administrator, and the review will be marked as completed.

Manage multiple site access reviews

Site owners can receive and handle multiple site access review requests simultaneously. To track all review requests:

Screenshot that shows Master page to track all site review for a site.

  1. Go to the Site reviews page via:
    • The link in the review email.
    • The gear icon on the site home page:

      1. Select Site settings.

      2. Select Site reviews.

        Screenshot that shows path to site review page from site home page under gear icon.

      3. View all pending site access reviews.

      4. Complete reviews as necessary.

Data access governance reports

Microsoft SharePoint advanced management