As SharePoint Online continues to evolve, so too does your role as admin. So how can you maintain continuity in your SharePoint environment? Microsoft MVP Drew Madelung (@dmadelung) breaks down the essentials of SharePoint management.
SharePoint’s role within the Microsoft 365 platform has evolved in the past few years. SharePoint Online is not just a structure for site creation and management; it has also become the main storage platform for Microsoft 365, making it the backbone of content collaboration in the modern workplace.
For SharePoint admins, keeping pace with advanced features and workflows in Microsoft’s world of constant change requires new processes that fit the needs of their organization and adapt as those needs change over time.
So what does a SharePoint admin need to know about managing SharePoint in Microsoft 365?
Drew covers some important tips for managing SharePoint like a pro.
Watch the webinar, or read through our recap of Drew’s key points and Q&A from the webinar.
- Understanding the structure of SharePoint Online
- Modern SharePoint team sites are powered by Microsoft 365 Groups
- Administering SharePoint Online
- Deploy a governance plan for modern SharePoint in your organization
- Modern SharePoint site provisioning
- Key takeaways
- Can I have separate archiving rules for different document libraries?
- Should OneDrive have the same permissions as SharePoint?
- What should a SharePoint admin be responsible for when it comes to monitoring and governance?
- How do I set up app-based permissions for automation activities?
- What’s the best way to organize SharePoint sites generated by Microsoft Teams?
- How do I implement an architecture strategy?
- How do I track or monitor who’s making changes in all the admin centers as a SharePoint Online/Teams admin?
- Building a new site for external sharing vs. making current sites available for external sharing: What’s best?
- Should I use Microsoft 365 Groups to create item-level permissions?
- How can I manage permissions and use reports for a large tenant using ShareGate?
Understanding the structure of SharePoint Online
In order to manage SharePoint Online effectively, you need to understand how it powers file collaboration across the entire Microsoft 365 ecosystem.
From there, you’ll be able to build your SharePoint environment and configure the policies and controls around it. And you’ll be able to understand how the changes you make in SharePoint Online will impact your Microsoft 365 environment.
Before building and configuring your SharePoint environment, there are a few things you should consider:
- SharePoint provides the content services for all files in Microsoft 365, including files you work with in Teams, Yammer, OneDrive for Business, and Outlook
- All files are stored in SharePoint
- Shared settings should be configured for your SharePoint team site, Microsoft Teams, and OneDrive for Business
- Every OneDrive site is a SharePoint site collection
Modern SharePoint team sites are powered by Microsoft 365 Groups
A Microsoft 365 group gets created automatically when you do the following in these products:
- Planner: Create a new plan
- SharePoint: Create a new site collection
- Outlook: Create a new group
- Power BI: Create a new workspace
- Teams: Create a new team
A team in Teams, a SharePoint team site, and a group in Outlook are all provisioned in Microsoft 365 Groups.
It’s important to understand that you’ll have group-backed SharePoint sites and non-group-backed SharePoint sites. A group-backed SharePoint site will have different capabilities and management options than a SharePoint site that isn’t group-backed, depending on the backend resource.
Administering SharePoint Online
The SharePoint Admin Center isn’t a ‘set-it-and-forget-it’ tool; it’s where you monitor what’s going on in your ever-changing environment.
SharePoint Online provides central administration integrated with the Microsoft 365 admin center. It’s also possible to open separate admin centers for various services, which can be used for managing the available settings for individual services. However, this largely depends on the plan and region the organization falls into.
According to Drew, one of the best ways to tackle SharePoint administration is to become familiar with the other areas in Microsoft 365 that impact file collaboration. Some settings for Groups, Teams, and SharePoint in Microsoft 365, particularly related to sharing and group/team and SharePoint site creation, overlap.
| SharePoint | Security & compliance | Microsoft 365 |
|---|---|---|
| Manage sharing | DLP | User management |
| View user profiles | Classification | Initiate signout |
| Site creation | Alerts | Get access |
| Default storage & retention | | |
| Term store & gallery | | |
| Link to app catalog | | |
- Global admins in Microsoft 365 can assign users the SharePoint admin role for help with administering SharePoint. The global admin role already has all the permissions of the SharePoint admin role. Drew recommends no more than five global admins in your organization to ensure security.
- Use app-based permissions for automation activities such as SharePoint reporting, instead of using SharePoint admin role accounts or user-based identity.
- Switch to modern authentication that enables features such as multi-factor authentication (MFA), and disable the basic authentication protocol to significantly improve security.
Deploy a governance plan for modern SharePoint in your organization
Drew has some tips for creating an effective SharePoint governance plan that accounts for both SharePoint Online management and business growth.
While it may be tempting to lock down your environment and restrict access to features, he recommends taking a holistic approach to governance instead.
What do your users need for them to work with files in Microsoft 365? What rules do you need to implement to support your users at an organizational or compliance level? And how should you empower your users to do their best work without being restrictive?
Start by forming a governance steering committee that includes stakeholders from your organization (not just IT!) and meet regularly to discuss risks, governance strategy, end-user training, and any steps you need to keep data secure in your organization’s intranet.
Together, you should create guidelines around the following governance items:
- Site architecture
- Third-party tools
- Custom integrations
Modern SharePoint site provisioning
SharePoint on-premises doesn’t provide out-of-the-box functionality, which means end users depend on admins to enable certain features for them. Relying on custom solutions to provision sites for end users is now a thing of the past.
Modern SharePoint provisioning is:
- Microsoft 365 group-powered
- Smarter templating
SharePoint site lifecycle management
SharePoint sites can quickly multiply if you don’t delete them when they’re no longer needed. Keeping outdated sites around contributes to sprawl from a lack of governance, which can make it difficult for people to find information and risk the security of company data.
When you start to think about protection, how will you think about finding content? What is the lifecycle of user management? How will you ensure that you can remove access at the appropriate time when someone leaves the organization?
As a site admin, you can use site policies to help control site proliferation:
Expiration policies: Implementing an expiration policy in the organization can help secure data and service access. You can specify an expiration period, and any inactive group that reaches the end of that period and is not renewed will be deleted, including archived teams. The expiration period begins when the group is created, or on the date it was last renewed.
Retention policies: If security and compliance are a big concern for your organization, then retention policies are probably your best bet. They’re designed to address a specific compliance requirement by preserving or deleting data after the expiration timeline that you’ve set. When you apply a retention policy to a SharePoint site, it will apply to all documents, even those that were created before the policy was applied.
Ownerless sites: When a user leaves the organization, their account will be deleted from Azure AD, and if that user is a site admin, that site will become ownerless. Your lifecycle management plan should include regular monitoring of your environment so you can identify ownerless sites and assign a new owner ASAP.
Sensitivity labels: With sensitivity labels, you can classify data across your organization, and enforce protection settings based on that classification without hindering collaboration.
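One way to run the ownerless-site check described above for group-backed sites, where the site's owners come from the Microsoft 365 group. This is an added example, not code from the webinar or from ShareGate; it assumes the Microsoft Graph PowerShell SDK is installed, and it goes slightly beyond the text by also flagging groups whose only owners are disabled accounts.

```powershell
# Added example: read-only report of Microsoft 365 groups with no usable owner.
# Assumptions: Microsoft.Graph PowerShell SDK is installed and the signed-in
# account can consent to the Group.Read.All and User.Read.All scopes.
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All'

# 'Unified' is the group type of Microsoft 365 groups (Teams, team sites, Planner...).
$groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All `
    -Property Id, DisplayName, Mail, CreatedDateTime

$findings = foreach ($group in $groups) {
    $owners = @(Get-MgGroupOwner -GroupId $group.Id -All)

    # Keep only owners that resolve to an enabled user account. Owners that are
    # not users (for example service principals) do not resolve and are not counted.
    $activeOwners = @($owners | Where-Object {
        $user = Get-MgUser -UserId $_.Id -Property AccountEnabled -ErrorAction SilentlyContinue
        $user -and $user.AccountEnabled
    })

    if ($activeOwners.Count -eq 0) {
        [pscustomobject]@{
            Group      = $group.DisplayName
            Mail       = $group.Mail
            Created    = $group.CreatedDateTime
            OwnerCount = $owners.Count
            Reason     = if ($owners.Count -eq 0) { 'No owners' } else { 'All owners disabled' }
        }
    }
}

# Review the list with the governance committee and assign new owners.
$findings | Sort-Object Reason, Group | Format-Table -AutoSize
```

The script only reads directory data; sites that are not group-backed need a separate check of their site collection administrators.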
Key takeaways
These points are a great place to start.
- Governance committee: Keep an open line of communication with business stakeholders.
- Be proactive: Establish delivery of items (i.e., site provisioning, building a governance committee, etc.) based on priority.
- Build workstreams: Establish individual workstreams and assign roles.
- Smart goals: Set realistic dates and goals that you can attain.
- Allow for change: Establish a cadence as your requirements change or new technologies roll out.
The third edition of our Pass the Mic webinar series on SharePoint management sparked a lot of discussion and a ton of live questions. We’ve rounded up some of the top questions from our webinar and combined Drew’s and our expertise to create our SharePoint management Q&A!
Can I have separate archiving rules for different document libraries?
The only out-of-the-box archiving solution today is for an entire Microsoft 365 tenant and its supporting SharePoint sites and apps. When you archive a team, all activity for that team ceases. Archiving a team also archives private channels in the team and their associated site collections. However, you can still add or remove members, update roles, and view all team activity in standard and private channels, files, and chats. Archived Teams data will also still be visible in search, so it’s not necessarily true “archiving.” So when you archive a Team, all document libraries in any primary or supporting SharePoint site collection will be marked as read-only.
If you want to do archiving by document library, you will need to create your own process. You can modify the permissions of just a document library or move the files from that document library to a new location that has different permissions. Normally, a key component of archiving is removing the content from search, but be careful when doing that per library as it will remove it from potential compliance policies that utilize search. You could also apply retention labels to every file in the document library to retain/delete those files, but that would not move them out of visibility in the normal sense of an “archive” request.
Should OneDrive have the same permissions as SharePoint?
OneDrive permissions will never be the same as SharePoint for a user unless a user creates their own SharePoint site just for their use. By default, when a OneDrive site collection is created by the user, the user will be the site collection owner and any files shared will grant access to another user by file or folder. Overall, users are not adding permissions to the entire OneDrive site collection.
SharePoint site permissions will at first be granted to the owners defined during site creation. The owners can then manipulate the permissions of that site by adding and removing members at the site collection level to grant access to all its content.
What should a SharePoint admin be responsible for when it comes to monitoring and governance?
Global Reader is the most efficient way to grant access to the admin portals and determine the configurations that exist across the tenant that will impact SharePoint. Report Reader can be used for high-level reports, but this will not grant access across the different admin centers.
How do I set up app-based permissions for automation activities?
Microsoft provides a good walkthrough of putting together app-only access to SharePoint Online using Microsoft Graph permissions granted through an Azure AD application. You can then use this to connect to SharePoint Online using the PnP PowerShell module to automate specific activities. Check out the official Microsoft documentation about the topic.
There’s also a new permission level for specific site collections that’s available via the Microsoft Graph if you need to perform activities on only a subset of site collections. Check out Microsoft’s article about controlling app access on specific SharePoint site collections in Microsoft Graph.
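The per-site-collection grant mentioned above, which also serves the earlier recommendation to use app-based permissions for reporting automation, could look like this. It is an added example, not code from the webinar or from Microsoft's documentation; the app ID, display name, hostname and site path are placeholders, and it assumes the app registration already holds the Sites.Selected application permission with admin consent.

```powershell
# Added example: give one automation app access to one site collection only.
# Assumptions: Microsoft.Graph PowerShell SDK is installed; the signed-in admin
# can consent to the delegated Sites.FullControl.All scope.
$appId    = '00000000-0000-0000-0000-000000000000'  # placeholder client ID of the automation app
$appName  = 'SharePoint reporting automation'       # hypothetical display name
$hostname = 'contoso.sharepoint.com'                # placeholder tenant hostname
$sitePath = '/sites/Finance'                        # placeholder site collection path
$role     = 'read'                                  # reporting needs read; use 'write' only if required

Connect-MgGraph -Scopes 'Sites.FullControl.All'
$graph = 'https://graph.microsoft.com/v1.0'

# Resolve the site collection's Graph ID from hostname and server-relative path.
$site = Invoke-MgGraphRequest -Method GET -Uri "$graph/sites/${hostname}:${sitePath}"

# With Sites.Selected the app can reach no site until a grant like this exists.
$body = @{
    roles               = @($role)
    grantedToIdentities = @(@{ application = @{ id = $appId; displayName = $appName } })
} | ConvertTo-Json -Depth 5

Invoke-MgGraphRequest -Method POST -Uri "$graph/sites/$($site.id)/permissions" `
    -Body $body -ContentType 'application/json' | Out-Null

# Review every application grant on the site so stale or over-broad entries stand out.
$grants = Invoke-MgGraphRequest -Method GET -Uri "$graph/sites/$($site.id)/permissions"
foreach ($g in $grants.value) {
    # Fetch each grant by ID to read its roles.
    $detail = Invoke-MgGraphRequest -Method GET -Uri "$graph/sites/$($site.id)/permissions/$($g.id)"
    [pscustomobject]@{
        PermissionId = $detail.id
        Roles        = $detail.roles -join ', '
        Application  = ($detail.grantedToIdentities |
                        ForEach-Object { $_.application.displayName }) -join ', '
    }
}
```

Run the review loop on a schedule as well, so grants to retired automation apps are noticed and removed.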
What’s the best way to organize SharePoint sites generated by Microsoft Teams?
There’s no need to organize SharePoint site collections generated by Microsoft Teams. We can now see which site collections in the SharePoint admin center have a Microsoft Team connected to them, so if you’re making any policy changes, you’ll know the impact on the team. Microsoft Teams will continue to create new site collections for the primary site or private and shared channels. If you need to govern or classify those SharePoint site collections, it should be done at the container or group level, and using sensitivity labels is the most efficient way because they’re built into the creation and editing process.
Any advice on how to implement an architecture strategy?
When it comes to Information Architecture (IA), admins may not know what’s best for the organization. You need to establish open lines of communication with your end users to gather feedback on what IA would benefit them. This can start with a champion network or a way to educate your end users about what their options are when it comes to hub sites and how to build web parts that connect between sites. As things get more advanced, the usage of content types and managed metadata columns between site collections can add more value. This is built through requirement-gathering processes within your organization and establishing a plan to deliver it. Don’t build IA solutions without actual business needs.
How do I track or monitor who’s making changes in all the admin centers as a SharePoint Online/Teams admin?
All changes that go through M365 admin centers should go through a change-tracking or approval process that different admins know about. Establishing a RACI for M365 will help establish who should be informed of specific changes in different admin centers. At a minimum, a changelog can be used and made available to the appropriate admins. For example, a changelog can be as easy as a Microsoft Teams channel that includes what change was put in and when.
Building a new site for external sharing vs. making current sites available for external sharing: What’s best?
I think the best way to manage external sharing per site collection is through sensitivity labels. This will allow either architecture decision to have a single site or multiple. There can be specific reasons that a single site would be better such as a specific vendor that needs controls managed per site. This is most common in an extranet scenario that requires limited external access and isn’t expected to change. When using sensitivity labels, you can deploy the label that allows external sharing to only specific people so it can still be scoped down.
Should I use Microsoft 365 Groups to create item-level permissions?
There’s nothing wrong with using Microsoft 365 Groups to grant permissions throughout Microsoft 365, including item-level permissions. If there’s a need to grant access at that level, it’s most likely better to use Groups for item-level permissions because then you have fewer direct permissions by users, and it’s easier to grant access to items that need extended access beyond a single person.
How can I manage permissions and use reports for a large tenant using ShareGate?
Try limiting the scope by using a report as the first step in identifying a subset of your sites. Then, run security reports from the results. Watch our demo video to see how to run a security report from the results of another report.