Work With SharePoint in Microsoft 365

In recent years, SharePoint’s role within the Microsoft 365 platform has evolved. SharePoint Online is more than just a framework for site creation and management; it has also evolved into the primary storage platform for Microsoft 365, serving as the foundation for content collaboration in the modern workplace.

Keeping up with advanced features and workflows in Microsoft’s world of constant change requires new processes that fit your organization’s needs, both now and as those needs change over time.

So, what does a SharePoint administrator need to know about SharePoint management in Microsoft 365?

Understanding the structure of SharePoint Online

To effectively manage SharePoint Online, you must first understand how it powers file collaboration across the entire Microsoft 365 ecosystem.

You’ll be able to build your SharePoint environment and configure the policies and controls that go with it from there. You’ll also be able to see how changes you make in SharePoint Online affect your Microsoft 365 environment.

There are a few things you should think about before building and configuring your SharePoint environment:

  • SharePoint provides the content services for all files in Microsoft 365, including files you work with in Teams, Yammer, OneDrive for Business, and Outlook
  • All files are stored in SharePoint
  • Shared settings should be configured for your SharePoint team site, Microsoft Teams, and OneDrive for Business
  • Every OneDrive site is a SharePoint site collection

Modern SharePoint team sites are powered by Microsoft 365 Groups

A Microsoft 365 group is created automatically when you do the following in these products:

  • Planner: Create a new plan
  • SharePoint: Create a new site collection
  • Outlook: Create a new group
  • Power BI: Create a new workspace
  • Teams: Create a new team

In Microsoft 365 Groups, a team in Teams, a SharePoint team site, and an Outlook group are all provisioned.

It’s critical to understand that you’ll have both group-backed and non-group-backed SharePoint sites. Depending on the backend resource, a group-backed SharePoint site will have different capabilities and management options than a non-group-backed SharePoint site.

Administering SharePoint Online

The SharePoint Admin Center isn’t a “set it and forget it” tool; rather, it’s where you can keep track of what’s going on in your ever-changing environment.

SharePoint Online offers centralized management that is integrated with the Microsoft 365 admin center. It’s also possible to set up separate admin centers for different services, which can be used to manage the available settings for the individual services, though this is largely dependent on the organization’s plan and region.

One of the best ways to approach SharePoint administration is to become acquainted with the other areas of Microsoft 365 that affect file collaboration. Some Groups, Teams, and SharePoint settings in Microsoft 365, particularly those related to sharing and group/team and SharePoint site creation, overlap.

Admin centers

SharePoint:

  • Manage sharing
  • Sites
  • View user profiles
  • Site creation
  • Sync
  • Default storage & retention
  • Home site
  • Notifications
  • Term store & gallery
  • Migration
  • API access
  • Link to app catalog

Security & compliance:

  • DLP
  • Retention
  • Classification
  • Alerts
  • Content search

Microsoft 365:

  • User management
  • Licensing
  • Initiate sign out
  • Get access

Admin roles

  1. Global administrators in Microsoft 365 can grant users the SharePoint admin role to assist with SharePoint administration. The global admin role already has all of the SharePoint admin role’s permissions. We recommend that your organization have no more than 5 global admins to ensure security.

  2. Instead of using SharePoint admin role accounts or user-based identity, use app-based permissions for automation activities such as SharePoint reporting.

  3. To significantly improve security, use modern authentication that includes features like multi-factor authentication (MFA) and disable the basic authentication protocol.

Deploy a governance plan for modern SharePoint in your organization

While it may be tempting to lock down your environment and restrict access to features, we recommend instead taking a comprehensive approach to governance.

What do your users require to work with files in Microsoft 365? What rules must you implement to support your users on an organizational or compliance level? And how should you empower your users to do their best work while remaining non-restrictive?

Gathering those requirements and determining the level of adoption required for SharePoint leads to the IT controls that will be implemented.

Begin by forming a governance steering committee that includes stakeholders from across your organization (not just IT!) and meets on a regular basis to discuss risks, governance strategy, end-user training, and any other steps necessary to keep data secure on your intranet.

You should collaborate to develop guidelines for the following governance items:

  • Site architecture
  • Navigation
  • Security
  • Branding
  • Third-party tools
  • Custom integrations
  • Training
  • Support

Modern SharePoint site provisioning

SharePoint on-premises does not provide out-of-the-box functionality, so end users must rely on administrators to enable specific features for them. Using custom solutions to provision sites for end users is no longer an option.

Provisioning in modern SharePoint is:

  • Self-service
  • Microsoft 365 group-powered
  • Smarter templating
  • Fast

SharePoint site lifecycle management

If you don’t delete SharePoint sites when they’re no longer needed, they can quickly multiply. Keeping outdated sites around contributes to sprawl caused by a lack of governance, making it difficult for people to find information and jeopardizing the security of company data.

How will you think about content when you start thinking about security? What is the user management lifecycle? How will you ensure that when someone leaves the organisation, access is removed as soon as possible?

Site policies can be used by site administrators to help control site proliferation:

Expiration policies: instituting an expiration policy in the organization can aid in the security of data and service access. You can specify an expiration period, after which any inactive group that does not renew will be deleted, including archived teams. The group’s expiration period begins when it is created or when it was last renewed.

Retention policies: If your organization is concerned about security and compliance, retention policies are probably your best bet. They are intended to meet a specific compliance requirement by preserving or deleting data after the expiration date you specify. When you apply a retention policy to a SharePoint site, it applies to all documents, including those created before the policy was applied.

Ownerless sites: When a user leaves the organization, their Azure AD account is deleted, and if that user is a site admin, the site becomes ownerless. Regular monitoring of your environment should be part of your lifecycle management strategy so that you can identify ownerless sites and assign a new owner as soon as possible.

Sensitivity labels: Sensitivity labels allow you to categorize data across your organization and enforce protection settings based on that classification without interfering with collaboration.

If you don’t have to keep them, delete your SharePoint sites. And use the group expiration policies to start removing content before you need to.
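
The ownerless-site and expiration checks described above can be scripted against an exported group inventory. The following is an added example, not code from the original article: it assumes group records shaped like a Microsoft Graph groups listing with owners expanded, and the sample records, the 180-day lifetime and the 30-day warning window are constructed values.

```python
from datetime import datetime, timedelta

# Constructed sample records (assumed shape: Graph groups listing with owners expanded).
SAMPLE_GROUPS = [
    {"displayName": "Finance Team", "groupTypes": ["Unified"],
     "createdDateTime": "2023-01-10T09:00:00Z",
     "renewedDateTime": "2024-05-01T09:00:00Z",
     "owners": [{"userPrincipalName": "alex@example.com"}]},
    {"displayName": "Project Falcon", "groupTypes": ["Unified"],
     "createdDateTime": "2023-11-20T09:00:00Z",
     "renewedDateTime": None, "owners": []},
    {"displayName": "Vendor Extranet", "groupTypes": ["Unified"],
     "createdDateTime": "2022-03-01T09:00:00Z",
     "renewedDateTime": "2023-12-15T09:00:00Z", "owners": []},
    {"displayName": "Legacy DL", "groupTypes": [],
     "createdDateTime": "2019-01-01T00:00:00Z",
     "renewedDateTime": None, "owners": []},
]

def _parse(ts):
    """Parse an ISO 8601 UTC timestamp such as 2024-06-01T00:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def expires_on(group, lifetime_days):
    """The expiration period starts at creation or at the last renewal."""
    start = _parse(group.get("renewedDateTime") or group["createdDateTime"])
    return start + timedelta(days=lifetime_days)

def review_groups(groups, now_iso, lifetime_days=180, warn_days=30):
    """Return (name, issues, expiry date) for groups that need attention."""
    now = _parse(now_iso)
    findings = []
    for g in groups:
        if "Unified" not in g.get("groupTypes", []):
            continue  # only Microsoft 365 groups back modern team sites
        expiry = expires_on(g, lifetime_days)
        days_left = (expiry - now).days
        issues = []
        if not g.get("owners"):
            issues.append("ownerless")  # nobody left to manage or renew it
        if days_left < 0:
            issues.append("expired")
        elif days_left <= warn_days:
            issues.append("expiring")
        if issues:
            findings.append((g["displayName"], issues, expiry.date().isoformat()))
    return findings
```

Groups that are flagged as both ownerless and expiring are the ones to assign a new owner to first.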

Key takeaways

If you’re just starting out, these points are a great place to start.

  1. Governance committee: Keep an open line of communication with business stakeholders.
  2. Be proactive: Establish delivery of items (i.e., site provisioning, building a governance committee, etc.) based on priority.
  3. Build workstreams: Establish individual workstreams and assign roles.
  4. Smart goals: Set realistic dates and goals that you can attain.
  5. Allow for change: Establish a cadence as your requirements change or new technologies roll out.

Can I have separate archiving rules for different document libraries?

Today, the only out-of-the-box archiving solution is for an entire Microsoft 365 tenant, including all SharePoint sites and apps. When you archive a team, all activity on that team comes to a halt. When you archive a team, you also archive the team’s private channels and associated site collections. You can, however, add or remove team members, update roles, and view all team activity in standard and private channels, files, and chats. Archived Teams data will still be searchable, so it’s not always true “archiving.” As a result, when you archive a Team, all document libraries in any primary or supporting SharePoint site collection become read-only.

If you want to do document library archiving, you must develop your own process. You can change the permissions of a single document library or move the files in that document library to a different location with different permissions. Normally, removing it from search is a key component of archiving, but be careful when doing so per library as it will remove it from potential compliance policies that use search. You could also apply retention labels to each file in the document library to retain/delete those files, but this would not remove them from view in the traditional sense of an “archive” request.

Should OneDrive have the same permissions as SharePoint?

Unless a user creates their own SharePoint site specifically for their use, OneDrive permissions will never be the same as SharePoint permissions. When a user creates a OneDrive site collection, the user becomes the site collection owner by default, and any files shared grant access to another user by file or folder. Users are not adding permissions to the entire OneDrive site collection in general.

SharePoint site permissions will initially be granted to the owners specified when the site is created. The owners can then modify the permissions of that site by adding and removing members at the site collection level in order to grant access to all of its content.

What should a SharePoint admin be responsible for when it comes to monitoring and governance?

Global Reader is the most efficient way to grant access to admin portals and identify tenant-wide configurations that will impact SharePoint. Report Reader can be used for high-level reports, but it does not provide access across admin centers.

How do I set up app-based permissions for automation activities?

Microsoft provides a good walkthrough for configuring app-only access to SharePoint Online via Microsoft Graph permissions granted via an Azure AD application. You can then use this to connect to SharePoint Online and automate specific tasks using the PnP PowerShell module. Examine the official Microsoft documentation on the subject.

If you only need to perform activities on a subset of site collections, there’s a new permission level for specific site collections available through the Microsoft Graph. Check out Microsoft’s article on controlling app access in Microsoft Graph on specific SharePoint site collections.

What’s the best way to organize SharePoint sites generated by Microsoft Teams?

There is no need to organize Microsoft Teams-generated SharePoint site collections. We can now see which site collections in the SharePoint admin center are linked to a Microsoft Team, so if you make any policy changes, you’ll know the impact on the team. Microsoft Teams will continue to create new site collections for the primary site as well as private and shared channels. If you need to govern or classify those SharePoint site collections, you should do so at the container or group level, and the most efficient way is to use sensitivity labels, which are built into the creation and editing processes.

Any advice on how to implement an architecture strategy?

Administrators may not know what is best for the organization when it comes to Information Architecture (IA). You must maintain open lines of communication with your end users in order to gather feedback on how IA can benefit them. This can begin with a champion network or a method of educating your end users about their options for hub sites and how to build web parts that connect between sites. As technology advances, the use of content types and managed metadata columns between site collections can provide additional value. This is built through requirement gathering processes within your organization and the development of a delivery plan. Build IA solutions only when there are actual business needs.

How do I track or monitor who’s making changes in all the admin centers as a SharePoint Online/Teams admin?

All changes made through M365 admin centers should go through a change-tracking or approval process that all administrators are aware of. Creating a RACI for M365 will assist in determining who should be notified of specific changes in various admin centers. At the very least, a changelog can be used and distributed to the appropriate administrators. A changelog, for example, can be as simple as a Microsoft Teams channel that includes what change was made and when.

Building a new site for external sharing vs. making current sites available for external sharing: What’s best?

Sensitivity labels, in my opinion, are the best way to manage external sharing per site collection. This allows either architecture decision to have a single or multiple sites. There may be specific reasons why a single site would be preferable, such as a specific vendor who requires controls to be managed per site. This is most common in an extranet scenario where external access is limited and isn’t expected to change. When using sensitivity labels, you can deploy one that restricts external sharing to only specific people, allowing it to be scoped down.

Should I use Microsoft 365 Groups to create item-level permissions?

Nothing prevents you from using Microsoft 365 Groups to grant permissions across Microsoft 365, including item-level permissions. If that level of access is required, it’s probably better to use Groups for item-level permissions because you have less direct permissions by user and it’s easier to grant access to items that require extended access beyond a single person.
