Control 4.2: Site Access Reviews and Certification
Control ID: 4.2
Pillar: SharePoint
Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, NYDFS 500.07
Last UI Verified: February 2026
Governance Levels: Baseline / Recommended / Regulated
Last Verified: 2026-02-03
Objective
Establish periodic reviews of SharePoint site access to ensure only authorized users and agents can access sensitive content, with site attestation policies requiring site owners to certify that access permissions remain appropriate.
Why This Matters for FSI
- GLBA 501(b): Access reviews demonstrate appropriate access control management for customer information
- SOX 404: Attestation provides evidence of control operating effectiveness for internal control assessment
- FINRA 4511: Reviews help ensure only authorized personnel access records, with attestation providing supervision evidence
- NYDFS 500.07: Reviews help ensure access is limited to those with business need
Control Description
Terminology Note
"Site Access Reviews" in this control means the SharePoint Advanced Management site access review workflow, which is initiated from Data Access Governance (DAG) reports rather than against arbitrarily chosen sites. It is not the same feature as Entra ID Access Reviews, which this control also uses; the two are compared under Technical Implementation Notes. When searching Microsoft documentation, look for "site access review" or "Data Access Governance."
This control establishes access governance for SharePoint sites, particularly those serving as AI agent knowledge sources. Key capabilities include:
| Capability | Description | FSI Relevance |
|---|---|---|
| Data Access Governance Reports | Snapshot reports on site permissions and sharing | Identify oversharing risks |
| Site Attestation Policies | Automated workflows requiring owner certification | Periodic access validation |
| Entra Access Reviews | Formal access review workflows with auto-remediation | Compliance evidence |
| Service Account Auditing | Review of AI agent service principal permissions | Least privilege validation |
Key Configuration Points
- Generate Data Access Governance reports to assess current permission state
- Configure Site Attestation Policies for enterprise-managed sites
- Establish Entra Access Review schedules (quarterly for Zone 3, semi-annual for Zone 2)
- Include AI agent service accounts in dedicated review tracks
- Set up auto-remediation actions (read-only for non-attested sites)
- Archive attestation records for regulatory retention (6+ years)
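The Entra Access Review schedules and the dedicated agent service account track from the points above, written out with Microsoft Graph PowerShell as an added example (this is not the control's own playbook script). It assumes the Microsoft.Graph.Identity.Governance module, a signed-in principal holding AccessReview.ReadWrite.All, and hypothetical object IDs for the reviewed groups, the Compliance + Legal reviewer group, the AI Governance Lead's group, and a group that collects the user-type service accounts used by AI agents. The quarterly and semi-annual cadences, the justification requirement, and the fail-closed default decision are the control's requirements, not the API's defaults.

```powershell
#Requires -Modules Microsoft.Graph.Identity.Governance
# Added example for Control 4.2; not the page's own playbook script.
# Creates the recurring Entra ID access reviews the control calls for, via Microsoft Graph PowerShell.
# All object IDs below are hypothetical placeholders and must be replaced with real IDs.

Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All' -NoWelcome

function New-ControlAccessReview {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]      $DisplayName,
        [Parameter(Mandatory)] [string]      $ReviewedGroupId,  # members of this group are reviewed
        [Parameter(Mandatory)] [hashtable[]] $Reviewers,        # Graph reviewer queries (see callers below)
        [Parameter(Mandatory)] [ValidateSet(3, 6, 12)] [int] $IntervalMonths,
        [string] $StartDate    = (Get-Date).ToString('yyyy-MM-dd'),
        [int]    $DurationDays = 14
    )

    $body = @{
        displayName             = $DisplayName
        descriptionForAdmins    = 'Control 4.2 Site Access Reviews and Certification'
        descriptionForReviewers = 'Confirm each member still has a business need for the SharePoint access this group grants.'
        scope = @{
            '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
            query         = "/groups/$ReviewedGroupId/transitiveMembers"
            queryType     = 'MicrosoftGraph'
        }
        reviewers = $Reviewers
        settings  = @{
            mailNotificationsEnabled        = $true
            reminderNotificationsEnabled    = $true
            justificationRequiredOnApproval = $true   # reviewers must record a reason (attestation evidence)
            recommendationsEnabled          = $true   # flags members with no recent sign-in activity
            instanceDurationInDays          = $DurationDays
            autoApplyDecisionsEnabled       = $true   # denied members are removed without a manual step
            defaultDecisionEnabled          = $true
            defaultDecision                 = 'Deny'  # no reviewer response = access removed (fail closed)
            recurrence = @{
                pattern = @{ type = 'absoluteMonthly'; interval = $IntervalMonths }
                range   = @{ type = 'noEnd'; startDate = $StartDate }
            }
        }
    }
    New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $body
}

# Hypothetical object IDs
$zone3SitesGroup  = '00000000-0000-0000-0000-000000000001'  # grants access to Zone 3 enterprise sites
$complianceLegal  = '00000000-0000-0000-0000-000000000002'  # Compliance + Legal reviewers
$zone2TeamGroup   = '00000000-0000-0000-0000-000000000003'  # a Zone 2 team site's access group
$agentAccounts    = '00000000-0000-0000-0000-000000000004'  # user-type service accounts used by AI agents
$aiGovernanceLead = '00000000-0000-0000-0000-000000000005'  # AI Governance Lead's group

# Zone 3: quarterly, decided by Compliance + Legal
New-ControlAccessReview -DisplayName 'Zone 3 SharePoint access (quarterly)' `
    -ReviewedGroupId $zone3SitesGroup -IntervalMonths 3 `
    -Reviewers @(@{ query = "/groups/$complianceLegal/transitiveMembers"; queryType = 'MicrosoftGraph' })

# Zone 2: semi-annual, group owners plus each reviewed member's own manager
New-ControlAccessReview -DisplayName 'Zone 2 team site access (semi-annual)' `
    -ReviewedGroupId $zone2TeamGroup -IntervalMonths 6 `
    -Reviewers @(
        @{ query = "/groups/$zone2TeamGroup/owners"; queryType = 'MicrosoftGraph' },
        @{ query = './manager'; queryType = 'MicrosoftGraph'; queryRoot = 'decisions' }
    )

# Dedicated track for AI agent service accounts, on the Zone 3 cadence
New-ControlAccessReview -DisplayName 'AI agent service accounts - SharePoint access' `
    -ReviewedGroupId $agentAccounts -IntervalMonths 3 `
    -Reviewers @(@{ query = "/groups/$aiGovernanceLead/transitiveMembers"; queryType = 'MicrosoftGraph' })
```

The `defaultDecision = 'Deny'` setting is what turns a missed review into an access removal rather than a silent carry-forward; without it, a reviewer who never responds leaves every member in place and the quarterly cycle produces no control evidence. Group-based reviews cover user accounts; Entra service principals that are members of a group are not reviewed this way, so agents that run as app registrations need to be tracked through the agent inventory (Control 3.1) and reviewed against their SharePoint permissions separately.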
Technical Implementation Notes
SharePoint Site Access Reviews vs. Entra ID Access Reviews
This control refers to SharePoint Site Access Reviews, a SharePoint Advanced Management (SAM) feature distinct from Entra ID Access Reviews:
| Feature | SharePoint Site Access Reviews | Entra ID Access Reviews |
|---|---|---|
| Initiation | From DAG reports in SharePoint Admin Center | From Entra ID Governance portal |
| Reviewers | Site owners/admins (not configurable) | Configurable (managers, owners, self) |
| Scope | Sites identified in DAG reports | Groups, applications, access packages |
| Auto-Remediation | Read-only, archive, or delete site | Remove access, deny access |
DAG Report Integration
Site Access Reviews are initiated from Data Access Governance (DAG) reports, not by targeting arbitrary sites. Use the following DAG reports to identify sites requiring review:
- Content Shared with EEEU Report: Sites with "Everyone Except External Users" access (highest priority)
- Site Permissions Report: Sites with >1,000 users or numerous permission levels
- Sharing Links Report: Sites with excessive anonymous or external sharing links
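The DAG report to review pipeline described above, from generating the EEEU snapshot through starting reviews and locking non-attested sites read-only, as an added example using the SharePoint Online Management Shell (not the page's own playbook script). The admin URL and site URL are placeholders; the CSV column headers ('Site ID', 'Site URL'), the assumption that the export lands in the current directory, and the assumption that `Get-SPOSiteReview` with no parameters lists in-flight reviews with a `SiteId` property are assumptions to confirm against a real export before relying on them.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
# Added example for Control 4.2; not the page's own playbook script.
# Drives site access reviews from the "Everyone except external users" DAG report
# with the SharePoint Online Management Shell. URLs below are placeholders.

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$Entity = 'EveryoneExceptExternalUsersAtSite'

# Step 1: request a fresh snapshot. Generation is asynchronous, so this only starts
# the job; poll Get-SPODataAccessGovernanceInsight for completion and the ReportId.
function Start-EeeuSnapshot {
    $params = @{
        ReportEntity = $Entity
        Workload     = 'SharePoint'
        ReportType   = 'Snapshot'
        Name         = "Control 4.2 EEEU $(Get-Date -Format yyyy-MM-dd)"
    }
    Start-SPODataAccessGovernanceInsight @params
    Get-SPODataAccessGovernanceInsight -ReportEntity $Entity
}

# Step 2: open a site access review for every site the completed report flags.
function Start-SiteReviewsFromReport {
    param(
        [Parameter(Mandatory)] [string] $ReportId,
        [int] $MaxReviews = 200   # keep one run well under the 1,000 reviews/month tenant limit
    )
    # Assumption: the export writes a CSV into the current directory.
    Export-SPODataAccessGovernanceInsight -ReportEntity $Entity -ReportId $ReportId
    $csv  = Get-ChildItem -Path . -Filter '*.csv' | Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $rows = @(Import-Csv -Path $csv.FullName)

    # Assumption: reviews already in flight expose a SiteId property; those sites are skipped
    # so a re-run does not burn review quota on duplicates.
    $inFlight = @{}
    foreach ($r in @(Get-SPOSiteReview)) { $inFlight[[string]$r.SiteId] = $true }

    $started = 0
    foreach ($row in $rows) {
        if ($started -ge $MaxReviews) { break }
        # Assumption: column headers 'Site ID' and 'Site URL'; adjust to the real header row.
        $siteId = $row.'Site ID'
        if ([string]::IsNullOrWhiteSpace($siteId) -or $inFlight.ContainsKey($siteId)) { continue }
        $review = @{
            ReportID   = $ReportId
            SiteID     = $siteId
            ReviewName = "Control 4.2 EEEU review $(Get-Date -Format yyyy-MM-dd)"
            Comment    = 'This site grants access to Everyone except external users. Confirm the access is still needed or remove it. Sites without a response are set to read-only.'
        }
        Start-SPOSiteReview @review
        $started++
        Write-Host "Review started: $($row.'Site URL')"
    }
    Write-Host "$started of $($rows.Count) flagged sites sent for review"
}

# Step 3: remediation for sites whose owners did not attest by the deadline.
function Lock-NonAttestedSites {
    param([Parameter(Mandatory)] [string[]] $SiteUrls)
    foreach ($url in $SiteUrls) {
        Set-SPOSite -Identity $url -LockState ReadOnly   # reversible later with -LockState Unlock
        Write-Host "Locked read-only: $url"
    }
}

# Usage (placeholders):
# Start-EeeuSnapshot
# Start-SiteReviewsFromReport -ReportId '<ReportId from Get-SPODataAccessGovernanceInsight>'
# Lock-NonAttestedSites -SiteUrls 'https://contoso.sharepoint.com/sites/finance-archive'
```

The `$MaxReviews` cap is there because the tenant limit on site access reviews is monthly; a single run against a large EEEU report can exhaust the quota before the Zone 3 sites are reached, so run the highest-priority report first and keep the per-run cap below the remaining budget.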
Email Template Customization (GA December 2025)
Site attestation notification emails can now be customized per organization. Configure custom templates in SharePoint Admin Center > Policies > Site Access Review > Email Templates to include organization-specific instructions, compliance reminders, or escalation contacts.
Oversharing Baseline Report (GA)
SharePoint Advanced Management now includes an Oversharing baseline report (permissions-based) that identifies sites whose sharing is excessive relative to their sensitivity level. This report:
- Compares actual sharing permissions against organizational baselines
- Identifies sites where sharing exceeds expected patterns for the site's content sensitivity
- Provides actionable recommendations for tightening access controls
- Supports proactive data governance ahead of Copilot deployment, reducing the risk that Copilot grounds responses on overshared content
Configure at SharePoint Admin Center > Reports > Data access governance > Oversharing baseline.
Additional Data Access Governance Reports (GA)
- Agent Insights report: Identifies sites with the highest agent counts and agent activity, helping administrators understand where AI agents are most actively accessing content
- Agent Access Insights report: Details how agents access content across SharePoint and OneDrive, including which agents access which sites and with what frequency
- Content Management Assessment: Provides one-click Copilot readiness scoring for sites, evaluating content organization, labeling, and access control maturity
- AI Insights: AI-powered pattern detection across data access governance reports, surfacing anomalies and trends that may require governance attention
Site Access Review Limits
SharePoint Advanced Management supports up to 1,000 site access reviews per month per tenant. Plan review cadences accordingly, prioritizing high-sensitivity sites and sites with the most Copilot agent interactions.
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Annual review of broadly-shared personal sites | Baseline safety |
| Zone 2 (Team) | Semi-annual attestation with owner + manager review | Shared data accountability |
| Zone 3 (Enterprise) | Quarterly formal review; Compliance + Legal sign-off; immediate escalation for non-compliance | Highest regulatory scrutiny |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| SharePoint Admin | Configure attestation policies, generate access reports |
| Entra Identity Governance Admin | Configure access reviews in Entra ID |
| SharePoint Site Collection Admin | Site-level permission management, respond to attestation |
| Compliance Officer | Define review requirements, validate evidence |
| AI Governance Lead | Review scope for agent knowledge source sites |
Related Controls
| Control | Relationship |
|---|---|
| 4.1 - SharePoint IAG | Reviews identify sites needing restrictions |
| 1.5 - DLP and Sensitivity Labels | Labels determine review scope and frequency |
| 1.18 - Application-Level RBAC | Access reviews validate RBAC implementation |
| 3.1 - Agent Inventory | Identifies agents using SharePoint as knowledge source |
| 4.4 - Guest and External Access | Reviews verify guest access appropriateness |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Data Access Governance reports are accessible and showing current data
- Site Attestation Policies are configured for enterprise-managed sites
- Entra Access Reviews are scheduled with appropriate reviewers
- AI agent service accounts are included in review scope
- Non-compliance actions (read-only/archive) are configured
- Attestation records are archived with appropriate retention
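The verification criteria above, turned into an evidence-collection script as an added example (not the page's Verification & Testing playbook). It assumes both the SharePoint Online Management Shell and the Microsoft.Graph.Identity.Governance module, a placeholder admin URL and evidence path, that `Get-SPOSiteReview` with no parameters lists the tenant's reviews, and that the Entra review definitions carry the display names used when they were created ('Zone 3*', 'AI agent service accounts*'); the SHA-256 manifest is there so the bundle can go into the 6+ year retention archive as a tamper-evident unit.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell, Microsoft.Graph.Identity.Governance
# Added example for Control 4.2; not the page's own verification playbook.
# Collects the evidence behind the verification criteria into a timestamped folder
# with a SHA-256 manifest. URLs, paths and review display names are assumptions.

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Connect-MgGraph -Scopes 'AccessReview.Read.All' -NoWelcome

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$dir      = (New-Item -ItemType Directory -Force -Path "C:\Evidence\Control-4.2\$stamp").FullName
$findings = [System.Collections.Generic.List[string]]::new()

function Save-Evidence($Name, $Object) {
    $Object | ConvertTo-Json -Depth 8 | Set-Content -Path (Join-Path $dir "$Name.json") -Encoding utf8
}

# Criterion: DAG reports are accessible and show current data (EEEU report used here)
$reports = @(Get-SPODataAccessGovernanceInsight -ReportEntity EveryoneExceptExternalUsersAtSite)
Save-Evidence 'dag-eeeu-reports' $reports
if ($reports.Count -eq 0) { $findings.Add('No EEEU Data Access Governance report has been generated') }

# Criterion: site access reviews are running (assumption: a no-parameter call lists them all)
$siteReviews = @(Get-SPOSiteReview)
Save-Evidence 'site-access-reviews' $siteReviews
if ($siteReviews.Count -eq 0) { $findings.Add('No site access reviews found') }

# Criteria: Entra reviews scheduled with reviewers, agent track present, auto-remediation configured
$defs = @(Get-MgIdentityGovernanceAccessReviewDefinition -All)
Save-Evidence 'entra-access-review-definitions' $defs

function Test-ReviewDefinition {
    param($Definition, [int] $ExpectedIntervalMonths)
    $s = $Definition.Settings
    $p = $s.Recurrence.Pattern
    $ok = ($p.Type -eq 'absoluteMonthly') -and ([int]$p.Interval -eq $ExpectedIntervalMonths) -and
          $s.AutoApplyDecisionsEnabled -and $s.DefaultDecisionEnabled -and ($s.DefaultDecision -eq 'Deny') -and
          ($Definition.Reviewers.Count -gt 0)
    return [bool]$ok
}

# Assumption: display names follow the convention used when the reviews were created
$zone3 = @($defs | Where-Object DisplayName -like 'Zone 3*')
$agent = @($defs | Where-Object DisplayName -like 'AI agent service accounts*')
if ($zone3.Count -eq 0) { $findings.Add('No Zone 3 access review definition') }
elseif (-not (Test-ReviewDefinition $zone3[0] 3)) { $findings.Add('Zone 3 review is not quarterly with reviewers and an auto-applied Deny default') }
if ($agent.Count -eq 0) { $findings.Add('No dedicated AI agent service account review track') }
elseif (-not (Test-ReviewDefinition $agent[0] 3)) { $findings.Add('Agent service account review is not quarterly with an auto-applied Deny default') }

# Findings, then a hash manifest so the archived bundle is tamper-evident
if ($findings.Count -eq 0) { $findings.Add('All verification criteria met') }
$findings | Set-Content -Path (Join-Path $dir 'findings.txt')
$hashes = Get-ChildItem -Path $dir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash
$hashes | Export-Csv -Path (Join-Path $dir 'SHA256-manifest.csv') -NoTypeInformation
Write-Host "Evidence written to $dir"
```

Store the manifest hashes somewhere the evidence folder's writers cannot alter (a ticket, a signed email to the Compliance Officer, or a WORM-backed location); the JSON exports then prove what the tenant configuration was on the review date, and the manifest proves the exports were not edited afterwards.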
Additional Resources
- Data access governance reports in SharePoint
- Site lifecycle management policies
- SharePoint site attestation
- Create an access review of groups and applications
- Microsoft Graph access reviews API
- SharePoint Advanced Management overview
Updated: February 2026 | Version: v1.2 | UI Verification Status: Current