Control 4.2: Site Access Reviews and Certification
Control ID: 4.2
Pillar: SharePoint
Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, FINRA 25-07, SEC 17a-4, NYDFS 500.07
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Establish periodic reviews of SharePoint site access to help ensure that only authorized users and AI agents retain access to sensitive content, with site attestation policies requiring site owners to certify on a recurring cadence that access permissions remain appropriate. This control is the primary access governance loop for SharePoint sites used as Microsoft 365 Copilot and Copilot Studio agent knowledge sources.
Why This Matters for FSI
- GLBA 501(b): Access reviews support administrative safeguards by demonstrating periodic review of who can access nonpublic personal information held in SharePoint sites
- SOX 404: Attestation contributes evidence of control operating effectiveness for ITGC access management testing
- FINRA 4511, FINRA 25-07: Reviews help limit access to books and records to authorized personnel; attestation records provide supervisory evidence under FINRA Rule 3110
- SEC 17a-4: Site attestation responses, access review decisions, and remediation records are themselves business records and should be retained in WORM-protected storage for the regulator-required period (typically 6 years)
- NYDFS 500.07: Reviews help align access with the principle of least privilege and document the authorization decision trail required by Part 500
No companion solution by design
Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.
Control Description
Terminology Note
"Site Access Reviews" in this control refers to access governance workflows initiated through SharePoint Advanced Management Data Access Governance (DAG) reports, not a separately named Microsoft feature. When searching Microsoft documentation, look for "Data Access Governance" or "site access governance."
This control establishes access governance for SharePoint sites, particularly those serving as AI agent knowledge sources. Key capabilities include:
| Capability | Description | FSI Relevance |
|---|---|---|
| Data Access Governance Reports | Snapshot reports on site permissions and sharing | Identify oversharing risks |
| Site Attestation Policies | Automated workflows requiring owner certification | Periodic access validation |
| Entra Access Reviews | Formal access review workflows with auto-remediation | Compliance evidence |
| Service Account Auditing | Review of AI agent service principal permissions | Least privilege validation |
Key Configuration Points
- Generate SharePoint Advanced Management (SAM) Data Access Governance (DAG) reports to baseline the current permission state — start with Content shared with Everyone Except External Users (EEEU), Sharing links, Site permissions, and the Oversharing baseline using permissions report
- Initiate Site Access Reviews from DAG report rows, prioritizing sites surfaced in the EEEU and Oversharing baseline reports and any site flagged in the Agent Insights / Agent Access Insights reports as a high-traffic agent knowledge source
- Configure Site Attestation Policies in SharePoint Admin Center for enterprise-managed sites, scoped by sensitivity label (Confidential, Highly Confidential) and/or site template
- Customize site attestation notification email templates (GA December 2025) with organization-specific compliance language and escalation contacts
- Establish complementary Microsoft Entra Access Reviews for the Microsoft 365 Groups and security groups that grant SharePoint access (quarterly for Zone 3, semi-annual for Zone 2)
- Include AI agent service principals (and Sites.Selected grants) in a dedicated review track separate from human users
- Set up auto-remediation actions (read-only for non-attested sites; deny / remove membership for declined access review decisions)
- Apply a Purview retention label or retention policy to the storage location holding attestation responses, access review decisions, and remediation records so that they are retained for the regulator-required period (commonly 6 years for FINRA / SEC books-and-records firms)
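Added example (not from the framework or Microsoft) showing how the Entra access review track from the points above can be created with the Microsoft Graph PowerShell SDK: one recurring review per M365 Group behind a site, site owners as reviewers, a fallback reviewer, and the zone cadence (quarterly for Zone 3, semi-annual for Zone 2) with auto-applied deny. The group and user IDs are constructed placeholders that would come from the Agent Inventory / site register.

```powershell
# Added example: recurring Entra access reviews for the M365 Groups that grant SharePoint access.
# Assumes the Microsoft.Graph PowerShell SDK (Install-Module Microsoft.Graph) and an account
# allowed to manage access reviews. IDs below are constructed placeholders.
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "Group.Read.All"

# Constructed input: group object IDs and zones for agent-grounded sites
$sitesInScope = @(
    @{ DisplayName = "FIN-Trading-Policies";  GroupId = "00000000-0000-0000-0000-000000000001"; Zone = 3 },
    @{ DisplayName = "OPS-Branch-Procedures";  GroupId = "00000000-0000-0000-0000-000000000002"; Zone = 2 }
)
$fallbackReviewerId = "00000000-0000-0000-0000-0000000000ff"   # placeholder: compliance reviewer user ID

# Zone cadence from this control, expressed as a monthly recurrence interval
$intervalByZone = @{ 3 = 3; 2 = 6 }

foreach ($site in $sitesInScope) {
    $params = @{
        displayName             = "SharePoint access review - Zone $($site.Zone) - $($site.DisplayName)"
        descriptionForAdmins    = "Control 4.2 periodic review of group membership granting site access"
        descriptionForReviewers = "Confirm each member still needs access to this site's content"
        scope = @{
            "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
            query         = "/groups/$($site.GroupId)/transitiveMembers"   # nested members included
            queryType     = "MicrosoftGraph"
        }
        reviewers         = @(@{ query = "/groups/$($site.GroupId)/owners"; queryType = "MicrosoftGraph" })
        fallbackReviewers = @(@{ query = "/users/$fallbackReviewerId";      queryType = "MicrosoftGraph" })
        settings = @{
            mailNotificationsEnabled        = $true
            reminderNotificationsEnabled    = $true
            justificationRequiredOnApproval = $true
            defaultDecisionEnabled          = $true
            defaultDecision                 = "Deny"    # no response within the window => access removed
            instanceDurationInDays          = 14
            autoApplyDecisionsEnabled       = $true     # remove membership without a manual apply step
            recommendationsEnabled          = $true
            recurrence = @{
                pattern = @{ type = "absoluteMonthly"; interval = $intervalByZone[$site.Zone]; dayOfMonth = 1 }
                range   = @{ type = "noEnd"; startDate = (Get-Date -Format "yyyy-MM-dd") }
            }
        }
    }
    $def = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $params
    Write-Host "Created review '$($def.DisplayName)' id=$($def.Id)"
}
```

Export each definition's Id alongside the site register so the per-cycle decisions can be pulled later and filed under the retention label described above.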
Technical Implementation Notes
SharePoint Site Access Reviews vs. Entra ID Access Reviews
This control refers to SharePoint Site Access Reviews, a SharePoint Advanced Management (SAM) feature distinct from Entra ID Access Reviews:
| Feature | SharePoint Site Access Reviews | Entra ID Access Reviews |
|---|---|---|
| Initiation | From DAG reports in SharePoint Admin Center | From Entra ID Governance portal |
| Reviewers | Site owners/admins (not configurable) | Configurable (managers, owners, self) |
| Scope | Sites identified in DAG reports | Groups, applications, access packages |
| Auto-Remediation | Read-only, archive, or delete site | Remove access, deny access |
DAG Report Integration
Site Access Reviews are initiated from Data Access Governance (DAG) reports, not by targeting arbitrary sites. Use the following DAG reports to identify sites requiring review:
- Content Shared with EEEU Report: Sites with "Everyone Except External Users" access (highest priority)
- Site Permissions Report: Sites with >1,000 users or numerous permission levels
- Sharing Links Report: Sites with excessive anonymous or external sharing links
Email Template Customization (GA December 2025)
Site attestation notification emails can now be customized per organization. Configure custom templates in SharePoint Admin Center > Policies > Site Access Review > Email Templates to include organization-specific instructions, compliance reminders, or escalation contacts.
Oversharing Baseline Report (GA)
SharePoint Advanced Management now includes an Oversharing baseline using permissions report type that identifies sites with excessive sharing relative to their sensitivity level. This report:
- Compares actual sharing permissions against organizational baselines
- Identifies sites where sharing exceeds expected patterns for the site's content sensitivity
- Provides actionable recommendations for tightening access controls
- Supports proactive data governance ahead of Copilot deployment to reduce grounding risk
Configure at SharePoint Admin Center > Reports > Data access governance > Oversharing baseline.
Additional Data Access Governance Reports (GA)
- Agent Insights report: Identifies sites with the highest agent counts and agent activity, helping administrators understand where AI agents are most actively accessing content
- Agent Access Insights report: Details how agents access content across SharePoint and OneDrive, including which agents access which sites and with what frequency
- Content Management Assessment: Provides one-click Copilot readiness scoring for sites, evaluating content organization, labeling, and access control maturity
- AI Insights: AI-powered pattern detection across data access governance reports, surfacing anomalies and trends that may require governance attention
Site Access Review Limits
SharePoint Advanced Management supports up to 1,000 site access reviews per month per tenant. Plan review cadences accordingly, prioritizing high-sensitivity sites and sites with the most Copilot agent interactions.
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Annual owner-led review of OneDrive and personal sites flagged in EEEU or Sharing links DAG reports; non-compliance action: notify owner | Baseline safety; minimizes overhead for low-risk content |
| Zone 2 (Team) | Semi-annual site attestation with site owner + group manager review; Entra access review of underlying M365 Group quarterly; non-compliance action: archive | Shared data accountability and Copilot grounding hygiene |
| Zone 3 (Enterprise) | Quarterly Site Attestation; quarterly Entra access review of underlying groups and any Sites.Selected service principals; Compliance + Legal sign-off on review decisions; non-compliance action: read-only and immediate escalation; retention of all evidence under SEC 17a-4 / FINRA 4511 retention schedule | Highest regulatory scrutiny; agent knowledge sources for regulated business processes |
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| SharePoint Admin | Configure Site Attestation Policies and email templates; generate and triage DAG reports; initiate Site Access Reviews from DAG rows |
| Entra Identity Governance Admin | Configure Entra Access Reviews for M365 Groups, security groups, and Sites.Selected service principal grants |
| SharePoint Site Owner | Respond to attestation requests; certify site membership and sharing posture; act on review decisions |
| Purview Records Manager | Apply retention labels / policies to attestation and review evidence to meet SEC 17a-4 / FINRA 4511 retention windows |
| Compliance Officer | Define review cadence by zone; sign off on Zone 3 review decisions; maintain WSP language describing the review program |
| AI Governance Lead | Define which sites in the Agent Inventory are in-scope for accelerated review based on Copilot/agent grounding |
Related Controls
| Control | Relationship |
|---|---|
| 4.1 - SharePoint IAG | Reviews identify sites needing restrictions |
| 1.5 - DLP and Sensitivity Labels | Labels determine review scope and frequency |
| 1.18 - Application-Level RBAC | Access reviews validate RBAC implementation |
| 3.1 - Agent Inventory | Identifies agents using SharePoint as knowledge source |
| 4.4 - Guest and External Access | Reviews verify guest access appropriateness |
| 4.8 - Item-Level Permission Scanning | Item-level scanning validates individual file permissions within reviewed sites |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- SAM Data Access Governance reports (EEEU, Sharing links, Site permissions, Oversharing baseline, Agent Insights, Agent Access Insights) are accessible and refreshed within the last 30 days
- Site Attestation Policies are configured and active for all sites carrying Confidential and Highly Confidential sensitivity labels
- Entra Access Reviews are scheduled with the cadence defined for each zone, with reviewers, fallback reviewers, and auto-apply settings configured
- AI agent service principals — including Sites.Selected grants — are enumerated and included in a dedicated review track
- Non-compliance actions (read-only, archive, or deny) are configured and have been observed firing on at least one test cycle
- Attestation responses and access review decisions are exported on each cycle and stored in a location covered by a retention label / policy aligned with SEC 17a-4 / FINRA 4511 (typically 6 years, WORM-protected)
- Review decisions and remediation actions are reflected in the Purview audit log (AccessReview* and SharePoint sharing operations) and tied back to the Agent Inventory record for any agent-grounded site
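Added example (not from the framework or Microsoft) for the service-principal criterion above: it enumerates every app granted Sites.Selected on Microsoft Graph and then lists the site-level grants on the agent-grounded sites, producing the rows a dedicated agent review track would certify. The site IDs are constructed placeholders; a real run takes them from the Agent Inventory.

```powershell
# Added example: build the review track for AI agent service principals holding Sites.Selected.
# Assumes the Microsoft.Graph PowerShell SDK; site IDs are constructed placeholders.
Connect-MgGraph -Scopes "Application.Read.All", "Sites.FullControl.All"

# Microsoft Graph's own service principal (well-known appId) exposes the Sites.Selected app role
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$sitesSelectedRole = $graphSp.AppRoles | Where-Object { $_.Value -eq "Sites.Selected" }

# Every principal assigned that role is an app-only identity able to reach SharePoint content
$holders = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
    Where-Object { $_.AppRoleId -eq $sitesSelectedRole.Id }
$holders | Select-Object PrincipalDisplayName, PrincipalId, CreatedDateTime |
    Export-Csv -Path "SitesSelected-holders.csv" -NoTypeInformation
# The SharePoint Online resource exposes its own Sites.Selected role; repeat the same lookup
# against that service principal if agents use SharePoint REST rather than Graph.

# Constructed input: site IDs of agent knowledge sources from the Agent Inventory (control 3.1)
$agentSiteIds = @(
    "contoso.sharepoint.com,11111111-1111-1111-1111-111111111111,22222222-2222-2222-2222-222222222222"
)

$rows = foreach ($siteId in $agentSiteIds) {
    foreach ($perm in Get-MgSitePermission -SiteId $siteId -All) {
        # grantedToIdentitiesV2 lists the applications a site-level grant applies to
        foreach ($ident in $perm.GrantedToIdentitiesV2) {
            [pscustomobject]@{
                SiteId       = $siteId
                AppName      = $ident.Application.DisplayName
                AppId        = $ident.Application.Id
                Roles        = ($perm.Roles -join ",")   # read / write / fullcontrol etc.
                PermissionId = $perm.Id
            }
        }
    }
}
$rows | Export-Csv -Path "AgentSite-permissions.csv" -NoTypeInformation
# A declined row is revoked with: Remove-MgSitePermission -SiteId <SiteId> -PermissionId <PermissionId>
```

Keep both CSVs with the cycle's attestation evidence so the agent track is retained under the same label as the human-user reviews.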
Additional Resources
- Data access governance reports in SharePoint
- Site lifecycle management policies
- SharePoint site attestation
- Create an access review of groups and applications
- Microsoft Graph access reviews API
- SharePoint Advanced Management overview
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current