
Control 4.2: Site Access Reviews and Certification

Control ID: 4.2
Pillar: SharePoint
Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, FINRA 3110, FINRA RN 24-09, SEC 17a-4, NYDFS 500.07
Last UI Verified: May 2026
Governance Levels: Baseline / Recommended / Regulated


Objective

Establish periodic reviews of SharePoint site access to help ensure that only authorized users and AI agents retain access to sensitive content, with site attestation policies requiring site owners to certify on a recurring cadence that access permissions remain appropriate. This control is the primary access governance loop for SharePoint sites used as Microsoft 365 Copilot and Microsoft Copilot Studio agent knowledge sources.


Why This Matters for FSI

  • GLBA 501(b): Access reviews support administrative safeguards by demonstrating periodic review of who can access nonpublic personal information held in SharePoint sites
  • SOX 404: Attestation contributes evidence of control operating effectiveness for ITGC access management testing
  • FINRA 4511 / RN 24-09 / Rule 3110: Reviews help limit access to books and records (Rule 4511) to authorized personnel; attestation records provide supervisory evidence under FINRA Rule 3110 and the generative-AI supervisory expectations in FINRA Regulatory Notice 24-09. (FINRA RN 25-07 is a monitored RFC on workplace modernization that touches AI-generated communications recordkeeping; not yet adopted — see framework/regulatory-framework.md.)
  • SEC 17a-4: Site attestation responses, access review decisions, and remediation records are themselves business records and should be retained in WORM-protected storage for the regulator-required period (typically 6 years)
  • NYDFS 500.07: Reviews help align access with the principle of least privilege and document the authorization decision trail required by Part 500

No companion solution by design

Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.

Control Description

Terminology Note

"Site Access Reviews" in this control refers to access governance workflows initiated through SharePoint Advanced Management Data Access Governance (DAG) reports, not a separately named Microsoft feature. When searching Microsoft documentation, look for "Data Access Governance" or "site access governance."

This control establishes access governance for SharePoint sites, particularly those serving as AI agent knowledge sources. Key capabilities include:

| Capability | Description | FSI Relevance |
| --- | --- | --- |
| Data Access Governance Reports | Snapshot reports on site permissions and sharing | Identify oversharing risks |
| Site Attestation Policies | Automated workflows requiring owner certification | Periodic access validation |
| Entra Access Reviews | Formal access review workflows with auto-remediation | Compliance evidence |
| Service Account Auditing | Review of AI agent service principal permissions | Least privilege validation |

Key Configuration Points

  • Generate SharePoint Advanced Management (SAM) Data Access Governance (DAG) reports to baseline the current permission state — start with Content shared with Everyone Except External Users (EEEU), Sharing links, Site permissions, and the Oversharing baseline using permissions report
  • Initiate Site Access Reviews from DAG report rows, prioritizing sites surfaced in the EEEU and Oversharing baseline reports and any site flagged in the Agent Insights / Agent Access Insights reports as a high-traffic agent knowledge source
  • Use the Content Management Assessment hub (SharePoint Admin Center → Content management assessment) for one-click Copilot readiness scoring across sites — this is a standalone SAM feature (not a DAG report) that runs a suite of essential reports surfacing content organization, labeling, and access-control maturity findings. See Assess your organization's content management status.
  • Configure Site Attestation Policies in SharePoint Admin Center for enterprise-managed sites, scoped by sensitivity label (Confidential, Highly Confidential) and/or site template
  • Customize the email sent to site owners when initiating a site access review from a DAG report — customization is performed inline during the review initiation flow (DAG report → select sites → Initiate site access review → Customize and preview email) and is saved per report type. Site attestation policy notifications (a separate lifecycle workflow) are not currently documented as supporting the same customization surface.
  • Establish complementary Microsoft Entra Access Reviews for the Microsoft 365 Groups and security groups that grant SharePoint access (quarterly for Zone 3, semi-annual for Zone 2)
  • Include AI agent service principals (and Sites.Selected grants) in a dedicated review track separate from human users
  • Set up auto-remediation actions (read-only for non-attested sites; deny / remove membership for declined access review decisions)
  • Apply a Purview retention label or retention policy to the storage location holding attestation responses, access review decisions, and remediation records so that they are retained for the regulator-required period (commonly 6 years for FINRA / SEC books-and-records firms)
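The complementary Entra access review described in the configuration points above, written out as an added example (not part of the FSI-AgentGov framework and not Microsoft sample code): it creates a quarterly, auto-applied, deny-by-default review of the Microsoft 365 Group that grants access to a Zone 3 site, using the Microsoft Graph PowerShell SDK. The group id, fallback reviewer group id, and the 14-day instance duration are placeholders and assumptions; the cadence values come from the control's zone table.

```powershell
# Added example, not framework or Microsoft code. Assumes the Microsoft.Graph.Identity.Governance
# module is installed and the signed-in account has consented to AccessReview.ReadWrite.All.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All' -NoWelcome

$siteGroupId        = '00000000-0000-0000-0000-000000000001'  # placeholder: M365 Group behind the Zone 3 site
$fallbackReviewerId = '00000000-0000-0000-0000-000000000002'  # placeholder: Compliance reviewer group

# Review cadence in months per zone, from the control's Zone-Specific Requirements
$zoneCadence = @{ 'Zone 2' = 6; 'Zone 3' = 3 }
$zone = 'Zone 3'

$definition = @{
    displayName             = "$zone site access review - $siteGroupId"   # zone prefix used as a naming convention (assumption)
    descriptionForAdmins    = 'Recurring certification of the M365 Group granting access to a regulated SharePoint site (Control 4.2).'
    descriptionForReviewers = 'Confirm that each member still requires access to this site. Unreviewed members are removed.'
    # Scope: everyone who transitively holds membership in the group
    scope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query         = "/groups/$siteGroupId/transitiveMembers"
        queryType     = 'MicrosoftGraph'
    }
    # Primary reviewers are the group owners (the site owners for a group-connected site)
    reviewers = @(
        @{ query = "/groups/$siteGroupId/owners"; queryType = 'MicrosoftGraph' }
    )
    # Fallback reviewers are used when a group has no owners, so the review never silently stalls
    fallbackReviewers = @(
        @{ query = "/groups/$fallbackReviewerId/transitiveMembers"; queryType = 'MicrosoftGraph' }
    )
    settings = @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true    # approvals carry a recorded justification for the evidence trail
        defaultDecisionEnabled          = $true
        defaultDecision                 = 'Deny'   # no response => access is removed, not silently retained
        autoApplyDecisionsEnabled       = $true    # auto-remediation: decisions are applied without a manual step
        recommendationsEnabled          = $true
        instanceDurationInDays          = 14       # assumption: two-week response window per cycle
        recurrence = @{
            pattern = @{ type = 'absoluteMonthly'; interval = $zoneCadence[$zone] }
            range   = @{ type = 'noEnd'; startDate = (Get-Date).ToString('yyyy-MM-dd') }
        }
    }
}

$created = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
"Created access review $($created.Id) for group $siteGroupId (every $($zoneCadence[$zone]) months)"
```

Setting `defaultDecision` to `Deny` together with `autoApplyDecisionsEnabled` is what turns an unanswered review into a remediation rather than a gap; the `fallbackReviewers` entry matters for the same reason, because a group-connected site whose group has lost its owners would otherwise have no reviewer at all.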

Technical Implementation Notes

SharePoint Site Access Reviews vs. Entra ID Access Reviews

This control refers to SharePoint Site Access Reviews, a SharePoint Advanced Management (SAM) feature distinct from Entra ID Access Reviews:

| Feature | SharePoint Site Access Reviews | Entra ID Access Reviews |
| --- | --- | --- |
| Initiation | From DAG reports in SharePoint Admin Center | From Entra ID Governance portal |
| Reviewers | Site owners/admins (not configurable) | Configurable (managers, owners, self) |
| Scope | Sites identified in DAG reports | Groups, applications, access packages |
| Auto-Remediation | Read-only, archive, or delete site | Remove access, deny access |

DAG Report Integration

Site Access Reviews are initiated from Data Access Governance (DAG) reports, not by targeting arbitrary sites. Use the following DAG reports to identify sites requiring review:

  • Content Shared with EEEU Report: Sites with "Everyone Except External Users" access (highest priority)
  • Site Permissions Report: Sites with >1,000 users or numerous permission levels
  • Sharing Links Report: Sites with excessive anonymous or external sharing links

Site Access Review Email Customization

When initiating a site access review from a Data Access Governance report, SharePoint administrators can customize the email sent to site owners. Customizable values:

  • From address: Populated from the custom username configured in Microsoft 365 admin center under organizational profile
  • Title: Email subject line
  • Message: Body text describing the request
  • Comments: Additional context for the site owner
  • Link: A reference link to any SharePoint page (e.g., internal compliance policy)

Customizations are saved per report type and automatically apply to subsequent reviews initiated from that report. Use Reset to revert to Microsoft defaults.

Navigation: SharePoint Admin Center → Reports → Data access governance → [select report] → select sites → Initiate site access review → Customize and preview email.

Site attestation policy notifications (configured via Request-SPOSiteAttestation / SharePoint Admin Center → Policies → site lifecycle) are a separate workflow; equivalent email customization for attestation policy emails is not separately documented in current Microsoft Learn material.

Oversharing Baseline Report (GA)

SharePoint Advanced Management now includes an Oversharing baseline using permissions report type that identifies sites with excessive sharing relative to their sensitivity level. This report:

  • Compares actual sharing permissions against organizational baselines
  • Identifies sites where sharing exceeds expected patterns for the site's content sensitivity
  • Provides actionable recommendations for tightening access controls
  • Supports proactive data governance ahead of Copilot deployment to reduce grounding risk

Configure at SharePoint Admin Center > Reports > Data access governance > Oversharing baseline.

Additional Data Access Governance Reports (GA)

  • Agent Insights report: Identifies sites with the highest number of agents created across SharePoint and OneDrive (creation inventory sourced from FileCreated/FileRenamed audit events). Use to spot agent-development hub sites and apply RAC/RCD policies. (Admin center: Reports → Agent Insights)
  • Agent Access Insights report: Shows how agents access content at runtime across SharePoint and OneDrive — which agents access which sites, frequency, and agent distribution by site type. Use for ongoing supervisory monitoring per FINRA RN 24-09. (Admin center: Reports → Agent Insights → Agent Access)

AI insights are an inline action, not a separate report

Each DAG report in the SharePoint admin center includes a Get AI insights button (up to five insights per report). When selected, the feature extracts patterns from that specific report's data and offers a list of recommended actions. This is an on-demand analysis of an existing report — not a separately navigable report. See Generate AI insights for SharePoint Advanced Management.

Content Management Assessment is a SAM hub, not a DAG report

The Content Management Assessment hub (SharePoint Admin Center → Content management assessment) provides one-click Copilot readiness scoring across sites — it is a standalone SAM feature distinct from the DAG report suite. See Assess your organization's content management status. (Configuration also referenced in Key Configuration Points.)

Site Access Review Limits

Microsoft documents a limit of up to 1,000 site access reviews per calendar month initiated from the Site permissions across your organization report; the limit resets when the month changes. A separate 100-site web-UI ceiling applies when initiating reviews from any DAG report — for larger batches, use the Start-SPOSiteReview PowerShell cmdlet. Limits for other DAG report types (EEEU, Sharing links, Oversharing baseline) are not separately documented. Plan cadences accordingly and verify current limits at Initiate site access reviews for DAG reports before finalizing.
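Bulk initiation from a DAG report export, written as an added example (not part of the framework and not Microsoft sample code) that keeps a local count so a scripted batch stops before the documented 1,000-per-month limit rather than failing partway through. It assumes the SharePoint Online Management Shell with SharePoint Advanced Management, a CSV exported from the Site permissions report, and the parameter names `-ReportEntityId`, `-SiteId` and `-Comment` on `Start-SPOSiteReview`; the CSV column names, tenant URL, file paths and report entity id are placeholders, so confirm the cmdlet parameters with `Get-Help Start-SPOSiteReview` before use.

```powershell
# Added example, not framework or Microsoft code.
Import-Module Microsoft.Online.SharePoint.PowerShell

$monthlyCap     = 1000                                    # documented monthly limit for the Site permissions report
$ledgerPath     = Join-Path $env:TEMP 'site-review-ledger.json'   # constructed: local tally of reviews started this month
$reportExport   = 'C:\DAG\site-permissions.csv'           # placeholder: CSV exported from the DAG report
$reportEntityId = '00000000-0000-0000-0000-0000000000aa'  # placeholder: entity id of that DAG report (assumption)
$userThreshold  = 1000                                    # triage rule from this control: Site permissions report, >1,000 users

function Get-MonthlyLedger {
    # The limit resets when the calendar month changes, so the tally is keyed by yyyy-MM.
    $key = (Get-Date).ToString('yyyy-MM')
    $ledger = if (Test-Path $ledgerPath) { Get-Content $ledgerPath -Raw | ConvertFrom-Json } else { $null }
    if (-not $ledger -or $ledger.Month -ne $key) {
        $ledger = [pscustomobject]@{ Month = $key; Count = 0 }
    }
    return $ledger
}

function Save-MonthlyLedger($ledger) {
    $ledger | ConvertTo-Json | Set-Content -Path $ledgerPath
}

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'    # placeholder tenant admin URL

$ledger = Get-MonthlyLedger

# Column names 'Permissioned users', 'Site ID' and 'Site URL' are assumptions about the export layout.
$queued = @(Import-Csv -Path $reportExport |
    Where-Object { [int]$_.'Permissioned users' -gt $userThreshold } |
    Sort-Object { [int]$_.'Permissioned users' } -Descending)     # widest exposure first

for ($i = 0; $i -lt $queued.Count; $i++) {
    if ($ledger.Count -ge $monthlyCap) {
        Write-Warning ("Monthly cap of {0} reached; {1} site(s) deferred to next month." -f $monthlyCap, ($queued.Count - $i))
        break
    }
    $row = $queued[$i]
    try {
        Start-SPOSiteReview -ReportEntityId $reportEntityId -SiteId $row.'Site ID' -Comment 'Control 4.2 periodic site access review'
        $ledger.Count++
        Save-MonthlyLedger $ledger          # persist after every call so a crash does not lose the count
        "Initiated review {0}/{1}: {2}" -f $ledger.Count, $monthlyCap, $row.'Site URL'
    } catch {
        Write-Warning ("Failed for {0}: {1}" -f $row.'Site URL', $_.Exception.Message)
    }
}
```

Sorting by permissioned-user count means that when the cap is hit the deferred sites are the narrower ones, and the per-call ledger write gives the next run (or next month) an accurate starting count.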


Zone-Specific Requirements

| Zone | Requirement | Rationale |
| --- | --- | --- |
| Zone 1 (Personal) | Annual owner-led review of OneDrive and personal sites flagged in EEEU or Sharing links DAG reports; non-compliance action: notify owner | Baseline safety; minimizes overhead for low-risk content |
| Zone 2 (Team) | Semi-annual site attestation with site owner + group manager review; Entra access review of underlying M365 Group quarterly; non-compliance action: archive | Shared data accountability and Copilot grounding hygiene |
| Zone 3 (Enterprise) | Quarterly Site Attestation; quarterly Entra access review of underlying groups and any Sites.Selected service principals; Compliance + Legal sign-off on review decisions; non-compliance action: read-only and immediate escalation; retention of all evidence under SEC 17a-4 / FINRA 4511 retention schedule | Highest regulatory scrutiny; agent knowledge sources for regulated business processes |

Roles & Responsibilities

| Role | Responsibility |
| --- | --- |
| SharePoint Admin | Configure Site Attestation Policies and email templates; generate and triage DAG reports; initiate Site Access Reviews from DAG rows |
| Entra Identity Governance Admin | Configure Entra Access Reviews for M365 Groups, security groups, and Sites.Selected service principal grants |
| SharePoint Site Owner | Respond to attestation requests; certify site membership and sharing posture; act on review decisions |
| Purview Records Manager | Apply retention labels / policies to attestation and review evidence to meet SEC 17a-4 / FINRA 4511 retention windows |
| Compliance Officer | Define review cadence by zone; sign off on Zone 3 review decisions; maintain WSP language describing the review program |
| AI Governance Lead | Define which sites in the Agent Inventory are in-scope for accelerated review based on Copilot/agent grounding |

| Control | Relationship |
| --- | --- |
| 4.1 - SharePoint IAG | Reviews identify sites needing restrictions |
| 1.5 - DLP and Sensitivity Labels | Labels determine review scope and frequency |
| 1.18 - Application-Level RBAC | Access reviews validate RBAC implementation |
| 3.1 - Agent Inventory | Identifies agents using SharePoint as knowledge source |
| 4.4 - Guest and External Access | Reviews verify guest access appropriateness |
| 4.8 - Item-Level Permission Scanning | Item-level scanning validates individual file permissions within reviewed sites |

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:


Verification Criteria

Confirm control effectiveness by verifying:

  1. SAM Data Access Governance reports (EEEU, Sharing links, Site permissions, Oversharing baseline, Agent Insights, Agent Access Insights) are accessible and refreshed within the last 30 days
  2. Site Attestation Policies are configured and active for all sites carrying Confidential and Highly Confidential sensitivity labels
  3. Entra Access Reviews are scheduled with the cadence defined for each zone, with reviewers, fallback reviewers, and auto-apply settings configured
  4. AI agent service principals — including Sites.Selected grants — are enumerated and included in a dedicated review track
  5. Non-compliance actions (read-only, archive, or deny) are configured and have been observed firing on at least one test cycle
  6. Attestation responses and access review decisions are exported on each cycle and stored in a location covered by a retention label / policy aligned with SEC 17a-4 / FINRA 4511 (typically 6 years, WORM-protected)
  7. Review decisions and remediation actions are reflected in the Purview audit log (AccessReview* and SharePoint sharing operations) and tied back to the Agent Inventory record for any agent-grounded site
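A scripted check for criterion 3, written as an added example (it is not the framework's assessment-engine collector and not Microsoft sample code): it reads every Entra access review definition through the Microsoft Graph PowerShell SDK and reports which ones fail the zone cadence, reviewer, fallback reviewer, auto-apply or deny-default expectations, then writes the result as a CSV for the evidence store named in criterion 6. It assumes `AccessReview.Read.All` consent and a naming convention (an assumption, not something the page prescribes) in which each definition's display name begins with "Zone 2" or "Zone 3"; the evidence path is a placeholder.

```powershell
# Added example, not framework or Microsoft code.
Import-Module Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes 'AccessReview.Read.All' -NoWelcome

# Expected recurrence interval in months per zone, from the control's Zone-Specific Requirements
$expectedInterval = @{ 'Zone 2' = 6; 'Zone 3' = 3 }
$evidencePath     = '\\records\control-4-2\access-review-config-check.csv'   # placeholder: retention-labelled location

function Test-AccessReviewDefinition {
    param($Definition)
    $findings = @()
    $s = $Definition.Settings

    # Zone is taken from the display-name prefix (naming convention assumed above)
    $zone = $expectedInterval.Keys | Where-Object { $Definition.DisplayName -like "$_*" } | Select-Object -First 1

    if (-not $zone) {
        $findings += 'display name carries no zone prefix; cadence cannot be evaluated'
    } elseif ($s.Recurrence.Pattern.Type -ne 'absoluteMonthly' -or [int]$s.Recurrence.Pattern.Interval -ne $expectedInterval[$zone]) {
        $findings += ("cadence is {0}/{1}, expected absoluteMonthly/{2}" -f $s.Recurrence.Pattern.Type, $s.Recurrence.Pattern.Interval, $expectedInterval[$zone])
    }
    if (-not $Definition.Reviewers -or @($Definition.Reviewers).Count -eq 0) {
        $findings += 'no reviewers configured'
    }
    if (-not $Definition.FallbackReviewers -or @($Definition.FallbackReviewers).Count -eq 0) {
        $findings += 'no fallback reviewers configured'
    }
    if (-not $s.AutoApplyDecisionsEnabled) {
        $findings += 'auto-apply disabled (decisions will not remediate on their own)'
    }
    if (-not $s.DefaultDecisionEnabled -or $s.DefaultDecision -ne 'Deny') {
        $findings += ("default decision is '{0}', expected Deny" -f $s.DefaultDecision)
    }

    [pscustomobject]@{
        Definition = $Definition.DisplayName
        Id         = $Definition.Id
        Zone       = $zone
        Status     = $Definition.Status
        Compliant  = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
        CheckedAt  = (Get-Date).ToString('o')
    }
}

$results = Get-MgIdentityGovernanceAccessReviewDefinition -All |
    ForEach-Object { Test-AccessReviewDefinition -Definition $_ }

$results | Format-Table Definition, Zone, Status, Compliant, Findings -AutoSize
$results | Export-Csv -Path $evidencePath -NoTypeInformation -Encoding UTF8

"{0} definition(s) checked, {1} non-compliant" -f @($results).Count, @($results | Where-Object { -not $_.Compliant }).Count
```

Run this on each review cycle and keep the CSV alongside the exported decisions: the check itself becomes part of the evidence that the configuration, not just the decisions, was reviewed.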

Additional Resources


Updated: June 2026 | Version: v1.6.2 | UI Verification Status: Current