
Control 4.2: Site Access Reviews and Certification - Portal Walkthrough

This playbook provides portal configuration guidance for Control 4.2.


Prerequisites

  • SharePoint Admin role assigned
  • Access to SharePoint Admin Center
  • Access to Microsoft Entra Admin Center
  • SharePoint Advanced Management Plan 1 license assigned to tenant
  • Entra ID Governance (P2) license for access review workflows
  • Site owners identified and documented for each team/enterprise site

Step-by-Step Configuration

Step 1: Assess Current Permissions with Data Access Governance Reports

Generate baseline permissions report:

  1. Navigate to SharePoint Admin Center
  2. Go to Reports > Data access governance
  3. Click Get started to run the initial assessment (if first use)
  4. Click View reports under "Site permissions across your organization"
  5. Export the report for analysis
  6. Identify sites with:
     • "Everyone except external users" access
     • Guest user access
     • Broad sharing links
  7. Prioritize team/enterprise sites and agent knowledge sources

EEEU (Everyone Except External Users) Priority

Sites shared with "Everyone except external users" represent the highest oversharing risk for Copilot and should be prioritized for access review. EEEU-shared content is accessible to all internal users including Copilot, which can surface sensitive data in AI-generated responses. See Control 4.7 for EEEU risk assessment guidance.
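The Data access governance report in Step 1 is the authoritative source, but the same three conditions can be checked directly from the SharePoint Online Management Shell so the EEEU sites land at the top of the review queue before the export is analysed. The script below is an added example, not code from this playbook or its PowerShell Setup page; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, the caller holds the SharePoint Admin role, and the tenant admin URL and output path are placeholders.

```powershell
# Added example: enumerate site collections and flag the three oversharing
# conditions Step 1 asks for (EEEU, guests, sharing links), EEEU first.
# Assumes the SharePoint Online Management Shell; the admin URL is a placeholder.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

$findings = foreach ($site in Get-SPOSite -Limit All) {
    # Get-SPOUser lists the principals granted at the site-collection level,
    # including the tenant-wide "Everyone except external users" claim.
    $users  = Get-SPOUser -Site $site.Url -Limit All
    $groups = Get-SPOSiteGroup -Site $site.Url

    # EEEU is a claims principal whose login name contains "spo-grid-all-users".
    $hasEEEU = [bool]($users | Where-Object LoginName -like '*spo-grid-all-users*')

    # Guest (B2B) accounts carry the #ext# marker in their login name.
    $guestCount = @($users | Where-Object LoginName -like '*#ext#*').Count

    # Sharing links are backed by SharePoint groups titled "SharingLinks.<guid>.<type>.<guid>".
    $sharingLinkGroups = @($groups | Where-Object Title -like 'SharingLinks.*').Count

    [pscustomobject]@{
        Url               = $site.Url
        Template          = $site.Template     # e.g. GROUP#0 for team sites
        HasEEEU           = $hasEEEU
        GuestUsers        = $guestCount
        SharingLinkGroups = $sharingLinkGroups
    }
}

# Review queue: EEEU sites first (highest Copilot oversharing risk),
# then sites with guests, then sites with the most sharing links.
$findings |
    Where-Object { $_.HasEEEU -or $_.GuestUsers -gt 0 -or $_.SharingLinkGroups -gt 0 } |
    Sort-Object @{ Expression = 'HasEEEU';           Descending = $true },
                @{ Expression = 'GuestUsers';        Descending = $true },
                @{ Expression = 'SharingLinkGroups'; Descending = $true } |
    Export-Csv -Path '.\Control-4.2-baseline-permissions.csv' -NoTypeInformation
```

Get-SPOUser and Get-SPOSiteGroup only report grants at the site-collection level, so an EEEU grant applied to a single library or folder will not appear here; treat this as a fast triage pass and rely on the Data access governance report for item-level permissions.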

Step 2: Configure Site Attestation Policies

Create attestation policy for regulated sites:

  1. Navigate to Policies > Site lifecycle management
  2. Click Open under "Site attestation policies"
  3. Click Create policy
  4. Configure scope:
     • By sensitivity label: Confidential, Highly Confidential
     • By site URL pattern (optional)
     • By site template (optional)
  5. Set frequency:
     • Quarterly: for enterprise-managed sites
     • Annual: for team collaboration sites
  6. Configure notifications:
     • Reminder before due date: 30, 14, 7 days
     • Escalation to admin if overdue
  7. Set non-compliance action:
     • Read-only: recommended for regulated sites
     • Archive: for long-term non-response
  8. Click Save and enable the policy

Step 3: Configure Access Reviews in Entra ID (for Groups)

Create access review schedule for M365 Groups/Teams:

  1. Navigate to Microsoft Entra Admin Center
  2. Go to Identity governance > Access reviews
  3. Click New access review
  4. Configure review:
     • Review name: "FSI SharePoint Site Access Review - Quarterly"
     • Description: Review and certify access to sensitive SharePoint sites
     • Scope: Groups and Teams
     • Review scope: Specific groups (select site-connected M365 groups)
  5. Configure reviewers:
     • Group owners: Primary reviewer
     • Fallback reviewers: Compliance team
  6. Configure settings:
     • Duration: 14 days
     • Recurrence: Quarterly
     • Auto-apply results: Yes
     • Default decision if no response: Deny
     • Justification required: Yes
  7. Click Create
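The portal settings in Step 3 map one-to-one onto the accessReviewScheduleDefinition object in Microsoft Graph, which makes it possible to keep the review configuration as code and create it consistently for every site-connected group. The script below is an added example and is not part of this playbook or its PowerShell Setup page; it assumes the Microsoft.Graph PowerShell SDK, consent to AccessReview.ReadWrite.All and Group.Read.All, an Entra ID Governance license, and placeholder group names and reviewer id.

```powershell
# Added example: create the Step 3 quarterly access review with the Graph SDK.
# Assumes Microsoft.Graph is installed; group names and the fallback user id are placeholders.

Connect-MgGraph -Scopes 'AccessReview.ReadWrite.All', 'Group.Read.All' -NoWelcome

# Site-connected M365 groups selected for review (placeholder names).
$groupNames = @('FSI-Regulated-Lending-Site', 'FSI-Compliance-Knowledge-Source')
$groupIds = foreach ($n in $groupNames) {
    (Get-MgGroup -Filter "displayName eq '$n'" -Property Id).Id
}

foreach ($groupId in $groupIds) {
    $definition = @{
        displayName             = 'FSI SharePoint Site Access Review - Quarterly'
        descriptionForAdmins    = 'Review and certify access to sensitive SharePoint sites'
        descriptionForReviewers = 'Confirm each member still needs access to this site'

        # Scope: the transitive membership of one site-connected group.
        scope = @{
            '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
            query         = "/groups/$groupId/transitiveMembers"
            queryType     = 'MicrosoftGraph'
        }

        # Group owners are the primary reviewers ("./owners" is resolved relative to the scope).
        reviewers = @(
            @{ query = './owners'; queryType = 'MicrosoftGraph' }
        )

        # Compliance team contact used when the group has no owner (placeholder user id).
        fallbackReviewers = @(
            @{ query = '/users/<compliance-reviewer-user-id>'; queryType = 'MicrosoftGraph' }
        )

        settings = @{
            mailNotificationsEnabled        = $true
            reminderNotificationsEnabled    = $true
            justificationRequiredOnApproval = $true    # Justification required: Yes
            defaultDecisionEnabled          = $true
            defaultDecision                 = 'Deny'   # Default decision if no response: Deny
            instanceDurationInDays          = 14       # Duration: 14 days
            autoApplyDecisionsEnabled       = $true    # Auto-apply results: Yes
            recommendationsEnabled          = $true
            recurrence = @{
                pattern = @{ type = 'absoluteMonthly'; interval = 3 }   # Recurrence: Quarterly
                range   = @{ type = 'noEnd'; startDate = (Get-Date -Format 'yyyy-MM-dd') }
            }
        }
    }

    $created = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $definition
    "Created access review $($created.Id) for group $groupId"
}
```

Because the default decision is Deny and results are auto-applied, a reviewer who never responds causes members to be removed from the group at the end of the 14-day window; confirm that group owners are populated (the "./owners" query resolves to nobody on an ownerless group) before enabling this for a production site.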

Step 4: Establish Review Process for Agent Knowledge Sources

Document access review procedures:

  1. Identify sites used as agent knowledge sources (from the Agent Inventory)
  2. Document review requirements per zone:
     • Zone 1: Annual review (site owner)
     • Zone 2: Semi-annual review (owner + manager)
     • Zone 3: Quarterly review (owner + compliance)
  3. Create a checklist for reviewers:
     • Is each user's access still needed?
     • Are permissions appropriate for the role?
     • Are any external users present?
     • Is agent access documented and approved?

Step 5: Monitor Compliance

Track attestation compliance:

  1. Navigate to Policies > Site lifecycle management
  2. Review "Site attestation policies" dashboard
  3. Check attestation completion rates
  4. Follow up on overdue attestations
  5. Export reports for governance documentation

Configuration by Governance Level

| Setting                 | Baseline   | Recommended            | Regulated                  |
|-------------------------|------------|------------------------|----------------------------|
| Access review frequency | Annual     | Semi-annual            | Quarterly                  |
| Attestation policy      | None       | Annual                 | Quarterly                  |
| Reviewers               | Site owner | Owner + manager        | Owner + compliance + legal |
| Auto-remediation        | None       | Archive if no response | Read-only + escalation     |
| Justification required  | No         | Yes                    | Yes with documentation     |

Service Account Access Reviews for AI Agents

For AI agents using service accounts or service principals:

  1. Identify agent service accounts from the Agent Inventory
  2. Review API permissions granted to each service principal
  3. Validate least privilege:
     • Prefer Sites.Selected over Sites.Read.All
     • Document business justification for each permission
  4. Include service accounts in the quarterly access review cycle
  5. Document findings using the Service Account Review Checklist
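The least-privilege check above is easiest to evidence by reading the application permissions actually granted to each agent's service principal and comparing them with the Sites.Selected preference. The script below is an added example, not code from this playbook or its PowerShell Setup page; it assumes the Microsoft.Graph PowerShell SDK, consent to Application.Read.All, and placeholder agent display names standing in for entries from the Agent Inventory.

```powershell
# Added example: list Microsoft Graph application permissions held by each agent
# service principal and flag SharePoint grants broader than Sites.Selected.
# Assumes Microsoft.Graph is installed; the agent names are placeholders.

Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

# Well-known application ID of the Microsoft Graph resource service principal.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Acceptable SharePoint permission under least privilege.
$preferred = @('Sites.Selected')
# Broad SharePoint permissions that need a documented business justification.
$broad = @('Sites.Read.All', 'Sites.ReadWrite.All', 'Sites.Manage.All', 'Sites.FullControl.All')

$agentServicePrincipals = @('Contoso HR Policy Agent', 'Contoso Finance Agent')  # placeholders

$review = foreach ($name in $agentServicePrincipals) {
    $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
    if (-not $sp) { Write-Warning "Service principal '$name' not found"; continue }

    # App role assignments are the application (not delegated) permissions granted on the principal.
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        Where-Object ResourceId -eq $graphSp.Id

    foreach ($a in $assignments) {
        # AppRoleId is a GUID; resolve it to the permission name via the Graph app roles.
        $value = ($graphSp.AppRoles | Where-Object Id -eq $a.AppRoleId).Value

        if ($value -in $broad)        { $finding = 'BROAD - prefer Sites.Selected; document justification' }
        elseif ($value -in $preferred) { $finding = 'OK - least privilege' }
        else                           { $finding = 'Review - non-SharePoint permission' }

        [pscustomobject]@{
            Agent      = $name
            Permission = $value
            Finding    = $finding
        }
    }
}

$review | Sort-Object Agent, Permission | Format-Table -AutoSize
$review | Export-Csv -Path '.\Control-4.2-service-account-review.csv' -NoTypeInformation
```

Sites.Selected grants nothing by itself; the agent only gains access to sites that have been explicitly granted to its application, so those per-site grants belong in the same quarterly review as the permission list produced here.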

Validation

After completing these steps, verify:

  • Data access governance reports accessible and current
  • Site attestation policy configured for regulated sites
  • Access review schedules created in Entra ID
  • Notification templates configured
  • Non-compliance actions set appropriately
  • Review process documented and communicated to site owners



Updated: January 2026 | Version: v1.2