
Control 4.2: Site Access Reviews and Certification

Overview

Control ID: 4.2
Control Name: Site Access Reviews and Certification
Regulatory Reference: GLBA 501(b), 504(b), 505(b), SOX 404, FINRA 4511
Setup Time: 1-2 hours
License Requirement: SharePoint Advanced Management Plan 1 for full capabilities


Purpose

Establish periodic reviews of SharePoint site access to ensure only authorized users and agents can access sensitive content. Site attestation policies require site owners to certify that access permissions remain appropriate. In financial services environments, regular access reviews are essential for demonstrating compliance with regulatory requirements around data access controls and maintaining audit evidence of authorization decisions.


Key Capabilities

Data Access Governance Reports

Snapshot reports providing visibility into site permissions and sharing activity.

Navigation: SharePoint Admin Center → Reports → Data access governance

Available Reports:

| Report | Description | Use Case |
|---|---|---|
| Site permissions across your organization | Broad permissions (Everyone, guests, sharing links) | Identify oversharing risks |
| Site permissions for users | User-specific site access | Verify individual access |
| Sensitivity labels applied to files | Sensitive content locations | Prioritize review scope |
| Sharing links | New sharing links (last 28 days) | Monitor sharing activity |
| Shared with 'Everyone except external users' | Broadly shared content | Identify oversharing |

Site Attestation Policies

Automated workflows requiring site owners to certify site information.

Navigation: SharePoint Admin Center → Policies → Site lifecycle management → Site attestation policies

Policy Actions:

  • Identify sites due for attestation
  • Send notifications to site owners/admins
  • Automatically archive or mark sites as read-only if not attested

Prerequisites

Primary Owner Admin Role: SharePoint Admin
Supporting Roles: Entra Identity Governance Admin, SharePoint Site Collection Admin

Licenses Required

| License | Purpose | Required/Optional |
|---|---|---|
| Microsoft 365 E5 | Full compliance and governance features | Required |
| Entra ID Governance (P2) | Access review workflows and certifications | Required |
| SharePoint Advanced Management | Enhanced governance reports and attestation policies | Required |
| Microsoft 365 E3 | Basic functionality (limited features) | Alternative |

Permissions Required

| Role | Purpose | Scope |
|---|---|---|
| SharePoint Administrator | Configure attestation policies and access reports | Tenant-wide |
| Identity Governance Administrator | Configure access reviews in Entra ID | Entra ID |
| Global Administrator | Initial setup and delegation | Tenant-wide |
| Site Collection Administrator | Site-level permission management | Per-site |
| Compliance Administrator | Review compliance reports | Tenant-wide |

Dependencies

| Dependency | Control Reference | Status / Required |
|---|---|---|
| Managed Environments | Control 2.1 | Recommended |
| Sensitivity Labels | Control 1.5 | Required for enterprise-managed environments |
| IAG/RCD Configuration | Control 4.1 | Required |
| Guest Access Controls | Control 4.4 | Recommended |

Pre-Setup Checklist

  • [ ] SharePoint Advanced Management license assigned
  • [ ] Entra ID Governance (P2) license assigned for access reviews
  • [ ] Site classification or sensitivity labels applied to target sites
  • [ ] Site owners identified and documented for each team/enterprise site
  • [ ] Governance zones defined and documented
  • [ ] Access review frequency requirements documented per governance tier
  • [ ] Escalation contacts identified for non-compliant sites

Governance Levels

Baseline (Level 1)

| Requirement | Implementation |
|---|---|
| Quarterly access reviews | Manual review of team/enterprise site permissions |
| Permission documentation | Document who has access to agent knowledge sources |
| Basic reporting | Run "Site permissions across your organization" report quarterly |

Implementation Steps:

  1. Navigate to SharePoint Admin Center
  2. Go to Reports → Data access governance
  3. Click View reports under "Site permissions across your organization"
  4. Review sites with broad permissions
  5. Document findings and remediation actions
  6. Schedule quarterly review calendar reminder

| Requirement | Implementation |
|---|---|
| Site attestation policies | Configure annual attestation for team/enterprise sites |
| Automated notifications | Enable owner notifications for certification |
| Access review workflow | Documented process for reviewing and remediating findings |
| Agent knowledge source review | Specific review of sites used as agent knowledge |

Additional Steps:

  1. Navigate to Policies → Site lifecycle management
  2. Click Open under "Site attestation policies"
  3. Create new policy:
     • Select sites by sensitivity label or URL pattern
     • Set attestation frequency (annual recommended)
     • Configure notification settings
     • Set action for non-compliance (read-only or archive)
  4. Enable the policy

Regulated/High-Risk (Level 4)

| Requirement | Implementation |
|---|---|
| Mandatory annual certification | All enterprise-managed sites require formal attestation |
| Auditor-signed attestation | Internal audit reviews certification process |
| Remediation tracking | Track and document all access changes |
| Formal evidence package | Attestation records retained for audit |

Additional Requirements:

  • Include attestation in SOX 404 testing scope
  • Obtain compliance sign-off on attestation procedures
  • Archive all attestation responses for 6+ years
  • Document exceptions and compensating controls

Setup & Configuration

Step 1: Assess Current Permissions

Generate baseline permissions report:

  1. Navigate to Reports → Data access governance
  2. Click View reports under "Site permissions across your organization"
  3. Export report for analysis
  4. Identify sites with:
     • "Everyone except external users" access
     • Guest user access
     • Broad sharing links
  5. Prioritize team/enterprise sites and agent knowledge sources

Step 2: Configure Attestation Policies

Create attestation policy for regulated sites:

  1. Navigate to Policies → Site lifecycle management
  2. Click Open under "Site attestation policies"
  3. Click Create policy
  4. Configure scope:
     • By sensitivity label (Confidential, Highly Confidential)
     • By site URL pattern
     • By site template
  5. Set frequency: Annual for enterprise-managed sites, Quarterly for active agent sites
  6. Configure notifications:
     • Reminder before due date
     • Escalation to admin if overdue
  7. Set non-compliance action (recommend: read-only)

Step 3: Establish Review Process

Document access review procedures:

  • Who performs reviews (site owners, governance team)
  • Review frequency by zone
  • Required documentation
  • Remediation workflow
  • Escalation process

Step 4: Document Results

For each review cycle:

  • Export permissions report
  • Record attestation status
  • Document remediation actions
  • Archive evidence for audit

Step 5: Monitor Compliance

Track attestation compliance:

  • Review attestation completion rates
  • Follow up on overdue attestations
  • Report to governance committee monthly

PowerShell Configuration

Connect to Microsoft Graph for Access Reviews

# Install Microsoft Graph module if not present
# Install-Module Microsoft.Graph -Scope CurrentUser

# Connect to Microsoft Graph with required scopes
Connect-MgGraph -Scopes "AccessReview.ReadWrite.All", "Directory.Read.All", "Sites.Read.All"

# Verify connection
Get-MgContext | Select-Object Scopes, Account

Create Access Review Schedule for SharePoint Sites

# Define the access review schedule definition.
# Entra access reviews target Microsoft 365 groups (which back team sites): the
# instanceEnumerationScope selects every Microsoft 365 group, the scope reviews the
# members of each enumerated group, and each group's owners act as its reviewers.
$reviewParams = @{
    displayName = "FSI SharePoint Site Access Review - Enterprise Managed"
    descriptionForAdmins = "Quarterly access review for enterprise-managed SharePoint sites containing agent knowledge sources"
    descriptionForReviewers = "Review and certify that users have appropriate access to sensitive SharePoint sites"
    scope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query = "./members"   # relative query: members of each enumerated group
        queryType = "MicrosoftGraph"
    }
    instanceEnumerationScope = @{
        "@odata.type" = "#microsoft.graph.accessReviewQueryScope"
        query = "/groups?`$filter=(groupTypes/any(c:c eq 'Unified'))"   # all Microsoft 365 groups
        queryType = "MicrosoftGraph"
    }
    reviewers = @(
        @{
            query = "./owners"   # relative query: owners of each enumerated group
            queryType = "MicrosoftGraph"
        }
    )
    settings = @{
        mailNotificationsEnabled = $true
        reminderNotificationsEnabled = $true
        justificationRequiredOnApproval = $true
        defaultDecisionEnabled = $true
        defaultDecision = "Deny"          # unreviewed access is removed when the review closes
        instanceDurationInDays = 14
        autoApplyDecisionsEnabled = $true
        recommendationsEnabled = $true
        recurrence = @{
            pattern = @{
                type = "absoluteMonthly"
                interval = 3  # Quarterly
                dayOfMonth = 1
            }
            range = @{
                type = "noEnd"
                startDate = (Get-Date).ToString("yyyy-MM-dd")
            }
        }
    }
}

# Create the access review schedule definition
$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $reviewParams
Write-Host "Access Review Created: $($review.DisplayName)" -ForegroundColor Green
Write-Host "Review ID: $($review.Id)" -ForegroundColor Cyan

Get Access Review Status

# Get all access review definitions
$accessReviews = Get-MgIdentityGovernanceAccessReviewDefinition -All
$accessReviews | Format-Table DisplayName, Status, CreatedDateTime

# Get the instances (review cycles) of a specific definition
$reviewId = "your-review-definition-id"
$instances = Get-MgIdentityGovernanceAccessReviewDefinitionInstance -AccessReviewScheduleDefinitionId $reviewId -All

# Display instance details. The instance object carries no reviewer completion
# counters; progress is derived from the per-instance decisions queried below.
$instances | ForEach-Object {
    Write-Host "Instance: $($_.Id)" -ForegroundColor Yellow
    Write-Host "  Status: $($_.Status)"
    Write-Host "  Start: $($_.StartDateTime)"
    Write-Host "  End: $($_.EndDateTime)"
}

# Get pending decisions for an instance
$instanceId = "your-instance-id"
$decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
    -AccessReviewScheduleDefinitionId $reviewId `
    -AccessReviewInstanceId $instanceId -All

# Principal and Resource are nested objects, so expand their display names for the table
$decisions | Where-Object { $_.Decision -eq "NotReviewed" } |
    Format-Table @{ n = "Principal"; e = { $_.Principal.DisplayName } },
                 @{ n = "Resource";  e = { $_.Resource.DisplayName } },
                 Decision, ReviewedDateTime
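For the follow-up work in Step 5 (completion rates, overdue attestations, the monthly committee report), the listing above can be turned into a per-instance completion report. This is an added example, not code from the original page; it assumes an existing Connect-MgGraph session and a schedule definition id obtained from Get-MgIdentityGovernanceAccessReviewDefinition. The `State` classification and the 3-day warning threshold are this example's own conventions.

```powershell
# Added example: per-instance completion report for an access review definition.
# Assumes Connect-MgGraph has been run with the scopes from the connection block above.
function Get-AccessReviewCompletionReport {
    param(
        [Parameter(Mandatory)][string]$ReviewId,
        # Open instances ending within this many days with pending decisions are flagged AtRisk
        [int]$WarnDaysBeforeEnd = 3
    )

    $now = (Get-Date).ToUniversalTime()
    $instances = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
        -AccessReviewScheduleDefinitionId $ReviewId -All

    foreach ($instance in $instances) {
        $decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
            -AccessReviewScheduleDefinitionId $ReviewId `
            -AccessReviewInstanceId $instance.Id -All

        # NotReviewed and NotNotified are the decision states still waiting on a reviewer
        $total    = @($decisions).Count
        $pending  = @($decisions | Where-Object { $_.Decision -in 'NotReviewed', 'NotNotified' }).Count
        $reviewed = $total - $pending
        $rate     = if ($total -gt 0) { [math]::Round(100 * $reviewed / $total, 1) } else { 0 }

        $daysLeft = $null
        if ($instance.EndDateTime) {
            $daysLeft = [int](([datetime]$instance.EndDateTime).ToUniversalTime() - $now).TotalDays
        }

        # Closed instances need no follow-up; open ones are overdue, at risk, or on track
        if ($instance.Status -in 'Completed', 'Applied', 'AutoReviewed') { $state = 'Closed' }
        elseif ($pending -gt 0 -and $null -ne $daysLeft -and $daysLeft -lt 0) { $state = 'Overdue' }
        elseif ($pending -gt 0 -and $null -ne $daysLeft -and $daysLeft -le $WarnDaysBeforeEnd) { $state = 'AtRisk' }
        else { $state = 'OnTrack' }

        [PSCustomObject]@{
            InstanceId    = $instance.Id
            Status        = $instance.Status
            EndDateTime   = $instance.EndDateTime
            DaysRemaining = $daysLeft
            Total         = $total
            Reviewed      = $reviewed
            Pending       = $pending
            CompletionPct = $rate
            State         = $state
        }
    }
}

# Usage: committee summary plus an export of the instances that need escalation
$report = Get-AccessReviewCompletionReport -ReviewId 'your-review-definition-id'
$report | Sort-Object State, DaysRemaining | Format-Table -AutoSize
$exportPath = "C:\Compliance\AccessReview_Overdue_$(Get-Date -Format 'yyyyMMdd').csv"
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
$report | Where-Object { $_.State -in 'Overdue', 'AtRisk' } |
    Export-Csv -Path $exportPath -NoTypeInformation
```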

Export Access Review Results

# Export access review decisions to CSV for audit
$reviewId = "your-review-definition-id"
$instances = Get-MgIdentityGovernanceAccessReviewDefinitionInstance `
    -AccessReviewScheduleDefinitionId $reviewId -All

# Collect into a list; appending to an array with += copies the array on every iteration
$allDecisions = [System.Collections.Generic.List[object]]::new()

foreach ($instance in $instances) {
    $decisions = Get-MgIdentityGovernanceAccessReviewDefinitionInstanceDecision `
        -AccessReviewScheduleDefinitionId $reviewId `
        -AccessReviewInstanceId $instance.Id `
        -All

    foreach ($decision in $decisions) {
        $allDecisions.Add([PSCustomObject]@{
            InstanceId = $instance.Id
            InstanceStartDate = $instance.StartDateTime
            PrincipalName = $decision.Principal.DisplayName
            PrincipalType = $decision.Principal.Type
            ResourceName = $decision.Resource.DisplayName
            Decision = $decision.Decision
            Justification = $decision.Justification
            ReviewedBy = $decision.ReviewedBy.DisplayName
            ReviewedDateTime = $decision.ReviewedDateTime
            AppliedBy = $decision.AppliedBy.DisplayName
            AppliedDateTime = $decision.AppliedDateTime
        })
    }
}

# Export to CSV (create the evidence folder if it does not exist yet)
$exportPath = "C:\Compliance\AccessReview_Export_$(Get-Date -Format 'yyyyMMdd').csv"
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
$allDecisions | Export-Csv -Path $exportPath -NoTypeInformation
Write-Host "Exported $($allDecisions.Count) decisions to: $exportPath" -ForegroundColor Green

Get SharePoint Site Permissions Report

# Connect to SharePoint Online
# Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
$adminUrl = "https://yourtenant-admin.sharepoint.com"
Connect-SPOService -Url $adminUrl

# Get all site collections except personal (OneDrive) sites. Sites with sharing
# disabled are kept on purpose; filtering them out here would make the
# ExternalSharingEnabled column below true for every row.
$sites = Get-SPOSite -Limit All | Where-Object {
    $_.Template -notlike "*SPSPERS*"  # Exclude OneDrive
}

# Generate permissions summary
$siteSummary = $sites | ForEach-Object {
    [PSCustomObject]@{
        SiteUrl = $_.Url
        Title = $_.Title
        Owner = $_.Owner
        SharingCapability = $_.SharingCapability
        ExternalSharingEnabled = $_.SharingCapability -ne "Disabled"
        SensitivityLabel = $_.SensitivityLabel
        LastContentModified = $_.LastContentModifiedDate
    }
}

# Export for review (create the evidence folder if it does not exist yet)
$exportPath = "C:\Compliance\SPOSitePermissions_$(Get-Date -Format 'yyyyMMdd').csv"
New-Item -ItemType Directory -Path (Split-Path $exportPath) -Force | Out-Null
$siteSummary | Export-Csv -Path $exportPath -NoTypeInformation

Financial Sector Considerations

Regulatory Mapping

| Regulation | Requirement | How This Control Addresses | Evidence Required |
|---|---|---|---|
| FINRA 4511 | Supervision and retention of records | Reviews ensure only authorized personnel access records; attestation provides supervision evidence | Attestation records, review completion reports |
| SEC Reg S-P | Safeguards for customer information | Periodic access reviews validate appropriate access controls | Access review decisions, remediation records |
| GLBA 501(b) | Administrative safeguards | Site access reviews demonstrate access control management | Review schedules, completion rates, exceptions |
| SOX 404 | Internal control assessment | Attestation provides evidence of control operating effectiveness | Signed attestations, exception reports |
| NYDFS 500.07 | Access privilege limitations | Reviews ensure access is limited to those with business need | Access review decisions with justifications |

Governance Tier Review Frequency

| Tier | Classification | Review Frequency | Reviewer | Auto-Remediation |
|---|---|---|---|---|
| Tier 1 | Public/General | Annual | Site Owner | Archive if not attested |
| Tier 2 | Internal/Sensitive | Semi-Annual | Site Owner + Manager | Read-only if not attested |
| Tier 3 | Confidential/Regulated | Quarterly | Owner + Compliance + Legal | Immediate escalation |
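The tier cadences in this table map directly onto the Graph access review `settings` object consumed by New-MgIdentityGovernanceAccessReviewDefinition. The function below is an added example, not code from the original page: the frequencies come from the table, the Tier 2 and Tier 3 duration, default decision and auto-apply values follow the FSI configuration example further down, and the Tier 1 values (30-day window, Deny default) are assumptions. The configuration example's `NoAction` is represented here as default decision `None` with defaultDecisionEnabled off.

```powershell
# Added example: build Graph access review settings for a governance tier.
function Get-TierAccessReviewSettings {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Tier1', 'Tier2', 'Tier3')]
        [string]$Tier,
        [datetime]$StartDate = (Get-Date)
    )

    # Graph recurrencePattern: absoluteYearly/1 = annual, absoluteMonthly/6 = semi-annual,
    # absoluteMonthly/3 = quarterly. Tier 1 duration/decision values are assumptions.
    $profile = @{
        Tier1 = @{ patternType = 'absoluteYearly';  interval = 1; durationDays = 30; defaultDecision = 'Deny'; autoApply = $true  }
        Tier2 = @{ patternType = 'absoluteMonthly'; interval = 6; durationDays = 21; defaultDecision = 'None'; autoApply = $false }
        Tier3 = @{ patternType = 'absoluteMonthly'; interval = 3; durationDays = 14; defaultDecision = 'Deny'; autoApply = $true  }
    }[$Tier]

    $pattern = @{ type = $profile.patternType; interval = $profile.interval; dayOfMonth = 1 }
    # absoluteYearly additionally needs the month in which each cycle starts
    if ($profile.patternType -eq 'absoluteYearly') { $pattern.month = $StartDate.Month }

    @{
        mailNotificationsEnabled        = $true
        reminderNotificationsEnabled    = $true
        justificationRequiredOnApproval = $true
        recommendationsEnabled          = $true
        # A default decision is only applied automatically where the tier auto-applies results
        defaultDecisionEnabled          = $profile.autoApply
        defaultDecision                 = $profile.defaultDecision
        autoApplyDecisionsEnabled       = $profile.autoApply
        instanceDurationInDays          = $profile.durationDays
        recurrence = @{
            pattern = $pattern
            range   = @{ type = 'noEnd'; startDate = $StartDate.ToString('yyyy-MM-dd') }
        }
    }
}

# Usage: Tier 3 (quarterly) settings spliced into a definition that reviews the members
# of every Microsoft 365 group, with each group's owners as reviewers
$reviewParams = @{
    displayName = 'Tier 3 Quarterly SharePoint Site Access Review'
    scope = @{ '@odata.type' = '#microsoft.graph.accessReviewQueryScope'; query = './members'; queryType = 'MicrosoftGraph' }
    instanceEnumerationScope = @{
        '@odata.type' = '#microsoft.graph.accessReviewQueryScope'
        query = "/groups?`$filter=(groupTypes/any(c:c eq 'Unified'))"
        queryType = 'MicrosoftGraph'
    }
    reviewers = @(@{ query = './owners'; queryType = 'MicrosoftGraph' })
    settings  = Get-TierAccessReviewSettings -Tier 'Tier3'
}
$review = New-MgIdentityGovernanceAccessReviewDefinition -BodyParameter $reviewParams
Write-Host "Created $($review.DisplayName) ($($review.Id))"
```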

FSI Configuration Example

# FSI SharePoint Access Review Configuration
fsi_access_review:
  organization: "Financial Services Institution"
  control_id: "4.2"
  control_name: "Site Access Reviews and Certification"

  review_schedules:
    tier_3_quarterly:
      name: "Enterprise Managed Quarterly Access Review"
      scope: "All enterprise-managed SharePoint sites with agent knowledge sources"
      frequency: "quarterly"
      duration_days: 14
      reviewers:
        - type: "site_owner"
        - type: "compliance_team"
          group_id: "compliance-reviewers-group-id"
      settings:
        justification_required: true
        recommendations_enabled: true
        default_decision: "Deny"
        auto_apply: true
        reminder_days: [7, 3, 1]
      escalation:
        overdue_days: 7
        escalate_to: "security-ops@company.com"

    tier_2_semiannual:
      name: "Team Collaboration Semi-Annual Access Review"
      scope: "Team collaboration SharePoint sites"
      frequency: "semi-annual"
      duration_days: 21
      reviewers:
        - type: "site_owner"
        - type: "manager"
      settings:
        justification_required: true
        recommendations_enabled: true
        default_decision: "NoAction"
        auto_apply: false

  attestation_policies:
    agent_knowledge_sites:
      name: "Agent Knowledge Source Attestation"
      scope_filter: "sensitivity_label eq 'Confidential' OR url contains 'agent-knowledge'"
      frequency: "quarterly"
      notification_days_before: [30, 14, 7]
      non_compliance_action: "read_only"
      require_acknowledgment:
        - "Data classification is accurate"
        - "Access permissions are appropriate"
        - "No unauthorized external sharing"

  audit_retention:
    attestation_records: "7_years"
    review_decisions: "7_years"
    remediation_actions: "7_years"
    exception_approvals: "7_years"

Regulatory Context

Primary Regulations: GLBA 501(b), SOX 404, FINRA 4511

| Regulation | Requirement | How This Control Addresses |
|---|---|---|
| GLBA 501(b) | Access control to NPI | Reviews ensure appropriate access |
| SOX 404 | Internal controls assessment | Attestation provides control evidence |
| FINRA 4511 | Supervision of records | Reviews ensure proper access governance |

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of site access reviews and certification where personal sites affect tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Run periodic access reviews/attestations for agent knowledge sites used by shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain review exports/attestation records.
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest access review and certification configuration and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain review exports/attestation records.
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

Test Procedure

  1. Navigate to SharePoint Admin Center → Reports → Data access governance
  2. Click "Get started" to generate snapshot report
  3. Run "Site permissions across your organization" report
  4. Navigate to Policies → Site lifecycle management
  5. Verify attestation policies are configured
  6. Check policy notification and action settings

Expected Results:

  • [ ] Data access governance reports accessible
  • [ ] Site permissions report shows permission details
  • [ ] Attestation policy configured for team/enterprise sites
  • [ ] Notifications enabled for site owners
  • [ ] Non-compliance action configured

Verification Evidence

| Evidence Type | Location | Retention |
|---|---|---|
| Permissions report export | Data access governance | 1 year |
| Attestation policy screenshot | Site lifecycle management | 1 year |
| Attestation responses | Site lifecycle management | 6 years |
| Remediation records | Governance documentation | 6 years |

Troubleshooting & Validation

Common Issues and Solutions

| Issue | Possible Cause | Solution |
|---|---|---|
| Data access governance reports not available | SharePoint Advanced Management not licensed | Verify SharePoint Advanced Management Plan 1 license is assigned; navigate to M365 Admin Center > Billing to confirm |
| Site attestation policy not sending notifications | Email settings misconfigured or owners not defined | Verify site owners are assigned; check notification settings in policy; review mail flow rules |
| Access review not starting automatically | Recurrence pattern misconfigured | Verify recurrence settings in review definition; check that start date is not in the past |
| Decisions not being auto-applied | Auto-apply disabled or permissions insufficient | Enable autoApplyDecisionsEnabled in review settings; verify service principal has appropriate permissions |
| Export fails with permission error | Insufficient Graph API permissions | Ensure AccessReview.ReadWrite.All scope is consented; reconnect with appropriate scopes |
| Site owners not receiving attestation requests | Owner property not set on site | Use Get-SPOSite to verify owner; use Set-SPOSite -Owner to assign appropriate owner |
| Compliance reports showing stale data | Snapshot not recently generated | Navigate to Data access governance and click "Get started" to generate fresh snapshot |

Diagnostic Commands

# Check access review health
Get-MgIdentityGovernanceAccessReviewDefinition |
    Select-Object DisplayName, Status, LastModifiedDateTime |
    Format-Table

# Verify site ownership
Get-SPOSite -Identity "https://tenant.sharepoint.com/sites/agent-knowledge" |
    Select-Object Url, Owner, SecondaryContact

# Check attestation policy status (via admin center - no direct PowerShell)
Write-Host "Navigate to: SharePoint Admin Center > Policies > Site lifecycle management" -ForegroundColor Yellow

Additional Resources


| Control | Relationship | Priority |
|---|---|---|
| 1.6 Sensitivity Labels | Labels determine review scope and frequency | High |
| 1.18 RBAC | Access reviews validate RBAC implementation | High |
| 2.1 Managed Environments | Provides governance framework for review processes | Medium |
| 4.1 IAG / RCD | Reviews identify sites needing restrictions | High |
| 4.3 Site Classification | Classification determines review requirements | High |
| 4.4 Guest Access | Reviews verify guest access appropriateness | High |
| 4.5 Monitoring | Continuous monitoring complements periodic reviews | Medium |
| 3.1 Agent Inventory | Identifies agents using SharePoint as knowledge source | Medium |

Support & Questions

For implementation support or questions about this control, contact:

  • SharePoint Administrator: Report generation and policy configuration
  • Identity Governance Administrator: Access review workflows in Entra ID
  • AI Governance Lead: Review scope and procedures for agent-related sites
  • Compliance Officer: Attestation requirements and regulatory evidence
  • Internal Audit: Review process validation and evidence collection

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification