
Control 4.5: SharePoint Security and Compliance Monitoring

Overview

Control ID: 4.5
Control Name: SharePoint Security and Compliance Monitoring
Regulatory Reference: GLBA 501(b), SOX 404, FINRA 4511, SEC 17a-3/4
Setup Time: 1-2 hours
License Requirement: SharePoint Advanced Management Plan 1 for full capabilities


Purpose

Monitor SharePoint security posture, agent activity, and compliance status to ensure AI agents accessing SharePoint-based knowledge sources operate within established governance boundaries. This control provides visibility into how AI agents interact with SharePoint content, enabling proactive identification of security risks, unauthorized access patterns, and compliance gaps before they become incidents. For financial services organizations, continuous monitoring of agent-SharePoint interactions is essential for demonstrating regulatory compliance and maintaining proper supervision over AI-powered systems.


Key Capabilities

Agent Insights

Monitor AI agent activity across SharePoint and OneDrive.

Navigation: SharePoint Admin Center → Reports → Agent insights

Available Reports:

Report | Description | Use Case
SharePoint agents | List of agents created across SharePoint/OneDrive | Agent inventory for governance
Agent access | Agents accessing content across sites | Monitor agent data access patterns

Report Details:

  • View and download list of SharePoint agents
  • See which agents are accessing which content
  • Identify unauthorized agent access to sensitive sites

Data Access Governance Reports

Comprehensive reports on permissions and sharing.

Navigation: SharePoint Admin Center → Reports → Data access governance

Report Categories:

Category | Reports
Snapshot reports | Site permissions, user permissions, sensitivity labels
Activity reports | Sharing links, oversharing indicators
Review requests | Pending governance actions

Dashboard Monitoring

SharePoint Admin Center home dashboard provides at-a-glance metrics.

Navigation: SharePoint Admin Center → Home

Dashboard Cards:

  • Sensitivity labels across sites (labeled vs. unlabeled)
  • Information barriers status
  • OneDrive file activity
  • Message center announcements

Advanced Management Reports

Microsoft 365 Copilot readiness and content management assessments.

Navigation: SharePoint Admin Center → Advanced management

Assessments:

Assessment | Metrics
Site lifecycle | Site inactivity, missing site ownership
Oversharing | Broken permission inheritance, org-wide permissions, anyone links

Prerequisites

Primary Owner Admin Role: SharePoint Admin
Supporting Roles: None

Licenses Required

License | Purpose | Required For
Microsoft 365 E5 | Advanced security and compliance features | Full monitoring capabilities
Microsoft Defender for Office 365 P2 | Threat detection and response | Real-time threat monitoring
SharePoint Advanced Management | Agent insights and governance reports | Level 2+
Microsoft Purview Audit (Premium) | Extended audit retention | Regulatory compliance
Microsoft Sentinel | SIEM integration | Level 4

Permissions Required

Role | Purpose | Assignment Method
SharePoint Administrator | Full access to SharePoint Admin Center | Entra ID
Security Administrator | Access to security monitoring dashboards | Entra ID
Compliance Administrator | Access to compliance reports and audit logs | Entra ID
Reports Reader | Read-only access to reports | Entra ID
Global Reader | Read-only access to admin centers | Entra ID

Dependencies

Dependency | Description | Verification
SharePoint Online | SharePoint must be enabled in tenant | Check M365 Admin Center
Unified audit logging | Must be enabled at tenant level | Check Purview → Audit
Agent insights | Requires SharePoint Advanced Management | Check license assignment
Microsoft Defender | For threat detection capabilities | Verify Defender portal access
Retention policies | Define log retention periods | Configure in Purview

Pre-Setup Checklist

  • [ ] SharePoint Admin role assigned to monitoring personnel
  • [ ] SharePoint Advanced Management license available
  • [ ] Unified audit logging enabled in Microsoft Purview
  • [ ] Retention requirements documented per regulation
  • [ ] SIEM integration requirements identified
  • [ ] Agent inventory available to identify what to monitor
  • [ ] Baseline security posture documented

Governance Levels

Baseline (Level 1)

Requirement | Implementation
Agent activity monitoring | Monthly review of Agent insights reports
Basic dashboard review | Weekly review of Home dashboard
Security event awareness | Subscribe to Message center notifications

Implementation Steps:

  1. Navigate to SharePoint Admin Center
  2. Review Home dashboard for key metrics
  3. Navigate to Reports → Agent insights
  4. View "SharePoint agents" report to inventory agents
  5. View "Agent access" report to understand access patterns
  6. Schedule monthly review calendar reminder

Requirement | Implementation
Weekly agent access review | Review Agent access report weekly
Data access governance monitoring | Monthly permissions and sharing review
Oversharing assessments | Run assessments quarterly
Compliance dashboard | Create custom monitoring dashboard

Additional Steps:

  1. Navigate to Reports → Data access governance
  2. Run all snapshot reports to establish baseline
  3. Schedule weekly review of Activity reports
  4. Navigate to Advanced management
  5. Run "Oversharing" assessment
  6. Create remediation plan for flagged items

Regulated/High-Risk (Level 4)

Requirement | Implementation
Real-time threat monitoring | Integrate with Microsoft Sentinel
SOC integration | Alert SOC on security events
Automated response | Configure automated containment actions
Comprehensive audit trail | All monitoring data retained per regulation
Comprehensive audit trail All monitoring data retained per regulation

Additional Requirements:

  • Configure Microsoft Sentinel data connector for SharePoint
  • Create analytics rules for agent-related security events
  • Establish incident response procedures for SharePoint threats
  • Integrate monitoring with broader SIEM/SOC operations

Setup & Configuration

Step 1: Enable Reporting Access

Ensure appropriate access:

  1. Assign SharePoint Administrator role to monitoring personnel
  2. For Report Readers: Assign Reports Reader role
  3. Verify access to SharePoint Admin Center

Step 2: Configure Agent Insights Monitoring

Establish agent monitoring:

  1. Navigate to Reports → Agent insights
  2. Click View reports under "SharePoint agents"
  3. Review agent list and document findings
  4. Click View reports under "Agent access"
  5. Identify agents accessing sensitive sites
  6. Cross-reference with governance approval records

Step 3: Establish Data Access Governance Baseline

Create baseline reports:

  1. Navigate to Reports → Data access governance
  2. Click Get started to run initial assessment
  3. Generate all snapshot reports
  4. Export reports for baseline documentation
  5. Identify immediate remediation items

Step 4: Configure Advanced Management Assessments

Run Copilot readiness assessment:

  1. Navigate to Advanced management → Overview
  2. Click Start assessment
  3. Review Site lifecycle results:
       • Site inactivity
       • Missing site ownership
  4. Review Oversharing results:
       • Broken permission inheritance
       • Org-wide site permissions
       • Organization and anyone sharing links
  5. Click View recommendations for remediation guidance

Step 5: Establish Monitoring Cadence

Create monitoring schedule:

Activity | Frequency | Responsible Role
Dashboard review | Daily | SharePoint Admin
Agent insights review | Weekly | AI Governance Lead
Data access reports | Monthly | Compliance
Advanced assessments | Quarterly | Governance Committee
Comprehensive audit | Annually | Internal Audit

PowerShell Configuration

Connect to SharePoint and Purview

# Requires the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules

# Connect to SharePoint Online
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Connect to Exchange Online: Search-UnifiedAuditLog and Get-AdminAuditLogConfig
# are Exchange Online cmdlets
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Connect to Security & Compliance Center for Purview cmdlets such as Get-Label
Connect-IPPSSession -UserPrincipalName admin@contoso.com

# Verify connection
Get-SPOTenant | Select-Object SharingCapability, ConditionalAccessPolicy

Search Audit Logs for SharePoint Events

# Define search parameters (standard audit retention allows at most 90 days back)
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date

# Search for SharePoint file access by agents/Copilot. File operations such as
# FileAccessed are logged under the SharePointFileOperation record type; the
# SharePoint record type only covers site and tenant administration events.
$sharepointEvents = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
    -RecordType SharePointFileOperation -Operations FileAccessed,FileDownloaded,FileModified `
    -ResultSize 5000

Write-Host "Found $($sharepointEvents.Count) SharePoint events"

# Filter for agent-related access patterns. Match on the parsed application name:
# matching "*Agent*" against the raw AuditData JSON would hit the "UserAgent"
# field that is present in every SharePoint record. This remains a heuristic.
$agentAccessEvents = $sharepointEvents | Where-Object {
    $app = ($_.AuditData | ConvertFrom-Json).ApplicationDisplayName
    $app -like "*Copilot*" -or $app -like "*Agent*"
}

Write-Host "Found $($agentAccessEvents.Count) agent-related events"

# Export to CSV for analysis
$sharepointEvents | Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path "SharePoint-Audit-Log-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation
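Step 2 above asks you to identify agents accessing sensitive sites and cross-reference them with governance approval records. The following added example (not part of the original control page) automates that check over audit records: it parses each AuditData payload, keeps agent traffic against governed sites, and reports every access that has no matching approval entry. The sample records, the sensitive-site list and the approval register are constructed, and the agent names carried in ApplicationDisplayName are assumptions.

```powershell
# Constructed sample records, shaped like Search-UnifiedAuditLog output
# (CreationDate, UserIds, Operations, AuditData JSON). Not real tenant data.
# Field names inside AuditData follow the SharePoint file-operation audit schema;
# how a given agent is named in ApplicationDisplayName is an assumption.
$sampleEvents = @(
    [PSCustomObject]@{ CreationDate = '2025-01-15T09:12:00Z'; UserIds = 'agent-finance@contoso.com'; Operations = 'FileAccessed'
        AuditData = '{"UserId":"agent-finance@contoso.com","ApplicationDisplayName":"Finance Copilot Agent","SiteUrl":"https://contoso.sharepoint.com/sites/FinanceReporting/","SourceFileName":"Q4-close.xlsx"}' }
    [PSCustomObject]@{ CreationDate = '2025-01-15T09:40:00Z'; UserIds = 'agent-finance@contoso.com'; Operations = 'FileDownloaded'
        AuditData = '{"UserId":"agent-finance@contoso.com","ApplicationDisplayName":"Finance Copilot Agent","SiteUrl":"https://contoso.sharepoint.com/sites/CustomerRecords/","SourceFileName":"kyc-batch.csv"}' }
    [PSCustomObject]@{ CreationDate = '2025-01-15T10:05:00Z'; UserIds = 'agent-helpdesk@contoso.com'; Operations = 'FileAccessed'
        AuditData = '{"UserId":"agent-helpdesk@contoso.com","ApplicationDisplayName":"HR Helpdesk Agent","SiteUrl":"https://contoso.sharepoint.com/sites/CustomerRecords/","SourceFileName":"account-list.xlsx"}' }
    [PSCustomObject]@{ CreationDate = '2025-01-15T10:30:00Z'; UserIds = 'jdoe@contoso.com'; Operations = 'FileAccessed'
        AuditData = '{"UserId":"jdoe@contoso.com","ApplicationDisplayName":"Microsoft Office","SiteUrl":"https://contoso.sharepoint.com/sites/CustomerRecords/","SourceFileName":"account-list.xlsx"}' }
)

function Find-UnapprovedAgentAccess {
    param(
        [Parameter(Mandatory)] [object[]]  $Events,          # audit records (live or sample)
        [Parameter(Mandatory)] [string[]]  $SensitiveSites,  # site URLs under governance review
        [Parameter(Mandatory)] [hashtable] $ApprovedAccess   # agent name -> approved site URLs
    )
    foreach ($e in $Events) {
        $d = $e.AuditData | ConvertFrom-Json
        $app = [string]$d.ApplicationDisplayName
        # Same heuristic as the filter above, applied to the application name
        # rather than the raw JSON (which contains "UserAgent" in every record)
        if (-not ($app -like '*Copilot*' -or $app -like '*Agent*')) { continue }
        $site = ([string]$d.SiteUrl).TrimEnd('/')
        if ($site -notin $SensitiveSites) { continue }        # only governed sites matter here
        $allowedSites = $ApprovedAccess[$app]                 # $null when the agent is unknown
        if ($allowedSites -and ($site -in $allowedSites)) { continue }
        $finding = if ($allowedSites) { 'Approved agent, site not in approval record' } else { 'No governance approval record for this agent' }
        [PSCustomObject]@{
            Timestamp = $e.CreationDate
            Agent     = $app
            Identity  = $d.UserId
            Operation = $e.Operations
            Site      = $site
            File      = $d.SourceFileName
            Finding   = $finding
        }
    }
}

# Governance register (constructed): which sites are sensitive and which agent
# holds a documented approval for which site
$sensitiveSites = @(
    'https://contoso.sharepoint.com/sites/FinanceReporting',
    'https://contoso.sharepoint.com/sites/CustomerRecords'
)
$approvedAccess = @{
    'Finance Copilot Agent' = @('https://contoso.sharepoint.com/sites/FinanceReporting')
}

$findings = Find-UnapprovedAgentAccess -Events $sampleEvents -SensitiveSites $sensitiveSites -ApprovedAccess $approvedAccess
$findings | Format-Table -AutoSize
# Against the tenant, pass $agentAccessEvents from the search above as -Events
```

Each finding is the evidence row Step 2 asks you to keep: an agent, a governed site, and whether an approval record exists for that pairing.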

Get Sensitive File Access

# Search for access to files with sensitivity labels
$sensitiveFileAccess = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
    -RecordType SharePointFileOperation -Operations FileAccessed,FileDownloaded `
    -FreeText "Sensitivity" -ResultSize 5000

# Parse and analyze results, keeping only records that actually carry a label id
$accessReport = $sensitiveFileAccess | ForEach-Object {
    $auditData = $_.AuditData | ConvertFrom-Json
    if (-not $auditData.SensitivityLabelId) { return }   # skip unlabeled files
    [PSCustomObject]@{
        Timestamp        = $_.CreationDate
        User             = $_.UserIds
        Operation        = $_.Operations
        FileName         = $auditData.SourceFileName     # ObjectId holds the full file URL
        FileUrl          = $auditData.ObjectId
        SiteUrl          = $auditData.SiteUrl
        SensitivityLabel = $auditData.SensitivityLabelId # label GUID; resolve names with Get-Label
    }
}

$accessReport | Export-Csv -Path "Sensitive-File-Access-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation

Export Security Monitoring Configuration

# Export SharePoint security settings (query the tenant once and reuse it)
$tenant = Get-SPOTenant
$securityConfig = @{
    TenantSettings = $tenant | Select-Object *
    SharingSettings = $tenant | Select-Object SharingCapability, DefaultSharingLinkType,
        ExternalUserExpirationRequired, ExternalUserExpireInDays
    ConditionalAccess = $tenant | Select-Object ConditionalAccessPolicy,
        AllowDownloadingNonWebViewableFiles
    ExportDate = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
}

$securityConfig | ConvertTo-Json -Depth 10 |
    Out-File "SharePoint-Security-Config-$(Get-Date -Format 'yyyy-MM-dd').json"

# Export site-level settings for high-risk sites.
# Get-SPOSite returns SensitivityLabel as the label GUID, so resolve the
# "Highly Confidential" display name through the Purview session first.
$highlyConfidentialId = (Get-Label | Where-Object { $_.DisplayName -eq "Highly Confidential" }).Guid
$highRiskSites = Get-SPOSite -Limit All | Where-Object {
    ($highlyConfidentialId -and $_.SensitivityLabel -eq $highlyConfidentialId) -or
    $_.LockState -ne "Unlock"
}

$highRiskSites | Select-Object Url, Owner, SensitivityLabel, SharingCapability,
    ConditionalAccessPolicy, LockState |
    Export-Csv -Path "HighRisk-Sites-$(Get-Date -Format 'yyyy-MM-dd').csv" -NoTypeInformation

Create Compliance Reports

# Generate comprehensive compliance report (enumerate sites once and reuse the list)
$allSites = @(Get-SPOSite -Limit All)
$complianceReport = @{
    ReportDate = Get-Date -Format "yyyy-MM-dd"
    TotalSites = $allSites.Count
    LabeledSites = @($allSites | Where-Object { $_.SensitivityLabel }).Count
    ExternalSharingSites = @($allSites | Where-Object {
        $_.SharingCapability -ne "Disabled"
    }).Count
    # A geo restriction is only in force for BlockMoveOnly/BlockFull; testing the
    # property for truthiness would count every site that has any value set
    RestrictedSites = @($allSites | Where-Object {
        $_.RestrictedToGeo -in @("BlockMoveOnly", "BlockFull") -or
        $_.ConditionalAccessPolicy -ne "AllowFullAccess"
    }).Count
}

# Export compliance summary
$complianceReport | ConvertTo-Json |
    Out-File "SharePoint-Compliance-Summary-$(Get-Date -Format 'yyyy-MM-dd').json"

# Create audit event summary for regulators. File operations live under
# SharePointFileOperation; rerun with -RecordType SharePoint (admin events) or
# SharePointSharingOperation (sharing events) for those categories.
$auditSummary = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -RecordType SharePointFileOperation -ResultSize 5000 |
    Group-Object Operations |
    Select-Object Name, Count |
    Sort-Object Count -Descending

$auditSummary | Export-Csv -Path "SharePoint-Audit-Summary-90Days.csv" -NoTypeInformation

Write-Host "Compliance reports generated successfully"

Financial Sector Considerations

Regulatory Mapping

Regulation | Section | Requirement | How This Control Addresses
FINRA 4511 | (a)(1) | Books and records retention | Agent insights provide audit trail of AI access to records
FINRA 4511 | (c) | Supervision requirements | Continuous monitoring enables supervisory oversight
SEC 17a-4 | (f) | Electronic records accessibility | Data access reports verify content remains accessible
SEC 17a-4 | (b)(4) | Index availability | Governance reports enable content indexing verification
GLBA 501(b) | Security program | Ongoing risk assessment | Dashboard monitoring identifies security risks
GLBA 501(b) | Information security | Monitor access to customer data | Agent access reports track customer data access
SOX 404 | (a) | Internal controls assessment | Reports provide evidence for control testing
SOX 404 | (b) | Control effectiveness | Continuous monitoring validates control operation

Tier-Specific Monitoring Requirements

Tier | Monitoring Level | Key Metrics | Review Frequency
Tier 1 | Basic | Agent count, basic access patterns | Monthly
Tier 2 | Standard | Agent access, sharing activity, oversharing | Weekly
Tier 3 | Enhanced | All metrics, anomaly detection, real-time alerts | Daily

FSI Example YAML

# SharePoint Security Monitoring Configuration for FSI
sharepoint_monitoring:
  organization: "Contoso Financial Services"
  environment: "Production"
  last_updated: "2025-01-15"

  monitoring_levels:
    zone_1:
      name: "Internal Productivity"
      review_frequency: "monthly"
      dashboards:
        - home_dashboard
      reports:
        - agent_insights_monthly
      alerts: false

    zone_2:
      name: "Business Operations"
      review_frequency: "weekly"
      dashboards:
        - home_dashboard
        - data_access_governance
      reports:
        - agent_insights_weekly
        - sharing_activity
        - oversharing_assessment
      alerts: true
      alert_threshold: "high_severity"

    zone_3:
      name: "Customer Facing"
      review_frequency: "daily"
      dashboards:
        - home_dashboard
        - data_access_governance
        - security_dashboard
      reports:
        - agent_access_daily
        - sensitive_content_access
        - permissions_snapshot
        - anomaly_detection
      alerts: true
      alert_threshold: "medium_severity"
      soc_integration: true

    zone_4:
      name: "Highly Regulated"
      review_frequency: "continuous"
      dashboards:
        - all_dashboards
      reports:
        - real_time_monitoring
        - comprehensive_audit
        - regulatory_evidence
      alerts: true
      alert_threshold: "all"
      soc_integration: true
      sentinel_integration: true
      automated_response: true

  compliance_requirements:
    finra_4511:
      enabled: true
      retention_years: 6
      supervision_review: "weekly"

    sec_17a4:
      enabled: true
      worm_storage: true
      retention_years: 7

    glba:
      enabled: true
      customer_data_monitoring: true
      risk_assessment_frequency: "quarterly"

    sox_404:
      enabled: true
      control_testing: "annual"
      evidence_retention: true

  reporting:
    executive_dashboard: true
    regulatory_reports: true
    export_format: "CSV"
    retention_days: 2555  # 7 years

Regulatory Context

Primary Regulations: GLBA 501(b), SOX 404, FINRA 4511, SEC 17a-3/4

Regulation | Requirement | How This Control Addresses
GLBA 501(b) | Ongoing security monitoring | Continuous SharePoint security visibility
SOX 404 | Control monitoring and testing | Dashboard and reports provide control evidence
FINRA 4511 | Supervision of communications | Agent access monitoring enables supervision
SEC 17a-3/4 | Records accessibility | Reports verify content accessibility

Advanced Management Features Reference

Based on Advanced management → All features tab:

Feature | Location | Purpose
Block download policy | PowerShell | Prevent downloads for sensitive sites
Change history | Reports → Change history | Track configuration changes
Conditional access policies | Microsoft Entra | Control access by conditions
Data access governance reports | Reports → Data access governance | Permission visibility
OneDrive access restriction | Access control | Restrict OneDrive access
Recent actions | Active sites → Recent actions | View recent site changes
Site lifecycle management | Policies → Site lifecycle management | Automate site lifecycle
Site-level access restriction | Access control | Restrict site access

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply a baseline minimum of SharePoint Security and Compliance Monitoring controls that impact tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Avoid expanding scope beyond the user’s own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Apply the control for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate configuration in a pilot environment before broader rollout; retain evidence (screenshots/exports/logs).
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest configuration for SharePoint Security and Compliance Monitoring controls and enforce it via policy where possible (not manual-only).
  • Treat changes as controlled (change ticket + documented testing); retain evidence (screenshots/exports/logs).
  • Rationale: enterprise agents handle the most sensitive content and are the highest audit/regulatory risk.

Verification & Testing

Test Procedure

  1. Navigate to SharePoint Admin Center → Home
  2. Verify dashboard cards are displaying data
  3. Navigate to Reports → Agent insights
  4. Click "View reports" for both agent reports
  5. Navigate to Reports → Data access governance
  6. Run "Site permissions across your organization" report
  7. Navigate to Advanced management
  8. Review assessment results

Expected Results:

  • [ ] Home dashboard displays current metrics
  • [ ] Agent insights reports show agent inventory
  • [ ] Agent access report shows content access patterns
  • [ ] Data access governance reports generate successfully
  • [ ] Advanced management assessments complete

Verification Evidence

Evidence Type | Location | Retention
Dashboard screenshot | Home page | Weekly
Agent insights report export | Agent insights | Monthly
Permissions report export | Data access governance | Monthly
Assessment results | Advanced management | Quarterly

Troubleshooting & Validation

Common Issues

Issue | Symptoms | Solution
Agent insights not appearing | "View reports" shows no data or errors | Verify SharePoint Advanced Management license is assigned; data may take 24-48 hours to populate initially
Data access reports empty | Reports generate but show no content | Ensure site activity exists; run "Get started" to initialize baseline if first use
Dashboard cards missing data | Home dashboard shows blanks or errors | Check SharePoint Admin role assignment; verify browser isn't blocking scripts
Audit log search returns no results | Search completes but finds nothing | Verify unified audit logging is enabled; check date range (max 90 days for standard)
Advanced management features unavailable | Features grayed out or missing | Confirm SharePoint Advanced Management license; some features require E5
Export failures | Report export times out or fails | Reduce date range; filter by specific users or operations; try during off-peak hours
Real-time alerts not triggering | Expected alerts not received | Check alert policy configuration; verify recipient email; review alert threshold settings

Diagnostic Steps

  1. Verify licensing:

    Get-MgSubscribedSku | Where-Object { $_.SkuPartNumber -like "*SPE_E5*" -or $_.SkuPartNumber -like "*SHAREPOINTENTERPRISE*" }

  2. Check audit logging status:

    Get-AdminAuditLogConfig | Select-Object UnifiedAuditLogIngestionEnabled

  3. Verify SharePoint Admin access:

    Get-MgUserMemberOf -UserId "admin@contoso.com" | Where-Object { $_.AdditionalProperties.displayName -like "*SharePoint*" }

  4. Test report generation:
       • Navigate to SharePoint Admin Center → Reports → Data access governance
       • Click "Get started" to run initial assessment
       • Wait for completion (may take several hours for large tenants)

Additional Resources


Control | Relationship
1.7 Audit Logging | Audit logs complement SharePoint monitoring for comprehensive visibility
1.10 Communication Compliance | Monitor agent communications involving SharePoint content
3.1 Agent Inventory | Agent insights feeds inventory; use together for complete agent visibility
3.9 Sentinel Integration | Advanced security monitoring and SIEM integration for SharePoint events
4.1 IAG / RCD | Monitoring identifies content requiring access restrictions
4.2 Access Reviews | Reports support periodic access certification reviews
4.3 Site and Document Retention | Monitor retention policy application and compliance
4.4 Guest Access Controls | Guest access monitoring identifies governance gaps

Support & Questions

For implementation support or questions about this control, contact:

  • SharePoint Administrator: Report configuration and site settings
  • Security Operations: Threat monitoring and incident response
  • AI Governance Lead: Agent access review and policy enforcement
  • Compliance Team: Regulatory evidence and audit support

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification