
Control 1.7: SharePoint Advanced Management Readiness for Copilot

Control ID: 1.7
Pillar: Readiness & Assessment
Regulatory Reference: GLBA 501(b), FFIEC IT Examination Handbook (Information Security Booklet)
Last Verified: 2026-02-17
Governance Levels: Baseline / Recommended / Regulated


Objective

Evaluate and deploy SharePoint Advanced Management (SAM) capabilities that provide Copilot-specific governance features including Data Access Governance (DAG) reports, site access reviews, Restricted Content Discovery (RCD), Restricted Access Control (RAC), and site lifecycle management. SAM extends the standard SharePoint admin experience with enterprise-grade governance tools that are critical for managing Copilot's interaction with SharePoint content at scale in regulated financial services environments.


Why This Matters for FSI

  • GLBA 501(b): SAM provides the technical tooling to implement and monitor safeguards for customer information stored in SharePoint. DAG reports specifically identify where customer data may be overshared, directly supporting GLBA safeguard requirements. Per GLBA Section 501(b), DAG reports and Restricted Access Control support the safeguards requirement by providing visibility into who has access to customer information and enforcing least-privilege access boundaries.
  • FFIEC IT Examination Handbook (Information Security): SAM features align with FFIEC expectations for access control monitoring, data access governance, and lifecycle management of information assets. These are foundational capabilities for technology risk management.
  • SOX 302/404: SAM site access reviews support periodic access certification requirements for sites containing financial data, supporting internal control assessment obligations.
  • SEC Regulation S-P: Restricted Content Discovery prevents Copilot from surfacing consumer financial information stored on specific SharePoint sites, supporting privacy safeguards. Restricted Access Control enforces least-privilege access boundaries per SEC Regulation S-P requirements.
  • Data Governance Best Practices: SAM represents Microsoft's enterprise governance layer for SharePoint and is a prerequisite for effective Copilot governance at scale.

Control Description

SAM Licensing Requirements

SharePoint Advanced Management (SAM) is included with Microsoft 365 Copilot licenses at no additional cost, enabling SharePoint administrators to deploy all SAM governance capabilities for Copilot environments (announced at Microsoft Ignite 2024, effective early 2025).

| License | Includes SAM | Notes |
|---|---|---|
| Microsoft 365 E3 | No | SAM available via standalone add-on or Copilot license |
| Microsoft 365 E5 | No | SAM available via standalone add-on or Copilot license |
| Microsoft 365 Copilot | Yes | SAM included at no additional cost for Copilot governance (Ignite 2024) |
| SharePoint Advanced Management add-on | Yes | Per-user license for organizations without Copilot licenses (~$3/user/month) |
| Microsoft Syntex (SharePoint Premium) | Yes | Includes SAM capabilities |

Licensing note: Organizations deploying Microsoft 365 Copilot already have access to all SAM governance capabilities and do not need to factor SAM into their Copilot deployment cost model. For SharePoint administrators who do not hold a Copilot license — such as IT staff managing SharePoint governance without using Copilot — the standalone SAM add-on provides equivalent access to SAM features.

SAM Feature Overview for Copilot Governance

SharePoint Advanced Management includes several features directly relevant to Copilot governance:

| SAM Feature | Copilot Governance Use | Availability |
|---|---|---|
| Data Access Governance (DAG) Reports | Identify sites with oversharing, broad access, and sharing patterns that Copilot could exploit | Included with SAM (Copilot license or add-on) |
| Site Access Reviews | Trigger periodic access reviews with site owners to certify that current permissions are appropriate before Copilot deployment | Included with SAM |
| Restricted Content Discovery (RCD) | Exclude specific SharePoint sites from Copilot content discovery while maintaining direct user access | Included with SAM |
| Restricted Access Control (RAC) | Enforce a maximum access boundary on SharePoint sites, limiting access to security group members regardless of sharing links | Included with SAM |
| Site Lifecycle Management | Automate inactive site detection, owner notification, and archival to remove stale content from Copilot's grounding scope | Included with SAM |
| Block Download Policy | Prevent file downloads from specific sites, which also restricts Copilot's ability to process content from those sites | Included with SAM |
| Conditional Access for SharePoint Sites | Apply site-level conditional access policies that restrict Copilot access in specific contexts | Included with SAM |
| Change History | Track configuration changes to SharePoint sites for audit trail | Included with SAM |

Data Access Governance (DAG) Reports

DAG reports are purpose-built for identifying access risks that Copilot amplifies:

| Report Type | What It Shows | Copilot Relevance |
|---|---|---|
| Sharing links report | Sites with the most sharing links (anonymous, company-wide, specific people) | Sharing links are access paths Copilot can traverse |
| Sensitivity labels report | Sites with and without sensitivity labels applied | Unlabeled sites cannot be governed by label-based Copilot controls |
| "Everyone except external users" report | Sites shared with the EEEU group | EEEU is the #1 oversharing vector for Copilot |
| Oversharing baseline report | Aggregate oversharing score across the tenant | Overall risk metric for Copilot deployment readiness |
| Content sharing report | Detailed sharing activity per site | Identifies actively shared content that Copilot will likely surface |
| Site permissions snapshot report | Point-in-time view of all site permissions across the tenant | Supports pre-deployment Copilot readiness audits; captures full permission state before Copilot go-live |

The site permissions snapshot report is particularly useful for establishing a permission baseline before Copilot deployment and for compliance evidence demonstrating that permissions were reviewed before enabling AI access to SharePoint content.

Site Access Reviews

SAM enables automated site access review workflows:

1. TRIGGER: Admin initiates access review for selected sites
       |
2. NOTIFY: Site owners receive access review request
       |
3. REVIEW: Site owners review and certify current permissions
       |
4. REMEDIATE: Site owners remove inappropriate access
       |
5. CERTIFY: Review completion documented with timestamp
       |
6. REPORT: Admin reviews certification status across all sites

Access review parameters:

| Parameter | Configuration Options |
|---|---|
| Scope | All sites, sites with specific labels, sites above sharing threshold |
| Frequency | One-time, quarterly, semi-annual, annual |
| Reviewer | Site owner (primary), site collection admin (secondary) |
| Escalation | Auto-escalate uncompleted reviews to admin after deadline |
| Auto-remediation | Optionally restrict access on sites with uncompleted reviews |

Restricted Content Discovery (RCD)

RCD is a per-site control that excludes specific SharePoint sites from Copilot content discovery:

| Aspect | RCD Behavior |
|---|---|
| Copilot search | Content on RCD-enabled sites is excluded from Copilot grounding queries |
| Direct access | Users can still navigate directly to the site and access content normally |
| SharePoint search | Content may still appear in direct SharePoint search results (configurable) |
| Scope | Per-site configuration -- applied to individual site collections |
| Use case | Sites containing sensitive data that should not be surfaced by Copilot (e.g., HR data, legal holds, M&A data rooms) |

Configuration path: SharePoint Admin Center > Sites > Active sites > [site] > Settings > Restricted Content Discovery

Restricted Access Control (RAC)

Restricted Access Control is a SAM capability that enforces a maximum access boundary on SharePoint sites, directly supporting oversharing remediation for Copilot governance:

| Aspect | RAC Behavior |
|---|---|
| How it works | Restricts access to a SharePoint site to only members of the site's associated security group, regardless of existing sharing permissions |
| Key distinction | Unlike sharing permissions, which grant additional access, RAC enforces a maximum access boundary -- anyone not in the designated security group cannot access the site even if they have a sharing link |
| Copilot impact | Copilot cannot surface content from a RAC-enabled site to users who are not in the designated security group, even if those users hold a sharing link |
| Scope | Per-site configuration |
| Use case | Sensitive sites that should only be accessible to a defined group — financial model repositories, M&A deal rooms, regulatory examination sites, NPI datastores |

Configuration path: SharePoint Admin Center > Sites > Active sites > [site] > Settings > Restricted Access Control

RAC is a strong complement to RCD: RCD excludes a site from Copilot discovery, while RAC ensures that only authorized users can access the site at all. Sites containing material non-public information (MNPI) or non-public personal information (NPI) should be considered for both controls.

Site Lifecycle Management

SAM's site lifecycle management helps reduce Copilot's exposure to stale content:

| Lifecycle Stage | SAM Capability | Copilot Impact |
|---|---|---|
| Active | Site activity monitoring, owner verification | Content available to Copilot within permission scope |
| Inactive detection | Automated detection of sites with no activity for a configurable period | Identifies stale content that may produce outdated Copilot responses |
| Owner notification | Automated email to site owners requesting confirmation of site need | Prompts cleanup of unnecessary content |
| Archival | Move inactive sites to archive state | Archived content removed from active Copilot grounding scope |
| Deletion | Scheduled deletion of confirmed unnecessary sites | Permanent removal from Copilot scope |

Copilot Surface Coverage

| Copilot Surface | SAM Governance Relevance | Key Feature |
|---|---|---|
| Microsoft 365 Copilot Chat | Critical | RCD, RAC, and DAG directly govern what Copilot Chat can access in SharePoint |
| SharePoint Copilot | Critical | SAM governs the primary content repository for SharePoint Copilot |
| Teams Copilot | High | Teams-linked SharePoint sites are governed by SAM |
| Word / Excel / PowerPoint | High | Documents stored in SharePoint are subject to SAM governance |
| OneDrive Copilot | Low | SAM primarily governs SharePoint, not OneDrive |
| Outlook Copilot | Low | SAM does not directly govern Exchange content |
| Copilot Pages | Medium | Pages may reference SharePoint content governed by SAM |
| Loop Copilot | Medium | Loop may reference SharePoint content governed by SAM |
| Viva Copilot | Medium | Viva may surface SharePoint content governed by SAM |

Governance Levels

| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Verify SAM licensing (included with Copilot licenses). Generate DAG reports to understand current sharing and oversharing posture, including the site permissions snapshot report for a pre-deployment permission baseline. Document SAM feature availability and gap analysis. | Minimum awareness of SAM capabilities and current data access posture. Organizations with Copilot licenses already have SAM available -- this tier is about activating and using the baseline reporting capabilities. |
| Recommended | All Baseline requirements plus: enable DAG reporting with monthly review cadence. Configure RCD for sites containing highly sensitive data that should not be in Copilot scope. Deploy RAC on the 10 most sensitive sites (e.g., sites containing NPI, MNPI, or regulatory examination materials). Initiate site access reviews for the top 50 sites with broadest sharing. Enable site lifecycle management for inactive site detection. | Active use of SAM governance features to manage Copilot's SharePoint interaction at enterprise scale. RAC provides an additional oversharing safeguard beyond sharing permissions alone. |
| Regulated | All Recommended requirements plus: configure quarterly site access reviews for all sites containing regulated data. Enable RCD for all sites that have not passed data hygiene certification. Enable RAC on all sites containing NPI or MNPI with quarterly review of security group membership. Implement automated site lifecycle management with 90-day inactivity detection. Integrate DAG reports into compliance dashboards. Document SAM governance configuration in the regulatory examination file. Establish a SAM configuration change management process. | Comprehensive SAM governance that provides examination-ready data access controls and documented evidence of SharePoint governance for Copilot. |

Setup & Configuration

Step 1: Verify SAM Licensing

Navigate to Microsoft 365 Admin Center > Billing > Licenses and verify:

  • If the organization has Microsoft 365 Copilot licenses, SAM is already included -- no additional purchase is required
  • If the organization does not have Copilot licenses, verify whether the SharePoint Advanced Management add-on is provisioned and assigned to SharePoint administrators

Step 2: Enable and Run DAG Reports

Navigate to SharePoint Admin Center > Data access governance and:

  1. Run the "Sharing links" report to identify sites with broad sharing
  2. Run the "Sensitivity labels" report to identify unlabeled sites
  3. Run the "Everyone except external users" report to identify EEEU sharing
  4. Run the "Site permissions snapshot" report for a point-in-time view of all site permissions (use as pre-deployment baseline evidence)
  5. Review the oversharing baseline report for aggregate risk scoring
  6. Schedule recurring report generation (monthly minimum)

Step 3: Configure Restricted Content Discovery

For sites that should be excluded from Copilot content discovery:

Navigate to SharePoint Admin Center > Sites > Active Sites > [Select site] > Settings

Enable Restricted Content Discovery for the selected site. Verify that Copilot queries no longer surface content from the site (test with a licensed Copilot user).

Step 4: Configure Restricted Access Control

For sites that require hard access boundaries (not just Copilot exclusion):

Navigate to SharePoint Admin Center > Sites > Active Sites > [Select site] > Settings > Restricted Access Control

  1. Enable Restricted Access Control for the site
  2. Specify the designated security group whose members are permitted to access the site
  3. Verify that users with existing sharing links who are not in the security group can no longer access the site
  4. Document the RAC configuration and security group membership in governance records
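The RCD and RAC settings described in the two sections above, and in Steps 3 and 4, can also be applied and read back with the SharePoint Online Management Shell, which makes the "document the configuration" step repeatable. The script below is an added example; it is not part of this framework document or of Microsoft's own guidance. The tenant admin URL, the site URLs, the security group object ID and the output path are placeholders, and the Set-SPOSite / Get-SPOSite parameter names are those of the SharePoint Online Management Shell at the time of writing, so check them against Get-Help Set-SPOSite for the module version in use.

```powershell
# Added example (not from the framework document): enable Restricted Content Discovery (RCD)
# and Restricted Access Control (RAC) on a list of sensitive sites, then read the settings
# back and export them as dated evidence for the governance record.
# Requires the SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell)
# and an account holding the SharePoint Administrator role.

Import-Module Microsoft.Online.SharePoint.PowerShell

$adminUrl = "https://contoso-admin.sharepoint.com"          # placeholder tenant admin URL
$sites    = @(                                              # placeholder site URLs
    "https://contoso.sharepoint.com/sites/MA-DealRoom",
    "https://contoso.sharepoint.com/sites/Regulatory-Exams"
)
$authorizedGroupId = "00000000-0000-0000-0000-000000000000"  # placeholder Entra ID security group object ID
$evidencePath      = ".\sam-rcd-rac-evidence-$(Get-Date -Format yyyyMMdd).csv"

Connect-SPOService -Url $adminUrl

# RAC is switched on once at tenant level before any individual site can use it.
Set-SPOTenant -EnableRestrictedAccessControl $true

foreach ($url in $sites) {
    # RCD: remove the site from Copilot grounding; direct user access is unchanged.
    Set-SPOSite -Identity $url -RestrictContentOrgWideSearch $true

    # RAC: maximum access boundary. Only members of the security group can open the site,
    # regardless of any sharing links that already exist.
    Set-SPOSite -Identity $url -RestrictedAccessControl $true `
                -RestrictedAccessControlGroups $authorizedGroupId
}

# Read back the effective state rather than trusting that the Set-SPOSite calls succeeded.
$evidence = foreach ($url in $sites) {
    $s = Get-SPOSite -Identity $url -Detailed
    [pscustomobject]@{
        Url                           = $s.Url
        RestrictContentOrgWideSearch  = $s.RestrictContentOrgWideSearch
        RestrictedAccessControl       = $s.RestrictedAccessControl
        RestrictedAccessControlGroups = ($s.RestrictedAccessControlGroups -join ";")
        CheckedAt                     = (Get-Date).ToString("o")
    }
}
$evidence | Export-Csv -Path $evidencePath -NoTypeInformation

# Fail loudly if a site did not take both settings, so the run is not filed as compliant by mistake.
$missing = $evidence | Where-Object {
    -not $_.RestrictContentOrgWideSearch -or -not $_.RestrictedAccessControl
}
if ($missing) {
    Write-Error "RCD/RAC not fully applied on: $($missing.Url -join ', ')"
} else {
    Write-Output "RCD and RAC verified on $($sites.Count) site(s); evidence written to $evidencePath"
}
```

The exported CSV is the dated configuration record that the Verification Criteria ask for, and re-running the script on a quarterly cadence gives the Regulated tier its membership and configuration review evidence. Note that the read-back only proves the configuration state; the test in Step 4 item 3 (a user holding a sharing link but outside the security group can no longer open the site) still needs a test account, because effective access is what the control is meant to bound.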

Step 5: Initiate Site Access Reviews

Navigate to SharePoint Admin Center > Data access governance > Site access reviews:

  1. Select sites for review (start with sites flagged by DAG reports)
  2. Configure review parameters (scope, deadline, escalation)
  3. Notify site owners
  4. Monitor completion status
  5. Document outcomes

Step 6: Configure Site Lifecycle Management

Navigate to SharePoint Admin Center > Policies > Site lifecycle management:

  1. Set inactivity detection threshold (e.g., 180 days for Baseline, 90 days for Regulated)
  2. Configure owner notification templates
  3. Set archival automation rules
  4. Define deletion timelines for confirmed unnecessary sites
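The inactivity detection stage of the lifecycle policy above can be previewed before the SAM policy is switched on, so owners and the retention team see the candidate list first. The following script is an added example and not part of this framework document; it uses the LastContentModifiedDate, Owner and StorageUsageCurrent properties returned by Get-SPOSite in the SharePoint Online Management Shell. The tenant URL and the exclusion list are placeholders, and the 90-day threshold is the Regulated-tier value from this control. It archives and deletes nothing.

```powershell
# Added example (not from the framework document): list sites with no content changes for
# $inactiveDays days and group them by owner for the notification stage.
# Requires the SharePoint Online Management Shell (Microsoft.Online.SharePoint.PowerShell)
# and an account holding the SharePoint Administrator role.

Import-Module Microsoft.Online.SharePoint.PowerShell

$adminUrl     = "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL
$inactiveDays = 90                                        # Regulated-tier threshold from this control
$reportPath   = ".\inactive-sites-$(Get-Date -Format yyyyMMdd).csv"

# Placeholder list: sites under FINRA 4511 / SEC 17a-4 or institution-specific retention
# obligations are kept out of the candidate list entirely, so inactivity alone never
# queues them for archival.
$retentionExclusions = @(
    "https://contoso.sharepoint.com/sites/Regulatory-Exams"
)

Connect-SPOService -Url $adminUrl
$now    = Get-Date
$cutoff = $now.AddDays(-$inactiveDays)

$candidates = Get-SPOSite -Limit All -IncludePersonalSite $false |
    Where-Object {
        $_.LastContentModifiedDate -lt $cutoff -and
        $retentionExclusions -notcontains $_.Url -and
        $_.Template -ne "RedirectSite#0"        # redirect stubs never carry content activity
    } |
    ForEach-Object {
        [pscustomobject]@{
            Url                     = $_.Url
            Title                   = $_.Title
            Owner                   = $_.Owner
            StorageUsageMB          = $_.StorageUsageCurrent
            LastContentModifiedDate = $_.LastContentModifiedDate
            DaysInactive            = [int]($now - $_.LastContentModifiedDate).TotalDays
        }
    } | Sort-Object DaysInactive -Descending

$candidates | Export-Csv -Path $reportPath -NoTypeInformation

# One notification per owner listing all of that owner's stale sites, rather than one mail per site.
$candidates | Group-Object Owner | ForEach-Object {
    $oldest = ($_.Group | Measure-Object DaysInactive -Maximum).Maximum
    Write-Output ("Owner {0}: {1} inactive site(s), oldest {2} days" -f $_.Name, $_.Count, $oldest)
}
Write-Output "Candidate list written to $reportPath"
```

Running this against the Baseline threshold (180 days) and the Regulated threshold (90 days) side by side shows how much content each tier would pull out of Copilot's grounding scope, which is useful input when the archival automation rules are being set.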

Financial Sector Considerations

  • SAM Licensing Clarification: Organizations deploying Microsoft 365 Copilot have SAM included in their licensing at no additional cost. SharePoint administrators who do not personally hold a Copilot license should use the standalone SAM add-on to access SAM administration capabilities.
  • RCD for Regulatory Data: Sites containing regulatory examination materials, enforcement actions, consent orders, or examination responses should have RCD enabled to prevent Copilot from surfacing these materials in non-regulatory contexts.
  • RAC for MNPI and NPI Sites: Sites containing material non-public information (M&A deal rooms, pre-announcement financials) or non-public personal information (customer account data, credit files) should have RAC enabled to enforce hard access boundaries. RAC is particularly effective for ensuring that sharing links do not bypass intended access restrictions, per GLBA 501(b) and SEC Regulation S-P requirements.
  • Access Review Regulatory Alignment: SAM site access reviews can serve dual purpose for SOX access certification requirements. Coordinate SAM access reviews with existing SOX compliance calendars to avoid duplicative effort.
  • M&A Data Room Governance: Deal-related SharePoint sites should have both RCD and RAC enabled by default, with DAG reporting used to monitor for permission drift during deal lifecycle. RAC ensures that even if sharing links are inadvertently created during deal activity, access remains bounded to authorized deal team members.
  • Site Lifecycle for Regulatory Retention: Site lifecycle management automation must respect regulatory retention obligations. Configure archival and deletion policies to align with FINRA 4511, SEC 17a-4, and institution-specific retention schedules.
  • DAG Report Distribution: Consider distributing DAG report summaries to first-line risk managers (not just IT) to integrate SharePoint access governance into the institution's three lines of defense model.

Verification Criteria

  1. SAM licensing status has been evaluated and confirmed (included with Copilot licenses; documented)
  2. DAG reports have been generated and reviewed within the past 30 days
  3. Site permissions snapshot report has been generated as a pre-deployment baseline (documented with date)
  4. DAG report findings have been triaged and assigned for remediation
  5. RCD is enabled for sites containing highly sensitive data that should not be in Copilot scope (Recommended and Regulated levels)
  6. RAC is enabled for sites containing NPI or MNPI with documented security group membership (Recommended and Regulated levels)
  7. Site access reviews have been initiated for sites with broadest sharing (Recommended and Regulated levels)
  8. Site access review completion rates are tracked and reported
  9. Site lifecycle management is configured with appropriate inactivity thresholds (Recommended and Regulated levels)
  10. DAG reporting cadence is established (monthly minimum for Recommended; continuous for Regulated)
  11. SAM configuration (RCD, RAC, lifecycle policies) is documented in the organization's Copilot governance documentation
  12. SAM governance features and their outputs are included in regulatory examination readiness materials (Regulated level)

Additional Resources


FSI Copilot Governance Framework v1.2.1 - March 2026