SharePoint Site Ownership Policies comes with SharePoint Advanced management or Copilot and is part of Site Lifecycle Management. In a nutshell, it does 1) Identify sites that don’t meet organization’s ownership criteria, 2) send notifications to find new site owners or admins and 3) automatically mark sites in read-only (or just report). Below is my deep dive in this policy.
I will not retell what is already documented by Microsoft, but you can find some gotchas below.
Notification emails start coming in a few minutes after you activate the policy. From email address is SharePoint Online <no-reply@sharepointonline.com> .
Here is how a notification email looks like (in case site has one owner and need another one):
Site Name (title) is mentioned 4 times. There are 3 links in the email (SharePoint logo, site title and “Go to site” button) – all lead you to the root of the site that needs an owner.
The email template is not customizable at the moment (June 2025) and might mislead a little, as it says “Site Name” needs a site owner. but site does have an owner. Policy want an existing single owner to assign as second owner, which is said further in smaller font and not much people are able to force themselves to read. (Update: we expect Microsoft released Site lifecycle management policies v 2 before Sep 2025).
What I really do not like here is that even for group-based sites (e.g. teams) the policy asks to add a “site owner“, though it should be “team owner”. The only difference is if the site is a teams-connected site – there is a subtitle “Connected to Teams”:
I’d also assume that some users will need additional instructions – how to add a second owner to the site. There might be a confusion in terminology – who is the site owner, like “there are plenty people in ‘My Site Owners’ group – why am I asked to add one more?”
In case the site does not have owners and the policy is configured to send messages to site members and/or manager, here is an example of the email notification:
Basically, the difference is it says “Would you like to be a site owner?” vs “Identify an additional site owner to ensure compliance.” and the button says “Become a site owner” vs “Go to site“.
You cannot forward this email to other users (you can, but content will not be the same). Here is the example:
There are other cases an email comes as “This email contains actionable items that aren’t supported by this client. Use a supported client to view the full email.”
Policy scope
Sites regulated by policy
Configuring the policy, we can choose site template – e.g. Classic sites, Communication sites, Group connected sites without teams, Team sites without Microsoft 365 group and Teams-connected sites to scope down the policy with the kind of sites the policy will be applied to.
We know, that template site was created with does not actually guarantee the kind of site in it’s current state. E.g. we can convert classic site to a group-based site or we can create site with no team and later create a team for the site.
With that said, Question: what Microsoft means by “Sites regulated by policy” – template site was created with or current site category?
Policy configuration
Owners vs Admins
Another moment I’d like to clarify is what Microsoft means by owner and admin, as configuring the policy
Under the “Who should be responsible for each site?” we can specify “Site owners” and/or “Site admins”
Under the “Who should be notified (via email) to assign or claim site responsibility?” we can not only specify “Current site owners” and/or “Current site admins”, but also “Manager of previous site owner and admin” and “Active members”, which is really nice.
We know that for group-based sites “Group owners” of the Microsoft 365 group associated with site is actually goes to site collection administrators and nobody is added to SharePoint “site Owners” group by default. At the same time at the SharePoint site you can add users to site collection admins and/or to the default SharePoint “site Owners” group (the one with “Full Control” permissions. Moreover, nothing prevents us to create a SharePoint group “Site Business Owners” with e.g. read-only permissions to the site or e.g. create a SharePoint group “Board Members” with “Full Control” permissions to the site.
So, question: who according to Microsoft’s policy implementation are considered as site owners and site admins? Does it change for different types of sites?
Here is what I got from experience
“Who should be responsible for each site?” If “Site owners” selected – the policy will count members of the default site owners associated group for standalone (non group-based sites) towards the “Minimum owners or admins required for each site”. Also (NB!) – when a user who received a notification clicks “Become a site owner” – a user will be added to the default site owners group (not to site collection admins).
When “Site admins” selected – the policy will count site collection admins for standalone (non group-based sites) towards the “Minimum owners or admins required for each site”. When a user clicks “Become a site owner” – a user will be added to the site collection admins (not to default site owners group).
Does the policy count groups or disabled accounts? – TBC.
What if we select both – “Site owners” and “Site admins” under “Who should be responsible for each site”? Would that mean the policy would count both? I.e. one admin and one owner make the policy happy? Or there should be two admins and two owners? If a user accepts “Would you like to be a site owner – would the policy add user to admins ow owners? – TBC.
For the group-based sites this policy overlaps with the “Ownerless groups” policy (included in m365 subscription, configured under m365 admin -> Settings -> Org Settings -> Microsoft 365 Groups). What I noticed is in the case of two policies configured – this policy says “Message was already sent by another policy”.
“Who should be notified (via email) to assign or claim site responsibility?” If this is a group-based site – “active site members” are only Microsoft 365 group members. If there are users in the SharePoint site members group – they’d be ignored.
Microsoft Ownerless Groups policy vs Site Ownership policy
There is a well-known and well-documented way of connecting to Microsoft 365 SharePoint and Graph API from Azure Function App via keeping credentials (Client id and client secret) in the Azure Key Vault. In this article I explained how to configure Azure Key Vault so Azure Function can get credential and use them to access Microsoft 365 SharePoint and call Graph API. For this to work we need an App registration with permissions provided. But what if we assign permissions directly to the Function App? As per Microsoft, managed identities enable Azure resources to authenticate to cloud services (e.g. Azure Key Vault) without storing credentials in code. Is it possible to use function managed identity to access Microsoft 365 SharePoint via PnP or Graph API? Follow me.
I assume we already have an Entra Id, a Microsoft 365 subscription in it and an Azure subscription in the same tenant.
Create a User Assigned Managed Identity
There are two types of managed identities in Azure – System assigned and user assigned. If you go to Azure Function app -> Settings -> Identity – you’ll see these two options:
System assigned Managed Identity will be created automatically if you select Status:On and Save. Having System-assigned Managed Identity you can provide permissions to Azure resources (e.g. storage, key vault) to this specific instance of function app. If you create another function app that’d need the same access – you’d need to enable system assigned Managed Identity again, for this new instance and again provide permissions.
User assigned managed identity is created as standalone Azure resource, and will have it’s own lifecycle. A single Azure resource (e.g. Function App) can utilize multiple user assigned managed identities. Similarly, a single user assigned managed identity can be shared across multiple resources. So if you deploy another Function App that need the same permissions as your existing function app – you’d just assign the same managed identity to this new function app.
So before we assign a user-assigned managed identity to a resource, we need to create a user-assigned managed identity:
For the Name of your User Assigned Managed Identity consider something that would uniquely identify you (your team) and your project/app at tenant level, e.g. “m365-Enterprise-SharePoint-Engineering-Managed-Identity-Demo”:
I use PowerShell Core as runtime stack and Windows.
Once Function App is created – we need to create a function. I’ll do it via Azure Portal for simplicity and I’ll select timer-triggered function:
Ensure that this function works ootb correctly by triggering test run:
Then we’d need to assign a managed identity earlier created to this function app. Navigate to Function App -> Settings -> Identity, select “User Assigned” and managed identity:
Disable Az
Navigate to Function App -> Functions -> App Files. Select “profile.ps1”. Remove or comment out part that use Az module cmdlets:
Update function dependencies
Since I use PowerShell and PnP for this demo, I need PnP module loaded. Navigate to Function App -> Functions -> App Files. Select “requirements.psd1”. Update your code by adding ‘PnP.PowerShell’ = ‘2.12.0’ to the required modules. Do not enable Az module:
It takes time for the function app to download and install PnP module so you can use it in functions.
Now you can Test/run the function or wait 5 minutes, then check what is in logs. You should see, that
connection ran successfully, but
getting site failed with “ERROR: The remote server returned an error: (401) Unauthorized.”
And that is ok, as
With Connect-PnPOnline we are authenticating. And since managed id exist – we were recognized
Our managed Id does not have any permissions yet, so any request will fail
Now it’s time to provide actual permissions for the managed identity to the site.
Grant permissions for the managed identity to access SharePoint via Graph API
Here is the most interesting part – somehow we need to provide our user assigned managed identity with permissions to access SharePoint (or any other Microsoft 365 service) via Microsoft Graph API and/or SharePoint API. We already know how to grant permissions to an App Registration in Azure – there is a GUI for that. But with respect to managed identity – there is no GUI. It’s done via Microsoft Graph API or PowerShell. And we need admin permissions to assign roles to a managed identity.
Who can grant roles to a managed identities
It says a Global Admin permissions required to provide roles to a managed identity.
As usual, there are two options: delegated permissions and application permissions (here is where differences explained). In both cases you’d need an App Registration with the following API permissions assigned and consented :
Application.Read.All (or higher)
AppRoleAssignment.ReadWrite.All
If you have an app with delegated permissions – you’d need a Global admin role to be activated. Or you need an app with application permissions configured as below:
If you are getting something like this:
That means you configured an app incorrectly.
Assigning permissions with Microsoft Graph API:
tbp…
Assigning permissions with PnP PowerShell
Here is the code:
$Id = "..." # User Assigned Managed Identity Object Id = Principal Id
Get-PnPAzureADServicePrincipalAssignedAppRole -Principal $Id
$role = "Sites.FullControl.All"
Add-PnPAzureADServicePrincipalAppRole -Principal $Id -AppRole $role -BuiltInType MicrosoftGraph
Add-PnPAzureADServicePrincipalAppRole -Principal $Id -AppRole $role -BuiltInType SharePointOnline
Issues found
What I found is that connection to a specific site does not work, .i.e. the following code:
returns [Error] ERROR: The remote server returned an error: (401) Unauthorized.
Update: it’s probably just a matter of time… After some hours the same code started working well. Though here Microsoft says “To ensure that changes to permissions for managed identities take effect quickly, we recommend that you group Azure resources using a user-assigned managed identity with permissions applied directly to the identity”
Sites.Selected
Would everything above work if we need to provide access for the function app user assigned managed identity to a specific SharePoint site via Sites.Selected?
It works! I used a separate user-assigned managed identity, provided it with Sites.Selected API permissions, provided access for the managed identity to a specific site and it worked!
PnP.PowerShell version
Is there a difference in behavior of PnP.PowerShell v2 and v3? Let us see…
As for now, it works with both versions – PnP.PowerShell 2.12.0 and PnP.PowerShell 3.1.0
SharePoint Advanced Management includes Inactive Site Policies under Site lifecycle management. Effective content lifecycle management is a key pillar of SharePoint governance. It plays a vital role in optimizing storage, preserving data integrity, and ensuring regulatory compliance. By systematically removing inactive or outdated sites, it also enhances security. Additionally, it supports successful Copilot implementation by ensuring that the information accessed is both accurate and current. So, how exactly this Inactive site policy works and what is the difference between Entra Id groups expiration policy and SharePoint Inactive Site Policy.
SharePoint Inactive Site Policy vs m365 Groups Expiration Policy
The Groups Expiration Policy has been a feature of Azure AD (Entra ID) for quite some time. It is included at no additional cost. This policy automatically notifies group owners about upcoming expirations and provides options to renew or delete the group. Since all self-created Teams teams and Viva Engage communities are backed by SharePoint sites and managed through Microsoft 365 Groups, this policy also plays a significant role in SharePoint governance ensuring that information stored in SharePoint remains current and properly maintained. I have an article Microsoft 365 group expiration policy deep dive.
Inactive Site Policy is a feature of SharePoint Advanced Management (SAM), which is an add-on and require premium SharePoint license. It also Identifies inactive sites, Sends notifications to site owners and can automatically archive or make sites read-only. Sound like very similar to to groups expiration policy.
Key differences
Feature
Groups Expiration Policy
Inactive Site Policy
Where to configure Who can configure
Entra Id Groups Admin
SharePoint Admin center SharePoint Admin
Scope (policy is applied to)
Microsoft 365 Groups (including group-based sites, like teams, yammer)
SharePoint Sites (including both – group-based and non-group-based sites)
Who is notified
Group Owners
Site admin (group owner), site owners (*) TBC
Notifications come from email
msgroupsteam@microsoft.com
no-reply@sharepointonline.com
What if resource is active
group is automatically renewed, no emails sent
policy is not triggered against active sites
Can admin download report (list of inactive groups/sites)
No
Yes
Period of inactivity configuration
Configured in days, should be greater than or equal to 30 days
Options are: 1, 2, 3 or 6 months
Actions available (Options provided) to a resource owner
renew the group delete the group
certify site learn how to delete a site
What happens with resources owner did not take action (or with orphan resources).
Notifications is sent to a specific email address, group is deleted
site is archived or set to read-only or nothing
Inactive site policy user experience
Here is how the email notification looks like:
Note that
The email subject includes “Action required” and site title (name). It always says “… has been inactive for more than a month” even if the policy configured for “6 months”. It shows SharePoint logo, which might mislead “teams-oriented” users. Site title is not clickable, so site admin/owner cannot just click site link but have to navigate to site manually. When user clicks button “Certify site” – a message “The action completed successfully” pops up at the bottom of the email for a few seconds and then disappears. The email itself does not change, so when a user opens the same email again – there is no visual evidences the action was taken.
At the bottom of the email Microsoft mentions tenant name.
The email template is the same for all kinds of policies – it does not matter if the policy action is configured configured as “do nothing”, or to automatically enforce archive site or set it to read-only. I.e. email just says “Select Certify site to confirm if it’s still in use, or consider deleting it if the site is no longer needed.”. Email does not inform users that site will be set to read-only or archived.
Also there is no link where a user can get more info on the subject, but Microsoft says that inactive sites policy email template will be customizable – in the Site lifecycle management policies v2 expected summer 2025.
Admin – Inactive sites report
You can download a csv report of inactive sites generated by policy. Report includes fields: Site name, URL, Template, Connected to Teams, Sensitivity label, Retention Policy, Site lock state, Last activity date (UTC), Site creation date (UTC), Storage used (GB), Number of site owners, Email address of site owners, Number of site admins, Email address of site admins, Action status, Total notifications count, Action taken on (UTC), Duration in Read-Only.
There is no GUI to see the list of inactive sites (you can only download a csv file), but there is a magic button “Get AI insights”.
Get AI insights
Here are insights I have seen so far:
Inactive sites with significant storage usage
Multiple sites owned by the same account
Sites with Multiple Owners
Sites inactive for over a year
Inactive sites policy behavior
Policy sends emails immediately after policy activation. That means if you have thousands of inactive sites you might hit a 10k exchange limit of daily emails sent.
If a user owns multiple inactive sites – he/she will get multiple emails.
You can scope the policy down by site template, sensitivity label and creation source if you want different behavior for different types of sites, e.g. if you want to setup longer period of inactivity for one type of sites and shorter for others… not sure when it makes sense…
Implementing an Inactive sites policy
First of all – It is highly recommended to take care of ownerless sites (find owners) before triggering an Inactive sites policy.
If you have a relatively new tenant – you probably have not much inactive sites, so turning the policy on should not be a problem. The older your tenant is the more inactive sites you have. For older tenants you probably already have a lot of inactive sites – ant that could be a problem. So we’d need to take care of initial policy implementation, and after some time it will just work so we could forget about it.
There is no way to pilot this policy with pre-selected scope of sites or users. You can scope the policy down by site template, sensitivity label and creation source, but you cannot scope the policy down the way only sites or uses you want to be a testers or pilot project members will be the target of the policy.
In small orgs there should be no problems implementing this policy. Still I would start from just getting a report. There is a “How long after the last activity should a site be considered inactive?” configuration, so I’d start from the longest – 6 months, then move to the shortest you need. Medium orgs could get some ideas from recommendations to large orgs below.
In large orgs you might
trigger a spike in number of tickets submitted by users who needs help
hit a maximum sending limit with Exchange Online which is 10,000 email recipients per day
So it would be crucial for enterprises to avoid an initial surge and start from smaller number of recipients, and gradually let the policy work at a full strength. One of the options to achieve that would be
configure the policy for reports only, get inactive sites report
select sites owner and admins in a separate list – then select only unique ones – so every user will get only one email, split this list into small chunks
communicate to site owners (by chunks) – using enterprise-approved “send from” email and enterprise-branded email template saying that the policy is gonna be implemented, you might receive an email (like this one – screenshot), you can trust this email and click buttons. A list of site urls user owns must be included in the email, so user could visit these sites (Optionally) you can instruct users how they can delete sites if site is no longer needed or archive sites if they are not sure if it is still needed or not
If so – it’d
forewarn users so they would know to do and not be surprised and would create less tickets
users might choose to delete or archive sites which would also
users would visit their inactive sites and trigger sites activity, and that should dramatically decrease number of emails sent to users initially, on the day one of policy implementation ideally – if users visit all sites – you’d have no inactive sites, so you’d just turn the policy on with no fear
then you’d wait for a couple of weeks, get new report to ensure that you have much less inactive sites – and you’d just enable the inactive sites policy (starting from the longest period – 6 month of inactivity)
This article is for SharePoint or Microsoft 365 admins focusing on governance and information protection. If you have SharePoint Advanced Management (SAM, aka SharePoint Premium) licensed or you got at least one Copilot for Microsoft 365 license (as having m365 Copilot license automatically enables SharePoint Advanced Management in tenant), then under reports – Data access governance (in SharePoint admin center) – you can not only get Content shared with ‘Everyone except external users’ (EEEU) reports, but also initiate access review. Let us look more closely at this functionality and discuss the pros and cons..
First of all, report does not provide you with all SharePoint content shared with “Everyone except external users”. Report helps you with what was shared with EEEU in the last 28 days. That drastically limits usage of this feature. I.e. you should first get initial report on the all content shared with EEEU, and somehow take care of it by other means (consider How to Find Content Shared with Everyone in SharePoint and Teams), and only then you can use this Microsoft’s content shared with EEEU report and access review.
You can share content with EEEU or directly – by adding EEEU to resource permissions directly or by including EEEU into SharePoint group. So content shared with EEEU reports come in two flavors – “Specific files, folders and lists” and “Site membership”
“Specific files, folders and lists” user experience
When you initiate access review from the “Specific files, folders and lists” type of report – users (site admins/owners) get email notification that says “You have sites with specific files, folders or lists shared with ‘Everyone except external users’. This means everyone in your organization has access to this content. Review the items shared for potential oversharing and manage their access.“
Scrolling down, in the email, site owner can see a list (table) of incompliant sites with the following columns: Site name, privacy, sensitivity, external sharing and “Items shared”. Site name is clickable and sends user to the root of the site.
Below the list of sites there is a button “View shared items” that sends user to the special system page – “https://orgname.sharepoint.com/teams/site01/_layouts/15/siteaccessreview.aspx/<id>” where he/she can see list of SharePoint items shared with EEEU. Columns are: (item) Name, Shared on (date), Shared by (email), Action (manage access). Item name and manage access are clickable.
If an item is a library item – e.g. document or a folder – it is displayed correctly – with icon according to the doc type and doc name. Clicking on the doc name – an actual document opens so you can review it’s content.
If item is a list item – it is displayed incorrectly – no icon, no meaningful info about the item (it is displayed as “”). Clicking on the link – a warning icon and message “Can’t preview this file. Open the file or download it to view in your desktop app”. Buttons “Open” and “Download” are there but not helpful as well.
Clicking on “Manage access” opens almost standard “Manage access” dialogue you can have via “manage access” item context menu, but with no “…” more options at the top right:
which makes this dialogue screen useless, as you can only provide additional access to the item or remove all access. You cannot remove EEEU from access without three dots “More options”.
Manage Access from the Policy:
Regular Manage Access:
“Stop sharing” literally removes all permissions to the item except owners
Under the “Groups” tab – you’d see that the item is shared with “Everyone except external users” but you will not be able to remove just this group from access…
By clicking on a group name – site owner will be able to change this group permissions, but the option “No direct access” is not selectable…
“Site membership” user experience
In the case with a “Site membership” report, text would be slightly different: “You have sites where ‘Everyone except external users’ has been added to the site membership. This means everyone in your organization has access to this site. Review site permissions for potential oversharing and manage access.“, which makes sense.
Right after that, in the email, site owner can see a list of incompliant sites with the following columns: Site name, privacy, sensitivity, external sharing and “Groups with org-wide access”. Site name is clickable and sends user to the root of the site.
Then there is a button “View SharePoint groups” that sends user to the special system page – “https://orgname.sharepoint.com/teams/site01/_layouts/15/siteaccessreview.aspx/<id>” where he/she can see list of SharePoint groups (clickable) with EEEU as members.
By clicking on a group name – admin opens standard SharePoint “People and Group” membership page: /_layouts/15/people.aspx?MembershipGroupId=X, which is nice, because from this screed a site owner can simply remove this group from the access list using Actions-> Remove:
siteaccessreview.aspx page
User can navigate directly to the reviews page: “https://orgname.sharepoint.com/teams/site01/_layouts/15/siteaccessreview.aspx” and if there were reviews initiated by SharePoint admins – and it’ll work – admin will see all access reviews initiated for this site – columns are: Review name, Description, Requested on (date), Status, reviewed by (email) and admin comment. In case no reviews were initiated against tie site – “You have no reviews to take action on” will be displayed. That’s good.
Complete review
On the bottom of the siteaccessreview.aspx page you’ll see “Complete review”
Click on it, add comment (optionally) and confirm:
SharePoint Admin is able to see the status of every site access review stats – pending or completed – in GUI and in the .CSV report saved.
Admin experience: GUI only
Once you got report – you can initiate access review. All must be done in GUI, click-click-click selecting sites… But what if you have thousands? There is no PowerShell cmdlets or API for this functionality, which really limits your ability to implement it gracefully, especially in large Microsoft 365 environments and automate it.
Download detailed report
Report “Specific files/folders/lists…” does not include files, folders, list – i.e. it does not include what exactly is shared with EEEU. Report includes site id, url, name, template, is it teams-connected, sensitivity (?), privacy, external sharing, primary admin name and email, and number of items (?) shared with EEEU.
So technically you can communicate to site owners, but you’d need to rely on them to figure out what content is shared with everyone.
Email template
When you initiate Site access review – an e-mail notification is send to site owners. This e-mail is not customizable at all. The only admin can do is to add a message (for every “initiate Site access review” action). But the email looks really similar to the site lifecycle policies email notification, and Microsoft is working on version 2 of the policies with a customizable email template.
This email comes from “SharePoint Online <no-reply@sharepointonline>” address (not customizable), so comes “from outside of your organization” and can be considered as scam.
Microsoft’s logos and other graphics are blocked by default and e-mail includes a button “View shared items” – enough red flags for users to consider it as spam. Keep this in mind.
The good news is e-mail contains site name – so site owner can recognize it at act accordingly.
Usage scenarios
Small tenants
In small Microsoft 365 environments – yes, this functionality probably can be used “as is” (and should be used). Especially for new tenants – I’d recommend enable reports and use this feature on a regular basis.
Medium-size tenants
I’m not sure. It depends on your governance rules and company culture.
Enterprises would not like it
I’m very pessimistic if this functionality is useful in large environments. Reasons are:
In enterprises usually all the communication must follow approved templates, branding and so on. Currently SAM DAG does not support custom templates (though there are rumors Microsoft is working on it)
User experience of “reviewing shares with everyone”… and “managing permissions” designed very poorly… You SharePoint users need clearness and simplicity. Existing UX makes everything wort. In enterprise you do not want to deal with thousands of tickets from site owners who could not figure it out
In enterprises you’d think of automation. Currently all is just GUI.
if your tenant is not new – you already have a lot of overshared content. This functionality covers only new shares, so you still need to come up with your custom solution (idk – PowerShell scripts?) to deal with oversharing. But once you designed your custom solution – why don’t you continue to use it?
SharePoint Advanced Management is an add-on to Microsoft 365 for admins. Microsoft says that it is a powerful suite of tools for IT admins to bolster content governance throughout the Microsoft Copilot deployment journey. Let us have a closer look at what SharePoint Advanced Management (SAM) is how exactly it helps with governance enforcement in the Copilot era.
Microsoft recently updated SAM features (this KBA is based on Oct 2025 features set). Now Advanced management page has a dashboard – “Overview” tab and “All features” tab.
Advanced management – Overview
On the “Overview” page Microsoft wants us to run assessment. “Start assessment” button starts assessment immediately. So let us click “Start assessment” button and see what it does exactly. Btw, it might take from days to weeks for your tenant – depending on the tenant size. While assessment is in progress – it’ll display “Assessment in progress. This might take some time. We’ll display the results as soon as they’re ready.”
It took 3-4 hours for my small dev tenant to assess Site lifecycle and find 62 sites require attention:
Advanced management – All features
Microsoft classifies SAM’s features as “Manage content sprawl”, “Manage content lifecycle”, “Manage permissions and access”. I’d put SAM’s tools into these buckets: Reports, Policies, Search, Features.
SAM Reports
SharePoint SAM reports provide structured, actionable data that you can analyze to optimize governance strategies and implement immediate improvements. Reports available are:
Agent Insights – how agents are accessing the content on the sites
App insights – review apps registered in Entra allowed access to SharePoint sites
Change history reports – site actions or organization setting changes you can choose org-wide or site-level settings, specify date range, sites and all or specific admins
Content services reports – Term store, term sets and terms
Data Access Governance (4 different ones)
Site permissions across your organization
Sharing Links with 3 pre-configured reports: Anyone links, People in your org links and Specific People links shared externally
Sensitivity labels applied to files: select label -> generate report
Content Shared with Everyone Except External Users: to discover specific sites whose content was made accessible for EEEU you can choose from two types of report: where specific files/folders/lists are shared with EEEU or “Site membership” where EEEU was added as a member and initialize access review (see Deep Dive into SAM DAG Content shared with EEEU access review)
OneDrive Accounts report – about unlicensed OneDrive accounts
Site policy comparison – control oversharing by identifying sites with similar files and different policies
SAM Policies
Policies in SharePoint SAM define governance rules that are enforced automatically, minimizing manual intervention and ensuring consistent compliance. SharePoint Advanced Management policies are:
Site Lifecycle management: Inactive Site Policy. Allows:
AI Insights – report feature that uses a language model to identify patterns and potential issues and provide actionable recommendations to solve issues
Features
Features are smaller that policies, more like an update to existing functionality.
Conditional access to SharePoint site policy This enhances existing conditional access Entra Id feature with the ability to apply the policy to SharePoint sites directly or via Site sensitivity label.
OneDrive access restriction
SharePoint site-level access restrictions
Block download policy
Your recent actions
Default sensitivity labels for document libraries
Site access review
SAM for Search
I put it separately:
restrict discovery of SharePoint sites and content
Found an issue in Microsoft 365 – it seems like if a sensitivity label is not published for a user – this user will see inconsistency when different sources display sensitivity label differently.
Scenario: A site/group sensitivity label was created under the Purview center. Label enforces some settings to the group/site, like privacy and external sharing. User cannot assign label to site/group until label is published to that user. In this scenario sensitivity label was published to the admin1 but not published to the admin2.
Admin1 assigned sensitivity label to a group-based site.
What admin2 can see in this case is:
Product
Sensitivity Label
Teams
correct sensitivity label
SharePoint Site
correct sensitivity label
My Groups – Groups I Own – View experience
correct sensitivity label
My Groups – Groups I Own – Edit experience
no label
SharePoint Admin Center
correct sensitivity label
Teams Admin Center
correct sensitivity label
Microsoft 365 Admin Center – Teams&Groups
no label
Entra Id – Groups
no label
Moreover, in some cases you could even see incorrect sensitivity label under Entra Id…
Microsoft says it’s by design. For me this kind of design simply does not make sense.
There is a Design Change Request: https://feedback.azure.com/d365community/idea/4246b7a8-2119-f011-9d47-7c1e52d4bdd3
If you think this behavior must be changed – please vote for the DCR.
Recently I helped one client to connect his Tableau Cloud to SharePoint, so let me share how it’s done, as Tableau documentation was not very helpful, so I had to do my own research.
...Note the pod your Tableau Cloud site is located to ensure you enter the correct redirect URL during the registration process in Step 2 below. The redirect URL uses the following format:
https://<your_pod>.online.tableau.com/auth/add_oauth_token
For example, https://us-west-2b.online.tableau.com/auth/add_oauth_token
So, you would check this part in bold of your Tableau cloud instance: https://us-west-2b.online.tableau.com/ and construct a Redirection URI: https://us-west-2b.online.tableau.com/auth/add_oauth_token
You need an App Registration under Entra Id, with API permissions consented and Authentication configured
API permissions must be the following: Under Graph API, delegated Files.Read.All, Sites.Read.All, User.Read, offline_access:
Authentication blade. You’d add platform: Web and use Redirect URI as above. Example:
Secret
Secret you’d generate under App Registration Certificates and secrets:
Once secret is generated, copy the secret value in a safe place and do not share it.
Also, get your app id and tenant id (those are not secrets but I still prefer not to share):
At this moment you should have from your App registration:
Tenant Id
Client (App) Id
Client Secret
Redirect Url
Now we are ready to configure
OAuth Client at the Tableau Site Settings
Having Site Admin permissions (Tableau Site Admin, not SharePoint), you should be able from the left menu navigate to the bottom “Settings” and under General tab scroll down to the “OAuth client registry” and click “Add OAuth Client”.
You’d need two OAuth client configured – one for “OneDrive and SharePoint Online” and the other one for “SharePoint List (JDBC)”.
“OneDrive and SharePoint Online” Experience is:
Here your OAuth instance Url would be: https://login.microsoftonline.com/<Teanan tId>/
Client Id, Client secret and Reirect Url you can get from Step 2.
“SharePoint List (JDBC)” experience:
Same here. OAuth instance Url is: https://login.microsoftonline.com/<your tenant id>/ Client Id, client secret and redirect Url you get from Step2.
Now you are ready to connect…
Tableau Connect to Data: OneDrive and SharePoint Online
Connecting to Data from Tableau, you’d select “OneDrive and SharePoint Online” or “SharePoint List (JDBC)”
Connecting to “OneDrive and SharePoint Online” – you’ll be asked to provide “OAuth Instance Url” again:
So, again, you’d put your tenant Id instead of “common”. After connected, you’d see something like this:
Under OneDrive (personal files) – you’d see your own content located at your personal OneDrive site. Under OneDrive (shared with you) – you’d see content shared with you and located at other’s personal OneDrive sites. Under SharePoint sites – you’d see content of SharePoint sites you have access to – all content – documents, lists etc.
Connecting to “SharePoint List (JDBC)” – experience would be
So, you’d provide a specific site collection Url (not list), e.g. https://contoso.sharepoint.com/teams/Test-Site-01 and you’d provide “OAuth Instance Url” again, just remember – replace “common” with your Tenant Id.
In both cases you should get a pop-up authentication window – provide your credentials after that you should be able to see data in SharePoint.
Possible error messages
Client secret
Client secret is an essential part. It is not market as required in the form, but without secret connection is not working. You can get something like this:
Tableau received an OAuth error from your request. Please see the error message for more information: 401 Unauthorized POST https://login.microsoftonline.com/—/oauth2/v2.0/token. (errorCode=170006)
Reply address
If you did not configure Authentication at your App Reg or configured incorrectly – you might get error message “Sorry, but we’re having trouble signing you in” “AADSTS900971: No reply address provided.”
It says “Unable to create” and “We were unable to create this agent due to an error. Try again.” or “Unable to update” and “We were unable to update this agent due to an error. Try again.”
Cause: In my case the cause was my license was assigned a few hours before, so it seems like it takes some time for Microsoft to populate updates. In the other case I troubleshooted it turned out user did not have a license assigned (license was removed), but “Create an agent” button was available.
Solution: Ensure you have a license for Microsoft 365 copilot assigned and (ideally) wait 24 hours. Microsoft: “If you recently purchased a license or started a free trial, it may take up to 24 hours for the license to take effect.”
Below is the sample Python code to authenticate against Microsoft 365 as current user with MSA library and to call Microsoft Graph API – specifically get SharePoint Site, get Site lists with requests library.
But first, you have to have an App Registration in Azure (Entra ID) with delegated permissions consented and authentication configured.
Delegated Permissions
If your solution needs access to all SharePoint sites – consider Sites.FullControl.All or Sites.Manage.All or Sites.ReadWrite.All or Sites.Read.All depending on access level you need. Effective permissions would be an intersection (minimum) from both – permissions configured for app registration and permissions current user have. Once consented at the app registration – these permissions will work right away.
If your solution needs access to a one (or a few) SharePoint sites – consider Sites.Selected API permissions as it will scope down access to the only sites that are required for your solution to work. Remember, Sites.Selected API permissions, even consented at the app registration, require second step – SharePoint admin should provide (read or write or manage or fullcontrol) permissions for the app registration to a specific site or sites.
Authentication
You’d also need to configure authentication blade. How? It depends on the kind of application you are building etc. For example for native apps I do: – add platform – “Mobile and Desktop app” – select “https://login.microsoftonline.com/common/oauth2/nativeclient” – select “msal096fd951-7285-4e4f-9c1f-23a393556b19://auth (MSAL only)” – add custom Redirect URI: “http://localhost”
This config works for Python code below
Python Code
You’d need to install/import the libraries: json, configparser, msal, requests
Here is the code:
import json
import configparser
import msal
import requests
config = configparser.ConfigParser()
config.read('config.cfg')
client_id = config.get('delegated','clientId')
authority = config.get('delegated','authority')
scopes = config.get('delegated','scope').split()
siteId = config.get('delegated','siteId')
print( client_id)
print( authority)
print( scopes)
print( siteId)
global_token_cache = msal.TokenCache()
global_app = msal.PublicClientApplication(
client_id,
authority=authority, # For Entra ID or External ID
token_cache=global_token_cache,
)
def acquire_and_use_token():
# The pattern to acquire a token looks like this.
result = None
result = global_app.acquire_token_interactive(scopes)
if "access_token" in result:
print("Token was obtained from:", result["token_source"]) # Since MSAL 1.25
# print("Token acquisition result", json.dumps(result, indent=2))
return result["access_token"]
else:
print("Token acquisition failed", result) # Examine result["error_description"] etc. to diagnose error
return None
token = acquire_and_use_token()
http_headers = {'Authorization': 'Bearer ' + token,
'Accept': 'application/json',
'Content-Type': 'application/json'}
graph_url = 'https://graph.microsoft.com/v1.0/sites/' + siteId + '?$select=id,webUrl,displayName'
siteResponse = requests.get(graph_url, headers=http_headers)
print(siteResponse.status_code)
site = json.loads(siteResponse.content)
# print("Site (raw) : ")
# print(site)
print("Site webUrl : ", site["webUrl"])
print("Site displayName : ", site["displayName"])
# Lists
graph_url = 'https://graph.microsoft.com/v1.0/sites/' + siteId + '/lists'
listsResponse = requests.get(graph_url, headers=http_headers)
print(listsResponse.status_code)
lists = json.loads(listsResponse.content)
# print("Site lists (raw):")
# print(lists)
print("Site lists:")
for list in lists["value"]:
print(" Display Name:", list["displayName"])
print(" Id:", list["id"])
print(" Web Url:", list["webUrl"])
print(" Created Date:", list["createdDateTime"])
print(" Last Modified Date:", list["lastModifiedDateTime"])
Application permissions
If your scenario is to call Graph API from Python with application permissions (aka unattended or daemon app) – the main difference is authentication. It is described here. It also requires App registration configured like this.
With Microsoft officially announcing the retirement of legacy Azure Access Control Services (ACS), SharePoint administrators are now racing against time. For over a decade, ACS-based permissions—commonly known as SharePoint app-only service principals—have been widely used, with countless tutorials and blog posts guiding users on how to implement them in their applications.
However, many of these ACS-based apps are still actively accessing SharePoint sites. When Microsoft eventually disables ACS, we want to avoid a scenario where critical business processes suddenly break and teams are left scrambling.
To stay ahead of this change, our goal is to identify all app-only principals still relying on ACS to access SharePoint. This includes gathering details about the apps, their owners, the sites they access, and the site owners. The ultimate objective is to proactively reach out to the responsible stakeholders, inform them about the upcoming retirement, and encourage them to migrate their solutions to modern authentication methods.
Below is my deep dive into tracking/inventoring ACS apps, but for those who just want a quick solution – there is a Summary in the end.
Technical details
What kind of apps we are talking about, specifically? I can see the following options:
Apps that were registered in SharePoint via AppRegNew.aspx (aka SharePoint app-only service principals) and provided with permissions in SharePoint via AppInv.aspx
Apps that were registered in Azure (Entra Id) and provided with permissions in SharePoint via AppInv.aspx
Let us start with pulling data, then I’ll provide step by step instructions how to discover App-Only apps, get these apps activity and actions need to be taken.
Techniques we can use to get data
analyze audit log to get events where apps are accessing sites
analyze audit log to get events where ACS permissions were provided to sites
get data from system that tracks request for new ACS permissions
use reports from admin center
use the PnP Microsoft 365 Assessment Tool
get report on apps owners and permissions from from Entra Id
Let us deep dive into each data source to see if it is actually helps us to get ACS apps in use…
Audit log: apps accessing sites
Microsoft 365 audit log is supposed to save all events happening in Microsoft 365. It is available for admins via GUI, PowerShell Exchange Module and Graph API. GUI Search m365 audit log now lives under Microsoft Purview – Solutions – Audit.
Unfortunately, when an App registered in Azure is accessing SharePoint sites – not all events are logged. Here are some of the events that are stored in the Microsoft 365 unified audit log:
Accessing list items:
List Item Viewed
List Item Created
List Item Updated
List Item Deleted
Accessing Documents in libraries:
File Accessed
File Uploaded
File Modified
File Downloaded
File Deleted
Events would have a UserId “app@sharepoint”. Other event details include activity/operation (PageViewed, FileModified etc.), Item (full Url of a document or page etc.), AppAccessContext (includes ClientAppid, ClientAppName), ApplicationId (yes, this is how we know what app access what url on the site), and many other details. When an app fails to access SharePoint – due to expired secret or missing permissions or because ACS is disabled – no events are logged.
Unfortunately, from analyzing audit log events – you cannot say if the App that is accessing SharePoint were provided with ACS permissions (via appinv) or Graph API (e.g. Sites.Selected via Entra Id).
Get Service Principals activity via Microsoft Graph API
The following reports are available via MS Graph API (some as v1.0, others in preview only under beta):
Service principal sign-in activity
This report is available through the servicePrincipalSignInActivity resource type and details the sign-in activity for a service principal in your tenant. The sign-in activity can be delegated or application-only scenarios. For application-only scenarios, the application credential activity provides additional information on the credential usage.
Service principal sign-in activity report provides the following details for every service principal:
This report is available through the appCredentialSignInActivity resource type and details the usage of an app credential (secret, certificate, or federated identity credential) in your tenant.
Application credential sign-in activity report provides the following details for every service principal credential:
Graph API allows you to get Entra Id audit log events, including logins of service principals: Microsoft Entra audit logs API. Microsoft: “Microsoft Entra provides an audit trail of all user and app activity in your tenant to help you track all activities in your tenant and also be compliant. These logs include both app and user sign in activity“. Available under “/auditLogs/signIns”. The only thing is it does not work for us.
First (minor issue) – I could not get app sign in activity under production API (v1.0), only under beta (Feb 2026). The biggest issue is id does not catch events we want it to catch. See the table:
Action
Audit Log Event status, ErrorCode, FailureReason
(ACS enabled) Connect-PnPOnline: OK Get-PnPSite: Failed (secret expired)
Status: Failure errorCode=7000222; failureReason=The provided client secret keys for app ‘{identifier}’ are expired.
(ACS enabled) Connect-PnPOnline: OK Get-PnPSite: OK (secret renewed)
I.e. when ACS is disabled – the app is not able to get site, and no errors in Entra Id audit log…
Microsoft 365 Audit log ACS permissions provided events
This is relatively easy. There are just two kinds of events that might help us to understand ACS usage in tenant:
SharePointAppPermissionOperation
Pull audit logs with record type is SharePointAppPermissionOperation so you’d get events where permissions were provided to apps. Operation type (activity) would be like AppPermissionGrant.
Microsoft started logging this record type not long ago and there is no documentation found (as of Feb 2025). So the only I noticed that might help is:
if user id is “app@sharepoint” – that indicates Sites.Selected permissions were provided to the app (e.g. via Grant-PnPAzureADAppSitePermission ) under “AppId” you’d have an app (client) id of the client app (permissions provided to) in the form of “i:0i.t|ms.sp.ext|<appId>@<tenantId>” under “ApplicationId” and “AppAccessContext – ClientAppId” – you’d have an app (client) id of the admin app (permissions provided via) ApplicationDisplayName would contain the display name of the admin app Other fields: RecordType 205, UserType 5, AuthenticationType OAuth
if user id is one of your actual user’s account in tenant – that indicates ACS permissions were provided to the app (e.g. via appinv.aspx page at SharePoint site) under “AppId” you’d have an app (client) id of the client app (permissions provided to) in the form of “i:0i.t|ms.sp.ext|<appId>@<tenantId>” there would be no “ApplicationId” field and under “AppAccessContext” no ClientAppId ApplicationDisplayName Unknown Other fields: RecordType 205, UserType 0, AuthenticationType FormsCookieAuth
Appregnew.aspx and appinv.aspx pages viewed
You can pull audit logs with record type is SharePoint and activity type (operation) is PageViewed and keyword for free search is appregnew. You’d get events when there was an attempt to register a new SharePoint app-only service principal.
The same but with appinv as a search keyword – to get events when there was an attempt to provide ACS permissions for a SharePoint app-only service principal or for an Azure App registration.
In both cases we know that there was an intention to have a principal with an ACS access. We can reach these people to inform that ACS is deprecated and so and so. Worst scenario – we notify somebody who already know that.
Some time ago (around mid – 2023) Microsoft by default disabled ability for site owners registering apps and providing permissions in SharePoint via Appregnew.aspx and appinv.aspx. So since then only SharePoint service admins could provide ACS permissions to apps. In this case you’d check with your request tracking system – to whom ACS were provided.
System that tracks request for new ACS permissions
In case you have a process of providing ACS permissions… Process might include tickets to service desk or similar kind of system… Anyway – check if you can get data from that system – like who requested for what app to what site etc…
Reports available from Microsoft 365 Admin Center
So far the only report that might help is in development (see Microsoft 365 Roadmap – feature Id 417481) and scheduled to be available in May 2025. So far (July 2025) what I can see is the report is not working.
“Enterprise Application Insights is a powerful report which helps SharePoint Administrators to discover all the SharePoint sites that are allowed access by third-party applications registered in your tenant. The report also provides details on the application’s permission and requests count to help admins take further action to strengthen the security of the site. It is part of SharePoint Advanced Management capabilities.”
The feature is already documented here: Generate App insights reports and is seems like the report will not be available for all tenants – but just for tenants with Microsoft SharePoint Premium (SharePoint Advanced Management) or Copilot license assigned.
PnP Microsoft 365 Assessment Tool
Microsoft 365 Assessment Tool is an utility designed by PnP team a while ago and since then serves SharePoint admins very well. In particular, it helps us identify and evaluate the Azure ACS usage for tenant by providing the usage data of ACS principals, and even generating a Power BI reports.
If you run this tool specifying AddInsACS mode, it provides you with:
classicacsprincipals.csv report that includes all apps with access to SharePoint. Details are: App Ids, if the app has Tenant or Site Collection Scoped Permissions, if the app Allows AppOnly, RedirectUri, AppDomains and ValidUntil If the ValidUntil field contains specific date – that means the app was registered via appregnew If the ValidUntil field contains “01/01/0001 00:00:00” date – that means the app was registered in EntraId if the AllowAppOnly field equals TRUE – that means ACS permissions were provided to the app
classicacsprincipalsites.csv – report contains apps and sites they have access to Details are: AppIdentifier, ServerRelativeUrl
classicacsprincipalsitescopedpermissions.csv – list of apps permissions to sites Details: AppIdentifier, ServerRelativeUrl, SiteId, WebId, ListId, Right (Read/Write/FullControl/Guest etc.) If the WebId field equals zeros, that means permissions were provided to entire site collection
classicacsprincipaltenantcopedpermissions.csv – list of apps with tenant-wide permissions
some other reports, like list of sites, list of webs
Unfortunately, this tool does not provide when the app was last time authenticated or when the app accessed the site. Also, we do not know what kind of access was provided for the app to the site – Sites.Selected or ACS. If at least one access provided for the app was ACS-based – the app will have AllowAppOnly field equals TRUE.
Report on apps owners and permissions from from Entra Id
Using all the methods above – you’d get a list of active service principals that use legacy ACS authentication. But to whom we need communicate to regarding this service principals? Obviously, we are looking for these service principals owners and sites owners.
There are multiple options how to get an app owner from Azure (Entra Id):
So you’ll get a list of legacy apps sorted by recent activity. These apps need to be decommissioned. There should be no one App-only service principal or app registration (client id) with legacy ACS permissions provided in tenant.
Communicate to apps owners and site owners
Once you get a list of legacy (ACS/App-Only) apps – pull report on these apps owners. Having “classicacsprincipalsites.csv” report from m365 assessment tool – you can pull site owners for every app you need to decommission. This is a big topic itself. See details in my article How to prepare your tenant for Azure ACS retirement – Guide for SharePoint Admins
More Observations
Test scenario 1 DisableCustomAppAuthentication is true, i.e. ACS are not allowed in tenant. SiteOwnerManageLegacyServicePrincipalEnabled -s false, i.e. site owners cannot register apps at sites or provide permissions to app on sites. It is not possible for admin to go to appregnew.aspx and create an app (app-only spn). I registered apps in Azure. It is possible for admin to go to appinv.aspx and “provide” permissions to the azure app registrations.
Connect-PnPOnline works with certificates or with secrets. Get-PnPSite works only if connection was made with a Certificate (if connection was made with secret – it gives 401 unauthorized).
Test scenario 2 DisableCustomAppAuthentication is false, i.e. ACS are allowed in tenant. SiteOwnerManageLegacyServicePrincipalEnabled -s false, i.e. site owners cannot register apps at sites or provide permissions to app on sites. Connect-PnPOnline and Get-PnPSite works with certificates or secrets if ACS access was provided for an app to at least one site. If there was no ACS permissions provided for the app – Get-PnPSite gives “Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))”
Error messages and possible fixes
“Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))” – happens if you try to access SharePoint API with an Entra Id app registration that have an API permissions but do not have legacy ACS permissions being authenticated with a secret. Solution option 1: try authentication with a certificate. Solution option 2: use Microsoft Graph API.
“The remote server returned an error: (401) Unauthorized.” – happens if you try to access SharePoint API being authenticated with a certificate with an app registration that do not have modern API permissions correctly provided. Solution: ensure app registration is configured with SharePoint API permissions.
“(403) Forbidden” – happens if you try to access SharePoint API being authenticated with a secret with an app registration that do not have modern API permissions correctly provided. Solution: ensure app registration is configured with Graph API permissions.
“AccessDenied”,”Either scp or roles claim need to be present in the token.” – happens if you try to access Graph API being authenticated with a secret with an app registration that do not have modern API permissions correctly provided. Solution: ensure app registration is configured with Graph API permissions.
Get-MgServicePrincipal
Get-MgServicePrincipal returns servicePrincipal objects with properties and relationships. ServicePrincipalType = ‘Legacy’ indicates service principal was registered in SharePoint (via appregnew.aspx).
An issue with ACS apps discovery when Graph permissions also provided
There was an issue (before late June 2025)
How do we know the ACS permissions are provided for the app to the site? Two great options: appprincipals.aspx and Microsoft 365 assessment tool by PnP.
An app is shown under appprincipals.aspx only in case if ACS access was provided to app but Sites.Selected access was not provided. The moment you provide Sites.Selected access for the app to the site – the app disappears from list of apps under appprincipals.aspx page. The app is not visible for Get-PnPAzureACSPrincipal. PnP M365 Assessment Tool also fails to get list of ACS apps if the site also has Sites.Selected permissions. It does not help if you remove Sites.Selected permissions. This issue is reported to Microsoft and confirmed. Microsoft is working on it. Upd (June 2025) – Microsoft implemented fix, so all should be good now (but if you are seeing “Sorry, something went wrong” trying to access appprincipals.aspx – just wait, they said db needs to be updated as well, it takes time).
A fix, current state and changes
Microsoft deployed a fix and updated databases. So starting July 2025 we can see all apps (legacy, modern, with ACS and with Graph permissions assigned) under appprincipals.aspx page. The good is we finally can see apps, the bad is we cannot differentiate – is this an ACS app or app with permissions provided via Microsoft Graph, also we cannot see permissions.
Microsoft 365 Assessment Tool does a good job, detecting if the app allows App-Only permissions (AllowAppOnly equals true in the report classicacsprincipals.csv). Under reports classicacsprincipalsites.csv and classicacsprincipalsitescopedpermissions.csv, the tool provides what sites every app has access to and what permissions the app has, but again, it does not provide details if permissions were provided with ACS or Microsoft Graph.
Summary
use Microsoft 365 assessment tool to get list of apps with ACS permissions provided. It also gives you report on ACS apps and sites, and apps-sites-permissions.
use Graph API or PnP to get owners of active apps – so you can communicate to owners
AFAIK, generally, for apps with both kinds of permissions provided Entra Id and ACS permissions – we cannot establish for sure if the app is actually using ACS access or not. We only can say that ACS permissions were provided to the app and the App is still active.
If there are no Entra Id permissions provided to the app and app is still actively using SharePoint – that means that this app is leveraging ACS and very soon will stop working.
