Administrative control
Site collection administrators, site admins, SharePoint administrators, group owners, Team owners, and emergency or support accounts.
Recertify the effective access to each SharePoint site—not only the names in the Owners group. Give an accountable business owner the identity, sharing, item-permission, guest, application, and evidence context needed to approve, remove, investigate, or formally except every material access path.

A SharePoint site can be reached through Microsoft 365 group membership, SharePoint groups, direct grants, security groups, guest accounts, sharing links, unique item permissions, site collection administrator rights, and application permissions. A report showing only “site owners” or only Microsoft 365 group members is not a complete access review.
The review must connect technical identity evidence to a business decision. The owner should know what the site contains, its sensitivity and sharing posture, why each person or workload needs access, the permission level, last meaningful use where available, expiration or end date, and the consequence of removal. IT must challenge conflicts, preserve records, apply changes, test the result, and close exceptions.
Critical distinction: Microsoft Entra access reviews can recertify a Microsoft 365 group, security group, application assignment, role, or access package. SharePoint site access review can delegate remediation of a data-access-governance finding. SharePoint site ownership and attestation policies address different lifecycle questions. None of those mechanisms, by itself, proves that every site, item, link, guest, app, and administrator path has been reviewed.
Normalize people, groups, links, and workloads into one evidence model. Preserve the original grant source so a denied principal can be removed at the right layer without breaking unrelated access.
Site collection administrators, site admins, SharePoint administrators, group owners, Team owners, and emergency or support accounts.
Microsoft 365 group owners/members, Team owners/members, private/shared channel sites, and connected service relationships.
Owners, Members, Visitors, custom SharePoint groups, security groups, direct users, custom permission levels, and limited access.
Guest users, external domains, cross-tenant participants, invitation state, sponsor, last need, account status, and expiration.
Unique folder/file permissions plus Anyone, organization, and specific-people links, their recipients, use, expiration, and block-download state.
Service principals, Entra apps, Sites.Selected grants, tenant-wide permissions, workflows, migrations, backup, search, and integration identities.
| Access path | Evidence to capture | Owner question | Removal or control point |
|---|---|---|---|
| Site admin or owner | Principal ID, role source, active account, owner versus administrator, business role, last review, backup coverage | Is this person accountable for content, membership, sharing, records, and owner requests—not merely technically convenient? | Site admin panel, site permissions, Microsoft 365 group/Team ownership, or tenant administration process |
| Group-derived access | Source group ID/type, direct or nested membership, dynamic rule, synchronized source, owner, permission level, target scope | Does the entire group need this level, and can the owner identify who controls its membership? | Entra or Microsoft 365 group, on-premises directory for synchronized groups, dynamic rule, or group-to-site grant |
| Direct user or guest | User object ID, internal/guest state, sponsor, grant scope, permission, invitation/redemption, last need, expiration | Why is direct access needed instead of governed group membership, and when should it end? | Site/group/item permission, guest object/lifecycle, access package, or direct grant cleanup |
| Sharing link | Resource path, link ID/type, scope, role, creation/expiration, recipients or use evidence where available | Is the link still required, appropriately scoped, and safe for the content’s sensitivity? | Manage access at item level; delete or replace link; change default sharing or expiration controls |
| Unique item permission | File/folder/list path, broken inheritance, principals, links, sensitivity/record status, business owner | Is the exception intentional and supportable, or is it hidden permission drift? | Restore inheritance, remove principal/link, restructure content, or move sensitive content to a governed site |
| Application or service principal | App ID, owner, credential, permission type/scope, site grant, last activity, purpose, data actions, expiry | Does this workload still exist, is its access least-privileged, and who owns incident response and rotation? | Sites.Selected grant, API permission/admin consent, credential, automation configuration, or app retirement |
| Mechanism | Primary question | Useful scope and evidence | Important gap |
|---|---|---|---|
| SharePoint site ownership policy | Does the site meet the required minimum number of owners or site administrators? | Finds ownerless or under-owned sites; supports simulation, active monthly runs, reporting, notifications, and configured enforcement for ownerless sites | A valid owner count does not certify members, guests, links, item permissions, group composition, or apps |
| SharePoint site attestation policy | Should this site continue to exist, and will an owner/admin attest it on the required schedule? | Scales recurring site confirmation by policy scope; supports 3-, 6-, or 12-month attestation, simulation, notifications, and configured lifecycle actions | Attesting the site does not prove that each effective access path was reviewed or remediated |
| SharePoint site access review | Will the site owner review and address a specific potential-oversharing finding? | Delegates a Data Access Governance report finding from SharePoint admin to the owner; tracks requests and owner response | It is finding-driven, license-dependent, and not a universal substitute for full periodic access certification |
| Microsoft Entra access review | Should a person keep membership in a group, access to an app/package, or a role? | Recurring reviewer decisions, reminders, recommendations, audit history, and optional outcome application for supported identity resources | Snapshot timing, nested and synchronized-group limitations, and non-group SharePoint access require separate handling |
| Owner-led full recertification | Who or what can effectively reach this site/content, why, for how long, and was the decision applied and retested? | Combines tenant/site/group/item/link/app evidence with business decisions, tickets, before/after state, residual access, and closure | Requires a designed process, data normalization, accountable owners, secure evidence storage, and technical validation |
License and feature check: SharePoint Advanced Management and Microsoft Entra ID Governance capabilities have prerequisites that vary by feature and subscription. Confirm current Microsoft licensing and cloud support before designing a mandatory process around them; keep a documented manual or scripted fallback that produces equivalent evidence.
Set review cadence by sensitivity, population, sharing posture, regulation, and change rate. Define review owner, site owner duties, fallback reviewer, separation of duties, response window, escalation, nonresponse treatment, exception authority, evidence retention, and closure criteria.
Use site ID and URL together. Record type, purpose, owner, group/Team connection, channel sites, hub, sensitivity label, retention, external-sharing level, activity, and lifecycle state. Exclude only with a documented control rationale and next review.
Confirm the primary and backup owner are active, knowledgeable, and free of unresolved conflict. Do not send a review to an ownerless site, departed employee, generic mailbox, external guest, or technical account and treat nonresponse as evidence.
Capture site/group/admin memberships, SharePoint groups, direct grants, sharing reports, unique permissions, guests, links, app access, and relevant activity before the review opens. Time-stamp sources and preserve IDs, because permissions can change while decisions are pending.
Resolve duplicate people across multiple paths, but keep every grant source. Expand groups for reviewer context where authorized, flag nested and synchronized membership, distinguish limited access from intentional grants, and identify access that automation cannot remove directly.
Surface site admins, full control, external guests, anonymous or organization-wide links, broad groups, unique item permissions, dormant principals, ownerless apps, tenant-wide API permissions, sensitive content, and exceptions first. Risk order helps owners spend attention where it matters.
For each row show identity, access level, source, target scope, internal/external/app type, business role, last-use signal and its limitations, sponsor, current end date, recommendation, and content sensitivity. Avoid exposing sensitive report files to ordinary site members.
Use approve, deny, investigate, not applicable, or time-bound exception. “Don’t know” must route to an investigator and due date, not silently keep access. High privilege, guest, app, broad-link, and policy-exception approvals should include a business justification.
Challenge blanket approvals, empty comments, unexplained direct grants, permanent guests, broad groups, inactive privileged users, inconsistent decisions across similar sites, self-approval, and approvals that conflict with sensitivity, sharing, legal hold, or policy.
Remove direct membership, change the authoritative group or synchronized source, delete links, restore inheritance, remove guests, revoke app/site grants, replace tenant-wide permission, rotate credentials, or restructure the content. Use tickets and capture failed or deferred changes.
Generate a fresh post-change snapshot. Test representative approved and denied personas, guest access, direct item links, group paths, app behavior, owner coverage, and business workflow. A deny decision is not closed while residual access remains through another group, link, role, or app.
Retain review and execution IDs, decision export, exception register, change evidence, residual risk, retest results, metrics, sign-off, and next review. Feed recurring defects into provisioning, sharing defaults, group governance, owner policy, training, and architecture improvements.
Approve only when the identity is active and known; access supports a current business purpose; scope and permission are least-privileged; source is governed; sponsor/owner is accountable; and the end date or next review matches the risk. Approval preserves access—it does not validate an unsafe mechanism.
Deny access that lacks a current need, has an inactive/departed identity, uses the wrong privilege, bypasses an approved group, creates unnecessary external/broad access, belongs to an obsolete app, or conflicts with sensitivity and policy. Specify the correct grant source to change.
Investigate when evidence is incomplete, nested, synchronized, shared, technical, or business impact is uncertain. Exceptions require an owner, reason, compensating control, risk approval, expiration, ticket, and automatic re-review—not an indefinite “keep” decision.
| Difficult case | Why the apparent decision can fail | Required handling | Closure test |
|---|---|---|---|
| Nested group membership | Entra can display a user flattened from a nested group, but denying the user may not remove membership from the nested source group | Identify the membership path and remove or redesign at the nested group or resource assignment; assess impact on other resources | Recalculate effective access and prove the user no longer reaches the site through any nested path |
| Synchronized on-premises group | Cloud review cannot directly change membership mastered in on-premises Active Directory | Route the approved change to the authoritative directory owner, record synchronization, and prevent duplicate cloud grants | Confirm source membership changed, synchronization completed, and SharePoint access is removed |
| Review-period changes | Entra access reviews use a snapshot at the start; new members, new owners, and changed access may wait until a later recurrence | Freeze high-risk changes where practical, capture deltas before application, and reconcile the post-review population | No unreviewed high-risk delta remains; next instance is scheduled for lower-risk changes |
| Microsoft 365 group-connected site | SharePoint site membership and Team/Microsoft 365 group membership are related; editing in the wrong portal can create confusing or unsupported state | Manage core owners/members through the Microsoft 365 group or Team and separately review SharePoint visitors, direct grants, items, links, guests, and admins | Group/Team and SharePoint views reconcile; representative personas match intended roles |
| Private or shared channel site | The channel site has its own access behavior tied to channel membership and cross-tenant collaboration patterns | Inventory each channel site separately, use channel-aware ownership/member evidence, and test guest/B2B direct-connect paths | Channel membership, site access, and retained content align after the decision |
| App-only access | Applications do not appear as ordinary site users and can use broad tenant permission or a selected-site grant | Inventory app registration, service principal, API consent, site grant, credential, owner, use, and data actions; prefer scoped modern permissions | Approved app operations succeed only at intended scope; denied app/token no longer reaches the site |
A site admin can generate a CSV of unique files, users, permissions, and links. Protect the saved report because it can expose sensitive paths and sharing relationships. Remember that SharePoint groups appear as groups rather than expanded members.
The sharing report identifies link types and link IDs, but reporting can differ by how the link was sent or used. An Anyone link or an emailed link that has not been clicked may not produce the recipient evidence an owner expects. Review link objects directly.
Broken inheritance can hide access below the site root. Prioritize sensitive libraries, externally shared folders, records, executive content, and large unique-permission populations. Restore inheritance where exceptions are no longer justified.
Verify sponsor, organization, domain, invitation/redemption, activity, access source, business end date, terms, and all other resource access before disabling or deleting a guest. Removing one group may not remove a direct item link or another site grant.
Microsoft Graph Sites.Selected can limit an application to explicitly granted site collections; the selected permission alone grants no site access until the site permission is assigned. Compare that model with broad Sites.Read.All or Sites.ReadWrite.All consent.
Inventory legacy SharePoint Azure ACS app-only principals and migration plans. Microsoft documents that ACS app-only was retired and is scheduled to stop working in SharePoint Online on April 2, 2026; use current Microsoft guidance when validating or replacing it.
Related control set: align access recertification with SharePoint and OneDrive sharing security, sensitivity labels for sites and Teams, and Microsoft Entra access-package lifecycle. Recertification finds drift; provisioning and policy should prevent the same drift from returning.
Treat these as control failures even when a dashboard says the campaign is complete.
The campaign reviews two owners while hundreds of members, guests, links, items, and applications remain outside scope.
The reviewer approves every row in seconds without business rationale, privilege challenge, or evidence that the identities are understood.
A departed employee, technical admin, generic account, or owner unfamiliar with the content is treated as accountable business authority.
A broad or nested group is approved as one line, even though its membership, owner, dynamic rule, and authoritative source are unknown.
New grants and ownership changes during the review are missed because the decision set represents only the campaign start.
Uncertain access is silently retained without investigation, owner, due date, or compensating control.
The owner selects Deny, but removal is deferred, fails, targets the wrong system, or leaves access through another path.
Reviewers focus on guest accounts but miss anonymous links, specific-people links, cross-tenant access, and external group membership.
Unique file and folder permissions are ignored, so sensitive content remains shared despite a clean-looking site-level roster.
Service principals, workflows, backup, migration, and integrations keep broad read/write access with no accountable owner or credential lifecycle.
The generated sharing report exposes sensitive filenames, identities, and permission paths to members who should not see the audit population.
Completion is measured by answered rows rather than verified removal, approved access continuity, and absence of residual paths.
Risk-based cadence: review privileged, highly sensitive, externally shared, high-change, regulated, or incident-affected sites more frequently; use event-driven reviews after owner departure, business transfer, project closure, merger, major guest campaign, sensitivity change, application change, or suspected oversharing. Lower-risk sites can follow a longer interval only when provisioning, ownership, guest, sharing, and lifecycle controls are demonstrably healthy.
Use a risk-based schedule. Highly sensitive, regulated, externally shared, privileged, high-change, or incident-affected sites may need monthly or quarterly review. Stable lower-risk sites may use a semiannual or annual cycle when strong provisioning, ownership, sharing, guest, and lifecycle controls exist. Trigger an out-of-cycle review after owner departure, reorganization, project closure, sensitivity change, major guest collaboration, app change, or suspected oversharing.
No. The group review is important for owners and members, but the SharePoint site can also have visitors, site admins, direct grants, SharePoint groups, unique item permissions, sharing links, guests, and application access. Private and shared channel sites also require separate channel-aware inventory and testing.
Site attestation asks whether a site should continue to exist and be confirmed by an owner or administrator. Access recertification asks whether each effective person, group, guest, link, administrator, or application path should continue to reach the site or content. A site can be legitimately attested and still have excessive access.
No. Supported Entra reviews can apply outcomes to direct membership or assignments, but nested groups, synchronized on-premises groups, review-period changes, direct SharePoint permissions, sharing links, unique item access, and app-only permissions require source-specific handling. Always recheck effective access after remediation.
No. Use an investigate decision with an owner and due date. If access must temporarily remain, document a time-bound exception, risk owner, compensating control, expiration, and re-review. An unqualified approval converts missing evidence into false assurance.
Completion requires more than answered rows. Retain the scoped population, source exports, reviewer assignments, decisions, comments, exceptions, remediation tickets, before/after values, failed changes, a fresh post-change snapshot, representative access tests, residual-risk treatment, owner sign-off, and the next review date.
IT Perfection can help Orange County and Southern California organizations inventory SharePoint access paths, validate owners, define review evidence, align Entra and SharePoint controls, remediate permission drift, and integrate the cycle into managed Microsoft 365 operations.
Created by Ali Hassani, CISO — 25+ years of IT, cybersecurity, compliance, and infrastructure experience. This guide is for initial guidance only and does not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.