Logo
Enterprise AI 22 min read

How to Secure M365 Copilot via SharePoint Advanced Management (SAM)

Can Dedeoglu avatar
How to Secure M365 Copilot via SharePoint Advanced Management (SAM)
Discover the definitive guide to architecting M365 Copilot readiness using SharePoint Advanced Management (SAM) to secure enterprise data.

As organizations rush to deploy Microsoft 365 Copilot, a hard truth has emerged: Copilot is only as secure as your underlying SharePoint permissions. Copilot retrieves data from Microsoft Graph and honors existing permissions and sharing settings exactly as they are. So if your tenant is plagued by ownerless sites, unchecked sharing links, and years of content sprawl (ROT — Redundant, Obsolete, Trivial data), Copilot won’t break in. It will simply walk through doors you left open and surface that chaos directly to your end users.

The good news: Microsoft folded the governance toolkit you need — SharePoint Advanced Management (SAM), formerly SharePoint Premium — into the Copilot license. This guide is the hands-on playbook. It pairs the why with the exactly-how: the PowerShell you’ll run, the admin-center paths you’ll click, and the gotchas that fail silently.

Drawing on a deep-dive session featuring practitioners from Microsoft, this is the field guide I wish I’d had on day one. Every command below is copy-paste ready — replace contoso with your tenant name and the example site URLs with your own.

TL;DR — The Copilot Readiness Roadmap

Copilot Readiness Roadmap

If you read nothing else, run these phases in order. Each links to a section below.

  1. Confirm SAM is lit up — assign one Copilot license, verify in the SharePoint admin center.
  2. Connect your tooling — install the modules, connect PowerShell, verify your module version (Prerequisites).
  3. Lock down baseline sharing — fix link defaults and hide the EEEU claim (Phase 1).
  4. Kick off the oversharing baseline report — it takes up to 5 days, so start it now (Phase 4).
  5. Purge ROT — run Inactive Site and Site Ownership policies in Simulation Mode first (Phases 2–3).
  6. Remediate the worst offenders — Site Access Reviews, RAC, and RCD (Phase 5).
💡

Sequencing matters. Start the oversharing baseline report on day one (Step 4) even though it’s “Phase 4” conceptually. It runs for up to five days in the background, so launching it early means your cleanup data is ready by the time you finish baseline hardening.

The Golden Ticket: How SAM Is Now Licensed

Before configuring anything, understand the licensing, because it changes the economics completely.

SAM (formerly SharePoint Premium) was historically a separate paid add-on layered on top of E3/E5. As of mid-2025, Microsoft made a pivotal change.

The unlock: If your organization assigns at least one Microsoft 365 Copilot license to a single user, SharePoint administrators get the full SAM (Plan 1) feature set across the entire tenant. Whether you have 100 or 10,000 users, that one seat lights up Advanced Management in the SharePoint admin center. You do not buy SAM per user.

Two caveats worth knowing:

  • It’s “Plan 1.” Microsoft has signaled that future SAM features may land in a separate add-on (a hypothetical “Plan 2”) not covered by the Copilot license. Today, the readiness toolkit described here is included.
  • Verify it’s on. In the SharePoint admin center → Advanced Management, you should see “Your SharePoint Advanced Management subscription is now enabled.” If you instead see a prompt to start a trial, no Copilot license has been assigned yet (or it hasn’t finished provisioning — allow a few hours after assigning the seat).
ℹ️

Two-minute verification. Don’t just trust the banner. Assign the Copilot seat, wait, then confirm the toolkit actually responds by running a harmless read-only command such as Get-SPOTenant | Select-Object EnableRestrictedAccessControl. If SAM isn’t provisioned, SAM-gated cmdlets return a license error like “This operation can’t be performed as the tenant doesn’t have the required license.” — that error is your real signal, not the UI.

Prerequisites: Set Up Your Cockpit First

The single biggest gap in most “Copilot readiness” articles is that they jump to policies without telling you how to connect. Half of SAM’s most powerful features — including the all-important oversharing baseline report — are PowerShell-only. Get your tooling ready before Phase 1.

Roles you’ll need:

  • SharePoint Administrator (preferred) or Global Administrator for SAM policies and reports.
  • Owner or Contributor on an Azure subscription in the same tenant — required only if you plan to use Microsoft 365 Archive (Phase 2).

Modules to install:

Code 
# 1. The SharePoint Online Management Shell — used for DAG reports, RAC, RCD.
#    DAG report cmdlets require version 16.0.25409 or LATER. Older versions
#    silently lack Start-SPODataAccessGovernanceInsight.
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force

# 2. PnP PowerShell — used for tenant-wide sharing defaults and EEEU controls.
Install-Module -Name PnP.PowerShell -Force

Verify your module is new enough before you waste a day (this is the #1 silent failure):

Code 
# Must be 16.0.25409 or higher, or the DAG cmdlets won't exist.
Get-Module Microsoft.Online.SharePoint.PowerShell -ListAvailable |
  Select-Object Name, Version | Sort-Object Version -Descending

# If you have an old version pinned, force the latest:
Update-Module -Name Microsoft.Online.SharePoint.PowerShell -Force

Connect (replace contoso with your tenant name):

Code 
# SharePoint Online Management Shell.
# Note: for Data Access Governance, connect WITHOUT -Credential.
# Modern auth / MFA is required; credential-based sign-in is blocked by design.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Quick sanity check that you're connected and have admin rights:
Get-SPOTenant | Select-Object -First 1 | Out-Null; Write-Host "Connected OK"

# PnP PowerShell (interactive, MFA-friendly).
Connect-PnPOnline -Url "https://contoso-admin.sharepoint.com" -Interactive
⚠️

Gotcha: Connect-SPOService -Credential is intentionally unsupported for the DAG reporting cmdlets. If you script these in automation, use a certificate-based app registration or managed identity — not a stored username/password. Also note your admin URL is always https://<tenant>-admin.sharepoint.com (the -admin is mandatory).

Phase 1: Baseline Settings — Improve the Signal-to-Noise Ratio

Copilot quality depends on a clean “signal-to-noise” ratio. Your readiness pillars should include reviewing DLP (Data Loss Prevention), Conditional Access, and validating user permissions. Before touching SAM’s advanced features, harden these baseline tenant settings.

By default, SharePoint sets sharing to the most permissive option. Tighten it.

Admin-center path: SharePoint admin center → Policies → Sharing.

  • Change the default sharing link from “Anyone with the link” / “People in your organization” to “Specific people.”
  • Switch the default permission from Edit to View.

Or enforce it as code at the tenant level:

Code 
# Make "Specific people" the default link, and View the default permission.
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View

# Confirm it stuck:
Get-SPOTenant | Select-Object DefaultSharingLinkType, DefaultLinkPermission
ℹ️

This is forward-looking, not retroactive. Changing the tenant default only affects new links. It does nothing to the millions of permissive links already out there — those are what the oversharing baseline report (Phase 4) and remediation (Phase 5) exist to clean up.

2. Eradicate the EEEU claim

The legacy “Everyone Except External Users” (EEEU) claim is the single biggest oversharing liability for Copilot. It grants access to every current and future employee. Many readiness guides just say “use a PowerShell command” — here is the actual command.

Hide EEEU (and the broader “Everyone” claim) from the people picker tenant-wide so users can’t apply it to new content:

Code 
# PnP PowerShell — stops EEEU/Everyone from being newly assigned anywhere.
Set-PnPTenant -ShowEveryoneExceptExternalUsersClaim $false -ShowAllUsersClaim $false

# Narrower option: block EEEU only inside private (non-group) sites,
# leaving it available elsewhere.
Set-PnPTenant -AllowEveryoneExceptExternalUsersClaimInPrivateSite $false

# Verify the current state:
Get-PnPTenant | Select-Object ShowEveryoneExceptExternalUsersClaim, ShowAllUsersClaim
ℹ️

Hiding ≠ removing. The commands above prevent new EEEU grants but do not strip EEEU from content where it’s already applied. To find and remediate existing grants, run the EEEU activity report (Phase 4) or use a file-level remediation script such as the community EEEU-Tools set. Hide first to stop the bleeding, then clean up the back catalog.

3. Require site-level approval for sharing

For sensitive sites, require site-owner approval before content can be shared outward. Combine this with the Block Download Policy (Phase 5) for your most confidential workspaces.

Phase 2: Taming Sprawl via Lifecycle Management

Inactive Site to Archive Lifecycle

Reviewing permissions on sites no one has touched in years is wasted effort — purge them instead. Your first SAM lifecycle action targets ROT with the Inactive Site Policy.

Admin-center path: SharePoint admin center → Site lifecycle management → Inactive site policies → Open.

This policy lets you:

  • Define “inactive” (e.g., no activity in 6 months) and automatically email site owners/admins to certify whether the site is still needed.
  • Scope and brand the notifications — customize the sender domain and filter by Purview sensitivity labels.
  • Escalate enforcement. If owners ignore the email after a defined number of attempts, SAM can lock the site read-only or push it into Microsoft 365 Archive.

The AI & storage advantage: Archiving moves a site to a cheaper cold-storage tier and removes it from Copilot’s reach entirely — archived content isn’t indexed, isn’t used for grounding, and users can’t open it until the site is reactivated.

⚠️

Always run in Simulation Mode first. Every lifecycle policy supports a simulation that reports who would be emailed and what would be enforced — without sending a single message. Validate scope here before you flip to Active mode and blast automated notifications across the org. A good rule: simulate, export the list, eyeball 10–20 sites you recognize, then activate.

Setting up Microsoft 365 Archive (the prerequisite everyone misses)

The “critical gotcha” is real and worth expanding: the M365 Archive enforcement action fails silently unless pay-as-you-go billing is configured. SAM checks for an Azure billing link before archiving; without it, nothing happens.

One-time setup:

  1. In the Microsoft 365 admin center, go to Setup → Billing and licenses → Activate pay-as-you-go services.
  2. Choose your Azure subscription, resource group, and region, then accept the terms. (You need Owner/Contributor on that subscription and at least one SharePoint license in the tenant.)
  3. Go to Settings → Org settings → Pay-as-you-go services → Settings tab → Storage services → Archive and toggle SharePoint archiving on.

What it actually costs (correcting a common misconception):

  • Archived (“cold”) storage is ~$0.05/GB/month versus ~$0.20/GB/month for standard SharePoint storage — roughly 75% cheaper.
  • You are billed only for archived data that pushes your tenant’s total storage over its included quota. If you’re under quota, archiving can cost nothing — yet still removes the content from Copilot’s index. (Microsoft’s own pricing doc spells this out: their “Scenario E” — under quota — is $0.) That alone is often reason enough to archive.
  • Reactivation fees were removed as of March 31, 2025, but reactivated content is restricted from re-archiving for ~4 months.
⚠️

Two more archive gotchas: (1) Sites cannot be deleted directly from the certification email interface — archive or read-only lock are the only email-driven actions. (2) Archiving is a lifecycle decision, not a folder move — the site becomes unavailable for daily use until reactivated, and a reactivation of a long-archived site can take ~24 hours. Notify owners before enforcing.

Phase 3: Fixing the Ownerless Site Dilemma

If a site has no owner, no one can review or correct its permissions — a governance dead end. The Site Ownership Policy enforces a minimum owner threshold (commonly 2 owners) on every workspace.

Admin-center path: SharePoint admin center → Site lifecycle management → Site ownership policies → Open.

This also covers connected services like Loop Workspaces, which run on SharePoint backends. When a site falls below the threshold, SAM escalates ownership requests, typically in this order:

  1. Remaining site admins.
  2. The most active site members, asked to claim ownership.
  3. The manager of the departed owner.
⚠️

Technical limitations: The “manager” fallback depends on the Microsoft Entra manager attribute, which is commonly cleared shortly after an employee leaves — so this path can dead-end for exactly the orphaned sites you most need to fix. The policy also relies entirely on end users reading and acting on emails, which makes progress hard to track natively. Run it in Simulation Mode first here too, so you can see how many sites would actually find an owner before you turn notifications on.

Phase 4: Uncovering Risk with Data Access Governance (DAG) Reports

DAG reports replace endless ad-hoc scripting to map permissions — but each report type has a distinct scope and a distinct blind spot. Know which tool answers which question.

  • Scope: Recent sharing activity — links created (“Anyone,” “People in your org,” “Specific external people”) and EEEU grants.
  • Limitation: A 28-day rolling window only. It will not surface legacy links created months or years ago.
  • Where: SharePoint admin center → Reports → Data access governance. (Up to 10 reports; the list view shows the top 100 sites; you can download a detailed CSV for up to 10,000 sites; rerun every 24 hours.)

2. Snapshot reports

  • Scope: A point-in-time count of permissions, guest access, and Entra group mappings per site.
  • Limitation: Can only be regenerated once every 30 days.

3. The Oversharing Baseline Report — your most important first move

(Surfaced in the UI as “Site permissions across your organization”; the comprehensive version is PowerShell-only.)

  • Scope: The absolute historical state of internal, external, and link-based access. Crucially, it looks inside M365 security groups to count the actual number of permissioned users per site — the truest measure of Copilot exposure.

Step A — Start the report (it’s not in the admin center):

Code 
# Org-wide permissioned-users baseline for SharePoint.
# Tip: set -CountOfUsersMoreThan 100 instead of 0 to jump straight to the
# worst offenders (sites reachable by 100+ users).
Start-SPODataAccessGovernanceInsight `
  -ReportEntity PermissionedUsers `
  -ReportType Snapshot `
  -Workload SharePoint `
  -CountOfUsersMoreThan 0 `
  -Name "OrgWidePermissionedUsers_SharePoint"

# Repeat for OneDrive for Business.
Start-SPODataAccessGovernanceInsight `
  -ReportEntity PermissionedUsers `
  -ReportType Snapshot `
  -Workload OneDriveForBusiness `
  -CountOfUsersMoreThan 0 `
  -Name "OrgWidePermissionedUsers_OneDrive"

Step B — Check whether it’s finished (this is the part most guides leave out — the report runs in the background, so you have to poll for it):

Code 
# List your reports and their status (InProgress / Completed).
# Note the ReportID GUID in the output — you need it to download.
Get-SPODataAccessGovernanceInsight | Select-Object Name, ReportType, Status, ReportId

Step C — Download the finished report to CSV (using the ReportID from Step B):

Code 
# Once Status shows "Completed", export it. Defaults to your Downloads folder
# if -DownloadPath is omitted.
Export-SPODataAccessGovernanceInsight `
  -ReportID "<paste-the-GUID-from-Step-B>" `
  -DownloadPath "C:\SAM\Reports"

Limitations to plan around:

  • Because it scans every document and list item, the first run takes up to 5 days (regardless of tenant size). Subsequent runs finish within 24 hours.
  • You can keep two reports (one per workload) and regenerate once every 30 days.
  • The native UI shows only the top 100 sites. For enterprise tenants (up to ~1M sites), the CSV is your friend — filter offline (e.g., sites with >1,000 permissioned users, or sites carrying a specific Purview label) to build your prioritized hit-list.
💡

Start this on day one, then walk away. Because of the five-day runtime, launch Step A before you begin baseline hardening, then come back and poll with Step B while you work through Phases 1–3. Your prioritized cleanup list (Step C’s CSV) will be waiting for you. Don’t serialize it.

Phase 5: Remediation & Administrative Lockdowns

Once DAG reports highlight risk, you have a spectrum of native options — from owner-delegated reviews to immediate admin lockdowns. Match the tool to the urgency.

Delegated: Site Access Reviews

Trigger reviews from DAG results with a custom message (e.g., “Please review immediately”). Owners get a specialized SAM UI to inspect item-level unique permissions and revoke access. You can also kick these off in PowerShell with Start-SPOSiteReview.

⚠️

Critical limitations: - The 1,000 cap: A hard limit of 1,000 review triggers per month, per tenant. - Review fatigue: Each link type spawns a separate review. A site with “Anyone” links, “People in org” links, and direct permissions can generate 3–4 separate emails for one site. - No enforcement: If an owner clicks “Complete” without changing anything — or ignores it — SAM does not auto-lock the site. - Scope gaps: The end-user “Manage Access” UI is clunky, and OneDrive is not supported.

Admin overrides: RAC vs. RCD

RAC vs RCD Security Controls

When you can’t wait for a human review, reach for SAM’s immediate controls. These two are frequently confused — here’s the clean mental model plus the exact commands.

RAC (Restricted Access Control) — “The Heavy Hammer”: Overrides existing permissions and restricts the site to specified Microsoft 365 groups or Entra security groups. A strict gatekeeper that blocks access outright — sharing links and direct grants stop working for anyone outside the named group(s).

RAC is a two-step process, and step one is the part everyone forgets:

Code 
# STEP 1 (tenant-level, ONE TIME): turn the RAC capability on for the tenant.
# Without this, the site-level command below fails with a license/feature error.
# Allow ~1 hour for this to take effect before moving to Step 2.
Set-SPOTenant -EnableRestrictedAccessControl $true

# Verify it's enabled:
Get-SPOTenant | Select-Object EnableRestrictedAccessControl

# STEP 2 (per-site): restrict a site to one or more groups (by object ID/GUID).
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" `
  -RestrictedAccessControl $true `
  -RestrictedAccessControlGroups "00000000-aaaa-bbbb-cccc-111111111111"

Need the group’s GUID? Grab it from Entra, or with Microsoft Graph PowerShell: (Get-MgGroup -Filter "displayName eq 'Finance Team'").Id. Then use RAC Policy Insights afterward to confirm you haven’t locked out legitimate users.

RCD (Restricted Content Discovery) — “The Invisible Shield”: Hides a site from Copilot, SharePoint agents, and cross-site/org-wide search while leaving direct URL access intact for permissioned users. It changes discoverability, not permissions. No tenant-level prerequisite — it works per-site out of the box.

Code 
# Hide a site from Copilot and org-wide search (permissions unchanged).
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -RestrictContentOrgWideSearch $true

# Verify the flag.
Get-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" | Select-Object RestrictContentOrgWideSearch

# Remove the restriction later.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -RestrictContentOrgWideSearch $false
⚠️

Three things to know about RCD: (1) It’s per-site and highly scalable, designed to supersede the tenant-level Restricted SharePoint Search (RSS) allowed-list model that practically maxed out around 100 sites. (2) It can’t be applied to OneDrive. (3) Don’t over-apply it — RCD propagates by reindexing every file in the site (a file-level “fan-out”), so large sites take time to take effect, and hiding too much content starves Copilot of legitimate grounding data, producing worse answers. Users can still find files they own or recently touched, even on an RCD site.

Proactive guardrails

Block Download Policy: On sensitive sites, prevent downloading, printing, or syncing to OneDrive. Users can still view documents in the browser alongside a clear warning banner.

Code 
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Board" -BlockDownloadPolicy $true

Content Management Assessment: A guided dashboard that runs an automated tenant assessment and produces an immediate hit-list of oversharing and lifecycle issues — accessible even to admins without deep technical expertise. Path: SharePoint admin center → Advanced Management → Start assessment. Rerun every 30 days to track progress.

Note: this is the feature sometimes referred to informally as “SharePoint Management Pro Assessment” — its official name is Content Management Assessment.

Quick Command Reference

Bookmark this. Everything you need, in execution order:

Code 
# --- SETUP ---
Install-Module Microsoft.Online.SharePoint.PowerShell -Force   # needs 16.0.25409+
Install-Module PnP.PowerShell -Force
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-PnPOnline   -Url "https://contoso-admin.sharepoint.com" -Interactive

# --- PHASE 1: baseline hardening ---
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View
Set-PnPTenant -ShowEveryoneExceptExternalUsersClaim $false -ShowAllUsersClaim $false

# --- PHASE 4: oversharing baseline (start day one) ---
Start-SPODataAccessGovernanceInsight -ReportEntity PermissionedUsers -ReportType Snapshot `
  -Workload SharePoint -CountOfUsersMoreThan 0 -Name "OrgWidePermissionedUsers_SharePoint"
Get-SPODataAccessGovernanceInsight | Select Name, Status, ReportId      # poll until Completed
Export-SPODataAccessGovernanceInsight -ReportID "<guid>" -DownloadPath "C:\SAM\Reports"

# --- PHASE 5: remediation ---
Set-SPOTenant -EnableRestrictedAccessControl $true                       # RAC: one-time, ~1hr
Set-SPOSite -Identity "<site>" -RestrictedAccessControl $true -RestrictedAccessControlGroups "<guid>"
Set-SPOSite -Identity "<site>" -RestrictContentOrgWideSearch $true        # RCD: hide from Copilot
Set-SPOSite -Identity "<site>" -BlockDownloadPolicy $true                 # block download/print/sync

Closing: Readiness Is an Operating Model, Not a Project

Preparing for Copilot is not a one-time IT task — it’s an ongoing operational lifecycle. Use the Copilot license to unlock SAM, get your PowerShell cockpit connected, start the five-day baseline early, harden defaults, purge ROT in simulation first, and reserve RAC/RCD for the genuine emergencies. Do that, and you transform your Microsoft 365 tenant from a sprawling liability into a secure, AI-ready engine — one where Copilot accelerates your people instead of exposing them.

#Microsoft 365 Copilot #SharePoint Advanced Management #Governance #Security

Read next

Related articles

Publishing M365 Copilot Agents to the Org Store
Enterprise AI

Publishing M365 Copilot Agents to the Org Store

Enterprise-Grade AI Governance: Securing Copilot and Custom Agents Across the Microsoft Ecosystem
Security

Enterprise-Grade AI Governance: Securing Copilot and Custom Agents Across the Microsoft Ecosystem

Mastering the Enterprise Control Plane: A Deep Dive into Microsoft Agent 365
Agent 365

Mastering the Enterprise Control Plane: A Deep Dive into Microsoft Agent 365

Discussion

Loading...