As sprawl and oversharing of SharePoint sites increase with exponential data growth, organizations need help with governing their data. Data access governance reports can help you govern access to SharePoint data. The reports let you discover sites that contain potentially overshared or sensitive content. You can use these reports to assess and apply the appropriate security and compliance policies.
What you need to create a data access governance report
The feature discussed in this article requires one of the following licenses:
- Microsoft 365 Copilot license
- Microsoft SharePoint Advanced Management license
If your organization has a Copilot license, SharePoint administrators automatically get access to the SharePoint Advanced Management features needed for Copilot deployment.
You can also purchase a standalone SharePoint Advanced Management license.
In addition, data access governance reports require either Microsoft 365 E5 or Microsoft SharePoint Advanced Management, and the organization must be in a non-government cloud environment or the GCC-Moderate government cloud environment. The reports are currently unavailable for government cloud environments such as GCCH/DoD/Gallatin, even if you have a SharePoint Advanced Management license or Copilot license.
How to access the Data access governance reports in the SharePoint admin center
Sign in to the SharePoint admin center with the SharePoint administrator credentials for your organization.
In the left pane, expand Reports and then select Data access governance.
The following reports are currently available from the Data access governance landing page:
- Snapshot reports
- Activity reports
Note
IT administrators with Microsoft 365 E5 licensing can access Data access governance reporting, but are unable to view or utilize the other SharePoint Advanced Management features. No snapshot reports are provided. No remedial actions are provided. Activity reports are available but can return only up to 10000 sites.
What are snapshot reports?
Snapshot reports give you a snapshot of your organization's current status based on specific reporting criteria. These reports show data as of the date they were generated.
Currently, two types of snapshot reports are available:
- Site permissions report: Provides a comprehensive snapshot of permission structure across all SharePoint and OneDrive sites, helping you identify sites with the broadest user access (for example, sites with thousands of users, external guests, or "Everyone except external users" permissions).
- Sensitivity label for files report: Identifies SharePoint sites containing files with specific sensitivity labels applied, allowing you to verify that appropriate security policies are in place for your most sensitive content.
What are activity reports?
Activity reports help you track potential oversharing activities that occurred in the last 28 days. These reports focus on "recently active" sites where users have created sharing links or shared content with large groups.
Currently, two types of activity reports are available to help you identify potential oversharing:
- Sharing links reports: Identifies sites where users have recently created the most sharing links (including "Anyone," "People in the organization," and "Specific people" links) to help you catch potential oversharing as it happens.
- Shared with 'Everyone except external users' reports: Tracks sites where content has been shared with all internal users in your organization, helping you identify broad internal exposure that could lead to unintended data access.
Important
For organizations without SharePoint Advanced Management: You must enable data collection before you can generate activity reports. Here's what you need to know:
- After enabling data collection, the system starts collecting audit data
- Data is stored for 28 days
- Reports become available 24 hours after enabling collection
- Reports only contain data from when collection was enabled
- If no reports are generated for 3 months, data collection pauses and must be re-enabled
Combining snapshot and activity reports
As part of your governance strategy, we recommend:
- Start with snapshot reports: Run site permissions reports first to understand your baseline permission structure and identify sites with the broadest exposure. We recommend running these quarterly to maintain a comprehensive view of your organization's data access.
- Follow up with activity reports: Use sharing links and EEEU activity reports to monitor recent oversharing activities and catch emerging risks. We recommend running these monthly to stay on top of ongoing sharing activities.
This combination ensures you have both a complete picture of your current state and visibility into ongoing sharing activities that could create new exposure risks.
What is the site permissions report?
The site permissions report is one of the two snapshot reports that provide a comprehensive snapshot of your organization's current permission structure across all SharePoint and OneDrive sites. This report analyzes every site to help you understand how broadly your data is exposed and identify potential oversharing risks.
The site permissions report captures your organization's permission state at a specific point in time, giving you a complete overview of:
- Total permissioned users: All unique users who can access the site and its content at any level
- Guest user permissions: Access granted to guests marked with #EXT# in their identities
- External participant permissions: Access for external users who can sign in with their own credentials
- Microsoft Entra group counts: Number of cloud-only groups with permissions at all scopes
- Broken inheritance counts: Where custom permissions override default site settings
- Sharing link counts: Both "Anyone" and "People in your organization" links
- Everyone except external users (EEEU) permissions: Content shared with all internal users
...and more. For the complete list of metrics captured in the report, see the Download the site permissions reports section below.
This snapshot approach helps you quickly assess your overall security posture and identify sites that need immediate attention.
Why the site permissions report matters for Copilot
Since Copilot respects existing permissions, understanding your current permission structure is critical before deployment. Sites with many users accessing content pose higher risk for unintended data exposure through Copilot interactions. The site permissions report prioritizes sites with the highest user counts, helping you focus remediation efforts where they're most needed.
Run the site permissions report
Here's how to run the site permissions report:
From the Data access governance landing page, select View reports under Site permissions across your organization.
Select Create report to generate your first report.
Before running the report, review these important details:
- The system creates separate reports for SharePoint and OneDrive sites
- The first report takes up to 5 days to complete, regardless of your organization's size
- Subsequent reports complete within 24 hours
- Reports capture data from up to 48 hours before generation
- You can run reports again every 30 days
If you've already created reports, select Run reports (when enabled) to get the latest data.
How do I view the site permissions report?
After your report is ready, you can view a summary of the permissions across your organization.
The report summary page displays:
- Total sites scanned: The number of SharePoint and OneDrive sites analyzed for permissions
- Sites without users: How many sites have no user permissions assigned
- Sites with user permissions: The remaining sites that have at least one user with access permissions (separated by SharePoint and OneDrive)
- Report date: When the data was captured (up to 48 hours before generation)
To view detailed results:
Select View report under either the SharePoint or OneDrive section
The report displays the top 100 sites with the highest number of users who have permissions
This visualization helps you quickly identify sites with the broadest access, making them priority candidates for review and potential remediation.
What does the site permissions report show me?
The site permissions report helps you identify potential oversharing by analyzing how data is exposed across your sites. Here are the key metrics for assessing site exposure:
Total permissioned users: Shows the unique number of users who can access each site's content. This helps you compare sites and identify those with the broadest exposure.
Microsoft Entra groups: Indicates how many groups have permissions to access site content.
Broken inheritance: Reveals how many items have unique permissions that override the site's default settings.
External user permissions: Shows permissions granted to:
- Guest users (marked with #EXT# in their identities)
- External participants in shared channels
Special SharePoint groups: Tracks permissions for:
- Everyone except external users (EEEU)
- Everyone
Sharing links: Counts the number of:
- Anyone links
- People in your organization links
How "Total permissioned users" is calculated
This critical metric represents all unique users who can access the site and its content at any level:
Site-level access: Users in SharePoint groups (owners, members, visitors) have access to all site content. These groups can include both individual users and Microsoft Entra groups.
Item-level access: Users granted permissions to specific files or folders through broken inheritance. These permissions can be assigned to individuals, SharePoint groups, or Microsoft Entra groups.
The system calculates this number by:
- Expanding all groups across all permission levels
- Removing duplicate users
- Counting the remaining unique users
Understanding current vs. potential exposure
Current exposure: When you add users directly or through Microsoft Entra groups, the "Total permissioned users" count increases immediately based on the group size or number of individuals added.
Potential exposure: Creating sharing links or granting access to "Everyone except external users" doesn't automatically increase the user count. These actions create potential exposure that only becomes actual exposure when users access the content through these links.
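The calculation and the current vs. potential distinction described above can be modeled in a few lines. This is an added illustration, not Microsoft's implementation; the group names, users, item paths, and the `expand` and `site_exposure` helpers are constructed for the example.

```python
# Simplified model of "Total permissioned users": expand groups at every
# scope, de-duplicate, count. All names and data below are constructed.

# Principals that create potential exposure only (per the text above).
POTENTIAL = {"Everyone except external users"}

GROUPS = {
    "Site Owners": ["alice@contoso.example"],
    "Site Members": ["entra:Finance", "bob@contoso.example"],
    "entra:Finance": ["bob@contoso.example", "carol@contoso.example", "entra:Payroll"],
    "entra:Payroll": ["dave@contoso.example", "carol@contoso.example"],
}
SITE_GRANTS = ["Site Owners", "Site Members"]            # site-level access
ITEM_GRANTS = {                                          # broken inheritance
    "/Shared Documents/budget.xlsx": ["erin@contoso.example", "entra:Payroll"],
    "/Shared Documents/plan.docx": ["Everyone except external users"],
}


def expand(principal, groups, seen=None):
    """Return the set of users behind a principal, expanding nested groups."""
    seen = set() if seen is None else seen
    if principal not in groups:      # not a known group, so treat as a user
        return {principal}
    if principal in seen:            # already expanded, or circular nesting
        return set()
    seen.add(principal)
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users


def site_exposure(site_grants, item_grants, groups):
    """Return (current unique user count, principals that are potential exposure)."""
    all_grants = list(site_grants) + [p for ps in item_grants.values() for p in ps]
    current, potential = set(), set()
    for principal in all_grants:
        if principal in POTENTIAL:
            potential.add(principal)     # does not raise the user count
        else:
            current |= expand(principal, groups)
    return len(current), sorted(potential)


if __name__ == "__main__":
    print(site_exposure(SITE_GRANTS, ITEM_GRANTS, GROUPS))
```

Carol and Bob appear through several paths but are counted once, and the EEEU grant on `plan.docx` is reported separately because it does not change the count.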
Download the site permissions reports
You can download the report as a CSV file to analyze up to 1 million sites offline.
The downloaded report contains the following information:
Column | Description |
---|---|
organizationID | GUID identifying the organization |
Site ID | GUID identifying the organization |
Site Name | Name of the site |
Site URL | URL of the site |
Site Template | Specifies the type of site. Has values such as Communication site, Team site, Team site (no Microsoft 365 Groups), Other sites |
Primary admin | Site administrator marked as Primary in Active sites page |
Primary admin email | Email of primary site administrator |
ExternalSharing | Specifies whether content can be shared with external guests. Yes or No. |
Site Privacy | Applicable in Microsoft 365 connected team sites. Specifies the privacy setting of the group. Has values Public or Private |
Site Sensitivity | Specifies the sensitivity label applied to the site |
Number of users having access | Unique number of users having access to site content at any level/scope |
Guest user permissions | Count of permissions to guests at any level/scope. These users are marked with #EXT# in their Microsoft Entra identities |
External participant permissions | Count of permissions to external users who can directly use their own credentials to sign-in and collaborate, such as in Shared channels |
Microsoft Entra group count | Number of Microsoft Entra cloud only groups at all scopes |
File count | Approximate number of all files in the site |
Items with unique permissions count | Extent of broken inheritance. Count of all items where inheritance was broken and unique permissions were assigned |
People In Your Org link count | Number of existing PeopleInYourOrg links across all the files in the site |
Anyone link count | Number of existing Anyone links across all the files in the site |
EEEU permission count | Number of permissions with 'Everyone except external users' as the recipient at any level/scope |
Everyone permission count | Number of permissions with 'Everyone' as the recipient at any level/scope |
Report Date | Time of generation of report. It might take up to 48 hours to reflect any changes in the report |
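
For offline analysis of the downloaded file, the following added example (not part of the product or the original article) ranks sites for review using the columns listed above. It assumes the CSV headers match the column names in the table; the sample rows, the `findings` and `triage` helpers, and the 1,000-user threshold are constructed for illustration.

```python
import csv
import io

# Constructed sample rows. Header names are assumed to match the column
# names in the table above; only the columns used here are included.
SAMPLE_CSV = """Site Name,Site URL,ExternalSharing,Site Privacy,Site Sensitivity,Number of users having access,Guest user permissions,Items with unique permissions count,People In Your Org link count,Anyone link count,EEEU permission count,Everyone permission count
HR Portal,https://contoso.example/sites/hr,Yes,Private,Confidential,4200,12,310,95,7,3,0
Lunch Menu,https://contoso.example/sites/lunch,No,Public,,5100,0,0,2,0,1,0
Project X,https://contoso.example/sites/projx,Yes,Private,,85,4,40,10,2,0,1
Archive,https://contoso.example/sites/archive,No,Private,General,15,0,0,0,0,0,0
"""


def to_int(value):
    """Treat blank, missing, or non-numeric cells as zero."""
    try:
        return int(value.strip())
    except (AttributeError, ValueError):
        return 0


def findings(row, user_threshold=1000):
    """Return review reasons for one site row (threshold is an assumption)."""
    reasons = []
    if to_int(row.get("Anyone link count")) > 0:
        reasons.append("anyone-links")
    org_wide = to_int(row.get("EEEU permission count")) + to_int(row.get("Everyone permission count"))
    if org_wide > 0:
        reasons.append("org-wide-permissions")
    unlabeled = not (row.get("Site Sensitivity") or "").strip()
    if to_int(row.get("Guest user permissions")) > 0 and unlabeled:
        reasons.append("guests-on-unlabeled-site")
    if to_int(row.get("Number of users having access")) >= user_threshold:
        reasons.append("broad-access")
    return reasons


def triage(csv_text):
    """Return (site URL, reasons) pairs, most reasons first, then by user count."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = findings(row)
        if reasons:
            users = to_int(row.get("Number of users having access"))
            flagged.append((len(reasons), users, row["Site URL"], reasons))
    flagged.sort(key=lambda f: (-f[0], -f[1]))
    return [(url, reasons) for _, _, url, reasons in flagged]


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_CSV):
        print(url, ", ".join(reasons))
```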
What is the sensitivity labels for files report?
The sensitivity labels for files report is the other snapshot report that helps you control access to sensitive content across your organization. This report identifies sites containing files with sensitivity labels applied, allowing you to verify that appropriate security policies are applied.
How to add sensitivity label reports
You can create a sensitivity label report for each label you want to monitor. When you add a report, the system automatically runs it for the first time.
Note
You can only create reports for sensitivity labels that have 'File' included in their scope.
Run sensitivity label reports
To get the latest data for each report, you need to manually run it. You can run all reports at once or select individual reports to run. Before running reports, review these important details:
- Reports are created for SharePoint sites only (OneDrive is not currently supported)
- Reports may take up to 24 hours to complete
- Reports capture data from up to 120 hours before generation
- You can run reports again every 24 hours
To check if a report is ready or see when it was last updated, check the Status column.
Download the sensitivity label reports
After running a report, you can download the data as a CSV file for offline analysis. Here's how:
Select the report name to access the download option
Download the CSV file containing up to 10,000 sites
The downloaded report includes the following information:
- Sites with labeled files: Lists sites containing the highest number of Office files with the selected sensitivity label applied
- Applied policies: Shows which security policies are active on each site:
This data helps you verify that sites containing sensitive content have appropriate security policies in place.
What is the sharing links report?
The sharing links report is one of the two activity reports that helps you identify sites where users have created the most new sharing links in the last 28 days. These reports are available for the following types of links:
Name of report | Description |
---|---|
'Anyone' links | This report provides a list of sites in which the highest number of "Anyone" links were created. "Anyone" links allow anyone to access files and folders without signing in. |
'People in the organization' links | This report provides a list of sites in which the highest number of 'People in the organization' links were created. These links can be forwarded internally and allow anyone in the organization to access files and folders. |
'Specific people' links shared externally | This report provides a list of sites in which the highest number of 'Specific people' links were created for people outside the organization. |
Run sharing links reports
To get the latest data for each report, you need to manually run it. You can run all reports at once or select individual reports to run. Before running reports, review these important details:
- Reports are created for SharePoint sites only. OneDrive support is available via PowerShell
- Reports may take up to 24 hours to complete
- Reports capture data from up to 24 hours before generation
- You can run reports again every 24 hours
To check if a report is ready or see when it was last updated, check the Status column.
View sharing links reports
After your report is ready, select the report name to view the data. Each sharing link report displays:
- Top 100 sites: Sites with the highest number of sharing links created in the last 30 days
- Applied policies: Security policies active on each site:
- Primary administrator: The designated admin for each site
Note
OneDrive data is now available via PowerShell.
Download sharing links reports
You can download any report as a CSV file for offline analysis, containing data for up to 1 million sites.
What is the 'Everyone except external users' (EEEU) report?
The 'Everyone except external users' (EEEU) report is the other activity report that helps you identify sites where content has been shared with your entire organization. EEEU is a built-in SharePoint group that automatically includes all internal users but excludes any external guests.
When does EEEU sharing occur?
Content can be shared with EEEU in two ways:
Public sites: When a site is configured as public, the EEEU group becomes part of the site's membership (owners, members, or visitors). This makes all site content visible to everyone in your organization.
Public items: Individual files or folders can be shared directly with EEEU using the people picker. This makes specific items accessible to your entire organization while keeping the rest of the site private.
Why monitor EEEU sharing?
Sharing with EEEU can lead to unintended data exposure since it grants access to all current and future employees. The EEEU reports help you:
- Discover sites with the most EEEU sharing activity in the last 28 days
- Identify potential oversharing risks before they impact your organization
- Take appropriate actions to limit access when necessary
How to create an Everyone except external users report?
When creating an EEEU report, you can configure the following options to focus your analysis:
- Report name: Enter a unique name to identify this report
- Template: Select which SharePoint site templates to include (you can select multiple template types or choose "All sites"):
  - Classic sites
  - Communication sites
  - Team sites
  - Others
  - All sites (to include everything)
- Privacy: For Team sites, filter by privacy setting:
  - Private
  - Public
  - All (both private and public)
- Site sensitivity: Choose specific sensitivity labels to focus on sites with particular security classifications. For example, you can identify files shared with EEEU within sites labeled as "Confidential" in the last 28 days
- Report type: Select which EEEU scenario to analyze:
  - Public sites: Sites where EEEU is part of the site membership
  - Public items: Individual files or folders shared with EEEU
Run the Everyone except external users report
To get the latest data, you need to manually run each report. You can run all reports at once or select individual reports. Before running reports, review these important details:
- Reports cover SharePoint sites only (OneDrive support is available via PowerShell)
- Maximum of 10 reports allowed
- Reports may take up to 24 hours to complete
- Data captured is from up to 24 hours before generation
- Reports can be run again every 24 hours
Check the Status column to see if a report is ready or when it was last updated.
View Everyone except external users reports
After your report completes, it displays key insights about EEEU sharing activity:
Each report shows:
- Top 100 sites: Sites with the highest number of items or groups shared with EEEU in the last 28 days
- Security policies: Current policies applied to each site:
  - Site sensitivity labels
  - Site privacy settings
  - Site external sharing settings
- Primary administrator: The designated admin responsible for each site
Download Everyone except external users reports
You can download the full report data as a CSV file for detailed analysis:
Downloaded report contents:
- Up to 1 million sites sorted by EEEU sharing activity (highest first)
- Complete site information including:
  - Primary administrator name and email
  - Site template type
  - Privacy settings
  - Sensitivity labels
  - Additional site metadata
Limitations or known issues
- Reports may not work if you have nonpseudonymized report data selected for your organization. To change this setting, you must be a Global Administrator. Go to the Reports setting in the Microsoft 365 admin center and clear Display concealed user, group, and site names in all reports.
Remedial actions from Data access governance reports
Important
Remedial actions from Data access governance reports are only available for SharePoint Advanced Management subscribers in non-government cloud environments or GCC-Moderate government cloud environments. This feature is currently unavailable for GCCH, DoD, and Gallatin government cloud environments, even with a SharePoint Advanced Management or Copilot license.
After discovering potential oversharing through Data access governance reports, you can take several actions to address these risks. When deciding which actions to take, consider:
- The sensitivity of the exposed content
- The amount of content at risk
- The potential disruption to users and workflows
Available remediation options
For immediate action:
- Use Restricted access control (RAC) to limit access to a specific group
- Review the 'Change history' report to identify recent permission changes that may have led to oversharing
For collaborative remediation:
- Use the Site access review feature to request that site owners review and update permissions themselves
This approach ensures you can balance security needs with minimal disruption to your organization's productivity.