SharePoint & OneDrive · Advanced Management
SharePoint Advanced Management Administrator
Manages SharePoint Advanced Management (SAM) features including data access governance, content lifecycle management, and advanced access controls.
Scope: Organization-wide advanced SharePoint governance
Permissions
- Data access governance - View oversharing and sensitivity reports
- Site lifecycle - Manage inactive site policies
- Block download - Apply download restrictions to sites
- Conditional access - Configure authentication contexts for sites
- Restricted site creation - Control who can create sites
- Catalog management - Organize sites into governance groups
Common use cases
- Preparing for Copilot deployment
- Reducing oversharing and data exposure
- Managing inactive and stale sites
- Implementing advanced access controls
Best practices
- Review data access governance reports regularly
- Set up lifecycle policies for inactive sites
- Use catalog management for governance at scale
- Combine with sensitivity labels for protection
Security considerations
- Access to sensitive data exposure reports
- Can block access to sites organization-wide
- Changes affect all users
- Data access governance reveals oversharing risks
Common questions
When should I assign the SharePoint Advanced Management Administrator role?
Assign SharePoint Advanced Management Administrator when you need to: Preparing for Copilot deployment; Reducing oversharing and data exposure; Managing inactive and stale sites; and Implementing advanced access controls. It is part of SharePoint & OneDrive and should be granted as a least-privilege alternative to broader roles like Global Administrator.
What can someone with the SharePoint Advanced Management Administrator role do?
The SharePoint Advanced Management Administrator role grants permissions including: Data access governance - View oversharing and sensitivity reports; Site lifecycle - Manage inactive site policies; Block download - Apply download restrictions to sites; Conditional access - Configure authentication contexts for sites; Restricted site creation - Control who can create sites; and Catalog management - Organize sites into governance groups. See the Permissions section above for the full list.
What are the security risks of the SharePoint Advanced Management Administrator role?
Key considerations when assigning SharePoint Advanced Management Administrator: Access to sensitive data exposure reports; Can block access to sites organization-wide; Changes affect all users; and Data access governance reveals oversharing risks. Review the Security considerations section before assignment, and pair with Privileged Identity Management (PIM) for just-in-time access where possible.