Decisions for you to consider when creating a Governance Plan for SharePoint Online
As you venture into the world of SharePoint, Microsoft 365 Groups, and Teams, you might hear the word Governance come up more than a few times. The reason is that, even if you are a small business, with users creating Teams on the fly and sharing content externally as they wish, you might at some point start worrying about business data integrity and business data security. Those worries are amplified when you are a larger organization. With hundreds and perhaps even thousands of users creating Microsoft 365 Groups and sharing content without any reasonable restrictions, it might get wild and crazy pretty quickly. So, I thought I would document some of the things for you to think about as you work on a Governance Plan and meet with your Governance Committee.
What is Governance?
If you are new to Governance and need to get familiar with the terminology and what this is all about – I suggest you check out this post.
SharePoint Governance is a set of policies that define processes, roles, rules, and regulations for user interaction with SharePoint in your organization.
Governance Plan Template
If you do not know where to start, I suggest downloading a Governance Plan here. I put this together back in 2019 and a lot of changes have occurred in SharePoint and Teams since then; however, for the most part – it is a great document to reference and start documenting your Governance plan and decisions. Many things I mention below are also referenced in that template.
What to include in the Governance Plan
Every organization is different and has different needs and tolerance for certain items. These all depend on company culture and on the legal or compliance regulations that apply to the company. So, what I thought I would do below is summarize some of the major decisions you need to make when putting together a Governance Plan.
Decision 1: Determine who can create Sites/Teams
I am sure you have heard the term “site sprawl” already. By default, anyone can create sites in SharePoint Online. The same applies to Teams/Microsoft 365 Groups. Every time someone creates a new Team in Microsoft Teams, it creates a Team itself, a Microsoft 365 Group, a SharePoint Site, a Group Calendar, and an Email Distribution List.
So the big decision you have to make here is whether or not to limit the ability to create sites. There are several choices available to you:
- Option 1: Leave as-is
- Option 2: Restrict access to just the IT Team/specific users
- Option 3: Allow everyone to create sites, but inject some sort of approval process/automation
Personally, I do not like to restrict site creation completely. My personal preference is to address this with proper monitoring and staff training. However, if you are a large organization, this might indeed get wild, so Option 3 might be a good middle ground.
Decision 2: Decide on Policy Regarding the creation of Teams Private and Shared Channels
While we are on the topic of Site creation, another big decision you have to make is whether or not you will allow Team Members and Owners to create Private and Shared Channels. In case you are not familiar with what those are – I suggest you check out this post. Why is this important? Because every time you create either a Private or Shared channel, it creates another SharePoint site. So, if you are on a mission to limit site sprawl, this is another big decision to make.
Decision 3: Allow or Disable External sharing
The next big decision you have to make is whether to allow or restrict external sharing. Again, by default, external sharing is on in Microsoft 365 tenants. However, again, this might get wild without proper training and staff guidance. There might also be some legal or compliance implications.
Personally, I am not a huge fan of completely disabling external sharing. I even wrote a post about it where I provided some arguments. My preference is to address it with proper staff training, and some settings within SharePoint Admin Center, where you can restrict external sharing by domain or for specific sites, for example.
Decision 4: Decide on Retention and Records Management Policies
This one might not be an issue for many organizations unless you have some legal or compliance obligations. To learn more about Retention Policies, check out this post.
Yet, enabling some basic retention policies on your site might be a smart way to ensure data integrity and prevent inadvertent data loss due to user error or unforeseen circumstances.
Decision 5: Decide on Data Loss Prevention Policies
This is yet another decision with legal implications you might have. There might be a subset of documents in your SharePoint that contains personally identifiable information of clients. For example, Social Security Numbers, Bank Account information, and Credit Card Numbers. You might want to treat those documents a bit differently and, say, prevent external sharing or the ability to print, for example. In such cases, you can enable a Data Loss Prevention (DLP) policy on those documents. Please check out this article from Microsoft for more info on this.
Decision 6: Periodic Site Cleanup
The last major decision to make is about Site Cleanup. While some sites might need to exist forever (i.e., sites for department functions like Human Resources), the majority of the sites are probably created for a short period. Think of project sites, client sites, etc. So, as an organization, you will need to develop some sort of ongoing review policy to determine whether to keep the site, delete it, or archive it. Think of it as site lifecycle management.
The list above is not meant to be an exhaustive list for putting together a Governance plan. However, I wanted to include some of the major decisions you need to make and share my opinion about them. The actual plan you put together will depend on many other factors, so no two Governance Plans will ever look the same!