Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.4.2. SharePoint Advanced Management

💡 First Principle: SharePoint Advanced Management (SAM) is a premium add-on that gives administrators deeper control over who can access SharePoint sites and how, including the ability to restrict site access to specific groups even if broader permissions exist elsewhere. It's the surgical tool for permission control where standard SharePoint settings aren't enough.

Standard SharePoint permissions work by inheritance and explicit grants. SAM adds features that go beyond this:

Restricted Site Access: Lock down a specific SharePoint site so that only members of a designated group can access it, even if other permission grants would normally allow access. This is a site-level fence that overrides broader permissions.

Conditional Access policies for SharePoint sites: Apply Entra Conditional Access policies at the site level; for example, require a managed device to access a site containing sensitive research.

Site ownership policies: Require sites to always have at least two owners (prevents orphaned sites with no admin).

Inactive site policies: Automatically notify or archive sites that haven't been used in a defined period.

Block download policies: Prevent users from downloading files from specific sites (they can view in browser but not download). Useful for contractors or external partners.

| SAM Feature | Use Case |
| --- | --- |
| Restricted Site Access | Limit access to highly sensitive sites (legal, executive, HR) regardless of broader org permissions |
| Block download | Allow viewing but prevent exfiltration by download |
| Conditional Access integration | Require compliant device for sensitive site access |
| Inactive site policy | Clean up abandoned sites to reduce attack surface |
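
The following is an added example, not part of the original lesson: a SharePoint Online Management Shell script that applies Restricted Site Access and a block download policy to one site and then reads the settings back to confirm they took effect. The admin URL, site URL, and group ID are constructed placeholders, and the site is assumed not to be Microsoft 365 group-connected (so the allowed groups are added explicitly).

```powershell
# Added example. All values below are constructed placeholders.
$AdminUrl = 'https://contoso-admin.sharepoint.com'            # placeholder tenant admin URL
$SiteUrl  = 'https://contoso.sharepoint.com/sites/research'   # placeholder sensitive site
[guid[]]$AllowedGroups = '00000000-0000-0000-0000-000000000000'  # placeholder Entra security group object ID

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# 1. Tenant switch: Restricted Site Access must be enabled org-wide before any
#    site can use it. Setting it again when already on is harmless.
Set-SPOTenant -EnableRestrictedAccessControl $true

# 2. Site fence: turn on restricted access, then name the only groups allowed in.
#    Users outside these groups are denied even if they hold direct or inherited
#    permissions on the site.
Set-SPOSite -Identity $SiteUrl -RestrictedAccessControl $true
Set-SPOSite -Identity $SiteUrl -AddRestrictedAccessControlGroups $AllowedGroups

# 3. Block download: files stay viewable in the browser but cannot be
#    downloaded from this site.
Set-SPOSite -Identity $SiteUrl -BlockDownloadPolicy $true

# 4. Read back and check for drift: the fence is only useful if it is on
#    and lists exactly the groups you intended.
$site    = Get-SPOSite -Identity $SiteUrl
$current = @($site.RestrictedAccessControlGroups | ForEach-Object { [guid]$_ })
$missing = $AllowedGroups | Where-Object { $_ -notin $current }
$extra   = $current       | Where-Object { $_ -notin $AllowedGroups }

if (-not $site.RestrictedAccessControl) {
    Write-Warning "Restricted access control is NOT enabled on $SiteUrl"
}
if ($missing) { Write-Warning "Expected groups not applied: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Unexpected groups allowed:   $($extra -join ', ')" }

$site | Select-Object Url, RestrictedAccessControl, RestrictedAccessControlGroups
```

The read-back in step 4 can be run on its own as a periodic audit of sites that are supposed to be fenced.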

āš ļø Exam Trap: SharePoint Advanced Management is a licensed add-on — it's not included in standard Microsoft 365 plans. It requires Microsoft 365 E5 or as a separate add-on. Not every organization has it.

Reflection Question: Your legal team has a SharePoint site containing ongoing litigation documents. You want to ensure that only the legal team can access this site, even though the site was originally created under a broader permission structure. Which SAM feature is most appropriate?

Written by Alvin Varughese
Founder • 15 professional certifications