
SharePoint Admin Agent: detecting oversharing and managing tenant governance with natural language

By Zarioh Digital Solutions · 6 min read

The SharePoint Admin Agent translates natural-language instructions into concrete governance actions: permissions analysis, oversharing detection, inactive sites, and storage trends. What the three skills do, which licence you need, and where to start this month.

The average Microsoft 365 tenant contains hundreds to thousands of SharePoint sites. Sites created for a project that finished long ago. Sites whose owner has left without anyone recording the departure. Sites where 'Everyone except external users' still has read access to sensitive contracts. For years, keeping track of permissions and detecting oversharing has meant PowerShell scripts that ran for hours and generated reports nobody read.

The SharePoint Admin Agent changes that fundamentally. Available through the SharePoint Admin Center, it uses SharePoint Advanced Management to convert natural-language instructions into concrete governance actions. No script knowledge required, no hours of waiting. And destructive actions such as deleting sites or revoking permissions are never carried out autonomously — every recommendation requires explicit confirmation from the administrator.

From PowerShell script marathons to conversational management

Traditional SharePoint administration always started with reports. An administrator had to know which PowerShell commands were available, set the right parameters, and interpret the result in a CSV file with a thousand rows. For a tenant with five hundred sites, a permissions audit easily consumed a full working day.

The Admin Agent works differently. You type a question, the agent analyses the tenant's SharePoint and OneDrive data, and returns a summary with recommended actions. A question like 'which sites are broadly accessible to everyone in the organisation but contain files labelled Confidential?' returns a filtered list within seconds, including advice to enable Restricted Access Control for those sites.

The agent builds on a six-layer governance approach Microsoft has developed: Assess, Structure, Lifecycle, Oversharing, Access, and Resiliency. Those six steps give IT teams a roadmap from 'don't know where to start' to a tenant ready for AI-driven workflows. The agent helps at each of those steps by surfacing insights and initiating actions from a single conversational window.

Skill 1 — Detecting oversharing with permissions analysis

The Permissions skill is the core of the SharePoint Admin Agent. It maps which sites and libraries have permissions broader than the sensitivity label of their content justifies. Concretely: a library with documents labelled Internal that is accessible to everyone in the tenant, including people outside the original project team.

The agent combines data from Data Access Governance reports, sensitivity labels from Microsoft Purview, and the permission structure of the site. The result is a prioritised list of risks with direct action options: starting a Site Access Review where site owners review permissions themselves, enabling Restricted Access Control to limit access to specific Entra ID groups, or activating Restricted Content Discovery so sensitive sites surface less frequently in Copilot search results.

For organisations deploying Copilot for Microsoft 365, this is particularly relevant. Copilot indexes content the user has permissions to, even if that user never actively searched for it. A SharePoint structure with wide permissions therefore leads to Copilot responses based on data that should fall outside the user's scope. Remediating permissions via the Admin Agent is not a purely administrative task, but a direct step towards responsible AI deployment.
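The oversharing rule described in this section (an audience broader than the content's sensitivity label justifies) can be sketched as triage over a permissions export. This is an added example, not Microsoft's or the author's code; the CSV columns, label names, tolerance policy, scoring weights and action mapping are all assumptions chosen for illustration.

```python
import csv
import io

# Constructed sample export. Column names and label names are assumptions.
SAMPLE_REPORT = """\
site_url,audience,highest_label,owner_active
https://contoso.example/sites/contracts,Everyone except external users,Confidential,no
https://contoso.example/sites/hr-intake,Everyone except external users,Internal,yes
https://contoso.example/sites/lunch-menu,Everyone except external users,Public,yes
https://contoso.example/sites/board,Board Members,Highly Confidential,yes
https://contoso.example/sites/pitch-2019,Anyone with the link,Internal,no
"""

LABEL_RANK = {"Public": 0, "Internal": 1, "Confidential": 2, "Highly Confidential": 3}
# Audience breadth: 0 = scoped group (default), 1 = whole tenant, 2 = anonymous link.
BREADTH = {"Everyone": 1, "Everyone except external users": 1, "Anyone with the link": 2}


def tolerated_breadth(rank):
    # Assumed policy: only Public content may be broader than a scoped group.
    return 2 if rank == 0 else 0


def find_oversharing(report_csv):
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        # Unknown or missing labels fail closed: treat them as the most sensitive.
        rank = LABEL_RANK.get(row["highest_label"].strip(), max(LABEL_RANK.values()))
        breadth = BREADTH.get(row["audience"].strip(), 0)
        if breadth <= tolerated_breadth(rank):
            continue
        ownerless = row["owner_active"].strip().lower() != "yes"
        findings.append({
            "site": row["site_url"],
            "score": rank * 10 + breadth * 5 + (5 if ownerless else 0),
            # A Site Access Review needs an owner to answer it; otherwise restrict first.
            "action": "Restricted Access Control" if ownerless else "Site Access Review",
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in find_oversharing(SAMPLE_REPORT):
        print(f'{f["score"]:>3}  {f["site"]}  ->  {f["action"]}')
```

On the sample data, the tenant-wide Public site and the tightly scoped board site are not flagged; the ownerless Confidential site ranks first.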

Skill 2 — Site lifecycle: cleaning up inactive and ownerless sites

Every tenant has them: sites created for a pitch that never went through, channel teams left over from a department that merged, or project sites whose last activity was a year ago. Those sites are not only a storage issue — they also represent a governance risk because their permissions are rarely reviewed.

The Lifecycle skill detects inactive sites based on activity data and flags sites without an active owner. That was already available as a policy option in SharePoint Advanced Management, but the agent adds context. Instead of an unprocessed list of five hundred inactive sites, it returns filtered sets with exportable reports: which are the most risky, which contain the most content, which have external participants.

From that view you can directly start an attestation flow where site owners (or their managers, if the owner has left) confirm whether the site is still needed. Sites that are not confirmed can be automatically archived or transferred to a new owner. For IT teams that have struggled for years with a site catalogue growing unchecked, this is the most concretely usable part of the Admin Agent.

SharePoint storage has long been an undermonitored area of management. Organisations bought extra capacity once the limit was in sight, without understanding where the growth was coming from. The Storage skill brings Copilot-powered insight to that: tenant and site storage trends, sites with unusually rapid growth, and libraries whose large version histories needlessly consume storage quota.

Recommended cleanup actions can be started directly from the conversational interface: setting version history limits, identifying inactive libraries, and activating a cleanup policy. That is relevant now that Microsoft charges separately for SharePoint storage above the standard quota. The Admin Agent's storage insights help control those costs without manually digging through site collections.

In the second half of 2026, Microsoft is expanding the Storage skill with deeper anomaly detection and notifications on unexpected peak growth, and with cross-skill queries that link storage data to permissions and lifecycle insights. That will make it possible to ask in one query: 'which sites are growing fast, have broad permissions, and have no active owner?'

Licensing requirements and availability

The SharePoint Admin Agent is part of SharePoint Advanced Management (SAM), an add-on available on top of Microsoft 365 Business, E3, and E5. The cost is approximately three dollars per user per month, and the licence must cover the entire tenant — not just administrators. For an organisation with a hundred employees, that means a monthly addition of around three hundred dollars to existing licence costs.

To use the Admin Agent, the administrator needs the SharePoint Advanced Management Administrator role in Microsoft Entra ID. The agent is accessible via the SharePoint Admin Center and operates within the existing security and compliance controls of the Microsoft 365 environment.

For teams already investing in Copilot for Microsoft 365, SAM is arguably a complementary investment that makes Copilot adoption safer: the permissions and oversharing risks the Admin Agent detects are exactly the risks that would otherwise surface through Copilot search results at a moment when an employee is not expecting it.

What should you do this month?

Three concrete steps to start with now. First, activate the Data Access Governance report in the SharePoint Admin Center. This report gives a first impression of which sites are broadly accessible and is available without the full SAM add-on. It takes less than an hour to activate and immediately shows the risk profiles in your tenant.

Second, check whether SharePoint Advanced Management is already part of your current licence. Some Microsoft 365 E3 environments have limited SAM functionality included. Verify through the Microsoft 365 Admin Center which add-ons are active — you may already be paying for functionality you are not yet using.

Third, set a governance priority using the six steps Microsoft outlines. Identify where the greatest risks lie in your specific tenant: a large number of inactive sites, demonstrable oversharing, or storage growth that no longer matches organisational growth. Start with that category, measure the result, and then expand.

Want support setting up SharePoint governance, assessing oversharing risks, or activating the Admin Agent in your environment? Zarioh helps IT teams and directors translate Microsoft technology into practical implementation. Contact us for a no-obligation conversation.

Zarioh Digital Solutions

IT specialists from Utrecht, the Netherlands. We help businesses with Microsoft 365, AI agents, hosting and telephony — and share what we learn in practice.
