1. Architecture & Site Governance

  • Flat Architecture: Modern SharePoint relies on a “flat” structure using Hub Sites rather than legacy subsites.
    • Hub Sites: Used to logically connect related sites (e.g., all “HR” sites) for shared navigation, branding, and search scope. Sites can only belong to one Hub at a time.
  • Site Types:
    • Team Sites: Backed by an M365 Group (includes shared inbox, calendar, Planner, Teams integration). Best for internal team collaboration.
    • Communication Sites: No M365 Group. Best for broad broadcasting (e.g., Intranet homepage, company-wide news).
  • Storage Management: Manage tenant-level storage limits. Configure site-level storage quotas to prevent single sites from consuming the entire tenant allocation.

2. External Sharing & Collaboration

  • Tenant vs. Site Limits: The tenant-level sharing setting acts as a ceiling. A site-level setting cannot be more permissive than the tenant-level setting.
    • Hierarchy (most to least permissive): Anyone (Anonymous) > New and Existing Guests > Existing Guests > Only People in Your Organization.
  • Entra External ID (B2B collaboration) Integration: Ensure SharePoint and OneDrive integration with Entra External ID (B2B collaboration) is enabled so guests get a seamless authentication experience via Entra ID rather than legacy SharePoint guest accounts.
  • Access Expiration: Configure guest access expiration policies at the tenant level (e.g., guests must be renewed every 90 days).

3. Permissions & Access Control

  • M365 Group Permissions vs. SharePoint Permissions:
    • Team sites rely on the underlying M365 Group (Owners/Members) for primary access.
    • Avoid using legacy SharePoint Groups (Visitors/Members/Owners) on group-connected Team Sites unless specifically required for granular, non-group access.
  • Item-Level Permissions (Broken Inheritance):
    • Discourage breaking inheritance at the folder/file level at scale, as it creates massive administrative overhead and impacts performance.
    • If a sub-folder requires different permissions, it usually warrants a separate Document Library or a separate Site.
  • Access Requests: Ensure the “Access Request” email is routed to active site owners, not an orphaned user account.

4. OneDrive for Business (Enterprise Management)

  • Known Folder Move (KFM): Deployed via Intune/Group Policy to silently redirect Desktop, Documents, and Pictures to OneDrive. Essential for device backup and seamless hardware replacements.
  • Sync Client Troubleshooting:
    • Common issues involve file path limits (256/400 characters), invalid characters, or conflicting file locks.
    • Use the OneDrive admin center (now merged into the SharePoint admin center) to track sync health across the organization.
  • User Offboarding:
    • When an Entra ID account is deleted, the OneDrive retention period begins (default is 30 days, often increased to 93 or 3650 days via retention policies).
    • Manager access: By default, the user’s manager (defined in Entra ID) is granted a link to the OneDrive data to salvage files before deletion.

5. Essential PowerShell Cmdlets (PnP PowerShell)

PnP PowerShell is the industry standard for SharePoint Online management, preferred over the native SharePoint Online Management Shell.

  • Connection: Connect-PnPOnline -Url https://tenant-admin.sharepoint.com -Interactive
  • Site Management:
    • Get-PnPTenantSite (Lists all sites)
    • Set-PnPTenantSite -Url "https://tenant.sharepoint.com/sites/Target" -SharingCapability ExistingExternalUserSharingOnly
  • Permissions:
    • Get-PnPGroup
    • Add-PnPUserToGroup -LoginName "user@domain.com" -Identity "Site Owners"
  • OneDrive Management:
    • Request-SPOPersonalSite -UserEmails user@domain.com (Pre-provisions a OneDrive site before the user logs in for the first time. Note this cmdlet comes from the SharePoint Online Management Shell, not PnP; the PnP equivalent is New-PnPPersonalSite -Email user@domain.com).
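The sharing ceiling from section 2 and the site-management cmdlets from section 5 come together in a tenant-wide sharing audit. The script below is an added example, not part of the original notes or the PnP project; it assumes the PnP.PowerShell module is installed, "tenant" is a placeholder for your tenant name, and the account used can open the tenant admin site.

```powershell
# Added example: audit external-sharing levels across all sites with PnP PowerShell.
# Placeholder tenant name; newer PnP.PowerShell releases also require -ClientId for
# your own Entra app registration.
Connect-PnPOnline -Url "https://tenant-admin.sharepoint.com" -Interactive

# SharingCapability values ranked from least to most permissive, labelled with the
# names the SharePoint admin center shows (the section 2 hierarchy).
$rank = [ordered]@{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing guests
    'ExternalUserSharingOnly'         = 2   # New and existing guests
    'ExternalUserAndGuestSharing'     = 3   # Anyone (anonymous links)
}

# The tenant setting is the ceiling: a site can be configured above it, but it is
# never effectively more open than the tenant allows.
$tenantLevel = (Get-PnPTenant).SharingCapability.ToString()
Write-Host "Tenant ceiling: $tenantLevel"

# Get-PnPTenantSite returns team sites (GROUP#0), communication sites
# (SITEPAGEPUBLISHING#0) and others; OneDrive sites need -IncludeOneDriveSites.
$report = foreach ($site in Get-PnPTenantSite) {
    $siteLevel = $site.SharingCapability.ToString()
    # Effective level is the lower of the site setting and the tenant ceiling.
    $effective = if ($rank[$siteLevel] -le $rank[$tenantLevel]) { $siteLevel } else { $tenantLevel }
    [pscustomobject]@{
        Url       = $site.Url
        Template  = $site.Template
        Site      = $siteLevel
        Effective = $effective
        Anyone    = ($siteLevel -eq 'ExternalUserAndGuestSharing')
    }
}

# First review item: sites configured for Anyone links. Even when the tenant ceiling
# blocks them today, the setting becomes live the moment the ceiling is raised.
$report | Where-Object { $_.Anyone } | Sort-Object Url |
    Format-Table Url, Template, Site, Effective -AutoSize

# Full report for the site owners review; remediation for a single site after review:
# Set-PnPTenantSite -Url "https://tenant.sharepoint.com/sites/Target" -SharingCapability ExistingExternalUserSharingOnly
$report | Export-Csv -Path ".\sharing-audit.csv" -NoTypeInformation
```

Run the audit again after changing the tenant ceiling, since the Effective column is what actually governs guest access at that moment.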