1. SharePoint Hierarchy & Architecture

Modern SharePoint is built on a flat architecture designed for cloud scalability and governance, moving away from the legacy subsite model in favor of independent site collections.

  • Tenant Boundary: The global container for the organization’s entire SharePoint and OneDrive service.
  • Hub Sites: The logical “connective tissue” used to group related site collections (e.g., “HR” or “Projects”) to provide shared navigation, branding, and a unified search scope.
  • Site Collections (The Administrative Unit): These are the primary units of governance. Each collection is an independent boundary for permissions and features, categorized into two primary types:
    • Team Sites: Group-connected sites backed by an M365 Group, designed for active internal collaboration with a shared mailbox and Teams integration.
    • Communication Sites: Non-group-connected sites intended for broad broadcasting, such as an Intranet homepage or company news.
  • Resource Management: Storage is allocated at the tenant level. Administrators should configure individual site quotas so that no single site collection can exhaust the tenant’s total allocation.
  • Document Libraries: Containers within a site for storing files that can be configured with unique metadata, versioning, and sensitivity labels.
  • Folders & Files: Individual items stored within libraries. Item-level permissions are possible but discouraged due to administrative overhead.

2. Permissions & Access Control

Governing access requires a balance between external collaboration needs and internal security guardrails.

  • Modern vs. Legacy Permissions:
    • M365 Group-Based: Modern Team sites rely on the underlying M365 Group (Owners/Members) for access management.
    • SharePoint Groups: Use of legacy groups (Visitors/Members/Owners) should be avoided on group-connected sites unless highly granular access is required outside of the standard group membership.
  • External Sharing Hierarchy: The tenant-level sharing setting acts as a “ceiling” that site-level settings cannot exceed.
    • Hierarchy: Anyone (Anonymous) > New and Existing Guests > Existing Guests > Only People in Your Organization.
  • Collaboration Policies:
    • Access Expiration: Organizations should enforce tenant-level policies (e.g., 90 days) requiring periodic renewal of guest access to maintain a “Zero Trust” posture.
    • Access Requests: Ensure request routing is configured to notify active site owners rather than orphaned or service accounts.
  • Inheritance Management: Breaking inheritance at the folder or file level is discouraged at scale. If a specific sub-folder requires unique permissions, it typically warrants its own Document Library or Site Collection to reduce administrative debt.

3. Site Lifecycle & Sprawl Management

Effective governance prevents “site sprawl” by managing the beginning and end of a site’s usefulness.

  • Provisioning Control: Restrict self-service site creation to a specific security group and implement a “Request a Site” workflow via Power Automate to ensure every site has a defined owner and purpose.
  • Inactive Site Policies: Automated policies in the SharePoint Admin Center identify sites with no activity (visits or file edits) over a set period. The system automatically prompts owners to confirm if the site is still required, otherwise marking it for deletion or archiving.
  • M365 Group Expiration: For Team sites, enforce group-based expiration policies in Entra ID (e.g., 365 days). Owners must renew the group, or the entire collaboration unit—including the SharePoint site—is deleted.
  • Site Archiving: Use Microsoft 365 Archive to move inactive site collections into “cold storage”. This reduces the tenant’s active storage footprint and removes the site from user search while keeping the data accessible for compliance.
  • Site Classification: Apply custom metadata or properties to sites (e.g., Department, Project End Date) to enable advanced auditing and automated lifecycle reporting.

4. OneDrive for Business (Enterprise Management)

OneDrive serves as the personal document repository for users, governed by the same underlying SharePoint engine but managed for individual productivity.

  • Known Folder Move (KFM): A critical deployment step using Intune or Group Policy to redirect Desktop, Documents, and Pictures to OneDrive for seamless device backup.
  • Sync Client Health: Common troubleshooting involves resolving path-length limits (256/400 characters), invalid characters in file or folder names, or file locks. Admins can track organization-wide sync health via the SharePoint admin center.
  • Account Lifecycle: When an account is deleted, a 30-day retention period begins by default. The user’s manager is automatically granted access to salvage business-critical data before final deletion.

5. Essential PowerShell Cmdlets (PnP PowerShell)

PnP PowerShell is the industry standard for SharePoint management, offering more robust automation than the native management shell.

  • Connection: Connect-PnPOnline -Url https://tenant-admin.sharepoint.com -Interactive
  • Site Management:
    • Get-PnPTenantSite (Lists all collections)
    • Set-PnPTenantSite -Url "https://tenant.sharepoint.com/sites/Site" -SharingCapability ExistingExternalUserSharingOnly
  • Permissions:
    • Get-PnPGroup
    • Add-PnPUserToGroup -LoginName "user@domain.com" -Identity "Site Owners"
  • OneDrive Management:
    • Request-SPOPersonalSite -UserEmails user@domain.com (Pre-provisions a user site before their first login)
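An added audit script (not part of the original notes) that combines the cmdlets above to check two of the governance rules from earlier sections: whether any site's sharing level sits above the tenant "ceiling" from section 2, and which sites have had no content changes within the inactivity window from section 3. The admin URL, the 180-day window, the CSV path and the note that newer PnP versions also require an app registration (-ClientId) are assumptions; the script is read-only and leaves remediation to Set-PnPTenantSite.

```powershell
# Added example, not from the original notes. Assumes PnP PowerShell is installed and
# that the account holds SharePoint Administrator rights. Newer PnP releases also need
# -ClientId for an app registration (assumption; not covered by the notes above).
param(
    [string]$AdminUrl     = "https://tenant-admin.sharepoint.com",  # placeholder tenant
    [int]   $InactiveDays = 180,                                    # assumed window
    [string]$ReportPath   = ".\sharepoint-governance-audit.csv"
)

Connect-PnPOnline -Url $AdminUrl -Interactive

# Rank sharing levels from most restrictive to most permissive, mirroring the
# hierarchy in section 2, so each site can be compared against the tenant ceiling.
$sharingRank = @{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing guests
    'ExternalUserSharingOnly'         = 2   # New and existing guests
    'ExternalUserAndGuestSharing'     = 3   # Anyone (anonymous links)
}

$tenantLevel = (Get-PnPTenant).SharingCapability.ToString()
$cutoff      = (Get-Date).AddDays(-$InactiveDays)

$findings = foreach ($site in Get-PnPTenantSite) {
    $siteLevel = $site.SharingCapability.ToString()
    $issues    = @()

    # A site cannot share more broadly than the tenant; a configured level above the
    # ceiling signals drift (or a ceiling that was tightened after the site was set).
    if ($sharingRank[$siteLevel] -gt $sharingRank[$tenantLevel]) { $issues += 'SharingAboveTenantCeiling' }
    if ($siteLevel -eq 'ExternalUserAndGuestSharing')            { $issues += 'AnonymousLinksEnabled' }

    # Sprawl check (section 3): no content modification inside the inactivity window.
    if ($site.LastContentModifiedDate -lt $cutoff) { $issues += "InactiveOver${InactiveDays}Days" }

    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            Url               = $site.Url
            Template          = $site.Template   # GROUP#0 = team site, SITEPAGEPUBLISHING#0 = communication site
            Owner             = $site.Owner
            SharingCapability = $siteLevel
            LastModified      = $site.LastContentModifiedDate
            Issues            = ($issues -join ';')
        }
    }
}

$findings | Sort-Object Url | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($findings).Count) site(s) flagged; report written to $ReportPath"
```

Sites flagged as SharingAboveTenantCeiling are already capped by the tenant setting at runtime; the value is worth correcting so the site-level configuration stops masking the effective policy.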