Microsoft 365 Governance: Keep Your Tenant Healthy
As your Microsoft 365 environment grows — more sites, more teams, more users, more content — it gets harder to keep track of who has access to what, which sites are still active, and whether your sharing settings still make sense. That’s where Microsoft 365 governance comes in, and the good news is there are some really solid tools to help you stay on top of it. 😊
On Power Hour, we did a full deep dive into Microsoft 365 governance — what it is, what you can do out-of-the-box, what Microsoft’s premium add-on brings to the table, and where a dedicated tool like ShareGate Protect fits in. Let’s walk through it, and the video is at the end.
🧱 What Is Microsoft 365 Governance, Anyway?
Governance is basically the answer to three questions:
- Who has access to your content?
- How is your content growing, and who’s responsible for it?
- What’s being shared — and with whom?
Here’s my favorite way to put it: Microsoft 365 governance is making sure your tenant stays organized and intentional as it grows — so you always know who owns what, who has access to what, and whether content is still relevant and appropriately shared. Think of it as keeping a tidy, well-managed digital workplace instead of a sprawling one that nobody fully understands anymore.
The four pillars of Microsoft 365 governance are access (who can see what), ownership (who’s accountable for each site or team), activity (is this content still being used?), and external sharing (are people outside your company able to get in?). The goal isn’t just to generate reports — it’s to actually act on what you find.

🔍 Microsoft 365 Governance: What You Can Do Out-of-the-Box
Let’s start with what Microsoft gives you for free as part of your Microsoft 365 subscription, because there’s actually more than most people realize. Here are a couple of common places you can look.
As a site owner, you can go to your SharePoint site, click the gear icon, and open the Site Usage report. It shows you popular content, viewer counts, and — importantly — whether anyone shared content on your site with external users. You can also manually review permissions on your site to see who has access to what.

As a SharePoint admin, you can go to the SharePoint Admin Center and view all your active sites. You can sort by size, filter by site type, and check the last activity date to find sites that have gone quiet. There are also some built-in reports that show you basic activity across your tenant.

It’s a solid starting point! That said, out-of-the-box SharePoint governance is better at surfacing information than acting on it. For larger tenants and/or more visibility, you’ll want more firepower — and that’s exactly where the next two tiers come in.
⚙️ SharePoint Advanced Management (SAM)
If you have a Microsoft 365 Copilot license, here’s something you might not know: SharePoint Advanced Management is already included. You can also purchase it separately as its own license.

SharePoint Advanced Management (SAM) lives inside the SharePoint Admin Center and gives you automated, policy-based governance specifically for SharePoint and OneDrive. It has a list of several features. Policies are my favorite. Here are a couple of policy types I like:
Site Ownership Policy — You can create a policy that checks whether your sites have a minimum number of owners (I’d recommend at least 2), sends email reminders to owners who haven’t been active, and even loops in their manager if the original owner has left the company. If a site remains ownerless after a set period, SharePoint automatically sets it to read-only.
Inactive Site Policy — This one identifies sites that haven’t had any activity in a certain number of months. SAM notifies the site owner to “certify” that the site is still needed. If they don’t respond, it can take action automatically — like setting the site to read-only, or archiving it if you have Microsoft 365 Archive.
Another type of policy is the Site attestation policy. These will identify sites due for attestation of their information,
send notifications to site owners or admins seeking attestation, and automatically archive or mark sites in read-only.
All policies have a simulation mode, which I love. You can run the policy without it actually doing anything, just to see which sites it would flag. That’s a great way to get a realistic picture of your tenant before you commit to anything.
SAM is a solid governance tool if you’re focused on SharePoint and OneDrive. But if you need visibility across your whole tenant, this is where things get really interesting.
🚀 Where Native Microsoft 365 Governance Stops (and ShareGate Starts)
Microsoft 365 is made up of a lot of different products, and each one has its own admin center — SharePoint, Teams, Purview, Exchange, and more. Each has its own reports, its own settings, its own way of doing things. To build a complete picture of your tenant’s governance health, you’d need to navigate all of them and pull the information together yourself.
That’s where a dedicated governance tool really shines.
This episode of Power Hour was sponsored by ShareGate. I’ve been exploring ShareGate Protect, which is a governance product designed for your whole Microsoft 365 tenant — not just SharePoint. Instead of bouncing between admin centers, you get one unified place to see everything and actually take action on it.
🛡️ What ShareGate Protect Does Differently
One Unified Dashboard
ShareGate Protect gives you a single place to see the health of your SharePoint sites, OneDrive, Teams, and Microsoft 365 Groups — all in one interface with consistent filtering and reporting across all of them.

The filtering capabilities are really impressive. Want to find all sites that have broken permissions inheritance and fewer than two owners and haven’t had activity in 90 days? You can stack those filters in seconds. That kind of cross-referenced view just isn’t possible out-of-box. In the video below, you’ll see my demo of trying various filters, and in this screenshot, you can see the columns available to view, as you are sorting and filtering your list of sites.

Policies That Actually Take Action
ShareGate’s policies go further than SAM’s — for example, you can create a policy that automatically removes sharing links when certain conditions are met, like a site being shared with “Anyone” (anonymous access) and carrying a sensitive content label. Set it once and it runs continuously in the background, keeping things clean without manual effort. As you can see, there are different ways to get started with policies. Choose SharePoint sites, Microsoft 365 groups, OneDrives, or Sharing Links.
You’ll see that the options are to archive or delete, and keep in mind that you’ll only be able to archive if you have purchased “Microsoft 365 Archive” separate Microsoft product. This works the same in SAM, it won’t let you archive items via policy if you don’t own the archive product.

In this example below, I’m creating a new Microsoft 365 Group policy, and as you can see, this interface allows you to select one or more filters. I’ve selected groups that have less than 2 owners and more than 3 MB worth of data.

AI-Powered Reports
This one genuinely impressed me. Instead of building a report by clicking through filters, you can just type a plain-English prompt: “Show me SharePoint sites with only one owner, broken inheritance, and no activity in the last 90 days.” ShareGate’s AI generates the report instantly — and you can save it so you don’t have to run the prompt again next time.

Bulk Actions, Not Just Reports
Once you find the sites you want to address, you can take action on them in bulk — archive a workspace, remove sharing links, clean up orphaned resources — all built in. That’s the real value here: governance that moves from insight to action in the same tool.
You can check it out and start a free trial at sharegate.com. They also have an MCP integration that lets you run governance actions directly from AI tools using natural language — that’s a whole other Power Hour waiting to happen. 😄
ShareGate MCP
MCP stands for Model Context Protocol, and it’s basically a standard way for AI tools (like Claude or Copilot) to securely connect to outside apps and data. Instead of every company building its own custom integration, MCP gives them a common “language” to plug into. Since ShareGate has an MCP integration, it means you can ask an AI assistant to pull governance reports or run cleanup actions for you directly through natural conversation — no separate dashboard required. Check out ShareGate MCP today!
This is so cool!! I connected to the ShareGate MCP and gave it this prompt. Then, it created a PowerPoint file, which I converted to a PDF (shown below).
“Look at my ShareGate environment and create a PowerPoint presentation that I can show to the executives about actions that need to be taken in our tenant immediately, and the risks. Include beautiful dashboards.”
💡 Governance and Copilot: Why They Go Hand in Hand
If your organization is rolling out Microsoft 365 Copilot, governance becomes even more valuable. Copilot uses your SharePoint content as part of its knowledge base, searching across all the sites a person has permission to access to answer their questions. When your permissions are accurate and your sharing settings are intentional, Copilot works exactly the way you want it to — surfacing the right content for the right people. Think of good governance as the foundation that makes Copilot trustworthy and effective. The cleaner and more organized your tenant, the better your Copilot results will be.
🧭 Your Microsoft 365 Governance Roadmap
Here are my recommendations to getting started with governance in your tenant. If you aren’t an admin, this is something you can ask your admin about:

The great thing about Microsoft 365 governance is that you don’t have to tackle everything at once. Start where you are, use the tools you already have, and build from there. 😊 Here is the associated video. It’s got full demos of everything I’ve discussed in this post.
Want to go deeper on any of these topics? I have full courses on SharePoint, Teams, Power Apps, Power Automate, and more over at iwmentor.com. And Power Hour happens every Wednesday at 11am Central — sign up for the newsletter to vote on next week’s topic!
What does your Microsoft 365 governance setup look like right now? Are you using any policies or tools to keep things organized? Drop a comment below — I’d love to hear! 👇
FAQ
Governance is managing who has access to your content, who owns it, whether it’s still active. This also entails how it’s shared, so that your tenant stays organized instead of sprawling out of control.
Some basic functionality is included free with Microsoft 365. But, for automated, policy-based governance, you’ll want SharePoint Advanced Management (included with Copilot licenses, or available as an add-on) or a third-party tool like ShareGate Protect for tenant-wide coverage.
Yes, both with SAM and with ShareGate Protect, you’ll need to purchase Microsoft 365 Archive in order to do an archive action as part of a policy.
SAM handles policy-based governance for SharePoint and OneDrive only. ShareGate Protect covers your whole tenant — SharePoint, OneDrive, Teams, and Groups — with more advanced filtering, AI-powered reports, and bulk remediation.
Copilot searches every site a person already has access to when answering questions. Accurate permissions and sharing settings are what make sure it surfaces the right content to the right people.