Microsoft SharePoint: The Best Practice Guide to SharePoint Administration

SharePoint is a collaboration platform for businesses that can be operated on-premise or through Microsoft 365. SharePoint allows organizations to host and provide access to content. It supports use cases like sharing documents with others, organizing and managing projects or setting up internal wikis and intranets. Behind the scenes, SharePoint also serves as the document library and file sharing platform for Microsoft Teams and is closely connected to the cloud storage service OneDrive.

SharePoint is a flexible and highly customizable platform that supports a variety of use cases. Organizations can structure SharePoint in a way that best enables them to achieve their specific goals. To use SharePoint successfully, however, it’s important to understand the basic building blocks that make up the platform.

SharePoint is divided into:

SharePoint was initially developed as an on-premise application, but since the launch of Office 365 in 2011, it is also an important part of the Microsoft Cloud. Businesses can choose between the two versions: SharePoint Server or SharePoint Online.

The main difference between SharePoint Server and SharePoint Online is the fact that an enterprise running SharePoint Server needs to manage their own infrastructure, whereas SharePoint Online is managed by Microsoft. As a result, SharePoint Server offers businesses slightly more control, but at the price of setting up, patching and maintaining their own servers. Nowadays, SharePoint Online is the far more popular option. Because of Microsoft’s cloud first strategy, SharePoint Online also often receives new features first.

While SharePoint exists as its own app in Microsoft 365, it also serves as the backend for many other cloud services. For example, teams and channels in Microsoft Teams are created as SharePoint sites and subsites in the background. Uploading and sharing files through Teams channels relies on SharePoint, while files shared in chats are stored in the user’s OneDrive.

By default, each new SharePoint site comes with three groups that users can be added to:

Additionally, Microsoft 365 includes the SharePoint admin role, which allows members to edit any SharePoint site as well as global settings. If organizations need to provide users with different levels of access, they can create custom SharePoint groups and assign them different permissions and permission levels.

Permission Level	Details
View Only	Allows users to view pages, objects and files on a site, but prevents downloading of documents that can be rendered in the browser.
Restricted Read (Communication Site Only)	Provides read access to pages and documents, but not their version history or sharing settings.
Manage Hierarchy (Communication Site Only)	Allows users to create sites and edit pages, list items and documents.
Approve (Communication Site Only)	Users can approve sites, list items and documents.
Limited Access	Enables users to navigate to an object that has been shared with them. Assigned automatically when accounts are given access to a specific item on a site.
Limited Access (Web Only)	Like Limited Access, but only allows access to the web object.
Read	Allows users to view pages and documents, including downloading files. The default setting for the Site Visitor group.
Contribute	Users can view, add, edit or delete items, but not create new lists or libraries.
Edit	Users can view, add, edit and delete lists, list items and documents. The default setting for the Site Members group.
Design	Enables users to create lists and libraries as well as apply designs, templates and style sheets.
Full Control	Allows users to view, add, edit and delete content, add or remove users and groups as well as edit site settings. The default setting for the Site Owner group.

Perhaps the biggest challenge in managing SharePoint permissions is the fact that any explicit permission on an object automatically breaks inheritance. When this happens, SharePoint maintains all current permissions the object inherits by turning them into explicit permissions as well. So users keep their current level of access, but the object no longer inherits new permissions.

Example: Your HR department has a team website which includes all members of the HR group. To plan the holiday party, the site owner creates a project folder and shares it with people outside the site – permission inheritance is now broken. Members of the HR group continue to have access, but if an admin were to add a new user to the site, they would not inherit access to that folder.

Admins are faced with two problems when it comes to permission inheritance in SharePoint: First, it’s easy to miss – especially when explicit permissions are set on deep levels of the file/folder structure. Second, it’s easy to make mistakes because SharePoint permissions behave differently than admins are used to from share permissions and NTFS permissions on the file server.

On file servers, you can add a group to a specific folder and still rely on inheritance to propagate permissions to its child objects. But in SharePoint admins need to think carefully about when and if to use explicite permissions to avoid creating problems in the future.

To use SharePoint safely and effectively, there are a few important points that admins need to pay attention to – from the proper information architecture to using the right security settings and tips for efficient administration. We’ve collected some of the most important best practices for SharePoint in this list.

In the early days of SharePoint, organizations modeled their SharePoints after the hierarchical structure of their file servers, with many layers of nested sites and objects. However, this approach has since fallen out of favor and it has become normal to use a flat hierarchy for SharePoint’s information architecture. What this means is that in almost all cases, it’s better to create a new site instead of adding a subsite to an existing one.

Sticking to a flat structure has multiple advantages: On the one hand, avoiding nested sites and folders helps admins dodge the problem of broken permission inheritance. Creating separate sites also makes it easier to delete sites when they are no longer needed, without first checking which subsites are attached to it. Lastly, if you use too many levels in SharePoint, the character limit on a file’s path can lead to problems with file names.

To bring structure to your SharePoint without the use of subsites, organizations should use hubs to group sites together. For example, you could create one hub site for each department and add separate sites for different teams and projects. This way, you can use shared navigation and document search across the hub. Another advantage of hubs is that sites can easily be attached to a different hub if the need arises. Sites that are attached to a hub still remain separate and do not inherit permissions from the hub site.

Whether users should be allowed to create new sites depends on how your organization uses SharePoint. But you should definitely stop users from creating subsites to preserve the flat hierarchy you have created. You can find this setting in the SharePoint admin center under site creation and the classic settings page. More on managing site creation.

To make SharePoint easier to navigate, organizations can add different kinds of metadata to documents. Site owners can either choose specific types of data to add as a column in a list or libarary or allow users to add their own tags to a document using enterprise keywords. The metadata used in your organization can be accessed through SharePoint’s term store.

Using metadata effectively requires some thought and preparation, but tagging documents is a great way to help users keep track of their purpose, contents and current status. More on the use of metadata.

A consistent approach to naming sites, pages and documents makes it a lot easier to browse and administer SharePoint – especially in large organizations with multiple admins. To make sure that everyone is on the same page when it comes to naming conventions, it’s important to educate site owners and users on this topic and make the proper naming scheme easily accessible for reference.

As with any other part of the your IT infrastructure, access to sensitive data in SharePoint must be restricted to only those users who genuinely need it. Following the principle of least privilege helps organizations prevent cyberattacks, leaks and data theft.

In order to enforce least privilege access, admins must assign users to the right sites and SharePoint groups, make sure that permissions on every list, folder and library are configured correctly and regularly audit internal and external access through user access reviews.

Microsoft 365 comes with a broad set of security features: To protect SharePoint Online and other apps in the Microsoft Cloud, it’s important for admins to enable and configure the included security features according to their specific needs and requirements.

Some features that organizations should definitely make use of are multi-factor authentication and conditional access in Azure AD, blocking legacy authentication and setting an automatic sign-out for idle sessions. You can find these last two settings in the SharePoint admin center under the tab access control.

Sharing access to documents is one of the main purposes of SharePoint – both within organizations and with external accounts. To prevent the wrong persons from gaining or retaining access to sensitive information, SharePoint offers a few tools to help you restrict file sharing.

For example, admins can disable Anyone links to prevent anonymous sharing. You can also disable sharing for certain domains, only enable it for specific groups or add an expiration date for guest access. More on how to manage sharing settings in SharePoint.

Automatic syncing of local files to SharePoint or OneDrive can lead to users accidentally uploading confidential or very large files that do not belong in the cloud. In addition, ransomware often exploits automatic syncing to access cloud storage and backups.

To prevent accidental or malicious uploads, you can disable automatic synchronization for certain file types. This setting is available in the SharePoint admin center under OneDrive Sync. Here, you can enter the file endings you want to block from being synced. You can set even more detailed rules through the group policy object slash Intune template EnableODIgnoreListFromGPO, which allows you to block files if their name contains certain words like budget, salaries or employee data.

Logging and auditing events plays a crucial role in fixing problems and identifying potential attacks. In SharePoint Server, site audits need to be manually configured. In SharePoint Online, they are enabled by default as part of Microsoft 365’s unified audit log, which can be found in the compliance center a.k.a. Microsoft Purview. Unfortunately, events are only logged for 90 days by default. A longer retention period requires the Microsoft 365 E5 license. More information on premium audits.

Since Microsoft 365 tracks a huge number of different events, it’s no easy task to pick out relevant information through filters and searches. This is another area where third-party tools can be a big help in keeping track of important events and responding to them quickly.

Just like on file servers, it’s much more convenient to manage access to SharePoint sites through groups than to add users individually. Instead of adding one account after another, you make a security group with the users you want to give access (“Sales Staff” for example) and add that security group to the site members. By using dynamic groups, you can even ensure that new accounts are automatically assigned to the correct groups, giving them access to the right resources.

Using groups saves time and makes it easier to track access, especially when it comes to making changes and adjustments down the line. Note: It’s important to understand the difference between Azure AD groups like security groups, distribution groups and Microsoft 365 groups on the one hand and SharePoint groups like site owners and site members on the other.

Admins and site owners should avoid setting item level permissions in SharePoint sites as much as possible. Because explicit permissions on individual objects break inheritance and are difficult to keep track of, they make managing permission management in SharePoint extremely tedious and annoying. Ideally, you always want to manage access at the highest level possible, i.e. by creating new sites, libraries or folders to address specific needs.

Retention policies allow you to ensure that data stored in SharePoint and other parts of Microsoft 365 is stored as long as necessary and deleted at the right time. This feature enables you to meet legal and compliance requirements regarding record keeping or the deletion of employee data. M365 differentiates between retention policies and retention labels, which are applied at the site vs. document level respectively.

Configuring retention policies takes some time and effort, but is a great way to prevent the accidental deletion of important data and ensure that records are properly stored and saved.

Organizations that want to be extra careful with external sharing can block sharing on all sites and create a dedicated site for external file sharing. By managing outside access through one specific site, admins can more easily keep track of who has access to which document.

Organizations that want to structure and manage their SharePoint following best practices need to invest quite a bit of time. In particular considering that SharePoint is only one part of the Microsoft 365 ecosystem. The easiest, fastest and most accurate way to administer users and permissions in the Microsoft Cloud is through the use of automated tools.

This is especially true for hybrid environments, where automated solutions enable you to manage local and cloud systems through a single application. As one such identity and access management solution, tenfold allows you to manage cloud data and identities through a central, automated platform. But beyond that, it also provides essential new features like clear and detailed permission reporting and the ability to regularly audit privileges through user access reviews.

Managing accounts in your own network and the Microsoft Cloud through a single app while keeping track of access to unstructured data on your file servers and in SharePoint? It’s easier than you think! With tenfold, you can automate user and permission management across your entire IT!

The best part? Thanks to out-of-the-box support for most systems and no-code configuration for our wide range of plugins, tenfold can be set up in record time. While other IAM solutions would have you writing scripts and programming custom interfaces for months or years, tenfold is fully operational in just a few weeks. See for yourself and put tenfold to the test with a free trial! We’ll show you just how easy access management can be.