This post is a part of the AB-900: Microsoft 365 Copilot and Agent Administration Fundamentals Exam Prep Hub.
This topic falls under these sections:
Understand data protection and governance tasks for Microsoft 365 and Copilot (35–40%)
   --> Identify and monitor oversharing in SharePoint in Microsoft 365
      --> Understand features and capabilities of SharePoint Advanced Management, including restricted site access

Note that there are 10 practice questions (with answers) at the end of each section to help you solidify your knowledge of the material. Also, there are 4 practice tests with 30 questions each available from the hub's main page below the exam topics section.

---

Introduction

As organizations increasingly rely on Microsoft 365, SharePoint Online, Microsoft Teams, and Microsoft 365 Copilot, protecting organizational data has become more important than ever. While collaboration is essential, unrestricted sharing can expose confidential information to unintended users.

To help organizations better govern SharePoint content, Microsoft offers SharePoint Advanced Management (SAM), a collection of advanced governance, reporting, security, and lifecycle management capabilities designed to improve the security of SharePoint and OneDrive environments.

One of its most important features is Restricted Site Access, which allows administrators to temporarily limit access to specific SharePoint sites that may contain highly sensitive or potentially overshared information.

For the AB-900 exam, you should understand the purpose of SharePoint Advanced Management, its major capabilities, and how Restricted Site Access helps reduce data exposure.

---

What is SharePoint Advanced Management?

SharePoint Advanced Management is a set of administrative capabilities that extends the standard SharePoint Online administration experience.

Its goals include:

• Improving governance
• Reducing oversharing
• Enhancing visibility into permissions
• Strengthening data protection
• Supporting Microsoft 365 Copilot readiness
• Helping organizations adopt Zero Trust security principles

Rather than replacing Microsoft Purview or Microsoft Defender, SharePoint Advanced Management complements these services by focusing specifically on SharePoint and OneDrive administration.

---

Why SharePoint Advanced Management Is Important

Organizations often have:

• Thousands of SharePoint sites
• Millions of documents
• Numerous external users
• Complex permission structures
• Years of accumulated sharing links

As these environments grow, administrators face challenges such as:

• Overshared files
• Forgotten external sharing
• Stale permissions
• Sensitive documents accessible by too many users
• Inactive or abandoned sites

SharePoint Advanced Management provides tools to identify and address these issues before they become security incidents.

---

Key Capabilities of SharePoint Advanced Management

SharePoint Advanced Management includes several capabilities designed to improve governance.

1. Data Access Governance Reporting

Administrators can:

• Identify overshared sites
• Review sharing activity
• Analyze permission configurations
• Discover external access
• Locate high-risk collaboration sites

These reports provide visibility into who can access organizational content.

---

2. Site Lifecycle Management

Organizations frequently create project sites that remain active long after projects end.

SharePoint Advanced Management helps administrators:

• Identify inactive sites
• Review site ownership
• Archive or delete unused sites
• Reduce unnecessary content exposure

Proper lifecycle management reduces security risks while improving overall governance.

---

3. Oversharing Insights

Administrators can identify:

• Sites shared broadly
• Anonymous sharing links
• Guest access
• Sensitive sites with excessive permissions
• Large-scale permission inheritance issues

These insights are particularly valuable before deploying Microsoft 365 Copilot.

---

4. Site Ownership Management

SharePoint sites require responsible owners.

Advanced Management helps administrators identify:

• Sites without owners
• Inactive owners
• Ownership inconsistencies

Proper ownership improves accountability and ensures permissions are reviewed regularly.

---

5. Sharing Governance

Administrators can evaluate:

• External sharing
• Anonymous links
• Organization-wide access
• Sharing policies
• Guest permissions

This helps organizations reduce unnecessary collaboration risks.

---

6. Restricted Site Access

One of the most important SharePoint Advanced Management capabilities is Restricted Site Access.

---

What is Restricted Site Access?

Restricted Site Access allows administrators to temporarily limit access to a SharePoint site.

When enabled:

• Most users lose access to the site.
• Only designated administrators or approved users can access the content.
• Copilot and Microsoft Search continue to respect the updated permissions because they always honor Microsoft 365 security trimming.

This feature is useful when a site contains highly sensitive information or requires investigation.

---

Why Use Restricted Site Access?

Organizations may need to immediately reduce access when:

• Sensitive information has been overshared.
• A security investigation is underway.
• Legal or regulatory reviews are occurring.
• Confidential merger or acquisition documents are stored.
• Human Resources investigations are active.
• Executive leadership documents require additional protection.
• Sensitive intellectual property is being reviewed.

Rather than deleting the site, administrators can quickly restrict access while remediation occurs.

---

How Restricted Site Access Works

The feature temporarily changes access behavior by allowing only explicitly authorized users to access the site.

Typical workflow:

1. Administrator identifies a high-risk site.
2. Restricted Site Access is enabled.
3. Only approved users retain access.
4. Administrators investigate permissions.
5. Oversharing issues are corrected.
6. Normal access is restored when appropriate.

---

Benefits of Restricted Site Access

Organizations gain several advantages:

Rapid Risk Reduction

Potential data exposure is reduced immediately.

Supports Investigations

Investigators can examine permissions without widespread user access.

Improves Governance

Administrators gain time to review sharing settings before reopening access.

Protects Sensitive Information

Highly confidential documents remain accessible only to authorized personnel.

Supports Compliance

Temporary restrictions can assist with legal, regulatory, or internal compliance reviews.

---

Relationship with Microsoft 365 Copilot

Microsoft 365 Copilot respects Microsoft 365 permissions.

If a site becomes restricted:

• Copilot cannot retrieve information from that site for users who no longer have permission.
• Microsoft Search also honors the updated permissions.
• Other Microsoft 365 services continue using the same security model.

Restricted Site Access therefore reduces the likelihood that Copilot will surface sensitive content from that site.

---

Relationship with Microsoft Purview

SharePoint Advanced Management and Microsoft Purview work together.

Microsoft Purview focuses on:

• Data classification
• Sensitivity labels
• Data Loss Prevention (DLP)
• Insider Risk Management
• Data Lifecycle Management
• Compliance

SharePoint Advanced Management focuses on:

• Site governance
• Permissions
• Oversharing
• Site administration
• Access analysis
• Restricted Site Access

Together they provide comprehensive protection for Microsoft 365 data.

---

Relationship with Microsoft Defender

Microsoft Defender identifies threats such as:

• Compromised accounts
• Suspicious user activity
• Malware
• Phishing attacks

If Defender identifies suspicious activity involving a SharePoint site, administrators may choose to enable Restricted Site Access while investigating the incident.

---

Best Practices

Microsoft recommends the following practices:

• Regularly review Data Access Governance reports.
• Minimize broad “Everyone” permissions.
• Review external sharing frequently.
• Assign active site owners.
• Archive inactive sites.
• Apply sensitivity labels to sensitive content.
• Use Restricted Site Access only when necessary.
• Review restricted sites periodically and restore normal access when appropriate.
• Combine SharePoint Advanced Management with Microsoft Purview and Microsoft Defender for layered protection.
• Follow the principle of least privilege.

---

Exam Tips

Remember these key points for the AB-900 exam:

• SharePoint Advanced Management focuses on governance and security for SharePoint and OneDrive.
• It helps identify and remediate oversharing.
• Restricted Site Access temporarily limits access to sensitive SharePoint sites.
• Copilot always respects SharePoint permissions, including restricted sites.
• Restricted Site Access is useful during investigations or when sensitive information has been overshared.
• SharePoint Advanced Management complements Microsoft Purview rather than replacing it.
• Proper site ownership and lifecycle management reduce long-term security risks.

---

Practice Exam Questions

Question 1

Which primary problem does SharePoint Advanced Management help organizations address?

A. Windows operating system updates

B. Oversharing and governance of SharePoint content

C. SQL Server performance tuning

D. Microsoft Teams meeting scheduling

Correct Answer: B

Explanation: SharePoint Advanced Management provides governance tools that help identify oversharing, manage permissions, and improve the security of SharePoint and OneDrive environments.

---

Question 2

What is the purpose of Restricted Site Access?

A. Permanently delete SharePoint sites

B. Encrypt every document within a site

C. Temporarily limit access to a SharePoint site for authorized users only

D. Automatically archive inactive sites

Correct Answer: C

Explanation: Restricted Site Access allows administrators to temporarily restrict access to a site while investigating or protecting sensitive information.

---

Question 3

Why is SharePoint Advanced Management valuable before deploying Microsoft 365 Copilot?

A. It increases Copilot response speed.

B. It upgrades Microsoft Graph.

C. It removes all external users automatically.

D. It helps identify overshared content that Copilot could otherwise access based on existing permissions.

Correct Answer: D

Explanation: Since Copilot honors existing permissions, reducing oversharing before deployment helps minimize the risk of exposing sensitive information.

---

Question 4

Which capability is included in SharePoint Advanced Management?

A. Azure virtual machine backup

B. Microsoft Intune device enrollment

C. Data Access Governance reporting

D. Windows Server patch management

Correct Answer: C

Explanation: Data Access Governance reporting is a core capability that helps administrators analyze permissions and identify overshared content.

---

Question 5

What happens when Restricted Site Access is enabled?

A. Microsoft 365 Copilot ignores the restriction.

B. Only approved users and administrators retain access to the site.

C. All SharePoint sites become read-only.

D. External sharing is permanently disabled across the tenant.

Correct Answer: B

Explanation: Restricted Site Access limits access to authorized users, and Copilot continues to respect those permissions.

---

Question 6

Which Microsoft service primarily complements SharePoint Advanced Management by classifying and protecting sensitive information?

A. Microsoft Purview

B. Microsoft Paint

C. Windows Defender Firewall

D. Microsoft Project

Correct Answer: A

Explanation: Microsoft Purview provides data classification, labeling, DLP, and compliance capabilities that complement SharePoint governance features.

---

Question 7

Which scenario is an appropriate use case for Restricted Site Access?

A. Scheduling recurring Teams meetings

B. Updating Microsoft 365 licenses

C. Protecting a SharePoint site containing confidential merger documents during negotiations

D. Increasing SharePoint storage capacity

Correct Answer: C

Explanation: Restricting access to highly confidential content during sensitive business activities helps reduce the risk of accidental exposure.

---

Question 8

Which governance activity helps reduce long-term security risks in SharePoint?

A. Creating additional anonymous sharing links

B. Allowing all users full control of every site

C. Disabling Microsoft Search

D. Reviewing inactive sites and assigning active site owners

Correct Answer: D

Explanation: Proper site ownership and lifecycle management reduce abandoned sites and improve ongoing governance.

---

Question 9

How does Microsoft 365 Copilot interact with a site that has Restricted Site Access enabled?

A. Copilot bypasses the restriction for administrators only.

B. Copilot ignores SharePoint permissions.

C. Copilot respects the updated permissions and cannot retrieve content for unauthorized users.

D. Copilot copies restricted files into Microsoft Graph.

Correct Answer: C

Explanation: Copilot always honors Microsoft 365 permissions. If a user cannot access a restricted site, Copilot cannot use its content in responses for that user.

---

Question 10

Which statement best describes SharePoint Advanced Management?

A. It replaces Microsoft Purview entirely.

B. It is focused on SharePoint and OneDrive governance, permissions, lifecycle management, and oversharing protection.

C. It functions as an antivirus solution.

D. It manages Microsoft Entra ID authentication policies.

Correct Answer: B

Explanation: SharePoint Advanced Management provides advanced governance capabilities for SharePoint and OneDrive, including oversharing detection, site lifecycle management, permission analysis, and Restricted Site Access.

---

Go to the AB-900 Exam Prep Hub main page