How fast can you respond to a SharePoint production outage?

Support-plan customers get a 15-minute acknowledgement on severity-1 outages through the on-call rotation, with an engineer actively troubleshooting inside 60 minutes twenty-four hours a day. Severity-1 is reserved for tenant-wide inaccessibility, authentication failure, data loss, or search index corruption affecting production business processes. Severity-2 (feature broken for a specific department) is acknowledged inside one business hour. For ad-hoc emergency engagements without an existing contract, an engineer can typically be on a bridge within two hours during US business hours after the engagement agreement is signed. Every incident produces a written root-cause analysis within five business days, including the Microsoft 365 Service Health correlation ID where applicable, change-management entries reviewed, and a hardening recommendation so the same issue does not recur.

What does a tenant-to-tenant SharePoint migration look like?

Tenant-to-tenant migrations run in four phases. Discovery inventories every site collection, OneDrive, Teams, Planner plan, group calendar, and permission assignment, and maps source-to-target identities. Pre-migration remediation fixes unsupported items — external sharing links, orphaned permissions, oversize files, legacy InfoPath forms, and classic workflows — before the first byte moves. Migration executes in waves grouped by business unit, using a combination of ShareGate, Quest On Demand, or native Microsoft cross-tenant tooling depending on scope, content types, and identity model. Cutover runs on a weekend window with delta-sync passes on Friday evening and Sunday morning. Post-migration includes URL mapping for internal links, email communication to end users, guest-access re-invites, and a 30-day hypercare period where an engineer triages every reported issue inside the same day.

How is a SharePoint consulting engagement priced?

Three models fit most organizations. Fixed-fee project pricing works for scoped deliverables — a migration, an intranet rebuild, a branding refresh, or a governance rollout — where requirements can be documented up front. Time-and-materials applies to exploratory work and long-tail enhancements where the backlog changes monthly. Retainer support (priced in hours-per-month tiers from 20 to 200 hours) covers ongoing administration, ticket handling, minor customizations, user training, and emergency response with a guaranteed SLA. Migration scope is typically priced per seat or per gigabyte depending on complexity. Every proposal itemizes what is and is not included, so procurement teams can baseline the quote against competing bids. Microsoft 365 license costs are quoted separately and are not marked up.

Do you support SharePoint Framework (SPFx) custom development?

Yes. SPFx work includes web parts, extensions, field customizers, application customizers, and adaptive card extensions targeting the modern Viva Connections surface. Build pipelines run on Node LTS aligned to the current SPFx generator, with solution packaging, CDN hosting on SharePoint Online or Azure Front Door, and automated deployment through the App Catalog. Every solution ships with accessibility testing (WCAG 2.1 AA), localization hooks, and logging to Application Insights so production issues are traceable. Legacy full-trust or sandbox solutions are refactored onto SPFx using a documented migration pattern rather than a rewrite-from-scratch assumption. Where modern features cannot fully replace a legacy customization, the delta is surfaced early in discovery so stakeholders can decide between a Power Platform alternative, a Graph API solution, or a redesigned business process.

How do you design SharePoint information architecture at scale?

Modern SharePoint is a flat architecture built from hub sites, not nested site collections. Design starts with a persona-driven inventory of content audiences and the tasks they perform, not an org-chart mirror. Hub sites group content by business capability (HR, Finance, Project Delivery, Customer) with a consistent navigation pattern, shared theme, and associated audience targeting. Managed metadata and site columns enforce tagging where taxonomy matters — retention, records, regulated content — while labels in Microsoft Purview drive compliance automation. Search is tuned with promoted results, refiners, and result sources so users find content in fewer clicks. Every site template is published as a site design with a PnP provisioning template, so new sites inherit branding, security, and structure automatically rather than drifting from the standard within three months.

How do you secure SharePoint and enforce Microsoft 365 governance?

Governance is written, published, and enforced by tenant policy — not by tribal knowledge. External sharing is restricted at the tenant and per-site level, with sensitivity labels controlling which sites accept guest access and which block it. Conditional access policies require compliant devices for privileged roles, and risky sign-ins trigger step-up authentication. Microsoft Purview delivers DLP for content in motion, retention labels for records management, and Communication Compliance for regulated industries. SharePoint Advanced Management surfaces oversharing reports, inactive site detection, and restricted-access control for high-value sites. Every tenant gets a written governance charter covering provisioning workflow, naming standards, site lifecycle, backup and restore responsibilities, and the audit cadence. Quarterly governance reviews track policy drift and adjust controls against emerging Microsoft 365 features.

What are the options for migrating from SharePoint on-premises?

SharePoint 2013, 2016, and 2019 all move to SharePoint Online, but the migration path depends on starting version, customization footprint, and data volume. Native Microsoft migration tools cover the majority of document libraries, lists, and permissions. SharePoint Migration Tool handles straightforward farms; the Migration Manager agent model suits large distributed environments. Third-party platforms (ShareGate, Quest, AvePoint) are preferred for complex permission remapping, nested content types, or large metadata hierarchies. InfoPath forms, classic workflows, and full-trust code are evaluated case by case and converted to Power Apps, Power Automate, or SPFx. 2013 workflow is retired from Microsoft 365, so migration plans explicitly schedule workflow replacement. Content older than a retention threshold is archived to Microsoft 365 Archive or Azure Storage rather than moved, reducing target footprint by 20–40 percent on average.

Can you integrate Microsoft 365 Copilot with SharePoint content?

Yes, with governance preceding enablement. Copilot surfaces any content a user can already access through SharePoint, OneDrive, and Teams, so permission hygiene and sensitivity labeling have to be completed before enablement — not afterwards. Integration work covers three tracks. First, SharePoint cleanup: oversharing detection, broken-inheritance remediation, restricted SharePoint search for sites still in flight. Second, content enrichment: sensitivity labels applied at scale, retention policies aligned to record classes, and managed metadata reintroduced for high-value libraries so Copilot has better retrieval signals. Third, operational control: DSPM for AI in Microsoft Purview, Copilot audit log review, and ongoing monitoring of AI-generated activity. Each track produces a before-and-after evidence pack so executive sponsors can see that enablement was controlled, not opportunistic.

What qualifications and experience do your consultants have?

Engineers assigned to client engagements hold current Microsoft 365 certifications (Modern Desktop Administrator, Teams Administrator, Identity and Access Administrator, Security Administrator) plus SharePoint-specific depth — multiple people on the bench have supported SharePoint since the 2007 product cycle. The team includes former Microsoft Most Valuable Professionals, community conference speakers, and active contributors to the PnP community initiative. Every consultant rotates through a quarterly internal lab to rehearse outage scenarios, new Microsoft 365 feature rollouts, and hands-on migration drills. Staffing decisions match the engagement profile: compliance-regulated clients are staffed with engineers who have delivered in that exact vertical before, not generalists. Every project has a named technical lead and a named delivery lead so escalation paths are obvious from day one.

Is the support service offered in multiple languages or time zones?

Support coverage spans US Eastern, US Pacific, UK, and Asia-Pacific time zones through a follow-the-sun rotation for retainer clients on the 24/7 tier. Primary support language is English, with working proficiency in Spanish and French available on a best-effort basis. For clients with strict language requirements, a named engineer can be matched for the duration of the engagement. Ticket submission is available through email, a web portal, and a Teams-integrated bot; severity-1 issues additionally escalate to an on-call phone bridge. All tickets are tracked in a shared ITSM platform with visibility for the client, and monthly service reviews report on SLA attainment, ticket volume trends, and any patterns that justify a proactive hardening project rather than repeated break/fix work.

What is SharePoint Embedded?

SharePoint Embedded is a Microsoft developer platform that lets SaaS vendors and enterprises embed Microsoft 365 content storage inside their own applications. End users interact with the ISV's user interface, not SharePoint, but the content is physically stored in dedicated partitions inside Microsoft 365 tenants, inheriting Microsoft's storage, search, compliance, and retention capabilities.

How is SharePoint Embedded different from regular SharePoint Online?

Regular SharePoint Online is the full collaboration and content management product with sites, pages, and the SharePoint user interface. SharePoint Embedded is a headless storage and content services platform. Users never see SharePoint. ISVs use Microsoft Graph APIs to create containers, upload files, and manage content, while all of the UI is built by the ISV.

Who pays for SharePoint Embedded storage and API usage?

The ISV pays Microsoft on a pay-as-you-go basis through Azure for storage, API calls, and premium features. The ISV can then pass these costs to customers as part of the product pricing, absorb them, or bundle them into tiered subscription plans. The billing relationship is between the ISV and Microsoft, not between the customer and Microsoft for the embedded content.

Does SharePoint Embedded require customers to have Microsoft 365 licenses?

Customers need a Microsoft 365 tenant so the content can physically reside in their tenant, but individual end users of the ISV application do not need per-user Microsoft 365 licenses to access content through the ISV's UI. This is a critical advantage for SaaS products where end users may not be licensed for Microsoft 365 directly.

Can SharePoint Embedded content be searched by Microsoft 365 Copilot?

Yes, content in SharePoint Embedded containers is indexed by Microsoft Search and can be surfaced by Microsoft 365 Copilot when the user has appropriate access. This makes SharePoint Embedded particularly valuable for ISVs whose products need to be discoverable through enterprise-wide search and AI experiences.

How does compliance work with SharePoint Embedded?

Content in SharePoint Embedded containers inherits the compliance posture of the consuming customer tenant. This includes HIPAA BAA coverage, FedRAMP, SOC, ISO certifications, and geographic data residency configurations. The ISV application itself must still meet its own security standards, but the storage layer inherits Microsoft's existing attestations.

Is SharePoint Embedded suitable for consumer applications?

No, SharePoint Embedded is designed for applications where end customers have Microsoft 365 tenants. It is not the right choice for consumer applications where end users do not have Microsoft 365 subscriptions. For consumer scenarios, ISVs typically use Azure Blob Storage, AWS S3, or dedicated consumer content platforms.

SharePoint Embedded for SaaS: A Technical and Business Guide for 2026

What SharePoint Embedded Actually Is

SharePoint Embedded is a SaaS developer platform that lets independent software vendors (ISVs) and enterprises embed Microsoft 365 content storage directly into their applications. Instead of building file storage, versioning, permissions, search, and compliance features from scratch, developers call SharePoint Embedded APIs and get enterprise-grade content management as a service.

SharePoint architecture diagram showing hub sites, team sites, and content structure — Enterprise SharePoint architecture with hub sites and connected team sites

The key architectural insight is that SharePoint Embedded is not the same as SharePoint Online. Customers never see SharePoint sites, pages, or the SharePoint user interface. Instead, content sits in dedicated storage partitions inside Microsoft 365 tenants, accessible only through the ISV's application. The end user sees the ISV's user experience, while the ISV gets Microsoft's storage, search, e-discovery, retention, and compliance capabilities automatically.

This guide walks through the technical architecture, the business model, and the decision framework for when SharePoint Embedded is the right choice for a SaaS product.

The Architecture at a High Level

SharePoint Embedded introduces several new concepts that do not map to classic SharePoint.

Consuming Tenant and Owning Tenant

The consuming tenant is the Microsoft 365 tenant of the end customer. This is where the content physically lives, and it is subject to that tenant's compliance, retention, and governance policies. The owning tenant is the ISV's tenant, which hosts the application registration, billing, and policy configuration. The split between consuming and owning is what lets customer data remain in the customer's tenant while the ISV retains control over the application.

File Storage Container Types

File Storage Container Types are the ISV-defined schema that governs how storage is organized. An ISV registers a Container Type with Microsoft, specifies the billing model (pay-as-you-go metered to Azure), and then creates containers against that type. Each container is a content partition owned by the application.

Containers

Containers are the actual storage units. Each container holds files, folders, and associated metadata. Permissions are managed at the container level using Microsoft Entra identities. Containers are searchable, can have retention labels, and can be subject to eDiscovery through the consuming tenant's compliance tools.

Application Identity

SharePoint Embedded applications authenticate using Microsoft Entra application identities, typically with certificate-based authentication. The application acts with its own permissions, independent of any individual user. This separation is critical because it lets the application manage content lifecycle operations that would be awkward or impossible for a user identity.

The Business Model

The SharePoint Embedded business model changes the economics of building SaaS products that need content storage.

What the ISV Pays

ISVs pay Microsoft for storage and API consumption on a pay-as-you-go basis through Azure. The metering covers storage at rest, API calls, egress, and premium features. A typical mid-sized ISV with 10,000 active customers and moderate content volume might spend $25,000 to $150,000 per year on SharePoint Embedded consumption, with the exact number depending on document volume, retention patterns, and search usage.

What the Customer Gets

Customers get enterprise content storage that inherits their tenant's compliance posture. The content sits in their Microsoft 365 tenant, is subject to their data residency and sovereignty requirements, and is covered by their Microsoft 365 compliance and audit posture. This is a significantly different value proposition from ISV-hosted storage in the ISV's cloud account.

What the ISV Gets

ISVs get out-of-the-box content management features that would take 18 to 36 engineering months to build from scratch. Features like versioning, full-text search, virus scanning, eDiscovery, retention, and file preview are included. ISVs also get a compelling enterprise sales story because their product automatically passes most Microsoft-aligned procurement reviews.

When SharePoint Embedded Is the Right Choice

Based on deployments over the last two years, SharePoint Embedded is the right choice in four scenarios.

Scenario 1: Microsoft 365-Aligned Enterprise SaaS

Enterprise SaaS products sold into organizations that are already committed to Microsoft 365. Legal case management, contract lifecycle management, professional services automation, clinical document management, and loan origination are all fitting examples. Customers appreciate that content stays in their tenant, and ISVs avoid the cost of building and operating enterprise-grade storage.

Scenario 2: Compliance-Heavy Workloads

SaaS products that handle regulated data and need to meet HIPAA, FedRAMP, GDPR, SOC 2, or equivalent compliance requirements. SharePoint Embedded inherits the customer's Microsoft 365 compliance posture, which dramatically reduces the compliance burden on the ISV. Instead of proving compliance for the ISV's own cloud, the ISV relies on Microsoft's existing attestations.

Scenario 3: Document-Heavy Verticals

SaaS products where documents are a primary artifact. Real estate, insurance, legal, finance, and healthcare all fit this pattern. The combination of ISV workflow logic and Microsoft storage produces a stronger product than either component alone.

Scenario 4: ISVs Wanting to Reduce Storage Infrastructure

ISVs currently operating their own S3, Azure Blob, or Google Cloud Storage backends who want to reduce infrastructure complexity. Moving to SharePoint Embedded eliminates the need to operate storage infrastructure, handle compliance certifications for storage, and build customer-facing compliance tooling.

When SharePoint Embedded Is Not the Right Choice

SharePoint Embedded is not a fit for every product. The patterns where it does not work:

Consumer SaaS products where end users do not have Microsoft 365 tenants
Products requiring sub-100ms latency for individual file operations
Products with simple, low-volume content needs where pay-as-you-go is more expensive than a small cloud storage bucket
Products requiring deep integration with non-Microsoft ecosystems as the primary experience
Products with aggressive data portability requirements that conflict with Microsoft's storage model

The Technical Build

A working SharePoint Embedded integration has five core components.

1. Application Registration

Register an application in Microsoft Entra ID, configure the necessary API permissions (FileStorageContainer.Selected, Sites.Selected, and optionally FileStorage.Selected), and generate a certificate for authentication. The application will act with application permissions rather than delegated user permissions.

2. Container Type Registration

Register a Container Type with Microsoft through the admin portal. The Container Type includes the application ID, the billing classification (standard or trial), and the default permissions. Container Type registration is a one-time operation per ISV application.

3. Consuming Tenant Onboarding

Each consuming tenant runs an onboarding PowerShell script that grants the ISV application permission to create containers in that tenant. This is typically done by the customer's global administrator during initial setup.

```powershell

# Customer-side onboarding script

# Run by customer's Global Administrator to authorize the ISV application

Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser

Connect-SPOService -Url "https://customer-admin.sharepoint.com"

$containerTypeId = "a1b2c3d4-1234-5678-9abc-def012345678" # ISV-provided

$applicationId = "b2c3d4e5-2345-6789-abcd-ef0123456789" # ISV-provided

# Register the Container Type in the consuming tenant

Register-SPOContainerTypeConsumingApplication -ContainerTypeId $containerTypeId -AppId $applicationId -DelegatedPermission FullControl -ApplicationPermission FullControl

```

4. Container Lifecycle Operations

The application creates containers on demand, typically one container per customer workspace, project, or case. Containers can be activated, updated, deactivated, and permanently deleted through Microsoft Graph APIs.

```typescript

// Create a new container for a customer workspace

async function createWorkspaceContainer(workspaceId: string, displayName: string): Promise {

const graphClient = getAuthenticatedGraphClient();

const response = await graphClient.api('/storage/fileStorage/containers').post({

displayName: displayName,

description: `Container for workspace ${workspaceId}`,

containerTypeId: CONTAINER_TYPE_ID,

});

// Activate the container so it can accept files

await graphClient.api(`/storage/fileStorage/containers/${response.id}/activate`).post({});

return response;

}

// Upload a file into a container

async function uploadFileToContainer(containerId: string, fileName: string, fileContent: ArrayBuffer): Promise {

const graphClient = getAuthenticatedGraphClient();

return await graphClient

.api(`/storage/fileStorage/containers/${containerId}/drive/root:/${fileName}:/content`)

.put(fileContent);

}

```

5. File Operations via Microsoft Graph

Once containers exist, file operations use standard Microsoft Graph driveItem APIs. Upload, download, preview, search, share, and move operations all work through the same API surface that standard OneDrive and SharePoint use.

Governance and Compliance Considerations

Because SharePoint Embedded content lives in the customer's Microsoft 365 tenant, it inherits that tenant's governance and compliance posture. This creates both opportunity and responsibility.

The opportunity: ISVs get Microsoft 365 compliance for free. Customer content in SharePoint Embedded is automatically covered by the customer's existing Microsoft 365 compliance attestations, including FedRAMP, HIPAA BAA, SOC, and ISO certifications.

The responsibility: ISVs must design their applications to work correctly when customers apply strict governance policies. This includes retention labels that may block deletion, sensitivity labels that may restrict sharing, and DLP policies that may block uploads of certain content.

The Go-to-Market Story

ISVs that ship SharePoint Embedded-based products typically compete on three go-to-market angles.

First, customer data stays in the customer's Microsoft 365 tenant. This is a powerful story for enterprise security and compliance reviews. Customers do not have to approve new data residency exceptions, and the ISV does not have to build separate compliance stories for each geography.

Second, the product inherits the customer's existing compliance posture. A regulated customer with existing Microsoft 365 FedRAMP High authorization gets an ISV product that is automatically deployable in that environment, assuming the ISV application itself meets FedRAMP controls.

Third, the ISV product integrates naturally with the rest of the Microsoft 365 ecosystem. Documents created in the ISV product can be found through Microsoft Search, processed by Copilot, subject to the customer's existing retention rules, and surfaced in the customer's existing content insights.

Getting Started

SharePoint Embedded has a steep initial learning curve because the identity model, container concept, and billing are all new. The fastest path to production typically follows this timeline.

Weeks 1 to 4: Register the application, register a Container Type in trial mode, build a proof of concept that creates containers and uploads files. Validate the identity and permission model end to end.

Weeks 5 to 12: Build the production-grade container lifecycle management, integrate into the existing ISV product, and design the customer onboarding flow. Test with 3 to 5 friendly customer tenants.

Weeks 13 to 24: Move the Container Type to billable status, build the customer-facing billing model (if the ISV passes Microsoft costs through), and run a beta program with 20 to 50 customer tenants. Instrument telemetry for every container and API operation.

Weeks 25+: General availability, with ongoing investment in governance integration, retention-aware workflows, and sensitivity-label-aware features.

Our SharePoint specialists have supported ISVs building on SharePoint Embedded from initial architecture through production rollout. Contact our team to discuss a SharePoint Embedded readiness engagement, or explore our SharePoint consulting services for the full technical and go-to-market playbook.