15 SharePoint Governance Rules Every Enterprise Needs in 2026

Governance is the difference between a SharePoint environment that runs itself and one that collapses under its own weight. These are the 15 rules that prevent chaos.

Errin O'Connor, March 25, 2026, 15 min read

I have seen the same pattern hundreds of times. An organization deploys SharePoint, everyone is excited, teams create sites freely, and within 18 months the environment is ungovernable — 500 orphaned sites, inconsistent permissions, stale content everywhere, and no one knows who owns what. Copilot starts surfacing confidential documents to the wrong people because permissions were never cleaned up.

[Figure: Enterprise SharePoint architecture with hub sites and connected team sites]

These 15 rules prevent that. They are based on governance frameworks we have built for 1,000+ enterprise clients, refined through the mistakes (theirs and ours) over 25 years.

---

Site Provisioning (Rules 1-4)

Rule 1: Nobody creates sites without approval

The single most important governance rule.

Disable self-service site creation for all users. Route all site requests through an approval workflow (Power Automate or a custom Power App). Every request must include: business purpose, primary and secondary owners, expected lifecycle (1 year, 2 years, permanent), data classification (public, internal, confidential, highly confidential), and compliance requirements.

Why this matters: unchecked site creation is the root cause of site sprawl, orphaned sites, and governance debt. A 5,000-user organization without provisioning controls will generate 200-500 unnecessary sites within the first year.

Rule 2: Every site has two owners — no exceptions

Primary owner and backup owner. Both must be active employees (not shared accounts, not distribution lists, not external guests). When either owner leaves the organization, their manager inherits ownership until a new owner is assigned.

Automate enforcement: run a monthly Power Automate flow that checks site ownership against Entra ID. If a site owner's account is disabled, auto-notify the backup owner and their manager. If no active owner exists after 30 days, lock the site to read-only and escalate to IT governance.
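The monthly ownership check described above, written as a PowerShell script rather than a Power Automate flow (an added example, not the article's or SharePoint Support's code). It assumes the SharePoint Online Management Shell and Microsoft.Graph modules, a SharePoint admin session, a tenant-name placeholder, and a small CSV (Url,FirstSeen) that records when a site was first found without an active owner, so the 30-day grace period survives between monthly runs.

```powershell
# Added example: monthly site-ownership check against Entra ID (Rule 2).
# Assumed: SPO Management Shell + Microsoft.Graph modules, admin session,
# "<tenant>" placeholder, and a state CSV (Url,FirstSeen) kept between runs.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

$stateFile = ".\ownerless-sites.csv"
$state = @{}
if (Test-Path $stateFile) {
    Import-Csv $stateFile | ForEach-Object { $state[$_.Url] = [datetime]$_.FirstSeen }
}
$today = Get-Date

$report = foreach ($site in Get-SPOSite -Limit All) {
    # Site collection admins are the owners this rule governs; group claims are skipped
    $owners = Get-SPOUser -Site $site.Url -Limit All |
              Where-Object { $_.IsSiteAdmin -and $_.LoginName -like '*@*' }
    $active = @(); $gone = @()
    foreach ($o in $owners) {
        try { $u = Get-MgUser -UserId $o.LoginName -Property AccountEnabled -ErrorAction Stop }
        catch { $gone += $o.LoginName; continue }            # account no longer exists
        if ($u.AccountEnabled) { $active += $o.LoginName } else { $gone += $o.LoginName }
    }
    if ($active.Count -gt 0) {
        $state.Remove($site.Url)                             # an active owner exists: clear the clock
        foreach ($g in $gone) {
            # The departed owner's manager inherits until a replacement is assigned
            $mgr = Get-MgUserManager -UserId $g -ErrorAction SilentlyContinue
            [pscustomobject]@{ Url = $site.Url; Action = 'NotifyBackupAndManager'; Departed = $g
                               Backup = ($active -join ';')
                               Manager = $mgr.AdditionalProperties['userPrincipalName'] }
        }
    } else {
        if (-not $state.ContainsKey($site.Url)) { $state[$site.Url] = $today }
        $days = ($today - $state[$site.Url]).Days
        if ($days -ge 30) {
            Set-SPOSite -Identity $site.Url -LockState ReadOnly   # lock, then escalate
            [pscustomobject]@{ Url = $site.Url; Action = 'LockedReadOnly-EscalateToGovernance'; DaysOwnerless = $days }
        } else {
            [pscustomobject]@{ Url = $site.Url; Action = 'NoActiveOwner-GracePeriod'; DaysOwnerless = $days }
        }
    }
}
$state.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Url = $_.Key; FirstSeen = $_.Value.ToString('o') } } |
    Export-Csv $stateFile -NoTypeInformation
$report | Format-Table -AutoSize
```

The notification mail itself is left to whatever mail step your environment uses; the report rows carry the recipients. Group-connected team sites carry ownership through their Microsoft 365 group, so extend the owner lookup with Get-MgGroupOwner for those.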

Rule 3: Use hub site architecture — not flat site collections

Every site belongs to a hub. Hubs provide consistent navigation, shared branding, cross-site search, and content roll-up. Without hubs, your environment is a disconnected collection of sites that users cannot navigate.

Recommended hub structure for a mid-size enterprise:

  • Corporate hub: company news, HR policies, executive communications
  • Department hubs: one per major department (Finance, Engineering, Marketing, Operations)
  • Project hub: active project sites (archived when complete)
  • Compliance hub: policies, training, audit documentation

Rule 4: Naming conventions are enforced, not suggested

Every site, document library, and team name follows a standard format. For sites: `[Department]-[Purpose]-[Year]` (e.g., "Finance-AuditDocs-2026"). For document libraries: descriptive names, no abbreviations, no special characters.

Enforce via provisioning workflow — the request form validates naming before submission. Retroactively rename non-compliant sites during quarterly governance reviews.

---

Permissions (Rules 5-8)

Rule 5: No unique permissions at the document level

Permission inheritance should break at the library or folder level — never at individual documents. Document-level unique permissions create unmanageable complexity, slow performance, and make governance audits nearly impossible.

If a single document needs different access than its library, move it to a separate library with appropriate permissions. This is simpler, faster, and auditable.

Rule 6: Use security groups, not individual user permissions

Every permission assignment should go to a security group, not a person. When John leaves the company, you remove him from the security group once — not from 47 individual sites. Security groups should map to job roles: "Finance-ReadOnly," "Finance-Contributors," "HR-FullControl."

Rule 7: External sharing is off by default, enabled by request

SharePoint Admin Center > Sharing > default to "Only people in your organization" for all new sites. External sharing requires a formal request with: business justification, data classification review, time-limited access (30/60/90 days with auto-expiration), and compliance officer approval for any site containing sensitive data.
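The same default, applied with the SharePoint Online Management Shell instead of the Admin Center (an added example, not the article's own configuration). It assumes a SharePoint admin session, a tenant-name placeholder, and a governance-maintained CSV of sites with an approved external-sharing exception (column Url).

```powershell
# Added example: external sharing off by default, on only by approved exception (Rule 7).
# Assumed: SPO Management Shell, admin session, "<tenant>" placeholder,
# and .\sharing-approvals.csv (column Url) listing approved exceptions.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# The tenant setting is a ceiling: a site can never be more permissive than it.
# It therefore stays at the least level the approved exceptions need, not 'Disabled'.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly
# Guest access granted by exception expires automatically (30-day window here)
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30

# Every site is internal-only unless it has an approval record; the provisioning
# workflow should apply the same Set-SPOSite call to each newly created site.
$approved = (Import-Csv ".\sharing-approvals.csv").Url
foreach ($site in Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne 'Disabled' }) {
    if ($approved -contains $site.Url) {
        Write-Output "Approved exception kept: $($site.Url) ($($site.SharingCapability))"
    } else {
        Set-SPOSite -Identity $site.Url -SharingCapability Disabled
        Write-Output "Reset to 'Only people in your organization': $($site.Url)"
    }
}
```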

Rule 8: Quarterly permission audits are mandatory

Every quarter, run a permission report across all SharePoint sites. Flag: sites with "Everyone" or "Everyone except external users" access, sites where external guests have access beyond the approved period, sites with more than 100 unique permission entries (indicates permission sprawl), and sites where the owner has not reviewed permissions in 6+ months.
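One way to produce that quarterly report with the SharePoint Online Management Shell (an added example, not the article's or any vendor's tool). It assumes a SharePoint admin session, a tenant-name placeholder, and a governance CSV (Url,ApprovedUntil,LastOwnerReview) that records each site's approved guest-access window and the date its owner last reviewed permissions; the "more than 100 unique permission entries" criterion is approximated by the number of principals with direct site-level access.

```powershell
# Added example: quarterly permission audit (Rule 8).
# Assumed: SPO Management Shell, admin session, "<tenant>" placeholder, and
# .\sharing-approvals.csv with columns Url, ApprovedUntil, LastOwnerReview.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
$approvals = @{}
Import-Csv ".\sharing-approvals.csv" | ForEach-Object { $approvals[$_.Url] = $_ }
$today = Get-Date

$findings = foreach ($site in Get-SPOSite -Limit All) {
    $users = @(Get-SPOUser -Site $site.Url -Limit All)
    $flags = @()
    # "Everyone" and "Everyone except external users" are claims, not people;
    # their login names are assumed to match the patterns below
    if ($users | Where-Object { $_.LoginName -like 'c:0(.s|true*' -or
                                $_.LoginName -like '*spo-grid-all-users*' }) {
        $flags += 'EveryoneAccess'
    }
    $guests = $users | Where-Object { $_.LoginName -like '*#ext#*' }
    $a = $approvals[$site.Url]
    if ($guests -and (-not $a -or [datetime]$a.ApprovedUntil -lt $today)) {
        $flags += 'GuestsBeyondApprovedPeriod'
    }
    if ($users.Count -gt 100) { $flags += 'PermissionSprawl' }   # site-level proxy for 100 entries
    if (-not $a -or ([datetime]$a.LastOwnerReview).AddMonths(6) -lt $today) {
        $flags += 'NoOwnerReviewIn6Months'
    }
    if ($flags) {
        [pscustomobject]@{ Url = $site.Url; Owner = $site.Owner; Flags = ($flags -join ',') }
    }
}
$findings | Export-Csv ".\permission-audit-$($today.ToString('yyyy-MM-dd')).csv" -NoTypeInformation
$findings | Format-Table -AutoSize
```

Counting true unique permission entries (broken inheritance on libraries, folders and items) needs a per-site walk with PnP PowerShell or CSOM; the site-level count above is the cheap first pass that finds the worst offenders.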

---

Content Lifecycle (Rules 9-12)

Rule 9: Every document library has a retention policy

No content lives in SharePoint without a defined retention period. Standard retention labels:

  • Operational (1 year): routine working documents, drafts, meeting notes
  • Business (3 years): project deliverables, reports, presentations
  • Regulatory (6-7 years): financial records, compliance documentation, PHI, PII
  • Permanent: board minutes, corporate policies, legal agreements

Apply labels automatically based on site classification or require users to label at upload.

Rule 10: Stale content triggers automated review

Configure a Power Automate flow: if a document has not been modified in 12 months, email the document owner asking them to confirm it is still needed. If no response in 30 days, move to an archive library. If no response after 60 days in archive, delete (or retain per retention policy).

For sites: if a site has zero activity (no page views, no document edits, no new content) for 90 days, email the site owner with a "keep or archive" decision. Unresponsive owners after 30 days trigger automatic archival.

Rule 11: Archived content is read-only, not deleted

When content is archived, move it to a dedicated archive site collection with read-only permissions. Do not delete. Archived content may be needed for compliance, legal discovery, or business reference. Archive sites should have minimal storage quotas and no contribution rights.

Rule 12: Version history has limits

Enable versioning on all document libraries, but set limits: 50 major versions maximum. Without limits, a frequently edited document can consume enormous storage (500 versions of a 50MB PowerPoint = 25GB for one file). Libraries with automatic versioning and no limits are one of the top causes of SharePoint storage overruns.
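Enforcing that limit across every document library in a site with PnP PowerShell (an added example, not the article's code). It assumes the PnP.PowerShell module and a site-URL placeholder.

```powershell
# Added example: cap major versions at 50 on every document library (Rule 12).
# Assumed: PnP.PowerShell module and a "<tenant>/<site>" placeholder URL.
Connect-PnPOnline -Url "https://<tenant>.sharepoint.com/sites/<site>" -Interactive
$maxMajor = 50

# BaseTemplate 101 is a document library; hidden system lists are left alone
foreach ($lib in Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }) {
    # MajorVersionLimit 0 means "no limit", which is the costly setting the rule forbids
    $unbounded = -not $lib.EnableVersioning -or $lib.MajorVersionLimit -eq 0 -or
                 $lib.MajorVersionLimit -gt $maxMajor
    if ($unbounded) {
        Set-PnPList -Identity $lib -EnableVersioning $true -MajorVersions $maxMajor
        Write-Output "Fixed: $($lib.Title) (was $($lib.MajorVersionLimit))"
    } else {
        Write-Output "OK:    $($lib.Title) (limit $($lib.MajorVersionLimit))"
    }
}
```

Run it from the provisioning workflow for new sites and from the quarterly review for existing ones; the limit only trims future versions, so storage already consumed is reclaimed as old versions age out.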

---

Compliance and Copilot Readiness (Rules 13-15)

Rule 13: Sensitivity labels are required before Copilot deployment

Before deploying Microsoft Copilot for Microsoft 365, every site and document library must have a sensitivity label. Copilot respects SharePoint permissions — but in overpermissioned environments, it surfaces content that users technically have access to but should not see. Labels + DLP policies prevent Copilot from exposing sensitive content.

This is not optional. Deploying Copilot without sensitivity labels is deploying a tool that will surface your compliance failures to every employee who asks the right question.

Rule 14: Information barriers for regulated departments

If your organization has departments that must maintain information separation (Chinese walls in financial services, clinical vs. administrative separation in healthcare, attorney-client privilege in legal departments), configure Microsoft Purview information barriers before those departments use SharePoint.

Information barriers prevent users in separated segments from discovering or accessing each other's SharePoint sites, Teams, and OneDrive content.

Rule 15: Governance documentation is a living document

Your SharePoint governance framework must be documented, published on your intranet (practice what you preach), reviewed quarterly, and updated when Microsoft introduces new features, your organization changes structure, or compliance requirements evolve.

The governance document should include: provisioning policy, naming conventions, permission model, classification schema, retention schedule, external sharing policy, support model, and roles and responsibilities. Every new employee with SharePoint access should read it during onboarding.

---

Governance Implementation Priority

If you are starting from scratch, implement in this order:

| Timeline | Rules | Objective |
|----------|-------|-----------|
| Week 1-2 | Rules 1-2 (provisioning + ownership) | Stop the bleeding — prevent new ungoverned sites |
| Week 3-4 | Rules 5-7 (permissions model) | Establish permission hygiene |
| Month 2 | Rules 3-4 (hub architecture + naming) | Organize existing chaos |
| Month 3 | Rules 9-10 (retention + lifecycle) | Start content lifecycle management |
| Month 4-6 | Rules 13-15 (compliance + Copilot readiness) | Prepare for AI deployment |
| Ongoing | Rules 8, 11-12 (audits, archival, versioning) | Continuous governance |

---

Frequently Asked Questions

How much time does SharePoint governance take?

Initial setup: 2-4 weeks of dedicated effort to design policies, configure controls, and document the framework. Ongoing maintenance: 4-8 hours/week for a mid-size enterprise (permission audits, provisioning approvals, lifecycle reviews, policy updates). This is a fraction of the time spent dealing with ungoverned environments.

Should I hire a consultant for SharePoint governance?

If your environment has been running ungoverned for more than a year, yes. The cleanup and framework design is significantly more complex than greenfield governance. A consultant brings patterns from other organizations and can compress a 6-month effort into 6-8 weeks.

What tools automate SharePoint governance?

Power Automate for workflow automation (provisioning approval, lifecycle notifications, permission reviews). AvePoint Cloud Governance for automated policy enforcement. ShareGate for permission reporting and cleanup. SharePoint Admin Center for site-level controls. Microsoft Purview for compliance policies.

How do I get executive buy-in for governance?

Frame it in risk terms, not IT terms. Calculate the cost of a compliance violation (HIPAA: up to $1.5M per incident). Calculate the cost of a data breach through oversharing (average: $4.45M per Ponemon/IBM). Calculate the hours wasted searching for content in an ungoverned environment (30-50% of knowledge worker time). Governance is risk management, not IT bureaucracy.

What is the most common governance mistake?

Creating policies that nobody enforces. A governance framework with 50 rules that are all "suggested best practices" is worthless. Start with 5 rules that are technically enforced (not just documented) and expand from there. Automated enforcement beats voluntary compliance every time.

How does governance relate to Microsoft Copilot?

Copilot searches everything a user has access to and surfaces it in AI-generated responses. If your permissions are overly broad (common in ungoverned environments), Copilot will surface confidential documents, salary data, M&A plans, and personal information to anyone who asks. Governance — specifically permission hygiene and sensitivity labels — is a prerequisite for safe Copilot deployment.

Written by Errin O'Connor

Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem

Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.
