Day 18: SharePoint governance shouldn’t punish users

Governance usually enters the conversation when something has already gone wrong.

Too many sites. Content shared too broadly. External users where no one expected them. Suddenly the solution becomes rules, restrictions, and approvals layered on top of a platform that was supposed to make work easier.

That is how governance earns a bad reputation.

Over the years, I learned something else. Governance is not sexy and it does not sell. Nobody gets excited about it unless the organization is already in panic mode. It is invisible when it works and painfully obvious when it does not.

In SharePoint, governance is often reduced to site sprawl. Who can create sites. How many exist. Which ones should be deleted. That matters, but it is only one symptom of a bigger problem.

Microsoft has been clear about empowering users. Self-service site creation. Easy sharing. Collaboration without friction. That philosophy is not wrong. It is one of the reasons Microsoft 365 succeeded where other platforms stalled.

The problem is what happens when empowerment shows up with no structure.

If you allow users to freely create sites with no guidance, you do not get innovation. You get chaos. Duplicate sites. Confusing ownership. Content scattered across places no one remembers creating.

If you lock everything down to prevent chaos, you do not get order. You get shadow IT. Files moved to personal drives. External tools adopted quietly. Work happening outside the platform you are trying to govern.

Good SharePoint governance lives in the uncomfortable middle. Enough freedom to get work done. Enough structure to keep the environment understandable and trustworthy.

That starts with roles and responsibilities.

One of the most common mistakes I see is assuming business owner and site owner mean the same thing. They do not. A business owner understands outcomes. A site owner needs to understand lifecycle, permissions, sharing, and structure. Without clarity on those roles, governance becomes reactive instead of intentional.

Training matters more than most organizations want to admit. Not training on where buttons live. Training on responsibility. What does it mean to own a site? When should you share externally? When should you create something new versus reuse what already exists?

Guidelines and best practices are not bureaucracy. They are guardrails. When they are documented well, they reduce decision fatigue. Users do not have to guess what good looks like. They can follow patterns that already work.

A documented strategy matters more than any single setting. At minimum, it should answer: who can create sites and why, how requests and exceptions work, what “done” looks like for an inactive site, and what the expected lifecycle is for content.

If you want the official receipts, Microsoft’s adoption and change guidance is a good starting point: Microsoft 365 adoption and change management. Their broader hub is also worth bookmarking: Microsoft Adoption.

Security and compliance controls support governance, but they are not governance by themselves.

External sharing policies are a good example. SharePoint gives you granular controls for external collaboration, but you have to make deliberate choices or you will either overshare or block real work. Microsoft’s guidance is here: external sharing in SharePoint.

The same applies to identity. If you enable external sharing and you are not enforcing multi-factor authentication, you are betting your tenant on luck. Microsoft’s MFA guidance lives here: get started with MFA.

And if you truly have oversharing risk, Data Loss Prevention can help. The key word is targeted. Turning DLP on everywhere without understanding your data flows creates noise and frustration. Microsoft Purview DLP basics are here: learn about DLP.

Governance is more important than ever because of Copilot.

Copilot does not introduce new problems. It amplifies existing ones. Poor structure, unclear ownership, and overly permissive sharing become far more visible when AI starts surfacing content confidently and without context. I wrote about this directly in Copilot readiness for SharePoint: it’s just governance with lipstick, because that is exactly what it is.

Governance is not a blocker for Copilot. It is the prerequisite.

This also connects back to what I wrote in Day 12: The day I stopped fighting SharePoint users. Governance that ignores user behavior will always feel punitive. Governance that accounts for how people actually work becomes invisible.

Good governance does not require users to understand policies, permission inheritance, or retention labels just to do their job. It works because defaults are sensible and paths are clear.

After a migration, this matters even more. Trust is fragile when familiarity is disrupted. Governance introduced at that moment can either rebuild confidence or confirm people’s worst fears.

If governance feels like punishment, people will work around it. If it feels like support, they will barely notice it is there.


This post is part of my 25 days of SharePoint series, created to celebrate SharePoint’s 25th anniversary and lead up to the SharePoint at 25 digital event on March 2.

Each post reflects on what actually made SharePoint last 25 years, the wins, the mistakes, and the lessons learned from building, breaking, and rebuilding it in real organizations.

You can find all posts in this series here.

If there’s a topic you think I should cover next, a SharePoint mistake you keep seeing, or a question no one ever answers straight, leave a comment. This series is shaped by real experiences, not marketing slides.
