The Governance Decisions Every Organisation Should Make in Microsoft 365

28 February 2026 Governance

Governance in Microsoft 365 doesn't require an external consultant or an 80-page document. It requires sitting down for a couple of hours with the right people and answering a specific set of questions. The answers to those questions are your governance policy.

This post covers the concrete decisions your organisation should have answered and documented — the practical part of governance that most organisations either skip or leave vague.

1. Who can create sites and Teams?

This is probably the most important decision. If any employee can create a Team or a SharePoint site without restriction, within a few months you'll have dozens of spaces with no clear owner, inconsistent names, and scattered content.

The usual options are:

  • Only administrators can create — more control, more friction for users
  • Anyone can create, but only through a process: a request form, quick approval
  • Anyone can create — maximum flexibility, minimum control

For most mid-sized organisations, the middle option is the most sensible. A simple request process — even an email to the administrator — is enough to maintain order.

2. How are sites, Teams, and files named?

Without a naming convention, everyone names things their own way. The result is that search works poorly and nobody can tell what a site contains just from its name.

Decide and document:

  • How Teams are named — "Sales-London" or "London Sales Team" or "SalesLDN"?
  • How project sites are named — do they include the year? the client? the project code?
  • How files are named — date at the start or the end? hyphens or underscores?

It doesn't matter much which convention you choose — what matters is that one exists and everyone uses it.

3. Who is the owner of each site?

Every SharePoint site and every Team should have at least one clearly identified owner. The owner is the person responsible for:

  • Keeping the content up to date
  • Managing access permissions
  • Deciding what happens to the site when it's no longer needed

Without a clear owner, sites become orphaned spaces that nobody maintains but that keep appearing in search results and generating noise.

Create a simple register — a SharePoint list works well — with all active sites, their owner, and the date of last review.

4. Who can share content externally?

External sharing — sharing documents with suppliers, clients, or collaborators outside the organisation — is one of the highest-risk areas if left uncontrolled.

Decide:

  • Can all users share with external people, or only certain roles?
  • What link types are permitted — specific people only, or anyone with the link?
  • Is there content that should never be shared externally — payroll, employee contracts, financial information?

These decisions are configured in the Microsoft 365 admin centre and the SharePoint admin centre. Once configured, the system enforces them automatically.

5. What happens when someone joins?

The onboarding process for a new employee should include a clear list of:

  • Which access groups they receive from day one based on their role
  • Which Teams they are automatically added to
  • Who manages this process — IT, HR, their direct manager?

Without a defined process, new employees spend their first days requesting access from different people, interrupting their colleagues' work.

6. What happens when someone leaves?

This is the governance point most organisations leave unresolved — and the one that causes the most problems.

When someone leaves the organisation, you need a process to:

  • Disable the account in Microsoft 365 — this removes access to all services
  • Reassign ownership of the sites and Teams where they were an owner
  • Decide what happens to their content — transferred to their manager? archived?
  • Revoke external access that person had granted to third parties
  • Handle their mailbox — converted to a shared mailbox? for how long?

Microsoft 365 makes this process much easier when a defined procedure exists. Without one, ex-employee accounts can remain active for months — with access to sensitive company information.

7. What happens to sites and Teams that are no longer used?

Projects end, teams change, departments reorganise. Without a lifecycle policy, the environment accumulates abandoned sites and Teams that nobody maintains but that keep appearing in search and consuming storage.

Decide:

  • How often do you review which sites and Teams are active?
  • What happens to a site when a project ends — archived, deleted, or kept?
  • Who makes that decision?

Microsoft 365 has lifecycle management capabilities that can automate part of this process — sending notifications to owners when a Team has been inactive for a period of time.

8. Which site templates are used?

Site templates are pre-configured sites with the structure, libraries, metadata columns, and permissions already defined. Instead of each person configuring their site from scratch — and doing it differently every time — templates guarantee consistency.

Decide which types of site your organisation needs and create a template for each:

  • Department site
  • Project site
  • Client site

When someone needs a new site, they apply the appropriate template. Everything starts the same — ordered and consistent.

9. How is metadata managed?

If you've implemented content types and metadata columns in your libraries, governance needs to define:

  • Who can create new columns or modify existing ones
  • How new values are added to choice columns
  • Who is responsible for maintaining the Term Store if you're using managed taxonomy

Without control over metadata, duplicate columns, inconsistent values, and structural degradation accumulate over time.

How to document it

No sophisticated format is needed. A Word document or a SharePoint page with the answers to these questions is already a functional governance policy.

What matters is that it:

  • Is written down and accessible to the people who need it
  • Is reviewed at least once a year
  • Has an owner — someone responsible for keeping it up to date

The summary

Decision                  The minimum you should have
Site and Teams creation   Who can create and how to request it
Naming                    A documented and communicated convention
Ownership                 A site register with an assigned owner for each
External sharing          A clear policy configured in the admin centre
Employee onboarding       A list of access rights by role
Employee offboarding      A documented step-by-step process
Lifecycle                 A periodic review of active sites
Templates                 At least one per site type
Metadata                  Who can modify the structure

None of these decisions require advanced technology or external consultants. They require a conversation between the right people and a document where the answers are written down.


Cameron Griffiths is a Microsoft 365 consultant based in Valencia, Spain, specialising in SharePoint Online, Power Automate and Microsoft 365 for business. camerongriffiths.com