SharePoint Online Administration & Architecture — Complete Guide
Site Hierarchy · Hub Sites · Information Architecture · Security · Administration · Content Management · Scenarios · Cheat Sheet
Table of Contents
- Core Concepts — Basics
- Information Architecture & Hub Sites
- Security, Permissions & Sharing
- SharePoint Online Administration
- Content Management & Key Features
- Governance & Compliance
- Scenario-Based Questions
- Cheat Sheet — Quick Reference
1. Core Concepts — Basics
What is SharePoint Online and how does it fit in Microsoft 365?
SharePoint Online (SPO) is a cloud-based collaboration and content management platform included in Microsoft 365. It serves as the backbone for document management, intranet portals, team sites, and structured content.
SharePoint Online's role in Microsoft 365:
- Document storage backbone: every Microsoft 365 Group, Teams channel, and OneDrive uses SharePoint Online as its underlying file storage
- Intranet platform: communication sites, hub sites, and Viva Connections are built on SharePoint Online
- Content services: Microsoft Syntex (content AI), Microsoft Purview (compliance), sensitivity labels all leverage SharePoint
- Power Platform integration: Power Automate, Power Apps, and Power Pages connect to SharePoint lists and libraries
Key positioning: SharePoint Online is not just a file share — it is the content foundation of Microsoft 365.
What is the SharePoint Online site hierarchy?
Tenant (organisation)
└── Site Collection (isolated container)
├── Root Site (top-level site)
│ ├── Lists (structured data — rows & columns)
│ ├── Libraries (document storage + metadata)
│ ├── Pages (modern SharePoint pages)
│ └── Web Parts (modular page components)
└── Sub-sites (NOT recommended — use flat architecture instead)
Key components:
Site collection → isolated container: own permissions, storage quota, recycle bin
Site → a website within a site collection
List → structured data table (like a simple database)
Library → document storage with metadata, versioning, check-out
Page → modern web page built with web parts
Web Part → modular content block (text, news, events, document library)
Warning: Sub-sites are a legacy pattern — avoid in modern SharePoint Online. Use separate site collections connected via Hub Sites instead. Sub-sites create complex permission inheritance issues.
What are the different types of SharePoint Online sites?
| Site Type | Description | Best For |
|---|---|---|
| Team site | Connected to Microsoft 365 Group. Shared mailbox, calendar, Teams, Planner. | Team collaboration |
| Communication site | No M365 Group. Broadcasts information to wide audience. | Intranet portals, department sites |
| Hub site | A designation applied to an existing site. Connects associated sites. | Organisational grouping |
| Teams-connected | Every Teams channel has a corresponding SharePoint library. | File storage for Teams |
| OneDrive site | Each user's personal site collection. | Personal/private files |
Tip: Communication site = publish TO many people. Team site = collaborate WITH a team. Hub site = connect related sites. These three distinctions are tested in every SharePoint .
What are SharePoint admin roles?
| Role | Scope |
|---|---|
| Global Administrator | Full access to all SharePoint settings — too broad for daily use |
| SharePoint Administrator | Full SharePoint admin — all sites, settings, policies. Primary admin role. |
| Site Collection Administrator | Full control of a specific site collection |
| Site Owner | Manage a specific site — permissions, settings, pages |
| Site Member | Contribute — add, edit, delete content |
| Site Visitor | Read-only — view and download |
Warning: Never use Global Administrator for routine SharePoint administration. Use the SharePoint Administrator role.
2. Information Architecture & Hub Sites
What is a Hub Site and what does it provide?
A Hub Site is an existing SharePoint site registered as a hub — connecting associated sites without creating a sub-site hierarchy.
What hub sites provide:
- Unified navigation: hub nav bar displayed across all associated sites — changes propagate automatically
- Shared branding: hub theme (colours, logo) applied consistently to all associated sites
- Aggregated search: searching from any hub site or associated site searches the entire hub family
- News rollup: News Web Part pulls news from all associated sites into the hub home page
- People rollup: aggregate people across associated sites
Hub architecture example:
Contoso Intranet Hub (communication site — top-level hub)
├── HR Hub (communication site — sub-hub)
│ ├── HR Policies (team site — associated to HR Hub)
│ └── Benefits site (communication site — associated to HR Hub)
├── IT Hub (communication site — sub-hub)
│ ├── IT Support site
│ └── Infrastructure site
└── Finance Hub
├── Finance team site
└── Reporting site
Tip: Hub sites are the modern replacement for sub-sites. They provide organisational grouping benefits without the permission inheritance and governance problems.
What is the flat architecture principle in modern SharePoint?
Flat architecture: separate, independent site collections connected via Hub Sites — rather than a deep sub-site hierarchy.
Legacy (sub-site) architecture — AVOID:
/sites/contoso
/sites/contoso/hr
/sites/contoso/hr/policies
/sites/contoso/hr/policies/2024
Problems:
→ Permissions cascade and are hard to manage
→ Sub-sites inherit parent permissions — hard to isolate
→ All sub-sites share root site storage quota
→ Cannot move sub-sites to different hub contexts
Modern (flat) architecture — RECOMMENDED:
/sites/intranet ← Hub site
/sites/hr ← Separate site collection (associated to Intranet hub)
/sites/hr-policies ← Separate site collection (associated to HR sub-hub)
/sites/it ← Separate site collection (associated to Intranet hub)
Benefits:
→ Each site has independent permissions
→ Each site has its own storage quota and recycle bin
→ Sites can be re-associated to different hubs as org evolves
→ Sites can be moved between hubs without restructuring
What are Managed Metadata and Content Types?
Managed Metadata (Term Store): centrally managed taxonomy of terms applied as metadata columns across all sites in the tenant. Enables consistent tagging and filtering.
Content Types: reusable definitions for a type of document or list item — specifying columns, document template, workflows, and retention policies. Defined once in the Content Type Hub and published to all sites.
Example:
Term Store: Department
Terms: HR / Finance / IT / Legal / Operations
Content Type: "Contract Document"
Columns: Title, Department (managed metadata), Effective Date,
Expiry Date, Contract Value, Counterparty
Template: Contract_Template.docx
Retention: 7 years after expiry date
When a user creates a "Contract Document" in ANY library:
→ Pre-configured template automatically applied
→ Required metadata fields enforced
→ Document follows 7-year retention policy automatically
→ Consistent across ALL sites and ALL libraries in the tenant
Tip: Content Types + Managed Metadata is the foundation of enterprise information architecture in SharePoint. Any question about governance, compliance, or findability leads to this answer.
What are the SharePoint URL patterns and character limits?
SharePoint Online URL patterns:
Tenant root: https://contoso.sharepoint.com
Team sites: https://contoso.sharepoint.com/sites/{sitename}
Communication: https://contoso.sharepoint.com/sites/{sitename}
OneDrive: https://contoso-my.sharepoint.com/personal/{username_contoso_com}
Admin Centre: https://contoso-admin.sharepoint.com
Important limits:
Maximum URL length: 400 characters (file path + filename)
Maximum filename length: 256 characters
Maximum file size: 250 GB per file
Maximum list items: 30 million items per list (with index)
Maximum library items: No hard limit (but performance degrades > 5,000 without indexing)
List view threshold: 5,000 items per view (requires indexed columns to exceed)
Maximum site storage: 25 TB per site (or tenant pool limit)
3. Security, Permissions & Sharing
What are SharePoint permission levels?
Built-in permission levels (most → least permissive):
Full Control → complete access — manage, configure, delete the site
Design → create lists/libraries, edit pages, apply themes
Edit → add, edit, delete items AND manage lists
Contribute → add, edit, delete items (cannot manage lists)
Read → view items, open/download documents
View Only → view in browser only (cannot download — for DRM)
Limited Access → system-generated — access to specific items only
Assigned via SharePoint Groups:
Site Owners → Full Control (default)
Site Members → Edit (modern) or Contribute (classic)
Site Visitors → Read (default)
Three-layer model:
Users → SharePoint Groups → Permission Levels → Site/List/Library
Tip: Permission levels are templates. Groups hold users. Groups are assigned permission levels. This three-layer model is tested in every SharePoint security .
What is permission inheritance and when should you break it?
By default, lists, libraries, folders, and items inherit permissions from their parent site.
When to break inheritance — legitimate:
- A library contains confidential HR files on a general site → break library inheritance, add HR team only
- A specific document needs to be shared with external users → share the item directly
When NOT to break inheritance:
- Breaking inheritance on dozens of folders in a library → creates unmanageable permission matrix
- Breaking inheritance instead of creating a separate site → if access requirements differ significantly, create a new site
Best practices:
→ Manage permissions at SITE level (not list/library/item where possible)
→ Use separate sites for content with different access requirements
→ Item-level sharing is acceptable for exceptions, not systematic use
→ Audit broken inheritance regularly: Get-PnPList -Includes HasUniqueRoleAssignments | Where-Object HasUniqueRoleAssignments
Critical: Over-breaking inheritance is the #1 SharePoint governance anti-pattern. It creates "permission hell" where nobody can determine who has access to what.
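The audit cmdlet above only says which lists have unique permissions. The following added example (not code from the original page) extends it to report who is on each broken-inheritance ACL and at which permission level, and can isolate individual users granted access directly rather than through a SharePoint group. It assumes PnP.PowerShell with a session already open to the site; the function name and the `-DirectUsersOnly` switch are hypothetical.

```powershell
# Added example. Assumes PnP.PowerShell and an open session to the site being
# audited, e.g. Connect-PnPOnline -Url https://contoso.sharepoint.com/sites/hr ...
function Get-UniquePermissionReport {
    [CmdletBinding()]
    param(
        # Hypothetical switch: report only individual users granted access directly
        [switch]$DirectUsersOnly
    )

    # HasUniqueRoleAssignments is not loaded by default, so request it explicitly.
    $lists = Get-PnPList -Includes HasUniqueRoleAssignments, Hidden |
        Where-Object { -not $_.Hidden -and $_.HasUniqueRoleAssignments }

    foreach ($list in $lists) {
        # Load the entries on the list's own ACL.
        Get-PnPProperty -ClientObject $list -Property RoleAssignments | Out-Null

        foreach ($assignment in $list.RoleAssignments) {
            Get-PnPProperty -ClientObject $assignment -Property Member, RoleDefinitionBindings | Out-Null

            # "Limited Access" is system-generated and does not reflect a grant
            # made on this list, so it is left out of the report.
            $levels = @($assignment.RoleDefinitionBindings |
                Where-Object { $_.Name -ne 'Limited Access' } |
                ForEach-Object { $_.Name })
            if ($levels.Count -eq 0) { continue }

            $isDirectUser = $assignment.Member.PrincipalType -eq 'User'
            if ($DirectUsersOnly -and -not $isDirectUser) { continue }

            [pscustomobject]@{
                List          = $list.Title
                Principal     = $assignment.Member.Title
                LoginName     = $assignment.Member.LoginName
                PrincipalType = [string]$assignment.Member.PrincipalType
                Levels        = $levels -join ', '
                DirectUser    = $isDirectUser
            }
        }
    }
}

# Every list or library with its own ACL, and who is on it:
Get-UniquePermissionReport | Sort-Object List, Principal | Format-Table -AutoSize

# Individuals added directly instead of through a SharePoint group:
Get-UniquePermissionReport -DirectUsersOnly |
    Export-Csv -Path ./direct-user-grants.csv -NoTypeInformation
```

The report covers lists and libraries only; folders and items with unique permissions need a separate, slower pass over list items.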
What are sharing settings in SharePoint Online?
External sharing controls who can share content with people outside the organisation.
| Policy | Description | Risk Level |
|---|---|---|
| Anyone (anonymous links) | Share with anyone — no login required | High |
| New and existing guests | External users must authenticate (Entra B2B or OTP) | Medium |
| Existing guests only | Only users already in the Azure AD guest directory | Low |
| Only people in your org | No external sharing at all | None |
Governance controls:
→ Set tenant policy restrictively → override per site as needed
→ Site policy can only be EQUAL TO or MORE RESTRICTIVE than tenant
→ Set link expiry dates on anonymous links (e.g., 30 days)
→ Require re-authentication after X days for guest users
→ Restrict sharing to specific domains (allow/block list)
→ Require approval for external sharing via access requests
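The rule that the tenant policy is a ceiling for every site can be checked mechanically. This added example (not from the original page) computes each site's effective sharing level as the more restrictive of the tenant and site settings and flags sites above a chosen baseline; the function name, parameters and sample sites are constructed for illustration, and the level names are the values the SPO Management Shell reports in `SharingCapability`.

```powershell
# Sharing levels as Get-SPOSite / Get-SPOTenant report them, least to most permissive.
$SharingRank = @{
    Disabled                        = 0   # Only people in your org
    ExistingExternalUserSharingOnly = 1   # Existing guests only
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExternalUserAndGuestSharing     = 3   # Anyone (anonymous links)
}

# Hypothetical helper: emits one object per site whose effective sharing level
# is more permissive than -Baseline and whose URL is not on the approved list.
function Find-OverSharedSite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Site,
        [Parameter(Mandatory)] [string]$TenantLevel,
        [string]$Baseline = 'ExistingExternalUserSharingOnly',
        [string[]]$ApprovedUrl = @()
    )
    begin {
        foreach ($name in $TenantLevel, $Baseline) {
            if (-not $script:SharingRank.ContainsKey($name)) {
                throw "Unknown sharing level '$name'"
            }
        }
    }
    process {
        $siteLevel = [string]$Site.SharingCapability
        if (-not $script:SharingRank.ContainsKey($siteLevel)) {
            Write-Warning "Skipping $($Site.Url): unrecognised level '$siteLevel'"
            return
        }

        # The tenant setting is the ceiling, so the effective level is the
        # more restrictive of the tenant and site values.
        $effectiveRank = [Math]::Min($script:SharingRank[$siteLevel],
                                     $script:SharingRank[$TenantLevel])
        if ($effectiveRank -le $script:SharingRank[$Baseline]) { return }
        if ($ApprovedUrl -contains $Site.Url) { return }

        $effective = ($script:SharingRank.GetEnumerator() |
            Where-Object Value -eq $effectiveRank).Key

        [pscustomobject]@{
            Url         = $Site.Url
            SiteSetting = $siteLevel
            Effective   = $effective
            Baseline    = $Baseline
        }
    }
}

# Constructed sample data in the shape Get-SPOSite returns (Url, SharingCapability).
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/intranet'
                       SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr'
                       SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/partner-portal'
                       SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance'
                       SharingCapability = 'ExistingExternalUserSharingOnly' }
)

$sampleSites |
    Find-OverSharedSite -TenantLevel ExternalUserSharingOnly `
        -ApprovedUrl 'https://contoso.sharepoint.com/sites/partner-portal' |
    Format-Table -AutoSize

# Against a live tenant (after Connect-SPOService):
# Get-SPOSite -Limit All |
#     Find-OverSharedSite -TenantLevel (Get-SPOTenant).SharingCapability
```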
What are Sensitivity Labels in SharePoint Online?
Sensitivity Labels (Microsoft Purview) applied to SharePoint sites enforce data protection policies at the container level.
Sensitivity label capabilities on sites:
Privacy setting: Enforce site privacy (Public/Private)
External sharing: Block external sharing (e.g., "Highly Confidential" = no external)
Unmanaged device access: Browser-only on personal devices, no download
Teams/Groups settings: Control guest access, meeting options
Example:
Owner creates site → selects "Highly Confidential" label
Label automatically:
→ Sets privacy = Private (cannot be changed by owner)
→ Disables external sharing for this site
→ Restricts personal device access to browser-only
→ Applies to all documents in the site (auto-labelling)
→ Reports to Purview compliance portal for audit
4. SharePoint Online Administration
What is the SharePoint Admin Centre?
The SharePoint Admin Centre (admin.microsoft.com → SharePoint) is the central management portal.
| Section | Capabilities |
|---|---|
| Sites | View all sites, create/delete, storage quotas, set admins, configure sharing per site |
| Policies | Sharing settings, access control, device policies, idle session sign-out |
| Settings | Storage limits, site creation settings, OneDrive settings |
| Content services | Term Store, Content Type Gallery, Microsoft Syntex |
| Migration | Migration Manager for file server/Google Drive to SharePoint |
| Reports | Active sites, storage usage, sharing activity |
What is SharePoint PowerShell — PnP PowerShell vs SPO Management Shell?
SPO Management Shell (Microsoft.Online.SharePoint.PowerShell): Microsoft's official module for tenant-level administration.
PnP PowerShell (PnP.PowerShell): community-driven module with 500+ cmdlets covering tenant administration AND site-level content management, provisioning, and automation.
# SPO Management Shell — tenant admin:
Connect-SPOService -Url https://contoso-admin.sharepoint.com
Get-SPOSite -Limit ALL | Where-Object {$_.StorageUsageCurrent -gt 1000}
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/hr -StorageQuota 5120
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
New-SPOSite -Url https://contoso.sharepoint.com/sites/newsite -Owner admin@contoso.com -StorageQuota 1024
# PnP PowerShell — site content and config:
Connect-PnPOnline -Url https://contoso.sharepoint.com/sites/hr -Interactive
Get-PnPList | Select-Object Title, ItemCount
Add-PnPField -List "Documents" -DisplayName "Department" -InternalName "Dept" -Type Choice
Invoke-PnPSiteTemplate -Path ./site-template.xml   # current name for Apply-PnPProvisioningTemplate
Get-PnPSiteTemplate -Out ./site-backup.xml
Tip: PnP PowerShell is the go-to tool for most SharePoint automation. SPO Management Shell for tenant-level operations PnP doesn't cover (CDN configuration, tenant sharing settings).
What is SharePoint storage management?
SharePoint Online storage model:
Tenant storage pool:
1 TB base + 10 GB per licence purchased
Example: 500 users → 1 TB + 5 TB = 6 TB total pool
Site storage:
→ Each site draws from the tenant pool
→ Default: each site gets up to 25 TB (or pool limit)
→ Admins set per-site storage quotas (in MB) in Admin Centre
OneDrive storage (separate from SharePoint pool):
→ Each user: 1 TB (or more with licence)
Storage consumers to monitor:
→ Version history: each version = complete file copy
100 versions × 10 MB = 1 GB per document
→ Recycle bins: first + second stage count against quota
→ Large file libraries without version limits → storage bloat
Remediation:
→ Set version limits (major only, limit to 50)
→ Schedule recycle bin emptying
→ Run storage reports: SharePoint Admin Centre → Sites → Storage Used
→ PnP: Get-PnPSite -Includes StorageUsage, StorageMaximumLevel
What is the Site Lifecycle and how do you manage it?
Site lifecycle stages:
1. Provisioning → controlled creation (self-service or admin-approved)
2. Active use → regular access tracked via usage analytics
3. Inactive → no activity for 180 days → Microsoft notifies owner
4. Review → owner confirms: still needed or ready for deletion
5. Archival → content archived before deletion if needed
6. Deletion → soft delete → 93-day recovery window
7. Permanent delete → after 93 days, irrecoverable
Key facts:
→ 93-day recovery window for deleted sites in Admin Centre recycle bin
→ After 93 days: permanently deleted — no recovery
→ Microsoft 365 inactive site policies: auto-detect and notify
→ Always confirm with site owner before deleting — inactive ≠ dead
Tip: The 93-day recovery window is a critical fact in every SharePoint admin . After this period, all content is permanently gone. Always verify with owners before deletion.
5. Content Management & Key Features
What is versioning in SharePoint Online?
Version types:
Major only: 1.0, 2.0, 3.0 — published versions
Major + minor: 1.0, 1.1, 1.2, 2.0 — drafts (minor) + published (major)
Storage impact:
Each version = complete file copy
100 versions × 10 MB document = ~1 GB storage consumed
Unlimited versioning → storage bloat on large libraries
Recommended configuration:
Document libraries: Major versions only, limit to 50
Intranet pages: Major + minor, limit 10 major + 10 minor
Compliance: Major + minor, no limit (regulatory requirement)
Restore previous version:
Via UI: Document → Version History → Restore
Via PnP: Restore-PnPFileVersion -Url /sites/hr/docs/policy.docx -Identity 3.0
What are SharePoint Lists vs Libraries?
SharePoint List: structured data storage — rows and columns. Stores data (not files).
SharePoint Library: document storage with metadata — each row is a file with associated metadata columns. Adds versioning, check-in/out, and co-authoring.
| | List | Library |
|---|---|---|
| Stores | Data (items/rows) | Files (documents) |
| Versioning | Yes (optional) | Yes (recommended) |
| Check-in/out | No | Yes |
| Templates | No | Yes (per content type) |
| Use for | Issue trackers, tasks, asset registers, contacts | Policies, contracts, reports, templates |
What is the SharePoint List View Threshold (LVT)?
List View Threshold: 5,000 items per view
→ SharePoint throttles queries returning > 5,000 items in a single view
→ Returns error: "This view cannot be displayed because it exceeds the list view threshold"
Workarounds:
1. Create indexed columns on the most-filtered columns
→ Index: Status, Department, Created, Modified
2. Use filtered views that return < 5,000 items
3. Use modern search instead of list views for large lists
4. Use Power BI or Power Apps for large data visualisation
5. Archive old items to a separate "Archive" library periodically
Indexing:
→ List Settings → Indexed columns → add up to 20 indexes
→ Always index columns used in view filters, sorts, and group-by
→ Required BEFORE the list grows beyond 5,000 items
(cannot add index to column if list already > 5,000 and no index exists)
Warning: Adding indexes to large lists (>5,000 items) when no index exists can fail. Always add indexes proactively when creating lists that may grow large.
What is Microsoft Syntex?
Microsoft Syntex is a content AI service automatically extracting, classifying, and processing content in SharePoint libraries.
| Feature | Description |
|---|---|
| Document understanding | Train AI models to classify documents and extract fields (invoice → vendor, amount, date) |
| Form processing | Extract structured data from forms and PDFs |
| Auto-tagging | Automatically apply content types and metadata to uploaded documents |
| Content assembly | Generate documents from templates using SharePoint data |
| eSignature | Send documents for e-signature directly from SharePoint |
| Microsoft 365 Backup | Rapid point-in-time restore of sites, libraries, or items |
Tip: Syntex solves the "metadata entry burden" problem — the main reason SharePoint metadata strategies fail in practice. Auto-classification means users don't have to manually tag every uploaded document.
What is SharePoint Search and how does it work?
SharePoint Online search key concepts:
Crawl → automatic continuous crawling (no manual schedule needed)
Managed props → searchable/queryable metadata (Author, Created, ContentType)
Security trim → users only see results they have permission to access (always on)
Query rules → promote specific results for specific queries
Result sources → scope search to specific locations (site, library, content type)
Microsoft Search (modern):
→ AI-powered, graph-aware, works in SharePoint, Teams, Office apps
→ Bookmarks: admin-configured top results ("IT Helpdesk" always returns IT support site)
→ Acronyms, Q&A, Floor plans: additional answer types
Classic search (legacy):
→ Customisable result pages, query rules, promoted results
→ Being phased out — use Microsoft Search for new implementations
Configure Microsoft Search answers:
Microsoft 365 Admin Centre → Search & Intelligence → Answers
→ Bookmarks: pin specific URLs for specific search queries
→ Q&A: define answers to common questions
→ Acronyms: define org-specific abbreviations
6. Governance & Compliance
What are the key SharePoint governance controls?
| Control | Description |
|---|---|
| Site creation policy | Restrict self-service site creation to specific groups or admins only |
| External sharing policy | Tenant + per-site sharing levels, domain restrictions, link expiry |
| Sensitivity labels | Enforce data protection at container level |
| Retention policies (Purview) | Retain or delete content based on age or label |
| DLP policies | Detect and block sharing of sensitive content (SSN, credit card, etc.) |
| Conditional Access | Restrict access from unmanaged devices, specific IPs, or locations |
| Information barriers | Prevent certain groups from communicating or sharing with each other |
| eDiscovery & Legal holds | Preserve content for legal proceedings |
What is Microsoft Purview integration with SharePoint Online?
Purview capabilities for SharePoint:
Retention policies:
→ Retain content for X years (cannot be deleted during retention)
→ Delete content after X years (auto-disposal)
→ Apply to: all SPO sites, specific sites, or by sensitivity label
→ Disposition review: human review required before permanent deletion
DLP policies:
→ Detect sensitive data in SharePoint (credit card numbers, NHS numbers, etc.)
→ Actions: block sharing externally, alert admin, notify user
→ Works on files AND list items
eDiscovery:
→ Search across SharePoint and other M365 services for legal matters
→ Place content on Legal Hold — prevents deletion even if retention period ends
→ Export content in standard formats for legal review
Audit log:
→ All SharePoint activity logged (file access, permission changes, sharing)
→ Retention: 90 days (standard) / 1 year (M365 E3) / 10 years (E5 compliance)
→ Search via: Purview compliance portal → Audit
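The audit log is most useful when the sharing and permission events are pulled out of the general activity stream. This added example (not from the original page) filters unified audit log records for three SharePoint operations that matter to the governance rules above and summarises them per user; the function names and the sample records are constructed, and the record shape (an `AuditData` JSON string per record) is that returned by `Search-UnifiedAuditLog`.

```powershell
# Operations worth reviewing, mapped to a readable finding.
$WatchedOperations = @{
    AnonymousLinkCreated     = 'Anyone link created'
    SharingInheritanceBroken = 'Permission inheritance broken'
    SiteCollectionAdminAdded = 'Site collection administrator added'
}

# Hypothetical helper: turns raw audit records into findings, dropping
# everything that is not a watched SharePoint/OneDrive operation.
function Select-SharePointAuditFinding {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        try {
            $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop
        } catch {
            Write-Warning 'Skipping record with unparseable AuditData'
            return
        }
        if ($data.Workload -notin 'SharePoint', 'OneDrive') { return }
        $operation = [string]$data.Operation
        if (-not $script:WatchedOperations.ContainsKey($operation)) { return }

        [pscustomobject]@{
            Time    = [datetime]$data.CreationTime
            User    = $data.UserId
            Finding = $script:WatchedOperations[$operation]
            Object  = $data.ObjectId
            Site    = $data.SiteUrl
        }
    }
}

# Hypothetical helper: counts findings per user and type, busiest first.
function Get-AuditFindingSummary {
    param([Parameter(Mandatory)] [object[]]$Finding)
    $Finding | Group-Object User, Finding |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                User    = $_.Group[0].User
                Finding = $_.Group[0].Finding
                Count   = $_.Count
                Latest  = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        }
}

# Constructed sample records (not real log data).
$sampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-01T09:12:03","Operation":"AnonymousLinkCreated","Workload":"SharePoint","UserId":"alex@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/hr/Shared Documents/salaries.xlsx","SiteUrl":"https://contoso.sharepoint.com/sites/hr/"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-01T09:15:40","Operation":"FileAccessed","Workload":"SharePoint","UserId":"alex@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/hr/Shared Documents/policy.docx","SiteUrl":"https://contoso.sharepoint.com/sites/hr/"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-02T14:01:55","Operation":"SharingInheritanceBroken","Workload":"SharePoint","UserId":"sam@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/finance/Reports","SiteUrl":"https://contoso.sharepoint.com/sites/finance/"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-03T08:30:10","Operation":"AnonymousLinkCreated","Workload":"SharePoint","UserId":"alex@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/hr/Shared Documents/contracts.zip","SiteUrl":"https://contoso.sharepoint.com/sites/hr/"}' }
)

$findings = @($sampleRecords | Select-SharePointAuditFinding)
$findings | Sort-Object Time | Format-Table Time, User, Finding, Object -AutoSize
Get-AuditFindingSummary -Finding $findings | Format-Table -AutoSize

# Against a live tenant (after Connect-ExchangeOnline):
# Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#     -Operations AnonymousLinkCreated,SharingInheritanceBroken,SiteCollectionAdminAdded `
#     -ResultSize 5000 | Select-SharePointAuditFinding
```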
What is Conditional Access for SharePoint Online?
Conditional Access policies (configured in Entra ID / Azure AD) can restrict SharePoint access based on device compliance, location, or risk level.
SharePoint-specific Conditional Access scenarios:
Unmanaged devices:
→ Allow full access from Intune-managed devices
→ Browser-only (no download, no sync) from personal/unmanaged devices
→ Block access entirely from non-compliant devices
Network location:
→ Only allow access from corporate IP ranges
→ Block access from specific countries
Sensitivity label integration:
→ "Highly Confidential" label automatically enforces browser-only on unmanaged devices
→ No separate Conditional Access policy needed — label handles it
Configure in SharePoint Admin Centre → Policies → Access control
→ Unmanaged devices: Allow full access / Limited browser-only / Block
→ Network location: specify allowed IP ranges
7. Scenario-Based Questions
Scenario: Design a SharePoint Online intranet for a 5,000-person organisation with 10 departments.
Architecture:
- Root/Intranet Hub: communication site registered as top-level hub. Contains: global news, CEO announcements, company-wide navigation, Viva Connections integration.
- Departmental sub-hubs (×10): each department gets a communication site registered as a hub associated to the Intranet Hub:
  - HR Hub, IT Hub, Finance Hub, Marketing Hub, Legal Hub, etc.
- Team collaboration sites: each team/project gets a Team site associated to its departmental hub. Microsoft 365 Group-connected → automatic Teams, mailbox, Planner.
- Information architecture:
  - Term Store: Department, Location, Topic, Document Type
  - Content Types: Policy, Procedure, Report, Contract — published from Content Type Hub
  - Required metadata on all library content types
- Navigation: Hub navigation per hub level. Global navigation via Viva Connections app bar.
- Search: Microsoft Search Bookmarks for key destinations (HR portal, IT helpdesk, Finance reporting). Verticals for People, Departments, Policies.
- Governance: PnP provisioning templates for consistent site creation. Sensitivity labels for confidential sites. External sharing: blocked by default, enabled per-site on request with approval workflow.
Scenario: Users are accidentally deleting documents. How do you prevent and recover?
Prevention:
- Custom permission level "Contribute without Delete": remove the "Delete Items" permission. Assign to regular users — they can edit but not delete.
- Require check-out on critical libraries: users must check out before editing — prevents accidental overwrites.
- Retention policy (Purview): during retention period, even site owners cannot permanently delete content.
- Versioning: ensure versioning is enabled — overwritten documents have recoverable previous versions.
Recovery:
- Site recycle bin: available for 93 days. Site owners can restore.
- Second-stage recycle bin: site collection admin recycle bin — another 93-day window after first-stage deletion.
- Microsoft 365 Backup (Syntex): rapid point-in-time restore of libraries or entire sites.
# Restore from recycle bin via PnP:
Restore-PnPRecycleBinItem -Identity $itemGuid
# Check recycle bin contents:
Get-PnPRecycleBinItem | Sort-Object DeletedDate -Descending | Select-Object -First 20
Scenario: How do you migrate 10TB of file server content to SharePoint Online?
- Assessment: SharePoint Migration Assessment Tool (SMAT) — scan file server for file count, total size, path length issues (max 400 chars), special characters, blocked file types.
- Information architecture design: map folder structure to SharePoint sites/libraries. Avoid replicating deep folders — redesign with metadata. "2024" folder → Year metadata column.
- Target provisioning: create destination sites and libraries using PnP PowerShell provisioning templates.
- Migration Manager (SharePoint Admin Centre):
  - Install agent on file server
  - Set up migration tasks: source folder → destination library
  - Run pre-migration scan for errors
- Phased migration:
  Phase 1: Pre-migration copy (overnight — bulk of data)
  Phase 2: Delta copy (capture changes since pre-migration)
  Phase 3: Cutover (set source to read-only, final delta, redirect users)
- Permission mapping: Migration Manager maps file server ACLs to SharePoint groups. Validate and simplify — fewer, broader permissions are easier to maintain.
- User communication: training on new SharePoint experience, new URL bookmarks, OneDrive sync client configuration.
Tip: Migration is the opportunity to redesign with flat structure + metadata. Never replicate the folder hierarchy as-is.
Scenario: Implement a document management system in SharePoint for a legal team.
- Dedicated site: Legal team site, restricted access. Sensitivity label "Confidential" → enforces Private, no external sharing, browser-only on unmanaged devices.
- Content types: "Contract", "Legal Opinion", "Court Filing", "NDA" — each with metadata columns (Matter number, Client, Jurisdiction, Counterparty, Effective Date, Expiry Date).
- Managed metadata: Term Store for Jurisdiction (UK, EU, US, APAC) and Practice Area (Corporate, Litigation, Employment, IP).
- Versioning: Major + minor versions, no version limit — full audit trail required for legal compliance.
- Retention policies (Purview): 7-year retention on all contract documents. Disposition review workflow at end of retention period before permanent deletion.
- Access control: matter-level permissions — only lawyers on a specific matter access that matter's documents. Break inheritance at folder/library level per matter.
- Microsoft Syntex: auto-classify uploaded documents by type, extract key metadata (counterparty, dates, values) automatically.
- eDiscovery: Microsoft Purview eDiscovery integration — legal holds on relevant content, search across all legal documents for litigation support.
Scenario: How do you handle a site that has grown to 500,000+ documents with slow search and list view errors?
- List View Threshold: ensure indexed columns are configured on all columns used in view filters, sort, and group-by. Views must filter to < 5,000 items.
  # Mark the filter columns as indexed (sets the field's Indexed property):
  Set-PnPField -List "Documents" -Identity "Department" -Values @{Indexed = $true}
  Set-PnPField -List "Documents" -Identity "Year" -Values @{Indexed = $true}
- Archive old content: move documents older than X years to an archive library or separate "Archive" site — reduces active library size.
- Metadata-based navigation: replace folder-based navigation with metadata navigation (filtered views by Year, Department, Content Type).
- Search instead of views: for ad-hoc queries across 500K documents, direct users to Microsoft Search rather than list views.
- Microsoft Syntex: if documents are untagged, use Syntex auto-classification to bulk-apply metadata — enables proper filtered views.
- Power BI report: for data analysis across large libraries, connect Power BI to SharePoint list API — handles large item counts better than list views.
8. Cheat Sheet — Quick Reference
Site Types Quick Reference
Communication site:
→ No M365 Group
→ Publish TO a wide audience
→ Intranet portals, department sites, news sites
→ Hub site candidate
Team site:
→ Connected to M365 Group
→ Collaborate WITH a team
→ Shared mailbox, calendar, Teams, Planner auto-created
→ Associate to a hub for organisational grouping
Hub site:
→ An existing site registered as a hub
→ Provides: unified nav, shared theme, aggregated search + news
→ Up to 2,000 associated sites per hub
→ Up to 26 hub-to-hub associations
OneDrive:
→ Personal site collection per user
→ Private files + sync to local device
→ 1 TB per user (more with enterprise licence)
SharePoint Permissions Model
Users → SharePoint Groups → Permission Levels → Content
Default groups:
Site Owners → Full Control
Site Members → Edit (modern) / Contribute (classic)
Site Visitors → Read
Custom permission level example — "Contribute without Delete":
Clone Contribute → uncheck "Delete Items" → Save as new level
Apply to a new group → add users who should contribute but not delete
Permission inheritance:
By default: list/library/item inherits from parent site
Break inheritance: creates unique permissions for that object
Avoid over-breaking inheritance — creates unmanageable complexity
External Sharing Quick Reference
Tenant sharing levels (most → least permissive):
1. Anyone (anonymous links — highest risk)
2. New and existing guests (Entra B2B or OTP auth required)
3. Existing guests only (must already be in Azure AD)
4. Only people in your organisation (no external sharing)
Site-level can only be equal to or more restrictive than tenant level
Governance checklist:
☐ Set tenant to "New and existing guests" or stricter
☐ Set anonymous link expiry (30 days max recommended)
☐ Restrict to allowed domains list for specific sites
☐ Enable access request approval workflow
☐ Block sharing from sensitive sites with sensitivity labels
☐ Review guest access quarterly via Entra ID Access Reviews
Storage Management Quick Reference
Tenant storage: 1 TB + 10 GB per licence
Per-site quota: set in Admin Centre (MB)
OneDrive: separate from SharePoint pool
Storage consumers:
Version history → set major only, limit to 50 versions
Recycle bins → first + second stage count against quota
Large files → identify and archive via PnP
PowerShell commands:
# Get all sites by storage:
Get-SPOSite -Limit ALL | Sort-Object StorageUsageCurrent -Descending
# Set site quota (100 GB = 102400 MB):
Set-SPOSite -Identity $siteUrl -StorageQuota 102400
# Get library storage breakdown (PnP):
Get-PnPFolderStorageMetric -FolderSiteRelativeUrl "Shared Documents"
Key Limits Reference
URL path: 400 characters max
Filename: 256 characters max
File size: 250 GB per file max
List items: 30 million max (with index)
LVT: 5,000 items per view (without index)
Indexed columns: 20 per list
Site storage: 25 TB per site
Recycle bin: 93 days recovery window
Anonymous links: Up to 30 days (recommended)
Hub associations: 2,000 sites per hub
Hubs per tenant: 2,000
Top 10 Tips
- Communication vs Team vs Hub — the three-way distinction is tested in every SharePoint . Communication = broadcast. Team = collaborate. Hub = connect. Never confuse them.
- Flat architecture over sub-sites — modern SharePoint is flat (separate site collections connected by hubs). Sub-sites are legacy and create governance problems. Proactively recommend flat architecture.
- Content Types + Managed Metadata — the foundation of enterprise information architecture. Any question about governance, compliance, or findability leads here.
- Permission levels → Groups → Users — the three-layer model. Never add individual users directly to content — always use groups.
- Break inheritance sparingly — item/folder-level permission breaks are the #1 governance anti-pattern. Use separate sites for different access requirements instead.
- Site-level sharing can only be more restrictive than tenant — tenant sets the ceiling. Sites can tighten further but never exceed the tenant policy.
- 93-day recycle bin window — after this, deleted sites and content are permanently gone. Always confirm with owners before deletion.
- List View Threshold = 5,000 — without indexes, views fail beyond 5,000 items. Add indexes proactively on filter/sort columns before the list grows. Cannot add index after exceeding LVT without an existing index.
- PnP PowerShell for automation — know the key PnP cmdlets: Connect-PnPOnline, Get-PnPList, Invoke-PnPSiteTemplate (formerly Apply-PnPProvisioningTemplate), Get-PnPSiteTemplate. These come up in every technical round.
- Microsoft Syntex solves metadata adoption — the real reason SharePoint metadata fails is user adoption. Syntex auto-tags and auto-classifies — removing the manual burden. This is the modern governance answer.