Prepare SharePoint Sites for Purview Audit: Practical Checklist for SharePoint Owners

SharePoint site owners often need to prepare their sites for a Microsoft Purview audit. This audit examines site permissions, sharing settings, content classification, and activity logs. The goal is to verify that sensitive data is protected and that access controls meet your organization’s compliance requirements. This article provides a practical checklist for SharePoint site owners to review and adjust their sites before an audit. You will learn which settings to check, how to verify permissions, and what documentation to gather.

Key Takeaways: Audit Preparation Checklist for SharePoint Sites

  • Site permissions review: Use the SharePoint admin center > Active sites > Permissions to identify all site members, owners, and external users.
  • Sharing settings check: Go to SharePoint admin center > Policies > Sharing to confirm external sharing is limited to your organization’s allowed level.
  • Sensitivity labels applied: Verify that Microsoft Purview Information Protection sensitivity labels are applied to documents and lists in the site.

What a Purview Audit Checks in SharePoint Sites

A Microsoft Purview audit reviews how your SharePoint site handles data governance, security, and compliance. The audit team examines site-level settings and user activities. They look for:

  • External sharing: Who can share content outside your organization and what level of access they can grant.
  • Permission inheritance: Whether the site breaks permission inheritance and how unique permissions are managed.
  • Sensitivity labels: Whether documents and lists are classified with the correct labels from Microsoft Purview Information Protection.
  • Activity logs: Whether audit logging is enabled and whether relevant events such as file downloads, sharing changes, and permission updates are captured.
  • Data lifecycle: Whether retention labels and retention policies are applied to site content.

Site owners do not need to configure every item from scratch. Many settings are controlled by SharePoint admins at the tenant level. However, site owners must verify that their site follows the tenant’s baseline policies and that no exceptions create compliance risks.

Checklist: Steps to Prepare Your SharePoint Site for an Audit

Use the following steps to review your site before the audit. Perform each step from a SharePoint site owner account.

  1. Check site permission levels
    Open the site, select the gear icon, and choose Site permissions. Review the list of site members, site visitors, and site owners. Remove any users or groups that no longer need access. For each group, confirm the permission level is appropriate. Site members should have Edit access, not Full Control.
  2. Review external sharing settings for the site
    In the SharePoint admin center, go to Active sites, select your site, and choose Settings > Sharing. Compare the site-level sharing setting to your organization’s allowed sharing policy. If the site allows sharing with anyone, change it to Existing guests or Only people in your organization unless your compliance team explicitly approved broader sharing.
  3. Verify sensitivity labels on documents and lists
    Open a document library, select a file, and choose Information from the details pane. Confirm that a sensitivity label appears. If no label is applied, check whether your site has a default label policy. You can apply labels manually to individual files or use auto-labeling rules. Repeat this check for a sample of at least 10 documents across different libraries.
  4. Confirm audit logging is enabled
    In the Microsoft Purview compliance portal, go to Audit > Audit log search. Verify that audit log search is turned on. If it is off, a SharePoint admin must enable it. As a site owner, you cannot enable tenant-level audit logging yourself. Report this to your admin if the setting is disabled.
  5. Review sharing invites and access requests
    In the site, go to Settings > Site permissions > Access requests and invitations. Review pending invitations and access requests. Approve or reject them before the audit. Remove any sharing invitations that are no longer needed.
  6. Check retention labels on site content
    Open a document library, select a file, and view the details pane. Look for a retention label. If retention labels are missing, ask your compliance team to apply a default retention label policy to the site. Alternatively, apply labels manually to important records.
  7. Run a permissions report
    In the SharePoint admin center, go to Active sites, select your site, and choose Permissions > Run a permissions report. This generates a CSV file showing all users and their permission levels. Save the report as evidence for the audit.
  8. Document site policies and exceptions
    Create a one-page document that lists your site’s sharing setting, permission groups, sensitivity label usage, and any exceptions approved by your compliance team. Include the date of your review and the names of site owners. Store this document in a library that the audit team can access.

Common Issues Found During SharePoint Audits and How to Fix Them

External sharing set to Anyone with a link

This setting allows anonymous sharing. Most organizations block this in their tenant default. If your site uses this setting, change it to Existing guests or Specific people. Go to SharePoint admin center > Active sites > your site > Settings > Sharing and select the appropriate option.

Unique permissions on subsites or folders

When a site breaks permission inheritance, it creates unique permissions that are harder to audit. Review all subsites and folders in your site. If unique permissions are not needed, revert to inheriting permissions from the parent. To do this, go to the subsite or folder, select Permissions, and choose Delete unique permissions.

Missing sensitivity labels on critical documents

If documents that contain personal or financial data lack labels, the audit may flag them as noncompliant. Apply a sensitivity label manually: select the document, open the details pane, and choose Edit > Apply a sensitivity label. For large libraries, ask your admin to configure auto-labeling rules in Microsoft Purview.

Orphaned users in site permissions

Users who left the organization may still appear in site permissions. Run a permissions report and compare the user list to your organization’s active directory. Remove any orphaned accounts by going to Site permissions > Show all users > Remove user.
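
The comparison described above, together with the Full Control check from step 1, can be scripted against the CSV saved in step 7. The following Python is an added example, not part of the original checklist or of any Microsoft tooling; the column names, the sample rows and the active-account list are constructed assumptions, so match them to the header row of your own export.

```python
import csv
import io

# Constructed sample of a permissions report export. Column names are assumed;
# adjust them to match the header row of the CSV your tenant produces.
SAMPLE_REPORT = """\
User,Group,Permission Level
alice@contoso.com,Site Owners,Full Control
bob@contoso.com,Site Members,Edit
carol@contoso.com,Site Members,Full Control
dave@contoso.com,Site Visitors,Read
erin_fabrikam.com#EXT#@contoso.onmicrosoft.com,Site Members,Edit
"""

# Constructed list of accounts that are still active in the directory.
ACTIVE_ACCOUNTS = {"alice@contoso.com", "bob@contoso.com", "carol@contoso.com"}


def review_permissions(report_csv, active_accounts,
                       user_col="User", group_col="Group",
                       level_col="Permission Level"):
    """Return findings keyed by category, each a sorted list of user names."""
    active = {a.strip().lower() for a in active_accounts}
    findings = {"orphaned": set(), "external": set(), "excess_full_control": set()}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row[user_col].strip().lower()
        group = row[group_col].strip().lower()
        level = row[level_col].strip().lower()
        if "#ext#" in user:
            # Guest accounts carry the #EXT# marker in their sign-in name.
            findings["external"].add(user)
        elif user not in active:
            # Present in site permissions but not in the active-account list.
            findings["orphaned"].add(user)
        # The checklist expects Full Control only for site owners.
        if level == "full control" and "owner" not in group:
            findings["excess_full_control"].add(user)
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    results = review_permissions(SAMPLE_REPORT, ACTIVE_ACCOUNTS)
    for category, users in results.items():
        print(f"{category}: {', '.join(users) or 'none'}")
```

Keep the script output alongside the saved report so the audit evidence shows both the raw export and the review of it.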

Audit logs not capturing file downloads

If audit logging is enabled but file download events are missing, check the SharePoint admin center > Settings > Audit settings. Ensure the FileAccessed event is selected. If it is not, ask your admin to enable it. This event logs when a user downloads a file.
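
To confirm from evidence that the expected events are being captured for your site, an audit log search export can be tallied per operation. This Python is an added example, not from the original article; it assumes the export is a CSV whose AuditData column holds one JSON record per row with Operation and SiteUrl fields, and the sample rows, users and site URLs are constructed.

```python
import csv
import io
import json
from collections import Counter


def build_sample_export():
    """Build a constructed export: one JSON AuditData record per CSV row."""
    finance = "https://contoso.sharepoint.com/sites/finance/"
    events = [
        ("FileAccessed", finance, "bob@contoso.com"),
        ("FileAccessed", finance, "alice@contoso.com"),
        ("FileModified", finance, "bob@contoso.com"),
        ("FileAccessed", "https://contoso.sharepoint.com/sites/hr/", "carol@contoso.com"),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for op, site, user in events:
        audit_data = json.dumps({"Operation": op, "SiteUrl": site, "UserId": user})
        writer.writerow(["2024-01-15T09:00:00Z", user, op, audit_data])
    return buf.getvalue()


def operation_coverage(export_csv, site_url, expected_ops):
    """Count events per operation for one site; list expected ones with no events."""
    site = site_url.rstrip("/").lower()
    counts = Counter()
    for row in csv.DictReader(io.StringIO(export_csv)):
        try:
            data = json.loads(row["AuditData"])
        except (KeyError, TypeError, json.JSONDecodeError):
            continue  # skip rows without a parseable AuditData record
        if not isinstance(data, dict):
            continue
        if str(data.get("SiteUrl") or "").rstrip("/").lower() == site:
            counts[str(data.get("Operation") or "")] += 1
    missing = sorted(op for op in expected_ops if counts[op] == 0)
    return dict(counts), missing


if __name__ == "__main__":
    counts, missing = operation_coverage(
        build_sample_export(),
        "https://contoso.sharepoint.com/sites/finance",
        ["FileAccessed", "SharingSet"],
    )
    print("events per operation:", counts)
    print("expected but absent:", missing or "none")
```

An operation reported as absent may also mean the activity did not occur in the exported date range, so widen the range before raising it with your admin as a logging gap.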

Site Owner Responsibilities vs SharePoint Admin Responsibilities

| Item | Site Owner | SharePoint Admin |
| --- | --- | --- |
| Enable tenant-level audit logging | Cannot change | Enable in Purview compliance portal |
| Set site-level sharing policy | Adjust in site settings | Set tenant default in admin center |
| Apply sensitivity labels | Apply manually to documents | Configure default labels and auto-labeling |
| Manage site permissions | Add or remove users | Set permission policies at tenant level |
| Apply retention labels | Apply manually or request policy | Create and publish retention label policies |
| Run permissions report | Generate from admin center | Can run reports for all sites |

Site owners control day-to-day access and content classification. SharePoint admins set the tenant-wide rules that site owners must follow. Before the audit, confirm with your admin which settings you should adjust and which are locked at the tenant level.

After completing this checklist, you will have a SharePoint site that meets common audit requirements. The next step is to schedule a regular review every quarter to keep permissions and labels current. For advanced preparation, ask your compliance team to run a Purview Data Lifecycle Management scan on your site content to identify any unlabeled items.
