SharePoint and SharePoint Online Best Practices


Microsoft SharePoint is the premier information management and sharing platform. It provides organizations with the information management, collaboration, workflow and data integration capabilities they need to drive their business processes forward. However, in order to be effective, the SharePoint solution has to be properly configured and secured. Here are the SharePoint best practices and SharePoint Online best practices for document management and administration that will help you to achieve these goals and get the most from your investment.

SharePoint and SharePoint Online Document Management Best Practices 

Here are the top SharePoint document management best practices for making the most of your SharePoint and improving both security and business performance.

Identify and classify the data you store in SharePoint and SharePoint Online 

Applicable for SharePoint and SharePoint Online

To protect the data in SharePoint, you first need to know what is there: identify the valuable assets, such as health service numbers, credit card numbers and contracts, and classify them using data classification best practices. For this purpose you can use the built-in sensitive information types and trainable classifiers in Microsoft Purview (SharePoint Online) or third-party tools like Netwrix Data Classification. Discovery and classification let you scope permissions according to the principle of least privilege, target retention and sharing controls at the content that needs them, and find stale data that can be archived or deleted so it is no longer an exposure.

Define your site’s taxonomy

Applicable for SharePoint and SharePoint Online

Choose a set of naming rules to use on your site. Be clear and consistent; by looking at the names of subsites, menu options and other things, users should immediately understand what's in front of them. If these titles are misleading, even experienced users can get lost on the site. Similarly, parallel content should share naming conventions. If the intranet gives a user the same options on separate pages, the taxonomy should be the same. If separate pages have identical sub-pages, the naming conventions should be similar.

Tag SharePoint content with metadata 

Applicable for SharePoint and SharePoint Online 

Metadata is useful for all content on your SharePoint site. Tagging a document or site with terms that describe its content, owner and sensitivity makes it easier to find, filter and protect; a classification column, for example, can drive retention labels and access reviews. Managed metadata terms are defined centrally in the term store (the Managed Metadata Service) and organized into term sets, and you can create your own terms and term sets to match your taxonomy.

Create a solid SharePoint information architecture: sites, libraries and lists

Applicable for SharePoint and SharePoint Online

When developing your SharePoint information architecture, it’s important to understand these key terms:

  • Site — A container that holds lists and document libraries.
  • List — A table with a column and row structure, like tables in Word or an Excel sheet, but with added SharePoint features like versioning, indexing and SharePoint content approval functions, as well as the ability to add workflows.
  • Library — A table used for document storage. Libraries allow you to classify, manage and tag content so you can find documents quickly.
  • Site collection — A top-level site together with all of its subsites; it is the boundary for a content database, for site collection administrators and for permission management. In modern SharePoint, Microsoft recommends creating each new site as its own site collection and connecting related ones through a hub site.
  • Hub — Hubs connect families of modern SharePoint team and communication sites. They model relationships as links instead of in a hierarchy so it’s easier to adapt to organizational changes. You can add hubs to serve as the “head” of a family of related sites that share navigation, branding and other elements. Each site can belong to only one hub at a time. However, you can associate hubs together by using a combination of navigation links and associated hubs as part of your navigation experience.

SharePoint information architecture

A standard SharePoint environment has three different site levels: web applications, site collections and webs (sites and subsites). Web applications can be created only by SharePoint administrators who have Farm Administrator privileges as well as Local Administrator permissions on the SharePoint Server. 

Every web application needs to have a root site collection, which is the site collection with the same URL as the web application. A site collection can be placed into its own content database, and can be moved between content databases that are attached in the same web application. Under the site collection are webs, which can be either the root of the site collection or a subsite of the root web. Web applications and site collections are simply containers that do not store any content directly; all content is stored in the webs. 

SharePoint Online information architecture

As organizations began migrating content from SharePoint Server to Office 365 (now Microsoft 365), Microsoft introduced the modern SharePoint experience and Office 365 Groups (now Microsoft 365 Groups).

With SharePoint Online, the basic aim is to “go flat” versus relying on a top-down hierarchy. That means creating one site for each discrete topic or unit of work. When you no longer need a topic, you can archive or delete it with little impact. In a flat environment, every site is a site collection, and each of these can be associated with a hub site.

A Microsoft 365 Group can be attached to an existing SharePoint site, with two limitations to consider:

  • You can attach a group only to the root site of a site collection (not to subsites).
  • You should connect groups only to SharePoint team sites (not other types of sites).

Use the SharePoint Recycle Bin 

Applicable for SharePoint and SharePoint Online 

SharePoint includes a Recycle Bin that can be used to review and, if necessary, restore items previously deleted from SharePoint. Items that can be restored include documents, list items, document libraries, lists, folders and sites. 

Deleted items stay in the Recycle Bin for a retention period. In SharePoint Online it is 93 days in total across both stages; in SharePoint Server it is a per-web-application setting in Central Administration (30 days by default), and the second stage is additionally capped at a percentage of the site quota (50% by default). The Recycle Bin has two levels:

  • Site Recycle Bin (first stage) — Items deleted from a site stay here until a user removes them from the bin or the retention period expires.
  • Site collection Recycle Bin (second stage) — Holds everything that leaves a first-stage bin in the site collection, whether a user emptied it or the item expired. Only site collection administrators can see it, which gives them a last line of defense against accidental or malicious deletion.

Keep in mind that "deleted" content remains readable to anyone who can open the relevant bin until it is purged, that emptying the second stage is irreversible, and that the Recycle Bin is not a substitute for retention policies or backups.

Use SharePoint document versioning

Applicable for SharePoint and SharePoint Online

Enable document versioning so that a complete version history is kept; users can track changes and restore a previous version, and administrators can roll back files that were overwritten, corrupted or encrypted by malware. To control storage use, limit how many major and minor versions are kept, but do not set the limit so low that a burst of bad saves evicts every clean copy: if ransomware or a runaway sync client rewrites a file 11 times, a 10-version limit leaves nothing to restore. Something like 10 minor drafts and a generous number of major versions (SharePoint Online defaults new libraries to 500 major versions) is a safer choice than 10 and 10.
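The following PowerShell is an added example, not code from the original article: it reports every document library in a SharePoint Online site whose versioning is off or unbounded and, unless run in report-only mode, applies the limits. It assumes the PnP.PowerShell module, an app registration whose client ID you pass to Connect-PnPOnline, and a placeholder site URL.

```powershell
# Added example (not from the original article): enforce versioning limits on
# every document library in a SharePoint Online site with PnP.PowerShell.
# Assumptions: PnP.PowerShell installed; Connect-PnPOnline with your own app
# registration; the site URL and ClientId below are placeholders.

function Set-LibraryVersioning {
    param(
        [int]$MajorVersions = 500,   # SharePoint Online default for new libraries
        [int]$MinorVersions = 10,
        [switch]$ReportOnly
    )

    # Ask for the properties we need explicitly; not all are loaded by default.
    $props = 'BaseTemplate', 'Hidden', 'EnableVersioning', 'EnableMinorVersions',
             'MajorVersionLimit', 'MajorWithMinorVersionsLimit'

    # BaseTemplate 101 = document library; skip hidden/system lists.
    $libraries = Get-PnPList -Includes $props |
        Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

    foreach ($lib in $libraries) {
        # MajorVersionLimit of 0 means "unlimited", which is a storage problem,
        # not a security one; versioning switched off is the real risk.
        $compliant = $lib.EnableVersioning -and
                     $lib.MajorVersionLimit -gt 0 -and
                     $lib.MajorVersionLimit -le $MajorVersions

        [pscustomobject]@{
            Library    = $lib.Title
            Versioning = $lib.EnableVersioning
            MajorLimit = $lib.MajorVersionLimit
            MinorLimit = $lib.MajorWithMinorVersionsLimit
            Compliant  = $compliant
        }

        if (-not $compliant -and -not $ReportOnly) {
            Set-PnPList -Identity $lib.Id -EnableVersioning $true `
                -EnableMinorVersions $true `
                -MajorVersions $MajorVersions -MinorVersions $MinorVersions
        }
    }
}

Connect-PnPOnline -Url 'https://contoso.sharepoint.com/sites/finance' `
    -Interactive -ClientId '<your-app-registration-id>'

Set-LibraryVersioning -ReportOnly | Format-Table -AutoSize   # review first
Set-LibraryVersioning                                         # then enforce
```

Run it per site collection (or loop over Get-PnPTenantSite); the report-only pass shows what would change, which matters because raising a limit never deletes versions but lowering one trims history immediately.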

Establish document retention and deletion policies 

Applicable for SharePoint and SharePoint Online

Managing content commonly requires retaining content for a set period of time and deleting content permanently at the end of the retention period. Within these two retention actions, you can further configure retention settings:

  • Retain-only — Retain content forever or a specified period
  • Delete-only — Delete content after a specified period
  • Retain and then delete — Retain content for a specified period and then delete it

You can use both retention policies and retention labels to assign retention settings to content. Use a retention policy to assign the same retention settings for content at a site or mailbox level.

Retention policies can be applied to these locations:

  • Exchange email
  • SharePoint site
  • OneDrive accounts
  • Microsoft 365 groups
  • Skype for Business
  • Exchange public folders
  • Teams channel messages
  • Teams chats

You can apply a single policy to multiple locations or to specific users or locations. You can also apply a retention policy that covers all content or content when it meets specific conditions, for example, content that contains keywords or sensitive information types.

Retention labels can be used to assign retention settings at the item level, like a folder, document or email. Unlike retention policies, retention settings from retention labels persist with the content even if it’s copied or moved to a new Microsoft 365 location.

Retention labels allow you to:

  • Start the retention period from when the content was labeled or from an event, in addition to basing it on when the content was created or last modified
  • Use trainable classifiers to identify content to label
  • Apply default labels to SharePoint documents
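As an added example (not from the original article), the following Security & Compliance PowerShell creates a "retain and then delete" retention policy for all SharePoint sites and a retention label that can be applied to individual documents, then publishes the label so it appears in SharePoint. It assumes the ExchangeOnlineManagement module and an account holding the Compliance Administrator role; the policy and label names and the 7-year (2,555-day) duration are placeholders.

```powershell
# Added example (not from the original article): retention policy + retention
# label via Security & Compliance PowerShell. Names and durations are placeholders.

Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

# Policy: keep for 7 years from last modification, then delete. Applies to the
# whole location; the setting does NOT travel with content copied elsewhere.
New-RetentionCompliancePolicy -Name 'SPO - Retain 7y then delete' `
    -SharePointLocation All -Enabled $true

New-RetentionComplianceRule -Name 'SPO - 7y rule' `
    -Policy 'SPO - Retain 7y then delete' `
    -RetentionDuration 2555 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption ModificationAgeInDays

# Label: same action, but attached to the item, so it persists through copies
# and moves between Microsoft 365 locations.
New-ComplianceTag -Name 'Contract - 7y' `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType ModificationAgeInDays `
    -Comment 'Signed contracts: keep 7 years after last change, then delete'

# A label is invisible to users until a label policy publishes it to a location.
New-RetentionCompliancePolicy -Name 'Publish contract labels' -SharePointLocation All -Enabled $true
New-RetentionComplianceRule -Policy 'Publish contract labels' -PublishComplianceTag 'Contract - 7y'

# Verify what exists and whether it has finished distributing to the workloads.
Get-RetentionCompliancePolicy -DistributionDetail |
    Select-Object Name, Enabled, DistributionStatus
Get-ComplianceTag |
    Select-Object Name, RetentionAction, RetentionDuration, RetentionType
```

Distribution to SharePoint can take hours; check DistributionStatus before assuming the policy is in force. Because a retain-and-delete policy will eventually delete content, test it on a pilot site rather than the whole tenant first.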

Consider storage limitations in SharePoint Online 

Applicable for SharePoint Online

SharePoint Online storage limitations vary by plan. The minimum amount that a tenant (organization) gets with the Microsoft 365 Business Basic, Business Standard or Business Premium licenses is 1TB of storage plus 10GB per license:

1TB + (10GB x Number of Licenses) = Total SharePoint Online Storage

To manage your SharePoint Online storage effectively, follow these best practices:

  • Regularly check the storage and usage reports in the admin center. Once SharePoint storage is full, SharePoint sites go into read-only mode.
  • Monitor the Recycle Bin and empty it regularly. The storage space it uses counts toward your organization's total storage limit.
  • Keep in mind the restrictions for copying or moving multiple files. Remember these requirements for a single copy or move operation:
    • No more than 100GB total file size
    • No more than 30,000 files
    • Each file must be less than 2GB
  • Limit the number of subsites. You are allowed to have 2,000 subsites per site (site collection). Create sites and organize them into hubs instead of creating subsites.
  • Plan before you create hubs. Your organization is limited to 2,000 hub sites. You might not need a hub site for every function, and it's important to do some planning before you create hubs.

SharePoint and SharePoint Online Administration Best Practices

Design your SharePoint farm architecture well 

Applicable for SharePoint 

Here are the primary factors to consider when deciding on a farm architecture:

  • Budget available, along with previous hardware and other investments that can be reassigned to the new initiative
  • High availability (HA) and disaster recovery (DR) requirements (RTO/RPO)
  • Anticipated content size
  • Anticipated total number of users
  • Anticipated number of concurrent users
  • Services required

SharePoint Server can represent a significant monetary cost. Hardware requirements are on the upper end of many document management systems. Each SharePoint Server must be licensed, along with each SharePoint user. Plus, since SharePoint Server does not support SQL Express, you’ll need to pay for a licensed edition of SQL Server.

Maintaining a highly available SharePoint farm also involves ongoing operational costs. The more servers and services there are to manage, the more expensive the farm becomes over time.

What services are provisioned on the farm will also impact costs and performance. If your farm has over 500 million items to crawl, you’ll need to provision a new Search Service application. If you have multiple Search Service applications, you might need to provision additional SharePoint servers to handle the load. 

Define a proper topology for your SharePoint farm

Applicable for SharePoint

Here are the most common SharePoint topology strategies:

  • Single-server farm — One server that runs both SharePoint Server and SQL Server. SharePoint Server 2016 and later have a dedicated installation role named "Single-Server Farm" for this, and it is possible to add more SharePoint servers later if the farm needs to grow. A single server offers no redundancy and concentrates every privilege on one host, so it is suitable for development and test environments rather than production.
  • Three-tier farm — The three-tier farm is one of the most common farm types. These farms consist of a single web front end, a single application server and a single SQL Server. The web front end is simply the SharePoint Server that is handling end-user traffic, while the application server is a SharePoint Server that handles most SharePoint services, such as Business Data Connectivity Services and the Managed Metadata Service.
  • Traditional highly available farms — These farms provide basic high availability because they can lose one or more SharePoint servers and SQL Servers while still serving users. An example would be two web front ends, two application servers and two SQL Servers using a form of high availability such as SQL Server failover clustering, database mirroring or AlwaysOn availability groups. Note that database mirroring has been deprecated in SQL Server since 2012; new farms should use availability groups or failover clustering.
  • MinRole farms — Introduced in SharePoint Server 2016, MinRole is a farm topology based on a set of predefined server roles. For example, if a SharePoint Server is deployed with the “Distributed Cache” MinRole, SharePoint will automatically provision the Distributed Cache service. If other services are started that do not comply with the MinRole selected for a given SharePoint Server, that server will be considered out of compliance and marked as such in Central Administration. The following MinRole options are available:
    • Distributed Cache — Runs Distributed Cache, but does not handle end-user traffic directly
    • Front-end — Handles end-user traffic and also runs the services that need low latency for end users, such as the Managed Metadata Service or User Profile Service
    • Application — Runs services that are not latency-sensitive, such as workflows or the PowerPoint Conversion Service
    • Search — Runs the specific Search roles, such as Admin or Content Processing.
  • Large High Availability (HA) MinRole farm — This farm type requires a minimum of eight SharePoint servers within the farm:
    • Two servers with the Distributed Cache MinRole
    • Two servers running the front-end MinRole (they are behind a load balancer that can detect server failure and route end-user traffic to an available server)
    • Two Application MinRole servers
    • Two Search MinRole servers

With this configuration, you can maintain availability even if any one particular role suffers a single SharePoint Server failure or there are multiple server failures across roles. 

Manage site security properly

Applicable for SharePoint and SharePoint Online

Site owners are responsible for assigning rights to users within their own sites. Rights can be assigned either directly to a user or to a group that users (or other groups) are members of. 

Security must be configured for every root site within SharePoint. When a new root site is created, the user who created it will specify the site collection administrators for the site and, by default, those individuals will be the only people with access to the new site. These site collection administrators will then grant end users appropriate levels of access to the site. 

Subsites will either inherit their rights from the site in which they are contained or have unique permissions, as determined by the settings configured for the subsite:

  • If security for a subsite is configured to be inherited from the parent site, security is not managed for the site directly; instead, security will be based on the rights assigned in the parent site.
  • If security for the subsite is configured to be unique, a site administrator will have to assign the appropriate rights to individuals who need access to the site.
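To see where inheritance has been broken in a site collection, and how much of the resulting permission model relies on directly assigned users rather than groups, the following PowerShell (an added example, not code from the original article) inventories every subsite, list and library with unique permissions. It assumes PnP.PowerShell and a Connect-PnPOnline session to the root of the site collection; the site URL and app registration ID are placeholders.

```powershell
# Added example (not from the original article): report every securable object
# in a site collection with unique permissions and how many users hold rights
# directly (not via a group). Assumes PnP.PowerShell; URL/ClientId are placeholders.

function Get-DirectUserGrantCount {
    param($Securable)   # an SP.Web or SP.List client object
    $assignments = Get-PnPProperty -ClientObject $Securable -Property RoleAssignments
    $direct = 0
    foreach ($ra in $assignments) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member
        if ($member.PrincipalType -eq 'User') { $direct++ }
    }
    return $direct
}

function Get-BrokenInheritanceReport {
    # Root web plus every subsite, however deep the hierarchy goes
    $webs  = @(Get-PnPWeb -Includes HasUniqueRoleAssignments, ServerRelativeUrl)
    $webs += Get-PnPSubWeb -Recurse -Includes HasUniqueRoleAssignments, ServerRelativeUrl

    foreach ($web in $webs) {
        if ($web.HasUniqueRoleAssignments) {
            [pscustomobject]@{
                Type        = 'Web'
                Url         = $web.ServerRelativeUrl
                DirectUsers = Get-DirectUserGrantCount -Securable $web
            }
        }
        # Lists and libraries in this web that no longer inherit from it
        $lists = Get-PnPProperty -ClientObject $web -Property Lists
        foreach ($list in $lists) {
            Get-PnPProperty -ClientObject $list -Property HasUniqueRoleAssignments, Hidden, RootFolder | Out-Null
            if (-not $list.Hidden -and $list.HasUniqueRoleAssignments) {
                [pscustomobject]@{
                    Type        = 'List'
                    Url         = $list.RootFolder.ServerRelativeUrl
                    DirectUsers = Get-DirectUserGrantCount -Securable $list
                }
            }
        }
    }
}

Connect-PnPOnline -Url 'https://contoso.sharepoint.com/sites/finance' `
    -Interactive -ClientId '<your-app-registration-id>'

Get-BrokenInheritanceReport | Sort-Object DirectUsers -Descending | Format-Table -AutoSize
```

The root web always has its own permissions, so it appears in the report; everything else listed is a deliberate or forgotten break in inheritance that should have an owner and a reason. Folders and individual items can also have unique permissions, but enumerating those is expensive on large libraries, so start at the web and list level.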

Manage permissions

Applicable for SharePoint and SharePoint Online

With both SharePoint and SharePoint Online, managing permissions effectively can help keep your network secure. Follow these best practices when granting permissions throughout your organization:

  • Use web application policies sparingly. Certain permissions can be granted directly at the web application level through user policies. A policy applies to every site collection in the web application, overrides site-level permissions and is invisible in the site permission pages, so site owners cannot see it. That is convenient for SharePoint administrators who need access to every site collection without adding themselves to each one, and SharePoint itself relies on such policies for service accounts (for example, the search crawl account has Full Read on every web application it crawls), but it also makes any account holding a policy a high-value target. Grant Full Control policies only to the few accounts that genuinely need them, use the default policy roles (Full Control, Full Read, Deny Write, Deny All) rather than custom ones where possible, and review the policy list periodically. To manage policies, open Central Administration, go to Manage web applications, select the web application and click User Policy on the ribbon; the dialog lists every current policy for that web application.
  • Use SharePoint groups. Group user accounts and Active Directory security groups into SharePoint groups, and assign permissions to the SharePoint groups rather than to individuals. SharePoint groups are defined at the site collection level and can be reused to assign rights on any site, library or list within it, which keeps the permission model readable and auditable; directly assigned user permissions accumulate silently and are the usual source of over-privileged access. Nesting AD security groups inside SharePoint groups lets membership be managed centrally, with one caveat: SharePoint cannot expand an AD group to show who is in it, so review those memberships in Active Directory.
  • Use information barriers for SharePoint Online. Information barriers are Microsoft 365 policies that compliance admins can configure to prevent users from communicating and collaborating with each other. This function is most common in highly regulated industries and companies that need to adhere to strict governance and compliance requirements.

To better understand SharePoint permissions and permission inheritance, please refer to this guide.

Manage sharing configurations

Applicable for SharePoint and SharePoint Online

Each time you share a file, you are granting access to a single file only. But when you share a folder, you grant access to the whole folder and every file and subfolder within it, including any new ones that are created in the folder later. 

When you share externally, guests receive whatever permissions you grant them, and on a group-connected team site a guest added to the group gets the same Edit rights as internal members unless you share individual items with more restrictive permissions or configure guest restrictions in advance.

Best practices for sharing include:

  • Classify your data and decide which categories may be shared externally; sensitivity labels can enforce the decision per site.
  • Disable external sharing at the tenant level and enable it only where there is a documented business reason.
  • Confine external sharing to dedicated sites rather than enabling it on sites that also hold internal-only content, so what guests can reach is contained.
  • Disable "Anyone" (anonymous) links, or where they are unavoidable make them view-only with a short expiry.
  • Require guest access and sharing links to expire, and review guest accounts periodically.
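The following SharePoint Online Management Shell script is an added example, not code from the original article. It applies the baseline above: the tenant setting acts as a ceiling (no site can be more open than the tenant), so the tenant allows only authenticated guests, every site is then closed except an approved list, and a final report shows anything still open. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator account; all URLs are placeholders.

```powershell
# Added example (not from the original article): tenant sharing baseline,
# per-site lockdown with an approved exception list, and a drift report.
# Assumes Microsoft.Online.SharePoint.PowerShell; URLs are placeholders.

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$tenantBaseline = @{
    SharingCapability                 = 'ExternalUserSharingOnly' # guests must sign in; no "Anyone" links
    DefaultSharingLinkType            = 'Internal'                # new links default to "people in your organization"
    DefaultLinkPermission             = 'View'
    ExternalUserExpirationRequired    = $true                     # guest access to a site expires unless renewed
    ExternalUserExpireInDays          = 60
    RequireAnonymousLinksExpireInDays = 7                         # only matters if Anyone links are ever re-enabled
    FileAnonymousLinkType             = 'View'
    FolderAnonymousLinkType           = 'View'
}
Set-SPOTenant @tenantBaseline

# Sites with a documented business reason for guest collaboration
$approvedForExternal = @('https://contoso.sharepoint.com/sites/partner-portal')

function Set-SiteSharingBaseline {
    param([switch]$ReportOnly)
    foreach ($site in Get-SPOSite -Limit All) {
        $target = if ($approvedForExternal -contains $site.Url) { 'ExternalUserSharingOnly' } else { 'Disabled' }
        if ("$($site.SharingCapability)" -ne $target) {
            Write-Host "$($site.Url): $($site.SharingCapability) -> $target"
            if (-not $ReportOnly) { Set-SPOSite -Identity $site.Url -SharingCapability $target }
        }
    }
}

Set-SiteSharingBaseline -ReportOnly   # review the drift first, then run it without -ReportOnly

# Drift report: every site where guests can still be invited
Get-SPOSite -Limit All |
    Where-Object { "$($_.SharingCapability)" -ne 'Disabled' } |
    Select-Object Url, SharingCapability, Owner, LastContentModifiedDate |
    Format-Table -AutoSize
```

Two things the script cannot do for you: Microsoft Entra ID's external collaboration settings and the guest settings of Microsoft 365 Groups also gate who can be invited, and existing guests keep their access until it expires or you remove them, so pair this with a review of current guest accounts.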

Audit your SharePoint and SharePoint Online regularly 

Applicable for SharePoint and SharePoint Online 

Auditing SharePoint Server 

  • Take advantage of the various logs and tools:
    • IIS logging — IIS records every HTTP request to the SharePoint web applications in its W3C log files (by default under %SystemDrive%\inetpub\logs\LogFiles). They are not the first place to look for SharePoint errors, but they show what clients actually hit: missing assets (404), authentication failures (401) and server errors (500), together with client IP, user name and time taken, so they are also the record of who requested what. Since the logs are plain text, searching them in Notepad is painful; Microsoft's Log Parser and Log Parser Studio (or PowerShell) make it easy to pull out specific status codes, users or URLs.
    • ULS logging — The Unified Logging Service is the core logging mechanism of SharePoint and usually the first place an administrator looks for SharePoint-related errors (correlation IDs shown to users can be looked up here). By default, ULS logs are located in C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\LOGS\ (15\LOGS for SharePoint 2013). Because they sit on the system drive and can grow quickly under verbose tracing, move them to a dedicated drive (Central Administration > Monitoring > Configure diagnostic logging, or Set-SPDiagnosticConfig -LogLocation) and keep the trace level at the default except while troubleshooting.
    • Event Viewer — SharePoint stores a limited amount of information in Event Viewer, but it is very useful for service-specific and ASP.Net errors. Generally, Windows services that run SharePoint, such as the SharePoint Timer or SharePoint Administration service, will show any startups or unexpected stops in the System Event log. SharePoint also logs data in a few application and service event logs, such as email statistics and log status, like when the log reached its retention limit based on space used or date.
    • Usage logging — SharePoint records a variety of information in the Usage database, which can be queried directly through its tables or the built-in views. For example, the Request Usage view shows how long a particular request took, how many CPU megacycles it consumed, the number of Distributed Cache reads and how long those reads took. Usage logging is configured in Central Administration. Gather data only for the scenarios you expect to need for farm diagnostics; logging more than required degrades farm performance.
    • Health Analyzer — The built-in SharePoint Health Analyzer is a set of rules that run periodically via the SharePoint Timer Service. These rules detect various issues, such as SharePoint application pools recycling, databases with a large amount of free space, and other minor or major issues with the farm.
    • Performance Monitor — Performance Monitor can be a useful tool for diagnosing server performance issues; you can examine outstanding ASP.NET requests, CPU usage by process and so forth.
  • Keep your audit logs separately. Unlike usage logs, which go to the separate logging database, SharePoint audit logs are written to the AuditData table inside the content database of the site collection, where anyone with db_owner on that database (including a farm administrator) can alter or delete them. Export the audit log regularly to a secured, centralized location outside the content databases, for example through the site collection's audit log reports or a SIEM collector, to protect its integrity from intruders and malicious administrators.
  • Configure log trimming. Audit logs can quickly expand to fill up your SQL Server. To prevent the audit log from filling the hard drive and potentially degrading the performance of the site collection, enable audit log trimming for site collections with extensive auditing.
  • Stay alerted on critical activities. To detect suspicious activity, consider using a third-party solution like Netwrix Auditor for SharePoint. Netwrix Auditor provides customizable alerts along with its comprehensive SharePoint auditing and reporting, so you know about critical changes in time to respond effectively.
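As an added example (not code from the original article), here is a small PowerShell parser for IIS W3C logs that does the triage the text describes doing with Log Parser: it groups HTTP 5xx responses by URL with the worst response time and the affected users, and flags clients that keep receiving 401s without ever authenticating. The log lines are constructed for illustration, not taken from a real farm; in production, feed it the contents of the log files instead.

```powershell
# Added example (not from the original article): parse IIS W3C logs and surface
# server errors and unauthenticated probing. The sample log below is constructed.

$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-03-01 08:00:01 10.0.0.5 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0 200 0 0 312
2024-03-01 08:00:02 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0 500 0 0 1874
2024-03-01 08:00:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.1.77 curl/8.4 401 2 5 4
2024-03-01 08:00:04 10.0.0.5 GET /sites/hr/_api/web/lists - 443 CONTOSO\svc-crawl 10.0.0.9 MS+Search+Crawler 200 0 0 120
2024-03-01 08:00:05 10.0.0.5 POST /_vti_bin/client.svc/ProcessQuery - 443 CONTOSO\bob 10.0.1.21 Mozilla/5.0 500 0 0 2210
2024-03-01 08:00:06 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 10.0.1.77 curl/8.4 401 2 5 3
'@

function ConvertFrom-IisLog {
    # Turns W3C log lines into objects whose property names are the #Fields: names
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $fields = $null }
    process {
        foreach ($line in $Lines) {
            if ($line.StartsWith('#Fields:')) {
                # The header defines the column order; it can change mid-file after an IIS restart
                $fields = $line.Substring(8).Trim() -split ' '
                continue
            }
            if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
            $values = $line -split ' '
            if ($values.Count -ne $fields.Count) { continue }   # malformed line; skip rather than misalign columns
            $row = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
            [pscustomobject]$row
        }
    }
}

$entries = $sampleLog -split "`r?`n" | ConvertFrom-IisLog
# For real files: Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log' | ConvertFrom-IisLog

# Server errors by URL: how many, how slow, and who hit them
$entries | Where-Object { [int]$_.'sc-status' -ge 500 } |
    Group-Object 'cs-uri-stem' |
    ForEach-Object {
        [pscustomobject]@{
            Url   = $_.Name
            Count = $_.Count
            MaxMs = ($_.Group | ForEach-Object { [int]$_.'time-taken' } | Measure-Object -Maximum).Maximum
            Users = ($_.Group.'cs-username' | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize

# Repeated 401s from one client that never presents a user name: unauthenticated
# probing, a broken service account, or a client that cannot do Kerberos/NTLM
$entries | Where-Object { $_.'sc-status' -eq '401' -and $_.'cs-username' -eq '-' } |
    Group-Object 'c-ip' | Select-Object Name, Count
```

Note that a 401 with sub-status 2 is the normal first leg of Windows authentication, so only repeated 401s with no successful follow-up request are interesting. If a load balancer sits in front of the farm, c-ip is the load balancer's address unless you log X-Forwarded-For, which is worth configuring for exactly this kind of analysis.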

Auditing SharePoint Online

SharePoint Online has no site-level audit log search of its own; SharePoint events are recorded in the Microsoft 365 unified audit log, which you can query in the Microsoft Purview compliance portal or with the Search-UnifiedAuditLog cmdlet. Keep the retention limits in mind: Audit (Standard) keeps events for 180 days (it was 90 days until late 2023), and a search cannot reach past what is retained; only Audit (Premium), which is included in E5, or the 10-year audit log retention add-on keeps events longer. If you need a longer investigative window, export events regularly to storage you control, or use a third-party solution to monitor activity, keep systems secure and ensure regulatory compliance. To monitor what’s going on in your SharePoint environment, including changes to configurations, permissions, content, and data access, consider Office 365 auditing with Netwrix Auditor.
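The PowerShell below is an added example, not code from the original article. It pages through the unified audit log for the SharePoint sharing and download events that matter most, flattens the JSON in AuditData, and archives the result outside the tenant so the investigation window is no longer bounded by Microsoft's retention. It assumes the ExchangeOnlineManagement module, an account with the View-Only Audit Logs role, and a writable archive path; the path is a placeholder.

```powershell
# Added example (not from the original article): export selected SharePoint
# events from the unified audit log to CSV. Assumes ExchangeOnlineManagement;
# the archive path is a placeholder.

Connect-ExchangeOnline    # Search-UnifiedAuditLog is an Exchange Online cmdlet

$operations = @(
    'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated',
    'AddedToSecureLink', 'FileDownloaded', 'SiteCollectionAdminAdded'
)

function Export-SpoAuditSlice {
    param([datetime]$Start, [datetime]$End, [string]$OutFile)

    $sessionId = 'spo-audit-' + $Start.ToString('yyyyMMddHHmm')
    $records = New-Object System.Collections.Generic.List[object]
    do {
        # Same SessionId + ReturnLargeSet keeps returning the next page (5,000 per call)
        $page = @(Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
                    -Operations $operations -ResultSize 5000 `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet)
        $records.AddRange($page)
    } while ($page.Count -gt 0)

    $records | Sort-Object -Property Identity -Unique | ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $_.CreationDate
            Operation = $_.Operations
            User      = $_.UserIds
            ClientIP  = $d.ClientIP
            Site      = $d.SiteUrl
            Object    = $d.ObjectId
            Target    = $d.TargetUserOrGroupName   # who content was shared with (sharing events)
        }
    } | Export-Csv -Path $OutFile -NoTypeInformation -Append
    return $records.Count
}

# Archive the last 24 hours in 6-hour slices: a single session is capped at
# 50,000 results, so windows must stay small enough to fit under that.
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-1)
while ($start -lt $end) {
    $sliceEnd = [datetime]::new([math]::Min($start.AddHours(6).Ticks, $end.Ticks))
    $file = "D:\audit-archive\spo-audit-$($start.ToString('yyyyMMdd')).csv"
    $n = Export-SpoAuditSlice -Start $start -End $sliceEnd -OutFile $file
    Write-Host "$start .. $sliceEnd : $n records -> $file"
    $start = $sliceEnd
}
```

Schedule it daily with an overlap of a few hours (events can arrive late) and deduplicate on the Identity column downstream. Write the archive to storage the SharePoint administrators cannot modify, otherwise you have only moved the integrity problem rather than solved it.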

Create a disaster recovery plan for your SharePoint site 

Applicable for SharePoint

Here are the disaster recovery options for the SQL Server databases supporting your SharePoint farm: 

  • Database mirroring — For DR, add a high-performance (asynchronous) mirror to the existing configuration; it can coexist with a local high-safety mirror, with or without automatic failover. Failover to the asynchronous mirror is a manual, forced operation that can lose the most recent transactions, and the databases are not brought online automatically. Note that database mirroring has been deprecated since SQL Server 2012 in favor of AlwaysOn availability groups.
  • Log shipping — Log shipping transfers transaction log backups from one SQL Server to another, where they are restored into the target database. It keeps the DR databases up to date and lets you use replication mechanisms outside SQL Server: for example, ship the transaction log backup to a Windows file server, replicate it with Distributed File System Replication (DFS-R) to a file server in the DR datacenter, and have the DR SQL Server restore it into the destination database. This relieves SQL Server of the replication work, and DFS-R bandwidth scheduling and compression can be tuned independently of the databases. Encrypt the backups or the transport, since the log backups contain the data.
  • AlwaysOn availability groups — An availability group can include an asynchronous-commit replica on a remote SQL Server, so a synchronous, highly available local group also has a single replica in the DR location. An asynchronous replica supports only manual failover. When the link to production is lost, the remote databases show "Not Synchronizing" in SQL Server Management Studio and remain read-only; an administrator must perform a forced failover on the DR replica (accepting possible data loss), after which its databases become read-write and the DR farm can be brought online.

Disable insecure transport security protocols in SharePoint 

Applicable for SharePoint

SharePoint Server 2016 added support for TLS 1.2 (after additional configuration of Windows and the .NET Framework); SharePoint Server 2019 and Subscription Edition use it by default. Disable the older protocols, SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1, in Schannel on every server in the farm, and first make sure SQL Server and any reverse proxy or load balancer also negotiate TLS 1.2, or the farm can lose its database connection. TLS encrypts data as it moves between services and between users and services, protecting credentials and content in transit.
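The following PowerShell is an added illustration, not a script from the article or from Microsoft. It disables SSL 2.0/3.0, TLS 1.0 and TLS 1.1 in Schannel for both the server and client sides, sets the .NET Framework to follow the operating system's protocol defaults with strong cryptography so that SharePoint's own outbound connections use TLS 1.2, and then reports the resulting state. Run it on every server in the farm, confirm SQL Server accepts TLS 1.2, and reboot; the host name in the verification comment is a placeholder.

```powershell
# Added example (not from the original article): harden Schannel and .NET on a
# SharePoint server. Requires an elevated prompt; takes effect after a reboot.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $base "$Name\$side"
        New-Item -Path $key -Force | Out-Null
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# .NET Framework 4.x: let the OS choose the protocol and use strong crypto,
# for both the 64-bit and 32-bit runtimes (SharePoint's w3wp.exe is 64-bit,
# but some tools and timer-job hosts are not).
foreach ($net in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    New-ItemProperty -Path $net -Name 'SystemDefaultTlsVersions' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $net -Name 'SchUseStrongCrypto'       -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-SchannelProtocolState {
    # Reports the explicit registry state; a missing key means the OS default applies
    foreach ($name in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $v = Get-ItemProperty -Path (Join-Path $base "$name\$side") -ErrorAction SilentlyContinue
            $enabled  = if ($null -eq $v) { '(OS default)' } else { $v.Enabled }
            $disabled = if ($null -eq $v) { '(OS default)' } else { $v.DisabledByDefault }
            [pscustomobject]@{ Protocol = $name; Side = $side; Enabled = $enabled; DisabledByDefault = $disabled }
        }
    }
}
Get-SchannelProtocolState | Format-Table -AutoSize

# After the reboot, verify from another host that the old protocols are refused, e.g.
#   openssl s_client -connect portal.contoso.com:443 -tls1_1     (should fail to handshake)
#   openssl s_client -connect portal.contoso.com:443 -tls1_2     (should succeed)
```

Order matters: harden SQL Server and any load balancer first, then the SharePoint servers, and test each web application after the reboot. Clients that cannot speak TLS 1.2 (old Office builds, legacy integrations) will stop working, which is the point, but find them in the IIS logs before rather than after the change.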

Use Kerberos or SAML for authentication in SharePoint 

Applicable for SharePoint

Kerberos is the default authentication protocol in Active Directory. Instead of NTLM's password-derived challenge/response, which can be relayed or cracked offline, Kerberos uses tickets. At logon the client obtains a ticket-granting ticket (TGT) from the Key Distribution Center (KDC), which runs on every domain controller; when the user then accesses a service such as SharePoint, the KDC's Ticket-Granting Service (TGS) issues a service ticket for that service's service principal name (SPN), and the client presents it to SharePoint for validation. With mutual authentication the service also proves its identity to the client. Tickets have a limited lifetime (10 hours by default for a TGT), but it is long enough that users rarely have to reauthenticate. For SharePoint this requires SPNs registered for each web application's host names on its application pool account, and Kerberos constrained delegation if SharePoint must pass the user's identity on to back-end systems such as SQL Server Reporting Services; if the SPNs are wrong, clients silently fall back to NTLM, so verify the protocol actually in use after configuring it.

Security Assertion Markup Language (SAML) is an XML-based standard for federated authentication. An identity provider authenticates the user and issues a signed assertion containing claims about them; the relying service (SharePoint, through its trusted identity provider configuration) authorizes the user on the basis of those claims rather than authenticating the user itself. This decoupling is why SAML is popular with modern services: the service does not need a directory or trust relationship with the system the user actually authenticates against.

For example, a user might authenticate against their own organization's Active Directory Federation Services (AD FS) server using NTLM or Kerberos and, through federation, assert their identity to a SharePoint farm run by a separate organization. Claim rules in the federation trust determine which claims SharePoint receives, and SharePoint authorizes access based on them. This is far easier to manage, and safer, than an Active Directory forest trust over the internet. Operationally, remember that SharePoint validates the assertion against the token-signing certificate stored in its trusted identity provider, so that certificate must be updated whenever AD FS rotates it, or authentication fails.

Implement high availability for SharePoint 

Applicable for SharePoint

All farm members must have a round-trip time of 1 ms or less to each other and to every SQL Server that serves the farm read-write or is a synchronous replica of it, 99% of the time measured over 10 minutes; otherwise you can see object synchronization problems, including timer job failures. They also need at least 1 Gbps connectivity. In practice this confines the farm and its synchronous SQL replicas to a metropolitan-area radius. A figure of about 186 miles (300 km) is often quoted, but light travels only about 200 km per millisecond in fiber, so a 1 ms round trip budgets roughly 100 km of path before switching and server latency are counted; measure the actual latency rather than reasoning from distance. Asynchronous DR replicas are exempt from the requirement and can be far away.
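To check the requirement instead of assuming it, the following PowerShell (an added example, not from the article) samples ICMP round-trip time with the .NET Ping class, which behaves the same in Windows PowerShell 5.1 and PowerShell 7, and reports the fraction of samples within the threshold, the 99th percentile and the maximum. Host names are placeholders, and ICMP must be permitted to the targets.

```powershell
# Added example (not from the original article): is a peer within 1 ms RTT at
# least 99% of the time over a 10-minute window? Host names are placeholders.

function Test-FarmLatency {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$DurationSeconds = 600,
        [int]$IntervalMs = 200,
        [int]$ThresholdMs = 1,
        [double]$RequiredFraction = 0.99
    )
    $ping     = New-Object System.Net.NetworkInformation.Ping
    $samples  = New-Object System.Collections.Generic.List[long]
    $timeouts = 0
    $deadline = (Get-Date).AddSeconds($DurationSeconds)

    while ((Get-Date) -lt $deadline) {
        $reply = $ping.Send($ComputerName, 1000)   # 1 s timeout
        if ($reply.Status -eq 'Success') {
            # RoundtripTime is whole milliseconds; 0 means "under 1 ms"
            $samples.Add($reply.RoundtripTime)
        } else {
            $timeouts++                             # a lost packet counts as a failed sample
        }
        Start-Sleep -Milliseconds $IntervalMs
    }

    $total  = $samples.Count + $timeouts
    $within = @($samples | Where-Object { $_ -le $ThresholdMs }).Count
    $sorted = @($samples | Sort-Object)
    $p99Index = [math]::Min([int][math]::Ceiling($sorted.Count * 0.99) - 1, $sorted.Count - 1)
    $p99 = if ($sorted.Count -gt 0) { $sorted[$p99Index] } else { $null }
    $max = if ($sorted.Count -gt 0) { $sorted[-1] } else { $null }
    $fraction = if ($total -gt 0) { $within / $total } else { 0 }

    [pscustomobject]@{
        Target          = $ComputerName
        Samples         = $total
        Timeouts        = $timeouts
        WithinThreshold = $within
        FractionWithin  = [math]::Round($fraction, 4)
        P99Ms           = $p99
        MaxMs           = $max
        Pass            = ($total -gt 0) -and ($fraction -ge $RequiredFraction)
    }
}

# Run from one farm member against every other member and every synchronous SQL replica
'wfe02.contoso.local', 'app01.contoso.local', 'sql01.contoso.local', 'sql02.contoso.local' |
    ForEach-Object { Test-FarmLatency -ComputerName $_ -DurationSeconds 600 } |
    Format-Table -AutoSize
```

ICMP measures the network path only; SQL client latency adds TCP and TDS overhead on top, so a target that barely passes here will feel slower from SharePoint. Run the test from several farm members, during busy hours as well as quiet ones, before deciding a stretched farm is viable.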

Patch your SharePoint servers regularly 

Applicable for SharePoint

Patching SharePoint is vital for both security and stability. Public updates close vulnerabilities that attackers start exploiting as soon as they are known, and an unpatched farm that is reachable from the internet is an easy target; patching does not protect against flaws that have not yet been fixed, so it complements least-privilege configuration, network restriction and monitoring rather than replacing them. Install the latest cumulative update on every server in the farm (all servers must end up on the same build), then run the Products Configuration Wizard or PSConfig to upgrade the databases. SharePoint Server 2016 and later support zero-downtime patching, which takes one server out of rotation at a time so that a highly available farm stays online while it is upgraded.

Use Object Cache accounts to improve SharePoint rendering speeds 

Applicable for SharePoint

SharePoint publishing sites use two object cache accounts to speed up page rendering on publishing pages and reduce load on SQL Server. They are usually referred to as the Portal Super User and Portal Super Reader accounts. The Portal Super User account has Full Control on the web application, while the Portal Super Reader account has only Full Read.

SharePoint will use those cache accounts to create two versions of the object cache, one with the Portal Super Reader account (which will only see published items) and one with the Portal Super User account (which will see both published items and drafts). When a user queries a publishing page, the object cache will check that user’s permissions and return the appropriate cached object. 

Object cache accounts are needed only for web applications that host publishing sites, and configuring them on other web applications does no functional harm. Remember, though, that they are privileged service accounts with a policy over every site collection in the web application: use dedicated domain accounts, never the application pool identity, the farm account or a person's account, and protect and rotate their credentials like any other high-value service account.
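The PowerShell below is an added example, not code from the article or from Microsoft. It serves both the object cache configuration described here and the web application user policies described under "Manage permissions": one function grants a web application policy idempotently (the same mechanism the User Policy dialog in Central Administration uses), the two cache accounts get their Full Control and Full Read policies through it, the object cache properties are set to the claims-encoded account names, and finally every policy on the web application is listed for review. It assumes SharePoint Server on-premises, the SharePoint Management Shell with farm administrator rights, and placeholder URL and account names.

```powershell
# Added example (not from the original article): web application user policies
# and object cache accounts on SharePoint Server. URL and accounts are placeholders.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Grant-WebAppPolicy {
    param(
        [Microsoft.SharePoint.Administration.SPWebApplication]$WebApplication,
        [string]$Account,        # DOMAIN\user
        [string]$DisplayName,
        [ValidateSet('FullControl', 'FullRead', 'DenyWrite', 'DenyAll')][string]$Role
    )
    # Policies are keyed by the claims-encoded identity, e.g. i:0#.w|contoso\svc-spsuperuser
    $claim = (New-SPClaimsPrincipal -Identity $Account -IdentityType WindowsSamAccountName).ToEncodedString()

    # Default zone policies; use $WebApplication.ZonePolicies('Extranet') etc. for other zones
    $policy = $WebApplication.Policies | Where-Object { $_.UserName -eq $claim }
    if (-not $policy) { $policy = $WebApplication.Policies.Add($claim, $DisplayName) }

    $roleType = [Enum]::Parse([Microsoft.SharePoint.Administration.SPPolicyRoleType], $Role)
    $roleObj  = $WebApplication.PolicyRoles.GetSpecialRole($roleType)
    if (-not ($policy.PolicyRoleBindings | Where-Object { $_.Name -eq $roleObj.Name })) {
        $policy.PolicyRoleBindings.Add($roleObj)
    }
    $WebApplication.Update()
    return $claim
}

$wa = Get-SPWebApplication -Identity 'https://portal.contoso.com'

$superUser   = Grant-WebAppPolicy -WebApplication $wa -Account 'CONTOSO\svc-spsuperuser' `
                                  -DisplayName 'Portal Super User'   -Role FullControl
$superReader = Grant-WebAppPolicy -WebApplication $wa -Account 'CONTOSO\svc-spsuperreader' `
                                  -DisplayName 'Portal Super Reader' -Role FullRead

# Tell the object cache which accounts to use; the value must be the claims-encoded name,
# and it must match a policy on the web application or users get "access denied".
$wa.Properties['portalsuperuseraccount']   = $superUser
$wa.Properties['portalsuperreaderaccount'] = $superReader
$wa.Update()

# Review: every account holding a web-application-level policy (Default zone)
foreach ($p in $wa.Policies) {
    [pscustomobject]@{
        WebApp       = $wa.DisplayName
        Account      = $p.UserName
        Roles        = ($p.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', '
        IsSystemUser = $p.IsSystemUser
    }
}
```

Run iisreset on each web front end afterwards so the cache picks up the new accounts. The review loop at the end is worth scheduling on its own: anything in that list that is not a known service account or a documented administrator has access to every site collection in the web application.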

Use network load balancers with your SharePoint site if it is heavy loaded 

Applicable for SharePoint

Network load balancers are essential to high availability of SharePoint for your end users. One feature to watch is SSL offloading. Many load balancers offer it, but avoid it where you can: the load balancer terminates the encryption and forwards the request to SharePoint in clear text, so credentials and content cross the internal network unprotected. If you must terminate TLS on the load balancer (for content inspection, WAF rules or cookie-based persistence), use SSL bridging instead, where the load balancer decrypts, inspects and re-encrypts to SharePoint so the back-end hop is still protected. SSL offloading also no longer buys much CPU on servers with modern Intel or AMD processors. Finally, make sure the load balancer preserves the client's IP address (for example via X-Forwarded-For), or the IIS logs will show the load balancer as the source of every request.

Configure the SharePoint Server BIOS properly to improve performance 

Applicable for SharePoint

Making a few changes to your server before you install SQL Server and SharePoint can improve its performance:

  • Check the BIOS/UEFI options for the hardware running SharePoint.
  • Disable Intel SpeedStep (dynamic frequency scaling) and deep C-states, and AMD Cool’n’Quiet, so the CPU does not clock down when it is not under load.
  • Disable C1E support, which is available on both Intel and AMD CPUs. Because SharePoint can spike in CPU load, enabling this option can cause a seesaw effect.
  • Look for OEM-specific options that could help improve performance. For HP, set the Power Regulator Mode to Static High Performance; for Dell, set the Power Management Mode to Maximum Performance.
  • Disable QPI power management to prevent throttling of lanes between multiple CPUs and physical memory.

Conclusion

Following these configuration and security best practices will help you keep your Microsoft SharePoint environment highly available and secure, driving adoption and enabling you to make the most of your investment in the collaboration platform.