MS-102 | Chapter 5 of 104 | Objective 1.5

SharePoint Online Administration

This chapter covers SharePoint Online administration, a core topic in the Microsoft 365 Administrator MS-102 exam. You will learn how to plan, configure, and manage SharePoint Online sites, permissions, sharing, and hybrid scenarios. Expect approximately 15-20% of exam questions to touch on SharePoint administration, often integrated with other workloads like Teams and OneDrive. Mastery of this topic is essential for managing content collaboration in Microsoft 365.

25 min read
Intermediate
Updated May 31, 2026

SharePoint as a Digital Filing System

Imagine a large corporation with dozens of departments, each needing to store and share documents. Instead of a single file room, they have a digital filing system with cabinets (site collections), drawers (sites), folders (libraries), and documents (files). Each cabinet has a key (permissions) that determines who can open it. Some cabinets are locked for executives only, while others are open to all employees. Inside each drawer, there are labels (metadata) that help categorize documents, such as 'Project Name' or 'Date'. The system also has a search index that scans every label and document content, allowing anyone to find a document by typing keywords. When a user requests a document, the system checks their key against the cabinet's lock; if authorized, it retrieves the document from the correct drawer. This mirrors SharePoint Online: site collections are the top-level containers, sites are subsites or teams, libraries hold files, permissions control access, and metadata enables search and navigation. The key difference is that SharePoint's search index is continuously updated and can leverage AI for intelligent discovery.

How It Actually Works

What is SharePoint Online?

SharePoint Online is a cloud-based service in Microsoft 365 that provides content management, collaboration, and intranet capabilities. It is the backbone for document storage in Teams, OneDrive, and many other Microsoft 365 services. As a Microsoft 365 Administrator, you must understand how to provision sites, manage permissions, configure sharing, and ensure compliance.

SharePoint Online Architecture

SharePoint Online is built on a multi-tenant architecture. Each tenant has a root site collection (the tenant's root site) and can have many other site collections. A site collection is a logical container that has its own permissions, navigation, and content databases. Within a site collection, you can have one or more sites (subsites). Each site can contain libraries, lists, pages, and web parts.

Key components:
- Site Collections: Top-level containers, each with its own owner, storage quota, and resource usage limits. Default site collections include the root site (tenant.sharepoint.com) and the My Site host (for OneDrive).
- Sites: Child sites within a site collection. They inherit permissions from the parent by default but can have unique permissions.
- Libraries: Document libraries store files and can have metadata columns, versioning, check-out/check-in, and approval workflows.
- Lists: Similar to libraries but for structured data (e.g., tasks, contacts, custom lists).
- Pages: Web pages that can be customized with web parts.
- Web Parts: Reusable components that display content from libraries, lists, or external sources.

Permissions and Security

SharePoint Online uses a permission model based on SharePoint groups and permission levels. There are three default groups:
- Owners: Full control over the site.
- Members: Can add, edit, and delete content.
- Visitors: Read-only access.

Permission levels define what actions a user can perform (e.g., Read, Contribute, Edit, Full Control). You can create custom permission levels. Permissions can be assigned at the site collection, site, library, folder, or item level. Breaking permission inheritance creates unique permissions for a child object, which can impact performance and management.

Sharing and External Access

Sharing is a critical feature in SharePoint Online. You can share sites, libraries, folders, or individual files with internal users or external guests. Sharing settings are controlled at the tenant level (in SharePoint admin center) and can be overridden at the site level. The sharing options include:
- Anyone with the link (anonymous access) – can be restricted to view or edit.
- People in your organization – requires authentication.
- People with existing access – link works only for those already granted access.
- Specific people – only named users.

External sharing can be enabled for guests (Azure AD B2B collaboration). You can set expiration dates for guest access and require guests to sign in using multi-factor authentication.

Site Provisioning and Templates

You can provision sites using the SharePoint admin center, PowerShell, or through Microsoft Teams (which creates a team site). Site templates (e.g., Team site, Communication site) define the default structure and features. Team sites are designed for collaboration with an associated Microsoft 365 group, while Communication sites are for broadcasting information to a broad audience.

Managed Metadata and Content Types

Managed metadata allows you to create a central taxonomy of terms that can be used across sites. Content types define the schema for a specific type of content (e.g., a contract with fields for contract number, vendor, and expiration date). You can associate workflows and retention policies with content types.

Search and Indexing

SharePoint Online has a powerful search engine that indexes content from all sites, libraries, and lists. The search index is updated continuously. You can configure search scopes, result sources, and query rules. Search can also return results from external sources (e.g., file shares) via the cloud hybrid search.

Hybrid Scenarios

Many organizations have on-premises SharePoint Server and want to integrate with SharePoint Online. Hybrid scenarios include:
- Hybrid search: Index on-premises content in the cloud search index.
- Hybrid sites: Use a common navigation and site structure across on-premises and online.
- Hybrid taxonomy: Share managed metadata between on-premises and online.
- Hybrid OneDrive: Redirect users to OneDrive for Business in the cloud.

To configure hybrid, you typically use the SharePoint Hybrid Picker or PowerShell. Azure AD Connect is required for identity synchronization.

Governance and Compliance

As an administrator, you must implement governance policies for site lifecycle, storage limits, and data retention. You can use site policies to automatically close or delete sites after a period of inactivity. Retention labels and data loss prevention (DLP) policies can be applied to SharePoint content. eDiscovery cases can search across all SharePoint sites.

Monitoring and Troubleshooting

Monitor SharePoint Online health using the Microsoft 365 admin center, SharePoint admin center, and the Microsoft 365 Health Dashboard. Common issues include permission errors, sync problems (OneDrive sync), and slow performance due to large files or complex customizations. Use the SharePoint Online Management Shell to diagnose and resolve issues.

Key PowerShell Commands

Connect-SPOService -Url https://tenant-admin.sharepoint.com – connect to SharePoint admin center.

Get-SPOSite – list site collections.

Set-SPOSite -Identity <SiteURL> -SharingCapability ExternalUserAndGuestSharing – enable external sharing.

New-SPOSite -Url <URL> -Owner <Owner> -StorageQuota <MB> -Title <Title> – create a new site collection.

Set-SPOTenant -SharingCapability Disabled – disable external sharing tenant-wide.

Default Values and Limits

Storage per site collection: Default 1 TB, can be increased up to 25 TB.

Maximum file upload size: 250 GB (for files in SharePoint Online, not in OneDrive sync).

Number of site collections per tenant: 500,000 (including personal sites).

Maximum site collection storage per tenant: Depends on subscription (e.g., 1 TB + 10 GB per user for Enterprise plans).

Resource usage limits: To prevent abuse, SharePoint Online enforces daily resource usage limits (e.g., 300 operations per user per day for certain operations).

Interaction with Other Workloads

Teams: Every Microsoft Team has an associated SharePoint team site where files are stored. The Files tab in a Teams channel points to a document library in that site.

OneDrive: OneDrive for Business is essentially a personal SharePoint site collection (My Site). It uses the same infrastructure and sharing model.

Yammer: Yammer groups can have a SharePoint site for file storage.

Power Platform: Power Apps and Power Automate can integrate with SharePoint lists and libraries.

Understanding these interactions is crucial for the MS-102 exam, where questions often span multiple workloads.

Walk-Through

1. Plan SharePoint Online Deployment

Begin by assessing organizational requirements: number of users, departments, and content types. Determine the site architecture: should you use a hub site model to organize related sites? Plan for permissions: will you use default groups or custom permission levels? Consider external sharing needs and compliance requirements. Document a governance plan that includes site creation policies, storage quotas, and retention. This step ensures that subsequent configuration aligns with business needs.

2. Configure Tenant-Level Settings

In the SharePoint admin center, navigate to Settings and configure external sharing (choose from: Anyone, New and existing guests, Existing guests, Only people in your organization). Set storage limits and resource usage quotas. Configure the default time zone and locale. Enable or disable features like the SharePoint app launcher or the ability to create sites from Teams. These settings apply tenant-wide but can be overridden per site collection.

3. Create and Configure Site Collections

Provision site collections using the admin center or PowerShell. Specify the site type (team site or communication site), title, URL, owner, and storage quota. For team sites, an associated Microsoft 365 group is created. Configure site features such as versioning, content approval, and check-out requirements. Set the default sharing link type (e.g., Internal, Direct). Assign site collection administrators if needed.

4. Manage Permissions and Sharing

For each site collection, manage permissions by adding users to SharePoint groups or assigning direct permissions. Break permission inheritance only when necessary. Configure sharing settings at the site level: enable or disable external sharing, set expiration for guest access, and restrict sharing to specific security groups. Use the Sharing report in the admin center to audit shared content.

5. Implement Governance and Compliance

Apply site policies to automatically close or delete sites after a period of inactivity. Use retention labels to manage document retention and disposal. Configure DLP policies to prevent sensitive data from being shared externally. Enable eDiscovery for legal hold. Monitor site usage and storage through the SharePoint admin center reports. Regular auditing ensures compliance with organizational policies.
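The sharing audit implied by steps 2 to 4, as an added example (not code from the original page): a PowerShell function that compares each site's SharingCapability with the tenant setting and a policy baseline, and reports sites that share beyond policy now or would do so if the tenant setting were loosened. The function name, the status names, the baseline default and the contoso URLs are assumptions made for illustration; the sample site objects are constructed so the block runs without a tenant connection.

```powershell
# Added example, not from the original page. Ranks the SharingCapability values
# from least to most permissive; comments give the admin center label for each.
$SharingRank = @{
    Disabled                        = 0   # Only people in your organization
    ExistingExternalUserSharingOnly = 1   # Existing guests
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExternalUserAndGuestSharing     = 3   # Anyone
}

function Get-SharingFinding {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [object[]] $Site,              # objects with Url and SharingCapability
        [Parameter(Mandatory)] [string]   $TenantCapability,  # e.g. (Get-SPOTenant).SharingCapability
        [string]   $Baseline    = 'ExistingExternalUserSharingOnly',  # assumed policy baseline
        [string[]] $ApprovedUrl = @()                         # sites allowed to exceed the baseline
    )
    foreach ($name in $TenantCapability, $Baseline) {
        if (-not $SharingRank.ContainsKey($name)) { throw "Unknown SharingCapability '$name'" }
    }
    foreach ($s in $Site) {
        $configured = [string]$s.SharingCapability
        if (-not $SharingRank.ContainsKey($configured)) {
            throw "Unknown SharingCapability '$configured' on $($s.Url)"
        }
        # The tenant setting is the ceiling: a looser site value is not effective.
        $effective = if ($SharingRank[$configured] -gt $SharingRank[$TenantCapability]) {
            $TenantCapability
        } else {
            $configured
        }
        $status = 'OK'
        if ($SharingRank[$effective] -gt $SharingRank[$Baseline]) {
            # Sharing beyond policy is active right now.
            $status = if ($ApprovedUrl -contains $s.Url) { 'ApprovedException' } else { 'ExceedsBaseline' }
        } elseif ($SharingRank[$configured] -gt $SharingRank[$Baseline]) {
            # Capped by the tenant today; becomes active if the tenant is loosened.
            $status = 'Latent'
        }
        [pscustomobject]@{
            Url        = $s.Url
            Configured = $configured
            Effective  = $effective
            Status     = $status
        }
    }
}

# Constructed sample input standing in for the output of Get-SPOSite -Limit All.
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr';       SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/partners'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/events';   SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/legal';    SharingCapability = 'ExistingExternalUserSharingOnly' }
)
$approved = @('https://contoso.sharepoint.com/sites/partners')
Get-SharingFinding -Site $sampleSites -TenantCapability 'ExternalUserSharingOnly' -ApprovedUrl $approved |
    Format-Table -AutoSize

# Against a live tenant (SharePoint Online Management Shell, admin session):
#   Connect-SPOService -Url https://tenant-admin.sharepoint.com
#   $tenant = (Get-SPOTenant).SharingCapability
#   Get-SharingFinding -Site (Get-SPOSite -Limit All) -TenantCapability $tenant
# Tighten a flagged site:
#   Set-SPOSite -Identity <SiteURL> -SharingCapability ExistingExternalUserSharingOnly
```

Note that `ExternalUserAndGuestSharing` is the value behind the 'Anyone' option, so setting it on a site permits anonymous links wherever the tenant setting allows them.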

What This Looks Like on the Job

Scenario 1: Large Enterprise with Multiple Departments

A multinational company with 50,000 users needs to organize content by region and department. They create a hub site for each region (e.g., North America, Europe, Asia) and associate department sites as child sites. Permissions are managed via Azure AD security groups. External sharing is enabled for partners but restricted to 'Existing guests' with expiration of 90 days. They use managed metadata for consistent tagging across regions. The challenge is maintaining performance with many sites; they monitor resource usage and enforce storage quotas (e.g., 5 TB per department). Misconfiguration often occurs when permission inheritance is broken too deeply, leading to management overhead and access issues.

Scenario 2: Migration from On-Premises SharePoint

An organization migrating from SharePoint 2013 to SharePoint Online uses the SharePoint Migration Tool (SPMT) to move content. They plan a hybrid environment during transition: on-premises search results appear in SharePoint Online via cloud hybrid search. They configure Azure AD Connect for identity sync and use the Hybrid Picker to set up hybrid sites and taxonomy. A common mistake is not updating DNS records for the hybrid configuration, causing authentication failures. They also need to manage duplicate content and ensure that migrated sites have correct permissions.

Scenario 3: Compliance-Heavy Industry (e.g., Healthcare)

A hospital uses SharePoint Online to store patient records (with appropriate de-identification). They enforce strict retention policies: documents must be kept for 7 years, then deleted. They use retention labels applied automatically via a content type. DLP policies block sharing of any document containing patient identifiers with external users. They also enable audit logging and regularly review sharing activity. The biggest risk is accidental external sharing; they configure sharing to require explicit approval for guests. Performance is a concern when storing large medical images; they set file size limits and use Power Automate workflows to compress files.

How MS-102 Actually Tests This

MS-102 Exam Focus on SharePoint Online Administration

The MS-102 exam tests your ability to manage SharePoint Online as part of Microsoft 365 administration. Key objective codes:
- 1.5 Manage SharePoint Online: Includes planning site architecture, configuring permissions and sharing, managing site collections, and implementing governance.
- 1.6 Manage Microsoft 365 Groups: Often overlaps with SharePoint team sites.
- 1.7 Manage OneDrive: Related to personal sites.

Common Wrong Answers

1. Confusing SharePoint groups with Azure AD groups: Many candidates think SharePoint groups are the same as Azure AD groups. Reality: SharePoint groups exist only within a site collection; Azure AD groups can be added to SharePoint groups but are separate.

2. Believing external sharing is disabled by default: The default tenant setting is 'New and existing guests' (external sharing enabled). Candidates often choose 'Only people in your organization' as default.

3. Thinking that breaking permission inheritance improves performance: It actually degrades performance and increases management complexity. The exam tests that you should minimize unique permissions.

4. Assuming that all site collections have the same storage limit: Default is 1 TB per site collection, but can be increased to 25 TB. The exam may ask for the default value.

Specific Numbers and Terms

Default storage per site collection: 1 TB.

Maximum file upload size: 250 GB.

Maximum number of site collections: 500,000.

Sharing options: 'Anyone', 'New and existing guests', 'Existing guests', 'Only people in your organization'.

Resource usage limit: 300 operations per user per day for certain operations.

Edge Cases and Exceptions

When a user is removed from Azure AD, they lose access to SharePoint sites (but their OneDrive content is retained for 30 days).

Site collections created via Teams have an associated Microsoft 365 group; deleting the group deletes the site.

External sharing can be blocked for specific domains via the SharePoint admin center.

Hub sites: Only site collection administrators can register a site as a hub site. A hub site can have up to 2,000 associated sites.

Eliminating Wrong Answers

If a question asks about the default sharing setting, remember it's 'New and existing guests'.

For permission inheritance, choose options that minimize breaking inheritance.

For storage limits, know the default 1 TB and maximum 25 TB.

For external sharing, understand that 'Anyone' links are anonymous and can be disabled at the tenant level.

Key Takeaways

SharePoint Online is the content platform for Microsoft 365, used by Teams, OneDrive, and Yammer.

Default external sharing setting is 'New and existing guests'; 'Anyone' links are disabled by default.

Default storage per site collection is 1 TB, maximum is 25 TB.

Maximum file upload size is 250 GB.

There are three default SharePoint groups: Owners, Members, Visitors.

Breaking permission inheritance should be minimized to avoid performance issues.

SharePoint Online uses a multi-tenant architecture with site collections as top-level containers.

Hub sites can associate up to 2,000 sites and require site collection administrator registration.

Resource usage limits help prevent abuse; default is 300 operations per user per day.

OneDrive for Business is a special SharePoint site collection (My Site).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

SharePoint Groups

Exist only within a site collection.

Cannot be used across Microsoft 365 workloads (e.g., Teams, Exchange).

Created and managed in SharePoint admin center.

Support custom permission levels.

Can include Azure AD groups as members.

Azure AD Groups

Exist across Azure AD and can be used in multiple workloads.

Can be added to SharePoint groups to grant access.

Created and managed in Azure AD admin center or via PowerShell.

Do not have permission levels; they are assigned roles in other services.

Can be synced from on-premises Active Directory.

Watch Out for These

Mistake: SharePoint Online uses the same permission model as on-premises SharePoint.

Correct: SharePoint Online has a simplified permission model with only three default groups (Owners, Members, Visitors) and no 'Design' or 'Approve' permission levels by default. You can create custom levels, but the exam tests the default model.

Mistake: External sharing is disabled by default in SharePoint Online.

Correct: The default tenant-level setting is 'New and existing guests' (external sharing enabled). Only the 'Anyone' option is disabled by default. You must explicitly change the setting to disable all external sharing.

Mistake: Breaking permission inheritance on a library improves performance.

Correct: Breaking inheritance creates unique permissions, which increases database overhead and can degrade performance. It should be used sparingly. The exam emphasizes minimizing unique permissions.

Mistake: The storage limit for a site collection is fixed at 1 TB.

Correct: The default is 1 TB, but you can increase it up to 25 TB via the SharePoint admin center or PowerShell. The exam may ask for the default or the maximum.

Mistake: SharePoint Online and OneDrive for Business use different storage and permission systems.

Correct: OneDrive for Business is a special type of SharePoint site collection (My Site). It uses the same infrastructure, storage, and permission model. The exam tests this relationship.

Frequently Asked Questions

How do I enable external sharing for a specific site in SharePoint Online?

First, ensure the tenant-level sharing setting allows external sharing (e.g., 'New and existing guests'). Then, in the SharePoint admin center, select the site, click 'Sharing', and choose the desired level (e.g., 'New and existing guests'). You can also use PowerShell: Set-SPOSite -Identity <SiteURL> -SharingCapability ExternalUserAndGuestSharing. Note that tenant settings override site settings; if tenant is set to 'Only people in your organization', you cannot enable external sharing at the site level.

What is the difference between a team site and a communication site?

A team site is designed for collaboration within a team or project. It includes a Microsoft 365 group, a shared mailbox, a calendar, and a document library. Users can add members easily. A communication site is designed for broadcasting information to a broad audience, like an intranet portal. It does not have an associated Microsoft 365 group and is typically read-only for most users. Both can have subsites, but communication sites are often used as top-level hubs.

How do I increase the storage quota for a site collection?

In the SharePoint admin center, select the site, click 'Storage limit', and set a new value up to 25 TB. Alternatively, use PowerShell: Set-SPOSite -Identity <SiteURL> -StorageQuota <MB>. Note that the tenant's total storage is limited by your subscription (e.g., 1 TB + 10 GB per user for Enterprise E3). You cannot exceed the tenant's total storage.

What happens when I delete a site collection?

The site collection is moved to the recycle bin (first-stage) and retained for 93 days. During this time, site collection administrators can restore it. After 93 days, it is permanently deleted. If the site collection is associated with a Microsoft 365 group, the group is also deleted (with its own recycle bin). The exam may ask about retention periods.

Can I use custom permission levels in SharePoint Online?

Yes, you can create custom permission levels (e.g., 'Custom Read' with specific permissions). However, the exam focuses on the default levels: Full Control, Design, Edit, Contribute, Read, and Limited Access. Custom levels are rarely tested. Note that you cannot modify the 'Full Control' level.

How do I manage SharePoint Online via PowerShell?

You need the SharePoint Online Management Shell. Install the module: Install-Module -Name Microsoft.Online.SharePoint.PowerShell. Connect to the admin center: Connect-SPOService -Url https://tenant-admin.sharepoint.com. Common commands: Get-SPOSite, Set-SPOSite, New-SPOSite, Remove-SPOSite. For user permissions, use the SPO user commands or PnP PowerShell (community module). The exam may test basic PowerShell operations.

What is the maximum number of site collections per tenant?

The maximum is 500,000 site collections (including personal sites). This is a hard limit. If you need more, you must request an increase via Microsoft support. The exam may ask for this number.
