Why “Like” and “Comment” Features Should Be Disabled in SharePoint Sites

Why “Like” and “Comment” Features Should Be Disabled in SharePoint Sites

Why “Like” and “Comment” Features Should Be Disabled in SharePoint Sites

In our wonderful age of digital collaboration, SharePoint is continuing on its march to be what it is – a  great platform for content publishing, knowledge sharing and governance (my go to!). But not every feature should be enabled in every site. Two of the most deceptively harmless and sometimes mis-understood in terms of impact are the ‘Like’ and ‘Comment’ options on SharePoint modern pages.

While Like and Comment, classed as social features may seem like a ‘Oh yes! Let’s enable them throughout because doing that will increase engagement’ Utopian statement, enabling them can undermine governance, compliance, and clarity. This is especially true in structured, regulated or formal SharePoint sites.

Why? Brainstorm time:

  1. Governance and Compliance Risks
  • Unmoderated Feedback: Comments are not subject to approval workflows using any automation engine. Anyone with access to the site from a contributor perspective can post; and guess what, those posts are immediately visible to others;
  • Audit Gaps: Comments and Likes are not version controlled. They are not visible in any audit trails, so that makes them invisible to compliance reviews. Forget using say Microsoft Purview to try track Likes or Comments – these interactions are not captured in Purview logs;
  • Policy Confusion: When users comment on pages, those comments create the illusion of a ‘feedback loop’. There would be no mechanism to act on them.
  1. Content Integrity and User Experience (UX) Clarity
  • Noise Over Signal: Comments can dilute the authority and authenticity of ‘official’ content. Users can post anything – post questions, complaints, or off-topic remarks.
  • Visual Clutter: The social bar (Like, Comment, View Count, Save for Later, etc.) adds UI elements that may distract from the page’s purpose. So, not at all useful for pages whose key objectives are Dashboards, Standard Operating Procedures (SOPs), or compliance repositories.
  • Misleading Metrics: A “Like” on a ‘policy page’ does not mean the content of that page is understood. ‘Like’ is classed as simply a ‘vanity metric’ that can mislead stakeholders.

🛠️ 3. Operational and Technical Limitations

  • No Central Moderation: SharePoint does not have an Out-Of-The-Box (OOTB)  ‘centralised comment moderation’ dashboard. Site ‘owners’ must manually monitor each page on the SharePoint site.
  • Default Enablement: If comments are enabled by default on modern pages this leads to no proactive governance – proliferate unnoticed.
  • No Alerts: Page owners will never receive notifications when comments are posted. This leads to stale and/or unaddressed feedback.

 

Example: Healthcare Intranet Misstep

Time to give you an example as to how a mid-sized healthcare provider learned the hard way. They launched a SharePoint Online communication site to publish internal policies, including those related to patient data handling and emergency standards. Unknown to the governance team, Like and Comments were enabled by default on every page on the SharePoint tenant. So, every page being created going forward on their SharePoint site had Like and Comments enabled.

Within weeks:

  • Staff began posting unmoderated feedback on sensitive policy pages;
  • Some comments included anecdotal patient references, violating internal privacy standards;
  • Others expressed disagreement with procedures, creating confusion about which policies were enforceable;
  • No one was alerted—the comments sat visible for weeks before being discovered during a routine audit.

The fallout?

  • A formal compliance review;
  • Emergency PowerShell scripts to disable comments across the tenant;
  • A new provisioning routine to enforce social feature settings;
  • Mandatory training for site owners on page settings and governance.

Best Practices for Disabling Social Features

  • Disable Comments Per Page: Use the page settings UI or PowerShell (Set-PnPClientSidePage -CommentsEnabled $false);
  • Hide the Social Bar: Use custom page templates or SPFx extensions to remove Likes, Views, and Save for Later. Check out the SharePoint Frameworks SPFX examples;
  • Automate at Scale: Include social feature settings in your site provisioning scripts or site designs;
  • Educate Site Owners: Make social feature governance part of your SharePoint training and onboarding;
  • Define the Environments. In a SharePoint / Teams instance mixed environment, split your governance based on the kind of collaboration needed. Things like Like and Comments are ‘post’ oriented and more related to the Teams Client than a SharePoint page.

My final thoughts to project to you 😊

In SharePoint, not every feature is a fit and ‘yes plonk every feature’ for every site. ‘Likes’ and ‘Comments’ are a part of Community / Project environments such as Microsoft Teams (Posts in Channels) or say Yammer-integrated pages. For policy repository based sites, policy pages, compliance dashboards, and formal communications – a governance liability.

Disable them by default. Enable them only with intent

Thoughtless SharePoint Site Provisioning: The Hidden Cost of Convenience

Thoughtless SharePoint Site Provisioning: The Hidden Cost of Convenience

Thoughtless SharePoint Site Provisioning: The Hidden Cost of Convenience

In the age of rapid collaboration and cloud-first strategies, provisioning SharePoint sites has never been easier. But with great power comes great potential for chaos. When sites are created without proper analysis, planning, or governance, organisations often find themselves buried under a mountain of sprawl, broken workflows, and compliance nightmares.

Let’s unpack why this practice is risky—and explore real-world examples where it’s gone wrong.

🚨 The Problem: Convenience Over Strategy

Provisioning a SharePoint site is just a few clicks away. But when those clicks happen without:

  • Purpose definition
  • Information architecture planning
  • Governance alignment
  • Security and compliance review

…you’re not building a solution—you’re planting a ticking time bomb.

🔍 Real-World Failures from Poor Site Provisioning

  1. The ROT Tsunami: Redundant, Obsolete, Trivial Data

A global consultancy allowed unrestricted site creation across departments. Within a year, they had over 2,000 SharePoint sites—many duplicating the same content. The result?

  • 20%+ of their data was ROT (Redundant, Obsolete, Trivial)1
  • Search performance degraded
  • Storage limits were exceeded, triggering Microsoft’s read-only mode
  • Cleanup took six months and required external consultants

“We thought we were empowering teams. We ended up drowning in digital clutter.” — IT Manager, anonymous case study

  1. Broken Provisioning Templates: The Automation Trap

An IT manager at a mid-sized firm used a custom provisioning tool to create sites based on PnP templates. Unfortunately, the tool wasn’t tested for edge cases. Several sites failed to provision correctly, leaving users with half-configured environments and broken permissions2.

  • No document libraries were created
  • Navigation links pointed to non-existent pages
  • Users lost trust in the platform

“We had to manually rebuild sites and reapply templates via PowerShell. It was a governance nightmare.” — Microsoft Q&A thread2

  1. The Collaboration Mirage: Failed Adoption

At a large enterprise, a SharePoint site was provisioned to replace an existing intranet without stakeholder input. The new site had:

  • No migration plan
  • No redirect strategy
  • No training or onboarding

Despite its modern design, users clung to the legacy site. Adoption stalled, and the new site became a ghost town.

“We built a beautiful site. Nobody came.” — Curtis Hughes, Collab365 Summit3

🧭 Why Thoughtful Provisioning Matters

✅ 1. Purpose-Driven Architecture

Every site should serve a defined purpose—project, department, community—with clear content types and lifecycle expectations.

✅ 2. Governance Alignment

Provisioning should trigger automated policies for:

  • Retention
  • Sensitivity labels
  • External sharing controls
  • Audit logging

✅ 3. Information Architecture Planning

Define:

  • Navigation structure
  • Metadata taxonomy
  • Content types
  • Permissions model

✅ 4. User Experience and Adoption

Involve stakeholders early. Design with their workflows in mind. Provide training and feedback loops.

🛠️ Geoff’s Governance Checklist for Site Provisioning

Before provisioning a site, ask:

Question Why It Matters
What is the site’s purpose? Prevents duplication and ROT
Who owns the site? Enables lifecycle and compliance tracking
What content types will be stored? Drives metadata and retention policies
Who needs access? Ensures proper permissions and security
How will the site be maintained? Avoids orphaned or abandoned sites
Is this replacing an existing site? Triggers migration and redirect planning

🧩 Final Thoughts

Provisioning a SharePoint site is not just a technical task—it’s a governance decision. Without thoughtful analysis, you risk building digital silos, eroding user trust, and violating compliance standards.

Sources:

References (3)

  1. 5 ways Teams and SharePoint sprawl is hurting your organisation. https://www.sprobot.io/blog/5-ways-teams-and-sharepoint-sprawl-is-hurting-your-organisation
  2. Sharepoint Online – Provisioning Failure – Microsoft Q&A. https://learn.microsoft.com/en-us/answers/questions/98401/sharepoint-online-provisioning-failure
  3. 7 Deadly Sins of SharePoint: Planning Successful Implementations and …. https://collab365.com/7-deadly-sins-of-sharepoint-planning-successful-implementations-and-avoiding-project-failure/
ITAR – An Office365 Dedicated Support Plan

ITAR – An Office365 Dedicated Support Plan

Introduction

If you run and/or own an Office365 tenant, you are guaranteed 99.9% uptime, you get a Service Health Dashboard, and you can see a Planned Maintenance Schedule.

Whilst these features are crucial to ensuring a resilient platform that gives visibility of status, it is important to recognise that there is another support plan which addresses compliance – particularly when it comes to who is responsible for the service, protection of connection and encryption.

Office 365 (enterprise version) offers enhanced versions of Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft Lync Online dedicated support plans that are designed to support the security, privacy, and regulatory compliance meeting the following:

•  U.S. federal government agencies requiring certification under the Federal Information Security Management Act (FISMA) of 2002.

•  Commercial entities subject to International Traffic in Arms Regulations (ITAR).

This document describes the advanced security and privacy features that are available in the ITAR-support plans from Office 365.

It also calls out any significant feature differences between Office 365 ITAR-support plan solutions and Office 365 dedicated plan solutions.

 

What is ITAR

Microsoft Office 365 ITAR-support plans are a variation of the Microsoft Office 365 dedicated plans. The primary difference is that ITAR-support plan solutions are designed to meet the security, privacy, and regulatory FISMA/FedRAMP compliance requirements for U.S. federal government agencies and support the regulatory needs of companies operating under ITAR.

These enhanced services are offered to customers under the Office 365 ITAR-support subscription plans (“ITAR-support plans”).

The ITAR dedicated support plan attempts to address frustrations of having to deal with generic (raise a support call into a ‘global queue’) helpdesk tickets regarding compliance and security. Another benefit of this support plan is the ability for those providing Office365 to help the customer build SLAs and at the same time provides more confidence in the use of online systems. Since ITAR is specific, the support resources applied will be closer to the relevant issues and will define solutions specific to those relevant issues.

Summary of ITAR

Data Protection

Encryption at Rest and Encryption in Transit

Encryption at Rest and Encryption in Transit is covered, describing that documents would be encrypted using AD RMS. Effectively, this means that users would access AD RMS documents using AD authentication. Note that Encryption at Rest only applies to Exchange and SharePoint Online. As for Encryption in Transit, there is a description concerning dedicated and Internet Connectivity.

Environment and Customer Isolation

Environment Isolation, which is the isolation of the Office 364 Environment. Per Customer Isolation – describes where data is held and how as an ITAR plan customer hardware is provisioned and segregated. Note that this segregation covers only Exchange, SharePoint and Lync online.

Connectivity Protection

Trusted Connection

Trusted Internet Connection. Very useful for thise customers who need support for TIC requirements, Office365 ITAR support plans provide a dedicated connection, rather than an direct internet connection to data centres. This service is provided to SharePoint, Exchange and Lync only.

Two Factor Authentication

Smart cards using PIV (Personal Identity Verification) can be used to ensure secure authentication of clients. However, there are a number of client responsibilities described, including PIV implementation, client side authentication, including PKI and card management. This ITAR supported provision covers Exchange and SharePoint only.

Compliance and Support considerations

Described is the ITAR level plan information concerning compliance with FISMA (Federal Information Security Management Act) covering service hosting, and Microsofts’ plans to to comply with FEDRAMP (Federal Risk and Authorization Management Program). Also, discussed are the security and screening features concerning dedicated hardware, infrastructure location, security access and screening.

Personnel and Background Checks

ITAR ensures that those responsible for supporting Office365 systems on behalf of customers undergo stringent personnel and background checks as follows:

  • Employment History Check
  • Education Verification
  • Social Security Number (SSN) Search
  • Criminal History Check
  • Office of Foreign Assets Control List (OFAC)
  • Bureau of Industry and Security List (BIS)
  • Office of Defense Trade Controls Debarred Persons List (DDTC)
  • Fingerprinting Check

The article details what kind of checks are carried out and that they are recurring checks. This is applied to Exchange, SharePoint and Lync.

Further Reading

Whilst reading up on ITAR, I found a number of other documents which are extremely useful and I would strongly suggest you check them out:

Federal Information Security Management Act of 2002 – FISMA

Recognises the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

 

International Traffic in Arms Regulations – ITAR

Controls the export and import of defense-related articles and services on the United States Munitions List (USML).

 

Federal Risk and Authorization Management Program – FEDRAMP

For security in Cloud computing, the US Government has compliance audits such as Federal Information Security Management Act of 2002 (FISMA) which cloud providers can go through to meet security standards.

FEDRAMP is a program which develops relationships between Federal agencies and cloud service providers. The program is designed to be compliant with FISMA.

 

Microsoft Office 365 ITAR-Support Service and Network Descriptions

Documents that support and further describe FISMA and ITAR-Support Solutions Service Description and the Network Service Description for Office 365 ITAR Support Plans

 

Office 365 Dedicated

Resources covering Office 365 dedicated service descriptions, deployment guidance and dedicated administration.

Office365 Service Status and SharePoint support

Office365 Service Status and SharePoint support

Am checking up on a friend who is using Office 365 within a team of 20 people, mainly for SharePoint 2013, and who relies on SharePoint support provided externally. My friend stated they want to ramp up the usage, but were concerned about service availability, and wanted to know whether it was possible to get a record of service uptime for Office 365. They were particularly interested in SharePoint Online service uptime.

That got me thinking. Not all customers using Office 365 will understand how to read the service status provided in Office 365. Even if they saw that page, without really understanding the meaning will probably gloss over some of the features within the service status offerings on that page. Also, considering the methods by which Office365 tenants are provisioned (off-the-shelf buy, through a re-seller, directly) it could be likely that literally any computer literate person could be drafted in to support the customer who takes on Office 365 who potentially has never worked in customer support!

So, yes, taking some time to understand the service statuses provided within Office 365 is useful. Particularly if you are responsible for managing SharePoint online through Office 365 (plus its other offerings), or if you are considering a move / hybrid approach and need to inform the client of the service expectation and what is used to measure service status in Office 365.

What is the Office 365 Service dashboard? The service dashboard is located in the Office 365 Admin centre, and then by clicking the View Details and History link at the foot of the current health list in the centre of the screen as shown in Figure 1.

Figure 1: The Office 365 Service Dashboard

When View Details and History is clicked, a screen showing the service health of Office 365 is displayed. These Service are Exchange Online, Identity Service, Lync Online, Office 365 Portal, Office Subscription, Rights Management Service and SharePoint Online and all are shown in expanded format showing the sub-services and their statuses. The service status is indicated by an icon which is displayed for each. Figure 2 shows each service icon, its meaning, the definition associated with that icon.

Figure 2: Office 365 Service Status icons, description and Definitions

Most of the above are self-explanatory, and for each service listed if there is any status reported other than ‘Normal service availability’ there is a link which is provided which when clicked allows the individual to get more information about the service issue.

An interesting one above is ‘False Positive’. For those working in email land you may have heard of this term before. A False Positive is essentially a message which is legitimate but marked as spam, which is then rejected or returned to the sender. So, what that means is that a report is provided that indicates a problem but does not provide clear proof. It is very important that these are noted, because if that’s not done, it will result in False Negative.

Without going into False Negatives (which I will write about in a companion article), let’s take a look at a False Positive example starring on-Premise SharePoint. Assume that a SharePoint 2013 on premise platform has a third party app deployed on it and a monitoring service carrying out remote scans of all apps and services on that platform. Note that it does not matter what the third party app does. The app identifies itself as version “1.6.11”. A remote scan provided on the platform identifies the app to be a vulnerable version (could be due to security, compatibility or other issues). The remote scan does not have further knowledge of the app, however, the scanner has reason to believe that a vulnerability exists and includes this in its reports. However, the SharePoint administrator (a human!) of the target system may know that this app has already been security-fixed to “1.6.11-1”, however, the app still identifies itself as version 1.6.11. Hence, this is a False Positive because the platform is deemed healthy.

I would suggest that False Positives are useful when identified, and should be recorded – so it has good reason to be there listed as a service status. One thing I should point out, however, is that the problem with tools to remote scan is that if they are configured strongly enough to be effective, there’s a significant chance of receiving false positives. If too many false positives are received, the monitoring becomes less proactive to the point were real issues are ignored, because of the volume of false positives and the assumption therefore that a human already ‘understands’ that there is no issue (when there is!).

Going back to getting more information concerning the service status. Figure 3 shows a list of the current health against each service in Office 365, and for any there there are issues links are provided for more information. SharePoint shows as being in extended recovery in the screenshot. You can click the View details link to get more information concerning the issue. In the figure, I have deliberately scored over the date…

Figure 3. Example of the Current health of services section in the Service Overview page

 

When clicking on the view details against a particular service status (not normal service status), another page is displayed giving further information concerning the issue covering issue, resolution action and date of next update. Figure 4 shows the page displayed when the view details link is clicked (again I have deliberately scored over the date).

Figure 4. The details page regarding the relevant incident when clicking the view details link at the foot of any service which has an issue on the service overview page

 

So, the service overview page is a good resource for identifying how the products provided in a Office 365 tenant are performing. However, without understanding the lifecycle of a service incident, it will be problematic in identifying whether a service incident is being fixed, has been fixed, is still under investigation and so on. What is the lifecycle concerning a service incident and how is that reflected on the service health dashboard? Here is an outline of that process:

  1. The incident occurs
  2. The service health dashboard is updated to ‘investigating’
  3. The incident status is posted to the service health dashboard
  4. The incident is resolved
  5. The closure summary is posted to the service health dashboard
  6. The post incident review is posted to the service health dashboard

I think this lifecycle is important to describe to your customer, as well as your service desk team (if for example you have an internal support team). When explaining the lifecycle of a service incident to a new customer, do this as part of providing Office 365 in the first place. If this is not done, there will be an assumption from the customer that they have a direct line to Microsoft Support. They will assume that they can quite literally pick up the phone, report a user challenge which they think is resolved using the product, and expect it be resolved immediately and that the resolution meets their exact requirements. Besides which, even understanding the sheer wealth of information provided on the service dashboard will overwhelm the customer, particularly if the customer has not been taken to identify, using the Service Level Agreement, the products listed of the service dashboard which will be of applicable to the them. That’s not to say the support you provide does not monitor the other services, it is just that in terms of priority that there is information going back to the customer that clearly identifies what is supported.

Conclusion.

Understanding the service dashboard is only a part of the picture in providing a successful support service for an Office 365 customer. In order for it to be effective and measurable, the results being displayed on the dashboard needs to be made meaningful and each service status to be relayed to the relevant customer in a way that makes it useful to them. So, to effectively support Office 365 and to manage customer expectation, you should define a Service Level Agreement which maps onto exactly what will be supported, since that is the key that will help you and the customer able to map the service status provided by the Office 365 service, give that meaning and provides a useful resource which can be measured.

I repeat, the principle here is a matter of what is supported. Your job as SharePoint support is to support the information worker, and in that sense, you support the usage of SharePoint. Your job is intertwined with how SharePoint is exploited to the benefit of the business. Your job is user support. However, Microsoft will see things from an entirely different perspective. Their job is product support. Microsoft cannot be expect to support your users, and certainly cannot be expected to precisely understand how your business applies to their products. So, when your query goes to Microsoft Office365 support, that query will be of several to do with the products provided within Office 365 of which SharePoint is one. That support will answer the question from a product perspective point of view. Your job, is to translate that inherently generic information into the specific information your end user needs. That means that the service status messages that are provided within the dashboard are not specific to your users concerning their use of the product, and instead the service status of the entire product provided to all customers. You must therefore take the information provided by the service status messages and relay that to the customer in a way they understand using the Service Level Agreement.

The Service Level Agreement is vital, for in the end, the only support service truly qualified to support your users is your own. The service dashboard is a resource, for that is the best it can be. If you depend 100% on Microsoft Office 365 support, the best you can hope for is an accidental or actual coincidence of purpose. I believe that is a foolish prospect, whereby one would hope or even attempt to engineer that the two widely differing set of goals (those of Microsoft and your end users) coincide somewhere, so that your company can extract some real benefit from ‘supplier’ support. I would not put all my eggs in relying on complete Microsoft support. You will still need to provide real user support and that means building a proper support model which exposes the service status. The alternative (getting the supplier to provide end user support) will simply not happen in the way the customer will expect or fully understand.

References:

SharePoint Service Level Agreement Guide

SharePoint Service Delivery

Book – SharePoint 2013 Adoption and Governance Guide

 

What is SharePoint? Video from Microsoft!

What is SharePoint? Video from Microsoft!

Microsoft have provided a great video clip explaining what SharePoint is. I think it is a really good advert for SharePoint, but at the same time, helps you demonstrate the collaboration features that enables SharePoint to solve information and collaborative challenges.

(more…)

Microsoft® SharePoint® 2013: Planning for Adoption and Governance

Microsoft® SharePoint® 2013: Planning for Adoption and Governance

Take control of user adoption and governance processes in your next SharePoint 2013 deployment—whether it’s a specific site or complete farm solution. In this book, you’ll learn proven techniques and methods that will help you better manage the entire project lifecycle concerning SharePoint implementation from a practical standpoint.

Discover how to:

  • Align organizational goals and requirements
  • Define the full scope of the project
  • Set up a team to deliver a SharePoint solution
  • Effectively communicate with and include your stakeholders
  • Prepare for user feedback and adoption
  • Establish and maintain governance through the entire project
  • Use web analytics to provide substance to governance
  • Confirm readiness for delivery to the organization

Go here to get the book and find out more information.

Microsoft Office Research and Office365 Public site connectivity

Microsoft Office Research and Office365 Public site connectivity

Just back from holidays and back into the throes of things – checking my mails find one from a client stating they want to migrate some of their in-premise SharePoint to SharePoint online.

To give this more of a scenario, here goes. The client is using SharePoint in-premise with Microsoft Office tools. Being a research body they write lots of papers and publish these on their in-premise SharePoint. They now need to make some of the documents public and wish to maintain them on their Office365 site. They are ultra-keen on ensuring that the key features of Microsoft Office are available to their SharePoint online site. One of those is the Research option.

(more…)