Services
Summary
SharePoint now allows delegation of Restricted Access Control (RAC) management to site admins, requiring justification for changes. This feature, needing a premium license, is off by default and can be enabled by SharePoint admins to reduce overhead while maintaining security and auditability. Rollout completes by April 2026.
Details
Introduction
We’re introducing the ability for SharePoint admins to delegate management of Restricted Access Control (RAC) policies to site admins. This change provides more flexibility while maintaining strong security and governance. By allowing site admins to manage RAC directly on their sites—with required justification for changes—organizations can reduce administrative overhead while improving accountability and auditability.
When this will happen:
General Availability (Worldwide, GCC, GCC High, DoD): We began rolling out in mid-March 2026 and expect to complete by late April 2026.
How this affects your organization:
Who is affected:
- SharePoint Online admins
- Site admins in tenants where delegation is enabled
- A Microsoft 365 Copilot (Premium) or SharePoint Advanced Management license is required to use this feature.
What will happen:
- By default, delegation of RAC management is turned off.
- When enabled by a SharePoint admin:
  - Site admins can manage Restricted Access Control directly from the Site information panel.
  - Site admins must provide a justification when updating RAC policies.
- RAC continues to restrict site access to a defined set of users using:
  - Microsoft 365 groups, or
  - Microsoft Entra security groups
- No changes occur to existing sites or policies unless delegation is explicitly enabled.
What you can do to prepare:
- No action is required to receive this update.
- SharePoint admins should consider the following steps to prepare for their organization:
  - Evaluate whether delegation aligns with your security model.
  - Enable delegation using:
    Set-SPOTenant -DelegateRestrictedAccessControlManagement $true
  - Verify delegation status at any time by running:
    Get-SPOTenant | Select-Object DelegateRestrictedAccessControlManagement
  - Update internal documentation and communicate expectations to site admins.
Learn more: Delegate Management of Restricted Access Control to Site Admins | Microsoft Learn
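Because delegation changes who can alter RAC on a site, it helps to record which sites have RAC and which groups they allow before turning the setting on, so later site-admin changes can be compared against a known state. The script below is an added example, not Microsoft's code. It assumes the SharePoint Online Management Shell module is installed and that `Get-SPOSite -Identity` exposes the `RestrictedAccessControl` and `RestrictedAccessControlGroups` properties; the admin URL and output path are placeholders.

```powershell
# Added example (not from the original notice): baseline RAC state, then
# optionally enable delegation and confirm the tenant setting.
param(
    # Placeholder: your tenant admin URL, e.g. https://contoso-admin.sharepoint.com
    [Parameter(Mandatory)] [string] $AdminUrl,
    # Placeholder output path for the baseline snapshot
    [string] $BaselinePath = ".\rac-baseline.csv",
    # Only change the tenant setting when explicitly requested
    [switch] $EnableDelegation
)

Connect-SPOService -Url $AdminUrl

# Record the current tenant-level setting (off by default per the notice).
$before = (Get-SPOTenant).DelegateRestrictedAccessControlManagement
Write-Host "Delegation before change: $before"

# Query each site individually; list output may not populate RAC properties.
$baseline = foreach ($site in Get-SPOSite -Limit All) {
    $detail = Get-SPOSite -Identity $site.Url
    if ($detail.RestrictedAccessControl) {
        [pscustomobject]@{
            Url         = $detail.Url
            RacEnabled  = $detail.RestrictedAccessControl
            # Sort so that a later diff is not affected by ordering
            Groups      = ($detail.RestrictedAccessControlGroups | Sort-Object) -join ';'
            CapturedUtc = (Get-Date).ToUniversalTime().ToString('o')
        }
    }
}

# Write the snapshot before any setting changes, so the baseline is pre-delegation.
$baseline | Export-Csv -Path $BaselinePath -NoTypeInformation
Write-Host "Sites with RAC enabled: $(@($baseline).Count); baseline at $BaselinePath"

if ($EnableDelegation) {
    Set-SPOTenant -DelegateRestrictedAccessControlManagement $true
    $after = (Get-SPOTenant).DelegateRestrictedAccessControlManagement
    if (-not $after) {
        throw "Delegation was requested but the tenant setting still reads '$after'."
    }
    Write-Host "Delegation after change: $after"
}
```

Re-running the script without `-EnableDelegation` and a different `-BaselinePath` produces a second snapshot that can be compared with the first using `Compare-Object`.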
Compliance considerations:
| Compliance area | Explanation |
|---|---|
| Alteration of how existing customer data is accessed | RAC management can now be delegated to site admins, changing who can control access to existing SharePoint site content. |
| Admin monitoring or compliance reporting impact | Required justification for RAC changes improves auditability and governance tracking. |
| Change to admin control or governance model | The feature is controlled by a tenant-level admin setting and is not enabled by default. |