Favorite your Message Center and Roadmap items. Access them anytime via your Profile. Export and share with your team or your LLM.

SharePoint Advanced Management: Delegate management of Restricted Access Control (RAC) to site admins

Message ID
MC1274323
View in Message Center
Services
SharePoint OnlineMicrosoft Copilot (Microsoft 365)
Category
Stay Informed
Tags
New featureAdmin impact
Rollout
March 2026April 2026

Summary

SharePoint now allows delegation of Restricted Access Control (RAC) management to site admins, requiring justification for changes. This feature, needing a premium license, is off by default and can be enabled by SharePoint admins to reduce overhead while maintaining security and auditability. Rollout completes by April 2026.

Details

[Introduction]

We’re introducing the ability for SharePoint admins to delegate management of Restricted Access Control (RAC) policies to site admins. This change provides more flexibility while maintaining strong security and governance. By allowing site admins to manage RAC directly on their sites—with required justification for changes—organizations can reduce administrative overhead while improving accountability and auditability.

[When this will happen:]

General Availability (Worldwide, GCC, GCC High, DoD): We began rolling out in mid-March 2026 and expect to complete by late April 2026.

[How this affects your organization:]

Who is affected:

  • SharePoint Online admins
  • Site admins in tenants where delegation is enabled
  • A Microsoft 365 Copilot (Premium) or SharePoint Advanced Management license is required to use this feature.

What will happen:

  • By default, delegation of RAC management is turned off.
  • When enabled by a SharePoint admin:
    • Site admins can manage Restricted Access Control directly from the Site information panel.
    • Site admins must provide a justification when updating RAC policies.
  • RAC continues to restrict site access to a defined set of users using:
    • Microsoft 365 groups, or
    • Microsoft Entra security groups
  • No changes occur to existing sites or policies unless delegation is explicitly enabled.

What you can do to prepare:

  • No action is required to receive this update.
  • SharePoint admins should consider the following steps to prepare for their organization: 
    1. Evaluate whether delegation aligns with your security model.
    2. Enable delegation using Set-SPOTenant -DelegateRestrictedAccessControlManagement $true.
    3. Verify delegation status at any time by running: Get-SPOTenant | Select-Object DelegateRestrictedAccessControlManagement
  • Update internal documentation and communicate expectations to site admins.

Learn more: Delegate Management of Restricted Access Control to Site Admins | Microsoft Learn

[Compliance considerations:]

Compliance area Explanation
Alteration of how existing customer data is accessed RAC management can now be delegated to site admins, changing who can control access to existing SharePoint site content.
Admin monitoring or compliance reporting impact Required justification for RAC changes improves auditability and governance tracking.
Change to admin control or governance model The feature is controlled by a tenant-level admin setting and is not enabled by default.

Change History

Show
Published: April 8, 2026
Last Updated: April 8, 2026
No change history available

Never Miss a Microsoft 365 Update

Join thousands of IT professionals who rely on DeltaPulse for real-time Microsoft 365 change intelligence, automated notifications, and community insights.

Explore Dashboard Sign Up Free