SharePoint Online environments can grow rapidly, and without proper governance, many sites may consume unnecessary space, and teams may struggle with unclear ownership or unchecked permissions. There are many 3rd party tools that you can use to improve site governance across your organization, but they are costly and require additional configuration and planning.
Microsoft provides built-in site lifecycle management features (part of SharePoint Advanced Management) to help you control content and enforce governance policies. Last year, those features were greatly enhanced, and with the latest update, they provide a comparable set of features to 3rd party tools.
Site lifecycle management
There are 3 policies designed to manage and govern SharePoint sites:
- Inactive site policies.
- Site ownership policies.
- Site attestation policies.
Before you start, your organization must have one of the following licenses:
- Office 365 E3, E5, or A5
- Microsoft 365 E1, E3, E5, or A5
Additionally, you need at least one of these licenses:
- Microsoft 365 Copilot license: At least one user in your organization must be assigned a Copilot license. If so, SharePoint administrators automatically gain access to these features; you don’t need to assign Copilot licenses to the administrators themselves.
- Microsoft SharePoint Advanced Management license: Available as a standalone purchase.
Inactive Site Policies
An Inactive Site policy automatically identifies SharePoint sites that have not been used for a specified period of time. The policy checks activity (site views, file downloads, etc.), and if a site is inactive, the policy flags that site in the reports. If a site is part of a team in Microsoft Teams or part of a Microsoft 365 Group, the policy monitors it as well.
Site owners receive an email notification with details about their inactive sites. If they confirm that the site should be kept, the site stays live; otherwise, the policy can make it read-only or even archive it and release the space.
Use Cases and Benefits
Inactive site policies are useful in enterprise scenarios to maintain large environments and keep them healthy. Common scenarios and benefits:
- Cleaning Up Abandoned Projects
Automatically detect project or team sites that have ended (no activity for the last X months) and prompt owners for decisions. Finished projects can consume TBs of storage!
- Site Compliance and Lifecycle Management
Enforce data lifecycle rules by archiving or deleting sites that are no longer needed.
- Security Risk Reduction
Remove inactive sites that might contain sensitive information. This reduces the surface area for potential data leaks or unauthorized access. This is extremely important when you want to deploy Copilots.
- AI readiness
By eliminating old and out-of-date sites, the content that Microsoft 365 Copilot (or other AI services) indexes remains relevant and up to date. This improves the quality of AI responses based on SharePoint content.
Site Ownership Policies
A Site Ownership policy ensures that every site has the required number of assigned owners. The policy scans your environment and detects sites that do not meet the site owner requirement (1 or 2). Such sites are flagged by the policy, and the appropriate users get a notification.
For example, if a site has only 1 owner, the policy can prompt the current owner to add another, or if a site has no owner, it can notify others (the previous owner’s manager or the site members) to take ownership.
Use Cases and Benefits
Site ownership policies are useful in enterprise scenarios to keep sites manageable. Common scenarios and benefits:
- Preventing Orphaned Sites
If a site’s sole owner leaves the organization, that site could present a security risk. The policy will catch such sites and alert managers or members to take ownership. That scenario is one of the most common issues in large organizations.
- Enforcing Best Practice
Two site owners is a common best practice to provide backup and accountability. This policy automatically flags any site with only one owner so that a secondary owner can be added. This helps avoid single points of failure and ensures someone is available to manage the site without contacting an IT team.
- Security & Compliance
It’s easier to hold someone accountable for reviewing permissions, content, and sharing on each site. Sites without owners might not be reviewed regularly by other SharePoint policies.
- Simplify IT Administration
The policy automates monitoring site owners and keeping them in good shape. For example, IT teams can regularly or on demand check their environment and correct missing permissions. This saves admin effort and minimizes the number of tickets created by users.
Site Attestation Policies
A site attestation policy introduces a periodic site attestation process. It requires site owners to confirm that the site is still needed and its key configuration is up to date (owners, members, sharing settings, etc.).
The process can be scheduled every X months. Then it sends a notification to site owners with details about the process and next steps. If site owners do not take action, then the policy enforces actions such as making a site read-only or archiving it.
Use Cases and Benefits
Site attestation policies help keep sites healthy and with proper configuration. Common scenarios and benefits:
- Periodic Site Review
Enforce a routine check where site owners must validate that their site is still required. This catches sites that may have gradually fallen out of use.
- Optimize Storage
Regular attestations remind owners to remove obsolete content or whole sites once they are no longer needed. That process is crucial for keeping the entire SharePoint storage in good condition. Keep in mind that additional storage can cost hundreds of thousands of dollars a year.
- Compliance
Owners are reminded to review sharing permissions, guest access, and security settings during attestation. This helps prevent situations where a site’s sharing was opened and then forgotten.
- Validate Ownership and Membership
The attestation process highlights current owners and members. That’s a great opportunity to review the existing configuration and remove unnecessary users from the site. This scenario is important to manage the oversharing of files and information.
How to Configure a Policy
This section provides a step-by-step guide to creating and using Site lifecycle management policies. Configuration processes are very similar to each other.
1. In the SharePoint admin center, go to Policies, then open Site lifecycle management, and open a policy (Inactive site policies, Site ownership policies, or Site attestation policies).

2. I selected the Site attestation policy as an example. There are details about existing policies and their status. To create a new policy, select the button Create policy.

3. In the Set policy scope section, you can choose which sites will be checked. Available options:
- Upload CSV file
You can upload a list of specific site URLs (up to 10,000) if you want precise control over which sites are included in your policy.
- Select sites at scale
You can include all site types or specify by site template (Classic, Communication, Group-connected, Teams-connected, etc.). You can filter by sensitivity label and site creation source as well (for example, only include sites created via self-service, or those created by the PnP PowerShell). You can also choose to include sites under retention policies/holds and optionally exclude specific sites by URL.

4. Configure Settings – each policy type has its own set of configuration settings.
Inactive site policies:
- Specify how long a site should be idle before it’s considered inactive (1, 2, 3, or 6 months).
- Choose who gets the inactivity notifications. You can send automated email alerts to site owners, site collection admins, or both. You can also customize the email content – and that’s a very important step to configure. You should include your organization’s branding and provide specific instructions. Otherwise, users can skip or even delete such notifications (they look similar to standard SharePoint notifications).
- Select what happens if a site owner does not respond after multiple notifications. By default, the system will send up to 3 monthly reminders for an inactive site. You can select Do nothing or make the site Read-only/Archived. To archive a site automatically, you must configure the Microsoft 365 Archive feature!

Site ownership policies:
- You can choose who is responsible for each site – Site owners, Site admins (site collection administrators), or both. This setting defines which roles on the site will be counted toward the ownership requirement.
- Set the number of owners/admins for each site. You can require 1 or 2.
- Select who should be notified when a site does not meet the ownership criteria. You can select current site owners, current site admins, and the manager of the previous owner/admin.
- You can also customize the email content – and that’s a very important step to configure. You should include your organization’s branding and provide specific instructions. Otherwise, users can skip or even delete such notifications (they look similar to standard SharePoint notifications).
- Select what happens if a site owner does not respond after multiple notifications. You can select Do nothing or make the site Read-only/Archived. To archive a site automatically, you must configure the Microsoft 365 Archive feature!

Site attestation policies:
- Select how often owners must attest to their sites. You can choose 3 months, 6 months, or 12 months.
- Select if the attestation request should go to site owners, site admins, or both.
- You can also customize the email content – and that’s a very important step to configure. You should include your organization’s branding and provide specific instructions.
- Select what happens if a site owner does not take any action after multiple notifications. You can select Do nothing or make the site Read-only/Archived. To archive a site automatically, you must configure the Microsoft 365 Archive feature!

5. The last step is to name your policy (e.g., “Project sites”) and choose Simulation or Active mode, then finish. Simulation could be used to gauge how many sites would be targeted and to test the policy.

Monitoring and Management
Each policy requires ongoing oversight to ensure it is effective:
- Review ongoing policies and monitor users’ activities. The admin dashboard will show how many sites were discovered, how many have no one to notify, how many have been confirmed, and how many have been put in read-only or archived status as a result. This gives a quick overview of your policies.
- You can also download the CSV report for a granular view. It will list each site in the policy scope.
- Pay attention to sites that ended up read-only or archived. Usually, you might reach out to the listed owners or members to confirm if the site can be retired or archived.
- Site review is an ongoing process, so it’s important to educate site owners and admins about what these attestation emails are and why they matter. You should prepare communication before you start creating policies.
- Ensure that you do not configure multiple policies on the same sites with conflicting settings. If a site is covered by two or more policies, owners will receive duplicate notifications, or one policy might mark the site as read-only while another moves it to archive.
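The overlap check from the last point, as an added example (not code from the article or from Microsoft): before uploading CSV scopes, it finds sites listed in more than one policy and separates overlaps that only produce duplicate notifications from overlaps whose enforcement actions differ. The tenant URL, policy names and dictionary layout are constructed for illustration; the action labels and the 10,000-URL limit are the ones named in this article.

```python
from collections import defaultdict
from urllib.parse import urlsplit

MAX_SCOPE_URLS = 10_000  # CSV scope limit stated in the article


def normalize(url):
    """Canonical form of a site URL so one site is not counted as two.

    Assumption: site URLs are compared case-insensitively and a
    trailing slash is not significant.
    """
    parts = urlsplit(url.strip())
    path = parts.path.rstrip("/").lower()
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{path}"


def find_overlaps(policies):
    """Return {site: [(policy name, action), ...]} for sites in 2+ policies."""
    seen = defaultdict(list)
    for policy in policies:
        urls = {normalize(u) for u in policy["urls"] if u.strip()}
        if len(urls) > MAX_SCOPE_URLS:
            raise ValueError(f"{policy['name']}: {len(urls)} URLs exceed the limit")
        for url in sorted(urls):
            seen[url].append((policy["name"], policy["action"]))
    return {url: hits for url, hits in seen.items() if len(hits) > 1}


def report(policies):
    """Map each overlapping site to 'conflict' or 'duplicate-notice'."""
    result = {}
    for site, hits in find_overlaps(policies).items():
        actions = {action for _, action in hits}
        result[site] = "conflict" if len(actions) > 1 else "duplicate-notice"
    return result


# Constructed sample scopes (hypothetical tenant and policy names).
POLICIES = [
    {"name": "Inactive - projects", "action": "Read-only",
     "urls": ["https://contoso.sharepoint.com/sites/ProjectX/",
              "https://contoso.sharepoint.com/sites/hr"]},
    {"name": "Attestation - projects", "action": "Archived",
     "urls": ["https://CONTOSO.sharepoint.com/sites/projectx",
              "https://contoso.sharepoint.com/sites/finance"]},
    {"name": "Ownership - all", "action": "Read-only",
     "urls": ["https://contoso.sharepoint.com/sites/hr",
              "https://contoso.sharepoint.com/sites/legal"]},
]

if __name__ == "__main__":
    for site, kind in sorted(report(POLICIES).items()):
        print(f"{kind:17} {site}")
```

Sites reported as `conflict` should be moved into a single policy or excluded by URL from one of the scopes before the policies are switched from Simulation to Active.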
Summary
Site governance policies for inactive sites, site ownership, and site attestation give you powerful tools to keep your environment organized and compliant. Policies identify sites and can enforce specified actions if owners/admins don’t do anything.
All three policies are configurable via SharePoint Admin Center and don’t require any additional configuration or installation.
If your organization has at least 1 Microsoft 365 Copilot license, you can start using those policies without any additional licenses or add-ons.
With these policies in active use, you will make your SharePoint environment healthier: active sites will be updated with current configurations, old sites will be archived, and required storage for SharePoint will be reduced. This not only improves the user experience and search relevance but also makes your SharePoint ready for AI.






