Getting Control of SharePoint Site Growth with Site Attestation

In our decades of SharePoint experience, we see that the average Microsoft 365 tenant has somewhere between two and four SharePoint sites per employee. For organizations on the platform for a few years, that number goes higher.

It sounds almost too mundane to worry about, until you start asking who owns those sites, what's in them, and whether the people who created them still work at your company.

In most organizations, nobody really knows. And that's not negligence, it's a natural part of how the platform works. We all love spinning up new sites and teams, right? 😊

How it happens

SharePoint site creation is frictionless by design. Every new Teams channel generates one automatically. Every project, working group, or initiative that spins up adds another.

Which is all fine when the work is active.

The problem is there's no equivalent mechanism to wind things back down when a project wraps up, a team restructures, or someone leaves the organization.

Over a few years of normal business activity, it's common to find yourself managing thousands of sites where only a fraction of the sites are actively maintained. The rest exist in some sort of administrative limbo that people, or IT, don’t have the time or mandate to sort out.

Why it matters

The security risk issue is usually the first one raised, and for good reason. Stale sites accumulate risk quietly: external sharing links left open after a vendor relationship ended, guest accounts never removed, sensitive documents in a site where permissions haven't been reviewed in years.

There's also a compliance dimension. If your organization is subject to GDPR, HIPAA, or similar legislation, the expectation is that you can protect and account for data in your organization. An unmanaged sprawl of SharePoint sites is a meaningful gap in that posture.

Next, there’s the end user issues. Search, findability and AI are less effective if they bring in inactive data and content from old SharePoint sites.

Finally there's the quieter operational cost: IT teams fielding ad hoc questions about ownership and access for an environment they have no systematic way to manage.

SharePoint site attestation

Ok, so what do we do about this?

The Microsoft 365 platform provides several ways to address stale SharePoint sites and Teams, including site attestation, lifecycle management policies, automated retention and deletion policies, and reporting tools to help administrators identify and manage inactive resources.

Site attestation is a relatively new feature in SharePoint advanced management to help IT get a handle on these sites going forward, and at scale.

How it works:

1. Site attestation asks site owners a simple question on a regular schedule: is this site still active and does it still need to exist?

2. Owners get a notification, review the site, and certify it.

3. If nobody responds after reminders and the attestation window closes, the site is considered unattested. Administrators can configure policies to do nothing, or automatically take action on these sites, such as archiving them or marking them as read-only. For more information about the options for actions, refer to this article.

The real value isn't only the automation, it's also the accountability shift. Instead of IT guessing at what's still relevant, the decision goes back to the people who created the site and know what it's for. The business owns that answer and attestation creates the mechanism to ask the question to record what they say.

Also note that site attestation itself is a review and accountability mechanism; deletion, or another type of action, can be handled through separate lifecycle or retention policies.

Licenses required

The site attestation feature requires a base license such as E3 or E5 and either a Microsoft 365 Copilot license or the SharePoint Advanced Management license.

More information is on Microsoft Learn about the pre-requisites.

Common objections

A few things tend to come up when you introduce this kind of process:

• "I don't have time for this."

  Certifying an active site takes under a minute. The friction people feel is usually unfamiliarity, not actual effort. Clear communication before the first cycle will help.

• "What if I accidentally delete something?"

  Attestation is a review mechanism, not a deletion one. Nothing gets removed without a deliberate policy decision made in advance. Be explicit about this upfront.

• "I didn't even know I owned that site."

  This is probably the most useful response you can get! It surfaces orphaned sites and starts a conversation to get the right person in the loop.

How to get started

A practical approach to get started is:

• Start narrow. Sites inactive for 12+ months are a natural first target. To do this, go to the list of your Active Sites where you can export the list to Excel and start filtering from there.

• Decide on the attestation cadence. Annual reviews work for most organizations as a baseline, whereas quarterly makes more sense for sites with sensitive data or external sharing enabled.

• Decide what happens to uncertified sites before anything goes out. Automatic archiving, or making a site read-only are the main options.

• Make the email look legitimate. Employees will be suspicious of an unexpected message asking them to "confirm" something. Pair the launch with internal communication so people know it's coming.

All these settings can be configured through the guided interface:

The goal is a known environment, not a perfect one

The aim isn't to hit some ideal ratio of sites to employees. It's to be able to answer basic questions with confidence: what do we have, who owns it, and is it still serving a purpose. For most organizations, that's already a meaningful improvement over the current state.

Site attestation won't solve everything, but it gives you a repeatable structure for staying on top of active sites. If you need assistance gathering the list of sites to start with, or rolling out the policy, please do reach out to us!

👉 Talk to the team