Forcing Owners to Confirm Details of Their Sites

The site attestation policy is part of the site lifecycle management component of SharePoint advanced management (SAM). It’s also one of the SAM features available to tenants with Microsoft 365 Copilot licenses. The basic idea is to force site owners to periodically attest that the settings of their site, including its membership, remain valid. If the site owners can’t or don’t confirm the site details, SharePoint Online can enforce an action such as archiving the site.

Microsoft 365 roadmap item 494159 lists the site attestation policy as generally available from August 2025. However, that’s not quite the case as the policy is still listed in the SharePoint admin center as a preview feature (Figure 1).

Imposing site attestation can clear out many sites that form the digital debris that clogs up Microsoft 365 tenants. Apart from releasing expensive SharePoint “hot” storage by moving the content of non-attested sites into “cold” archive storage, the biggest benefit is to remove the files held in these sites from Copilot processing. This reduces the risk that obsolete and incorrect information will find its way into Copilot responses and improves the overall quality of Copilot processing.

Configuring a Site Attestation Policy

Like the other site lifecycle policies, configuring a site attestation policy is pretty straightforward. The usual process is to configure a policy in simulation mode so that the policy runs to generate a report about the sites within the policy scope for administrators to review.

Scoping means defining what sites the policy should process, like all team-connected sites. In Figure 2 I’ve selected to combine several criteria to form a precise scope. You can select one or more container management sensitivity labels to use. Filtering by site creation source is interesting because it allows you to select sites created using methods like PnP, PowerShell, or the SharePoint admin center. Running the policy in simulation mode will create a report to tell you exactly what sites match the scope.

The policy configuration specifies how often the policy runs, who must attest sites, and what SharePoint Online should do if attestation doesn’t happen. In Figure 3, we see the configuration for an annual review where lack of attestation by site owners leads to sites being moved to Microsoft 365 Archive.

Given that most SharePoint Online sites are used with Teams and that many Microsoft 365 tenant administrators probably couldn’t differentiate between site owners and site administrators, I wonder if the configuration could be simplified to a single option that combines the two. Just a thought.

After running in simulation to identify any issues and making necessary tweaks, such as including or excluding certain sites, the attestation policy can be launched to do its business.

Site Owner Actions

Turning on the site attestation policy causes SharePoint Online to send Outlook actionable messages to site owners to ask them to confirm site details. I received 63 messages within ten minutes, including duplicate messages for a couple of sites.

The initial message (Figure 4 left) informs the site owners about their responsibilities and sets a attestation deadline. Pressing the “Yes, settings are accurate” button allows the owner to attest that everything is OK without leaving the message. Acknowledgement is automatic by updating the same message (Figure 4 – right).

You’ll notice that no button exists for a site owner to declare that the site settings are inaccurate. The assumption is that the site owner will simply ignore the messages sent by SharePoint Online. After three monthly warnings, SharePoint will enforce the action set in the policy. It would be nice to give site owners the ability to accelerate the process with an option to take the policy action immediately. Maybe that will come in a future release.

Removing Digital Debris is Goodness

Regular site attestation seems like a solid idea. Anything to remove debris from a tenant is goodness. One concern that I have is that moving a team-connected site to Microsoft 365 Archive does nothing to affect the team. Users won’t be able to access files in the SharePoint site, but shouldn’t an archive action process everything? After all, Teams supports team archiving.

Insight like this doesn’t come easily. You’ve got to know the technology and understand how to look behind the scenes. Benefit from the knowledge and experience of the Office 365 for IT Pros team by subscribing to the best eBook covering Office 365 and the wider Microsoft 365 ecosystem.