Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The site lifecycle management features from Microsoft SharePoint Advanced Management help you improve site governance by automating policy configuration in the SharePoint admin center. Site attestation policies, part of SharePoint's site lifecycle management features, help you manage periodic attestation of sites at scale. This attestation involves regular reviews by site owners or admins to check and confirm the accuracy of site information, including the site's necessity, its owners, members, permissions, and sharing settings. For sites that remain unattested, you can choose to automate enforcement actions to prevent risks of content overexposure. This approach ensures ongoing site compliance and actively reduces risks such as information oversharing.
What do you need to create a site attestation policy
What are the license requirements?
Your organization needs to have the right license and meet certain administrative permissions or roles to use the feature described in this article.
First, your organization must have one of the following base licenses:
- Office 365 E3, E5, or A5
- Microsoft 365 E1, E3, E5, or A5
Additionally, you need at least one of these licenses:
- Microsoft 365 Copilot license: At least one user in your organization must be assigned a Copilot license (this user doesn't need to be a SharePoint administrator).
- Microsoft SharePoint Advanced Management license: Available as a standalone purchase.
Administrator requirements
You must be a SharePoint administrator or have equivalent permissions.
Additional information
If your organization has a Copilot license and at least one person in your organization is assigned a Copilot license, SharePoint administrators automatically gain access to the SharePoint Advanced Management features needed for Copilot deployment.
For organizations without a Copilot license, you can use SharePoint Advanced Management features by purchasing a standalone SharePoint Advanced Management license.
How does a site attestation policy work?
Scope of site attestation policies
You can create site lifecycle policies with different scopes based on your organization's requirements. Choose the sites to include in the policy based on:
- Site templates
- Creation sources
- Sensitivity labels
- Whether to include sites under retention policies and retention holds
To exclude specific sites, add the site URLs of up to 100 sites in the Exclude sites section while configuring the policy.
Policy modes
When setting up a site lifecycle policy, you can choose between a simulation policy and an active policy.
Simulation mode
The simulation policy runs once and generates a report based on the set parameters. If it fails, you need to delete it and create a new one. Once you validate a simulation policy, you can convert it to an active policy.
Note
Site lifecycle policies in simulation mode are now available in GCCH and DoD environments as of November 17, 2025.
Active mode
The active policy runs monthly, generating reports and sending notifications to site owners to confirm the site's status. If it fails during a particular month, it will run again on the next schedule. The policy enforces actions on sites that remain uncertified or unattested by the site owner or admin, provided you configured it to take enforcement actions.
Create site attestation policies
To create a site attestation policy, follow these steps:
Sign in to the SharePoint admin center by using the SharePoint administrator credentials for your organization.
In the navigation pane, expand Policies and select Site lifecycle management.
Under Site attestation policies, select Open.
Select Create a policy.
On the Overview page of Manage site attestation, select Next.
On the next page, you define the scope of the policy.
Define the scope of the site attestation policy
To define the scope of the site attestation policy, on the Select policy scope page, start by selecting the sites for the policy by using one of the following approaches:
- Upload a CSV file with a list of up to 10,000 URLs
- Select sites at scale
Upload a CSV file with the list of sites
If you select Upload a CSV file with a list of up to 10,000 URLs, you can upload a list of site URLs for the policy.
Tip
- You can export the site list from the SharePoint active sites page.
- Ensure the CSV file uses the same format as the sample CSV file and has no duplicate URLs. Also, make sure the URLs are valid and complete.
- Ensure the URLs listed in the CSV file belong to your tenant's domain.
Select sites at scale
If you choose Select sites at scale, you can select site templates to include in this policy, and filter them by:
- Sensitivity label
- Site creation source
You can also choose whether to:
- Include sites with retention policies and retention holds
- Exclude specific sites from this policy
Select site template types
Select site template types from the following list:
- All sites
- Classic sites
- Communication sites
- Group connected sites without teams
- Team sites without Microsoft 365 group
- Teams-connected sites
Filter sites by sensitivity labels
Set policy scope by filtering sites by their sensitivity labels.
Note
If your tenant doesn't set up sensitivity labels, this option is unavailable.
Filter sites by creation source
Filter sites for the policy scope by site creation source:
- SharePoint Home
- SharePoint admin center
- PowerShell
- PnP
- Teams
Include sites with retention policies and retention holds
By default, the box for Include sites with retention policies and retention holds, read-only sites and locked sites is selected. This selection means sites in a read-only state or locked states are included in the scope of the policy, with whatever other filters applied.
Exclude specific sites from the policy
Enter up to 100 sites that you want to exclude from the policy. Be sure to separate each URL by new lines.
After setting the policy's scope, select Next. You then configure the site attestation policy settings.
Configure site attestation policy settings
On Configure policy, you can:
- Choose how often you want the sites to be attested (3 months, 6 months, and 12 months).
- Identify who is responsible for attesting the site (site owners, site admins, or both).
- Exclude site owners or admins from receiving requests.
- Specify what action the policy should take after three notifications.
Exclude site owners or admins from receiving requests
You can exclude up to 100 users or Microsoft 365 or security groups from receiving attestation requests, even if they're the site owners or site admins for the sites included in the policy.
Actions to take on unattested sites after three notifications
For sites that are unattested after three monthly notifications, you can choose to either do nothing or take one of the following enforcement actions. The following table summarizes how the inactive site policy behaves for each selected enforcement action:
| Enforcement action | Policy behavior |
|---|---|
| Do nothing | Site owners or site admins receive monthly notifications for three months. After this period, no notifications are sent for the next three months. If the site remains unattested after six months, monthly notifications resume. The policy execution report lists unattested sites as unactioned by the site owner. You can download this report and filter out sites marked as unactioned. |
| Read-only access | Site owners or site admins receive monthly notifications for three months. If the notification recipients don't mark the site as attested during this period, the site goes into read-only mode. |
| Archive sites after mandatory read-only period | Site owners or site admins receive monthly notifications for three months. If the notification recipients don't mark the site as attested during this period, then the site goes into a read-only mode for a configurable duration (3, 6, 9, or 12 months). After the configured number of months, the site gets archived through Microsoft 365 Archive. Archival is subject to the tenant enabling Microsoft 365 Archive on the Microsoft Admin center. |
Note
If you configure the policy to take an enforcement action:
- The notifications stop after the policy action succeeds.
- The site and its status are included in the monthly report.
Customize email notifications
Admins can now customize the emails sent by the Site Lifecycle Management policies, to site owners and admins for certification or attestation. Customizing email content helps improve the read-through rate of the emails sent, effectively improving the response efficiency thus contributing towards better governance across the tenant.
The option to customize emails is available in the configure step for all site lifecycle management policies.
Selecting Customize email to be sent opens the customization window as following:
| Customizable section | Description |
|---|---|
| Sender | Configuring a custom domain (in MAC) is a prerequisite to using the email customization feature. Select here to learn more on how to configure/change this setting. |
| Subject (up to 100 characters) | You can use $UserDisplayName to insert the user's name and $SiteName to insert the name of the site. |
| Message (up to 500 characters) | You can use $UserDisplayName to insert the user's name, $SiteName to insert the name of the site and $SiteUrl to insert URL of the site. |
| Policy guideline URL | Only valid HTTP links are allowed |
| Policy guideline description text | Default value is the placeholder text |
You can also customize emails for existing policies. To customize emails, follow these steps:
- Select an existing policy.
- Go to Edit configuration.
- Find the email customization option.
Note
If you don't configure email customization for a policy, the system continues to send default emails from noreply@sharepoint.com.
When can't you customize emails?
You might not be able to customize emails if the custom domain setting isn't configured or is turned off.
You must configure the "Send email notifications from your domain" setting in Microsoft admin center (MAC) before you can customize emails. If this setting isn't configured, you'll see a warning message on the top of the policy list:
You'll also see the warning message during the configuration step:
If you previously customized emails in one or more policies but the "Send email notifications from your domain" setting in MAC is, then turned off, you'll see the message bar in the policy list, and a warning message in the email customization window.
Note
You need the Global Administrator role to configure this setting in Microsoft admin center (MAC).
After configuring the policy settings, select Next to finish your policy. Name the policy, add a description (optional), and select a policy mode.
Select Finish. You can now view and manage your policy from the Site lifecycle management > Site attestation policy dashboard.
Site set as read-only mode
When you configure an unattested site policy with the read-only enforcement action, it sends extra notifications to inform site owners or site admins that the site goes into read-only mode.
When the site is in read-only mode, the following banner appears on the site:
Remove site from read-only mode
To remove a site from read-only mode in SharePoint admin center, go to the Active sites page, select the site, and then select Unlock from the site page panel.
Site owners can't remove a site from read-only mode. They must contact the tenant admin to remove read-only mode.
Unarchive a site
To unarchive a site in SharePoint admin center, expand Sites and select Archived sites. Select the site you want to unarchive and select Reactivate.
Note
Only tenant admins can reactivate an archived site.
Sites managed by multiple site attestation policies
For each type of site lifecycle management policy, such as site ownership policy, inactive site policy, and site attestation policy, if you create multiple policies, notification emails aren't repeated. If a notification was sent within the last 30 days from any policy of that type, and the site remains unattested or uncertified, no further notifications are sent. The policy execution report shows the site's status as "Notified by another policy."
For example, if a site is covered by two different site attestation policies and receives a notification email from the first policy, the second policy doesn't send any extra notifications within the next 30 days if the site remains unattested.
Make sure that policies of the same type don't have overlapping scopes. If sites fall under the scope of multiple policies of the same type, the notification schedule and enforcement actions on the site could become unpredictable.
Reporting
After each run of the configured policy, you can view a detailed report about the sites it identifies. In the Site attestation policies page, select the desired policy from the list.
The panel outlines the numbers of:
- Sites to attest
- Sites that didn't have anyone to notify
- Sites attested
- Sites set to read-only
- Archived sites You can also view the policy's scope, configuration, and general information on the report.
You can also view the policy's scope, configuration, and general information on the panel. Select the Download detailed report option to download the report in CSV containing the following details for each of the sites identified due for attestation:
| Column | Definition |
|---|---|
| Site name | Name of the site |
| URL | URL of the site |
| Template | Template of the site |
| Connected to Teams | Indicates if it's a Teams-connected site |
| Sensitivity label | Sensitivity label assigned to the site |
| Retention policy | Indicates if any retention policy is applied to the site |
| Site lock state | State of site access before the policy runs (Unlock/Read-Only/No access) |
| Notified site admins | Email addresses of site admins receiving attestation notifications |
| Notified site owners | Email addresses of site owners receiving attestation notifications |
| Last attested by | Email address of the person who last attested the site |
| Last attestation date (UTC) | Date when the site was last attested |
| Number of site owners | Total count of site owners for the site |
| Email address of site owners | Email addresses of all site owners |
| Number of site admins | Total count of site admins for the site |
| Email address of site admins | Email addresses of all site admins |
| Total notifications count | Total notifications sent so far by any policy under the same policy template |
| Action status of policy | Status of the site (First, second, or third notification sent, Site in read-only mode, Site archived, Action taken by another policy such as read-only, archive, or notified by another policy) |
| Action taken on (UTC) | Date on which the enforcement action was taken (date when site was archived or put in read-only mode) |
| Last activity date (UTC) | Date of last activity detected across SharePoint site and connected workloads |
| Site creation date (UTC) | Date when the site was created |
| Storage used (GB) | Storage consumed by the site |
| Duration in read-only (days) | Number of days the site is in the enforced read-only state |
Configure actionable emails for US Government Cloud (GCC High or DoD) environments
In US Government Cloud (GCC High and DoD) environments, a tenant administrator must complete an extra, one-time setup for SharePoint site lifecycle management (SLM) policies to use actionable messages. This step helps ensure that policy notification emails display and function correctly. For example, site admins and site owners can take actions directly from email.
Unlike other commercial cloud environments, GCC High and DoD tenants require explicit administrator approval of the actionable message provider before it can send interactive email messages. Without this approval, SLM policy emails are delivered, but action buttons don't function as expected.
Important
You must be a Global Administrator or Exchange Administrator in the tenant to set up actionable messages.
Approve the SLM actionable message provider
Go to the Outlook Actionable Messages – Connectors admin portal for GCCH or DoD and sign in.
In the Provider Status filter, select Approved by Microsoft – Pending Your Approval.
Locate the provider named
InactiveSiteOAMProviderGCCH.Select the provider, and then select Approve.
After you approve the provider, the SLM policy notifications send actionable messages.
Note
This approval applies only to SLM policy notifications. Other applications or services that use actionable messages might require separate approval.
Ensure actionable messages are enabled for the tenant
Site lifecycle management policies use Outlook actionable messages to enable site owners or site administrators to take necessary actions by using links within email messages.
- For notifications to render properly, make sure your organization meets the Outlook version requirements.
- To troubleshoot rendering problems, see frequently asked questions.
Troubleshooting actionable messages
If actionable messages don't work as expected, try these steps:
- Make sure that the
InactiveSiteOAMProviderGCCHprovider is in an approved state. - Allow sufficient time. It can take up to 24 hours for changes to propagate.