SharePoint Site Lifecycle Management
SharePoint Advanced Management (SAM) provides enterprise governance capabilities for managing the complete lifecycle of SharePoint sites—from creation through archival and deletion.
This guide is referenced from the Purview Implementation Guide. Site lifecycle management creates the foundation for effective data governance.
Why Site Lifecycle Management Matters
| Problem | Impact | SAM Solution |
|---|---|---|
| Orphaned sites | No owner = no accountability | Ownership enforcement |
| Stale content | Storage costs, eDiscovery noise | Inactive site policies |
| Oversharing | Data exposure, Copilot risks | Access reviews |
| Ungoverned creation | Site sprawl | Provisioning controls |
Key Capabilities
Site Ownership & Accountability
Every site needs an accountable owner. SAM enforces this:
| Feature | What It Does |
|---|---|
| Ownership policies | Require sites to have active owners |
| Orphan detection | Identify sites with no/departed owners |
| Owner notifications | Alert owners about inactive sites |
| Ownership transfer | Streamline handoff when owners leave |
Inactive Site Management
Sites that aren't being used create risk and cost:
| Policy | Action |
|---|---|
| 90-day inactive warning | Email owner about inactivity |
| 180-day inactive | Restrict to read-only |
| 365-day inactive | Archive or delete |
Access Governance
Review and remediate oversharing:
| Feature | What It Does |
|---|---|
| Data Access Governance | Surface sites with broad permissions |
| Sharing reports | Identify external sharing |
| Access reviews | Periodic owner certification |
Implementation
Step 1 – Audit Current Site State
Goal: Understand your current site landscape before applying policies.
Click-Ops (SharePoint Admin Center):
- Navigate to SharePoint Admin Center → Active sites
- Review site list and note:
  - Sites without primary owners
  - Sites with no recent activity
  - Sites shared with "Everyone"
- Export site list for analysis
PowerShell:
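```powershell
Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"
# Get-MgUser below needs a Microsoft Graph session (Microsoft.Graph module)
Connect-MgGraph -Scopes "User.Read.All"

# Get all sites with ownership info
$Sites = Get-SPOSite -Limit All
$Sites | Select-Object Title, Url, Owner, LastContentModifiedDate,
        SharingCapability, StorageUsageCurrent |
    Export-Csv -Path "SiteAudit.csv" -NoTypeInformation

# Find orphaned sites (owner no longer in directory)
# Note: group-connected sites report a group identifier as Owner, so they fail
# the user lookup and need a separate check of the group's owners.
foreach ($Site in $Sites) {
    if ([string]::IsNullOrWhiteSpace($Site.Owner)) {
        Write-Host "Orphaned: $($Site.Url) - no owner set" -ForegroundColor Yellow
        continue
    }
    try {
        $null = Get-MgUser -UserId $Site.Owner -ErrorAction Stop
    } catch {
        Write-Host "Orphaned: $($Site.Url) - Owner: $($Site.Owner)" -ForegroundColor Yellow
    }
}
```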
Step 2 – Configure Ownership Policies
Goal: Ensure every site has an accountable owner.
Click-Ops:
- Navigate to SharePoint Admin Center → Policies → Site lifecycle management
- Enable Require site owners
- Configure notifications:
  - Warn when owner account is disabled
  - Notify secondary admins
- Set escalation path for orphaned sites
Step 3 – Configure Inactive Site Policies
Goal: Automatically manage sites that are no longer in use.
The Inactive Site Policy has moved in the SharePoint Admin Center. Depending on your tenant, you may find it under:
- Policies → Site lifecycle management → Inactive sites
- Or via Reports → Site lifecycle management
Click-Ops:
- Navigate to SharePoint Admin Center → Policies → Site lifecycle management
- Select Inactive sites tab
- Enable Inactive site policy
- Configure thresholds:
  - Warning: 90 days inactive
  - Read-only: 180 days inactive
  - Archive/Delete: 365 days inactive
- Set notification frequency
Recommended Settings:
| Site Type | Warning | Read-only | Archive |
|---|---|---|---|
| Team sites | 90 days | 180 days | 365 days |
| Communication sites | 120 days | 240 days | 2 years |
| Project sites | 60 days | 120 days | 180 days |
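Before enabling the policy, it helps to see which stage each site would land in. The following is an added example, not part of the original guide: it applies the thresholds from the table above to constructed sample rows. `Get-InactivityStage` and the `SiteType` column are hypothetical names, and `LastContentModifiedDate` is used as a stand-in for the policy's own activity signal.

```powershell
# Thresholds in days, taken from the Recommended Settings table ("2 years" = 730).
$Thresholds = @{
    Team          = @{ Warning = 90;  ReadOnly = 180; Archive = 365 }
    Communication = @{ Warning = 120; ReadOnly = 240; Archive = 730 }
    Project       = @{ Warning = 60;  ReadOnly = 120; Archive = 180 }
}

function Get-InactivityStage {
    param(
        [Parameter(Mandatory)] [datetime] $LastModified,
        [Parameter(Mandatory)] [string]   $SiteType,
        [datetime] $AsOf = (Get-Date)
    )
    $t = $Thresholds[$SiteType]
    if (-not $t) { return 'Unclassified' }      # unknown type: flag for manual review
    $days = ($AsOf - $LastModified).Days        # whole days since last content change
    if     ($days -ge $t.Archive)  { 'Archive' }
    elseif ($days -ge $t.ReadOnly) { 'ReadOnly' }
    elseif ($days -ge $t.Warning)  { 'Warning' }
    else                           { 'Active' }
}

# Constructed sample rows. For live data, build the same shape from
#   Get-SPOSite -Limit All | Select-Object Url, LastContentModifiedDate
# and add SiteType from your own inventory (assumption: it is not a Get-SPOSite property).
$AsOf  = [datetime]'2025-01-01'
$Sites = @(
    [pscustomobject]@{ Url = 'https://tenant.sharepoint.com/sites/TeamA';    SiteType = 'Team';          LastContentModifiedDate = [datetime]'2024-11-15' }
    [pscustomobject]@{ Url = 'https://tenant.sharepoint.com/sites/ProjectX'; SiteType = 'Project';       LastContentModifiedDate = [datetime]'2024-08-01' }
    [pscustomobject]@{ Url = 'https://tenant.sharepoint.com/sites/CommsHub'; SiteType = 'Communication'; LastContentModifiedDate = [datetime]'2024-06-01' }
    [pscustomobject]@{ Url = 'https://tenant.sharepoint.com/sites/TeamOld';  SiteType = 'Team';          LastContentModifiedDate = [datetime]'2023-10-01' }
    [pscustomobject]@{ Url = 'https://tenant.sharepoint.com/sites/Misc';     SiteType = 'Other';         LastContentModifiedDate = [datetime]'2024-01-01' }
)

$Report = $Sites | ForEach-Object {
    [pscustomobject]@{
        Url          = $_.Url
        SiteType     = $_.SiteType
        DaysInactive = ($AsOf - $_.LastContentModifiedDate).Days
        Stage        = Get-InactivityStage -LastModified $_.LastContentModifiedDate `
                           -SiteType $_.SiteType -AsOf $AsOf
    }
}
$Report | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
```

Sites that come back as `ReadOnly` or `Archive` are the ones whose owners should hear about the policy before it is switched on.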
Step 4 – Configure Sharing Defaults
Goal: Set secure defaults for how sites can be shared.
Tenant-Level Settings:
| Setting | Recommended Value | Reason |
|---|---|---|
| External sharing | New and existing guests | Identity-based, auditable |
| Default link type | Specific people | No accidental broad sharing |
| Anonymous links | Disabled | Requires authentication |
| Guest expiration | 90 days | Automatic cleanup |
Click-Ops:
- Navigate to SharePoint Admin Center → Policies → Sharing
- Set organization-level sharing capability
- Configure link defaults and expirations
- Enable guest access expiration
PowerShell:
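```powershell
Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"
# Set tenant defaults
# "New and existing guests": guests must authenticate, and Anyone (anonymous)
# links are unavailable at this level. ExternalUserAndGuestSharing would allow them.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
# Default link type "Specific people" (Internal would mean "people in your organization")
Set-SPOTenant -DefaultSharingLinkType Direct
# RequireAnonymousLinksExpireInDays 0 only removes the expiry requirement; it does
# not disable anonymous links, so it is not used here.
Set-SPOTenant -ExternalUserExpirationRequired $true
Set-SPOTenant -ExternalUserExpireInDays 90
```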
Step 5 – Enable Data Access Governance (DAG)
Goal: Surface sites with overly permissive access for review.
Click-Ops:
- Navigate to SharePoint Admin Center → Reports → Data access governance
- Review reports:
  - Sites shared with "Everyone except external users"
  - Sites with large group membership
  - Sites with external guests
- Create access review campaigns for high-risk sites
Integration with DSPM: Data Access Governance findings feed into DSPM for unified risk visibility. Sites identified here appear in DSPM's oversharing alerts.
Site-Level Overrides
For specific high-risk sites, apply stricter controls:
| Site Type | Sharing | Access | Lifecycle |
|---|---|---|---|
| HR | Internal only | Restricted | Never auto-delete |
| Legal | Internal only | Restricted | Legal hold enabled |
| Research (CUI) | Approved guests only | Conditional Access | Grant-based retention |
| General projects | New/existing guests | Standard | 365-day inactive |
PowerShell (Per-Site Override):
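```powershell
# Lock down HR site: no external sharing, no "People in your organization" links
Set-SPOSite -Identity "https://tenant.sharepoint.com/sites/HR" `
    -SharingCapability Disabled `
    -DisableCompanyWideSharingLinks Disabled

# Research site with controlled external sharing
# The domain list is space-delimited and is only enforced in AllowList mode
Set-SPOSite -Identity "https://tenant.sharepoint.com/sites/Research-CUI" `
    -SharingCapability ExistingExternalUserSharingOnly `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "partner.edu collaborator.gov"
```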
Validation Checklist
| # | Item | Success Criteria |
|---|---|---|
| 1 | Ownership policy | All sites have active owners |
| 2 | Inactive policy | Notifications configured |
| 3 | Sharing defaults | Anonymous links disabled |
| 4 | DAG reports | Reviewed and remediation planned |
| 5 | High-risk sites | Locked down |
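Checklist items 3 and 5 can be checked by script rather than by eye. The following is an added example, not part of the original guide: it compares a settings object with the values recommended in the Tenant-Level Settings and Site-Level Overrides tables. `Test-SharingBaseline` is a hypothetical helper, and the two sample objects are constructed so the block runs offline.

```powershell
# Compare any settings object (tenant or site) with an expected baseline.
function Test-SharingBaseline {
    param(
        [Parameter(Mandatory)] [string] $Scope,
        [Parameter(Mandatory)] $Actual,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    foreach ($name in $Expected.Keys) {
        [pscustomobject]@{
            Scope    = $Scope
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $Actual.$name
            # String comparison so enum values from the SPO cmdlets match their names
            Pass     = ("$($Actual.$name)" -eq "$($Expected[$name])")
        }
    }
}

# Baselines from the tables on this page
$TenantBaseline = [ordered]@{
    SharingCapability              = 'ExternalUserSharingOnly'   # New and existing guests
    DefaultSharingLinkType         = 'Direct'                    # Specific people
    ExternalUserExpirationRequired = $true
    ExternalUserExpireInDays       = 90
}
$HrSiteBaseline = [ordered]@{ SharingCapability = 'Disabled' }   # Internal only

# Constructed sample objects. Against a live tenant, pass (Get-SPOTenant) and
# (Get-SPOSite -Identity "https://tenant.sharepoint.com/sites/HR") instead.
$SampleTenant = [pscustomobject]@{
    SharingCapability              = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType         = 'Internal'
    ExternalUserExpirationRequired = $true
    ExternalUserExpireInDays       = 90
}
$SampleHrSite = [pscustomobject]@{ SharingCapability = 'Disabled' }

$Results  = @(Test-SharingBaseline -Scope 'Tenant'  -Actual $SampleTenant -Expected $TenantBaseline)
$Results += @(Test-SharingBaseline -Scope 'HR site' -Actual $SampleHrSite -Expected $HrSiteBaseline)

# Show only the settings that drifted from the baseline
$Results | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

Run on a schedule, the same comparison catches a tenant or site setting that has been loosened after the initial rollout.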
Copilot Readiness {#copilot-readiness}
Before deploying Microsoft Copilot, ensure your SharePoint governance is ready to prevent AI from surfacing sensitive or overshared content.
Pre-Copilot Checklist
| Task | Why It Matters |
|---|---|
| Run DAG reports | Identify overshared sites before Copilot indexes them |
| Apply sensitivity labels | Copilot respects label permissions and encryption |
| Review "Everyone" shares | Copilot can surface content shared too broadly |
| Enable Restricted SharePoint Search | Exclude sensitive sites from Copilot indexing |
| Validate site permissions | Copilot inherits user permissions—fix overpermissioned sites |
Restricted SharePoint Search
For highly sensitive sites that should never appear in Copilot results:
- Navigate to SharePoint Admin Center → Policies → Sharing → Restricted SharePoint Search
- Enable site restriction
- Add sites to exclude:
  - HR sites with employee records
  - Legal/compliance sites
  - Research data with export controls
For comprehensive Copilot governance, also configure Restricted SharePoint Search in Purview.
Related Resources
- Purview Implementation Guide — Full governance implementation
- DSPM — Data Security Posture Management
- SharePoint Permissions Guide — Detailed permissions
- Information Protection — Sensitivity labels