Site Attestation vs. Inactive Site Policies in SharePoint Online
- Jul 3
- 3 min read

Site attestation and the inactive site policy engine are related SharePoint lifecycle controls, but they are not the same thing.
Both help organizations reduce unmanaged site growth, improve accountability, and bring more structure to SharePoint governance. The difference is what triggers the review and what question the organization is trying to answer.
Site attestation is a scheduled governance review. It asks site owners or administrators to confirm that a site is still needed, properly owned, and appropriately governed. It is best used when the organization wants periodic accountability across important sites, even when those sites are still active.
The inactive site policy engine is a lifecycle control that uses activity signals to identify sites that may no longer be in active use. It looks for sites that appear inactive based on usage signals, then notifies the right people to confirm whether the site should stay active, become read only, be archived, or move through another review process.
In short, site attestation is about accountability, whereas inactive site policies are about identifying dormant sites and moving them through the lifecycle.
The easiest way to understand the distinction is to compare the purpose, trigger, and outcome of each control.
Comparison
Area | Site Attestation | Inactive Site Policy Engine |
Main Question | Is the site still accurate, properly owned, configured with the right permissions, and needed? | Has the site gone inactive based on usage signals? |
Trigger | Scheduled review cycle (every 3, 6, or 12 months) | Inactivity based on site and connected Microsoft 365 workload activity |
Primary Focus | Governance certification and accountability | Lifecycle cleanup and dormant site review |
Best Used For | Recurring confirmation of important sites, even if actively used | Finding abandoned, stale, or quiet sites at scale |
Who Responds | Site owners, site administrators, or both | Site owners, site administrators, or both |
Typical Outcome | The site is confirmed, corrected, escalated, or moved into an enforcement path, if not attested | The site is confirmed as still needed, made read only, archived, or routed for further review |
Risk Reduced | Poor ownership, stale permissions, oversharing, and unclear accountability | Content sprawl, abandoned workspaces, unmanaged dormant content, and unnecessary exposure |
Practical Example | A Finance site is reviewed annually to confirm ownership, permissions, sharing settings, and continued business need | A project site with no recent activity is flagged for owner confirmation and possible archive |
When to Use Site Attestation
Use site attestation when the site still matters and the organization wants recurring confirmation that it is being governed properly.
This is especially useful for department sites, policy sites, executive sites, regulated workspaces, sensitive collaboration areas, or sites that support important business functions. These sites may be active and valuable, but they still need periodic review.
A site can be active and still have governance issues. It may have the wrong owner, too many members, outdated sharing links, or permissions that no longer match the business need. Site attestation creates a formal checkpoint to confirm the site is still accurate and accountable.
When to Use Inactive Site Policies
Use inactive site policies when the organization needs a scalable way to identify sites that may no longer be used.
This is especially useful for project sites, temporary collaboration spaces, older Teams-connected sites, and workspaces created for initiatives that may have ended. These sites often become invisible over time, especially when ownership changes or the original business purpose is no longer clear.
The inactive site policy engine helps bring those sites back into view. It does not automatically mean the site has no value. It means the site requires review.
How These Controls Work Together
The strongest approach is to use both controls as part of the broader SharePoint site lifecycle.
Use site attestation to govern important sites on a recurring basis. Use inactive site policies to identify sites that may no longer be needed. In both cases, success depends on clear ownership, because notifications and review requests only work when the right people are accountable.
A mature lifecycle model usually includes three layers:
Site ownership policies to confirm every site has accountable owners.
Site attestation policies to periodically confirm important sites are still accurate and governed.
Inactive site policies to identify dormant sites and move them through review, restriction, archive, or another approved process.
Neither control replaces good information architecture, retention planning, permission design, sensitivity labeling, or records management. They are governance checkpoints that help organizations maintain ownership, accountability, and control as the SharePoint environment grows over time.
If you'd like to learn more about the governance controls behind effective SharePoint lifecycle management, we invite you to explore the following related articles:



