Create a SharePoint site ownership policy

The site lifecycle management features in Microsoft SharePoint Advanced Management help your organization improve site governance through automated policies that SharePoint administrators configure in the SharePoint admin center.

Site ownership policies help you automatically monitor and enforce site ownership requirements across your organization. These policies let you define who should be responsible for each site, set minimum owner or administrator counts, and automate notifications when sites don't meet the specified criteria. By regularly identifying noncompliant sites and prompting users to take action, site ownership policies support effective site management, reduce the risk of ownerless sites, and help maintain security and compliance in your SharePoint environment.

What do you need to create a site ownership policy?

What are the license requirements?

Your organization needs to have the right license and meet certain administrative permissions or roles to use the feature described in this article.

First, your organization must have one of the following base licenses:

  • Office 365 E3, E5, or A5
  • Microsoft 365 E1, E3, E5, or A5

Additionally, you need at least one of these licenses:

  • Microsoft 365 Copilot license: At least one user in your organization must be assigned a Copilot license (this user doesn't need to be a SharePoint administrator).
  • Microsoft SharePoint Advanced Management license: Available as a standalone purchase.

Administrator requirements

You must be a SharePoint administrator or have equivalent permissions.

Additional information

If your organization has a Copilot license and at least one person in your organization is assigned a Copilot license, SharePoint administrators automatically gain access to the SharePoint Advanced Management features needed for Copilot deployment.

For organizations without a Copilot license, you can use SharePoint Advanced Management features by purchasing a standalone SharePoint Advanced Management license.

How do site ownership policies work?

Scope of site ownership policies

You can create different policies with different scopes based on your organization's requirements.

You can scope a policy by site template, creation source, and sensitivity label, and you can choose whether to include sites under retention policies and retention holds. To exclude specific sites, add the site URLs of up to 100 sites in the Exclude sites section while configuring the policy.

Note

OneDrive sites, sites created by system users, app catalog sites, root sites, home sites, and tenant admin sites are excluded from site ownership policies.

Policy modes

When setting up a site lifecycle policy, you can choose between a simulation policy and an active policy.

Simulation mode

The simulation policy runs once and generates a report based on the set parameters. If it fails, you need to delete it and create a new one. Once you validate a simulation policy, you can convert it to an active policy.

Note

Site lifecycle policies in simulation mode are now available in GCCH and DoD environments as of November 17, 2025.

Active mode

The active policy runs monthly, generating reports and sending notifications to site owners to confirm the site's status. If it fails during a particular month, it will run again on the next schedule. The policy enforces actions on sites that remain uncertified or unattested by the site owner or admin, provided you configured it to take enforcement actions.

Ownership criteria

Different organizations have different needs. Site ownership policies allow you to customize how ownership is determined by allowing you to:

  • Choose who is responsible for managing a site in your organization: site owners, site administrators, or both.
  • Define the minimum number of owners or admins a site should have (currently up to two).

The policy identifies all sites that aren't compliant with the configured ownership criteria and generates the report. If your policy is active, it sends email notifications for identified sites.

Choose two as the minimum owner count so that sites with a single owner are identified and another owner is added immediately. Having more than one site owner helps reduce the risk of sites becoming ownerless.

How can you resolve user ID mismatches before running the site ownership policy?

Before running a site ownership policy, resolve any user ID mismatches to ensure accurate ownership outcomes for each site. Sometimes, if you delete and later recreate a site owner, ownership references might point to an old, nonexistent PUID. As a tenant administrator, fix these mismatches by running the Site User ID Mismatch diagnostic.

Create a site ownership policy

To create a site ownership policy, follow these steps:

  1. As a SharePoint administrator, go to the SharePoint admin center and sign in.

  2. In the navigation pane, expand Policies, and then select Site lifecycle management.

    Screenshot of ownership policy being created in SharePoint admin center dashboard.

  3. Under Site ownership policies, select Open. Then, select + Create policy.

  4. On the Manage ownership of sites page, review the information, and then select Next.

    Screenshot of ownership policy created in SharePoint admin center dashboard.

  5. On the Set policy scope step, choose your policy scope parameters, and then select Next.

    Screenshot of site ownership policy with set policy scope in SharePoint admin center dashboard.

    If you select Upload a CSV file with a list of up to 10,000 URLs, you can upload a list of site URLs of select sites for the policy.

    Screenshot showing the Upload a CSV file dialog box.

    Tip

    • You can export the site list from the SharePoint active sites page.
    • Ensure the CSV file uses the same format as the sample CSV file, has no duplicate URLs, and contains only valid and complete URLs.
    • Ensure the URLs listed in the CSV file belong to your tenant's domain.
  6. On the Configure policy step, specify criteria for your policy, and then select Next.

    Screenshot of ownership policy configuration page in SharePoint admin center dashboard.

    If you're planning to exclude users or groups, see important information in the section, Excluding users or groups (in this article).

  7. On the Finish step, specify a name and description for your policy, select a policy mode, and then select Finish.

    Screenshot of ownership policy with notifications options selected.

    If you select Active mode, your policy runs monthly, generates a report, and notifies site owners or site admins about potential issues, depending on policy configuration.

  8. After your policy is created, select Done.

Once deployed, you can view and manage your policy by selecting Site ownership policies in the Site lifecycle management dashboard.
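The CSV checks listed in the tip under step 5 can be run before upload. The following Python script is an added example, not part of the SharePoint admin center or Microsoft's tooling; the single `URL` column header, the https-only rule, and the tenant host `contoso.sharepoint.com` are assumptions to adjust to your sample CSV file and tenant.

```python
import csv
import io
from urllib.parse import urlsplit

MAX_URLS = 10_000  # upload limit stated on the Set policy scope step

# Constructed sample input. The "URL" header is an assumption; match it to
# the sample CSV file offered in the upload dialog.
SAMPLE_CSV = """URL
https://contoso.sharepoint.com/sites/finance
https://contoso.sharepoint.com/sites/Finance/
https://fabrikam.sharepoint.com/sites/hr
/sites/legal
https://contoso.sharepoint.com/sites/hr
"""


def validate_scope_csv(text, tenant_host, url_column="URL"):
    """Return (clean_urls, problems); each problem is (line, value, reason)."""
    reader = csv.DictReader(io.StringIO(text))
    if url_column not in (reader.fieldnames or []):
        return [], [(1, "", f"missing column {url_column!r}")]
    clean, problems, seen = [], [], set()
    for row in reader:
        line_no = reader.line_num
        raw = (row.get(url_column) or "").strip()
        try:
            parts = urlsplit(raw)
            host = (parts.hostname or "").lower()
        except ValueError:  # malformed authority, for example a broken IPv6 literal
            parts, host = None, ""
        # "Valid and complete" is read here as an absolute https URL (assumption).
        if parts is None or parts.scheme != "https" or not host:
            problems.append((line_no, raw, "not a complete https URL"))
            continue
        if host != tenant_host.lower():
            problems.append((line_no, raw, "outside tenant domain"))
            continue
        # Treat case and trailing-slash variants of one site as duplicates.
        key = (host, parts.path.rstrip("/").lower())
        if key in seen:
            problems.append((line_no, raw, "duplicate"))
            continue
        seen.add(key)
        clean.append(raw)
    if len(clean) > MAX_URLS:
        problems.append((0, "", f"{len(clean)} URLs exceeds limit of {MAX_URLS}"))
    return clean, problems


if __name__ == "__main__":
    urls, issues = validate_scope_csv(SAMPLE_CSV, "contoso.sharepoint.com")
    print(f"{len(urls)} usable URLs")
    for line_no, value, reason in issues:
        print(f"line {line_no}: {reason}: {value}")
```
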

Excluding users or groups

You can exclude specific users, Microsoft 365 Groups, or security groups from receiving site lifecycle management requests and notifications, even if they're site owners or site admins for sites that are included in a policy.

Key behaviors:

  • Exclusions are used only to determine notification recipients.
  • Excluding a user or group doesn't change site permissions or ownership, and doesn't exclude the site from lifecycle policy evaluation.
  • Sites continue to be evaluated by the policy as usual.

Limits:

  • You can add up to 100 entries to the exclusion list.
  • Each entry can be an individual user, a Microsoft 365 Group, or a security group.
  • The 100-entry limit applies to the number of entries, not the number of users within a group. For example, a group with more than 100 members counts as one entry.

Group exclusion behavior (important):

  • When a group is added to the exclusion list for a policy, that group is excluded from notifications only when the group is directly added to the site or is a nested group within other groups that are directly added to the site.
  • A member of an excluded group might still receive a notification if they're directly added to the site or are part of some other group that is directly added to the site.

Ownership policy notifications

Each policy runs every month to identify noncompliant sites. The policy sends email notifications to the configured set of recipients. Notifications trigger only if the policy runs in active mode.

Important

Site lifecycle policies use Outlook Actionable Messages to enable recipients to take necessary actions within the email.

The potential recipients of these email notifications, if you configure them in the policy, are:

  • Current site owners: If you set the minimum owner or admin count to 2 and the site has an existing site owner, the owner receives an email notification asking them to add another owner.

  • Current site admins: If you set the minimum owner or admin count to 2 and the site has an existing site administrator, the administrator receives an email notification asking them to add another owner.

  • Managers of previous owners or admins: If an owner or admin of a site leaves the organization, their managers are informed that the site needs an owner for effective management. If managers are members of a site, they can accept ownership. If they're visitors or don't have access to the site, they can coordinate with SharePoint admins to find the next best owner.

    • As a user's details are deleted from the system 30 days after leaving the organization, managers might get only one notification about the site.

    • If the policy runs after 30 days of a user's leaving the organization, manager information isn't available, and notifications can't be sent.

      • For a Teams site, the "manager of the previous site owner" notification works only for users added directly to the SharePoint site owner. If the user was added from a Microsoft 365 Group, the notification isn't sent. This is a system limitation due to how user information is retained after an account is deleted. Therefore, to improve the chances of successfully sending notifications, select at least three options.
  • Active site members: Based on policy configuration, the policy sends emails to the most recent active members of a site to accept ownership.

    • To ensure relevance and recency, read or write activity performed by a site member on a site in the last 180 days is considered as an activity.

    • Any user with last activity beyond 180 days isn't considered for these notifications.

    • External and guest users aren't considered for these notifications to accept ownership.

      Note

      If a site has no one to notify as per the email recipients provided during policy configuration, the count is provided in the summary. You can triage the sites and determine the next course of action.

Customize email notifications

Admins can customize the emails that site lifecycle management policies send to site owners and admins for certification or attestation. Customized email content helps improve the read-through rate and response rate of these emails, which contributes to better governance across the tenant.

The option to customize emails is available in the configure step for all site lifecycle management policies.

Selecting Customize email to be sent opens the customization window:

Screenshot showing the email customization window with fields for sender, subject, message, policy guideline URL, and policy guideline description text.

| Customizable section | Description |
| --- | --- |
| Sender | Configuring a custom domain (in the Microsoft 365 admin center) is a prerequisite to using the email customization feature. For more information, see Choose which domain to use for your email. |
| Subject (up to 100 characters) | You can use $UserDisplayName to insert the user's name and $SiteName to insert the name of the site. |
| Message (up to 500 characters) | You can use $UserDisplayName to insert the user's name, $SiteName to insert the name of the site, and $SiteUrl to insert the URL of the site. |
| Policy guideline URL | Only valid HTTP links are allowed. |
| Policy guideline description text | Default value is the placeholder text. |

You can also customize emails for existing policies. To customize emails, follow these steps:

  1. Select an existing policy.

  2. Go to Edit configuration.

  3. Find the email customization option.

Note

If you don't configure email customization for a policy, the system continues to send default emails from noreply@sharepoint.com.

What to do if you can't customize email messages

You might not be able to customize emails if the custom domain setting isn't configured or is turned off.

You must configure the Send email notifications from your domain setting in the Microsoft 365 admin center before you can customize emails. If this setting isn't configured, you see a warning message on the top of the policy list, as shown in the following image:

Screenshot showing a warning message that appears when the custom domain setting is turned off, indicating that email customization isn't available.

You might also see the warning message during the configuration step, as shown in the following screenshot:

Screenshot showing warning message during configuration.

If you previously customized emails in one or more policies and the Send email notifications from your domain setting in the Microsoft 365 admin center is later turned off, you see the message bar in the policy list and a warning message in the email customization window, as shown in the following screenshot:

Screenshot showing a warning message when the custom domain setting is turned off after email messages were previously customized.

Note

Only someone who has the Global Administrator role can configure domain settings in the Microsoft 365 admin center.

Sites managed by multiple site lifecycle management policies

For each type of site lifecycle management policy, such as site ownership policy, inactive site policy, and site attestation policy, if you create multiple policies under the same type, notification emails aren't repeated. If a notification was sent within the last 30 days from any policy of that type, and the site remains uncertified, no further notifications are sent. The policy execution report shows the site's status as "Notified by another policy."

For example, if a site is covered by two different site ownership policies and receives a notification email from the first policy, the second policy doesn't send any other notifications within the next 30 days if the site remains uncertified.

Make sure that policies of the same type don't have overlapping scopes. If sites fall under the scope of multiple policies of the same type, the notification schedule and enforcement actions on the site could become unpredictable.

Enforcement actions

Note

Hard enforcement actions (such as locking a site or setting it to read-only) are limited to ownerless (zero owner) sites, where there's no accountable party and the governance risk is highest. Applying such enforcement to sites with an active owner can be disruptive and might unintentionally affect business workflows. As a result, this policy is designed to nudge rather than disrupt: single-owner sites receive notifications and reporting to encourage restoration of the minimum owner count, without blocking access. If the site owner takes no action on a site that has an owner but still violates the policy, there's a three-month cool-off period after the third notification, after which notifications resume.

The following table summarizes how the site ownership policy behaves, based on the selected enforcement action:

| Enforcement action | Policy behavior |
| --- | --- |
| Do nothing | The specified recipients receive monthly notifications for three months. After this period, the policy sends no notifications for the next three months. If the site remains in violation of ownership criteria after six months, monthly notifications resume. The policy execution report lists sites in violation as unactioned. You can download this report and filter out sites marked as unactioned. |
| Read-only access | The specified recipients receive monthly notifications for three months. If the notification recipients don't complete attestation during this period and the site continues to be ownerless, it goes into read-only mode. If the notification recipients don't complete attestation during this period but the site has at least one owner, after the third notification, there's a three-month cool-off period, after which notifications resume. |
| Archive sites after mandatory read-only period | The specified recipients receive monthly notifications for three months. If the notification recipients don't complete attestation during this period, and the site continues to be ownerless, then the site goes into a read-only mode for the configured number of months. After the configured number of months, the site gets archived through Microsoft 365 Archive. Archival must be enabled for the tenant in the Microsoft 365 admin center. If the notification recipients don't complete attestation during this period but the site has at least one owner, after the third notification, there's a three-month cool-off period, after which notifications resume. |

Read-only mode

A site ownership policy that you configure with the read-only enforcement action sends extra notifications to inform the specified recipients when there's no response.

When a site goes into read-only mode, a notification is sent.

Screenshot of Site lifecycle management read-only mode notification.

If a site is in read-only mode, the following banner is added to the site:

Screenshot of Site lifecycle management read-only mode banner at the top of a SharePoint site.

Important points about read-only or locked sites

For sites that are in a read-only or locked state, the following behaviors are expected.

  • Unlocked sites: Always included in policy scope

  • Read-only sites locked by the same policy type:

    • Included in scope
    • Report indicates the site was previously actioned by this policy
  • Read-only sites locked by a different policy type:

    • Excluded from policy scope
    • Another policy already owns and governs this site
  • Read-only sites externally locked (locked because of non-site lifecycle management reasons):

    • Included in scope
    • External locks do not prevent the site from being evaluated by the policy
  • No-access (fully locked) sites:

    • Included in scope, but no enforcement action is taken
    • The policy skips action because the site is already in a no access locked state

These are default behaviors that can't be modified through policy configurations.

Remove site from read-only mode

To remove a site from read-only mode in SharePoint admin center, go to the Active sites page, select the site, and then select Unlock from the site page panel.

Site owners can't remove a site from read-only mode and must contact the tenant admin to remove read-only mode.

Screenshot of Site lifecycle management site page in SharePoint admin center.

Unarchive a site

To unarchive a site in SharePoint admin center, expand Sites and select Archived sites. Select the site you want to unarchive and select Reactivate.

Note

Only tenant admins can reactivate an archived site.

Reporting

After each run of the configured policy, you can view a report about the sites it identifies.

In the Site ownership policies page, select the desired policy from the list.

The report outlines the number of sites that don't meet the ownership criteria, along with the number of sites that don't have anyone to notify.

Screenshot of ownership policy report.

Select Download report to download the detailed report in a .csv format. The following table describes the information included in the policy execution report:

| Column | Description |
| --- | --- |
| Site name | Name of the site |
| URL | URL of the site |
| Template | Template of the site |
| Sensitivity label | Sensitivity label of the site |
| Retention policy | Indicates if any retention policy is applied to the site |
| Site lock state | State of site access before the policy runs (Unlock/Read-Only/No access) |
| Minimum owners or admins configured | Minimum owner or admin count you configured while creating the policy |
| Number of site owners | Total count of site owners for the site |
| Email address of site owners | Email addresses of all site owners |
| Number of site admins | Total count of site admins for the site |
| Email address of site admins | Email addresses of all site admins |
| Managers of previous owners or admins | Email addresses of the managers of previous owners or admins (if this option was configured during policy set-up) |
| Active members | Email addresses of the active site members (if this option was configured during policy set-up) |
| Total notifications count | Total notifications sent so far by any policy under the same policy template |
| Action status | Status of the site [First/second/third notification sent, Site in read-only mode, Site archived, Action taken by another policy] |
| Action taken on (UTC) | Date on which the enforcement action was taken (date when site was archived or put in read-only mode) |
| Last activity date (UTC) | Date of last activity detected across SharePoint site and connected workloads |
| Site creation date (UTC) | Date when the site was created |
| Storage used (GB) | Storage consumed by the site |
| Duration in read-only (days) | Number of days the site is in the enforced read-only state |
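The downloaded report can be triaged offline to separate ownerless sites, sites below the configured minimum, and sites with no one to notify. The following Python script is an added example, not Microsoft's tooling; it assumes the CSV headers match the column names in the table above and runs on a constructed sample with a subset of those columns.

```python
import csv
import io

# Column names are taken from the report table above; the exact headers in
# the downloaded .csv are an assumption and might need adjusting.
RECIPIENT_COLUMNS = (
    "Email address of site owners",
    "Email address of site admins",
    "Managers of previous owners or admins",
    "Active members",
)

# Constructed sample rows, not real report output.
SAMPLE_REPORT = """URL,Sensitivity label,Minimum owners or admins configured,Number of site owners,Email address of site owners,Email address of site admins,Managers of previous owners or admins,Active members,Storage used (GB)
https://contoso.sharepoint.com/sites/finance,Confidential,2,0,,,,,12.5
https://contoso.sharepoint.com/sites/hr,,2,1,owner1@contoso.com,admin1@contoso.com,,,3.0
https://contoso.sharepoint.com/sites/legacy,,2,0,,,mgr@contoso.com,,40.0
"""


def triage_report(text, count_column="Number of site owners"):
    """Bucket report rows by how urgently they need an administrator.

    count_column selects the role the policy holds responsible; switch it to
    "Number of site admins" if the policy counts administrators instead.
    """
    ownerless, below_minimum, no_one_to_notify = [], [], []
    for row in csv.DictReader(io.StringIO(text)):
        count = int(row[count_column] or 0)
        minimum = int(row["Minimum owners or admins configured"] or 0)
        if count >= minimum:
            continue  # meets the criteria; nothing to triage
        (ownerless if count == 0 else below_minimum).append(row)
        # No address in any recipient column means no notification can go
        # out, so the site depends on manual follow-up.
        if not any((row.get(col) or "").strip() for col in RECIPIENT_COLUMNS):
            no_one_to_notify.append(row)

    # Review labelled sites first, then the largest sites.
    ownerless.sort(key=lambda r: (
        not (r.get("Sensitivity label") or "").strip(),
        -float(r.get("Storage used (GB)") or 0),
    ))

    def urls(rows):
        return [r["URL"] for r in rows]

    return {
        "ownerless": urls(ownerless),
        "below_minimum": urls(below_minimum),
        "no_one_to_notify": urls(no_one_to_notify),
    }


if __name__ == "__main__":
    for bucket, sites in triage_report(SAMPLE_REPORT).items():
        print(bucket, sites)
```
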

Enabling actionable messages for SLM policies in US Government Cloud (GCC High and DoD) environments

In US Government Cloud (GCC High and DoD) environments, a tenant administrator must complete an extra, one-time setup for SharePoint site lifecycle management (SLM) policies to use actionable messages. This step helps ensure that policy notification emails display and function correctly. For example, site admins and site owners can take actions directly from email.

Unlike other commercial cloud environments, GCC High and DoD tenants require explicit administrator approval of the actionable message provider before it can send interactive email messages. Without this approval, SLM policy emails are delivered, but action buttons don't function as expected.

Important

You must be a Global Administrator or Exchange Administrator in the tenant to set up actionable messages.

Approve the SLM actionable message provider

  1. Go to the Outlook Actionable Messages – Connectors admin portal for GCCH or DoD and sign in.

  2. In the Provider Status filter, select Approved by Microsoft – Pending Your Approval.

  3. Locate the provider named InactiveSiteOAMProviderGCCH.

  4. Select the provider, and then select Approve.

After you approve the provider, the SLM policy notifications send actionable messages.

Note

This approval applies only to SLM policy notifications. Other applications or services that use actionable messages might require separate approval.

Ensure actionable messages are enabled for the tenant

Site lifecycle management policies use Outlook actionable messages to enable site owners or site administrators to take necessary actions by using links within email messages.

Troubleshooting actionable messages

If actionable messages don't work as expected, try these steps:

  • Make sure that the InactiveSiteOAMProviderGCCH provider is in an approved state.
  • Allow sufficient time. It can take up to 24 hours for changes to propagate.