Administration

SharePoint Health Assessment: 15-Question Enterprise Checklist

A 15-question SharePoint health assessment your team can self-run in about two hours. Includes PowerShell checks, green/amber/red thresholds, and a 0-100 scoring rubric.

SharePoint Support Team2026-06-2512 min read
SharePoint Health Assessment: 15-Question Enterprise Checklist - Administration guide by SharePoint Support
SharePoint Health Assessment: 15-Question Enterprise Checklist - Expert Administration guidance from SharePoint Support

Every time we start a new engagement we begin with a two-hour health assessment. Fifteen questions across five categories — Access and Permissions, Copilot Readiness, Storage and Performance, Governance, and Compliance. It surfaces enough about the tenant to structure a serious remediation plan and, more importantly, to price it accurately.

This is that assessment, published here so any enterprise can self-run it before deciding whether to bring in outside help. Each question includes what to check, the PowerShell or admin center path to check it, thresholds for green (healthy), amber (needs attention), and red (must remediate before Copilot or major deployment), and the remediation category. At the end there is a 0-100 scoring rubric with color bands so you know where you stand.

How to use this assessment

Three practical notes:

SharePoint architecture diagram showing hub sites, team sites, and content structure
Enterprise SharePoint architecture with hub sites and connected team sites
  • Budget two hours — running the 15 checks is fast if you have tenant admin access. Interpreting the results is what takes time.
  • Use two people — a SharePoint admin who knows the tenant and an executive sponsor who knows the business context. Every finding needs both technical and business framing.
  • Score honestly — an amber that you plan to fix is still amber today. The assessment is only useful if it reflects reality.

Category 1 — Access and Permissions (3 questions)

Q1. How many sites have "Everyone" or "Everyone except external users" in a permission group?

Why it matters: Any content in these sites is effectively public across the tenant. When Copilot is enabled it will surface this content to any user who asks, regardless of the sensitivity.

Check with:

```powershell

Connect-PnPOnline -Url https://.sharepoint.com -Interactive

$sites = Get-PnPTenantSite -IncludeOneDriveSites:$false

$oversharing = @()

foreach ($s in $sites) {

Connect-PnPOnline -Url $s.Url -Interactive

$groups = Get-PnPGroup

foreach ($g in $groups) {

$members = Get-PnPGroupMember -Identity $g.Id

if ($members.LoginName -match 'spo-grid-all-users|federateddirectoryclaimprovider') {

$oversharing += $s.Url

}

}

}

$oversharing | Sort-Object -Unique | Measure-Object

```

Thresholds:

  • Green: 0-5% of sites
  • Amber: 6-15% of sites
  • Red: More than 15% of sites

Remediation category: Permission remediation, sensitivity labeling, potentially Restricted Content Discovery for high-risk sites.

Q2. What percentage of sites have external sharing enabled with "Anyone" links?

Why it matters: Anyone links are unauthenticated shareable URLs. In an enterprise tenant they are almost always a governance failure — a workaround for a broken permission model.

Check with: SharePoint admin center > Policies > Sharing > review tenant-level default; then Get-SPOSite for per-site sharing settings.

Thresholds:

  • Green: 0% (Anyone links disabled tenant-wide or restricted to specific sites)
  • Amber: 1-10% of sites
  • Red: More than 10% of sites, or Anyone links enabled tenant-wide as default

Remediation category: Sharing policy hardening, DLP policies for external sharing, monitoring for policy violations.

Q3. How many active guest accounts exist in the tenant, and when did each last authenticate?

Why it matters: Stale guest accounts accumulate over years. Each is a potential attack vector and each has some level of access to shared content.

Check with:

```powershell

Get-MgUser -Filter "userType eq 'Guest'" -Property Id, DisplayName, Mail, SignInActivity |

Select DisplayName, Mail, @{n='LastSignIn';e={$_.SignInActivity.LastSignInDateTime}} |

Sort LastSignIn

```

Thresholds:

  • Green: All guests authenticated within last 90 days OR guest lifecycle policy active
  • Amber: 10-30% of guests inactive more than 180 days
  • Red: More than 30% of guests inactive more than 180 days, or no guest lifecycle policy

Remediation category: Guest cleanup, Entra ID guest lifecycle policy, quarterly access reviews.

Category 2 — Copilot Readiness (3 questions)

Q4. What percentage of active content in the tenant has a sensitivity label applied?

Why it matters: Copilot honors sensitivity labels. Unlabeled content is treated as unprotected — if a user has permission to read it, Copilot will surface it, even if it should be confidential.

Check with: Purview compliance portal > Information protection > Reports > Sensitivity label activity.

Thresholds:

  • Green: More than 90% of content labeled
  • Amber: 60-90% labeled
  • Red: Under 60% labeled or no auto-labeling policy configured

Remediation category: Sensitivity label deployment, auto-labeling policy design, simulation-before-enforce process.

Q5. Are Copilot Agents enabled and, if so, is per-site labeling coverage above 95% on those sites?

Why it matters: Even with tenant-wide labeling in place, Copilot Agents enabled on sites with poor label coverage will overshare.

Check with: SharePoint admin center > Copilot settings; then per-site label coverage via Purview reports.

Thresholds:

  • Green: Agents enabled only on sites with more than 95% label coverage
  • Amber: Agents enabled on some sites with 80-95% coverage
  • Red: Agents enabled tenant-wide with no per-site coverage requirement

Remediation category: Copilot governance charter, per-site labeling before enablement, RCD for sensitive sites. See our SharePoint Copilot service for our full governance framework.

Q6. What is the current or forecast per-user monthly cost for Copilot Agents?

Why it matters: Consumption-based pricing means costs scale with usage. Without measurement, enterprises overrun budget by 300-500% in the first 90 days.

Check with: Azure Cost Management > filter to Microsoft 365 Copilot cost meter; combine with active-user count from Copilot dashboard.

Thresholds:

  • Green: Cost tracked monthly, budget alerts configured at 50/80/100%, per-agent quotas set
  • Amber: Cost tracked but no budget alerts or per-agent quotas
  • Red: Cost not tracked or over $3 per user per month with no containment plan

Remediation category: Cost forecasting, budget alerts, per-agent quotas, agent lifecycle policy.

Category 3 — Storage and Performance (3 questions)

Q7. How close is the tenant to the SharePoint storage quota?

Why it matters: Hitting the quota disables uploads across the tenant. Storage growth patterns matter — a tenant at 60% today growing 8% per month will hit the quota in 5 months.

Check with: SharePoint admin center > Storage usage; export monthly to trend growth.

Thresholds:

  • Green: Under 70% used with under 5% monthly growth
  • Amber: 70-85% used, or growth rate above 8% monthly
  • Red: More than 85% used, or storage buy required in less than 90 days

Remediation category: Storage cleanup (empty recycle bins, orphaned OneDrive, archived project sites), archive tier evaluation, quota purchase.

Q8. How many document libraries are approaching the 5 million item threshold?

Why it matters: SharePoint libraries above 5M items experience significant performance degradation. Some views become unusable. Refer to Microsoft's SharePoint limits documentation for full boundary details.

Check with:

```powershell

$sites = Get-PnPTenantSite

$largelibs = @()

foreach ($s in $sites) {

Connect-PnPOnline -Url $s.Url -Interactive

$lists = Get-PnPList | Where-Object { $_.ItemCount -gt 4000000 }

foreach ($l in $lists) {

$largelibs += [PSCustomObject]@{

Site = $s.Url

Library = $l.Title

ItemCount = $l.ItemCount

}

}

}

$largelibs | Sort ItemCount -Descending

```

Thresholds:

  • Green: No libraries above 4M items
  • Amber: 1-3 libraries between 4M-5M items
  • Red: Any library above 5M items or more than 3 above 4M

Remediation category: Library splitting, archival to secondary storage, information architecture redesign.

Q9. What is the median Core Web Vitals score for the top 20 SharePoint sites?

Why it matters: Slow SharePoint sites are the number one driver of user complaints. Beyond user experience, poor performance breaks the case for Copilot adoption.

Check with: PageSpeed Insights on landing pages of top 20 sites; export scores to workbook.

Thresholds:

  • Green: Median Performance greater than 85, LCP less than 2.5s
  • Amber: Performance 60-85, LCP 2.5-4s
  • Red: Performance less than 60, LCP more than 4s

Remediation category: Web part optimization, image compression, custom code review, CDN configuration.

Category 4 — Governance (3 questions)

Q10. Is there a documented, current information architecture (IA) design?

Why it matters: Without a current IA, sites proliferate uncontrolled. Every migration, every Copilot rollout, every retention project runs 3x cost because the ground truth has to be rediscovered.

Check with: Ask the SharePoint owner: "Show me the current IA document." Anything more than 12 months old is stale.

Thresholds:

  • Green: IA document reviewed within last 12 months, aligned to current business structure
  • Amber: IA document exists but more than 12 months old
  • Red: No IA document, or last version predates the last major reorg

Remediation category: IA workshop, site inventory, hub site design, taxonomy refresh.

Q11. Is site provisioning centralized and automated, or ad-hoc?

Why it matters: Ad-hoc provisioning creates 500-2,000 sites over 3 years that no one governs. Copilot indexes all of them. Retention policies do not apply to them. External sharing is inconsistent across them.

Check with: Ask: "How do users request a new SharePoint site?" If the answer involves an IT ticket AND a manual approval AND custom configuration, that is the process. If the answer involves users clicking "Create site" from Teams or SharePoint Home, provisioning is not governed.

Thresholds:

  • Green: Automated request/approval workflow with template-based provisioning
  • Amber: Manual provisioning with consistent template, but no automated request workflow
  • Red: Ad-hoc provisioning; users self-serve sites without governance review

Remediation category: Site provisioning workflow (Power Automate + Graph), site templates, request/approval process. Our SharePoint intranets service covers our provisioning framework.

Q12. Are site lifecycle policies (inactive site cleanup, ownership review) in place?

Why it matters: Sites accumulate. Owners leave the company. Sites become orphaned. The Copilot indexes them all. Storage costs grow. Governance decays.

Check with: SharePoint admin center > Policies > Site lifecycle policies. Check for inactive site policy, orphaned site policy, ownership review cadence.

Thresholds:

  • Green: Inactive site policy (180 days), quarterly ownership reviews, automatic archival for orphaned sites
  • Amber: Some policy in place but inconsistent enforcement
  • Red: No site lifecycle policy — sites persist indefinitely regardless of activity or ownership

Remediation category: Lifecycle policy design and deployment, ownership review workflow, archival tier configuration.

Category 5 — Compliance (3 questions)

Q13. Are retention labels in Purview deployed and enforcing across regulated content?

Why it matters: Regulated enterprises must be able to prove retention. Classic SharePoint retention is being retired; Purview labels are the successor. If they are not deployed and enforcing, retention is broken.

Check with: Purview compliance portal > Records management > Retention labels > review labels, published policies, and label activity report.

Thresholds:

  • Green: Comprehensive Purview label taxonomy deployed, more than 90% of regulated content labeled
  • Amber: Labels deployed but coverage under 90% or enforcement gaps
  • Red: Still using classic SharePoint retention only, or no retention labels deployed

Remediation category: Purview label design, auto-apply policies, event-based retention integrations. See Microsoft's Purview retention documentation for the current supported configurations.

Q14. Is a tenant-wide permissions report reviewed on a regular cadence?

Why it matters: Permission drift is inevitable. Without a periodic review process, oversharing accumulates silently for years.

Check with: Purview compliance portal > Data lifecycle management > SharePoint access review; and SharePoint admin center's tenant-wide permissions report.

Thresholds:

  • Green: Permissions report reviewed quarterly with documented action items
  • Amber: Report generated but reviewed inconsistently
  • Red: No permissions review process, or review is annual with no follow-through

Remediation category: Access review workflow, quarterly cadence with named owners, remediation tracking.

Q15. Is there a documented eDiscovery and legal hold process, tested within the last 12 months?

Why it matters: When litigation happens, "we will figure out eDiscovery when we need to" is an expensive answer. Untested processes fail on the day they matter.

Check with: Ask legal: "When did we last run an eDiscovery drill?" Anything more than 12 months old is not tested.

Thresholds:

  • Green: Documented process, tested within 12 months, dedicated legal reviewer trained on Purview eDiscovery Premium
  • Amber: Process documented but not tested recently
  • Red: No documented process, or process tested more than 24 months ago

Remediation category: eDiscovery playbook, legal hold procedures, tabletop exercise, training on Purview eDiscovery Premium.

Scoring rubric (0-100)

Score each question 0-3: 0 = red, 1.5 = amber, 3 = green. Multiply the total by 100/45 to normalize to 100.

| Score band | Health status | Interpretation |

|---|---|---|

| 90-100 | Enterprise-grade | Tenant is ready for Copilot, ready for regulated deployment, ready for scale. Optimize the amber areas. |

| 75-89 | Solid foundation | Tenant is healthy overall but has specific gaps that should be closed before major initiatives. |

| 60-74 | Material gaps | Tenant will run into problems with Copilot cost, oversharing, or compliance. Plan remediation before scale. |

| 40-59 | Serious risk | Multiple red findings. Prioritize permission, labeling, and governance remediation before Copilot or regulated content moves. |

| Below 40 | Critical risk | Tenant is not fit for enterprise operation. Structural remediation program required. |

The pattern we see most

Enterprises typically score in the 55-75 range on first assessment. The consistent failure modes:

  • Sensitivity labeling under 40% (Q4)
  • No per-agent Copilot cost tracking (Q6)
  • No site provisioning governance (Q11)
  • No site lifecycle policy (Q12)
  • Untested eDiscovery process (Q15)

Each of those on its own is a 1-3 month remediation project. Together they are a 6-9 month program. That is what we scope when a health assessment surfaces a 60-something score.

Expert help from our SharePoint consultants

We run this assessment as a facilitated 4-hour session for consultation prospects, and produce a scored report with remediation cost estimates within 5 business days. If you have run the self-assessment and want a second opinion, or you want the facilitated version, reach out through our SharePoint consulting service or contact us. We will send back a scoring workbook and a scoped remediation plan tailored to your tenant.

Share this article:

Written by the SharePoint Support Team

Senior SharePoint Consultants | 25+ Years Microsoft Ecosystem Experience

Our senior SharePoint consultants bring deep expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments. We cover SharePoint Online, Microsoft 365, migrations, Copilot readiness, and large-scale governance.

Frequently Asked Questions

How long does the self-run assessment actually take?
Two hours if you have SharePoint tenant admin access, Purview compliance admin access, and Entra ID admin access ready. Most of the time is running the PowerShell scripts, waiting for Purview reports to generate, and thinking through the amber-versus-red judgment calls. Enterprises with 500+ SharePoint sites should budget three to four hours because the oversharing audit takes longer to complete. Enterprises that need to request admin access first should plan a week to get access provisioned and run the assessment.
What score do we need to hit before enabling Copilot Agents?
A minimum of 75 overall, with no red findings on Q1 (oversharing), Q4 (sensitivity labeling), or Q5 (per-site Copilot labeling coverage). Enterprises that enable Copilot Agents with red findings in those categories reliably experience two outcomes: unexpected cost overruns in the first 90 days and at least one oversharing incident that gets escalated. Fixing those three questions before Copilot enablement adds two to four months but prevents the incident and the remediation cost that follows.
Can we run this assessment without external tools?
Yes. Every check in the assessment uses either the SharePoint admin center, the Purview compliance portal, PowerShell (PnP.PowerShell and Microsoft.Graph modules), or Azure Cost Management. There are third-party tools that automate parts of this (ShareGate, AvePoint, Rencore), but they are not required. The value of manual execution is that your team learns the tenant in the process — which pays off for every subsequent remediation project.
What is the single biggest driver of a low health score?
Sensitivity labeling coverage under 60% (Q4). Almost every other finding is downstream of labeling. Without labels, oversharing cannot be contained, Copilot cost forecasting is unreliable, retention labeling is incomplete, and compliance reporting is manual. Enterprises that invest in a serious labeling program (auto-labeling policies, sensitive-info-type customization, simulation-then-enforce methodology) move their overall health score by 15-25 points in six months, without touching any other area.
How often should we re-run the assessment?
Twice a year, and before every major initiative (Copilot rollout, tenant merger, migration, compliance program change). Twice-a-year cadence catches drift between projects: guest accounts accumulating, sites proliferating, permissions changing. Pre-initiative assessment ensures the tenant is fit for whatever is about to be layered on top. Enterprises that skip the pre-initiative assessment consistently discover the same problems mid-project, when remediation cost has tripled.
Does this assessment cover on-premises SharePoint?
No — this is scoped to SharePoint Online / Microsoft 365. On-premises SharePoint Server (2016, 2019, Subscription Edition) has a different assessment framework because the storage, permissions, governance, and compliance surfaces are all different. If you are running hybrid SharePoint, run this assessment on the online tenant, then supplement with an on-premises assessment focused on server health, farm configuration, and migration readiness. Our [on-prem to online service](/services/onpremise-to-online) covers the hybrid assessment approach.
What is the fastest way to move from red to amber on the top findings?
For Q1 (oversharing): run the audit script, remediate the top 20 sites by storage size. That covers 80% of the exposure. For Q4 (labeling): publish a default sensitivity label at the tenant level, deploy auto-labeling for one high-priority sensitive-info type (usually PHI or PCI). Coverage jumps 30-40 points in weeks. For Q11 (provisioning): stand up a basic Power Automate flow for site requests with a manager approval step. Not sophisticated, but stops the ad-hoc sprawl immediately. These three moves alone often shift a tenant from red to amber in six to eight weeks.

Need Expert Help?

Our SharePoint consultants are ready to help you implement these strategies in your organization.

Continue Reading in Administration

Administration

SharePoint Admin Center: Administration Guide

Master the SharePoint Admin Center with this guide covering site management, policies, settings, and monitoring capabilities for tenant administrators.

Administration

SharePoint Storage Management: M365 Guide

Master SharePoint storage management with strategies for monitoring usage, optimizing quotas, archiving content, and planning capacity for your Microsoft 365 tenant.

Administration

Recycle Bin Management: Data Recovery Best Practices

Master SharePoint recycle bin management for reliable data recovery. Learn first-stage and second-stage recycle bins, retention policies, PowerShell recovery commands, and enterprise backup strategies.

Administration

SharePoint vs OneDrive: When to Use Each (And When You...

Clear guide to when to use SharePoint vs OneDrive in Microsoft 365. Explains the key differences, ideal use cases for each, how they work together, and the most common mistakes organizations make.

Administration

SharePoint Admin Center: Complete Guide for 2026

Master the SharePoint Admin Center with this comprehensive guide covering site management, settings, policies, external sharing, storage quotas, and modern admin features.

Administration

SharePoint Online Storage Management: Administrator...

Optimize SharePoint Online storage usage, understand tenant storage pools, manage site quotas, identify version history bloat, reclaim wasted space, and implement storage governance policies to control costs and prevent read-only site incidents.