SPOTrim - SharePoint stale site cleanup

Connect to your tenant

SPOTrim runs entirely in your browser. It signs you in with Microsoft (PKCE) using the public Lieben Consultancy multi-tenant app and queries the Microsoft Graph & SharePoint REST APIs as you.

Your token and data never leave your browser and are NOT transmitted to Lieben Consultancy (or anyone else).

Required delegated permissions:

Sites.Read.All - enumerate all sites, read site analytics & pages
Sites.FullControl.All - read site/web modification details via SharePoint REST
User.Read - sign-in identity

Site discovery

Click below to enumerate all SharePoint sites & OneDrive sites in your tenant.

Include OneDrive sites Include SharePoint sites

Concurrency: Stale threshold (days):

Force scan (add me as owner where needed, remove afterwards)

By default SPOTrim only sees data for sites you already have access to. Sites you cannot read end up as No access. With force scan enabled, SPOTrim adds you as a temporary site collection admin to every site you don't already own, runs the analysis, and then removes you again. Sites where you are already an owner are left alone (so you don't lose existing access). Requires the SharePoint Administrator role.

	Title	URL	Type	Template	Created

Stale site analysis

Heads up: SPOTrim can only read full data for sites you have access to. Sites where you aren't an owner either show up as No access or with missing modification or view data. Use the Force scan option on the Discover & Analyze tab to have SPOTrim temporarily add you as a site collection admin for those sites and remove you again afterwards.

Recommendation	Title	URL	Type	Last modified	Last viewed	Days idle	Storage (MB)

Tip: click a row to see all signals for that site.

Debug log

Verbose

About SPOTrim

SPOTrim is part of the LCToolKit by Lieben Consultancy.

It is a fully client-side browser application. No backend, no telemetry, no data leaves your browser. All API calls are made directly from your browser to Microsoft Graph and SharePoint REST as the signed-in user, using MSAL with PKCE. SPOTrim works on any static web host - no proxy or server-side component is required.

Discovery

SharePoint sites: enumerated via Graph /sites?search=* (paginated), supplemented by SharePoint Search.
OneDrive sites: enumerated via the SharePoint Admin Tenant REST API (requires the SharePoint Administrator role). OneDrive personal sites are not returned by Graph site search and the user-facing search index trims them to what the current user can access.
Sites are classified into a richer taxonomy (Communication, Team, Modern Group, OneDrive, Hub, App Catalog, Search Center, classic templates, etc.) using the SharePoint WebTemplate captured during discovery.

Last-modified signals

For each analysed site, SPOTrim collects modification timestamps from multiple sources and uses the most recent:

Graph site: lastModifiedDateTime on /sites/{id}
SharePoint web: LastItemUserModifiedDate from _api/web (excludes system/crawl updates)
Document libraries: max LastItemUserModifiedDate across non-hidden libraries via _api/web/lists
Site Pages: most recently edited modern page via Graph /sites/{id}/pages - catches news posts and landing-page edits that happen outside document libraries

Page-view / "last viewed" signals

All view data is fetched per-site directly from graph.microsoft.com (CORS-friendly, no proxy required), batched into a single Graph $batch call:

All-time access count: /sites/{id}/analytics/allTime - total accesses ever recorded for the site, plus distinct actor count.
Last 7 days access count: /sites/{id}/analytics/lastSevenDays - recent activity bucket.
Last 30 days, daily activity: /sites/{id}/drive/items/root/getActivitiesByInterval(…,interval='day') - bucketed daily counts on the default document library, summed and converted into both a 30-day total and a most-recent active day. This is the most granular signal available via Graph and lets SPOTrim pinpoint "viewed in the last N days" rather than the coarse 7-day vs all-time choice.

Other engagement signals

Storage used: /sites/{id}/drive?$select=quota - live byte-accurate usage on the default drive (no usage report needed).
Last page edit: doubles as a modification signal AND tells you who last touched the site visually (name, page title, modifier).

Recommendations

Keep: modified within the stale threshold.
Review: not modified within the threshold but still accessed in the last 30 / 7 days, or has nonzero all-time views - likely a reference or archive site.
Clean up: not modified within the threshold and 0 all-time page views, or not viewed for at least the threshold.
No access: both _api/web and _api/web/lists returned 401/403. The site exists but the signed-in user lacks rights to read its modification signals. Filter on this advice and grant yourself site collection admin to re-scan.
Unknown: signals were unavailable for non-permission reasons (e.g. transient 5xx).

Hover the "Why" cell in the results table to see the raw signals that drove the recommendation.

Required Graph permissions (delegated)

Sites.Read.All - site enumeration, site analytics, drive activities, site pages, drive quota
Sites.FullControl.All - SharePoint REST web/lists modification metadata
User.Read - current user identity

For OneDrive enumeration the signed-in user must additionally hold the SharePoint Administrator role in Entra ID.