Our blog will guide you through best practices for identifying and addressing orphaned Microsoft Teams and Microsoft 365 Groups. It may even help prevent them in the future. Are you ready?
The topic of ownerless and orphaned Groups and Microsoft Teams is of particular interest, especially in the wake of recent mass layoffs and downsizing.
In a nutshell, orphaned Microsoft Teams and Groups are those that don’t have an assigned or active Owner. This also includes Teams and Groups whose Owner has been blocked from signing into your company's Microsoft 365 tenant.
And lastly, Groups that have no members are also considered orphaned.
Since Teams membership is determined by Microsoft Groups, when a Group becomes ownerless, so does the associated Team.
Microsoft has some pretty great failsafe mechanisms in place to ensure that no Team is left without an Owner. Whenever a new Microsoft Team is created, a corresponding Microsoft 365 Group is also created. The person who creates it becomes the Owner by default. If the sole Owner of a Microsoft Team tries to leave it, they will be asked to assign a new Owner before they can proceed.
That said, there are still a few scenarios that lead to orphaned Microsoft Teams.
This is a simple scenario where an employee leaves the company. Their account is then disabled or deleted in Azure Active Directory.
This scenario can be challenging to handle. In some cases, the Owner of a Microsoft Team may get promoted to a different role or department. Or they may go on long-term leave. Even though they are still listed as Team Owners, they are not actively managing the Team.
User account deletions can occur accidentally or due to technical issues.
For instance, an administrator might unintentionally delete an account while performing another task, or network errors could lead to account deletion. Users can also be blocked from logging into the M365 tenant due to a technical error.
Orphaned Teams and Groups may not seem like a big deal at first sight. Without a Team Owner, members of the Team can still collaborate, chat, share, and access documents. That said, when you know what Owners are responsible for, the threats and risks become a lot more apparent.
The Owner of a Microsoft Teams team is responsible for several important tasks, which include:
These are some very important responsibilities, all of which go completely unattended when a Team has no Owner or an inactive Owner.
Public Teams are the ones that are visible to everyone and are accessible from the Teams gallery. Members can join and leave Public Teams without any restrictions.
Private Teams are different from public Teams, as they require an invitation from the Team Owner to join. The Team members can only leave with the permission of the Owner.
In the case of orphaned Groups or Teams, the members are unable to invite new members. They may be stuck in the Team indefinitely until a tenant administrator intervenes, which, of course, adds extra work to their already overloaded plates.
The largest security risk lies in whether there are Guests present within a Team. Since Team members cannot join or leave the Team without an Owner, neither can Guests.
They will stay in the Team for an unlimited time, even if they are no longer necessary. This gives them access to all the Team's resources and other Microsoft 365 services, which can pose a massive security risk.
Without an Owner, it's natural for things to get out of control in Teams. This is because Owners are responsible for monitoring activity and mailbox usage, ensuring compliance, promoting collaboration, and making sure Teams is used effectively.
So, we’ve figured out that orphaned Microsoft Teams are undesirable. Now what?
This is when you need to actively keep an eye on orphaned Groups and Teams. You will also need to establish a process to track movements and leaves across departments.
There are a few ways M365 admins can go about locating orphaned Teams.
The Microsoft 365 Admin Centre provides you with Microsoft 365 analytics and reports:
When a Team doesn’t have an Owner, you will see a 0 in that column. There will also be a warning sign next to it.
In Microsoft Teams Admin Center you can find the following details about all Teams in your tenant:
If there are no Owners in a Team, you will see a 0 in that column, along with a warning sign. This indicates that it is an orphaned Team.
This is probably the easiest, but also the least effective, way of finding orphaned Teams. It may be manageable if you have 50-100 Teams, but it becomes impossible in larger organizations with hundreds or thousands of Teams.
Another downside is that the Teams Admin Center will only show Teams with absolutely no Owners.
If a Team Owner cannot sign into M365 or is inactive, the Admin Center cannot be of much help. You will need to go through each Owner and check their status one by one, losing endless hours.
The Get-TeamUser cmdlet can be utilized to determine if a team has an Owner. It will provide a list of all its members and Owners. To get a list of orphaned Microsoft Teams, you need to use the Get-Team and Get-TeamUser cmdlets. Then you will need to apply additional filters.
There are PowerShell scripts available out there to create a report of orphaned Teams. A sample report will look something like this:
To keep track of orphaned Teams, you should automate the script to run on a regular basis using Windows Task Scheduler.
The script can find Teams without Owners, but not Teams with inactive Owners.
First, you need to check the status of each Team Owner in your Azure Active Directory. This will help you locate inactive Owners who are blocked from signing into M365. Then, you will need to identify all Teams they are Owners of.
If an Owner moves departments, gets promoted, or goes on leave, you'll need to find them in Azure AD. Then you'll need to identify all the Teams they own using another PowerShell script or a combination of them.
The script uses the Get-Team cmdlet to retrieve all Teams, then uses the Get-TeamUser cmdlet and filters the results to obtain the Owners.
The script will look for a particular Owner among all the Teams by using the Get-Team and Get-TeamUser cmdlets. It will check if they are an Owner of a Team. If they are, the script adds the Team name to an array called $teamsWithSpecificOwner.
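The two checks described above (Teams with no Owner, and Teams whose Owners are all blocked from signing in) can be combined into one report. This is an added example, not the script the blog refers to; it assumes the MicrosoftTeams and Microsoft.Graph.Users modules are installed, the output file name OrphanedTeams.csv is arbitrary, and it covers only sign-in-blocked Owners, not Owners who changed roles or are on leave.

```powershell
# Added example, not the blog's script. Assumes the MicrosoftTeams and
# Microsoft.Graph.Users modules are installed and the signed-in admin can
# read all Teams and users in the tenant.
Import-Module MicrosoftTeams, Microsoft.Graph.Users
Connect-MicrosoftTeams | Out-Null
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null

$enabledCache = @{}   # owner object id -> [bool]; each owner is looked up once

function Test-OwnerEnabled([string]$UserId) {
    if (-not $enabledCache.ContainsKey($UserId)) {
        # accountEnabled is not in the default property set, so request it.
        # Design choice: an owner that cannot be resolved counts as not enabled.
        $u = Get-MgUser -UserId $UserId -Property 'id,accountEnabled' -ErrorAction SilentlyContinue
        $enabledCache[$UserId] = [bool]$u.AccountEnabled
    }
    $enabledCache[$UserId]
}

$report = foreach ($team in Get-Team) {
    $owners  = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
    $blocked = @($owners | Where-Object { -not (Test-OwnerEnabled $_.UserId) })

    $status = $null
    if ($owners.Count -eq 0) { $status = 'NoOwner' }
    elseif ($blocked.Count -eq $owners.Count) { $status = 'AllOwnersBlocked' }
    if (-not $status) { continue }   # at least one Owner can still sign in

    [pscustomobject]@{
        Team          = $team.DisplayName
        GroupId       = $team.GroupId
        Visibility    = $team.Visibility
        Status        = $status
        BlockedOwners = $blocked.User -join ';'
        GuestCount    = @(Get-TeamUser -GroupId $team.GroupId -Role Guest).Count
    }
}

# Teams that still hold Guests come first: they carry the largest exposure.
$report | Sort-Object GuestCount -Descending |
    Export-Csv -Path .\OrphanedTeams.csv -NoTypeInformation
```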
Needless to say, IT admins’ responsibilities in the modern hybrid workplace go way beyond managing M365 day in and day out. Businesses aim to automate processes to reduce technical debt, allowing more time for innovation, security improvements, and digital transformation. Reviewing Teams to find orphaned and ownerless ones is not a good use of time for IT admins. It demands both specific skills and a significant amount of time and resources, which are often in short supply.
This is where third-party M365 administration tools like Orchestry come in.
Orchestry provides a user-friendly dashboard that shows Microsoft 365 reports, including a complete list of orphaned Groups and Teams. All this with zero coding.
Even more impressive, with a tool like Orchestry, admins can easily filter through all Teams, SharePoint sites, and Groups that specific team members belong to.
Orchestry makes it easy to find Teams that a Team Owner is a part of. This makes it a quick and effortless task to replace them with another Owner in cases of leave or departmental moves.
If you want to find Teams and Groups without members, Orchestry can help. It allows you to review Owners, Members, and Guests' insights and use filters to identify Teams with no members.
Finding orphaned Teams and Groups is only half the battle. After finding the Orphaned Teams, you must assess why the Owner has been lost and determine what action to take next.
Many organizations have gone through a phase of rapid cloud technology adoption. During this phase, members of the organization have naturally gone through a bit of "test and fail". This means there are likely tons of Teams and Groups within your tenant that need to be decommissioned.
Having numerous Teams in your tenant without Owners and no clear purpose is known as Microsoft Teams sprawl.
Want to know if your tenant is getting out of control? Read this article to learn how to audit it.
To know what to do with an orphaned Team or Group, the first step is to check if it's still necessary.
If the Team is no longer useful and has no Owner, you will need to archive the Microsoft Team. You will also need to archive the SharePoint site associated with it.
Since there is no Owner, the M365 Admin will need to complete Microsoft Teams cleanup.
To archive Teams:
To prevent editing of content, make the SharePoint site read-only for team members.
If the Team is active but has no Owner, the M365 Admin must assign a new Owner. They can also promote a current member to an Owner status.
You can do this on a one-by-one basis within the Microsoft Group by following the steps:
You can also use PowerShell to replace Owners in multiple Groups they were part of in bulk.
Alternatively, you can replace the Owner using Microsoft Teams Admin Centre.
To do so:
There are also PowerShell scripts you can run to replace Owners in multiple Teams in bulk.
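A sketch of the bulk replacement mentioned above, for both the Groups and the Teams admin paths, written as an added example rather than any script the blog refers to. The function name Set-TeamOwnerSuccessor, the DemoteOldOwner switch and the two addresses are hypothetical; the successor is added before the old Owner loses the role so a Team is never left ownerless in between.

```powershell
# Added example. The function name, its switch and the UPNs at the bottom are
# hypothetical; Get-Team, Get-TeamUser, Add-TeamUser and Remove-TeamUser come
# from the MicrosoftTeams module.
function Set-TeamOwnerSuccessor {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OldOwner,   # UPN of the Owner being replaced
        [Parameter(Mandatory)][string]$NewOwner,   # UPN of the successor
        [switch]$DemoteOldOwner                    # also strip the old Owner's role
    )
    # Get-Team -User returns every Team the user belongs to, Owner or not.
    foreach ($team in Get-Team -User $OldOwner) {
        $owners = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
        if ($owners.User -notcontains $OldOwner) { continue }   # plain member here

        # Add the successor first so the Team always keeps at least one Owner.
        if ($owners.User -notcontains $NewOwner -and
            $PSCmdlet.ShouldProcess($team.DisplayName, "Add $NewOwner as Owner")) {
            Add-TeamUser -GroupId $team.GroupId -User $NewOwner -Role Owner
        }
        # With -Role Owner, Remove-TeamUser removes only the Owner role;
        # the user stays in the Team as a member.
        if ($DemoteOldOwner -and
            $PSCmdlet.ShouldProcess($team.DisplayName, "Remove Owner role from $OldOwner")) {
            Remove-TeamUser -GroupId $team.GroupId -User $OldOwner -Role Owner
        }
        # Emit one record per Team that was in scope, for the change log.
        [pscustomobject]@{ Team = $team.DisplayName; GroupId = $team.GroupId }
    }
}

Connect-MicrosoftTeams | Out-Null
# Dry run first: -WhatIf lists the intended changes without applying them.
Set-TeamOwnerSuccessor -OldOwner 'leaver@contoso.example' `
    -NewOwner 'successor@contoso.example' -DemoteOldOwner -WhatIf
```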
All this sounds like a lot of work, doesn’t it? Good news – there are steps you can take to avoid these issues in the future.
Regularly generate reports on Teams and Groups in your tenant that are without Owners or members. This way you can identify and take action at an early stage. Manual M365 reporting is a lot of work. In smaller organizations, it may work as it doesn't need to be done on the same scale as in larger organizations.
Using a third-party tool like Orchestry can save organizations with 1000+ members tens of thousands of dollars annually by reducing labor time.
Implementing controls and a repeatable process around Teams creation can help you prevent orphaned Teams and Groups from occurring. What does that mean?
Suppose you set a rule that a Team must have a certain number of Owners and Members before it can be created. That would ensure whoever creates the Team has to select at least one other member (or maybe more!) besides themselves.
Orchestry is a third-party tool that can help organizations with M365 governance, provisioning, and lifecycle management. With Orchestry, IT Admins can configure live M365 Teams templates with governance guardrails embedded. This means that creators will be required to add a minimum number of Owners and members at the Teams request stage.