How to Deal With Orphaned Microsoft Teams and Office 365 Groups 

The global pandemic in 2020 ensured that the shift to cloud and remote work happened much faster than predicted or planned by many companies. COVID-19 changed how we work and learn, and it is driving the development of the modern workplace more than ever. 

Microsoft Teams reached 115 million daily active users in 2020! Many companies enabled self-service to drive adoption and empower users to create teams, share, and collaborate as much they want.  

Now, the time has come to create governance policies for all these Microsoft Teams and users. Regardless of all the adoption practices, tenant admins need to ensure that collaboration remains secure and organizational data effectively managed. 

The most common and important recommendation for Microsoft Teams governance is that every team should have at least two active owners during all phases of the teams’ lifecycle. In this blog, we will explore why this is the case and how to keep control of your Microsoft Teams. 

Microsoft Teams Owners vs. Members vs. Guests

There are three types of users we can differentiate when it comes to Microsoft Teams membership:  

  • Owners – They can add and remove members and guests, change team settings, and are responsible for all administrative tasks. A person that creates a team is automatically assigned as an owner, and there can be up to 100 owners in one team. 
  • Members – Are people inside the team that can collaborate on content and participate in channel conversations. 
  • Guest users – Team members invited from outside your company, for example, external vendors or consultants. They have fewer capabilities than internal members but can still actively collaborate. Guests cannot be promoted to owners. 

It is essential to notice that team owners are the only ones who can: 

  • Add or remove new owners, members, and guests 
  • Edit or delete a team 
  • See private channels and delete them (they can see content only if they are members of the channel) 
  • Set team’s permissions for channels, tabs, and connectors 
  • Change team settings such as privacy type 
  • Add, delete, and organize apps within the team and determine if members can do the same 
  • Renew, archive, or restore a team 

Office 365 roles

Image Source: Microsoft 

What Happens with Teams without Owners? 

If a team ends up ownerless, no one is left to ensure the security of data collaboration and proper membership management. However, the good thing is that the team is still accessible to all members to continue collaborating, chatting, and using files. 

Owners are the only ones that can change teams’ settings, manage lifecycle (archive or delete a team), and receive notifications for reaching the storage quota thresholds. If the team reaches its storage quota, it goes to read-only mode, leaving all other members locked out. 

Most importantly, there will be no one to manage and remove inactive and unnecessary guests or external users. No team member would be able to perform any of these actions and would need help from IT or tenant administrators for any further management. 

How Do Orphaned Teams Appear? 

Orphaned teams are the ones that no longer have any active owners, otherwise called ownerless teams. This includes Teams whose owners have been blocked from signing into the Microsoft 365 tenant as well. 

Microsoft did an excellent job, ensuring that you could not create a new team without assigning at least one owner. The person that makes the team is automatically added as the first owner. The same security mechanism has been integrated if the only owner tries to leave the team without assigning a new owner first. 

Unfortunately, there are some situations when a team can become ownerless, regardless of the before mentioned safety mechanisms. The most common scenario is when a person assigned as the sole owner of the team leaves the organization and their account gets disabled or deleted in Azure Active Directory

The biggest problem will occur for the private teams as no one will be able to leave or join the team until the tenant admin takes over control. Of course, leaving this up to tenant admins burdens them with unnecessary tasks in the long-term, and it is not a recommended way to go. Owners know best what content should be stored there, who should access it, and collaborate on it.

Owners should be the ones who take full responsibility for their teams and are an essential part of an organization’s Microsoft 365 governance. 

Best Practices for Ownerless Teams 

The best way to avoid orphaned teams in the first place is to always have at least two active owners, so even if one of them leaves for any reason, your team continues to function normally.  

Teams without owners represent a security risk and can directly impact the productivity of other team members. As there are no active owners to administrate, no one is responsible for the content stored and shared inside that team. Most importantly, no one can remove or add members required for seamless collaboration. 

Regularly checking for orphaned teams and enforcing at least two active owners for every team needs to become a part of your regular governance policies implemented on the organizational level. 

What About Orphaned Microsoft 365 Groups? 

Microsoft Teams and Microsoft 365 Groups are tightly connected. You can apply all the recommendations we mentioned in this article to Microsoft 365 groups, as well. 

Always have at least two active group owners, and make sure that ownerless Microsoft 365 groups are timely managed. 

Read more about the touchpoints and differences of Microsoft Teams and Groups in our previous articles. 

How to find all Orphaned Teams and Microsoft 365 Groups? 

There is no straightforward way in Microsoft 365 to discover all orphaned teams or teams with less than two active owners. The information is there, but you will need to work for it. Here is how to do it:  

Admin Center 

Using the Teams admin center, you can easily explore and see how many owners your teams have. If a team has no owners, you will notice a 0 with the report grid’s exclamation point. In the same manner, you can find all teams with only one active owner. 

One active owner

This is quite a straightforward method if you are dealing with a smaller number of teams, but for a larger number of teams, this represents a lot of manual work as there is no sort of filtering option in this report. Also, this is not a one-time job; your Microsoft 365 environment is constantly changing, meaning that you need to review teams regularly and check whether new ownerless teams have appeared. 

Also, keep in mind that this method will show only the teams where their owner is missing entirely, probably because it is deleted from the Azure Active Directory. It will not detect owners who are blocked from signing in to M365. If you wish to detect owners whose login has been blocked in your Azure Active Directory, you will need to manually check each owner’s status, losing hours of work on this task. 

Admin center

To assign new owners, drill to each ownerless team to add new owners or promote existing members. The main challenge is knowing who should be a new owner. Business users have the best operational knowledge, and tenant admins require their input into this matter.  

As for Microsoft 365 Groups without owners, the situation is even worse. There is no centralized interface to find details on the members’ and owners’ count per group. You can use either Azure Active Directory or the Microsoft 365 admin center to list all the groups. Still, you will need to manually open each group to see the owners’ count and check if they are still active in Azure Active Directory. 

Azure groups

 

Using PowerShell Scripts 

PowerShell is a very powerful weapon for creating detailed reports. You can find many different approaches online, one of which is using Exchange Online PowerShell. Once connected, all you have to do is run the Get-Unified group cmdlet and check the ManagedBy property. Here is an example of how to get all Microsoft 365 Groups without any owners:  

Get-UnifiedGroup | Where-Object {-Not $_.ManagedBy}

Once you have the list of teams that do not have any owners, you have to figure out who to assign as the new owner. To add a new owner, use the Add-UnifiedGroupLinks cmdlet inside Exchange Online PowerShell.  

Also, here is a great article from Petri where you can find complete scripts to report on and manage ownerless teams.

Keep in mind that you need to have global admin privileges or be the Teams and Groups service admin to run PowerShell scripts for all your teams and groups. 

Of course, not everyone feels comfortable writing a script or even using a finished script from the internet, as they may represent a security issue and additional maintenance. If you are one of those people, 3rd party vendors can help you deal with these concerns. 

SysKit Point 

SysKit Point is an Office 365 governance tool that helps you manage and govern your Microsoft 365 tenant. Using SysKit Point, you can easily discover what is being created in your environment, report on who has access to what, audit user activities, and, amongst all other things, proactively manage orphaned Microsoft 365 Groups and Microsoft Teams

Not only is SysKit Point a swiss-knife for tenant admins and IT teams, but you can also use SysKit Point to delegate the responsibility to your Microsoft 365 group and team owners without losing control and visibility in your environment. 

Dashboard 

Using a centralized Point dashboard, you can track growth trends and sharing, and pinpoint resources that need your attention. This includes orphaned groups and teams.

Point dashboard - find orphaned teams and groups

Report on Orphaned Resources 

Use the Orphaned Resources report to discover all Microsoft 365 teams and groups without active owners in two simple steps. Navigate to Reports, select Orphaned Resources, and SysKit Point will provide you with a detailed list of resources that require a new owner, including both Microsoft Teams and Microsoft 365 Groups.

Orphaned teams and groups report

It will show both resources whose owner has been deleted or blocked from signing into Azure Active Directory. Using the same interface, easily assign a new owner or multiple owners. 

Add new owners to orphaned teams and groups

Subscribe to Regular Updates 

If you do not want to manually check which teams and groups require your attention, subscribe to this report, and receive it on a daily, weekly, or monthly recurrence to your inbox. 

Automation 

Our team is already working on delivering governance automation to enforce recommended ownership policies for Microsoft 365 groups and teams. SysKit Point will regularly check for resources with less than two active owners and send tasks to the remaining owners to assign another one. If Point detects a resource without the owner, a tenant admin will have to assign one. 

This way, you are preventing ownerless teams from happening. As soon as one owner leaves the team, the other owner will be asked to choose a new one. By delegating these kinds of tasks to the business users, you empower them to participate in organizational governance and, at the same time, free some time for tenant admins to deal with top priority tasks. 

If you find this interesting and would like to see more of SysKit Point, join our early access program to work closely with our teams on Office 365 best practices. Your input and experience will help us deliver better products to help you optimize Microsoft 365 groups and teams governance! 

Want to read more posts from us? Subscribe to our blog and stay updated!

Office 365 EAP

Subscribe to the SysKit Blog

Get more product guides, webinar transcripts, and news from the Office 365 and SharePoint world!