The topic of orphaned and ownerless Groups and Microsoft Teams is particularly of interest in the wake of recent mass layoffs and downsizing.
Our blog will take you on a journey, by the end of which you will be equipped with the knowledge of best practices for identifying and effectively dealing with orphaned Microsoft Teams and Groups and potentially even preventing them from occurring in the future. Are you ready?
What are orphaned Microsoft Teams/Groups?
In a nutshell, orphaned Microsoft Teams and Groups are those that don’t have an assigned or active Owner. This also includes Teams and Groups whose Owner has been blocked from signing into your organization’s Microsoft 365 tenant.
And lastly, Groups that have no members are also considered orphaned.
Since every Team is backed by a Microsoft 365 Group and takes its membership and ownership from it, when a Group becomes ownerless, so does the associated Team.
How do they become orphaned?
Microsoft has some pretty great failsafe mechanisms in place to ensure that no Team is left without an Owner. When a new Microsoft Team is created, a new Microsoft Group is created as well, and whoever created it automatically becomes the Owner. When the Owner tries to leave the Team and they are the sole Owner of the Team, they will be prompted to assign a new Owner.
That said, there are still a few scenarios that lead to a Team becoming an orphan.
Owner leaves the organization
This is the most straightforward case – an employee leaves your company and their account gets disabled or deleted in Azure Active Directory.
Moving to a different role/department/on leave
This is a more difficult scenario to deal with – the Owner of the team is promoted to a different role or even a department, or, perhaps goes on long-term leave, and although they are still listed as a Team Owner, they are not actively participating in the management of the Team.
Accidental deletion or blocked sign-in
Technical issues do happen, and user accounts can be deleted or blocked by mistake. For example, an administrator might delete the wrong user account while performing another task in the Azure portal, or a change to directory synchronization scope (Azure AD Connect filtering, for instance) might drop accounts that are still in use. Users can also end up blocked from signing into the M365 tenant because a sign-in block was applied to their account in error. In all of these cases the Team still lists an Owner, but that Owner can no longer act.
Are there any risks with orphaned Teams/Groups?
Orphaned Teams and Groups may not seem like a big deal at first sight. Without a Team Owner, members of the Team can still collaborate, chat, share, and access documents. That said, when you know what Owners are responsible for, the threats and risks become a lot more apparent.
What do Owners do within a Team?
The Owner of a Microsoft Teams team is responsible for several important tasks, which include:
- Managing team membership: The Owner is responsible for adding and removing team members and Guests, as well as promoting members to Owner or demoting them back to Member.
- Setting team policies and permissions: The Owner controls team-level settings such as whether members can create, edit, and delete channels, add tabs and connectors, and @mention the team, as well as Guest permissions and messaging options such as editing and deleting sent messages.
- Managing the Team’s lifecycle: The Owner can edit, delete, renew, archive, or restore a Team.
- Monitoring team activity: The Owner should stay up-to-date on what’s happening within the team, such as new messages and files, and be able to address any issues that arise.
- Maintaining team data: The Owner is responsible for managing the team’s data and ensuring that it is secure and in compliance with relevant regulations.
- Ensuring team compliance: The Owner is responsible for ensuring that the team follows any applicable laws, regulations, and organizational policies.
- Promoting collaboration: The Owner should encourage team members to collaborate effectively and make the most of the team’s resources.
These are some very important responsibilities, all of which are completely unattended to when a Team has no Owner or an inactive Owner.
Public Teams are visible to everyone in the organization and can be joined from the Teams gallery without approval. Private Teams, on the other hand, can only be joined when an Owner adds the person or approves their request. Members can leave a Private Team on their own, but nobody can add new members, remove existing ones, or change team settings until a tenant administrator steps in. So, in the case of an orphaned Team, the membership is frozen in place. Which, of course, adds extra work to administrators’ already overloaded plates.
The largest security risk lies with Guests. Guests are added and removed by Owners, so when there is no Owner (or no Owner who can sign in) nobody at the Team level can remove them. They remain in the Team indefinitely, often long after the engagement that justified their access has ended, and keep access to every standard channel, the conversation history, and the files in the Team’s SharePoint site. That is a textbook case of stale external access, and the longer it goes unreviewed the bigger the exposure.
This may sound dramatic, but since Team Owners are responsible for the effective usage of Teams, monitoring their activity, ensuring compliance, and promoting collaboration, without an Owner things are bound to start drifting out of control.
How to find orphaned Teams/Groups?
So, we’ve established that orphaned Teams are undesirable. Now what? This is where active monitoring for orphaned Teams comes in, backed by a process that tracks cross-departmental moves, promotions, and leaves so that Owners who are still in the directory but no longer engaged are caught as well.
There are a few ways M365 admins can go about locating orphaned Teams.
Teams Admin Center
The Teams admin Centre shows you the full list of Teams within your tenant, along with the numbers of standard and private channels, members, Owners, and Guests. When a Team doesn’t have an Owner, you will see a 0 in that column with a warning sign next to it.
This is probably the easiest, but also the least effective way of finding orphaned Teams. If you have 50-100 Teams, it may be manageable, but in larger organizations with hundreds or thousands of Teams, it simply won’t scale.
Another downside is that the Teams Admin Center only flags Teams with absolutely no Owners. In the cases where a Team Owner is blocked from signing into M365, or is simply inactive, the Admin Center won’t be much help. You would need to go through each Owner and check their account status one by one, losing endless hours.
Using PowerShell scripts
The Get-TeamUser cmdlet lists the users in a team together with their role; passing -Role Owner returns only the Owners, so an empty result means the team has none. To produce a list of teams without Owners, enumerate every team with Get-Team, call Get-TeamUser for each, and keep the ones whose Owner list comes back empty.
There are PowerShell scripts available out there that produce exactly this kind of orphaned-Teams report.
You will need to automate the script to run regularly using Windows Task Scheduler, to stay on top of the orphaned Teams.
But, just like with the Teams Admin Center, this script won’t surface any Teams whose Owners can’t sign in or are no longer taking an active role in managing the Team.
To locate inactive Team Owners who are blocked from signing into M365, you will need to go through each Team Owner in your Azure Active Directory first to check their status. Then, you will need to identify all Teams they are Owners of.
In the cases of cross-departmental moves, promotions, or leaves, you’ll need to first identify those Owners (HR or the line manager is usually the source for this, since nothing in the directory changes) and then locate all Teams they are Owners of using yet another PowerShell script (or a combination of them).
Such a script first gets all the teams using the Get-Team cmdlet, then loops through each team to get its users using the Get-TeamUser cmdlet, filtering the results to Owners only. It then checks whether the Owners include the specific person and, if so, adds the team name to an array such as $teamsWithSpecificOwner.
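The following is an added example and not code from the original post. It folds the three checks described in this section into one report: Teams with no Owner at all (what the admin center shows), Teams whose Owners are all blocked from signing in or no longer exist in Azure AD, and Teams owned by one specific person who has moved on. It assumes the MicrosoftTeams and Microsoft.Graph.Users modules are installed, that the signed-in account is a Teams administrator with User.Read.All consent, and that jane.doe@contoso.com is a placeholder for the departed Owner.

```powershell
# Added example, not code from the original post. Builds one orphan report that
# covers the three cases discussed above: Teams with no Owner at all, Teams whose
# Owners are all blocked from signing in, and Teams owned by one specific person.
# Assumes the MicrosoftTeams and Microsoft.Graph.Users modules are installed and the
# signed-in account is a Teams administrator with User.Read.All consent.
#   Install-Module MicrosoftTeams, Microsoft.Graph.Users -Scope CurrentUser
Connect-MicrosoftTeams | Out-Null
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

# Hypothetical UPN of an Owner who has changed roles or gone on leave.
$DepartedOwner = 'jane.doe@contoso.com'

$report = foreach ($team in Get-Team) {
    # Get-TeamUser -Role filters on the Teams role, so the three lists are disjoint.
    $owners  = @(Get-TeamUser -GroupId $team.GroupId -Role Owner)
    $members = @(Get-TeamUser -GroupId $team.GroupId -Role Member)
    $guests  = @(Get-TeamUser -GroupId $team.GroupId -Role Guest)

    # Strictly ownerless: this is all the Teams admin center flags.
    $noOwner = ($owners.Count -eq 0)

    # Effectively ownerless: every Owner is sign-in blocked (AccountEnabled = false)
    # or the account no longer exists, in which case Get-MgUser throws.
    $enabledOwners = @(foreach ($o in $owners) {
        try {
            $u = Get-MgUser -UserId $o.UserId -Property Id,AccountEnabled -ErrorAction Stop
            if ($u.AccountEnabled) { $o }
        } catch { }
    })
    $allOwnersBlocked = (-not $noOwner) -and ($enabledOwners.Count -eq 0)

    [pscustomobject]@{
        TeamName         = $team.DisplayName
        GroupId          = $team.GroupId
        Visibility       = $team.Visibility
        Archived         = $team.Archived
        Owners           = $owners.Count
        EnabledOwners    = $enabledOwners.Count
        Members          = $members.Count
        Guests           = $guests.Count
        NoOwner          = $noOwner
        AllOwnersBlocked = $allOwnersBlocked
        # Memberless in the sense used in this post: nobody besides the Owners.
        NoMembers        = (($members.Count + $guests.Count) -eq 0)
        # The $teamsWithSpecificOwner case: Get-TeamUser's User property is the UPN.
        OwnedByDeparted  = ($owners.User -contains $DepartedOwner)
        # The risk called out above: Guests that nobody at the Team level can remove.
        UnmanagedGuests  = ($guests.Count -gt 0) -and ($noOwner -or $allOwnersBlocked)
    }
}

# Orphans first, Guest exposure at the top; the full report goes to CSV so a
# Task Scheduler run can be compared week over week.
$orphans = $report | Where-Object { $_.NoOwner -or $_.AllOwnersBlocked -or $_.NoMembers }
$orphans | Sort-Object UnmanagedGuests, Guests -Descending |
    Format-Table TeamName, Owners, EnabledOwners, Members, Guests, UnmanagedGuests -AutoSize

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$report | Export-Csv -Path ".\TeamOwnerReport-$stamp.csv" -NoTypeInformation
$report | Where-Object OwnedByDeparted |
    Export-Csv -Path ".\TeamsOwnedBy-$($DepartedOwner.Split('@')[0])-$stamp.csv" -NoTypeInformation
```

Two caveats when running this at scale: it makes three Get-TeamUser calls per Team plus one Get-MgUser per Owner, so a tenant with thousands of Teams will take a while and should run from a scheduled task rather than interactively; and the AccountEnabled check only catches Owners who are blocked or deleted. An Owner who has moved departments or is on leave looks perfectly healthy in the directory, which is why the $DepartedOwner path still depends on someone telling IT who has moved.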
Needless to say, IT admins’ responsibilities in the modern hybrid workplace go way beyond managing M365 day in and day out. Every business strives for automation and for removing technical debt where possible, to free up time for innovation, operational and security improvements, and digital transformation. Many will agree that reviewing Teams to identify orphaned and ownerless Teams is not the best use of IT admins’ time: it requires a particular skill set and a whole lot of time and resources, which they never have enough of.
This is where third-party M365 administration tools like Orchestry come in.
Orchestry offers a powerful visual dashboard that presents insights into the M365 tenant, among which Orchestry users can find the number and the full list of all orphaned Teams and Groups, at any given time without having to run a single line of code.
What’s even more impressive is that with a tool like Orchestry, admins can easily filter through all Teams, SharePoint sites, and Groups that specific team members are part of. So if a Team Owner has gone on leave, or has moved departments, finding Teams they are part of and replacing them with another Owner is a quick and easy job.
Lastly, if you want to really dig into the data and find memberless Groups and Teams, Orchestry’s Owners/Members/Guests insights can be filtered to show every Team that has no members in it.
What to do with orphaned Teams/Groups?
Finding orphaned Teams and Groups is only half the battle. Once you’ve located them, you need to evaluate why they have lost their Owner and make a decision on how to proceed.
Review the team/Group and their purpose
Many organizations have gone through a phase of rapid cloud technology adoption. During this phase, members of the organization have naturally gone through a bit of “test and fail”, which means there are likely tons of Teams and Groups within your tenant that were created by mistake, to try things out, or have already served their purpose and need to be decommissioned.
Now, having a ton of Teams in your tenant that have no Owners and are not serving a purpose is another topic of discussion – and it’s called Microsoft Teams sprawl. If you’re curious to know how to audit your tenant to see whether your tenant, indeed, is sprawling out of control, read this article.
The first step in figuring out what to do with an orphaned Team and Group is to identify whether it still needs to exist.
Scenario 1: Archive or delete
If the Team no longer serves its purpose and doesn’t have an Owner, it’s time to archive or delete it.
Since there is no Owner, the M365 Admin will need to do this.
To archive a Team:
- In the Teams Admin Center, select Teams.
- Select a team by clicking the team name.
- Select Archive. The following message will appear.
- To prevent people from editing the content in the SharePoint site and Wiki tab associated with the team, select Make the SharePoint site read-only for team members.
To delete a Team:
- In the Teams Admin Center, select Teams.
- Select a team by clicking the team name.
- Select Delete. A confirmation message will appear.
- Select Delete to confirm. Deleting the team also deletes its Microsoft 365 Group and the associated SharePoint site; the Group is soft-deleted and can be restored by an administrator for 30 days, after which it is gone for good.
Scenario 2: Assign a new owner
If the Team is very much alive and well, but has no Owner or needs a new, active Owner, the M365 Admin will need to assign a new Owner or promote a current Team member to an Owner Status.
You can do this on a one-by-one basis either within the Microsoft Group by following the steps:
- Sign in to the Microsoft 365 admin center with an account that has administrator privileges. In the navigation pane on the left, expand Teams & groups and select Active teams & groups.
- Find and select the group to which you need to assign a new Owner.
- In the Owner section, click Edit.
- In the View Owners dialog box, select Add Owners.
- Add a new Owner. Better still, add two or more, which is the simplest way to avoid the same situation happening again.
You can also use PowerShell to replace Owners in multiple Groups they were part of in bulk.
Alternatively, you can replace the Owner using the Microsoft Teams Admin Center.
To do so:
- In the Teams Admin Center, expand Teams and select Manage teams.
- Select the team name under the display name column.
- In the Members tab, you can add or remove members and switch a member’s role between Member and Owner.
There are also Powershell scripts you can run to replace Owners in multiple Teams in bulk.
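The following is an added example, not code from the original post or from Orchestry. It applies the two scenarios above in bulk from a reviewed list: for Teams that should live on, it promotes a replacement Owner and then removes the departed one; for the rest, it archives or deletes. The CSV layout, the Team names and GroupIds, and the contoso.com accounts are hypothetical and constructed for the example; it assumes the MicrosoftTeams module and a Teams administrator account.

```powershell
# Added example, not code from the original post. Applies reviewers' decisions to
# orphaned Teams in bulk: promote a replacement Owner (and drop the departed one),
# archive, or delete. Assumes the MicrosoftTeams module and a Teams administrator
# account; the CSV columns are a hypothetical layout chosen for this example.
Connect-MicrosoftTeams | Out-Null

# Print the plan first; set to $false only after the printed plan has been reviewed.
$DryRun = $true

# Constructed sample decisions; in practice use Import-Csv on the reviewed report.
$decisions = @'
GroupId,TeamName,Action,NewOwner,OldOwner
11111111-1111-1111-1111-111111111111,Project Phoenix,Reassign,alex.lee@contoso.com,jane.doe@contoso.com
22222222-2222-2222-2222-222222222222,Test Team 2021,Archive,,
33333333-3333-3333-3333-333333333333,Trial - delete me,Delete,,
'@ | ConvertFrom-Csv

foreach ($d in $decisions) {
    switch ($d.Action) {
        'Reassign' {
            if (-not $d.NewOwner) { Write-Warning "$($d.TeamName): Reassign needs a NewOwner"; break }
            Write-Host "[$($d.TeamName)] promote $($d.NewOwner) to Owner"
            if (-not $DryRun) {
                # Add the replacement first so the Team is never left without an Owner.
                # Add-TeamUser -Role Owner also adds the user as a member if needed.
                Add-TeamUser -GroupId $d.GroupId -User $d.NewOwner -Role Owner
            }
            if ($d.OldOwner) {
                Write-Host "[$($d.TeamName)] remove departed Owner $($d.OldOwner)"
                if (-not $DryRun) {
                    # Without -Role this removes the user entirely; with -Role Owner it
                    # would only demote them to Member. If the account has already been
                    # deleted the call fails, which is harmless here.
                    Remove-TeamUser -GroupId $d.GroupId -User $d.OldOwner -ErrorAction SilentlyContinue
                }
            }
        }
        'Archive' {
            Write-Host "[$($d.TeamName)] archive (SharePoint site read-only for members)"
            if (-not $DryRun) {
                Set-TeamArchivedState -GroupId $d.GroupId -Archived:$true -SetSpoSiteReadOnlyForMembers:$true
            }
        }
        'Delete' {
            Write-Host "[$($d.TeamName)] delete (Group is soft-deleted, restorable for 30 days)"
            if (-not $DryRun) { Remove-Team -GroupId $d.GroupId }
        }
        default { Write-Warning "$($d.TeamName): unknown action '$($d.Action)', skipped" }
    }
}
```

Run it once with $DryRun left at $true and check the printed plan against the review sheet before flipping it, and keep the input CSV with the run output: it is the record of who decided what about each Team, which is exactly the kind of evidence an auditor asks for after a cleanup.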
How to reduce orphaned Teams/Groups in the future?
All this sounds like a lot of work, doesn’t it? Good news – there are steps you can take to avoid these issues in the future.
By regularly reporting on orphaned and ownerless Teams and Groups in your tenant, you can intercept problems early and make the right decisions on how to proceed. Manual reporting is, indeed, a lot of work, but in smaller organizations it may do the trick, since it does not have to be done as often or at the scale larger organizations see.
In organizations with even 1000 members and 600 Teams, the labor savings alone that a third-party tool like Orchestry brings can run into tens of thousands of dollars annually.
Implementing controls and a repeatable process around Teams creation can help you prevent orphaned Teams and Groups from occurring. What does that mean? Let’s say, you were able to enforce a minimum number of Owners and Members a Team has to have assigned before it is created. That would ensure whoever creates the Team has to select at least another member (or maybe more!) apart from them.
With a third-party governance, provisioning, and lifecycle management tool like Orchestry, your organization’s IT Admins can configure live M365 Teams templates with governance guardrails that require creators to add a minimum number of Owners and members at the Teams request stage. These templates are then made available for everyone within the organization and they are forced (without ever having to read your governance policies) to add multiple Owners and Members to the Team before it’s provisioned to them to use.
If you’re curious about what this Teams provisioning process looks like from the end-user perspective, we have an article you may find very interesting.
To see what other controls IT Admins can have, and what other governance guardrails they can apply to Teams templates, check out this article.
Want more insights like this one?
For more Microsoft 365, SharePoint Online, and Teams insights, tips and tricks, best practices, and exclusive events delivered straight to your inbox, join our mailing list today and level up your Microsoft 365 game!