Regaining Control: How to Secure and Optimize Your Out-of-Control M365 Tenant

Is your Microsoft 365 tenant spiraling out of control? You're not alone. As organizations grow, M365 environments often become cluttered with orphaned workspaces, inactive Teams, and storage bloat—creating security risks, compliance gaps, and unnecessary costs. This blog series explores how Audit's new reporting capabilities help you identify and remediate these issues.

What happens when the only owner of a critical Teams workspace leaves your company? That workspace becomes orphaned—and a potential security liability.

Key Points: 

1. The Problem: Workspaces with no owners, disabled owners, or unlicensed owners create security vulnerabilities and compliance risks 
2. The Risk: No one to manage permissions, approve access requests, or respond to security incidents 
3. The Solution: Audit's Orphaned Workspaces Report identifies: 
4. 1. Workspaces with zero owners 
   2. Workspaces where all owners are disabled or unlicensed 
   3. Workspace type (Teams, Site Collections, etc.) 
   4. Current owner status 
5. The Action: Quickly assign new owners to prevent unauthorized access and ensure accountability 
6. The Benefit: Close security gaps, maintain compliance, and ensure every workspace has proper governance 

When a workspace owner leaves your organization or has their license revoked, something dangerous happens: their Teams sites, SharePoint collections, and Microsoft 365 Groups don't disappear with them. These orphaned workspaces continue to exist, often containing sensitive data, but with no one responsible for managing access, responding to security incidents, or maintaining compliance controls. According to Microsoft's own security guidance, orphaned resources represent one of the most overlooked attack vectors in enterprise cloud environments. Without an active owner, there's no one to approve or deny access requests, no one monitoring for suspicious activity, and no accountability when auditors come asking who's responsible for the data. 

The challenge for IT leaders is that orphaned workspaces are nearly impossible to identify at scale using native Microsoft 365 admin tools. You can manually check individual sites, but in an enterprise with hundreds or thousands of workspaces, this approach is impractical. Many organizations only discover orphaned workspaces during security incidents or compliance audits, when it's already too late. The alternative is building custom PowerShell scripts that query the Microsoft Graph API, but this requires specialized development resources, ongoing maintenance as Microsoft's APIs evolve, and significant time investment. Even then, these scripts often miss edge cases like owners who are disabled but not deleted, or owners who have lost their licenses but remain in the directory. 

The new Orphaned Workspaces Report, in Audit, directly addresses this problem. The report runs tenant-wide and automatically identifies any workspace where there are no owners, or where all owners are either disabled or unlicensed. For each orphaned workspace, you'll see the workspace name, type, and the owner status, showing whether they're disabled or unlicensed. This information is delivered in a single, exportable report that you can immediately action. 

The real value becomes clear when you consider the remediation process. Once you've identified orphaned workspaces, you can quickly assign new owners to restore proper governance, archive workspaces that are no longer needed, or escalate high-risk orphaned sites containing sensitive data for immediate review. For IT leaders managing compliance frameworks like SOC 2, ISO 27001, or industry-specific regulations, the ability to prove that no workspaces exist without responsible owners is essential. The Orphaned Workspaces Report transforms what would be a long manual audit into a task you can complete in minutes.