Tag Archives: Ownerless groups

Dealing with Ownerless Groups in large Microsoft 365 environments

1 Reply

Microsoft 365 groups is a key concept in today’s collaboration landscape that includes Microsoft Teams, Viva Engage, SharePoint etc. Access to resources is organized via groups. It is essential that every Microsoft 365 group has an owner (owners) so we have somebody to enforce Collaboration governance through.

Scenario

Let say you administer a large Microsoft 365 environment (e.g. ~100k+ users and/or ~50K+ sites) and after some years you have a lot of ownerless groups and sites (around 5k probably), and a lot of inactive groups and sites (maybe 15k). You are getting more and more ownerless groups – dozens each week. You are thinking of stopping bleeding and cleaning this up…

Out-of-the-box we have Microsoft 365 groups expiration policy and Microsoft 365 ownerless groups policy. You might also have some 3-rd party tools implemented – e.g. ShareGate, SysKit Point.

If you do not care – you might just activate both OotB Microsoft policies – via GUI – they are simple to activate. But once you activated policies – they will trigger thousands of emails. Now imagine a person is getting dozens of emails asking him/her to be an owner or to renew the group that probably he/she has no idea about… What will happen next? People will probably ignore these alerts. Then? Groups and sites will be automatically deleted. And then? Right, there will be a huge noise and many angry users and high-priority tickets and you will have to restore sites/teams and finally you’ll have to deal with all that mess manually.

So, what is the right way to clean-up a large Microsoft 365 environment from ownerless and inactive teams, groups sites? Not a trivial question, hah?

Solution

Disclaimer: I’m sharing here my personal opinion with no obligations or warranty etc., so you’d dig into all the technologies used and based on your particular situation build your own plan. But my personal opinion is based on my 15+ years experience with SharePoint, including really large environments.

Note: It is always a good idea to discuss your plans with you org’s communication team and helpdesk/service-desk to adjust clean-up activities with other initiatives and let other people be prepared.

High-level steps for group-based Sites:

  • consider implementing Minimum 2 owners per group policy to stop bleeding. Currently Microsoft 365 does not have such functionality, so consider 3-rd party tool like SysKit Point or custom PowerShell script that sends notifications
    • apply this policy to groups where you already have 2+ owners – it’ll be safe
    • apply this policy to all other groups by chanks
  • consider custom PowerShell clean-up, e.g. you can simply delete groups with no owners and no members and/or inactive groups with no content and/or groups that are inactive for a long time (this must be aligned with business and legal)
  • implement Microsoft’s Ownerless groups policy in “Clean-Up” configuration; there are some tricks and gotchas worth a separate post, but in short
    • avoid scoping down this policy via people (security groups)
    • implement it for all groups all users with 6-7 weeks and custom e-mail template
  • implement Microsoft groups expiration policy in “Clean-Up” configuration… again, there are a few different strategies – see this article
  • change Microsoft Ownerless groups policy configuration to a “Permanent” mode configuration set
  • (or) change Microsoft 365 groups expiration policy with a “Permanent” mode configuration
  • (or) develop and implement custom staged decommissioning process – kind of “last chance” set of scripts to discontinue groups that are still ownerless after all efforts above. Staged means we do not just delete these groups, but e.g. we can
    – rename ownerless groups
    – convert groups from public to private
    – set teams to archived mode
    – exclude sites from copilot search with “Restricted SharePoint Search” etc.
    – set site to no-access mode
    – remove members from the group
    – and finally delete the group with connected team team and site
    I have a separate article on custom staged decommissioning process

Note: There will always be ownerless groups in large environment. We have to live with it. So all steps above – think of it as a processes – we’d need to do it on regular basis.

All above was mostly about group-based sites (as we have OotB Microsoft policies for groups), but we probably have the same problem (or even worth) with standalone sites (that would be a separate topic).

SharePoint Inactive Site Policies

Recently (2024-2025) Microsoft developed SharePoint Advanced Management set of features and offers it as an add-on to SharePoint (aka SharePoint premium). SAM includes Inactive Site Policies under Site lifecycle management. This policy can work not only against group-based sites, but against all sites, including standalone sites. The other big difference is that this SharePoint Inactive Site Policy do not delete sites, but allows to set site to read-only mode and archive. See SharePoint Inactive Site Policies deep dive.

Microsoft 365 admin center: Manage ownerless Microsoft 365 groups and teams

1 Reply

There is a new feature published at Microsoft roadmap site:

Microsoft 365 admin center: Manage ownerless Microsoft 365 groups and teams

Teams, Outlook groups, Team Sites etc. powered by Microsoft 365 Groups supports two roles: members and owners. Members can collaborate with others in the group through files, emails, messages etc. Owners manage the group membership and monitor content and conversations. When employees leave an organization or switch projects internally, it results in their existing user accounts getting deleted. If such employees were group owners, keeping track of their groups becomes critical to ensure accountability within the organization. We have introduced a new ownership governance policy to help automate the management of ownerless groups by requesting active members to become owners of the group. Admins can define who is eligible for these notifications and configure what notifications and how often these notifications are sent to active group members. Users, who are members of the ownerless groups can simply accept or decline request via the actionable email message.

  • Feature ID: 180749
  • Added to roadmap: 10/10/2023
  • Last modified: 10/10/2023
  • Product(s): Microsoft 365 Admin Center
  • Cloud instance(s): GCC
  • Platform(s): Web
  • Release phase(s): General Availability


But based on the feature description – all looks exactly as what we already have for years as “Microsoft 365 ownerless groups policy” which you can configure under Microsoft 365 Admin Center -> Settings -> Org settings -> Microsoft 365 groups

More on Microsoft 365 ownerless groups

Massive Microsoft 365 groups update with PowerShell

1 Reply

What if you need to bulk update Microsoft 365 groups membership e.g. to add a group owner or member for tens of thousands m365 groups? Iterating through groups one-by-one is unproductive and could take days. Can we do it faster? Here is what I found.

In my case, it was Microsoft 365 ownerless groups policy implementation for large tenant… Skipping details – I needed to update ownership for 10,000 Microsoft 365 groups and I was looking for a best/fastest possible option maybe some kind of bulk update or with multiple threads. And I figured out that the fastest way is to use PnP.PowerShell that calls Microsoft Graph API but run it against list of groups with PowerShell parallel trick. Here is the sample PowerShell code:

$groups | ForEach-Object -Parallel {
    $owner = "newGroupOwnerUPN@contoso.com"
    Add-PnPMicrosoft365GroupOwner -Identity $_.Id -Users $owner
} -ThrottleLimit 50

That worked for me perfectly and it took ~8 seconds per 1,000 groups.

Ownerless groups and dependent channels

1 Reply

Here is the scenario:

There is a team (including SharePoint site) under Microsoft Teams. There are multiple channels under this team with types:
– standard channel
– shared channel
– private channel

A single group owner (team owner) leaves company and the team (group) becomes ownerless. Question: what will happen with private and shared channels?

A group (team) gets a new owner. Question: what will happen with private and shared channels?

“Microsoft Teams – Teams And Channels Service made you an owner of a channel”

TBP

Archiving SharePoint Sites

Leave a reply

What is archiving SharePoint sites and why we’d need it?

Disclaimer: Archival that was announced at Microsoft Inspire 2023 (Introducing Microsoft 365 Backup and Microsoft 365 Archive) is not what we are discussing here.
Though it might be considered as an option (as archived sites are still visible for admins but not visible for users), MS SharePoint Archive require additional licensing.

Scenario

You are in the process of cleaning-up large Microsoft 365 environment. You need to delete SharePoint sites (e.g. due to inactivity) but you cannot get confirmation from site owners (e.g. sites or groups are ownerless).

Deleted sites could be restored within 93 days of deletion if somebody rise a hand, but there is still a risk of possible loosing of important information, e.g. in case site is needed one a year. So you need to do clean-up but at the same time you want to decrease risks of loosing information.

So, you might want to do something with sites to engage users to volunteer to be site owner if they want to keep this site – e.g. prevents using the site the regular way and let users know that the site will be deleted etc., but do not actually delete site until it will be fully clear that site is not needed for anyone and can be safely deleted.

Let us call it “Staging” period. Depending on your org culture/rules/licensing etc. it might be 6 months, or 1 year or 5 years or more.

Approach options

generally, the options are (random order):

  • Set site to Read-Only mode
  • Set site to No-Access mode
  • Convert group from Public to Private
  • Remove access to the site (remove users from group)
  • Rename the site
  • Put a banner on a top bar with a message
  • Message to Teams or Yammer chat
  • Send e-mail to site members
  • Implement a Microsoft 365 ownerless groups policy

You might choose to set sites to read-only mode or even no-access mode. If so – users that are still need this site are loosing ability to work with site, but site is not deleted. Consider archiving as kind of scream-test phase before actual sites deletion.

If a user who needs this site would scream (rise a ticket to restore site) – you can trigger processes of
a) finding new owner for the site
b) excluding the site from clean-up process
c) actual restoring site to normal mode

There are some options to setup a site to Read-Only or NoAccess mode. Here is the PowerShell command:


$siteurl = "https://contoso.sharepoint.com/teams/Team-SO-B"
Get-PnPTenantSite -Identity $siteurl   | ft -a Url, LockState
Set-PnPTenantSite -Identity $siteurl -LockState ReadOnly
Get-PnPTenantSite -Identity $siteurl   | ft -a Url, LockState
Set-PnPTenantSite -Identity $siteurl -LockState NoAccess
Get-PnPTenantSite -Identity $siteurl   | ft -a Url, LockState
Set-PnPTenantSite -Identity $siteurl -LockState Unlock

The problem is what if the site is teams-connected or yammer-connected or just group-based. Here are some test results:

Services SharePoint site is connected to/Site StateRead-OnlyNoAccess
Outlook onlyN/AN/A
SharePoint and OutlookOutlook emails: OK
Outlook files: read-only experience; No options to upload or create document; Documents are open in read-only mode. “The file couldn`t be saved to group” error message when trying to save file to a group library.		Outlook emails: OK
Outlook files: empty screen; No error messages; Documents are not visible; “The file couldn`t be saved to group” error message when trying to save file to a group library.
SharePoint and Yammer
SharePoint, Teams and OutlookTeams chats: OK
Teams files: documents are open as read-only; No options to upload or create a new document
SharePoint: “This site is read-only at the administrator’s request.”
Teams chats: OK
Teams files: “403 FORBIDDEN” error message
SharePoint: “
This site can’t be reached
The webpage at https://contoso.sharepoint.com/teams/Team-STO-B might be temporarily down or it may have moved permanently to a new web address.
ERR_INVALID_RESPONSE”

So you can see – behavior is inconsistent – users can still chat in Teams and Yammer and consume SharePoint content (in case the site in read-only) or get error messages or not very meaningful results (in case the site is in NoAccess mode) – so it would be not clear for users that the site is gong to be decommissioned.

to be continued…

(WIP – Work in progress)

Ownerless resources in Microsoft 365 SharePoint

3 Replies

I have multiple publications on the subject – how to manage ownerless groups in Microsoft 365:

And 9 videos :

Here is the Introduction video and content covered in next videos:

Ownerless group policy configuration failed

1 Reply

If you are seeing “Ownerless group policy configuration failed” and “Please try again.” error message:

there might be some different reasons:

  1. Microsoft said it is (was) a know problem – it happens sometimes (timeout?), if you configured the policy properly and have enough permissions.
    So just go back one step and try again – all should be good.
  2. Sometimes “Ownerless group policy configuration failed. Failure in configuring ownerless groups policy” is a permissions issue
    SharePoint admin, Teams admin: cannot configure Ownerless Groups Policy
    Global admin: yes, can configure Ownerless Microsoft 365 Groups Policy.
    What is the minimum role required?
    According to a recent update of the Microsoft’s article – “A Global administrator can create a policy…”. In my experience – groups admin can also configure the policy

Note: Groups admin when configuring the policy can see warning message “You don’t have permissions to save changes”.
No worries 🙂 => You will be able to save changes 🙂

Video tutorial on the policy configuration (at around 5:00 you can see this error message):

Manage Microsoft 365 groups membership with PowerShell and Graph API

1 Reply

As SharePoint or Teams admin you manage Microsoft 365 groups (create, update, delete, manage membership etc.) having your admin role activated. I prefer PowerShell 7 and Microsoft.Graph PowerShell module, and I need an Azure registered app with “Group.ReadWrite.All” Microsoft Graph API delegated permission.

Some findings:

If a user was not a group member or group owner – and the user is added to the group members – this user will get notification “You’ve joined the <Group Name> group” via e-mail that comes from a group e-mail address.

When a user is added to the group owners (or elevated to group owner if user was a group member) – user does not get notification.

When a user was a group owner and now you are adding this user to the group members – user does not get notification.

All the actions are logged into Microsoft 365 audit log under your personal Id.

Script samples:

# This script is just a sample to demonstrate basic technique on getting, updating groups membership and deletion m365 groups with PowerShell and MS Graph
#
# please do not run this script as is, but update it based on your needs

# authentication with personal Id
#  app must have as minimum "Group.ReadWrite.All" Microsoft Graph API delegated permission
#  user must have SharePoint admin (or Teams admin) roles activated
Connect-MgGraph -ClientId $clientid -TenantId $tenantId 
Get-MgContext | Select-Object Scopes -ExpandProperty Scopes

# sample data
$groups = @()
$groups += [PSCustomObject]@{GroupId = '443d22ae-683a-4fe4-8875-7bd78227a026' }
$groups += [PSCustomObject]@{GroupId = 'e5805388-c18c-48c0-b42d-6223cf8f3d82' }

# Get Groups
foreach ($group in $groups) {
    Get-MgGroup -GroupId $group.GroupId
}

# add members to the group
$groupId = '443d22ae-683a-4fe4-8875-7bd78227a026'
$userId = 'df74e0d3-d78c-495b-b47a-549437d93cf7' # Adele
New-MgGroupMember -GroupId $groupId -DirectoryObjectId $userId

# add Owner to the group
$groupId = '443d22ae-683a-4fe4-8875-7bd78227a026'
$userId = 'eacd52fb-5ae0-45ec-9d17-5ded9a0b9756' # Megan
New-MgGroupOwner -GroupId $groupId -DirectoryObjectId $userId

# Delete group
$groupId = '443d22ae-683a-4fe4-8875-7bd78227a026'
Remove-MgGroup -GroupId $groupId

References

Microsoft 365 ownerless group policy to send more than 10,000 notifications

1 Reply

It is known that a single Microsoft Exchange account is not sending more than 10k emails per day.

It is also know that once activated – Microsoft 365 groups ownerless policy will be sending notifications for all groups in scope to specified number of group members within 24 hours.

The question is: what if there are more than 10,000 notifications to send (e.g. 4,000 ownerless groups and the policy is configured to send notification to 3 members per group – that gives us 12,000 notifications to send)? Would the policy send 10k notifications and the rest 2k notifications the next day?

I’m conducting an experiment. I created 10k groups in my lab tenant with one owner and 3 random members. Then I configured a policy that is sending notification to a 3 most active members (in this case – random members). And then I made all these groups ownerless by deleting the single owner Id from Azure AD (Microsoft Entra).

Here is what I got from users perspective:

useruser groups
number		got messages
day 1		got messages
day 2		got messages
total
1 Roger50121374
2 Dick50391349
3 Bob51083412
4 Bapu49081376
5 Stas49961437
6 David49591377
total10325

Here is what audit log says:

Events “OwnerlessGroupNotified” day 1: 4949
Events “OwnerlessGroupNotified” day 2: 95
Events “OwnerlessGroupNotified” total: 5044
Each event details says 3 members were notified.

It seems like groups are selected by policy in random order.

Massive E-mails sending was started 43 minutes after midnight UTC

“OwnerlessGroupNotified” were logged at the rate of
1925 events during 1-st hour,
2029 events during 2-nd hour,
785 events during 3-rd hour,
176 events during 4-th hour,
26 events during 5-24 th hour,
95 events during next 25-48 hours
so max rate was one event every 3 seconds in the beginning (or 1 e-mail per second) …

TBC…

Ownerless Microsoft 365 groups policy staged implementation in large environments

4 Replies

Usually, a Microsoft 365 group can be created by anyone in your organization as part of creating a Team, a Yammer community, an Outlook group, a SharePoint site, etc. If the group owner leaves the company and the account gets deleted, the group becomes ownerless.

It would be a nightmare to reach out to ownerless group members one by one, trying to figure out who is the actual data owner and who should become the group owner. So we need some kind of automated solution.

There is a Microsoft ownerless groups policy that detects ownerless groups and sends emails to the most active group members, asking if they want to become group owners. If a member accepts ownership, the policy automatically elevates that person from group member to group owner. The policy does not cover standalone SharePoint sites, but the majority of orphaned resources in an organization are usually Microsoft 365 groups, so this policy should still help a lot.

The policy was designed with the idea of preventing ownerless groups, meaning it handles them gradually over time as they become ownerless. Because of that, it’s recommended to activate the policy as soon as you set up the tenant. Configuration is done through the GUI, and it’s intuitive and straightforward. Microsoft documented it well, but if you still have questions about how the policy behaves, here is my Q&A covering what is not included in Microsoft’s FAQ, along with some tips, tricks, and gotchas.

The problem is that Microsoft introduced this feature relatively recently, and if you’ve owned your tenant for years, you probably already have some ownerless groups. In small or medium environments with a few dozen ownerless groups, this isn’t a big issue. But in a large Microsoft 365 or SharePoint Online environment, you might end up with hundreds or even thousands of ownerless (or orphaned) resources that you have to deal with.

One of the challenges is how to implement the policy correctly when you already have many ownerless groups, and then how to manage the groups that will become ownerless in the future. In other words, we need to solve two consecutive issues:

  • Remediate vast amount of existing ownerless groups
  • Prevent groups to become ownerless

Obviously we’d need two different strategies and policies configurations.

There are also 3-rd party tools – like SysKit Point that can help with orphaned resources by enforcing minimum number of owners. There is also “Orphaned resources” policy under SysKit that allows multiple workflow options to resolve the issue – but there is no “fully automated” option -all SysKit options require an interaction from admin/manager.

Microsoft 365 built-in feature – “Ownerless groups policy” allows fully automated process:

  • detects ownerless groups, and for every group found
  • generate e-mail invitations to most active group members
  • assigns users as group owners if they accept invitation

Another problem in large environments is that we have strict requirements we need to satisfy:

  • end-users to get a limited number of emails in a certain period so they can process
  • end-users get only relevant messages so they will not ignore further notifications
  • high percentage of acceptance and (ideally) no orphaned resources

We want the policy to be piloted or tested in production against a small group and then we want phased implementation – so we could have a chance to get a feedback on phase 1 and adjust our approach at phase 2 etc.

The policy allows limiting the policy scope in two ways:

  • by limiting “who can receive” messages – it’s done by specifying a security group – so only this security group members will be eligible to get invitation and accept or decline it
  • by limiting Microsoft 365 groups that would be in scope for the policy – it’s done by specifying group names

Two options can be specified in the same policy and effective eligible members would be those who satisfy both requirements.

Configuration is done using GUI – i.e. there is no PowerShell commands known on the subject at the moment.

There are a lot of “what if” questions regarding the policy – most of them are resolved in Microsoft’s “Microsoft 365 ownerless group policy FAQ” and my Ownerless m365 groups Q&As, gotchas, findings…

But the most important gotcha for me is that we cannot reconfigure the policy or reactivate it to trigger additional messages for groups that already had messages generated earlier. In other words, if email notifications were already sent for a group and the policy stopped working after the defined time period, it’s done for good. No more emails can be generated for that same group.

The other limit is you can only specify no more than 50 Microsoft 365 groups in policy under “Apply policy to Specific groups” option. And we’d keep in mind exchange’s limit of 10,000 emals per account per day.

So, having this said, what would be the proper approach to do phased implementation in terms of configuring policy to scope it down for each step?

First – know your data. Get full report on ownerless groups, analyze it and come up with approach. Let’s assume we have an org with ~100K users and ~5000 ownerless groups. I bet you will find out that you have

  • large m365 groups (100+ members): <1%, i.e. 10-20 groups
  • medium m365 groups (10-100 members): ~25%, i.e. ~1000-2000 groups
  • small m365 groups (1-10 members): ~50%, i.e. ~2500 groups
  • null m365 groups (0 members): ~25%, i.e. ~1000-2000 groups

You’d might have your own classification, but I would propose the following approach to each category.

  • large groups:
    configure policy with “Apply policy to Specific groups” option
    and specify all or several of your large groups (the limit if 50 allowed groups in this field)
  • medium groups:
    configure policy not scoped down (e.g. apply to all groups, all users)
  • small groups:
    skip the policy, use PowerShell to elevate all group members to owners
    optionally – elevate specific titles (manager, lead) or salary grade members to owners
  • null groups:
    consider deleting these groups
    optionally – delete only inactive no-members groups or groups with no or small amount of storage/files.

You’d also come up with the ideas on

  • desired min and max number of owners
  • deleting groups/sites phased approach
  • archiving groups/teams/sites

Remember – this is production, so at this moment you should test the policy in non-prod an be fully comfortable with all aspects of configuring the policy and formatting e-mail template etc.

As a remediation part plan I would propose the following:

Wave 0 – piloting

select a few (3-5) ownerless m365 groups, preferably your colleagues from IT – whose members will be your pilot team, so you could finalize all settings and polish notification message etc.

Implement the policy with settings:
– All active members, 5 members to notify, 2 weeks
– Sender
– Subject and message – clean-up oriented
– Specified groups – select these pilot groups

In parallel, while you are waiting weeks for the policy to pause, start developing PowerShell scripts that will 1) delete null (no members) groups and 2) elevate members to owners (get how many members can be elevated if elevate only certain members)

Track user’s response – % of declines and accepts

Get feedback from users – how well the notification message is understandable etc.

Wave 1 – large groups and small groups

Implement the policy for large with settings:
– All active members, 5 members to notify, 5 weeks
– Sender – specially created m365 group with the name you need as sender
– Subject and message (polished at wave 0, clean-up oriented)
– Specified groups – select large groups

For small groups – run PowerShell script that elevates members to owners.

Wave 2 – medium groups and null groups

For null groups – run PowerShell script that removes groups with no owners and no members (optionally only inactive groups and/or no content groups).

At this moment number of ownerless groups should be decreased significantly. So we should be good to start implementing policy for all groups. But we are getting new ownerless groups permanently – during all the waves of policy implementation.

Get the report again. In case you have e.g. up to 2,000 orphan groups – you can reconfigure policy and “Apply this policy to” All groups.

If you have more than 2k ownerless groups left – consider the following: create a few service accounts in Entra ID. Add these account to ownerless groups as owners (distribute equally). That’d make groups not ownerless. Then you’d configure the policy. Than delete these service accounts from entra id one by one, so it’d make groups ownerless again, but not all at once, but gradually.

Wave 3 – all groups left ownerless

After a few months you configured ownerless groups policy for all groups – get reports on your orphan groups again – there should be some % of remediated groups, and some % of groups that are still ownerless after all notifications sent to most active members (nobody volunteered to be a group owner). But you still need to deal with these ownerless groups. Consider the following approach based on groups activity (this would require PowerShell):

  • active groups – elevate most active members to owners
  • groups with no recent activities – rename group, remove all members, configure “request access” email and let the group stay for a few more months/years – then delete groups not reclaimed

Wave 4 – permanent policy and custom deletion

After you completed clean-up (policy + your custom solution), consider policy re-configuration.
Specifically, you might want to update the notification Subject and Message.

Questions and Answers

Q: Isn’t it a security risk if we elevate members to owners? Would a member get access to more information that he/she did have access to before.
A:
1) Elevating members is the same risk as implementing the ownerless policy, as policy does the same – it elevates member to group owner.
2) When a member is elevated to group owner – a member does not get access to more information, as
a) for standard channels – he/she did have access as a member
b) private channels stays private – new group owner does not get access to private channels automatically
c) shared channels stays with the same permissions also

References