GOVERNANCE · April 11, 2026 · 11 min read
Teams Governance Assessment: Find Sprawl Before Copilot Surfaces It
Microsoft Teams was supposed to make collaboration easier. In most tenants, it made collaboration faster — and sprawl faster too. The median Microsoft 365 tenant we scan has 30% or more of its teams sitting orphaned, unowned, or unused for six months or longer. Each one is a SharePoint site, an Exchange group, a Planner board, and a OneNote — all indexed by Copilot, all returning stale or contradictory data when a user asks the AI a question.
The Teams Governance Assessment is the read-only audit that finds the sprawl before Copilot surfaces it. This post explains what it scans, why those checks matter for both day-to-day Teams hygiene and Copilot-in-Teams safety, and how a CA$399 one-time purchase compares to the alternatives.
Why Teams Sprawl Becomes a Copilot Problem
Most Teams sprawl conversations happen in the lifecycle context — orphaned teams cost storage, abandoned channels confuse new hires, the corporate directory is a graveyard of "Q3 2022 Project Phoenix" channels. Those are real costs but they are not urgent. They are "we should clean this up someday" problems.
Copilot turns "someday" into "Monday." Here is the failure mode: a user asks Copilot in Teams "what's the status of Project Phoenix?" Copilot semantically searches every Team the user has access to. It finds the Q3 2022 Project Phoenix channel — the one nobody has updated since the project ended in early 2023. The most recent message in the channel says "we're going to ship by Christmas." Copilot has no idea that message is two years out of date. It has no idea the project was cancelled three weeks after that message. It surfaces "the project is on track to ship by Christmas" as the answer, with full confidence.
This is the hidden cost of Teams sprawl. The sprawl was always there. Copilot is the first product that gives users confidently-wrong answers from old project channels nobody has logged into in eighteen months. The Teams Governance Assessment is the cleanup pass that prevents that.
What the Assessment Scans
Three modules execute when you run a Teams Assessment:
1. Teams & OneDrive Governance (the headline)
We enumerate Microsoft 365 groups filtered to Teams via the Graph groups endpoint with the resourceProvisioningOptions filter, then run lifecycle hygiene checks on each one:
- Orphaned teams — teams with zero owners (the original owner left and ownership was never reassigned)
- Single-owner teams — teams with exactly one owner, where that owner being unavailable bricks the team
- Inactive teams — teams with no message activity in the last 180 days (the most likely "should be archived" candidates)
- Tenant-wide external sharing capability — Anyone vs New and existing guests vs Existing guests vs Only people in your organization, pulled from /admin/sharepoint/settings
- OneDrive Known Folder Move adoption percentage — pulled from getOneDriveUsageAccountDetail, this is the precondition for any Teams-based file collaboration that does not bypass governance
The scoring rubric: over 30% inactive teams + Anyone external sharing + low OneDrive enablement = score 1 (Not Ready). Each governance gap reduces the module score independently. Clean Teams governance + restricted sharing + KFM deployed at 80%+ = score 4 (Ready).
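The lifecycle checks and rubric above, sketched as an added example (not the product's own code). The record fields `owners` and `last_activity` are a hypothetical flattening of Graph data, the sample teams are constructed, and the "start at 4, lose one point per gap" scoring is one assumed reading of the rubric.

```python
from datetime import date

# OData filter that narrows GET /groups to Teams-backed Microsoft 365 groups.
TEAMS_FILTER = "resourceProvisioningOptions/Any(x:x eq 'Team')"
INACTIVE_DAYS = 180  # inactivity window from the checklist above

def classify(team, today):
    """Return the lifecycle flags for one flattened team record."""
    flags = set()
    owners = team.get("owners") or []
    if not owners:
        flags.add("orphaned")
    elif len(owners) == 1:
        flags.add("single_owner")
    last = team.get("last_activity")  # ISO date, or None if no activity recorded
    if last is None or (today - date.fromisoformat(last)).days > INACTIVE_DAYS:
        flags.add("inactive")
    return flags

def module_score(teams, sharing, onedrive_pct, today):
    """Assumed reading of the rubric: start at 4, lose one point per gap, floor 1."""
    inactive = sum("inactive" in classify(t, today) for t in teams)
    gaps = 0
    gaps += bool(teams) and inactive / len(teams) > 0.30  # over 30% inactive
    gaps += sharing == "Anyone"                            # widest sharing setting
    gaps += onedrive_pct < 80                              # below the 80% KFM mark
    return max(1, 4 - gaps)

# Constructed sample records (not real tenant data).
TODAY = date(2026, 4, 11)
SAMPLE = [
    {"name": "Q3 2022 Project Phoenix", "owners": [], "last_activity": "2023-01-15"},
    {"name": "Finance", "owners": ["u1"], "last_activity": "2026-04-01"},
    {"name": "Engineering", "owners": ["u1", "u2"], "last_activity": "2026-03-20"},
    {"name": "Offsite 2024", "owners": ["u3", "u4"], "last_activity": None},
]

def report(teams=SAMPLE, today=TODAY):
    """Map each team name to its sorted flags, skipping teams with none."""
    out = {t["name"]: sorted(classify(t, today)) for t in teams}
    return {name: flags for name, flags in out.items() if flags}
```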
2. Identity & Conditional Access (the gate layer)
Teams external sharing is gated by Identity policies, not just by the SharePoint setting. A "yes you can share with anyone" tenant setting is overridden if there is no MFA-required Conditional Access policy on guest tokens — in that case the guest can be invited but cannot actually authenticate without MFA, which is good. Conversely, a tenant with the SharePoint setting locked down to "only people in your organization" but no CA enforcement on guest accounts is a tenant where guest invitations technically cannot create new sharing relationships but existing invited guests can still access content.
The Identity module reviews CA policies relevant to the Teams external surface: MFA enforcement on guest sign-ins, device compliance gates, geographic restrictions, and the OAuth grants that govern which third-party apps can read Teams content. The findings tagged for the Teams pack focus on the gates that govern Teams collaboration specifically.
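One way to check "MFA enforcement on guest sign-ins" over Conditional Access policy JSON, as an added example (not the product's own code). The sample policies are constructed, and the check is deliberately narrow: it ignores authentication strengths, application scope and other conditions.

```python
GUESTS = "GuestsOrExternalUsers"

def targets_guests(policy):
    """True if the user scope covers guests and does not exclude them."""
    users = (policy.get("conditions") or {}).get("users") or {}
    excluded = users.get("excludeUsers") or []
    if GUESTS in excluded or users.get("excludeGuestsOrExternalUsers"):
        return False
    include = users.get("includeUsers") or []
    return ("All" in include or GUESTS in include
            or bool(users.get("includeGuestsOrExternalUsers")))

def requires_mfa(policy):
    """True only if MFA cannot be skipped by satisfying another grant control."""
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        return False
    # With operator OR, any other listed control satisfies the grant without MFA.
    return grant.get("operator") == "AND" or controls == ["mfa"]

def guest_mfa_policies(policies):
    """Names of policies that are enforced, cover guests, and require MFA."""
    return [p["displayName"] for p in policies
            if p.get("state") == "enabled" and targets_guests(p) and requires_mfa(p)]

def _policy(name, state, include, operator, controls, exclude=()):
    # Helper that builds a constructed policy in the Graph JSON shape.
    return {"displayName": name, "state": state,
            "conditions": {"users": {"includeUsers": list(include),
                                     "excludeUsers": list(exclude)}},
            "grantControls": {"operator": operator, "builtInControls": list(controls)}}

# Constructed sample policies (not from a real tenant).
SAMPLE_POLICIES = [
    _policy("Guests require MFA", "enabled", [GUESTS], "OR", ["mfa"]),
    _policy("MFA or compliant device", "enabled", ["All"], "OR",
            ["mfa", "compliantDevice"]),
    _policy("Guest MFA pilot", "enabledForReportingButNotEnforced", [GUESTS],
            "OR", ["mfa"]),
    _policy("All users MFA, guests excluded", "enabled", ["All"], "AND", ["mfa"],
            exclude=[GUESTS]),
]
```

An empty result from `guest_mfa_policies` is the finding: no enforced policy makes MFA mandatory for guest sign-ins.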
3. M365 Apps Readiness (the Copilot-in-Teams compatibility check)
This is the module most "Teams audits" forget. Copilot in Teams is rendered by the Teams desktop client, which is gated by the Click-to-Run update channel of the underlying Microsoft 365 Apps installation. Users on Semi-Annual Enterprise Channel cannot render Copilot in Teams at all — not because Copilot is broken, but because their Office build is six months behind the Copilot ribbon's required version.
We pull the getM365AppUserDetail report from the Graph reports endpoint and bucket users by update channel. Current Channel and Monthly Enterprise Channel are fine. Semi-Annual is a Copilot blocker. Catching this before the rollout means you can switch the affected users to Current Channel via Group Policy or Intune device configuration profile, instead of explaining to fifty help desk tickets why Copilot does not appear for half the company.
What the Findings Look Like
Common findings on real tenants we scan:
TMS-001 (Must Do Before Full Rollout): 412 of 1,205 Teams (34%) have not seen any message activity in the last 180 days. Recommended: archive or delete to prevent stale Copilot answers.
TMS-002 (Must Do Before Full Rollout): 47 teams are orphaned (zero owners). Re-assign ownership or archive immediately.
TMS-003 (Must Do Before Copilot): Tenant external sharing capability is set to "Anyone" with no domain restrictions. Recommended: switch to "New and existing guests" and add an allow-list for your partner domains.
TMS-005 (Must Do Before Full Rollout): Only 38% of users (462 of 1,205) have an active OneDrive with content. Suggests Known Folder Move is not deployed broadly — Copilot will only see content in OneDrive and SharePoint, creating a two-tier experience.
APP-004 (Must Do Before Full Rollout): 34% of users (410 of 1,205) are on Semi-Annual Enterprise Channel and cannot render Copilot in Teams. Switch them to Current Channel or Monthly Enterprise Channel.
Each finding has a priority (Must Do Before Copilot, Must Do Before Full Rollout, Nice to Have), an owner role (IT Administrator, Security Team, Compliance Team), an effort estimate (Low, Medium, High), and a Microsoft Docs link to the documented remediation steps. The remediation list is sorted so the worst offenders show up first.
Why the Same Modules Show Up in Other Assessments
If you have read the Copilot Readiness Assessment deep-dive, you have already seen Teams & OneDrive Governance and M365 Apps Readiness as two of the six modules in that scan. They show up in the Teams Assessment too because they are the modules that produce Teams-specific findings — but the Teams Assessment is a focused subset of just the modules that matter for Teams sprawl, without the SharePoint Permissions deep-scan or the Licensing & Infrastructure check.
The buyer is different. A Teams admin who wants to clean up sprawl does not need the SharePoint Anyone-link inventory or the Conditional Access deep-dive — they need the orphaned teams list, the activity report, and the update channel breakdown. The Teams Assessment gives them exactly those three modules at the same CA$399 single-assessment price as any other product. If they also want the SharePoint and Identity coverage, the Microsoft 365 Complete Bundle at CA$1,599 covers everything.
How This Compares to the Alternatives
The Teams admin tools market splits roughly into three buckets:
- Microsoft Teams admin center — free, included with M365. Tells you "here are your teams" but produces no prioritized cleanup list, no scoring, and no Copilot-readiness signal.
- Syskit Point, ShareGate Protect, AvePoint Confidence — enterprise governance platforms that DO produce cleanup lists, but charge per user per month with custom contracts ($2–$8 per user per month, often $10K+ minimum spend, contact-sales pricing). Built for ongoing governance, not one-time audits.
- Big-4 consulting engagements — Spyglass, Synergy Technical, ProArch all bid Microsoft 365 governance reviews at $15K–$50K per engagement.
The Teams Assessment at CA$399 sits in the empty slot between "free but useless" and "$15K minimum." It is the right tool for a one-off cleanup project where you want a prioritized list in 5 minutes, not a multi-week governance platform deployment.
Read-Only by Design
The scan is 100% read-only at the architectural level. The Microsoft Graph client has a write guard at the client level: any HTTP verb other than GET raises an exception before the request leaves the process. The service account is granted exactly fourteen read-only Graph application scopes. Findings are stored encrypted at rest with AES-256-GCM. The scan completes in three to five minutes.
For an MSP delivering this to a client, the read-only architecture means the client's security review takes 24 hours instead of two weeks.
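A client-level write guard of the kind described above, as an added example (not the product's own code). The class names, the injected `fake_transport` and the paged responses are constructed for illustration, and the method-override header check goes beyond what the page describes.

```python
class WriteBlockedError(RuntimeError):
    """Raised when a non-GET request is attempted through the read-only client."""

# Headers that some servers and proxies treat as a verb override (added check,
# an assumption beyond the page's description of the guard).
OVERRIDE_HEADERS = {"x-http-method", "x-http-method-override", "x-method-override"}

class ReadOnlyClient:
    def __init__(self, transport):
        self._transport = transport  # callable(method, url, headers) -> parsed JSON

    def request(self, method, url, headers=None):
        """Single choke point: refuse anything but a plain GET before sending."""
        headers = dict(headers or {})
        if str(method).upper() != "GET":
            raise WriteBlockedError(f"{method} {url} blocked: client is read-only")
        if OVERRIDE_HEADERS & {name.lower() for name in headers}:
            raise WriteBlockedError(f"method-override header on {url} blocked")
        return self._transport("GET", url, headers)

    def get_all(self, url):
        """Collect every page of a collection; each page passes through request()."""
        items = []
        while url:
            page = self.request("GET", url)
            items.extend(page.get("value", []))
            url = page.get("@odata.nextLink")
        return items

# Constructed stand-in for the network layer so the example runs offline.
SENT = []
_PAGES = {
    "https://graph.microsoft.com/v1.0/groups": {
        "value": [{"id": "t1"}],
        "@odata.nextLink": "https://graph.microsoft.com/v1.0/groups?$skiptoken=x",
    },
    "https://graph.microsoft.com/v1.0/groups?$skiptoken=x": {"value": [{"id": "t2"}]},
}

def fake_transport(method, url, headers):
    """Record what would have left the process and return a canned page."""
    SENT.append((method, url))
    return _PAGES[url]
```

Because Graph JSON batching is sent as a POST, a GET-only guard also refuses `$batch` requests, so a write cannot be carried inside a batch.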
How to Run It
Free Snapshot first — view-only score, four-state verdict, one sample finding, one snapshot per tenant per month per product, no credit card. If the answer is "yes my Teams environment has a sprawl problem," the CA$399 single assessment unlocks the full per-team list, the orphaned teams report, the activity rankings, and the JSON / HTML / CSV exports for 90 days.