Seven Years Too Late, Microsoft Realizes the Reality of Group Sprawl
Microsoft seems to have had a sort of road to Damascus conversion in its invitation to tenant administrators to discuss Group Sprawl. For the purpose of this exercise, group sprawl is when a tenant has many Microsoft 365 groups (the new name for Office 365 groups) that are no longer in active use for some reason. Group sprawl is a problem because it complicates tenant management. Scripts take longer to run, it’s more difficult to distinguish active groups from inactive groups, and so on.
Some of us told Microsoft that sprawl was inevitable after they launched Office 365 Groups in November 2014 with the mantra of “free collaboration for all.” In other words, any user could create a group to collaborate with whomever they liked about whatever they liked. As far as Microsoft was concerned, the more groups, the merrier. As I said at the time, “Perhaps it’s because Microsoft has so much storage available within Office 365 that no one cares whether petabytes are occupied with the long-obsolete ramblings that group discussions can become.”
We’d been down this road before with public folders in Exchange Server. Those bitten by the need to clean up large public folder infrastructures where users had created and discarded folders by the thousands were all too aware of the consequences of allowing users to do what they liked. It’s not that people are bad. It’s just that they seldom make good IT decisions. The result is that tenant admins are still cleaning up public folders after 25 years.
The Progress of Groups
Microsoft’s open-ended approach served them well insofar as making groups relatively popular. In April 2017, they could report that 10 million Office 365 accounts used groups daily. At the time, Office 365 had just over 100 million users, so groups had 10% of the available base.
Although other applications like Power BI embraced Groups over time, Teams lit the touchpaper for an explosion of Groups. Microsoft’s laissez-faire attitude continued with Teams and more groups are in use today than ever before. However, it’s also true that more groups are not used today than ever before. The amount of group debris in tenants is startling.
Tools to Control Groups
Some tools are available to help control groups. In 2016, Microsoft implemented an Azure AD policy to control group creation. In 2017, a groups expiration policy appeared, originally based on age, and then refreshed in 2019 to take activity into account. But it took the advent of container management through sensitivity labels in 2020 before it was easy to block guest access to confidential groups (and teams). Nice as it was to have policy-based management, Microsoft made these features less attractive by insisting on premium Azure AD licenses for group management features. You could summarize group management capabilities by saying that Microsoft delivered too little, too late, for too much.
Microsoft’s View of Group Sprawl
Microsoft’s Damascene post admits that “Admins may need additional tools to manage large numbers of Microsoft 365 Groups and to deal with Group Sprawl.” They point to:
- Duplicate groups being created by users. Yes, because Microsoft allows groups to be created by everyone unless a tenant stops this, and then Microsoft charges for the group creation policy.
- Large numbers of inactive or obsolete groups. Yes, because Microsoft charges for the group expiration policy and doesn’t provide any other tools to help tenants identify inactive groups. Possibly this is why the Teams and Group activity report (PowerShell script) is so popular.
- Unnecessary provisioning of resources across multiple apps. In short, some groups don’t need a SharePoint Online site or an Exchange Online mailbox, but they all get them. The result is that the SharePoint Online admin center has difficulty dealing with so many sites, many of which are utterly unimportant.
- Inconsistencies in group policies across apps or within the same app. There are many moving parts of policies relating to groups from the basic Azure AD groups policy to sensitivity labels to the Azure B2B collaboration policy. Groups created by the Teams admin center have different settings to those created by the Teams desktop and browser clients (a problem due to be fixed in March). Teams can archive groups (teams) when they’re no longer required, but no other app can. The point is that the Microsoft 365 admin center and other administrative interfaces touch groups in different, inconsistent ways. Given the central importance of Microsoft 365 groups to the ecosystem, they deserve a coherent approach to management in the Microsoft 365 admin center or elsewhere.
- A lack of governance tools. At last! It has only taken Microsoft seven years to realize and acknowledge this deficiency. The upside of Microsoft’s inactivity in this space is that it has encouraged some ISV solutions (like Quest On-demand Group Management), but Microsoft needs to do better. An audit of what’s available in terms of PowerShell scripts to manage Groups should give Microsoft some guidance about the holes they need to fix. For instance, Microsoft could create an out-of-the-box customizable app for users to request the creation of new groups based on Power Automate. And while they are improving the governance tools available for groups, Microsoft could eliminate the unnecessary licensing requirements for some basic group management features, like the naming policy.
Time for Action
I encourage tenant administrators involved in group management to tell Microsoft what you want to see done. Complete this form and talk to Microsoft. The alternative is to stay silent and moan, and that’s not right.