Congratulations. Your Microsoft 365 tenant is now an archaeological Site.

If you deployed Microsoft Teams during the pandemic, your tenant is probably still carrying the scars.
Thousands of Teams created overnight. No lifecycle. No ownership model. No idea what would happen three years later.

Overnight collaboration sounded great. In practice it meant thousands of Teams being created with no plan for what would happen next.

People created a new Team just to book a meeting. Every department, project, and passing thought got its own Team. And with every one of those came a whole new SharePoint site, whether anyone realised it or not.

Fast forward a few years and we are now sitting on a mountain of abandoned Teams, forgotten SharePoint sites, and a whole lot of governance debt.

If you are lucky, you have a naming convention. If you are not, you have “Project Phoenix Final”, “Project Phoenix Meeting”, and “Project Phoenix Planner” all floating around with different owners, different permissions, and no idea which one is still active.

And that is before you even look at the SharePoint back end, where every Team has quietly spawned a site collection that nobody is managing, often with broken permission inheritance if you are really lucky.

What many organisations discovered later is that Teams is not just a chat tool.

It is a SharePoint provisioning engine with a messaging interface attached.

This is not just untidy collaboration.

It is a security risk.
It is a compliance risk.
And it destroys productivity.

Sensitive information sits in abandoned sites.
External guests keep access long after projects end.
Retention policies fail because nobody knows where the data actually lives.
Users waste time searching through multiple Teams trying to find the right document.

Then Copilot arrives….

And suddenly the AI assistant starts surfacing documents from Teams nobody remembers creating.
The problem was always there. Copilot just shines a very bright torch on it.

This did not happen by accident

Microsoft optimises for adoption.
Governance is left as an exercise for the customer.
That means everything is switched on, creation is open to everyone, and governance is something organisations are expected to figure out later.

Most organisations never do. Or they try, but by then the environment has already grown into something nobody fully understands. And when Copilot arrives, it does what AI does best. It surfaces all the chaos that was already there.

Documents from abandoned Teams.
Files shared externally years ago.
Content sitting in sites nobody has visited since 2021.

The technology is working exactly as designed. The architecture behind it is not.

Reality check for Microsoft 365 architects

In most tenants today:

• 30–50% of Teams are inactive
• Guest access is rarely reviewed
• Nobody can confidently list all SharePoint sites containing sensitive data
• Ownership of collaboration spaces is unclear

Copilot does not create these problems.

It simply makes them visible.

This is the uncomfortable truth about Microsoft 365 architecture in 2026. The platform makes it incredibly easy to create collaboration spaces. It does not make it easy to manage them five years later.
That part requires design, ownership, and discipline.

Without governance, Microsoft 365 becomes what every experienced SharePoint architect eventually recognises: an archaeological site of old projects, forgotten sites, and permissions that nobody dares to touch in case something important breaks. Everyone knows it is messy. Nobody wants to be the one who deletes the wrong thing.

So what actually works

The good news is that this mess is fixable.

The bad news is that there is no magic button. Governance is mostly boring operational discipline.

Start with an audit.
Use SharePoint Advanced Management (SAM),Microsoft Graph, Purview Content Explorer, or governance tools to answer simple questions:

• How many Teams have no owner
• How many sites have not been accessed in two years
• Where external guests still have access
• Which Teams have never had activity after creation

The answers are usually uncomfortable.
Then implement expiration policies. They are not perfect, but they are better than nothing. Just make sure you have a process to notify owners and archive anything worth keeping.

Enforce naming conventions. Yes, they are dull. No, users will not like them. Do it anyway.

Set up approval workflows for Team creation. Not to block people, but to slow them down long enough to think.

• Who is the owner.
• What is the purpose.
• When should it be deleted.

Make owners responsible. If you create a Team, you also own the SharePoint site behind it. That means managing permissions, reviewing guest access, and knowing when to shut it down.

Run regular clean up. Treat it like digital spring cleaning. Give people a list of the Teams and SharePoint sites they own and ask them to justify keeping them. You will be surprised how quickly things disappear when owners realise they are responsible.

This is also where SAM comes into play. Set up policies that sends ut notifications to Teams and SharePoint site owners when sites are inactive or are missing owners.
It also gives you visibility into the inactive sites, oversharing risks, and unusual access patterns, making it much easier to identify which collaboration spaces are abandoned, which ones are risky, and which ones actually still matter.

But tools alone are not enough. Someone still needs to act on the insights. A clean-up report does nothing unless someone is willing to press delete.

Governance checklist before the next Team is created

If you are responsible for a Microsoft 365 tenant in the Copilot era, these controls should exist before the next Team is created.

• Naming conventions for Teams and SharePoint sites and enforcement
• Team creation approval process using Power Automate or governance tools
• Expiration policies for inactive Microsoft 365 Groups and Teams
• Guest access review policies with automated access reviews through Entra ID
• Sensitivity labels applied to Teams and SharePoint sites
• Retention policies covering Teams chats, SharePoint libraries, and OneDrive
• Owner education explaining responsibilities and permission management
• Regular clean up campaigns with reporting and follow up
• Inventory and risk reporting using tools such as:
  • Microsoft Purview
  • Microsoft Graph API
  • Entra ID – Access Reviews
  • ShareGate

Honest question:
How many Teams exist in your tenant today that nobody can confidently explain the purpose of?
Most organisations are afraid to find out.

Further reading from the blog

If you are starting to untangle governance and access issues in Microsoft 365, a few other posts on the blog go deeper into the topics discussed here.

Guest access and external collaboration

External access is often where governance breaks down first. Sandra Saluti has written several practical guides on how to regain control of guest identities and collaboration.

• Time to Spring-Clean Your Stale Guest Accounts
• Using Access Packages for Flexible Access Management in Microsoft Entra

These articles explain how to govern guest onboarding, automate access reviews, and prevent external users from quietly keeping access forever.

Identity governance and access control

Many collaboration problems start with identity and access design. Per-Torben Sørensen regularly writes about Entra ID governance and identity security patterns that help keep permissions under control.

His posts are a great companion if you want to understand how identity governance connects to Teams, SharePoint, and collaboration security.

Oversharing and information exposure

If you want to understand why Copilot suddenly exposes messy permissions and uncontrolled data access, this earlier article dives into the oversharing problem in Microsoft 365.

• The Oversharing Problem in Microsoft 365

Cleaning up Teams and SharePoint sprawl is only part of the story. Understanding how data becomes visible across the tenant is the other half.

The part nobody wants to admit

Most organisations know they have this problem.
They just hope it is not that bad.
But Copilot changes the equation.
When AI starts reading across your tenant, the mess becomes visible. Not just to administrators, but to every user asking a question.

If you are not doing at least half of the governance work above, you are not governing your tenant.

You are gambling with it.

And Copilot is about to expose the odds.