SKILL.md (paste into Microsoft 365 Copilot or Claude)
---
name: Teams and Groups Sprawl Audit
description: Audit Microsoft 365 Groups and Teams for ownerless groups, public teams, guest access and inactivity that expand the Copilot and oversharing surface.
---
# Teams and Groups Sprawl Audit
> **TL;DR:** This skill audits Microsoft 365 Groups and Teams for sprawl and governance gaps (ownerless groups, public teams holding sensitive content, guest access and inactive teams) and ranks them by how much they expand the Microsoft 365 Copilot and oversharing surface.
## What does the Teams and Groups sprawl audit examine?
This skill audits Microsoft 365 Groups and Microsoft Teams using Microsoft Graph and Microsoft Entra signals to find the governance gaps that drive sprawl. It surfaces ownerless groups, public teams holding sensitive content, guest membership and teams with no recent activity. Copilot only returns content the querying user can already open, so each of these gaps widens the connected SharePoint Online footprint that some or every user's Copilot can draw on: a public team is readable by everyone in the tenant, and a guest in a group reaches everything the group's site holds. The audit therefore ranks gaps by oversharing impact. The result is a prioritised cleanup list that supports lifecycle and least-privilege governance. It reads group and team data only and makes no changes.
## When should you run this skill?
- "Audit our Microsoft 365 Groups and Teams for sprawl"
- "Find ownerless groups in our tenant"
- "Which public teams hold sensitive content?"
- "Show me inactive teams we can clean up"
- "Where does guest access expand our Copilot surface?"
- "Assess group governance gaps before a Copilot rollout"
## How this skill works, step by step
1. Connect read-only to Microsoft Graph and Microsoft Entra with assessment scopes.
2. Enumerate Microsoft 365 Groups and their connected Teams and SharePoint sites.
3. Identify ownerless groups and groups with a single owner.
4. Detect public teams and assess the sensitivity of their connected content.
5. Enumerate guest members and the resources they can reach.
6. Measure activity to flag inactive or dormant teams.
7. Correlate each gap with its connected SharePoint exposure.
8. Score each group by ownership health, visibility, guest reach and activity.
9. Output the prioritised sprawl audit without modifying any group or team.
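The procedure above, worked through as an added example that is not part of the skill file and not the skill's own implementation. It runs offline on constructed records shaped like the Graph responses the audit would consume; the `GRAPH_QUERIES` strings are the real read-only endpoints for those signals, while the weights, the 180-day dormancy threshold and the `sensitive_content` flag (standing in for the content check in step 4) are assumptions chosen so that the output matches the sample table in the next section.

```python
"""Score Microsoft 365 Groups for sprawl risk from Graph-shaped records.

Added example; not the skill's own code. Weights and thresholds are an
assumption for illustration, not a Microsoft-defined scoring scheme.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Read-only Graph queries the audit would issue. This example does not
# call them; it consumes the constructed records defined below.
GRAPH_QUERIES = {
    "groups": "/v1.0/groups?$filter=groupTypes/any(c:c eq 'Unified')"
              "&$select=id,displayName,visibility,resourceProvisioningOptions",
    "owners": "/v1.0/groups/{id}/owners?$select=id",
    "guests": "/v1.0/groups/{id}/members/microsoft.graph.user"
              "?$filter=userType eq 'Guest'&$select=id",
    "activity": "/v1.0/reports/getOffice365GroupsActivityDetail(period='D180')",
}

INACTIVE_AFTER = timedelta(days=180)  # assumption: dormancy threshold


@dataclass
class GroupRecord:
    display_name: str
    visibility: str                  # "Public" or "Private", as Graph returns it
    owner_count: int
    guest_count: int
    last_activity: Optional[datetime]  # from the activity report; None = never
    sensitive_content: bool          # assumed outcome of the step-4 content check


@dataclass
class Finding:
    group: str
    score: int
    risk: str
    actions: list[str]


def is_inactive(rec: GroupRecord, now: datetime) -> bool:
    return rec.last_activity is None or now - rec.last_activity > INACTIVE_AFTER


def score_group(rec: GroupRecord, now: datetime) -> Finding:
    score = 0
    actions: list[str] = []
    public = rec.visibility == "Public"

    # Visibility: a public group is readable, and so Copilot-reachable, by every
    # user in the tenant, so sensitive content there dominates the score.
    if public and rec.sensitive_content:
        score += 3
        actions.append("Set Private")
    elif public:
        score += 1
        actions.append("Confirm intent")

    # Ownership health: with no owner nobody can attest membership or clean up.
    if rec.owner_count == 0:
        score += 2
    elif rec.owner_count == 1:
        score += 1

    # Guest reach: external identities weigh more where content is sensitive.
    if rec.guest_count > 0:
        score += 2 if (public or rec.sensitive_content) else 1
        actions.append("review guests")

    # Activity: dormant groups are cleanup candidates.
    inactive = is_inactive(rec, now)
    if inactive:
        score += 1

    if rec.owner_count == 0:
        actions.append("Assign owner or archive" if inactive else "Assign owner")
    elif rec.owner_count == 1 and not actions:
        actions.append("Add a second owner")

    risk = "High" if score >= 4 else "Medium" if score >= 2 else "Low"
    return Finding(rec.display_name, score, risk, actions)


def audit(records: list[GroupRecord], now: datetime):
    """Return findings ranked by score plus the summary counts the report prints."""
    findings = sorted((score_group(r, now) for r in records), key=lambda f: -f.score)
    summary = {
        "Total groups audited": len(records),
        "Ownerless groups": sum(r.owner_count == 0 for r in records),
        "Public teams with sensitive content":
            sum(r.visibility == "Public" and r.sensitive_content for r in records),
        "Groups with guest access": sum(r.guest_count > 0 for r in records),
        "Inactive teams": sum(is_inactive(r, now) for r in records),
        "High risk": sum(f.risk == "High" for f in findings),
    }
    return findings, summary


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock for reproducibility
SAMPLE = [  # constructed records mirroring the page's sample table
    GroupRecord("Finance Team", "Public", 1, 3, NOW - timedelta(days=2), True),
    GroupRecord("Project Atlas", "Private", 0, 0, NOW - timedelta(days=240), False),
    GroupRecord("Social Club", "Public", 2, 0, NOW - timedelta(days=1), False),
]

if __name__ == "__main__":
    findings, summary = audit(SAMPLE, NOW)
    for f in findings:
        print(f"{f.group:14} {f.risk:6} {', '.join(f.actions)}")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The scoring is additive so that a single dominant gap (sensitive content in a public team) outranks several minor ones, and the recommended actions are derived from the same conditions that produced the score, so a reviewer can trace every row back to the signal that raised it.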
## Output format
The skill returns a sprawl audit table, one row per group or team.
| Group | Visibility | Owners | Guests | Last active | Risk | Recommended action |
| --- | --- | --- | --- | --- | --- | --- |
| Finance Team | Public | 1 | 3 | 2 days ago | High | Set Private, review guests |
| Project Atlas | Private | 0 | 0 | 8 months ago | Medium | Assign owner or archive |
| Social Club | Public | 2 | 0 | 1 day ago | Low | Confirm intent |
Summary:
- Total groups audited: 612
- Ownerless groups: 38
- Public teams with sensitive content: 21
- Groups with guest access: 144
- Inactive teams: 97
- High risk: 59
## Scope and safety
This skill is read-only by default and makes no changes to groups, teams, membership or visibility.
This skill does NOT:
- Create, delete, archive or change visibility of any group or team.
- Add or remove owners, members or guests.
- Apply expiration, retention or lifecycle policies.
- Modify connected SharePoint sites or content.
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Read Microsoft 365 Groups, Teams and Entra membership signals via Microsoft Graph | Microsoft 365 E3 |
| Assess connected SharePoint oversharing and data access governance for at-risk groups | Microsoft 365 E5 with SharePoint Advanced Management |
### Least-privilege roles
- Global Reader (read-only audit of groups, teams and membership)
- SharePoint Administrator where connected site exposure is assessed. This role has no read-only variant, so assign it just-in-time through Privileged Identity Management and remove it when the audit completes.
### Microsoft Graph permissions (read-only)
- `Group.Read.All` — read Microsoft 365 Groups, owners, members and visibility
- `Directory.Read.All` — read guest accounts and directory membership
- `Sites.Read.All` — read connected SharePoint sites to assess oversharing exposure
- `Files.Read.All` — read connected content to assess sensitivity
- `AuditLog.Read.All` — read directory audit and sign-in logs for ownership and membership change history
- `Reports.Read.All` — read the Groups and Teams activity reports (`reportRoot/getOffice365GroupsActivityDetail`) that supply the last-activity date used to flag inactive or dormant teams
## Sources and compliance
- [Governance for Microsoft 365 Groups, Teams and SharePoint](https://learn.microsoft.com/en-us/microsoft-365/solutions/groups-sharepoint-governance)
- [Manage Microsoft 365 Groups expiration](https://learn.microsoft.com/en-us/microsoft-365/solutions/microsoft-365-groups-expiration-policy)
- Maps to Essential Eight: Restrict administrative privileges and reduce unnecessary access through lifecycle governance.
- Aligns with ISM controls for access control, guest access management and account lifecycle.
- Reference: [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English
How to use this skill
1. Get the file. Download or copy the `SKILL.md` from the panel above.
2. Load it into your host:
   - Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
   - Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
   - Any chat host — paste the file contents as your prompt.
3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions.
4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
5. Review the report and action the risk-ranked recommendations.
This skill is read-only by default — it inspects and reports, and never changes your tenant.