For every self-service environment in Microsoft 365, sprawl and information security are key components that must be managed for effective enterprise risk management. What’s the best way to manage it all? We’ll review the pros and cons of Microsoft’s out-of-the-box features, creating your own PowerShell scripts and Power Automate flows, and an automated third-party solution.
In 2021, our state of Microsoft 365 report revealed that 61.4% of organizations have self-service enabled in some way. With the idea of cloud collaboration picking up more speed after this report, and adoption for Microsoft 365 having grown, it’s safe to say that more and more organizations are opting for self-service for one key reason: it works.
End users get the flexibility and freedom to collaborate and take ownership of their Microsoft 365 environment. The result? People end up building great things. But, with great power comes great responsibility. When you enable self-service, two consequences must be closely considered: sprawl and security.
It’s common for issues with sprawl and security to come up in a self-service-enabled environment. These risks need to be closely monitored and managed to ensure your organization’s data stays secure.
This blog is the third in our series on self-serve, so if you’re looking for more information on the benefits and risks of self-serve, best practices for managing it, and how an automated solution like ShareGate can help you manage it, check out the other blogs in the series:
- Collaborative governance: The pros and cons of enabling self-service in Microsoft 365
- 5 Best practices for smarter IT governance in your Microsoft 365 self-serve environment
- How ShareGate can help you manage your Microsoft 365 self-serve environment
In this blog, we’re going to first look at key reasons why sprawl is such a problem and the common information security risks of a self-service environment. Then, we present a way forward with 3 methods for managing sprawl and security.
If done correctly, you can get all the benefits of self-service plus zero sprawl and enhanced risk management. Let’s dive in!
Table of contents
- What exactly is sprawl in my Microsoft 365 environment?
- What are the security risks of using a self-serve environment?
- Method 1 – Manual risk management: Use Microsoft’s out-of-the-box management tools
- Method 2 – Common security risks and compliance: Use PowerShell scripts and Power Automate to manage your self-serve environment
- Method 3 – Supercharge security and governance by automating your Microsoft 365 self-service environment using ShareGate
- Information security can be easy with self-serve
What exactly is sprawl in my Microsoft 365 environment?
Simply put, the term ‘sprawl’ conveys the volume of unnecessary data that can clutter up your Microsoft 365 environment. Sprawl can include any form of the company’s data—from files and objects to archives and analytics.
Organizations are adding enormous amounts of data every day, a situation that is perhaps unavoidable. It’s estimated that almost 80% of this data is unstructured and unused. Add to this a self-serve environment where end users are in control and are unaware of how they’re contributing to sprawl, and you can have a real mess on your hands.
In this kind of scenario, sprawl can pose two major threats:
- Security: If all of this unstructured and unnecessary data is outside the realm of your management capabilities, how are you sure that you can protect it? This is why out-of-control sprawl poses serious information security risks for the entire organization.
- Value: If the company’s data is unstructured, it makes searching and navigating through your Microsoft 365 environment a major issue. If you’re unable to locate this data, you can’t use it. That’s a drain on productivity and friction for your end users.
The ‘group sprawl’ phenomenon
A phenomenon called ‘group sprawl’ can occur when you’re working in teams and dealing with a self-service environment. This is often a particularly big problem for large organizations. Some distinct risks of group sprawl in a self-serve environment to keep in mind include:
- Group creation: When anyone in your Microsoft 365 environment can create groups, each new group consumes storage and brings its own secondary data (a mailbox, a SharePoint site, a Planner plan, and so on). With the number of groups spiraling out of control, managing the data in each one becomes a problem.
- Provisioning: When you create a plan, team site, new team, a new group, or a new workspace, a new group is automatically provisioned. As a result, users unfamiliar with Microsoft 365 management can end up provisioning groups without realizing it.
Key takeaway: An interesting thing to note about sprawl is that in most cases, it springs up because end users need training in Microsoft 365 management or due to a lack of automation that can manage sprawl on the go.
What are the security risks of using a self-serve environment?
Two major information security risks come up when you enable self-serve in your Microsoft 365 environment.
1. Lack of control over data and end users
Missing visibility, lowered control over sensitive data, difficulty in enforcing policies, and a lack of ability to detect information security breaches are common issues that can come up in a self-serve environment.
2. External attacks
Self-serve environments can be more vulnerable to attacks such as malware and ransomware.
But don’t worry, there are ways to mitigate the risk of sprawl and security threats in your self-serve-enabled environment! We’ll compare using:
- Microsoft’s out-of-the-box management tools
- PowerShell and Power Automate
- ShareGate, an automated management solution for Microsoft 365
👉You deserve serenity: Let our free online course be your guide to getting sprawl under control now and in the future.
Method 1 – Manual risk management: Use Microsoft’s out-of-the-box management tools
For security, Microsoft Defender acts as the native information security and risk management tool to manage your Microsoft 365 environment. For sprawl, there’s no native OOTB capability in Microsoft 365. However, methods such as provisioning will come in handy.
Also, for both sprawl and security, OOTB Microsoft 365 management tools are resource-intensive, time-consuming, and can involve downloading a lot of spreadsheets to find what you’re looking for manually.
This does not imply that sprawl and information security risk management can’t be done with Microsoft’s OOTB tools. But, it’s better to understand certain limitations upfront and plan accordingly. As far as information security is concerned, here are some key scenarios where Microsoft Defender can be used to tackle threats:
Malware and ransomware protection
OOTB Microsoft 365 protection against malware and ransomware attacks includes an e-mail filtering service to scan malicious content, reporting and tracking capabilities to alert IT teams, versioning features to recover files encrypted by attackers, and more.
Incident response
Microsoft Defender collects data regarding all attacks happening throughout your Microsoft 365 environment to create alerts in context and keep you notified. The incident response flow can be visualized as follows:
Through this feature, you can see:
- When the attack happened
- Where it happened
- How it happened
- How much damage was done within your tenant (affected elements such as devices, users, etc.)
- A report detailing all data related to the attack
Vulnerability management
Microsoft Defender’s built-in Defender Vulnerability Management features continuously scan the environment for information security risks and identify vulnerabilities. Some key capabilities include:
- A security baseline assessment to measure your organization’s configuration against established benchmarks
- A software inventory that tracks changes such as installations, uninstalls, system updates, etc.
- Tracking of all browser extensions being used throughout the entire organization
- Warnings or blocks against vulnerable applications
More capabilities can be viewed by checking Microsoft’s official documentation about vulnerability management in Microsoft 365.
Additionally, here are some OOTB features in Microsoft 365 that you can leverage to manage sprawl:
Creating a provisioning strategy
A provisioning strategy can help you manage sprawl by setting up an effective infrastructure. According to Microsoft MVP Richard Harbridge, who joined us to talk about this very issue, this can include:
- Leveraging metadata during creation to add context to spaces
- Creating a post-creation ask policy to ask end users the reason for creating the space
- Directory experiences to manage a list of all existing spaces in Microsoft 365
- Having an automated request process in place for new sites and teams. This would look something like this:
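A request process only works if self-service creation is gated to begin with. The following is an added example (not code from this page or from ShareGate) of restricting Microsoft 365 group creation, and therefore team and team-site creation, to members of one security group using the Group.Unified directory setting in Microsoft Graph PowerShell. The security group name "Workspace Creators" is an assumption; the setting does not apply to accounts holding admin roles.

```powershell
# Added example: limit Microsoft 365 group creation to one security group.
# Uses the tenant-wide Group.Unified setting through Microsoft Graph PowerShell.
Connect-MgGraph -Scopes "Directory.ReadWrite.All","Group.Read.All"

# Assumption: this security group already exists and holds the people allowed to create groups
$allowedGroupName = "Workspace Creators"
$allowedGroup = Get-MgGroup -Filter "displayName eq '$allowedGroupName'"
if (-not $allowedGroup) { throw "Security group '$allowedGroupName' not found" }

# Look up the Group.Unified template by name rather than hardcoding its id
$template = Get-MgGroupSettingTemplate | Where-Object DisplayName -eq "Group.Unified"

# The two values that gate creation: turn it off for everyone, then allow one group
$values = @(
    @{ name = "EnableGroupCreation";         value = "false" }
    @{ name = "GroupCreationAllowedGroupId"; value = $allowedGroup.Id }
)
$body = @{ templateId = $template.Id; values = $values }

# The tenant-wide setting object does not exist until someone creates it
$setting = Get-MgGroupSetting | Where-Object DisplayName -eq "Group.Unified"
if (-not $setting) {
    New-MgGroupSetting -BodyParameter $body
} else {
    Update-MgGroupSetting -GroupSettingId $setting.Id -BodyParameter $body
}

# Verify the result: both values should now read back as set above
(Get-MgGroupSetting | Where-Object DisplayName -eq "Group.Unified").Values |
    Where-Object { $_.Name -in "EnableGroupCreation","GroupCreationAllowedGroupId" }
```

Once this is in place, everyone outside the allowed group is pushed to whatever request process you build (a form, a flow, or a provisioning tool), which is what makes the "post-creation ask" and directory experiences above enforceable rather than optional.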
Creating a retention policy
Creating a retention policy for all data can help delete unnecessary data. Of course, you’ll need to define criteria so that valuable data isn’t accidentally deleted. However, note that this method won’t delete an inactive site, since the site can be part of a Microsoft 365 group.
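As an added example (not from this page or from ShareGate), here is how such a retention policy looks in Security & Compliance PowerShell: content in SharePoint, OneDrive, and Microsoft 365 group locations that has not been modified for three years is deleted. The policy name and the 1095-day threshold are assumptions; adjust them to your own criteria. The policy is created disabled so its scope can be reviewed first, and, as noted above, it removes content, not the inactive sites themselves.

```powershell
# Added example: a deletion-only retention policy for stale collaboration content.
# Security & Compliance PowerShell ships in the ExchangeOnlineManagement module.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = "Delete stale collaboration content"   # assumption: name is free in the tenant

# Create the policy disabled so the locations can be checked before anything is deleted
New-RetentionCompliancePolicy -Name $policyName `
    -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All `
    -Enabled $false

# The rule carries the criteria: 1095 days since last modification, then delete.
# ModificationAgeInDays (not CreationAgeInDays) keeps old files that are still being edited.
New-RetentionComplianceRule -Name "$policyName - rule" -Policy $policyName `
    -RetentionDuration 1095 -ExpirationDateOption ModificationAgeInDays `
    -RetentionComplianceAction Delete

# Review what the policy covers, then enable it
Get-RetentionCompliancePolicy -Identity $policyName -DistributionDetail |
    Format-List Name, Enabled, SharePointLocation, OneDriveLocation, ModernGroupLocation
Set-RetentionCompliancePolicy -Identity $policyName -Enabled $true
```

Because the rule is delete-only, anything under a separate "keep" policy or an eDiscovery hold wins over it; that precedence is what lets you pair an aggressive cleanup rule with narrower retention for records that must stay.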
Convert team sites to channels
In case of sprawl showing up in the form of inactive team sites, you can convert them into channels to reduce the amount of clutter in Microsoft Teams. However, there’s no automated way to do this, so it must be done manually.
Method 2 – Common security risks and compliance: Use PowerShell and Power Automate to manage your self-serve environment
Rather than doing everything manually with OOTB features, PowerShell and Power Automate provide better capabilities for sprawl and risk management.
You can also harness the power of these PowerShell script examples to help you automate Microsoft admin tasks to foster productivity within your organization.
Here are some PowerShell script examples for sprawl and risk management:
1. Audit external user activity
Keeping a list of external user activity is a great way to manage information security in Microsoft 365. Here’s how to tackle this using PowerShell and Power Automate:
Using PowerShell:
The following PowerShell script retrieves a list of all guest (external) users and records their last sign-in time and licenses in a CSV file. The CSV file can then be used to keep track of external user activity and information security risks. Here’s the script:
# Connect to Microsoft Graph. Reading signInActivity requires AuditLog.Read.All and a
# Microsoft Entra ID P1/P2 license in the tenant.
Connect-MgGraph -Scopes "User.Read.All","AuditLog.Read.All"

# Retrieve all users with the properties we need, then keep only guests
$externalUsers = Get-MgUser -All -Property UserPrincipalName,UserType,SignInActivity,AssignedLicenses |
    Where-Object { $_.UserType -eq "Guest" }

# Create a variable to store the results
$results = @()

# Loop through each external user
foreach ($externalUser in $externalUsers) {
    # The last interactive sign-in ($null if the guest has never signed in)
    $lastLoginTime = $externalUser.SignInActivity.LastSignInDateTime

    # Licenses come back as objects; flatten the SKU ids so they survive the CSV export
    $licenses = ($externalUser.AssignedLicenses | ForEach-Object { $_.SkuId }) -join ";"

    # Add the user's information to the results variable
    $results += [PSCustomObject]@{
        UserPrincipalName = $externalUser.UserPrincipalName
        LastLoginTime     = $lastLoginTime
        Licenses          = $licenses
    }
}

# Export the results to a CSV file
$results | Select-Object UserPrincipalName, LastLoginTime, Licenses |
    Export-Csv -Path "C:\ExternalUserActivity.csv" -NoTypeInformation
Using Power Automate:
All audit logs are available in Microsoft Purview. To track external user activities, create a workflow that collects audit logs and stores them in a repository such as a SharePoint list. The workflow can include details about specific activities that should trigger an alert and notify you.
Discover how to easily and securely implement governance policies through these 6 Power Automate examples, equipping your organization with streamlined processes and enhanced data security.
2. Check for non-compliant devices
Devices that are violating your organization’s compliance and governance frameworks can be cybersecurity risks. Here’s how to tackle these with PowerShell and Power Automate:
Using PowerShell:
Note that you’ll need to install the Exchange Online Management module for this to work. Once you run the script, it checks every mobile device registered with Exchange Online using the ‘IsCompliant’ property, which Intune populates for managed devices. Here’s the script:
# Import the Exchange Online module (Install-Module ExchangeOnlineManagement if it is missing)
Import-Module ExchangeOnlineManagement

# Connect to Exchange Online. The interactive prompt uses modern authentication and works
# with MFA; passing a Get-Credential object fails for MFA-enabled accounts.
Connect-ExchangeOnline

# Get a list of all devices (the default result size is capped at 1000)
$Devices = Get-MobileDevice -ResultSize Unlimited

# Check each device for compliance. IsCompliant is $null for devices that are not managed by
# Intune, and $null -eq $False is false, so unmanaged devices are reported as unknown, not compliant.
$NonCompliantDevices = @()
foreach ($Device in $Devices) {
    if ($Device.IsCompliant -eq $False) {
        $NonCompliantDevices += $Device
    }
}

# Output the list of non-compliant devices
if ($NonCompliantDevices.Count -gt 0) {
    Write-Host "The following devices are non-compliant:"
    $NonCompliantDevices |
        Select-Object UserDisplayName, FriendlyName, DeviceModel, DeviceOS, IsCompliant |
        Format-Table
} else {
    Write-Host "All devices are compliant."
}

Disconnect-ExchangeOnline -Confirm:$false
Using Power Automate:
Device compliance policies in Microsoft Intune provide a way to check for non-compliant devices in Microsoft 365. Set up a Power Automate workflow that checks each user’s device compliance status through Microsoft Intune and sends an alert when a specific condition is met. For example, if a user is using a jailbroken device, you can set up a workflow that detects and blocks such devices and lets you know which user broke the compliance requirements.
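The same check can be run from PowerShell against Intune through Microsoft Graph. This is an added example, not code from this page or from ShareGate: it lists devices that are either non-compliant or reported as jailbroken, whether or not a compliance policy already flags jailbreak, and mails the list to an alert mailbox. The `$alertTo` address is a placeholder, and sending the mail assumes the signed-in account has the Mail.Send permission.

```powershell
# Added example: flag non-compliant and jailbroken Intune devices via Microsoft Graph.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All","Mail.Send"

function Get-RiskyManagedDevice {
    # Pull every managed device and filter client-side, so a jailbroken device shows up
    # even when no compliance policy marks jailbreak as non-compliant.
    # JailBroken is a string ("True", "False" or "Unknown"), not a boolean.
    Get-MgDeviceManagementManagedDevice -All |
        Where-Object { $_.ComplianceState -ne "compliant" -or $_.JailBroken -eq "True" } |
        ForEach-Object {
            [PSCustomObject]@{
                User            = $_.UserPrincipalName
                Device          = $_.DeviceName
                OS              = "$($_.OperatingSystem) $($_.OsVersion)"
                ComplianceState = $_.ComplianceState
                JailBroken      = ($_.JailBroken -eq "True")
                LastSync        = $_.LastSyncDateTime
            }
        }
}

$risky = @(Get-RiskyManagedDevice)

# Jailbroken devices are the highest-priority subset, so surface them first
$risky | Sort-Object JailBroken -Descending | Format-Table -AutoSize

# Alert only when there is something to report. $alertTo is a placeholder mailbox.
$alertTo = "secops@contoso.example"
if ($risky.Count -gt 0) {
    $csv = ($risky | ConvertTo-Csv -NoTypeInformation) -join "`n"
    Send-MgUserMail -UserId $alertTo -BodyParameter @{
        message = @{
            subject      = "Intune: $($risky.Count) risky device(s) found"
            body         = @{ contentType = "Text"; content = $csv }
            toRecipients = @(@{ emailAddress = @{ address = $alertTo } })
        }
    }
}
```

Blocking the device itself is best left to a Conditional Access policy that requires a compliant device; this script is the detection and notification half, and it also catches the gap where a device is jailbroken but still counted as compliant because no policy evaluates that state.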
3. Monitoring Microsoft 365 data transfers
PowerShell and Power Automate allow you to monitor data transfer for sensitive information in an automated manner. Here’s how it works:
Using PowerShell:
The following script pulls the events that move data out of the tenant (file downloads, full sync downloads, and sharing changes) from the unified audit log and stores them in a CSV file. The CSV file can then be reviewed to make sure no unexpected data transfers are happening. Here’s the script:
# The unified audit log is queried through the Exchange Online module; the MSOnline
# module has no cmdlet for data transfers.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Look back seven days for the operations that move data out of the tenant
$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$operations = "FileDownloaded","FileSyncDownloadedFull","SharingSet","AnonymousLinkCreated"

# Retrieve the matching audit records (5000 is the per-call maximum; page with
# -SessionCommand ReturnLargeSet for busier tenants)
$dataTransfers = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -Operations $operations -ResultSize 5000

# Create a variable to store the results
$results = @()

# Loop through each record; the details are JSON in the AuditData property
foreach ($dataTransfer in $dataTransfers) {
    $details = $dataTransfer.AuditData | ConvertFrom-Json

    # Add the transfer's information to the results variable
    $results += [PSCustomObject]@{
        Time      = $dataTransfer.CreationDate
        User      = $dataTransfer.UserIds
        Operation = $dataTransfer.Operations
        File      = $details.SourceFileName
        Site      = $details.SiteUrl
        ClientIP  = $details.ClientIP
    }
}

# Export the results to a CSV file
$results | Export-Csv -Path "C:\DataTransfers.csv" -NoTypeInformation
Disconnect-ExchangeOnline -Confirm:$false
Using Power Automate:
Auditing and reporting features in Microsoft 365 allow you to set data governance policies to check data compliance requirements. You can set up a workflow that checks the data transfer size and type and notifies you if a certain condition is triggered.
Finding inactive teams
Inactive teams can add to sprawl in your Microsoft 365 environment. Here’s how to tackle this:
Using PowerShell:
You can generate an activity report in PowerShell to locate inactive teams. The script checks whether any activity in the SharePoint site or any conversation in the group mailbox has occurred in the past 90 days. You can access it on GitHub here. Once you run the script, it’ll output information such as the number of groups scanned, the number of potentially obsolete groups, the number of Teams-enabled groups, and the percentage of Teams-enabled groups.
Of course, once you have this information, you’ll have to reach out to the team owners to discover whether their team is still needed. If it is, then you might want to find out why it was considered inactive. If it’s not needed, then you’ll have to manually archive or delete the team. This whole process can be incredibly time-consuming.
Using Power Automate:
The Microsoft Teams usage report helps monitor activity in teams. You can use it to create a Power Automate workflow that triggers if a group has been inactive for a certain number of days. Start by creating a data source such as a SharePoint list to store the information, collect data using the Microsoft Teams activity report, set a condition that compares the last activity date with the current date, and finally notify yourself if the number of days exceeds a certain threshold.
Again, getting the information is just the first step; deciding what to do with it isn’t something Power Automate can help you with.
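The threshold logic described above, as an added PowerShell example rather than a flow (this is not code from the page or from ShareGate): it downloads the Teams activity detail report through Microsoft Graph and lists every team whose last activity is older than the threshold, or that had no activity at all in the period. The report's column names ("Team Name", "Team Id", "Last Activity Date", "Is Deleted") are those of the current report schema; check them against the CSV header, and note that if your tenant's report privacy setting conceals names, only "Team Id" is usable.

```powershell
# Added example: find inactive teams from the Teams activity detail report.
Connect-MgGraph -Scopes "Reports.Read.All"

# The report cmdlet streams a CSV; write it to a temp file and parse it
$reportPath = Join-Path $env:TEMP "teams-activity.csv"
Get-MgReportTeamActivityDetail -Period D90 -OutFile $reportPath

function Get-InactiveTeam {
    param(
        [Parameter(Mandatory)] [string] $Csv,
        [int] $ThresholdDays = 90            # same 90-day window the page uses
    )
    $today = (Get-Date).Date
    Import-Csv $Csv |
        Where-Object { $_.'Is Deleted' -ne 'True' } |
        ForEach-Object {
            # An empty "Last Activity Date" means nothing happened in the whole period
            $last = $_.'Last Activity Date'
            $idle = if ([string]::IsNullOrWhiteSpace($last)) { $null }
                    else { ($today - [datetime]$last).Days }
            [PSCustomObject]@{
                TeamName     = $_.'Team Name'
                TeamId       = $_.'Team Id'
                LastActivity = $last
                IdleDays     = $idle
            }
        } |
        Where-Object { $null -eq $_.IdleDays -or $_.IdleDays -gt $ThresholdDays }
}

$inactive = Get-InactiveTeam -Csv $reportPath -ThresholdDays 90
$inactive | Sort-Object IdleDays -Descending | Format-Table -AutoSize

# The next step is a human one: ask the owners (Get-MgGroupOwner -GroupId <TeamId>)
# whether each team should be kept, archived, or deleted.
```

Treating "no activity in the period" as inactive rather than skipping those rows matters: those are exactly the abandoned teams a naive date comparison would miss, because there is no date to compare.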
Limitations
While PowerShell and Power Automate are less time-consuming than using Microsoft’s OOTB tools, there are certain limitations involved. These include:
- Time and maintenance: There’s still manual effort and time required to write the scripts and create the systems in PowerShell and Power Automate. More importantly, you’ll have to rewrite and adjust the scripts and systems when there’s a Microsoft 365 update or change in your environment.
- Learning curve and skilled resources: While PowerShell and Power Automate do help with risk management, there’s a learning curve involved. Not all IT admins have the required skills to manage security and sprawl through this method. So, either you’ll have to train current IT team members to get up to speed on how this works or specifically hire people with these skills.
Method 3 – Supercharge security and governance by automating your Microsoft 365 self-service environment using ShareGate
Our final method takes away the manual labor of creating complicated governance structures using OOTB features or PowerShell scripts and Power Automate flows.
By using ShareGate, IT teams can automate the manual effort of managing and monitoring sprawl and security in a self-service-enabled environment. There’s a simple, easy-to-use interface that takes care of threat protection and sprawl-related issues for you. Here are the risk management features that make it easy for your team:
Manage risk: External sharing and guest access
The external sharing and guest access automations cover limitations in Microsoft 365’s OOTB features by providing capabilities for customizing security settings and policies for each team. IT managers can track everything that’s being shared externally and schedule periodic governance and compliance reviews to enable insider risk management.
The best part is that you can schedule reminders for your end users to review external sharing links and guest access in their teams, since they’re the ones who actually know whether they should be kept or removed.
So these features save your IT team time by automating the process of finding these security risks and by enlisting the people who actually know what to do to make decisions about them.
Inactive and orphaned teams detection for sprawl
ShareGate does a crawl of your Microsoft 365 environment to find inactive and orphaned teams that are adding to sprawl. This takes away the trouble of using built-in Microsoft 365 features such as teams usage reports that don’t paint a full picture of unnecessary content or PowerShell scripts that need to be maintained.
And, again, you can set up ShareGate to ask end users whether these teams should be kept, archived, or deleted, since they’re the ones who know best. ShareGate’s customer data shows that on average, 70% of inactive teams are resolved by end users, not IT.
Provisioning capabilities
ShareGate provisioning capabilities allow you to ensure end users are following your governance policies from the get-go. By empowering them to create the workspaces they need with your guardrails in place, you can avoid sprawl and security problems.
ShareGate’s custom provisioning templates make it easy for end users to collaborate. The best part is, they don’t even need a ShareGate account or license!
Bulk permissions management
Our centralized permissions management features help IT teams tackle cybersecurity risks by getting a bird’s eye view of who has access to what throughout your tenant. With these insider risk management features, ShareGate users can categorize sensitive data and apply permission changes in bulk.
Get visibility with a user-friendly dashboard and straightforward reporting
You can’t manage what you can’t see. Having visibility into your environment will help you ensure that your environment is running smoothly, or it can help you discover any gaps that might exist in your policies.
ShareGate gives you instant visibility into the teams, groups, and sites in your Microsoft 365 environment, as well as their owners, members, purpose, externally shared links and guest users, and sensitivity.
You can drill down to get more information, but this bird’s eye view is a quick and easy way for your IT team to be sure that your environment is in good shape.
For even more details, you can create custom or pre-built reports based on Microsoft best practices. This way, you can centralize all of your Microsoft Teams and SharePoint information in one place instead of jumping from one admin center to another.
MVP tips: Manage the creation process of Microsoft 365 content
In this short clip from his ShareGate webinar, Microsoft MVP Vlad Catrinescu (@vladcatrinescu) gives useful tips about how to train end users—and when they start creating, how to check if they’re doing it right. Check it out:
Information security can be easy with self-serve
The hassle of managing everything yourself won’t work for organizations that need to scale and are constantly adding new end users. With self-service, IT managers don’t have to go back and forth and constantly manage end users, and end users have the freedom to collaborate without unnecessary barriers. It’s a win-win situation.
But to do this, the right tools need to be in place so that sprawl and security risks can be managed. Microsoft’s OOTB features are limited and time-consuming. PowerShell scripts and Power Automate flows still require some manual labor and a certain skill level that not all IT admins have.
Luckily, ShareGate helps your IT team get visibility into your environment, monitor what happens within it, automate time-consuming tasks, and ensure you keep sprawl and security under control.
Advanced capabilities for Microsoft 365 management enable IT managers to get all the benefits of self-service without the risks of security and sprawl. Talk to an expert to learn how ShareGate can help you stay on top of your self-service-enabled environment without the headache!