Microsoft 365 tenant hygiene best practices

Empty groups, stale Teams, and inactive accounts do not usually cause immediate incidents. They inflate search results, confuse access reviews, and make license reclamation harder. The longer you wait, the more political it becomes to remove "someone might need this."

Microsoft 365 groups multiply quickly — project teams, distribution lists, Planner boards, and SharePoint sites all leave artifacts.

• Groups with zero members or only the creator
• Teams with no activity in 12+ months still open to all members
• Dynamic groups with rules that no longer match intent
• Mail-enabled security groups used once for a migration

Distinguish hygiene from security: an inactive enabled account is both a license cost and an identity risk.

• Users enabled but inactive beyond your retention threshold
• Accounts without a manager attribute in large departments
• Duplicate or test accounts in production directories
• Former contractors whose access was partially removed

Intune and Entra device records drift when hardware is retired informally.

• Duplicate device records for the same physical machine
• Unmanaged devices with stale primary user assignments
• Devices not checked in for 180+ days still marked compliant

Tenant-level sharing settings set during onboarding often never get revisited as the organization matures.

• SharePoint default sharing more permissive than policy
• Anyone links enabled on sites with sensitive content
• Guest access settings inconsistent across teams and sites

Run hygiene passes in small batches — one department or one group type per sprint. Archive before delete where possible, and publish simple criteria ("no sign-in 180 days, manager approved") so removals are predictable.

Tenant Hawk highlights hygiene findings alongside security and cost so cleanup priorities stay visible in one dashboard.