How to find ownerless Microsoft Teams – Part 2

In my first blog post about how to manage ownerless Microsoft Teams, I wrote about the standard tools by Microsoft. In this blog post, I will show you how to use the Microsoft Graph API in combination with SharePoint Online and Microsoft Flow to find ownerless M365 groups and to stay informed about ownerless teams or Microsoft 365 groups.

I will use the Graph API to get a report about the existing Microsoft Teams. This dataset is filtered on ownerless teams and is written to a SharePoint list. When stored in the SharePoint list, you can extend the solution by triggering a Microsoft Flow to notify the service desk, for example.


Required tenant setting

The solution is based on the usage reporting data from Microsoft. Therefore, we need to check an org-wide setting in our tenant before we can continue.

Please open the Microsoft Admin center and go to

Settings -> Org settings -> Services -> Reports

Please check whether the option is active, meaning that Microsoft conceals user, group and site names in all usage data reports.

[Screenshot: Setting about displaying concealed username and group name in usage reports]

If so, please discuss with your security and HR teams whether you can disable it. Otherwise, you can stop reading here: we need some basic information, such as the group name or username, to find ownerless Microsoft Teams, or rather to act on the results.

When this feature is active (and this will be the case), Microsoft hides user-related information in usage reports. The reported data contains just alpha-numeric strings instead of the display name of a user or an M365 group.

You can read more details at the end of this post.


Create the required SharePoint Online list

First, we need a place to store our reported ownerless Microsoft 365 groups and teams. I have decided to use a generic list in Microsoft SharePoint Online.

It’s easy to implement and most of you will already use SharePoint Online. It is also easy to extend the solution, for example with a Power BI dashboard.

This means the first task on our list: create a list in SharePoint Online.

The SharePoint list will consist of the following columns:

| Name | Type |
| --- | --- |
| Report Refresh Date | Date & Time |
| Group ID | Single line of text |
| Group Display Name | Single line of text |
| Group Type | Single line of text |
| Is Deleted | Single line of text |
| Member Count | Single line of text |
| External Member Count | Single line of text |
| Last Activity Date | Date & Time |

You can set the column Report Date to date only and its display type to friendly, so it is easier for you to read. All other columns can be created with default settings.

Next, I recommend customizing the list view to group the list items by report date.

To make it easier to deploy the solution, I’ve prepared a short PowerShell script to create the SharePoint list. You can find it here in my GitHub repository. Just customize the tenant URL, list name and list display name to your needs.


Prepare the required permissions in your Azure AD

As I said at the beginning of this post, the script will use the Graph API to gather information about your Microsoft Teams or Microsoft 365 groups. To do this, we first need to register an app in our Azure AD and give it the appropriate permissions.

As I will use this app registration for several automation tasks around Microsoft Teams, I name it MSTeams_Automation. The app runs only in my tenant and doesn’t need cross-tenant permissions.

[Screenshot: Register a new app in the Azure AD portal]
[Screenshot: Grant Reports.Read.All Graph API permissions to the new app]

When the app is created, we can assign the Graph API permissions to it so that it is able to read report data of our Microsoft 365 tenant. The assigned permissions need admin consent. You will need Global Administrator rights to accomplish this job.

[Screenshot: Grant admin consent for the new Graph API permissions]
[Screenshot: Check Graph API permissions]

In the final step, I will create an app secret and store it safely for further usage. Please note that the secret will be shown only once. If you don’t store it in your password safe or elsewhere and lose it, you need to create a new one and change it in your applications.

[Screenshot: Create a client secret for the app]
[Screenshot: Gather the client secret]

Gather a report about Microsoft 365 groups and filter for ownerless Teams

My PowerShell script gathers all Microsoft 365 group usage activities and filters them for ownerless groups. Only the ownerless groups will be written to the Microsoft SharePoint Online list created earlier.

The script uses the Graph API endpoint to get an M365 group activity report collection. The Graph API creates a CSV file with the following information:

  • Report Refresh Date
  • Group Display Name
  • Is Deleted
  • Owner Principal Name
  • Last Activity Date
  • Group Type
  • Member Count
  • External Member Count
  • Exchange Received Email Count
  • SharePoint Active File Count
  • Yammer Posted Message Count
  • Yammer Read Message Count
  • Yammer Liked Message Count
  • Exchange Mailbox Total Item Count
  • Exchange Mailbox Storage Used (Byte)
  • SharePoint Total File Count
  • SharePoint Site Storage Used (Byte)
  • Group Id
  • Report Period

My script imports the CSV data file and finds ownerless Microsoft Teams in this dataset. When an owner for an M365 group is missing, the script adds an entry to our SharePoint Online list with the following information:

  • Report Refresh Date
  • Group Display Name
  • Last Activity Date
  • Group type
  • Member count
  • Guest Member Count
  • GroupId
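
The report download and the ownerless filter described above can be sketched as follows. This is an added example, not the script from the GitHub repository; the function names and the GRAPH_* environment variable names are assumptions, and the sample CSV is constructed so the filter can be tried without a tenant.

```powershell
# Added example, not the author's script. Function and environment variable names are assumptions.
function Get-GroupActivityCsv {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret, [string]$Period = 'D7')
    # Client-credentials flow for the app registration (application permission Reports.Read.All)
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body @{
            client_id     = $ClientId
            client_secret = $ClientSecret
            scope         = 'https://graph.microsoft.com/.default'
            grant_type    = 'client_credentials'
        }
    # Graph redirects to a short-lived download URL; the response body is the CSV text
    Invoke-RestMethod -Uri "https://graph.microsoft.com/v1.0/reports/getOffice365GroupsActivityDetail(period='$Period')" `
        -Headers @{ Authorization = "Bearer $($token.access_token)" }
}

function Get-OwnerlessGroup {
    param([Parameter(Mandatory)][string]$CsvText)
    # Drop a byte-order mark (also in its mis-decoded form) so the first column name stays intact
    $rows = $CsvText.TrimStart([char[]]@(0xFEFF, 0xEF, 0xBB, 0xBF)) | ConvertFrom-Csv
    # Heuristic: a real owner value is a UPN and contains '@'; a concealed one is an opaque string
    if ($rows | Where-Object { $_.'Owner Principal Name' -and $_.'Owner Principal Name' -notmatch '@' }) {
        Write-Warning 'Names look concealed; check Settings -> Org settings -> Services -> Reports.'
    }
    # Keep only rows without an owner, reduced to the columns of the SharePoint list
    $rows | Where-Object { [string]::IsNullOrWhiteSpace($_.'Owner Principal Name') } |
        Select-Object 'Report Refresh Date', 'Group Id', 'Group Display Name', 'Group Type',
                      'Is Deleted', 'Member Count', 'External Member Count', 'Last Activity Date'
}

# Constructed sample (not real tenant data), reduced to the columns the filter needs
$sample = @'
Report Refresh Date,Group Display Name,Is Deleted,Owner Principal Name,Last Activity Date,Group Type,Member Count,External Member Count,Group Id
2022-01-10,Project Alpha,False,anna@contoso.example,2022-01-08,Private,12,0,00000000-0000-0000-0000-000000000001
2022-01-10,Old Marketing,False,,2021-06-30,Public,4,1,00000000-0000-0000-0000-000000000002
'@

if ($env:GRAPH_TENANT_ID -and $env:GRAPH_CLIENT_ID -and $env:GRAPH_CLIENT_SECRET) {
    # The secret comes from the environment instead of being written into the script file
    $csv = Get-GroupActivityCsv -TenantId $env:GRAPH_TENANT_ID -ClientId $env:GRAPH_CLIENT_ID -ClientSecret $env:GRAPH_CLIENT_SECRET
} else {
    $csv = $sample   # offline run against the constructed sample
}
Get-OwnerlessGroup -CsvText $csv | Format-Table -AutoSize
```

Run against the constructed sample, only the "Old Marketing" row is returned. The returned objects carry the same columns as the SharePoint list, so they can be handed to whatever step writes the list items.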


Create a Microsoft Flow to notify someone

Now we have a SharePoint list with ownerless Microsoft Teams and can work with this content. For example, you can create a Microsoft Flow to send a notification when a new item is added to the SharePoint list.


Good to know

The list includes just alpha-numeric strings instead of display names for users and M365 groups – what’s that?

It is possible that a policy is enabled in your tenant to conceal the following attributes in Microsoft 365 reports:

  • Group Display Name
  • Owner Principal Name

Microsoft introduced this policy on the 1st of September 2021, and it leads to alpha-numeric strings instead of display names. This is an ongoing process to support companies in complying with their local laws and to protect the data of everyone in our tenant.

For further reading and how to disable this policy I’ve linked the official Microsoft docs article at the end of this post.

Of course, our solution to detect ownerless teams needs the display name of the related Microsoft 365 group. Therefore, I found another way to get the needed information and will write a post about it shortly. For the moment, you need to disable this setting in the M365 Admin Center to get the full Teams display name.

When does Microsoft update the usage report?

Microsoft updates the usage report data once a week on Monday. That’s why I recommend running the script once a month.

I found some Teams without an owner, but the usage report doesn’t recognize it!

It looks like the usage report still lists an owner even when the user object has been deleted in Azure Active Directory. This is related to the Azure AD user recycle bin: the user object still exists even though it is deleted. Therefore, the user is still listed in the usage report as the owner of a Microsoft 365 group.

Only when the user object has also been deleted from the recycle bin will the team be displayed in the report without an owner.


Microsoft 365 group activity report – Root GraphAPI

M365 group activity report – Get group details

Microsoft 365 reports show anonymous usernames instead of actual usernames

GitHub Repository – How-to-find-ownerless-Microsoft-Teams
