
M365 Group Cleanup Before Copilot: Kill the Zombie Teams

E2E Agentic Bridge·March 2, 2026


Every Microsoft 365 tenant has them. Abandoned Teams channels created for a project that ended two years ago. Distribution groups from a reorganization that never got deleted. M365 Groups with 200 members that nobody remembers creating.

They're harmless, right? Just digital clutter.

Not anymore. Microsoft Copilot changed the equation. When you deploy Copilot, every M365 Group becomes a data access boundary — or more accurately, a data access hole. Copilot indexes content across your entire tenant, and those zombie groups with their forgotten files, stale conversations, and outdated permissions are now active liabilities.

Here's how to find them and kill them before Copilot turns your organizational debt into a data breach.

Why Zombie Groups Matter Now

Before Copilot, abandoned M365 Groups were an annoyance. IT admins knew they existed but had bigger fires to fight. The files sat there, the Teams channels gathered dust, and nobody cared.

Copilot cares. According to Microsoft's own documentation on Copilot data access, Copilot respects existing permissions — it can access anything the user can access. If a user is still a member of that zombie Team from 2021, Copilot can surface every file, every conversation, every shared document from that group in response to a prompt.

The problem compounds because M365 Group membership tends to be additive. People get added to groups and rarely removed. The average enterprise user has access to over 20,000 files they've never opened. Copilot turns that latent access into active discovery.

Think about what lives in those abandoned channels:

  • Draft strategy documents that never got finalized
  • Salary discussions from a hiring process
  • Vendor negotiations with pricing details
  • Internal debates about product decisions
  • Customer complaints shared for context

All of it is now Copilot-searchable for every member who was never removed.

Step 1: Find Your Zombie Groups

The first step is identifying which groups are actually dead. Microsoft provides several signals through the Microsoft 365 Admin Center and Microsoft Entra ID.

Use the Microsoft 365 Admin Center Reports

Navigate to Reports > Usage > Microsoft 365 Groups activity. This report shows the last activity date for each group across Exchange, SharePoint, Yammer, and Teams. Any group with no activity in 180+ days is a candidate for review.

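For a more programmatic approach, pull the same groups activity report through the Microsoft Graph PowerShell SDK:

# Requires the Microsoft.Graph.Reports module and the Reports.Read.All scope
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "Reports.Read.All"

$cutoffDate = (Get-Date).AddDays(-180)
$reportPath = Join-Path ([System.IO.Path]::GetTempPath()) "m365-group-activity.csv"

# The groups activity report is delivered as one CSV for the whole tenant,
# so download it once instead of querying a report for every group
Get-MgReportOffice365GroupActivityDetail -Period "D180" -OutFile $reportPath

Import-Csv $reportPath |
    Where-Object { $_.'Is Deleted' -ne 'True' } |
    Where-Object {
        # An empty "Last Activity Date" means no activity was recorded at all
        -not $_.'Last Activity Date' -or
        [datetime]$_.'Last Activity Date' -lt $cutoffDate
    } |
    ForEach-Object {
        [PSCustomObject]@{
            DisplayName  = $_.'Group Display Name'
            Id           = $_.'Group Id'
            LastActivity = $_.'Last Activity Date'
            MemberCount  = $_.'Member Count'
        }
    }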

Check SharePoint Site Activity

Every M365 Group gets a SharePoint site. The SharePoint Admin Center shows site activity metrics. Sort by "Last activity" and you'll quickly see which group sites haven't been touched in months or years.

Review Teams Activity

In the Teams Admin Center under Analytics & Reports > Usage reports, the Teams usage report shows which teams have active users. Cross-reference this with your M365 Groups list to find Teams that exist as groups but have zero active conversations.

Step 2: Classify Before You Delete

Don't just mass-delete everything that looks inactive. Some groups are inactive for legitimate reasons — annual review committees, seasonal project teams, or reference archives. Classify your zombie groups into categories:

Category 1: True Zombies — No activity in 12+ months, no upcoming business reason to exist, content is either duplicated elsewhere or no longer relevant. These get deleted.

Category 2: Archive Candidates — Inactive but contain content that might have retention value. These get archived — remove from Copilot's index while preserving the data.

Category 3: Permission Cleanup — The group serves a purpose but has accumulated members who shouldn't be there. These get a membership audit.

Category 4: Keep — Recently inactive but has a business justification. Document why and set a review date.

Step 3: Remove Groups from Copilot's Reach

For groups you want to archive rather than delete, you have several options to remove them from Copilot's indexing scope.

Use SharePoint Advanced Management

SharePoint Advanced Management (SAM), included with Microsoft 365 E5 or as an add-on, provides Restricted Access Control for SharePoint sites. This lets you restrict site access to specific users or security groups, effectively removing the content from Copilot's reach for everyone else.

Apply Sensitivity Labels

Microsoft Purview sensitivity labels can exclude content from Copilot processing. Apply a sensitivity label configured to prevent Copilot access to the group's SharePoint site and associated content. This is the Microsoft-recommended approach for keeping content accessible to authorized users while excluding it from AI summarization. For a detailed walkthrough, see our guide on sensitivity labels for Copilot.

Set the Group to Private

If a group is currently public (org-wide access), switching it to private immediately reduces Copilot's ability to surface its content. Only explicit members will have Copilot access to the group's files and conversations.

Step 4: Clean Up Membership on Active Groups

For groups that survive the audit, clean up their membership. Over-permissioned groups are the number one vector for Copilot data exposure.

Run a membership review using Microsoft Entra ID Access Reviews:

  1. Navigate to Entra ID > Identity Governance > Access Reviews
  2. Create a new review targeting M365 Group memberships
  3. Set reviewers to group owners (they know who should be there)
  4. Configure auto-removal for users who don't get re-approved
  5. Set recurrence to quarterly

Access Reviews automate the ongoing cleanup. Without them, you'll be back in the same situation in six months.

Remove Inactive Members

Cross-reference group membership with sign-in activity. Users who haven't signed in for 90+ days and are still members of active groups represent unnecessary Copilot access. Microsoft Entra ID's sign-in logs combined with group membership data give you this picture.
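
One way to run this cross-reference with the Microsoft Graph PowerShell SDK, as an added example rather than code from the original post. The group ID is a placeholder, and reading signInActivity assumes the AuditLog.Read.All scope and Entra ID P1 or P2 licensing.

```powershell
# Added example: flag members of one group who are disabled or have not
# signed in for 90+ days. Assumptions: $groupId is a placeholder, and the
# tenant is licensed for signInActivity (Entra ID P1/P2).
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Users
Connect-MgGraph -Scopes "GroupMember.Read.All", "User.Read.All", "AuditLog.Read.All"

$groupId = "<group-object-id>"                       # placeholder
$cutoff  = (Get-Date).ToUniversalTime().AddDays(-90)

$stale = foreach ($member in Get-MgGroupMember -GroupId $groupId -All) {
    # Members can also be devices, service principals or other groups; skip those
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

    $user = Get-MgUser -UserId $member.Id `
        -Property "id,userPrincipalName,accountEnabled,signInActivity"
    $lastSignIn = $user.SignInActivity.LastSignInDateTime

    # A null timestamp means no sign-in has been recorded for the account
    $reason = $null
    if (-not $user.AccountEnabled)  { $reason = 'Disabled account' }
    elseif (-not $lastSignIn)       { $reason = 'No sign-in recorded' }
    elseif ($lastSignIn -lt $cutoff) { $reason = 'Inactive 90+ days' }

    if ($reason) {
        [PSCustomObject]@{
            UserPrincipalName = $user.UserPrincipalName
            AccountEnabled    = $user.AccountEnabled
            LastSignIn        = $lastSignIn
            Reason            = $reason
        }
    }
}

# Read-only report: review it with the group owner before removing anyone
$stale | Sort-Object LastSignIn | Format-Table -AutoSize
```

Disabled accounts are reported separately from inactive ones because they usually indicate a leaver who was never removed from the group.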

Step 5: Implement Group Lifecycle Policies

Cleaning up once isn't enough. You need automated policies to prevent zombie groups from accumulating again.

M365 Group Expiration Policy

Microsoft 365 supports group expiration policies that automatically delete groups after a defined period of inactivity. Configure this in the Entra admin center:

  • Set expiration period (180 or 365 days is common)
  • Owners receive renewal notifications at 30, 15, and 1 day before expiration
  • If nobody renews, the group is soft-deleted (recoverable for 30 days)

This is the single most effective control against zombie groups. Enable it before your Copilot rollout, not after.
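
The same policy can be set from the Microsoft Graph PowerShell SDK. This is an added example, not part of the original post; the 365-day lifetime, the "All" scope and the notification address are assumptions to adjust for your tenant.

```powershell
# Added example: create or update the tenant's group expiration policy.
# Assumptions: 365-day lifetime, every M365 Group in scope, placeholder mailbox.
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Directory.ReadWrite.All"

$settings = @{
    GroupLifetimeInDays         = 365
    # "Selected" limits the policy to groups you add explicitly, useful for a pilot
    ManagedGroupTypes           = "All"
    # Placeholder address; it receives renewal notices for groups with no owner
    AlternateNotificationEmails = "group-governance@example.com"
}

# A tenant can hold only one lifecycle policy, so update it if one exists
$existing = Get-MgGroupLifecyclePolicy | Select-Object -First 1
if ($existing) {
    Update-MgGroupLifecyclePolicy -GroupLifecyclePolicyId $existing.Id @settings
} else {
    New-MgGroupLifecyclePolicy @settings
}

# Confirm what is now in effect
Get-MgGroupLifecyclePolicy |
    Format-List Id, GroupLifetimeInDays, ManagedGroupTypes, AlternateNotificationEmails
```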

Naming Policies and Creation Controls

Restrict who can create M365 Groups. By default, every user can create them — which is why you have hundreds of abandoned ones. Limit group creation to specific roles or require approval through Entra ID group settings.

Implement naming conventions so groups are identifiable by department, project, and purpose. When cleanup time comes, a group named "FY24-Marketing-ProductLaunch" is much easier to evaluate than "Cool Project" or "Test Group 2."

Step 6: Audit Group-Connected Resources

Each M365 Group can have connected resources that expand the data surface:

  • SharePoint site with document libraries
  • Exchange mailbox with shared emails
  • OneNote notebook with meeting notes
  • Planner with task boards
  • Teams channels with chat history and files

When auditing a group, check all connected resources. A group might look inactive in Teams but have recent SharePoint uploads. Or vice versa — the Teams chat is dead but someone is still using the shared mailbox.

Pay special attention to shared mailboxes. Copilot can access email content in shared mailboxes if the user has permissions. Our coverage of Copilot and Exchange email risks explains how email access intersects with Copilot in detail.

The Numbers That Should Scare You

Based on aggregate data from enterprise Copilot deployments, the typical organization has:

  • 30-40% of M365 Groups with no activity in the last 6 months
  • 15-20% of Groups with no activity in over 12 months
  • Average group has 3.2x more members than actively use it
  • 60%+ of groups have at least one member who has left the organization but wasn't removed

If you have 500 M365 Groups (common for a mid-size enterprise), that means roughly 100 zombie groups with overly broad membership that Copilot can now mine for data. Each one is a permission boundary that nobody is maintaining.

The Cleanup Checklist

Before enabling Copilot for any user group, complete this M365 Group hygiene checklist:

  1. Export full group inventory — names, owners, member counts, last activity dates
  2. Identify zombies — no activity in 180+ days
  3. Classify each zombie — delete, archive, clean up, or keep
  4. Delete true zombies — soft-delete first, hard-delete after 30-day review
  5. Archive valuable inactives — apply sensitivity labels or restricted access
  6. Audit membership on active groups — remove users who don't belong
  7. Enable group expiration policy — 365 days maximum
  8. Restrict group creation — limit to approved roles
  9. Schedule quarterly access reviews — automate with Entra ID
  10. Document everything — your future self will thank you

This isn't optional. Every zombie group you leave in place is a Copilot data exposure vector that you're choosing to accept.

Building Ongoing Group Governance

Group cleanup is a prerequisite for Copilot, but governance is how you keep it clean. Build a group governance framework that includes:

  • Ownership requirements — every group must have at least two active owners
  • Purpose documentation — groups must have a description explaining their business purpose
  • Regular attestation — owners confirm quarterly that the group is still needed
  • Automated alerts — notify IT when groups lose all owners or go inactive
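
The ownership and purpose-documentation requirements can be checked with a script like the following. It is an added example, not code from the original post; the output file name is an assumption, and "active owner" is taken here to mean an owner whose user account is enabled.

```powershell
# Added example: report M365 Groups with fewer than two active owners
# or no description. "Active" is assumed to mean an enabled user account.
Import-Module Microsoft.Graph.Groups, Microsoft.Graph.Users
Connect-MgGraph -Scopes "Group.Read.All", "User.Read.All"

# Only Microsoft 365 (Unified) groups, not security or distribution groups
$groups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" `
    -Property "id,displayName,description,visibility"

$findings = foreach ($group in $groups) {
    # Keep only owners that are user objects with an enabled account
    $activeOwners = @(Get-MgGroupOwner -GroupId $group.Id -All | Where-Object {
        $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' -and
        (Get-MgUser -UserId $_.Id -Property "accountEnabled").AccountEnabled
    })

    $issues = @()
    if ($activeOwners.Count -eq 0) {
        $issues += 'No active owner'
    } elseif ($activeOwners.Count -lt 2) {
        $issues += 'Fewer than two active owners'
    }
    if ([string]::IsNullOrWhiteSpace($group.Description)) {
        $issues += 'Missing description'
    }

    if ($issues) {
        [PSCustomObject]@{
            DisplayName  = $group.DisplayName
            Id           = $group.Id
            Visibility   = $group.Visibility
            ActiveOwners = $activeOwners.Count
            Issues       = $issues -join '; '
        }
    }
}

# Ownerless groups sort first; hand the file to whoever runs attestation
$findings | Sort-Object ActiveOwners |
    Export-Csv -Path ./group-governance-findings.csv -NoTypeInformation
```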

For a broader governance approach that covers all aspects of Copilot deployment, including groups, permissions, and data boundaries, check our Copilot governance framework guide.

Microsoft provides the tools. You need to configure and enforce them. The alternative is explaining to your CISO why Copilot surfaced a confidential board presentation from an abandoned Team that 200 people still had access to.

Take Action Now

Don't wait for a data incident to force a cleanup. Run your M365 Group audit today — before Copilot turns your organizational debt into a security event.

Scan your M365 environment now → Our free assessment identifies zombie groups, over-permissioned memberships, and Copilot-specific risks across your tenant in minutes.