Episode Details

Too many admins spend Friday afternoons hunting for outdated users and misconfigured settings. Here’s the kicker—each missed account is a new risk, just waiting to happen. Today, you’ll see how a smart set of PowerShell scripts can automate your tenant governance, lock down compliance, and actually save your weekends.The Hidden Mess: What Admins Miss in Manual ReviewsIf you’ve ever peeked behind the curtain of your Microsoft 365 tenant, you probably know that feeling—like looking at a half-organized junk drawer that keeps collecting random odds and ends. On the surface, everything appears manageable. You’re logging in, scanning user accounts, tweaking a setting here or there. Maybe you’re running that same PowerShell snippet you grabbed off TechNet three years ago. It feels organized enough. But the second you start digging into the details, odd little gaps start cropping up. There’s always a handful of accounts where you’re not sure why they’re enabled, a few security groups with names nobody recognizes, and SharePoint sites that haven’t seen activity since the last re-org.Let’s talk about the myth of “manual governance.” You know the drill—log in, page through the admin center, check the last sign-in dates, maybe send a couple of emails asking managers if these accounts are still in use. The idea is simple but deceptive. You can only look at what’s already on your mind, or what the interface puts in front of you. The really sneaky problems rarely show up in dashboards or notifications. One day you’re convinced you’ve nailed it. The next day, a compliance audit turns up two dozen shadow guest accounts and a stack of unassigned licenses quietly racking up costs.That brings up a scenario I see all the time. Take one admin—let’s call her Claire. Claire does her quarterly review by the book. She combs through every list she can find, checks the Exchange mailboxes, prunes out a few guest users, and thinks she’s done. A month later, an auditor uncovers that nobody offboarded several project contractors from the previous year. Those accounts are still active, assigned critical permissions, and, as a bonus, sitting on a few expensive licenses. Then there are SharePoint links from the last marketing campaign, wide open for external users because nobody set expiration dates on guest sharing.This isn’t unique to Claire, and it’s not about a lack of effort. Most admins do a reasonable job—at least, as far as checklists and spot checks go. But according to Gartner and a handful of other IT studies, up to 30% of Microsoft 365 licenses often sit unused across organizations. Orphaned accounts—in other words, user objects left behind after someone leaves or changes roles—can linger in the system for months. These zombie accounts tend to accumulate more in environments where offboarding is a separate process, HR and IT don’t always talk, and ownership for guest access is a passing conversation, not a tracked workflow.Think about it like cleaning your house. It’s easy to vacuum the living room and wipe the kitchen counters. It looks clean enough when people visit. But if you never open the closets or check under the bed, all sorts of clutter piles up right out of sight. With your tenant, it’s groups and users and sharing links shoved into forgotten corners. Everything looks good—until the day someone on the security team decides to “look closer,” and suddenly you’re spending your weekend closing doors you didn’t even know were open.And here’s the catch: the Microsoft 365 portal and security center make it really simple to feel productive. The interfaces show you the most recent sign-ins, flag obvious alerts, and give you pie charts that look reassuring. But risky settings—like guest sharing with no expiration, app passwords still enabled for accounts with MFA, or directories overflowing with stale teams—hide behind extra menus or need cross-referencing with multiple reports. It’s easy to miss the big picture.Microsoft MVPs who live in this spac