Connectors · Microsoft

Microsoft 365

Rencore monitors Microsoft 365 Groups across 29 governance policies, 24 reports, and 11 inventories, detecting group sprawl, stale memberships, and lifecycle issues automatically.

Digital Workplace AI & Agents Code

Published 16 May 2026 For M365 Product Owner, IT Admin, CISO

Book a demo Start free trial

Rencore Microsoft 365 Groups governance is a set of 29 policies, 24 reports, 10 segments, and 11 inventories that continuously audit M365 groups, users, and memberships. It detects groups without owners, groups with excessive guest membership, inactive groups consuming resources, and naming convention violations, providing the core governance layer that underpins Teams, SharePoint, and Planner workloads.

105 governance capabilities: 11 inventories · 29 policies · 24 reports · 10 segments · 3 automations · 3 provisioning templates

Why govern Microsoft 365 with Rencore

Control group sprawl

Detect groups without owners, groups with no recent activity, and groups created outside approved processes. 29 policies cover every aspect of the group lifecycle from creation to archival.
Manage membership and guests

Find groups with excessive guest members, members who left the organization but retain group access, and distribution lists with stale membership that should be converted or removed.
Enforce naming and classification

Flag groups violating naming conventions, groups missing required sensitivity labels, and groups without proper classification metadata for compliance requirements.
Foundation for M365 governance

Microsoft 365 Groups underpin Teams, SharePoint sites, Planner plans, and shared mailboxes. Group governance is the foundation that all other M365 governance builds on.

What Rencore discovers

Rencore automatically inventories these Microsoft 365 object types.

User

All users registered in your tenant (internal, external)
Group

All Entra ID groups in your Tenant (Security groups, Microsoft 365 groups)
Sensitivity Label

All sensitivity labels configured in your tenant
Subscription

All subscriptions with their licenses available in your tenant
Service Assignment

Details when a service or app has been assigned to the user
Message Center Message

All messages from the Microsoft 365 Message Center
App

All Microsoft 365 apps included in your available subscriptions
User Activity

Details when a Microsoft 365 service has been used the last time by a specific user
Deleted User

All users that have been deleted from your tenant
Deleted Group

All groups that have been deleted from your tenant
Rooms & Equipment

All rooms and equipment configured in your tenant

How Microsoft 365 Groups governance works in Rencore

Rencore connects to Microsoft 365 via Microsoft Graph API and inventories all groups, users, memberships, guest accounts, and group metadata. This is Rencore’s core service connector that provides the identity and group foundation for all other M365 governance policies. 29 policies run on every scan cycle covering sprawl, access, naming, and lifecycle.

The group governance foundation

Every Teams workspace, SharePoint team site, Planner plan, and shared mailbox is backed by a Microsoft 365 Group. Governing groups is governing your entire M365 collaboration layer. Without group governance, sprawl in Teams, SharePoint, and Planner is undetectable.

Who uses Microsoft 365 Groups governance

M365 product owners use it as their primary governance dashboard for the entire tenant. IT administrators track group lifecycle and enforce naming standards. CISOs monitor guest membership and external access patterns across all M365 workloads.

Getting started

Connect your Microsoft 365 tenant. Groups governance activates automatically as the core Rencore connector. All 29 policies run on first scan with no additional configuration.

Policies

29 governance rules that detect violations and risks.

Severity Category

Groups with external owners

Shows groups that have external users as owners

High Security
Disabled user accounts with assigned licenses

Shows disabled user accounts which have any licenses assigned

High Costs
Global administrators without MFA

Shows global administrators that have not activated multi factor authentication

High Security
Administrators without MFA

Shows administrators that have not activated multi factor authentication

High Security
Over-licensed user Accounts

User accounts that have more than one License assigned with overlapping apps.

High Costs
Disabled user accounts

Shows all disabled user accounts

Medium User Offboarding
Groups with disabled user accounts

Shows groups with users (owners and members) that have disabled accounts

Medium User Offboarding
Groups with external users

Shows groups that have external users

Medium External Access
Groups with very few owners

Shows Groups which have fewer owners than defined threshold (default 2 owners)

Medium Operation
Inactive external users

Shows external users that have not signed in for more than 6 month

Medium External Access
Guest users with a Dynamics license assigned

Guest users with a Dynamics license assigned

Medium Costs
Admin accounts with an Office 365 E3 license assigned

Admin accounts with an Office 365 E3 license assigned (Note: please adjust the email address, prefix or postfix to your company settings)

Medium Costs
Service plans assigned in the last 4 weeks

Shows service plans assigned to users in the last 4 weeks

Medium Operation
Users with passwords not changed in last 6 months

Shows users that have not changed their password for more than 6 months

Medium Security
Inactive internal users

Shows internal users that have not signed in for more than 6 month

Medium External Access
License usage for Visio, Project and Power BI Pro

Shows units consumed for critical licenses like Visio, Project and Power BI Pro

Medium Costs
Licenses assigned to disabled users

Shows licenses which are assigned to users with account enabled set to false

Medium Costs
Licenses assigned to external users

Shows licenses which are assigned to external users and could be removed or might unnecessary

Medium Costs
Licenses assigned to inactive users

Shows licenses which are users that have not signed in in last 90 days

Medium Costs
Licenses with unused seats

Shows licenses which have a high number of unused seats

Medium Costs
Users who are creating Microsoft Loop Teams Components

A list of users that are creating Microsoft Loop components in their OneDrive

Medium Operation
External Users with pending acceptance

External users which have not accepted invitation to your tenant

Low External Access
Unused Licenses

Shows M365 licenses with more enabled units than consumed units

Low Costs
Disabled room/place accounts

Shows rooms/places with disabled accounts

Low Operation
External users invited 3 month ago with pending acceptance

Shows external users invited more than 3 month ago that have not accepted invitation to the tenant

Low External Access
Users with E3 license not using Outlook in last 12 month

Show Users with E3 license not using Outlook in last 12 month.

Low Costs
Users with Power Platform Premium License

Users with assigned Premium License for Power Platform (per user plan)

Information Costs
External users

Shows external users (users with user type 'Guest')

Information External Access
Licenses with less than 10 units available

Shows licenses with less than 10 units available to assign to users.

Information Costs

Need a rule that isn't listed? Rencore's Policy Builder lets you create custom policies tailored to your organization. Learn more about the Policy Builder

Reports

24 analytics views and dashboards.

Monthly costs for unused licenses

Shows licenses which have unused seats

Bar Chart · Costs
License costs for disabled users

License costs for disabled users

Bar Chart · Costs
License costs for external users

License costs for external users

Bar Chart · Costs
Monthly costs for unused licenses

Shows licenses which have unused seats

Bar Chart · Costs
License costs for disabled users

License costs for disabled users

Bar Chart · Costs
Monthly license costs for external users

Monthly license costs for external users

Bar Chart · Costs
Users by Type

Groups users by their type

Pie Chart · Operation
Users by Region

Groups users by their country or region

Pie Chart · Operation
Internal Users

Shows all internal users

Pie Chart · Uncategorized
External Users

Shows all external users

Pie Chart · Uncategorized
Email Domains of External Users

Shows the domains of external user emails to be able to configure allowed domains

Donut Chart · Security
Suspended/Disabled Subscriptions

All subscriptions that are not enabled

List · Sprawl
Distribution Groups

All active distribution groups

List · Uncategorized
Groups with Teams

All groups with Teams connected

List · Uncategorized
Microsoft 365 Groups

All active Microsoft 365 groups

Pie Chart · Operation
Private Groups

All private groups

List · Operation
Public Groups

All public groups

List · Uncategorized
Security Groups

All active security groups

List · Uncategorized
Licenses with unused seats

Shows licenses which have a high number of unused seats

Bar Chart · Costs
License usage for Visio, Project and Power BI Pro

Shows units consumed for critical licenses like Visio, Project and Power BI Pro

Bar Chart · Costs
Licenses assigned to disabled user accounts

Shows licenses which are assigned to users with account enabled set to false

Bar Chart · Costs
Licenses assigned to external users

Shows licenses which are assigned to external users and could be removed or might unnecessary

Bar Chart · Costs
Licenses assigned to inactive users

Shows licenses which are users that have not signed in in last 90 days

Bar Chart · Costs
Users to be licensed with Rencore Governance

Used to calculate license costs for Rencore Governance

KPIs · Operation

Automations

3 automated remediation workflows.

Disable inactive external user accounts

Automatically disables external user accounts for users that have not signed in for more than 6 month
Notify users using Microsoft Loop Teams components about the technical implications

With this automation, users who create Microsoft Loop components will receive an email informing them about where the components are stored and what happens if someone deletes them.
Create ServiceNow Incident

Create a ServiceNow incident when an M365 Groups policy violation is detected. Requires a ServiceNow connection.

Segments

10 data groupings for targeted filtering.

Internal Users

Shows all internal users
External Users

Shows all external users
Disabled Accounts

Shows all disabled users
Suspended/Disabled Subscriptions

All subscriptions that are not enabled
Distribution Groups

All active distribution groups
Groups with Teams

All groups with Teams connected
Microsoft 365 Groups

All active Microsoft 365 groups
Private Groups

All private groups
Public Groups

All public groups
Security Groups

All active security groups

Provisioning Templates

3 resource creation templates.

Private M365 Group

Template for a private M365 group
Guest user invitation with approval

Invite an external person into the tenant. The manager approves first, then the guest receives a one-time link to accept terms. Only after both approvals does the guest identity get provisioned in Entra.
Guest user invitation without approval

Invite an external person directly, without manager approval. The guest still accepts terms via a one-time link before the identity is provisioned in Entra.

Frequently asked questions

What governance areas does Rencore cover?

Rencore covers six governance pillars: visibility and inventory across all Microsoft 365 services, ready-to-go policies with over 100 pre-built governance checks, compliance and audit evidence collection for regulatory requirements, extensibility and customization through custom policies and automations, cross-department collaboration with shared dashboards and role-based access, and AI and Copilot readiness to prepare tenants for secure AI adoption.

What is Rencore governance?

Rencore governance is a SaaS platform that continuously monitors your Microsoft 365 tenant for policy violations, configuration drift, and security risks across SharePoint, Teams, Power Platform, Copilot, and AI Agents. It automates compliance evidence collection, surfaces oversharing and sprawl, and provides actionable remediation workflows, reducing manual audit effort by up to 80%.

How do Rencore policies work?

Rencore ships with hundreds of pre-built policies that detect governance violations across every connector, oversharing, sprawl, cost overruns, security risks, and compliance gaps. Policies run on a continuous schedule, evaluate each discovered object against configurable rules, and flag violations with severity (High, Medium, Low), category, and a recommended action.

Trusted by