Microsoft Purview Governance Reviews for MSPs: Ownerless Sites Are Billable Cleanup
Microsoft is giving admins more ways to see stale, ownerless, and overexposed Microsoft 365 content. That is useful. It is not the fix.
For MSPs, the real deliverable is a governance review the client can understand: which SharePoint and Teams sites need owners, which permissions are too broad, which inactive workspaces should be archived or deleted, and which decisions need client signoff before your team touches anything.
Quick answer: Microsoft Purview governance reviews should become a paid MSP review package, not free admin cleanup. Use the Microsoft signals to find ownerless sites, stale SharePoint and Teams workspaces, attestation gaps, and oversharing. Then turn those findings into owner assignment, permission cleanup, archive/delete decisions, and a roadmap item with budget.
What Microsoft is surfacing now
Microsoft's Microsoft 365 roadmap entry for the Governance Reviews Dashboard points at a private preview dashboard for site owners. The useful theme is clear even before every tenant sees the same UI: Microsoft wants site governance tasks to stop living in scattered admin corners.
The pieces already exist around SharePoint Advanced Management and Microsoft 365 governance:
- SharePoint Advanced Management helps admins identify content sprawl, define site ownership policies, manage inactive SharePoint sites, and request recurring attestations.
- Site ownership policies can identify sites that do not meet owner or admin count requirements, notify the right people, and reduce the risk of ownerless sites.
- Inactive site policies can detect inactive SharePoint and Teams-connected sites, notify owners, and support read-only or archive actions when configured.
- Data access governance site reviews let admins ask site owners to review oversharing findings from reports like sharing links and content shared with Everyone except external users.
- Site attestation policies let admins request recurring reviews of site necessity, owners, members, permissions, and sharing settings.
That is a lot of signal. It still does not decide who owns the cleanup, who funds the work, or what happens when the client says the dead project site is somehow still critical.
Why this turns into MSP work
Microsoft can tell you a site has one owner. It cannot tell you whether that owner left the client six months ago, whether the office manager should approve archive, or whether legal wants the old project folder retained.
This is where MSPs either create value or quietly eat the work.
A typical tenant has the same mess in five versions:
- a Teams-connected SharePoint site created for a project that ended last year
- a site with one owner, and that owner is now disabled
- broad sharing links that nobody wants to defend during an audit
- files under retention that users think can just be deleted
- a client executive asking why Copilot found old junk in search results
None of that is solved by a dashboard. The dashboard starts the conversation. The MSP has to run the review, explain the risk, get decisions, and document the outcome.
If that sounds like normal monthly support, check the scope again. This work mixes admin review, security hygiene, client approval, retention context, and roadmap planning. That is not a password reset with nicer nouns.
What should be in the governance review
Do not sell "we will look at Purview." Sell the decisions the client gets back.
| Review area | What the MSP checks | Client decision needed |
|---|---|---|
| Site ownership | Ownerless sites, single-owner sites, disabled owners, stale admin assignments | Who owns each site now |
| Inactive sites | Last activity, Teams connection, site purpose, storage use, business owner | Keep, archive, delete, or review later |
| Oversharing | Anyone links, organization-wide links, Everyone except external users, high-permission libraries | Remove access, accept risk, or re-scope sharing |
| Attestation | Whether owners have confirmed site purpose, members, permissions, and sharing settings | Who signs off and how often |
| Retention and legal context | Retention labels, holds, regulated data, archive impact | What cannot be deleted or moved |
| Support boundary | Who requests cleanup, who approves disruption, what is included in support | What becomes paid project work |
That table is the product. Microsoft provides the admin signals. The MSP provides the decision record.
If the review finds compliance ownership gaps, tie it to a shared responsibility matrix. If it finds archive candidates, fold it into the Microsoft 365 Archive file-level archiving plan. If it creates budget work, put it on the client roadmap instead of leaving it in a ticket comment.
The cleanup should not be automatic
Automation is tempting here because the findings look tidy. Do not confuse tidy with safe.
An inactive SharePoint site might be a dead project. It might also be the place finance keeps old acquisition files. A single-owner Teams site might be low risk. It might also be the only workspace a department uses to pass approvals around. A site with Everyone except external users might be a careless mistake, or it might be a deliberate internal policy the client never documented.
The MSP job is not to click the most aggressive remediation button.
The MSP job is to separate four buckets:
- Clean up now: obvious stale links, disabled owners, duplicate admins, dead project spaces.
- Needs client owner: anything with business ambiguity, legal context, or user disruption.
- Accept risk: exceptions the client understands and signs off.
- Roadmap work: bigger cleanup, archive, retention, DLP, or permission redesign.
That last bucket is where the money is. It is also where clients get a better outcome, because the work gets approved before your team spends eight unpaid hours doing SharePoint archaeology.
How to package it
A governance review package does not need to be complicated. It needs a clear boundary.
Start with a fixed-scope review:
- 10 to 25 high-risk or inactive sites
- owner and admin count review
- oversharing sample review
- inactive site and archive candidate list
- attestation status summary
- client decision table
- cleanup estimate
- roadmap recommendations
Then split remediation from review.
The review tells the client what exists and what to do. The remediation quote covers owner changes, permission cleanup, archive work, retention coordination, and client communications.
That split matters. If you bundle the remediation into the review, the client hears "go clean up SharePoint." If you separate it, the client sees a decision process: findings first, approval second, cleanup third.
The client script
Use this when the client asks why a dashboard finding needs a paid review.
Microsoft can show us which sites look stale, ownerless, or overexposed. It cannot decide whether those sites still matter to your business.
We recommend a short governance review. We will identify the sites that need attention, confirm owners, flag oversharing, separate archive candidates from delete candidates, and bring back a decision list.
After that, you can approve cleanup, accept specific risks, or put larger work on the roadmap. We will not make broad access or archive changes without a business owner signing off.
That is calm and defensible. It also makes the MSP look like an advisor instead of someone forwarding Microsoft warnings.
How Scopable fits
Scopable is not a Purview console. It is where the MSP can carry the finding into the client workflow.
A governance review should become a client-facing item with scope, risk, owner, effort, budget, and next step. The finding starts in Microsoft 365, but the decision belongs in the account plan, the QBR, the roadmap, and sometimes the quote.
That is the difference between admin noise and paid cleanup.
Microsoft will keep adding signals. MSPs need to turn those signals into decisions clients can fund. If you want that workflow connected to assessments, roadmaps, budgets, and quotes, join Scopable early access.
