M365 Governance: 10 Mistakes That Are Costing You

Microsoft 365 is the backbone of most Australian businesses. Email, Teams, SharePoint, OneDrive, Power Platform — it's all running on M365. But here's the problem: most organisations deployed M365 without a governance plan, and now they're paying for it in security gaps, compliance risk, and productivity loss.

After managing M365 environments across hundreds of thousands of users, we've seen these mistakes repeated over and over. Here are the 10 most costly ones — and exactly how to fix them.

Mistake 1: No Naming Conventions for Teams and Channels

What's going wrong: Teams multiply like rabbits. "Team 1", "Meeting Notes", "Test", "John's Stuff", "Project Alpha v2 Final" — within months, nobody can find anything. There are duplicate teams, abandoned teams, and no way to know which team holds which data.

Why it costs you: - Users create duplicate teams because they can't find the existing one - Sensitive data gets shared in the wrong team - Onboarding new employees takes longer because they have to navigate chaos - IT wastes hours searching for the right team during incidents

The fix:

Implement a naming policy using Azure AD naming conventions:

[Department]-[Project/Purpose]-[Year]

Examples: - FIN-Budget2026-2026 - MKT-CampaignAlpha-2026 - HR-Onboarding-2026

Configure this through the Microsoft Teams admin centre:

1. Go to Teams admin centre → Teams settings → Naming policy
2. Set a prefix with department and suffix with year
3. Block certain words (TEST, TEMP, etc.) from team names
4. Require approval for new team creation (optional but recommended)

Bonus fix: Implement a team lifecycle policy. Auto-archive teams that haven't had activity in 90 days. This keeps your environment clean without manual intervention.

Mistake 2: Ungoverned SharePoint Site Sprawl

What's going wrong: Anyone with a Microsoft 365 licence can create a SharePoint site. Within a year, you have 5,000 sites, 3,000 of them unused, and no idea which ones contain sensitive data. If you're also evaluating an intranet project, see our SharePoint Intranet Cost Guide for realistic budgeting.

Why it costs you: - Data sprawl makes compliance audits a nightmare - Unused sites accumulate stale data that increases your storage costs - You can't enforce policies on sites you don't know exist - External sharing controls are meaningless if there are thousands of unmonitored sites

The fix:

1. Audit immediately. Run a SharePoint site inventory. Identify all sites, their owners, last activity date, and external sharing status.
2. Implement lifecycle policies. Use Microsoft 365 lifecycle management to auto-archive or delete sites after a defined period of inactivity (60–90 days).
3. Restrict site creation. Not everyone needs to create SharePoint sites. Limit creation to IT and department leads.
4. Classify sites. Tag sites by sensitivity: Public, Internal, Confidential, Restricted. Apply different policies to each classification.
5. Quarterly reviews. Schedule quarterly site reviews with department heads. They know which sites are still needed; you don't.

Tool tip: Microsoft Purview Data Lifecycle Management can automate site archival based on inactivity. Configure it once, let it run.

Mistake 3: No Data Classification

What's going wrong: Everything is either classified as "Confidential" or not classified at all. There's no middle ground, so the label becomes meaningless. Users ignore classification because it doesn't help them do their job.

Why it costs you: - Can't enforce data protection policies without knowing what's sensitive - Compliance failures because you can't demonstrate data governance - Accidental data leakage because users don't know what's sensitive - DLP policies can't work effectively without classification

The fix:

Implement a simple classification scheme:

Label	Description	Protection
Public	Marketing materials, public website content	No restrictions
Internal	Internal documents, general communications	Block external sharing
Confidential	Financial data, contracts, client information	Require encryption, block external sharing, audit access
Highly Confidential	Personal data, health records, trade secrets	Encrypt, require MFA, restrict to named individuals

Implementation steps:

1. Create sensitivity labels in Microsoft Purview Information Protection
2. Start with audit mode. Let users classify for 2–4 weeks without enforcement
3. Auto-label where possible. Train classifiers to recognise document types (financial reports, HR documents, contracts)
4. Enforce gradually. Move from "warn" to "block" over 2–3 months
5. Train users. Explain what each label means and why it matters

Pro tip: Keep it simple. Four labels are better than twelve. Users won't remember a complex scheme, and complexity leads to misclassification.

Mistake 4: Missing Retention Policies

What's going wrong: Data accumulates forever. Old emails, abandoned document libraries, Teams messages from 2019 — it's all still there, growing your storage costs and increasing your compliance risk.

Why it costs you: - Regulatory risk. ATO requires 7-year retention for financial records. Fair Work requires 7 years for HR records. If you're not retaining appropriately, you're non-compliant. - EDiscovery becomes impossible when you have millions of items to search through - Storage costs balloon as data accumulates indefinitely - Data breach impact increases because you're storing data you don't need

The fix:

Define retention by data type:

Data Type	Retention Period	Reason
Email	7 years	Australian business records requirements
Financial documents	7 years	ATO compliance
HR records	7 years after termination	Fair Work requirements
Contracts	7 years after expiry	Legal limitation period
Teams messages	7 years	Business communications
Project documents	2 years after completion	Business requirements
General files	1 year	Default business requirement

Implementation:

1. Create retention labels in Microsoft Purview Data Lifecycle Management
2. Apply auto-labeling using trainable classifiers for common document types (invoices, contracts, HR forms)
3. Configure retention policies for mailboxes, SharePoint sites, and Teams
4. Test with a pilot group before broad deployment
5. Document your retention schedule — this is required for compliance audits

Common trap: Don't set retention to "forever" because you're afraid of deleting something. That's not governance — that's hoarding. Define clear retention periods and stick to them.

Mistake 5: No External Sharing Controls

What's going wrong: Anyone can share any document, any SharePoint site, any Teams channel with anyone outside the organisation. Client data, financial reports, HR documents — all one click away from leaving your control.

Why it costs you: - Data leakage is inevitable without controls - Compliance failures (privacy laws, industry regulations) - Loss of intellectual property - No audit trail of what was shared and with whom

The fix:

1. Restrict external sharing by default. Disable external sharing at the tenant level, then enable it selectively for specific sites and groups that need it.
2. Configure SharePoint external sharing policies:
3. Tenant level: Set to "New and existing guests" (not "Anyone")
4. Site level: Override per-site based on business need
5. Require authentication for external sharing (no anonymous links)
6. Implement guest access controls:
7. Limit guest access to specific sites
8. Require MFA for guest accounts
9. Set expiration dates on guest access
10. Monitor external sharing. Use Microsoft 365 audit logs to track what's being shared externally.
11. Regular reviews. Monthly review of external sharing activity with department heads.

Quick win: Block "Anyone" links (anonymous sharing) immediately. This is the most common vector for accidental data leakage. If someone needs to share externally, they should share with specific people, not create public links.

Mistake 6: Ignoring Conditional Access

What's going wrong: Users sign in with a password and that's it. No MFA, no device compliance check, no location-based restrictions. If a password is compromised (and it will be), the attacker has full access.

Why it costs you: - Account compromise is the #1 attack vector - No ability to enforce device compliance - No ability to block risky sign-ins - Compliance failures for organisations with regulatory obligations

The fix:

Implement a layered Conditional Access strategy:

Essential policies (deploy immediately):

Policy	Action
Block legacy authentication	Block all legacy auth protocols
Require MFA for all users	Enforce MFA for every sign-in
Block risky sign-ins	Block sign-ins from high-risk locations
Require password change	Force password change for compromised accounts

Enhanced policies (deploy within 30 days):

Policy	Action
Require compliant devices	Block access from non-compliant devices
Require approved client apps	Block access from unapproved apps
Block non-Australian countries	Block sign-ins from countries where you have no operations
Require phishing-resistant MFA for admins	Hardware tokens for privileged accounts

Advanced policies (deploy within 90 days):

Policy	Action
Risk-based sign-in	Step-up authentication for risky sign-ins
Continuous access evaluation	Real-time session controls
Network location controls	Different policies for office vs remote
Session controls	Limit session duration for risky access

Implementation approach:

1. Start in report-only mode. Monitor for 1–2 weeks to identify users who would be affected
2. Communicate with affected users. Explain what's changing and why
3. Deploy essential policies first. These have the highest impact
4. Add enhanced policies gradually. One policy per week
5. Monitor and tune. Adjust based on user feedback and sign-in analytics

Mistake 7: No Power Platform Governance

What's going wrong: Users are building Power Apps, Power Automate flows, and Power BI reports without any oversight. Data is flowing between services without controls. Shadow IT is rampant through the Power Platform.

Why it costs you: - Data exfiltration risk through uncontrolled connectors - Compliance violations when sensitive data flows to personal Power Apps - Duplicate solutions being built by different teams - No visibility into what Power Platform resources exist in your tenant

The fix:

1. Implement DLP (Data Loss Prevention) policies for Power Platform:
2. Define business and non-business connectors
3. Block sensitive data from flowing to non-business connectors
4. Start in audit mode, then enforce
5. Create an environment strategy:
6. Default environment: Restricted, limited access
7. Developer environments: For IT-approved development
8. Production environments: For approved business applications
9. Require admin approval for new connectors
10. Monitor Power Platform usage. Use the Power Platform admin centre to track usage, identify orphaned resources, and monitor connector activity
11. Establish a centre of excellence. Designate Power Platform champions in each department who can guide development and enforce standards

Quick win: Restrict the default environment to IT and designated Power Platform developers. This immediately reduces shadow IT risk.

Mistake 8: Skipping Teams Phone Planning

What's going wrong: Teams Phone was deployed without network assessment, QoS configuration, or user training. Calls drop, audio is choppy, and users revert to personal mobiles for important calls.

Why it costs you: - Poor call quality frustrates users and damages professional image - Missed calls and failed transfers cost business opportunities - Users bypass the system, defeating the purpose of the investment - Support costs increase as IT troubleshoots call quality issues

The fix:

1. Network assessment first. Before deploying Teams Phone:
2. Test bandwidth at all office locations
3. Identify and resolve bottlenecks
4. Ensure sufficient bandwidth for concurrent calls
5. Configure QoS (Quality of Service):
6. Prioritise voice traffic on the network
7. Implement DSCP marking for Teams audio, video, and screen sharing
8. Configure network equipment to honour QoS markings
9. Pilot before rollout:
10. Start with a 20–30 person pilot group
11. Test internal calls, external calls, call transfers, voicemail, and auto-attendants
12. Gather feedback for 2–4 weeks
13. User training:
14. How to make and receive calls
15. Call forwarding and delegation
16. Auto-attendant setup
17. Common issues and troubleshooting
18. Monitor call quality:
19. Use Teams call quality dashboards
20. Set up alerts for poor quality metrics
21. Review call quality data monthly

Mistake 9: No Documentation

What's going wrong: Only one person knows how the M365 environment is configured. They go on holiday, get sick, or leave — and nobody can troubleshoot, modify, or recover anything.

Why it costs you: - Single point of failure for critical knowledge - Extended downtime when the key person is unavailable - Onboarding new IT staff takes weeks instead of days - Compliance failures because you can't demonstrate your configuration

The fix:

Create and maintain these documents:

Essential documentation:

1. Architecture diagram. How your M365 tenant is configured — domains, DNS, connectors, Conditional Access policies, DLP policies, retention policies
2. Admin account inventory. All admin accounts, their roles, and who holds them (stored securely, not in a shared document)
3. Conditional Access policy documentation. Every policy, its purpose, and who's affected
4. DLP and retention policy documentation. What's configured and why
5. Backup and recovery procedures. Step-by-step guides for common recovery scenarios
6. Vendor and licensing inventory. What you're licensed for and what you're paying

Runbooks for common scenarios:

• New user provisioning
• User offboarding
• Password reset
• MFA recovery
• Mailbox recovery
• SharePoint site provisioning
• Teams creation and archival
• External sharing approval

Maintenance:

• Review and update documentation quarterly
• Assign a documentation owner
• Store documentation in a secure, accessible location (SharePoint, Notion, or a wiki)
• Include documentation updates as part of change management

Mistake 10: No User Training

What's going wrong: M365 features are deployed but users never receive training. They use Teams like email, store documents in their email instead of SharePoint, and never discover the tools that could make them more productive.

Why it costs you: - Low adoption means low return on your M365 investment - Users find workarounds that create security risks - IT support tickets increase because users don't know how to use the tools - Productivity gains from M365 features go unrealised

The fix:

Build a training programme that fits your culture:

Tier 1: Self-service resources - Create a knowledge base with how-to articles and videos - Pin frequently asked questions in Teams - Set up a "M365 Tips" channel with regular updates - Provide Microsoft's free training resources (Microsoft Learn, LinkedIn Learning)

Tier 2: Regular touchpoints - Monthly "Tips & Tricks" email highlighting one M365 feature - Quarterly lunch-and-learn sessions (30 minutes, casual format) - Department-specific training when new features are rolled out

Tier 3: Champions programme - Identify 1–2 power users per department - Give them early access to new features - They become the go-to resource for their colleagues - Recognise and reward their contributions

Tier 4: Onboarding integration - Include M365 training in new employee onboarding - Don't assume people know how to use Teams, SharePoint, and OneDrive - Provide a "getting started" guide in the first week

Key metrics to track: - Teams adoption rate - SharePoint site usage - OneDrive vs network drive usage - Self-service knowledge base views - Training attendance

The Governance Framework

These 10 mistakes share a common root cause: deploying technology without governance. Here's the framework to prevent all of them:

1. Assess

• What do you have? (Inventory of M365 resources)
• What's the risk? (Classify data and sites)
• What's the gap? (Compare against best practices)

2. Plan

• What policies do you need? (Naming, retention, sharing, access)
• What's the priority? (Start with highest-risk items)
• What's the timeline? (Phase implementation over 3–6 months)

3. Implement

• Deploy controls gradually (don't break everything at once)
• Start in audit mode where possible
• Communicate changes to users before enforcement
• For MSPs managing multiple tenants, see our MSP vs In-House IT comparison for delivery model considerations

4. Monitor

• Regular audits (monthly for critical controls, quarterly for others)
• Automated alerts for policy violations
• User feedback channels

5. Improve

• Review quarterly and adjust
• Stay current with Microsoft's new features and capabilities
• Benchmark against industry peers

Getting Started This Week

If you're overwhelmed by the scope of M365 governance, start with these three actions:

1. Block "Anyone" links in SharePoint. This takes 5 minutes and immediately reduces data leakage risk.
2. Enable MFA for all users. If you haven't already, this is the single highest-impact security improvement. See our Essential 8 Implementation Checklist for a step-by-step MFA deployment guide across all maturity levels.
3. Run a SharePoint site inventory. Know what you have before you try to govern it.

These three actions alone put you ahead of 80% of Australian businesses.

Related Guides

• Microsoft 365 Governance for MSP Tenants
• The 10 Biggest M365 Governance Mistakes
• Essential 8 Implementation Checklist
• How to Choose an MSP