Too many admins spend Friday afternoons hunting for outdated users and misconfigured settings. Here’s the kicker—each missed account is a new risk, just waiting to happen. Today, you’ll see how a smart set of PowerShell scripts can automate your tenant governance, lock down compliance, and actually save your weekends.

The Hidden Mess: What Admins Miss in Manual Reviews

If you’ve ever peeked behind the curtain of your Microsoft 365 tenant, you probably know that feeling—like looking at a half-organized junk drawer that keeps collecting random odds and ends. On the surface, everything appears manageable. You’re logging in, scanning user accounts, tweaking a setting here or there. Maybe you’re running that same PowerShell snippet you grabbed off TechNet three years ago. It feels organized enough. But the second you start digging into the details, odd little gaps start cropping up. There’s always a handful of accounts where you’re not sure why they’re enabled, a few security groups with names nobody recognizes, and SharePoint sites that haven’t seen activity since the last re-org.

Let’s talk about the myth of “manual governance.” You know the drill—log in, page through the admin center, check the last sign-in dates, maybe send a couple of emails asking managers if these accounts are still in use. The idea is simple but deceptive. You can only look at what’s already on your mind, or what the interface puts in front of you. The really sneaky problems rarely show up in dashboards or notifications. One day you’re convinced you’ve nailed it. The next day, a compliance audit turns up two dozen shadow guest accounts and a stack of unassigned licenses quietly racking up costs.

That brings up a scenario I see all the time. Take one admin—let’s call her Claire. Claire does her quarterly review by the book. She combs through every list she can find, checks the Exchange mailboxes, prunes out a few guest users, and thinks she’s done.
A month later, an auditor uncovers that nobody offboarded several project contractors from the previous year. Those accounts are still active, assigned critical permissions, and, as a bonus, sitting on a few expensive licenses. Then there are SharePoint links from the last marketing campaign, wide open for external users because nobody set expiration dates on guest sharing.

This isn’t unique to Claire, and it’s not about a lack of effort. Most admins do a reasonable job—at least, as far as checklists and spot checks go. But according to Gartner and a handful of other IT studies, up to 30% of Microsoft 365 licenses often sit unused across organizations. Orphaned accounts—in other words, user objects left behind after someone leaves or changes roles—can linger in the system for months. These zombie accounts tend to accumulate more in environments where offboarding is a separate process, HR and IT don’t always talk, and ownership for guest access is a passing conversation, not a tracked workflow.

Think about it like cleaning your house. It’s easy to vacuum the living room and wipe the kitchen counters. It looks clean enough when people visit. But if you never open the closets or check under the bed, all sorts of clutter piles up right out of sight. With your tenant, it’s groups and users and sharing links shoved into forgotten corners. Everything looks good—until the day someone on the security team decides to “look closer,” and suddenly you’re spending your weekend closing doors you didn’t even know were open.

And here’s the catch: the Microsoft 365 portal and security center make it really simple to feel productive. The interfaces show you the most recent sign-ins, flag obvious alerts, and give you pie charts that look reassuring. But risky settings—like guest sharing with no expiration, app passwords still enabled for accounts with MFA, or directories overflowing with stale teams—hide behind extra menus or need cross-referencing with multiple reports.
It’s easy to miss the big picture.

Microsoft MVPs who live in this space see it all the time. When admins rely on spot checks or dashboard data, they end up missing more than half the risky configurations. Not because they’re careless, but because the system isn’t designed for holistic visibility. The manual review leaves blind spots everywhere.

If manual efforts are missing so much, the question becomes obvious. How do you make sure you’re not just cleaning the living room while the basement floods with old access and unused resources? We’ve seen what happens when things get missed. Those dormant accounts aren’t just wasting budget—they’re a weak point in your security posture. Stale external links look harmless until someone finds that “confidential” doc with a six-month-old guest link floating around a vendor’s inbox. It’s a compliance nightmare waiting to happen.

This is why it pays to think beyond just reacting to alerts or spot-checking once a quarter. True tenant hygiene asks for a system that doesn’t trust your memory, habits, or even the built-in admin reports. Because, let’s be honest, most tenants grow more complex and messy over time—not less. Without a real way to track, audit, and clean things up, your manual process is basically a game of whack-a-mole, and the moles always get faster.

So, the bigger pain isn’t just about the time you spend clicking through endless menus or tracking down last login dates. The real cost lives in the growing shadow of unchecked risk—security, compliance, and even reputation. But there actually is a more reliable answer. The question is: what does true tenant hygiene really look like, and what does it take to get there? Let’s shift gears and move from theory to real-world solutions.

PowerShell: The Admin’s Secret Weapon

If you walk into most offices and say “PowerShell,” you’ll either get a knowing nod or a panicked look—sometimes both from the same person.
For a long time, it had the reputation of being a tool for the datacenter crowd, the people who live knee-deep in server racks, not your average Microsoft 365 admin. But Microsoft has a habit of putting PowerShell at the center of everything new in their cloud stack, and there’s a reason for that. It quietly bridges all those annoying gaps you find between shiny admin portals and real-world needs. The PowerShell window isn’t flashy, but it’s the only reliable way to see below the dashboards and actually keep pace with what’s happening across your tenant.

Most of us started with PowerShell just trying to fix something the UI wouldn’t let us do. Maybe it was unlocking a mailbox, or mass-removing licenses after a department shutdown. Those one-off fixes are fine, but there’s way more on the table. What changes everything is automation. When you start letting PowerShell do these checks for you—on a schedule, across all the places the admin portals don’t reach—you move past chasing your tail in the GUI. Suddenly, the job is less about reactively hunting for issues and more about having risks surface themselves in a neat report, right when you need it.

Here’s where most admins get stuck: they treat PowerShell like a copy-paste tool. Google up a script, slap it in, press enter, hope for the best, and then jump back into the interface for anything that looks complicated. It’s the shortcut mentality—and sometimes it works. But automation isn’t about grabbing two lines of code and hoping nothing breaks. It’s about getting the results you need, consistently, without crossing your fingers every time. Reliability is the name of the game. If you don’t know exactly what a script is about to touch, you’re one typo away from a very long night.

Let’s get concrete for a moment. There’s a mid-size non-profit I worked with that used to block off every Thursday afternoon just for user and license audits.
It sounds excessive, but three or four people would pore over Excel exports, compare sign-in logs to HR spreadsheets, and send out “Is this account still in use?” emails. All in, four hours a week just keeping up with churn. When they finally set up a scheduled PowerShell script, that whole review shrank to a ten-minute task. The script pulled fresh data every week, flagged accounts with no activity, and compiled license usage into a single file that required maybe two follow-up questions instead of forty. They didn’t just save time—they stopped missing the little rogue accounts that caused past audit headaches.

That’s the thing: every PowerShell module brings a different set of superpowers to your tenant cleanup. The classic MSOnline module helps you slice through those sprawling license lists and spot unassigned or orphaned subscriptions practically instantly. With AzureAD, you can finally see the forest and the trees—dumping lists of inactive users, auditing who has passwordless auth enabled, and tracking group memberships in seconds. If you’re wrangling shared mailboxes or checking who still has permissions after a re-org, ExchangeOnline brings all those user objects and mailbox properties into focus, not just the handful visible in Outlook on the web. Then SharePointPnP steps in for the land of hidden team sites and stale files, letting you find which sites haven’t seen a legitimate login in months, and who’s left as an owner after most of the project team walked out.

Want a taste of what these modules can do, right out of the box? Try this: with just a few lines, you can have PowerShell return every user who hasn’t logged in for ninety days—no pivot tables, no manual data merges, just the real list, ready to go. For external sharing, you can generate a report of every single guest account with active permissions, or run a script that sweeps through SharePoint and flags sites with no recent edits, so you’re not chasing phantom projects or leftover teams.
Once you have visibility, things that used to need hours of cross-checking get mapped out in five minutes.

If your biggest pain is unused licenses stacking up, you can automate the hunt for those too. Picture a scheduled script that grab
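
The ninety-day inactive-account report described above, as an added example that is not part of the original episode text. It assumes the Microsoft Graph PowerShell module as the live data source rather than the MSOnline or AzureAD modules the text names; `Get-StaleAccount`, its parameters and the sample accounts are hypothetical and constructed for illustration.

```powershell
# Added example. With live data, feed it Microsoft Graph user objects (assumption):
#   Connect-MgGraph -Scopes 'User.Read.All','AuditLog.Read.All'
#   $users = Get-MgUser -All -Property 'userPrincipalName,userType,accountEnabled,createdDateTime,assignedLicenses,signInActivity'
function Get-StaleAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $User,
        [int] $InactiveDays = 90,
        [datetime] $AsOf = (Get-Date)
    )
    $cutoff = $AsOf.AddDays(-$InactiveDays)
    foreach ($u in $User) {
        if (-not $u.AccountEnabled) { continue }           # already disabled, nothing to flag
        $last = $u.SignInActivity.LastSignInDateTime       # $null when no sign-in is recorded
        if ($last -and $last -gt $cutoff) { continue }     # signed in inside the window
        # A freshly created account that has not signed in yet is not stale.
        if (-not $last -and $u.CreatedDateTime -gt $cutoff) { continue }
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            UserType          = $u.UserType                # 'Guest' rows are the external accounts
            LastSignIn        = $last
            NeverSignedIn     = -not $last
            DaysInactive      = if ($last) { [int][math]::Floor(($AsOf - $last).TotalDays) } else { $null }
            Licensed          = [bool]$u.AssignedLicenses  # a paid license sitting on an idle account
        }
    }
}

# Constructed sample objects shaped like Get-MgUser output, so the script runs offline.
function New-SampleUser($Upn, $Type, $Enabled, $Created, $LastSignIn, $Licenses) {
    [pscustomobject]@{
        UserPrincipalName = $Upn; UserType = $Type; AccountEnabled = $Enabled
        CreatedDateTime   = [datetime]$Created; AssignedLicenses = $Licenses
        SignInActivity    = [pscustomobject]@{ LastSignInDateTime = if ($LastSignIn) { [datetime]$LastSignIn } else { $null } }
    }
}
$asOf   = [datetime]'2024-06-01'
$sample = @(
    New-SampleUser 'active@contoso.example'     'Member' $true  '2022-01-10' '2024-05-20' @('sku-a')
    New-SampleUser 'contractor@contoso.example' 'Member' $true  '2023-02-01' '2023-11-15' @('sku-a')
    New-SampleUser 'vendor_ext@contoso.example' 'Guest'  $true  '2023-03-05' $null        @()
    New-SampleUser 'newhire@contoso.example'    'Member' $true  '2024-05-25' $null        @('sku-a')
    New-SampleUser 'leaver@contoso.example'     'Member' $false '2021-06-01' '2023-01-01' @()
)
# Flags contractor@ (licensed, idle since November) and vendor_ext@ (guest, never signed in).
Get-StaleAccount -User $sample -AsOf $asOf | Format-Table -AutoSize
```

The function only reports; disabling accounts or reclaiming licenses stays a separate, reviewed step, in line with the point above about knowing exactly what a script is about to touch.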