Australian universities were built to share knowledge openly, but many now face a growing Microsoft 365 blind spot where collaboration sprawl is quietly driving up both risk and cost. As Copilot raises the stakes, strong governance is becoming essential not just for security, but for visibility, licence value, and long-term control.
This article covers:

Australian universities are built for collaboration, but years of grandfathered licensing and unmanaged growth have left many with sprawling Microsoft 365 tenants they can no longer see clearly. This blog will explain why M365 sprawl has become both a financial and a security problem, from tens of thousands of unmanaged SharePoint sites to external shares that never expired, and why the configuration layer deserves the same protection as the data itself. It also covers what Copilot changes for ungoverned environments and how better licence governance turns a growing Microsoft bill into real value. For university IT leaders, governance is no longer optional housekeeping. It underpins security, cost control, and Copilot readiness.
Australian universities sit at an interesting and challenging intersection when it comes to data sharing and cybersecurity.
By default, they’re built for collaboration and knowledge sharing across different categories of users, but they’re also the owners of significant sensitive data. Microsoft 365 is the digital backbone that holds much of this together. But as the platform has grown in scale and complexity, a critical question has emerged: Are universities struggling with Microsoft 365 governance?
The evidence suggests many are, and the consequences of getting it wrong are more serious than most vice-chancellors would care to admit.
Many universities have had legacy access to Microsoft’s collaboration suite for years, often well over a decade. They’ve benefitted from grandfathered licensing agreements that provided generous storage and platform access at fairly low cost. The issue we’re now witnessing with that benefit is what we at Coreview call ‘M365 sprawl’.
Universities have an enormous user and workload footprint across SharePoint, Microsoft Teams, and OneDrive. Students, academic staff, researchers, administrators, and alumni create years of accumulated data, often with very little systemic governance to manage it.
We saw this firsthand when one of Australia’s largest universities came to us, having reached, in their own words, a breaking point. They had 70,000 SharePoint sites within their Microsoft tenant and genuinely didn’t know which were active, which were dormant, or which could be safely archived. That challenge became significantly more urgent when Microsoft announced it was changing those grandfathered licensing rules; unlimited storage at a low cost was going away, and universities would now be billed for what they hold. Suddenly, a governance problem became a financial one too.
The panic was real, and the scramble that followed wasn’t just about a one-time cleanup. Universities need to understand how to implement governance principles that prevent the tenant from drifting straight back to where it started the moment the cleanup is complete.

While it’s often storage and cost issues that prompt universities to act and reach out to us, there’s a more serious problem at play here, and most universities aren’t even considering it yet.
The legacy sprawl that universities have to contend with presents a real security risk. Their M365 tenant contains vast amounts of data that’s incredibly sensitive and specific to the university. Many haven’t considered how they’re governing the sharing of that data's permissions.
The picture is never one thing. We see external sharing links created years ago that have never expired; Microsoft Teams channels with external users long after a project or partnership has ended; OneDrive stores with vast amounts of data accessible beyond the intended audience; SharePoint sites that no longer have an assigned administrator but are still storing data and accessible to people who probably shouldn’t have that access.
It’s a very large blob of poorly managed data and weak points that, as universities try to get their heads around it, leave many doors open to cybersecurity attacks and data breaches.

One of the most distinctive challenges for universities in this space is balancing external sharing and security governance.
Research is a significant aspect of university life, with staff often collaborating globally with research partners, government bodies and industry representatives. In many cases, anything that’s shared has approval layers, and nothing goes external without proper review, but we too often see that there’s no cleanup once the project ends.
In 99 out of 100 cases, nothing happens, but in that one remaining case, the consequences can be severe. Let’s say the external researcher’s account gets compromised or maliciously attacked; that attacker now has a ready-made entry point into your Microsoft tenant via a share that was never closed.
It may only be a small hole, but across a university M365 ecosystem with thousands of active and dormant SharePoint sites, the number of such holes is rarely few.
Ten years ago, when organisations were only just starting their journeys with M365, the landscape was very different. The collaboration suite was Word, PowerPoint, and possibly OneDrive. Fast forward to 2026, and M365 is the digital backbone and security control centre for entire companies, including moving to a predominantly Cloud-based work model.
This expanded M365 ecosystem is governed by the configuration layer, where administrators adapt the default settings across M365 to suit business needs. There are tens of thousands of these settings, and if they’re not set up correctly from the start, they can easily be manipulated. What we’re seeing is universities moving to a Cloud-based work model without doing due diligence on these settings and without hardening their M365 ecosystem beforehand, which is opening them up to significant risk.
I like to use the analogy of a glass of water here to really bring this point home.
Think of your M365 tenant as a glass of water. The water is all of the information your organisation creates and stores inside M365, including emails, documents, Teams conversations, and SharePoint content. The glass is the tenant itself; the configurations, settings, and security controls that govern how everything operates.
Most organisations have thought carefully about backing up the water but not about backing up the glass, or what to do if the glass gets cracked. If that glass shatters completely, you need to recover it before you can recover the water.
Copilot is one of the most powerful productivity tools Microsoft has released, and we’re advocates for it when it’s deployed well. But for universities sitting on years of ungoverned sprawl, it introduces the end of security by obscurity.
Before Copilot, a university could theoretically manage data risk through complexity, such as nested folder structures, informal access conventions, and configurations that were imperfect but functional. Copilot cuts straight through this, finding things automatically at machine speed.
Before you introduce Copilot, it’s essential to prepare your tenant. We’ve seen the horror stories of what happens in unprepared environments, including Copilot locating extremely sensitive information (that it theoretically should never have been able to access) with very little effort. From senior staff pay slips to sensitive HR information, like termination notices, it’s all sitting there for Copilot to find.
Governance shouldn’t be a blocker to implementing a tool like Copilot, especially given its capacity to support workloads across multiple teams, but it’s vital to be Copilot-ready through clear, effective governance and controlled security settings. That way, everyone can access and utilise it with confidence.
One additional key aspect of universities' and M365 governance lies in their licensing. Universities typically have their own license contracts and a complex academic enterprise agreement that covers a range of M365 license entitlements, with different levels of service, usually at quite high fees.
License management controls within universities are complicated by sheer volume and the requirement to retain certain licenses for current and past students, so they can continue to access relevant support services long after graduation.
Again, there’s a balancing act in paying for this ever-growing blob of licensing requirements while still ensuring it’s well managed and governed. What we tend to see is universities buying more licenses from Microsoft without proper visibility into where there might be licensed users who no longer need those licenses.
Addressing this is rarely about reducing the Microsoft bill by dropping licences, but about getting significantly improved licence governance and visibility so you can optimise paid-for and active licenses.
For example, if a user only needs a handful of Microsoft services but has full access to an expensive suite, there may be an opportunity to reallocate, downgrade or provide support for license adoption so that the user gets the full benefits. We might say, “Hey, Bob in finance, do you know that you've got this really cool entitlement set with Microsoft? I can see you're only ever logging into your Exchange mailbox, and occasionally you're logging in and out of OneDrive. Did you know you've got access to SharePoint and Teams to do cool things?”
In the same way you need governance around your data, you need governance around your licenses to ensure you’re getting real value.
Microsoft is expensive and for good reason. It’s a powerful platform, but prices aren’t going down. Universities need to ensure they manage this investment so that they’re not just securing their data and protecting their ecosystem, they’re also getting good value for money.
Wondering how your own tenant stacks up? Run a free tenant security scan and find out.