Ownership Registry — Object Ownership and Recertification for Microsoft 365
Ownership Registry answers the question auditors, security officers and IT managers keep asking: who owns this, and is it still needed? It keeps a permanent record of accountability for every object in your Microsoft 365 tenant — independent of what Microsoft does or does not store — and holds no write permissions on that tenant.
The Problem It Solves
Microsoft 365 tenants grow faster than anyone can govern them. Shared mailboxes outlive the projects they were created for, Teams and SharePoint sites pile up, and service accounts keep running long after the person who requested them has left. Exchange has no owner field for shared mailboxes, and group owners go stale the day someone resigns. When the audit comes, nobody can say with confidence which of the 800 objects in the tenant are still needed, who is accountable for them, or why a five-year-old service account still has access to production. The usual answer is a spreadsheet that was accurate for about two weeks.
What It Does
- Complete inventory: a daily scan reads the tenant through Microsoft Graph and picks up every shared mailbox, M365 group, Team, SharePoint site, security group and service principal. New objects appear in the registry the day they are created.
- A named owner for everything: each object gets a primary and a backup owner. An object without an owner is not a footnote — it is the top item on the dashboard until someone is accountable.
- Recertification that runs itself: on a rotation you choose per object (monthly, every six months, or yearly), owners receive one email with one question — is this still needed? One click answers it, with no login and no training.
- Escalation with an end point: if nobody answers after two reminders, the registry opens a ticket in your service desk. A human decides what happens next.
- Evidence, not promises: every scan result, email, reminder, answer and escalation lands in an append-only audit log, so any object's full governance history can be reconstructed — the trail ISO 27001 and SOC 2 assessors ask for.
- Custom object types: register on-prem service accounts, file shares and your own object types by hand, for everything the Graph scan cannot see.
What It Will Not Do
Ownership Registry holds no write permissions on your tenant. It cannot disable, delete or modify anything — by design, provably, at the permission level. It also never treats silence as consent to remove something: an object whose owner is on vacation but which signed in yesterday is flagged as in use with an ownership problem, not as abandoned. Governance tools that delete on autopilot take down production integrations; this one opens tickets for humans. It complements the wider IT governance and compliance controls in your tenant.
How It Works
Connect a read-only link to your tenant in under an hour. The first scan fills the registry and the dashboard shows your ownership coverage from day one. Import known owners from an existing export and add the rest as they surface, watching coverage climb from 15% to 98%. Owners then confirm or decline by email on the schedule you set, and declined or unanswered objects become service-desk tickets with the full history attached, so your team decommissions deliberately and with evidence.
Who It Is For
IT managers, security officers and compliance leads running Microsoft 365 tenants that have grown past the point where a spreadsheet can track them — where shared mailboxes outlive their projects, group owners go stale the day someone resigns, and no one can say which objects are still needed or who is accountable for them.
Architecture and Security
The stack is deliberately small and auditable: Node.js 22, TypeScript, Fastify and PostgreSQL 17, with a React single-page app for administration. The audit log is append-only and enforced by a database trigger, so no code path can rewrite history. The tenant connection uses Microsoft Graph with app-only client credentials and read-only application permissions, plus Mail.Send for notifications; pagination and throttling are handled, and a failed collector never corrupts inventory state. Admin access is protected by Microsoft Entra ID sign-in (PKCE) with a dedicated app role, while the owner response page needs no login at all — it works with single-use token links. These are the same cloud security principles we apply across customer tenants.
Hosting and Cost
Ownership Registry runs on any Docker host on-premises or in a private cloud, and needs no inbound connections from Microsoft — it only calls out to Graph. The same container setup maps directly to Azure Container Apps with Azure Database for PostgreSQL, where a typical single-tenant deployment runs on €15–25 per month of infrastructure. All registry and audit data stays in your database, wherever you run it; nothing is stored outside your environment.
IDE Solutions builds and operates Ownership Registry and supports you end to end: tenant onboarding, hosting on your infrastructure or fully managed, import of existing ownership records, custom object types, and ongoing operation alongside our Microsoft 365 services and managed Azure cloud. Contact us for a demo against your own tenant — read-only, with evidence on the dashboard the same day.