InfoSec regulations like GDPR, PCI DSS, HIPAA, and CPG234 essentially boil down to having good control over access to data and proving that control under audit.
ISO 27001:2013 requires business reasons for why people have access to data. Spot checks at financial institutions must prove that data access is appropriate.
These are difficult things to show when permissions are a mess in Microsoft Teams, SharePoint and OneDrive.