Sep 28 2023 03:09 PM
Compliance-Driven Access Control in Teams and SharePoint
We have specific compliance requirements for Teams and SharePoint, particularly for those that contain sensitive data. The key requirements include:
To address these requirements, we use Azure Entitlement Management: Azure Access Reviews and Packages. This approach requires that each member undergo a two-step review process via Azure Access Package and Azure Access Review before being added to a team.
Teams and SharePoint sites without compliance needs (those without sensitive data) should remain unaffected by any policy or restrictions.
However, we are facing a challenge. Despite using the Access Package for access, a team owner can still add users directly to Teams. It's essential to note that a Team cannot function without an owner. And a Team cannot be without an owner.
Solutions Under Consideration:
I'd appreciate insights, suggestions, or recommendations from the community regarding the above or any alternative methods to address our challenge!