Whenever the expiration policy changes, a calculation will be done based on the group creation date. You can find the group creation date by using Microsoft Graph. Off the top of my head, if you install the Microsoft.Graph PowerShell module and connect with a user with sufficient permissions, you could use the Get-MgGroup cmdlet. Make sure to pass along the -Property argument and include createdDate and createdDateTime.
How to check o365 group expiration prior to turning rule
We're looking at enabling group expiration for O365 groups in Azure AD (groups > expiration)
Is there a way to audit what groups would be triggered by this policy before enabling it?
According to this page https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-lifecycle - groups older than the expiration once the policy is set will be set to 35 days
So my understanding is, if we set a policy for expiration after 180 days, and there's a group that was 200 days since last activity, it's given a grace period of 35 days, correct?
My hope is there is some way we can audit this to know the impact before we turn it on. If there's suddenly going to be hundreds of alerts being sent out, that would be good to know before activating this policy.
3 answers
Alfredo Revilla - Senior Freelance SWE, SWA, IAM 27,016 Reputation points
2022-06-24T23:06:11.857+00:00
Hello @Matthew P, if the group age in days is greater than the expiration interval, then the 35 days grace period will be set for them.
To see which groups will get a grace period you can use the following PowerShell script:
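    # Sign in with read access to groups
    Connect-MgGraph -Scopes "Group.Read.All"
    # Groups created on or before the cutoff are older than the interval (30 days here; use your policy's lifetime)
    Get-MgGroup -All | Where-Object CreatedDateTime -LE ([datetime]::UtcNow).AddDays(-30)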
Selected groups will be impacted in the same way; emails will be sent only if the group has not been renewed.
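A pre-enablement audit along the lines described above, as an added example that is not part of the original answer. `Get-GroupExpirationImpact` is a hypothetical helper name; the example assumes group age is measured from `CreatedDateTime`, uses the 180-day lifetime from the question, and runs on constructed sample data so it works offline.

```powershell
# Added example, not the answerer's code.
# Get-GroupExpirationImpact is a hypothetical helper, not a Graph cmdlet.
function Get-GroupExpirationImpact {
    param(
        [Parameter(Mandatory)] [object[]] $Groups,
        [int] $LifetimeDays = 180,              # proposed policy lifetime (from the question)
        [int] $GraceDays = 35,                  # grace period stated on the page
        [datetime] $AsOf = [datetime]::UtcNow   # the day the policy would be enabled
    )
    $AsOf = $AsOf.ToUniversalTime()             # DateTime subtraction ignores Kind, so normalise
    foreach ($g in $Groups) {
        $created = ([datetime]$g.CreatedDateTime).ToUniversalTime()
        $ageDays = [math]::Floor(($AsOf - $created).TotalDays)
        $overdue = $ageDays -gt $LifetimeDays   # older than the interval: gets the grace period
        [pscustomobject]@{
            DisplayName     = $g.DisplayName
            AgeDays         = $ageDays
            GetsGracePeriod = $overdue
            ProjectedExpiry = if ($overdue) { $AsOf.AddDays($GraceDays) }
                              else { $created.AddDays($LifetimeDays) }
        }
    }
}

# Constructed sample data standing in for Get-MgGroup output.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Project Apollo'; CreatedDateTime = '2023-11-14T00:00:00Z' }  # 200 days old
    [pscustomobject]@{ DisplayName = 'Finance Team';   CreatedDateTime = '2024-04-02T00:00:00Z' }  # 60 days old
)
$asOf = [datetime]'2024-06-01T00:00:00Z'

Get-GroupExpirationImpact -Groups $sample -LifetimeDays 180 -AsOf $asOf |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize

# Against a live tenant (requires the Microsoft.Graph module), replace $sample with:
# Connect-MgGraph -Scopes 'Group.Read.All'
# $groups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" `
#               -Property Id,DisplayName,CreatedDateTime
# Get-GroupExpirationImpact -Groups $groups -LifetimeDays 180 |
#     Where-Object GetsGracePeriod | Measure-Object
```

The count from the last commented pipeline is the number of groups that would enter the 35-day grace window on the day the policy is switched on.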
Freddie Christiansen 1 Reputation point
2024-04-17T12:26:35.3433333+00:00
You can use the Microsoft Graph to get the expirationDateTime for when a group in Entra ID is due to be deleted.
GET https://graph.microsoft.com/v1.0/groups/{group-id}?$select=displayName,expirationDateTime