O365 Groups Tidbit - Expiration Policy for O365 Groups
Following up on my last O365 Groups post (see this article), I thought I would go further into expiration policies, as they help you manage O365 Groups and keep stale groups (together with the SharePoint sites, mailboxes and Teams attached to them) from accumulating in your organization's Azure AD.
What kind of licensing do I need and what role is needed?
This feature requires an Azure AD Premium subscription: every member of a group that has the policy applied needs this license, and you need to be a Global Admin (Company Administrator) or User Admin to configure it.
Why would I configure this?
This feature lets AAD admins manage the lifecycle of O365 Groups with minimal interaction from them or from the group owners. It provides a simple periodic check that the group is still needed, and gives owners an opportunity to recover the group themselves if it was deleted because they missed or ignored the renewal requests.
How do I configure this?
- Open the Azure AD admin center and navigate to Groups, then Expiration.
- For the first field (group lifetime in days) select 180, 365 or Custom. If you choose ‘Custom’ a field appears for an integer equal to or greater than 1; we recommend a minimum of 31, because the first renewal notification is sent 30 days before expiry and a shorter lifetime gives owners almost no warning.
- For the second field provide the email address of a monitored mailbox. Renewal and deletion notifications for groups that have no owner are sent here, so it must be a mailbox somebody actually reads.
- Select All, Selected or None. If you choose ‘Selected’ you are shown the available groups so you can pick those the policy should apply to.
- Click Save.
How does it work?
First, it’s important to understand that the expiration date is the group’s creation date plus the number of days configured in the AAD portal (once a group has been renewed, it is the renewal date plus that number of days).
The group owner receives an email 30, 15 and 1 days before the expiration date asking them to verify that the group is still in use. If they do not verify by the expiration date, or confirm that the group is no longer needed, the group object is deleted and retained for 30 days. The day after the group is deleted the owner receives an email explaining how to restore it. The group can be restored within those 30 days; after that it is permanently deleted. If the group has objects such as SharePoint sites or a mailbox attached, the restore process can take up to 24 hours.
If objects attached to the group have retention policies or legal holds applied at the time of deletion, they are moved to the respective holding locations in the Security & Compliance Center for the retention period and are deleted only after it ends.
What happens if the Owner(s) have left the organization?
When the admin configured the feature they provided an email address. If a group has no owner at all (remember a group can have multiple owners, so this means every one of them has left), the emails described above are sent to that address instead.
PowerShell cmdlets
- Get-AzureADMSGroupLifecyclePolicy
- New-AzureADMSGroupLifecyclePolicy
- Set-AzureADMSGroupLifecyclePolicy
- Remove-AzureADMSGroupLifecyclePolicy
- Add-AzureADMSLifecyclePolicyGroup
- Remove-AzureADMSLifecyclePolicyGroup
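The following script is an added example, not code from the original post, showing the portal steps above done with the cmdlets just listed, plus a check for the ownerless groups whose notifications would fall back to the alternate mailbox. It assumes the AzureAD module is installed, that the lifetime (180 days), the alternate mailbox address and the group display name are placeholders you replace with your own, and it also uses Get-AzureADMSLifecyclePolicyGroup and Get-AzureADGroupOwner from the same module, which are not in the list above.

```powershell
# Added example (not from the original post): configure an O365 Groups expiration
# policy and find the groups that have no owner to receive its notifications.
# Assumed placeholder values: lifetime, alternate mailbox and group display name.

Import-Module AzureAD
Connect-AzureAD   # sign in as a Global Admin or User Admin

$LifetimeInDays   = 180                               # assumed
$AlternateMailbox = 'groups-expiry@contoso.com'       # assumed, must be a monitored mailbox

# A tenant holds a single group lifecycle policy; update it if one already exists.
$policy = Get-AzureADMSGroupLifecyclePolicy
if (-not $policy) {
    New-AzureADMSGroupLifecyclePolicy `
        -GroupLifetimeInDays $LifetimeInDays `
        -ManagedGroupTypes 'Selected' `
        -AlternateNotificationEmails $AlternateMailbox | Out-Null
} else {
    Set-AzureADMSGroupLifecyclePolicy -Id $policy.Id `
        -GroupLifetimeInDays $LifetimeInDays `
        -ManagedGroupTypes 'Selected' `
        -AlternateNotificationEmails $AlternateMailbox | Out-Null
}
$policy = Get-AzureADMSGroupLifecyclePolicy   # re-read so $policy.Id is populated either way

# With ManagedGroupTypes 'Selected' the policy applies to nothing until groups are added.
$group = Get-AzureADMSGroup -Filter "displayName eq 'Project Falcon'"   # assumed group name
Add-AzureADMSLifecyclePolicyGroup -Id $policy.Id -GroupId $group.Id

# Confirm which policy now governs that group (returns nothing for an unmanaged group).
Get-AzureADMSLifecyclePolicyGroup -Id $group.Id

# Ownerless check: renewal and deletion mails for these groups go to the alternate
# mailbox instead of an owner. 'Unified' is the group type of Office 365 Groups.
$ownerless = Get-AzureADMSGroup -All $true -Filter "groupTypes/any(c:c eq 'Unified')" |
    Where-Object { -not (Get-AzureADGroupOwner -ObjectId $_.Id) }
$ownerless | Select-Object DisplayName, Id

# To take a group out of the policy again:
# Remove-AzureADMSLifecyclePolicyGroup -Id $policy.Id -GroupId $group.Id
```

The ownerless check is the part worth running on a schedule: an expiring group with no owner will be deleted unless whoever reads the alternate mailbox renews it, so a list of such groups tells you where to assign owners before the 30-day notice goes out.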