How to Archive Inactive Office 365 Groups (and Teams)


Office 365 Groups Fade Out Eventually

Sooner or later some of the Office 365 Groups or Teams created within a tenant will become inactive. When this happens, you might be able to remove the group because the data in its resources is no longer needed. However, given the litigious nature of the business world, some might need to be retained for compliance purposes. There’s no out-of-the-box method to mark an Office 365 group or team as inactive, but we can accomplish the goal with PowerShell.

Nice Vision with a Downside

Microsoft’s vision for Groups and Teams is that they are collaboration platforms that users should be able to create and use without hindrance. It’s a nice idea because it gives users collaboration tools to get things done.

Nice as the vision is, there is a downside. If you allow users to create new groups without oversight, you can end up with groups that are created for a purpose, used, and then discarded. This is not an issue in terms of resources because Microsoft provides the necessary horsepower to create as many mailboxes, sites, and plans as you might need. However, it is an issue for address lists as the organization GAL can become very cluttered with groups.

The Joy of Clutter

We’ve seen similar problems in the past when administrators failed to secure the public folder root. Twenty years after Exchange 4.0 launched public folders on the unsuspecting world, we know all about the problems that free and easy creation cause. Many organizations now struggle to manage public folder rot, let alone the data held in those folders.

I’ve written about how you can identify obsolete Office 365 groups with PowerShell. The basic premise is that a group is inactive and becomes a candidate to be removed when no use is recorded of either the group mailbox, SharePoint site, or (for teams-enabled groups) chats.

Microsoft’s group expiration policy is another way to address the problem by removing groups once they reach a certain age. Unless, that is, you have a need to keep an obsolete group for compliance purposes.

Keeping Information Until Needed

Let’s assume that you spin up a group to assist in the planning and coordination of a financial project. After the project finishes, its group contains conversations about project issues, the calendar of meetings, and all the documents related to the project. This information might have to be retained for an extended period to meet the compliance regime that applies to the company. Office 365 event-based retention helps with this problem, but only if you apply suitable classification labels to all the content you need to keep.

One way to keep information for compliance purposes is to put a group into a state where its content is still available but cannot be accessed by users. However, there’s no equivalent of Exchange inactive mailboxes where holds placed on mailboxes control their retention. A different approach is needed.

Conceptually, the steps to archive a group are straightforward:

  • Add a new group owner (they must be added as a member first). Ideally, this should be a special compliance administration account instead of a tenant administrator.
  • Remove all owners from the group’s membership list.
  • Remove all users from the group’s membership list.
  • Ensure that the group is private so that its documents can’t be found by Delve or other searches.
  • Block email by changing the group’s primary SMTP address and setting the RequireSenderAuthenticationEnabled property to $True to stop any external email being sent to the group. You could also change the primary SMTP address of the group to stop internal users sending email to the group.
  • Hide the group so that it is removed from the GAL.

The archived group is hidden from user view and unavailable through Teams, Planner, or any other group-enabled application.

We can also take advantage of the group custom properties to add some information to mark the group as inactive but retained for compliance. This will make archived groups easier to find if required. The result is that we have a hidden group where the data remains indexed and available for compliance purposes.

PowerShell Solves the Problem

Although Microsoft doesn’t provide an out-of-the-box method to archive groups, we can do the job with PowerShell. Here’s a script containing the code to do all the necessary work.

$CheckGroup = Read-Host -Prompt "Enter alias of group to archive"
$AGroup = (Get-UnifiedGroup -Identity $CheckGroup -ErrorAction SilentlyContinue)
If ($AGroup) {
     Write-Host "Archiving" $AGroup.DisplayName -ForegroundColor Yellow
   } Else {
     Write-Host $CheckGroup "group not found - terminating"
     Return }

# Get lists of current owners and members (captured before the new owner is added)
$CurrentOwners = (Get-UnifiedGroupLinks -Identity $AGroup.Alias -LinkType Owners | Select Name)
$CurrentMembers = (Get-UnifiedGroupLinks -Identity $AGroup.Alias -LinkType Members | Select Name)
# Add a new owner - this is the account that will continue to access the group
$AdminAccount = "Compliance Administrator"
Add-UnifiedGroupLinks -Identity $AGroup.Alias -LinkType Members -Links $AdminAccount
Add-UnifiedGroupLinks -Identity $AGroup.Alias -LinkType Owners -Links $AdminAccount
# Remove the other owners first, then the members (-Confirm:$False suppresses the prompt)
ForEach ($O in $CurrentOwners) {
        Remove-UnifiedGroupLinks -Identity $AGroup.Alias -LinkType Owners -Links $O.Name -Confirm:$False }
ForEach ($M in $CurrentMembers) {
        Remove-UnifiedGroupLinks -Identity $AGroup.Alias -LinkType Members -Links $M.Name -Confirm:$False }

# Create SMTP Address for the archived group
$OldSmtpAddress = $AGroup.PrimarySmtpAddress -Split "@"
$NewSmtpAddress = $OldSmtpAddress[0] +  "_archived" + "@" + $OldSmtpAddress[1]
$AddressRemove = "smtp:"+$AGroup.PrimarySmtpAddress
# Update Group properties: private, hidden, no external senders, marked as archived with a timestamp
Set-UnifiedGroup -Identity $AGroup.Alias -AccessType Private -RequireSenderAuthenticationEnabled $True -HiddenFromAddressListsEnabled $True -CustomAttribute1 "Archived" -CustomAttribute2 (Get-Date -Format s) -PrimarySmtpAddress $NewSmtpAddress
# Remove the old primary address so that it no longer resolves to the group
Set-UnifiedGroup -Identity $AGroup.Alias -EmailAddresses @{remove=$AddressRemove}

Write-Host $AGroup.DisplayName "is now archived and" $AdminAccount "is the new group owner"

A short time after the script runs, the group will disappear from clients. The exact time depends on the client. It is fastest for OWA because that client reads from the online directory. It is slowest for Teams because of the need to synchronize the changes with the Teams directory.

Finding Archived Groups

Marking archived groups through a custom property allows us to identify these groups very quickly. This command lists all groups marked as being archived:

[PS] C:\> Get-UnifiedGroup -Filter {CustomAttribute1 -eq "Archived"} | Select DisplayName
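
The marker in CustomAttribute1 only records that a group was archived. The following added example (not part of the original article) checks whether a group still matches the state the archive script sets, so that a re-added member or an unhidden group shows up in review. The function name Test-ArchivedGroupState and the sample group and user are constructed for illustration; the "_archived" suffix and the "Compliance Administrator" account come from the script above.

```powershell
# Added example: report drift from the archived state for one group.
function Test-ArchivedGroupState {
    param(
        [Parameter(Mandatory)] $Group,      # object carrying Get-UnifiedGroup properties
        [string[]] $Owners  = @(),          # names from Get-UnifiedGroupLinks -LinkType Owners
        [string[]] $Members = @(),          # names from Get-UnifiedGroupLinks -LinkType Members
        [Parameter(Mandatory)] [string] $AdminAccount
    )
    $Findings = @()
    if ($Group.CustomAttribute1 -ne 'Archived')         { $Findings += 'Not marked as Archived' }
    if ($Group.AccessType -ne 'Private')                { $Findings += 'Group is not private' }
    if (-not $Group.HiddenFromAddressListsEnabled)      { $Findings += 'Group is visible in the GAL' }
    if (-not $Group.RequireSenderAuthenticationEnabled) { $Findings += 'External senders are accepted' }
    if ("$($Group.PrimarySmtpAddress)" -notlike '*_archived@*') {
        $Findings += 'Primary SMTP address does not carry the _archived suffix'
    }
    # Anyone other than the compliance account is unexpected after archiving
    $Extra = @($Owners + $Members | Where-Object { $_ -ne $AdminAccount } | Sort-Object -Unique)
    if ($Extra.Count -gt 0) { $Findings += "Unexpected owners/members: $($Extra -join ', ')" }
    if ($Owners -notcontains $AdminAccount) { $Findings += "$AdminAccount is not an owner" }

    [PSCustomObject]@{
        DisplayName = $Group.DisplayName
        Compliant   = ($Findings.Count -eq 0)
        Findings    = $Findings -join '; '
    }
}

# Constructed sample: an archived group that was unhidden and had a user re-added
$AdminAccount = 'Compliance Administrator'
$Sample = [PSCustomObject]@{
    DisplayName = 'Finance Project (constructed)'; CustomAttribute1 = 'Archived'
    AccessType = 'Private'; HiddenFromAddressListsEnabled = $false
    RequireSenderAuthenticationEnabled = $true
    PrimarySmtpAddress = 'finproject_archived@example.com'
}
Test-ArchivedGroupState -Group $Sample -Owners $AdminAccount `
    -Members $AdminAccount, 'Kim Akers' -AdminAccount $AdminAccount

# Against the tenant (requires a connected Exchange Online PowerShell session):
# Get-UnifiedGroup -Filter {CustomAttribute1 -eq "Archived"} | ForEach-Object {
#     $O = @((Get-UnifiedGroupLinks -Identity $_.Alias -LinkType Owners).Name)
#     $M = @((Get-UnifiedGroupLinks -Identity $_.Alias -LinkType Members).Name)
#     Test-ArchivedGroupState -Group $_ -Owners $O -Members $M -AdminAccount $AdminAccount }
```

For the constructed sample, the result has Compliant set to False, with findings for GAL visibility and the unexpected member.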

To restore an archived group to normal status, you need to assign a new owner to the group. The new owner can then add members as required and decide whether the group should be private or public. You would also need to restore the group properties to make it visible in the GAL and to remove the values in the custom properties that mark the group as archived. For example:

[PS] C:\> Set-UnifiedGroup -Identity "ArchivedGroup" -HiddenFromAddressListsEnabled $False -CustomAttribute1 $Null -CustomAttribute2 $Null

Future Archiving

Hopefully, Microsoft will recognize the need to archive groups and deliver a similar capability in the future (but they will probably make it a premium feature). In the interim, the approach taken here is fully supported because none of the steps taken are out of the ordinary. After all, it’s just PowerShell.

Follow Tony on Twitter @12Knocksinna.
