Why the Office 365 Group Expiration Policy Needs Help
Blessed Relief at Office 365 Groups Expire
On March 14, Microsoft said that the Azure Active Directory expiration policy for Office 365 Groups was now generally available. The world sighed with relief, and then we all remembered that the expiration policy is a premium feature. In other words, you need an Azure AD Premium P1 license “for every user who is a member of an Office 365 group configured for expiration.”
Why Expiration is a Necessary Evil
In this case, I don’t mind Microsoft charging extra for a feature that can help bring order to unruly groups. Some tenants now have several thousand groups created for Outlook Groups, Teams, Yammer, and so on. I am sure that solid justification exists for each one of the groups through some urgent need for people to collaborate, but the cynical (or experienced) side of me says that many of these groups will be short lived. People think they need a group or team and spin it up or convince an administrator to create one for them, and promptly cease using the new collaboration space soon thereafter. This happened with public folders, shared mailboxes, site mailboxes, Yammer groups, team sites, and pretty well any other attempt by Microsoft to conquer collaboration.
The Problem with the Expiration Policy
The expiration policy works, and it does a good job of expiring groups after they reach a certain age. The only problem is that age is the only criterion considered by the policy. In the eyes of the expiration policy, a group or team that is very active and one of the most important collaboration spaces in the tenant is no more or no less than a team gently withering away because all its members have left the company.
Activity Rather Than Age
The solution is to take activity into account, which is what I explore when building a report of potentially obsolete groups. Unfortunately, Microsoft doesn’t factor activity into the expiration policy, which means that surprises might occur when important groups are removed. It is easy to recover removed groups and you have 30 days to notice the problem (and if the group or team is very active, its members will protest). However, during peak vacation periods or if someone is missing due to an extended illness, the problem might be overlooked.
PowerShell Tells When Groups Expire
All of which brings me to yet another PowerShell script. As you might know, I consider PowerShell an essential skill for Office 365 administrators, and this is an example of where PowerShell fills in the bits that Microsoft leaves undone. To get a heads-up about groups that are due to expire, we need to scan for groups that come under the scope of the expiration policy, check their last renewal date, and calculate how much longer remains before they need to be renewed.
The script is straightforward, even if it can be a little slow to run against hundreds or thousands of groups.
$LifeCycle = (Get-AzureADMSGroupLifeCyclePolicy).GroupLifeTimeInDays
$Report = @()
$Today = (Get-Date)
$GroupsinPolicy = 0
Write-Host “Finding Groups to check…”
$Groups = Get-UnifiedGroup | Select DisplayName, ExternalDirectoryObjectId, WhenCreated
Write-Host $Groups.Count “found. Now checking expiration status.”
ForEach ($G in $Groups) {
$Status = $Null
$Status = (Get-AzureADMSLifecyclePolicyGroup -Id $G.ExternalDirectoryObjectId).ManagedGroupTypes
If ($Status -ne $Null) {
$Days = (New-TimeSpan -Start $G.WhenCreated -End $Today).Days
$LastRenewed = (Get-AzureADMSGroup -Id $G.ExternalDirectoryObjectId).RenewedDateTime
$NextRenewalDue = $LastRenewed.AddDays($Lifecycle)
$DaysLeft = (New-TimeSpan -Start $Today -End $NextRenewalDue).Days
$GroupsInPolicy++
$ReportLine = [PSCustomObject][Ordered]@{
Group = $G.DisplayName
Created = $G.WhenCreated
AgeinDays = $Days
LastRenewed = $LastRenewed
NextRenewal = $NextRenewalDue
DaysLeft = $DaysLeft
}
$Report += $ReportLine }
}
Clear-Host
Write-Host "Total Groups in tenant:" $Groups.Count "Total Groups covered by expiration policy:" $GroupsInPolicy
$Report | Select Group, @{n="Last Renewed"; e= {$_.LastRenewed}}, @{n="Next Renewal Due"; e={$_.NextRenewal}}, @{n="Days before Expiration"; e={$_.DaysLeft}}
Here’s an example of the output. As you can see, the report tells me that I can relax because my groups will not expire anytime soon.
Total Groups in tenant: 159 Total Groups covered by expiration policy: 22 Group Last Renewed Next Renewal Due Days before Expiration ----- ------------ ---------------- ---------------------- Ask HR! 24/05/2017 09:35:16 13/06/2019 09:35:16 439 Office 365 for IT Pros 12/03/2018 14:07:16 31/03/2020 14:07:16 731 Advertising Committee 14/03/2018 19:36:44 02/04/2020 19:36:44 733 Corporate Accounting (Billing) 24/05/2017 09:33:29 13/06/2019 09:33:29 439 Aliso Veijo Hotels 16/05/2016 15:41:37 05/06/2018 15:41:37 66 Ben Owens Reports 28/09/2016 12:58:54 18/10/2018 12:58:54 201 The New Hydra Project Team 02/11/2016 21:38:47 22/11/2018 21:38:47 236
Creating a DIY Expiration Policy
Given the undoubted deficiencies that are obvious in the current expiration policy, it would not surprise me if Microsoft improves how the policy works in the next version. But that’s no reason for you to wait. You can use a script to find obsolete groups based on low activity and archive those groups after checking their actual usage. You could even combine the two scripts to create your own version of an activity-based expiration policy – and without having to pay for a single Azure AD Premium license.
Or just wait for Microsoft to do the right thing. They will – eventually.
Follow Tony on Twitter @12Knocksinna.
Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.