Expiring Office 365 Groups

As a systems admin, one of the most challenging things about coming into a new environment used to be the same thing that made staying in an environment long-term a challenge: managing groups.


You start a new job and you're staring down the barrel of the last guy's idea of best practices. In a small shop, you might get lucky and have only a handful of resources to manage at all, but in every shop I've supported, there are thousands (upon thousands) of groups. Not even counting distribution groups, I probably had close to 9000 groups in my last job, and that's not a huge number at all. But trying to figure out what they are, why they exist, and whom to ask? That's a herculean effort that normally just results in a group graveyard that you're stuck replicating in your AD for years...and years.


At one point I got approval to try to streamline it, assigning domain local groups to resources by access level, then building domain global role groups and assigning users to those, then tying them together. Pulling audit reports became much more complicated, and the help desk (in spite of training) continued to assign users directly to the resource groups. It took 6 months to get through one department, and the project was ultimately terminated (fixing groups is easy; fixing processes is another matter entirely).


Windows Server 2016 brought expiring (time-limited) group membership to on-prem Active Directory. While I've been excited to see a number of organizations begin to embrace Windows Server 2016 Active Directory, I was disappointed the feature didn't immediately make its way to Azure AD.


Just announced Friday? Azure AD Premium Expiring Groups. Woohoo!


Now an Office 365 Group can be set to expire, provided all members of that group have an Azure AD Premium license. Current options are limited to a lifetime in days, with a recommended minimum of 31. You can also apply a default policy to every Office 365 Group in the tenant, though that will likely be overkill for most organizations.


When a group comes up for expiration, the group owners receive a prompt to either let the group expire or manually renew it. Make sure a business user is a group owner, so they share responsibility for keeping your environment clean, up-to-date, and secured against forgotten permissions. A group with no owner has nobody to answer that prompt, so check ownership before you turn expiration on.


Expiration notices are sent 30, 15, and 1 days prior to expiration, and expired groups can be recovered for up to 30 days past expiration.


Delightfully, this new capability also comes with a new version of the Azure AD PowerShell module (2.0.0.137) that adds group lifecycle policy cmdlets.
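As an added example (not code from the original post or from Microsoft), here is the whole procedure above in one script: create a lifecycle policy that applies only to selected groups, refuse to enrol a group that has no owner, attach the policy, confirm it, and reset the expiration clock. It assumes the AzureADPreview module (2.0.0.137 or later) is installed, that Connect-AzureAD has already been run with sufficient rights, and that the group display name and alternate notification mailbox are placeholders you replace with your own.

```powershell
# Added example: Office 365 Group expiration with the AzureADPreview lifecycle cmdlets.
# Assumptions: Connect-AzureAD already run; 'Finance Projects' and
# 'groupadmins@contoso.com' are constructed placeholders, not real tenant values.

$targetGroupName = 'Finance Projects'              # placeholder
$alternateEmail  = 'groupadmins@contoso.com'       # placeholder: receives notices for ownerless groups
$lifetimeDays    = 180

# Return every Office 365 (Unified) Group that has no owner. Expiration prompts
# for these groups would only reach the alternate mailbox, so fix them first.
function Get-OwnerlessUnifiedGroup {
    Get-AzureADMSGroup -All $true |
        Where-Object { $_.GroupTypes -contains 'Unified' } |
        Where-Object { -not (Get-AzureADGroupOwner -ObjectId $_.Id) }
}

# Return the tenant's existing policy, or create one that only covers groups we
# explicitly add ('Selected'), rather than 'All' or 'None'.
function Get-OrCreateLifecyclePolicy {
    $policy = Get-AzureADMSGroupLifecyclePolicy | Select-Object -First 1
    if (-not $policy) {
        $policy = New-AzureADMSGroupLifecyclePolicy `
            -GroupLifetimeInDays $lifetimeDays `
            -ManagedGroupTypes 'Selected' `
            -AlternateNotificationEmails $alternateEmail
    }
    return $policy
}

# Report ownerless groups before touching any policy.
$ownerless = Get-OwnerlessUnifiedGroup
if ($ownerless) {
    Write-Warning "Office 365 Groups with no owner (assign a business owner before enrolling):"
    $ownerless | Select-Object DisplayName, Id | Format-Table -AutoSize
}

$policy = Get-OrCreateLifecyclePolicy

# Locate the target group and refuse to enrol it if nobody owns it.
$group = Get-AzureADMSGroup -All $true |
    Where-Object { $_.GroupTypes -contains 'Unified' -and $_.DisplayName -eq $targetGroupName } |
    Select-Object -First 1
if (-not $group) { throw "No Office 365 Group named '$targetGroupName' was found." }
if (-not (Get-AzureADGroupOwner -ObjectId $group.Id)) {
    throw "Group '$($group.DisplayName)' has no owner; assign one before applying expiration."
}

# Attach the policy to this one group, then confirm the association.
Add-AzureADMSLifecyclePolicyGroup -Id $policy.Id -GroupId $group.Id
Get-AzureADMSLifecyclePolicyGroup -Id $group.Id

# Renewing from PowerShell resets the expiration clock, the same as an owner
# clicking "renew" in the notification email.
Reset-AzureADMSLifeCycleGroup -Id $group.Id
```

Running this against a tenant with no existing policy creates one with 'Selected' scope, so groups you have not explicitly added keep living indefinitely; change `-ManagedGroupTypes` to 'All' only after the ownerless-group report comes back empty, or the alternate mailbox will be the one fielding every expiration notice.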

© Copyright 2019 by Synergy Technical
