As a systems admin, one of the most challenging things about coming into a new environment used to be one of the most challenging things about staying in an environment long-term: managing groups.
You start a new job and you're staring down the barrel of the last guy's idea of best practices. In a small shop, you might get lucky and have only a handful of resources to manage at all, but in every shop I've supported, there are thousands (upon thousands) of groups. Not even counting distribution groups, I probably had close to 9000 groups in my last job, and that's not a huge number at all. But trying to figure out what they are, why they exist, and whom to ask? That's a herculean effort that normally just results in a group graveyard that you're stuck replicating in your AD for years...and years.
At one point I got approval to try to streamline it, assigning domain local groups to resources by access level, then building domain global role groups and assigning users to those, then tying them together. Pulling audit reports became much more complicated, and the help desk (in spite of training) continued to assign users directly to the resource groups. It took 6 months to get through one department, and the project was ultimately terminated (fixing groups is easy; fixing processes was another matter entirely).
Windows 2016 brought group expiration to the on-prem world. While I've been excited to see a number of organizations begin to embrace Windows 2016 Active Directory, I was disappointed the feature didn't immediately make its way to Azure AD.
Just announced Friday? Azure AD Premium Expiring Groups. Woohoo!
Now when an Office 365 Group is created, and all the members of that group have an Azure AD Premium license, that group can be set to expire. Current options are limited to a number of days, with a recommended minimum value of 31. You can even set defaults for the tenant, though that will likely be overkill for most organizations.
When a group comes up for expiration, the group owners receive a prompt to either let the group expire or manually renew it. Make sure a business user is a group owner, and they can share responsibility for keeping your environment clean, up-to-date, and secured against forgotten permissions.
Expiration notices are sent 30, 15, and 1 day(s) prior to expiration, and expired groups can be recovered for up to 30 days past expiration.
Delightfully, this new capability also includes a new version of the AAD PowerShell module (184.108.40.206) with group lifecycle policy controls.
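Since renewal prompts go to group owners, it pays to find ownerless Office 365 groups before turning expiration on. The script below is an added example, not code from this post or from Microsoft: it uses the group lifecycle cmdlets of the AzureAD/AzureADPreview module, assumes `Connect-AzureAD` has already been run, and the lifetime and e-mail address are constructed placeholders.

```powershell
# Added example. Assumes: AzureAD or AzureADPreview module loaded, Connect-AzureAD
# already run by an account allowed to manage group settings.
$lifetimeDays = 180                        # constructed value; the post's recommended minimum is 31
$fallbackMail = 'group-admins@example.com' # placeholder mailbox for notices with no owner to receive them

# 1. Inventory Office 365 (Unified) groups and flag the ones nobody owns.
#    An ownerless group has no one to answer the renewal prompt.
$unified = @(Get-AzureADMSGroup -All $true | Where-Object { $_.GroupTypes -contains 'Unified' })
$ownerless = @(foreach ($g in $unified) {
    $owners = @(Get-AzureADGroupOwner -ObjectId $g.Id)
    if ($owners.Count -eq 0) { $g | Select-Object Id, DisplayName, MailNickname }
})
$ownerless | Export-Csv -Path .\ownerless-groups.csv -NoTypeInformation
Write-Host "$($ownerless.Count) of $($unified.Count) Office 365 groups have no owner"

# 2. Create the lifecycle policy, or update the existing one.
#    'Selected' scopes expiration to groups added explicitly in step 3,
#    instead of applying it to every group in the tenant.
$policy = Get-AzureADMSGroupLifecyclePolicy | Select-Object -First 1
if ($null -eq $policy) {
    $policy = New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays $lifetimeDays `
        -ManagedGroupTypes Selected -AlternateNotificationEmails $fallbackMail
} else {
    $policy = Set-AzureADMSGroupLifecyclePolicy -Id $policy.Id -GroupLifetimeInDays $lifetimeDays `
        -ManagedGroupTypes Selected -AlternateNotificationEmails $fallbackMail
}

# 3. Put only groups that have an owner under the policy. Ownerless groups stay
#    out until someone is assigned from the CSV written in step 1.
$skipIds = @($ownerless | ForEach-Object { $_.Id })
foreach ($g in $unified) {
    if ($skipIds -contains $g.Id) { continue }
    try {
        Add-AzureADMSLifecyclePolicyGroup -Id $policy.Id -GroupId $g.Id -ErrorAction Stop | Out-Null
    } catch {
        # Typically raised when the group is already attached to the policy.
        Write-Warning "Skipped $($g.DisplayName): $($_.Exception.Message)"
    }
}

# 4. Show the resulting policy for the change record.
Get-AzureADMSGroupLifecyclePolicy | Format-List Id, GroupLifetimeInDays, ManagedGroupTypes, AlternateNotificationEmails
```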