Monitoring the Removal of Office 365 Groups (and Teams)

Group Soft-deleted Recovery

Preventing Office 365 Group Owners Doing the Wrong Thing

I recently received a question from a reader asking if there was any way to prevent the owners of Office 365 Groups from being able to remove groups. The fear is that someone will go ahead and remove a group that holds important information.

The answer is that you can do nothing to prevent an owner removing a group, including all the resources associated with the group – mailbox, team site, team, plan, notebook, and so on. Office 365 gives tenant administrators the tools to restrict group creation but offers nothing to stop group removal. Owners are all-powerful when it comes to their group.

Different in the Cloud

If you worked with SharePoint on-premises, granting this kind of authority to group owners might seem excessive. In the world of SharePoint on-premises, it’s a big deal to create a site collection and those who have control over site collections tend to be people who know their way around SharePoint permissions and administrative functions.

Things are a lot more democratic in the cloud, at least in this respect. Every Office 365 group (or team) has its own site collection. And every group or team has its own set of owners that have all the control in the world over the site collection due to the radically simplified membership model used by Office 365 Groups. Remember, there are only two types of permissions – owners and members, and members enjoy the rights to access any resource available to the group, up to and including the right to remove content.

Moving from the structured, controlled, and permission-tight on-premises world to Office 365 needs a cultural shift on the part of tenant administrators. New apps like Groups and Teams bring new ways of working that do not sit well with some, but it’s indicative of a transition for applications like SharePoint and Exchange, which are the center of their own universes on-premises, to become providers of functionality in the cloud. SharePoint Online makes document management functionality available to Office 365 apps; Exchange does likewise for mailbox and calendar functionality. It’s a big step change.

Options to Control Group Deletion

To return to the original question, is there anything that you can do to check deletions of groups and their associated resources? Well, there’s nothing available in the Office 365 Admin Center to address the problem, so you must create your own solution. And because neither the cmdlets used to work with Office 365 Groups nor those for Teams support the Exchange RBAC model, we cannot make the Remove-UnifiedGroup or Remove-Team cmdlets unavailable to team owners. But here are a few options for you to consider.

First, Paul Cunningham has a potential solution on Practical365.com. In this case, you run PowerShell scripts to track changes made to Office 365 Groups in a tenant, including deleted groups. You can then review the list of deleted groups and decide whether you should recover any of the groups.

Second, you could apply Office 365 classification labels as the default label for the SharePoint document libraries used by groups. When a library has a default label, SharePoint stamps all the existing documents in the library with the label and applies the label to new documents upon creation. This approach will not stop owners removing groups, but it does make sure that you will not lose important documents if you forget to recover a deleted group.

Third, you could write your own solution with PowerShell to exploit the fact that Office 365 keeps deleted groups in a soft-deleted state for 30 days. All deleted groups go through this stage whether an owner or administrator removes a group through OWA, PowerShell, Teams, Planner, the Exchange Admin Center, the Office 365 Admin Center, or a mobile app. During this time, you can recover a deleted group and restore it to full health.

What you might want to do is create a script to run daily to:

  • Use the Get-AzureADMSDeletedGroup cmdlet to create a list of soft-deleted groups. For example, this command lists all soft-deleted groups in ascending date order, so that the groups approaching the end of their soft-deleted period appear first.

Get-AzureADMSDeletedGroup | Sort-Object DeletedDateTime | Format-Table Id, DisplayName, DeletedDateTime, Description -AutoSize

  • Email the list to tenant administrators for review, potentially highlighting groups due for permanent deletion in the next five days. You could use something like this to focus on groups that need attention.

# A group deleted 25 or more days ago has five days or fewer left in its 30-day soft-deleted window
$CheckDate = (Get-Date).AddDays(-25)
$Today = (Get-Date)
$Grp = (Get-AzureADMSDeletedGroup | Sort-Object DeletedDateTime | Select-Object Id, DisplayName, DeletedDateTime, Description)
$Grp   # Show the full list of soft-deleted groups
ForEach ($G in $Grp) {
    If ($G.DeletedDateTime -le $CheckDate) {
        # Permanent removal happens 30 days after the soft delete
        $TimeToGo = ($G.DeletedDateTime).AddDays(30) - $Today
        $Line = $G.DisplayName + " is due for permanent removal on " + ($G.DeletedDateTime).AddDays(30) + ". You have " + $TimeToGo.Days + " days and about " + $TimeToGo.Hours + " hours to recover the group."
        Write-Host $Line -ForegroundColor Red
    }
}

After originally publishing this article, I was reminded by Christophe Fiessinger (Microsoft) that you can also use Office 365 activity alerts or alert policies to receive email notifications when someone deletes a group.
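As an added example (not code from the original article), here is one way to package the daily check described above as a reusable function that returns objects rather than console text, so the same report can be formatted for the screen and mailed to administrators. It assumes the AzureAD module is installed and that Connect-AzureAD has already been run; the function name, the $RetentionDays and $WarnDays parameters, and the SMTP addresses are this example’s own choices.

```powershell
# Added example: daily report of soft-deleted Office 365 Groups, flagging those
# within $WarnDays of permanent deletion. Requires an existing Connect-AzureAD session.
function Get-SoftDeletedGroupReport {
    [CmdletBinding()]
    param (
        [int]$RetentionDays = 30,        # Soft-delete window described in the article
        [int]$WarnDays = 5,              # Flag groups that purge within this many days
        [datetime]$Now = (Get-Date)
    )
    Get-AzureADMSDeletedGroup |
        Sort-Object DeletedDateTime |
        ForEach-Object {
            $PurgeDate = $_.DeletedDateTime.AddDays($RetentionDays)
            $Remaining = $PurgeDate - $Now
            [PSCustomObject]@{
                Id              = $_.Id
                DisplayName     = $_.DisplayName
                DeletedDateTime = $_.DeletedDateTime
                PurgeDate       = $PurgeDate
                DaysLeft        = [math]::Floor($Remaining.TotalDays)
                Urgent          = ($Remaining.TotalDays -le $WarnDays)
            }
        }
}

$Report = Get-SoftDeletedGroupReport -WarnDays 5
$Urgent = @($Report | Where-Object Urgent)

# Console view for whoever runs the script; groups closest to purge appear first
$Report | Format-Table DisplayName, DeletedDateTime, PurgeDate, DaysLeft, Urgent -AutoSize

# Mail only the urgent ones to administrators (addresses and SMTP host are placeholders)
if ($Urgent.Count -gt 0) {
    $Body = ($Urgent | ForEach-Object {
        "$($_.DisplayName) is due for permanent removal on $($_.PurgeDate) ($($_.DaysLeft) days left). Group Id: $($_.Id)"
    }) -join "`n"
    Send-MailMessage -From 'o365-alerts@example.com' -To 'admins@example.com' `
        -Subject "Soft-deleted groups expiring within 5 days: $($Urgent.Count)" `
        -Body $Body -SmtpServer 'smtp.example.com'
}
```

Returning objects keeps the threshold logic separate from presentation: the same $Report can be exported with Export-Csv for an audit trail of what was soft-deleted on each run, which is useful when you later need to work out when a group disappeared and who should have been asked before it was purged.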

Recovery Can Take Time

Recovery of a soft-deleted group is a matter of running the Restore-AzureADMSDeletedDirectoryObject cmdlet (see this article). Behind the scenes, Office 365 synchronizes details of the restored group to the different workloads to make applications aware that the group is back in business. Synchronization to application directories like EXODS (for Exchange Online) or SPODS (for SharePoint Online) is rapid. It takes a little longer for all the resources managed by the workloads to become available.
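The restore step, as an added example rather than code from the article: a wrapper that first confirms the group is actually still in the soft-deleted list (so a stale or mistyped Id fails clearly instead of silently), supports -WhatIf, and then polls the directory until the restored object is visible again. It assumes the AzureAD module and an existing Connect-AzureAD session; the function name, the polling interval and the timeout are this example’s assumptions.

```powershell
# Added example: restore a soft-deleted group by Id with a pre-check and a
# short wait for the directory object to reappear. Requires Connect-AzureAD.
function Restore-SoftDeletedGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory)][string]$GroupId,
        [int]$TimeoutSeconds = 300,      # How long to wait for the directory object
        [int]$PollSeconds = 15
    )

    # Only objects still inside the 30-day window can be restored
    $Deleted = Get-AzureADMSDeletedGroup | Where-Object Id -eq $GroupId
    if (-not $Deleted) {
        throw "Group $GroupId is not in the soft-deleted list: it was never deleted, is already restored, or has been permanently removed."
    }

    if ($PSCmdlet.ShouldProcess($Deleted.DisplayName, 'Restore soft-deleted group')) {
        Restore-AzureADMSDeletedDirectoryObject -Id $GroupId | Out-Null

        # The directory entry normally comes back quickly; the workloads catch up afterwards
        $Deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        do {
            $Group = Get-AzureADMSGroup -Id $GroupId -ErrorAction SilentlyContinue
            if ($Group) {
                Write-Verbose "Group '$($Group.DisplayName)' is visible in the directory again."
                return $Group
            }
            Start-Sleep -Seconds $PollSeconds
        } while ((Get-Date) -lt $Deadline)

        Write-Warning "Restore of $GroupId was submitted but the group is not yet visible after $TimeoutSeconds seconds; directory synchronization may still be in progress."
    }
}

# Usage: preview first, then restore for real
# Restore-SoftDeletedGroup -GroupId '<soft-deleted group Id from Get-AzureADMSDeletedGroup>' -WhatIf
# Restore-SoftDeletedGroup -GroupId '<soft-deleted group Id from Get-AzureADMSDeletedGroup>' -Verbose
```

Seeing the group object again via Get-AzureADMSGroup only tells you the directory part is done; the mailbox, site and team follow on their own schedules, so the wrapper returns as soon as the directory object is back rather than trying to wait for every workload.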

Teams is invariably the last workload to complete, and it can take up to 24 hours following recovery before a restored team appears in clients. There is no obvious reason why Teams should be so slow except that the background processes to reconnect chats and media from the underlying Azure services take their own good time.

Cultural Transitions

This is only one example of how people who want the way things worked on-premises to be the same in the cloud are invariably disappointed. Office 365 used to be composed of thinly-disguised versions of on-premises applications. It’s a very different place now, and if you don’t change your thinking and evolve to keep pace with the cloud, you’re not going to be happy.

Follow Tony on Twitter @12Knocksinna.
