The last time I wrote about the Azure Active Directory expiration policy for Office 365 Groups, I said that I thought the policy did a good job but that it needed improvement. In a nutshell, instead of expiring groups solely based on age, the algorithm should take user activity into account. That’s just what Microsoft has done in a revision of the policy now in private preview. The good news is that the new approach works well, even if some small tweaks would make it even better.
Easy to Miss Emailed Notifications
The old approach forced group owners to react to an email notification received 30 days before a group expired. If no response came, Office 365 soft-deleted the group and eventually, 30 days later, permanently removed the group and all its resources (SharePoint, Planner, etc.). The mechanism worked if group owners paid attention to the notification messages. If not, perhaps because the owners didn’t check email or were on vacation, there was a real danger that Office 365 would go ahead and remove an important group.
Slightly More Proactive Checking
My April 2018 article explains how to use PowerShell to check for expiring groups. Although running a PowerShell script to check group expiration status is more proactive than simply waiting for notifications to arrive, it still requires administrators to act. It’s just another thing to do in an endless list of to-do items that might never get done.
The new approach is to monitor activity within groups as they approach their expiration date. If the group is not auto-renewed, group owners receive email notifications to extend the lifetime of the group. In the background, Office 365 examines signals collected in the Microsoft Graph to decide if the group is active. The Graph gathers a very wide set of signals, but not every activity that happens in a group is considered good evidence that it is active.
Microsoft says that they will tweak the set of signals used for renewal decisions over time. For now, they look for the following signals:
- In the SharePoint site belonging to the group: a group member views, edits, downloads, moves, shares, or uploads a file.
- In Outlook conversations: a member joins the group or interacts with a conversation (reads or replies to a conversation or likes a message in a group conversation). It’s important to say that sending email to a group is not a signal used for activity. This could be an issue for groups with guest members whose only interaction with the group is via email.
- In Teams: a member opens a channel in the team.
If no signals are seen since the last time the group was renewed and the group owner doesn’t respond to the notification to renew the group, the group expires and is soft-deleted. Owners receive another email notification to tell them that the group has been removed. They can recover the group during the 30 days it stays in soft-deleted status. Recovery is impossible once a group is hard-deleted.
Once Office 365 sees signals to indicate that a group is active, it goes ahead and renews the group automatically. The same result happens as when a group owner responds to the notification and renews the group manually: the group lifetime is extended by the period set in the expiration policy (usually something like one or two years).
When a group is renewed, Office 365 logs an “Autorenew group” audit record in the Azure portal (Figure 1). An “Updated group” audit record is also captured in the Office 365 audit log. In both cases, examining the ExpirationDateTime (next expiration date) and RenewedDateTime (last renewed date) properties tells you the autorenewal details.
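As an added example (not the article’s own script, which is covered in the April 2018 piece), the check described above can be done against the same two properties, ExpirationDateTime and RenewedDateTime, to see which groups are inside the 30-day notification window and which were renewed recently, whether by an owner or by autorenewal. The example assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph and Get-MgGroup); the threshold values are constructed for illustration.

```powershell
# Added example, not from the original article.
# Assumes the Microsoft Graph PowerShell SDK is installed and the signed-in
# account can read groups (Group.Read.All).
Connect-MgGraph -Scopes "Group.Read.All"

$daysAhead   = 30          # notification window used by the expiration policy
$recentDays  = 7           # look-back for "recently renewed" (constructed value)
$now         = Get-Date

# Only Office 365 (Unified) groups can be covered by an expiration policy.
# ExpirationDateTime and RenewedDateTime are returned only when requested explicitly.
$groups = Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" `
    -Property id,displayName,expirationDateTime,renewedDateTime

$report = foreach ($g in $groups) {
    # A group without ExpirationDateTime is not covered by the policy: skip it.
    if (-not $g.ExpirationDateTime) { continue }
    [PSCustomObject]@{
        DisplayName  = $g.DisplayName
        RenewedDate  = $g.RenewedDateTime       # last renewal (manual or auto)
        ExpiryDate   = $g.ExpirationDateTime    # next expiration date
        DaysToExpiry = [int]($g.ExpirationDateTime - $now).TotalDays
    }
}

# Groups inside the notification window: owners have received (or are about to
# receive) the expiration email, and no activity signal has renewed them yet.
Write-Host "Groups expiring within $daysAhead days:"
$report | Where-Object { $_.DaysToExpiry -le $daysAhead } |
    Sort-Object DaysToExpiry |
    Format-Table DisplayName, DaysToExpiry, ExpiryDate -AutoSize

# Groups renewed in the last $recentDays days. A RenewedDate that moved without
# any owner action is the footprint of an autorenewal; cross-check it with the
# "Autorenew group" record in the Azure AD audit log.
Write-Host "Groups renewed in the last $recentDays days:"
$report | Where-Object { $_.RenewedDate -gt $now.AddDays(-$recentDays) } |
    Sort-Object RenewedDate -Descending |
    Format-Table DisplayName, RenewedDate, ExpiryDate -AutoSize
```

Running this on a schedule turns the emailed notification into a report an administrator can act on, and the second table gives a quick way to confirm that autorenewal is extending groups that show activity rather than letting them drift toward soft-deletion.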
Opportunities to Improve
I don’t like that sending a message to a group is not considered a signal of activity. Microsoft has made a big thing of replacing distribution lists with Office 365 Groups. Many groups have guest members who can only interact with others in the group by emailing contributions. Those messages are ignored, and the group expiration policy relies on a tenant member opening the group with Outlook to interact with conversations. It’s true that guests can generate a valid renewal signal by interacting with the SharePoint Online site belonging to the group, but this probably won’t happen for email-centric groups that replace distribution lists.
I know why Microsoft has taken this position. Many groups host connectors to ingest information from network sources like Twitter or third-party apps. The intention is that auto-renew happens based on human interaction with the group. As I note, some of those humans are guests who only communicate with the group via email, so I think this is one of the areas where Microsoft might tweak in the future.
Auto Renewal is the Default
Once Microsoft makes this change generally available, autorenewal will be the default for any tenant that configures a group expiration policy. You can’t opt out to force owners to manually renew expiring groups.
Remember that a group expiration policy is an Azure Active Directory premium feature. Every account in a group covered by the policy needs an Azure Active Directory P1 license. Guest users are covered at a ratio of five guests per license.