Microsoft Teams – Utilize the AzureADMSGroupLifecyclePolicy command to manage the teams group life cycle

With the Azure active directory powershell commandlets, we could control the lifecycle of office365 groups.Ideally when any office365 group is created for an action of creating a team in the backend it creates the azure ad group.With the Azure commandlets we have options to control the lifecycle of the office365 groups automatically.

Let’s say we ‘ve created Team for a partner project which completes in 1 year time period, we have got an option to expire this team in 1 year time during the team creation.This keeps the access reviews of the Microsoft Teams intact and ensures that only required persons have access to the company corporate data.

The default setting is unlimited days as it should be for most of the scenarios.

Firstly we need to connect to azuread module from the powershell. Since we do not have any group life cycle policy the value remains empty.

Below example creates a a new groupLifecyclePolicy. This policy can be applied to targeted set of office 365 groups.

New-AzureADMSGroupLifecyclePolicy -GroupLifetimeInDays 99 -ManagedGroupTypes "groupid" -AlternateNotificationEmails "sathish@ezcloudinfo.com"

The managed group type parameter provides us the option to choose how we can manage the groups in our environment. Keeping the value “None” will create the policy but will not be applied to any groups. Specifying them “All” will apply this policy to all Office 365 groups. “Selected” will provide us the option to choose specific Office 365 groups.

To test this we can try to apply this policy to single group Teams-Partners. This group was created as an action of creating a team in Microsoft Teams.

In order to apply to a group we have to run the below command by specifying the group ID.

Get-AzureADMSGroupLifecyclePolicy -Id "admsgroupid" | Add-AzureADMSLifecyclePolicyGroup -GroupId "ID"

If we need to apply this to a group of ID’s which were reviewed and require to set expiry we can apply them from a input csv.

$policy = "mentionthepolicyID"
#keep the groupid as the input value in the csv
$365group = import-csv ".\365group.csv" 
Foreach ($group in $groups) {
Add-AzureADMSLifecyclePolicyGroup -Id $policy -groupId $group.objectId}

We can run this on a periodic interval after performing access review on the Office 365 groups.There is also an option to notify the group owner on a particular period of time to review if they still require this group to be in the system. Keeping this option will remind the owner of the group who created the team to decide if they require to provide access to the users and external parties if the guest users are added to them.

We can then verify if it is applied for a group by using the commandlet Get-AzureADMSLifeCyclePolicyGroup by specifying the group id. This will return the output of to which AzureADMSgroup it have been assigned. We do have an option to extend the grouplifetime to our desired interval.

There are few organizations where the Office 365 group and teams group creation is provided as self service to users to increase the Office 365 adoption rate.In those cases the admin can review the groups created once in a month and apply the expiration policy for them.

This option will be better for the admins to create the expiry of the groups as per the company security policy.If we are doing a periodic review we can also use a input CSV for the selected groups and can apply the policy to these selected groups.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: