How to check o365 group expiration prior to turning rule

Matthew P 331 Reputation points
2022-06-23T16:18:43.12+00:00

We're looking at enabling group expiration for O365 groups in Azure AD (groups > expiration).

Is there a way to audit what groups would be triggered by this policy before enabling it?

According to this page https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-lifecycle - groups older than the expiration once the policy is set will be set to 35 days

So my understanding is, if we set a policy for expiration after 180 days, and there's a group that was 200 days since last activity, it's given a grace period of 35 days, correct?

My hope is there is some way we can audit this to know the impact before we turn it on. If there's suddenly going to be hundreds of alerts being sent out, that would be good to know before activating this policy.


3 answers

  1. Paul van Berlo 821 Reputation points
    2022-06-24T19:05:57.187+00:00

    Whenever the expiration policy changes, a calculation will be done based on the group creation date. You can find the group creation date by using Microsoft Graph. Off the top of my head, if you install the Microsoft.Graph PowerShell module and connect with a user with sufficient permissions, you could use the Get-MgGroup cmdlet. Make sure to pass along the -Property argument and include createdDate and createdDateTime.

    1 person found this answer helpful.

  2. 2022-06-24T23:06:11.857+00:00

    Hello @Matthew P, if the group age in days is greater than the expiration interval, then the 35-day grace period will be set for them.

    To see which groups will get a grace period you can use the following PowerShell script:

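       Connect-MgGraph -Scopes "Group.Read.All"
       # Microsoft 365 groups created more than 30 days ago (replace 30 with the planned expiration interval)
       Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'Unified')" |
           Where-Object CreatedDateTime -LE ([datetime]::UtcNow).AddDays(-30)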
    

    Selected groups will be impacted in the same way; emails will be sent only if the group has not been renewed.

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.

    1 person found this answer helpful.

  3. Freddie Christiansen 1 Reputation point
    2024-04-17T12:26:35.3433333+00:00

    You can use the Microsoft Graph to get the expirationDateTime for when a group in Entra ID is due to be deleted.

    GET https://graph.microsoft.com/v1.0/groups/{group-id}?$select=displayName,expirationDateTime
    
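A pre-enablement audit that combines the creation-date check and the expirationDateTime lookup from the answers above, as an added example that is not part of any of the posts. The `$LifetimeDays` default (180, taken from the question) and the `$OutFile` path are assumptions to adjust.

```powershell
# Added example: report which Microsoft 365 groups are older than a planned expiration lifetime.
param(
    [int]$LifetimeDays = 180,                           # assumed planned policy lifetime
    [string]$OutFile   = ".\group-expiration-audit.csv" # hypothetical output path
)

Connect-MgGraph -Scopes "Group.Read.All" | Out-Null

$now    = [datetime]::UtcNow
$cutoff = $now.AddDays(-$LifetimeDays)

# Expiration policies apply to Microsoft 365 (Unified) groups, so skip security groups.
$query = @{
    All      = $true
    Filter   = "groupTypes/any(c:c eq 'Unified')"
    Property = 'Id', 'DisplayName', 'CreatedDateTime', 'ExpirationDateTime'
}

$report = foreach ($g in Get-MgGroup @query) {
    if (-not $g.CreatedDateTime) { continue }   # no creation date returned, cannot classify
    [pscustomobject]@{
        DisplayName        = $g.DisplayName
        Id                 = $g.Id
        CreatedDateTime    = $g.CreatedDateTime
        AgeDays            = [math]::Floor(($now - $g.CreatedDateTime).TotalDays)
        # Older than the planned lifetime: expected to receive the 35-day grace period.
        OlderThanLifetime  = $g.CreatedDateTime -le $cutoff
        # Current expiry, if a policy already covers the group.
        ExpirationDateTime = $g.ExpirationDateTime
    }
}

$report | Sort-Object AgeDays -Descending | Export-Csv -Path $OutFile -NoTypeInformation

$affected = @($report | Where-Object OlderThanLifetime)
"{0} of {1} Microsoft 365 groups are older than {2} days" -f $affected.Count, @($report).Count, $LifetimeDays
```

The count on the last line is the number of groups whose owners could receive renewal notices once the policy is turned on, which is the figure the question asks for.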