Governance Tip - Group Expiration Policies

What is an Office 365 Group Expiration Policy?

A Group expiration policy is one method to control the lifecycle of Office 365 groups. Enabling group expiration provides an automated process which facilitates the removal of Office 365 groups which have not been utilised within a predetermined amount of time. When applying an expiration policy, there are multiple services which may be affected, including; Teams, Exchange, SharePoint, and Planner.

How do they work?

When an expiration policy is assigned, the number of days as defined by the policy dictate the length of time for which the group will remain prior to a removal process initiating. However, prior to removal of the group the owners are provided with several notifications indicating the group is set to expire, and owners are provided an opportunity to extend the group lifetime (the amount of time in days prior to the group expiring). Notifications regarding group expiration are received either by email or via teams notifications depending on the Office 365 application assigned to the group.

When an expiration policy is triggered to remove a group, the affected Office 365 group is soft deleted, meaning that anything related to that group, including conversations, files, and data, may be restored within 30 days, however, will be hard removed after the 30 day period. In this scenario any data pertaining to the expired group once hard deleted is no longer accessible or available. To ensure only groups that haven’t been utilised within the specific time frame are removed, expiration policies have smarts built into them so that groups containing recent activity are not removed and have their group lifetime automatically extended.

Groups automatically have their group lifetime extended via the following activities

• SharePoint - view, edit, download, move, share, or upload files.
• Outlook - join group, read or write group message from the group, and like a message (Outlook on the web).
• Teams - visiting a teams channel.

Defining a use case

Deploying and Office 365 group expiration policy requires planning to ensure they are fit for purpose and do not have a negative affect on retaining important and required data. Not all Office 365 groups are suited to automatic expiry via expiration policies and therefore you will need to ensure you have a process to identify groups that are suitable and those which are not. The scope defined for your expiration policy is of utmost importance as this affects whether all, or a subset of groups will be included and potentially expired. The policy is disabled when the scope is set to none. Additionally, only a single expiration policy can be defined for a single organisation, therefore how the policy is configured and executed needs in line with the requirements for each group bound by the policy.

Legal hold and retention policies

Organisations relying on legal hold and retention policies may still utilise expiration policies. For these scenarios, whilst groups expire and data becomes unavailable for staff to access via the applications they utilise, those responsible for compliance and retention still have access for discovery purposes to search for and review data located in associated mailboxes and SharePoint sites of a purged group.

Requirements to deploy expiration Policies

Enabling group expiration requires at least Azure Active Directory P1 licenses deployed within your organisation, which are also included as part of Azure Active Directory P2, EMS E3, and EMS E5 license types. This license type doesn’t need to be explicitly assigned to each account, however, they must be present within your Office 365 tenant.

Those who are tasked with configuration the expiration policy require either Global Administrator, Group Administrator, or User Administrator, whilst any standard user account is able to review expiration policy settings and renew groups where required.

Where the policy is assigned for selected groups, an administrator is required to add or remove groups where required, there is no option of staff to configure their groups with an expiration policy at creation or at a later stage.

Group Expiration Administration Examples

• A group expiration policy can be defined as either 180 days, 365 days, or a custom value. A custom value can not be less than 30 days:

  
  ×

• The scope of the expiration policy can be switched off (none), or include all groups, or a selection of groups:

  
  ×

Show me how it is done!