Prevent group sprawl and save time by automatically archiving Microsoft 365 groups instead of manually deleting them.
Prevent Group Sprawl Before it Becomes a Problem
Many organizations adopt Microsoft 365 and quickly come to rely on the group-based tools it provides. Once those tools are in use, however, the downside of groups appears: group sprawl. Microsoft provides several ways to control M365 group creation and management, and using them spares your IT department a great deal of manual cleanup.
The first preventative option is to remove end users' ability to create M365 groups, which stops future sprawl. It does nothing, however, for the groups that already exist, or for deciding whether each of them should persist in the tenant, be deleted, or be archived. An automated archival process handles the existing groups and keeps sprawl from returning. The steps below show how to retain every M365 group and its data by archiving groups automatically rather than deleting them.
There are several pieces that need to be created or set up before the archival automation can be created.
Create an App
Create an app registration in Azure (Entra ID) so the flows can obtain a token for Microsoft Graph, which is used to read group data and the groups activity report and to modify individual M365 groups. The app needs only a small number of Graph permissions, granted with admin consent: reading the groups activity report requires Reports.Read.All, and changing owners, members and labels requires Group.ReadWrite.All. Keep the client secret or certificate in a vault rather than in the flow definition, and confirm in a test tenant that every Graph call the flows make succeeds under the permissions actually granted.
All of the automation runs under a dedicated service account, so create that account and assign it the Groups Administrator role. The account also needs a premium Power Automate license, because several of the connectors used in the flows below (the HTTP connector used to call Graph, for example) are premium. Because the account holds tenant-wide rights over groups, protect it with strong credentials and monitor its sign-ins.
Step 1: Create Archival Automation
The archival automation will consist of 3 Power Automate flows all created by the service account.
Step 2: Determine Workspaces to Archive
The initial flow pulls a report of all groups and their activity over the last 6 months. Each group with no activity in that window is added to a list for archive approval. The diagram below outlines at a high level what this flow may look like*.
*Note: The above diagram filters out groups based on a specific sensitivity label (Workspace).
To begin, the flow pulls a report listing all M365 groups in the tenant and whether each group's resources have seen any activity in the last 6 months. It then iterates through the report to determine whether each group has activity. For each group without activity, the flow retrieves the group's details and adds them to the list where inactive-group information is maintained. Certain kinds of groups, such as those with a specific sensitivity label applied, should be excluded before they reach the list; apply that check to the inactive groups before creating the list item.
Step 3: Trigger Archival Requests
The second flow will run once a month and use the list of inactive groups to determine which of those groups should have an archival request sent out. A few notes on things to look out for:
The flow should be set to run after the first flow finishes
The list should maintain the status of groups and whether they have been archived or rejected for archival
The flow retrieves every group in the list that has not already been archived and iterates through them, checking whether each has been rejected for archival. If a group was rejected more than a chosen period ago, such as 6 months, the flow deletes the item from the list so that the first flow can re-add it next month and a new approval can be sent. If the rejection is more recent than that period, no new approval is sent and the item is left as is for historical purposes. If the item has not been rejected, the flow triggers the final flow and passes it the group's details.
Step 4: Archival Requests and Reminders
The final flow sends an archive request to all the group members so that someone can approve or reject the archival. If no response is received, the request is re-sent weekly for up to 3 weeks. If nobody responds after 3 weeks, the group is archived automatically and the list item is updated. If the request is approved, the group is archived and the list item updated. If it is rejected, the list item is updated with the rejection.
Archiving a group entails adding the service account as both an owner and a member of the group, removing all other owners and members, changing the sensitivity label to Archive, and informing the former members of the archival. Add the service account as an owner before removing anyone else, because a group's last owner cannot be removed. Record the removed owners and members in the list item so the group can be restored if someone later asks for it.
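The decision logic of the three flows and of the archival step, modeled in Python as an added example. This is not part of the original post and not a Power Automate flow; it exists so the inactivity threshold, the sensitivity-label exclusion, the rejection cool-off, the reminder escalation and the ordering of the membership changes can be tested offline. The activity-report CSV, the sensitivity-label lookup, the tracking-list items, the group ids and the addresses are all constructed sample data, and the label names `Workspace` and `Archive` are taken from the post. In production the same functions would be fed the report returned by Graph and the items in the tracking list.

```python
"""Decision logic for the three M365 group archival flows (added example)."""
import csv
import io
from datetime import date

INACTIVE_DAYS = 180              # "no activity in the last 6 months"
REJECTION_COOLOFF_DAYS = 180     # a rejected group is not re-asked for 6 months
MAX_REMINDER_WEEKS = 3           # archive after 3 unanswered weekly reminders
EXCLUDED_LABELS = {"Workspace"}  # groups carrying these labels are never archived
ARCHIVE_LABEL = "Archive"

# Constructed sample of the groups activity detail report (Graph:
# reportRoot/getOffice365GroupsActivityDetail(period='D180')). Column names
# match the real CSV, only a subset of columns is shown, and every value is made up.
SAMPLE_REPORT = """\
Report Refresh Date,Group Display Name,Is Deleted,Owner Principal Name,Last Activity Date,Group Type,Member Count,Group Id,Report Period
2024-06-30,Project Falcon,False,alice@contoso.example,2023-11-02,Private,4,11111111-1111-1111-1111-111111111111,180
2024-06-30,Sales EMEA,False,bob@contoso.example,2024-06-28,Public,12,22222222-2222-2222-2222-222222222222,180
2024-06-30,Legacy Migration,False,carol@contoso.example,,Private,2,33333333-3333-3333-3333-333333333333,180
2024-06-30,Board Workspace,False,dave@contoso.example,2023-10-15,Private,6,44444444-4444-4444-4444-444444444444,180
2024-06-30,Old Team,True,erin@contoso.example,2023-01-01,Private,0,55555555-5555-5555-5555-555555555555,180
"""

# Constructed label lookup (in production: each group's assignedLabels from Graph).
SAMPLE_LABELS = {"44444444-4444-4444-4444-444444444444": "Workspace"}

# Constructed tracking-list state as the second flow would read it.
SAMPLE_TODAY = date(2024, 6, 30)
SAMPLE_TRACKING = [
    {"group_id": "11111111-1111-1111-1111-111111111111", "status": "rejected", "status_date": date(2023, 11, 15)},
    {"group_id": "33333333-3333-3333-3333-333333333333", "status": "pending", "status_date": date(2024, 6, 1)},
    {"group_id": "66666666-6666-6666-6666-666666666666", "status": "rejected", "status_date": date(2024, 5, 1)},
    {"group_id": "77777777-7777-7777-7777-777777777777", "status": "archived", "status_date": date(2024, 4, 1)},
]


def find_inactive_groups(report_csv, labels, today):
    """Flow 1: ids of non-deleted groups idle for INACTIVE_DAYS or more,
    skipping groups that carry an excluded sensitivity label."""
    inactive = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["Is Deleted"].strip().lower() == "true":
            continue  # already soft-deleted; nothing to archive
        if labels.get(row["Group Id"]) in EXCLUDED_LABELS:
            continue  # protected by its sensitivity label
        last = row["Last Activity Date"].strip()
        # An empty Last Activity Date means no activity in the whole report window.
        idle_days = (today - date.fromisoformat(last)).days if last else INACTIVE_DAYS
        if idle_days >= INACTIVE_DAYS:
            inactive.append(row["Group Id"])
    return inactive


def decide_requests(tracking_items, today):
    """Flow 2: split the list into groups to send an approval for and stale
    rejections to purge (so Flow 1 can re-add them next month)."""
    to_request, to_purge = [], []
    for item in tracking_items:
        if item["status"] == "archived":
            continue
        if item["status"] == "rejected":
            if (today - item["status_date"]).days > REJECTION_COOLOFF_DAYS:
                to_purge.append(item["group_id"])
            continue  # a recent rejection is left untouched for history
        to_request.append(item["group_id"])
    return to_request, to_purge


def resolve_request(response, weeks_waited):
    """Flow 3: map an approval response (or silence) to the action to take."""
    if response == "approve":
        return "archive"
    if response == "reject":
        return "reject"
    if weeks_waited >= MAX_REMINDER_WEEKS:
        return "archive"  # nobody answered after the last weekly reminder
    return "remind"


def archive_plan(owners, members, service_account):
    """Ordered membership changes for archiving one group. The service account
    is added first because Graph will not remove a group's last owner."""
    steps = [("add_owner", service_account), ("add_member", service_account)]
    steps += [("remove_owner", o) for o in owners if o != service_account]
    steps += [("remove_member", m) for m in members if m != service_account]
    steps.append(("set_label", ARCHIVE_LABEL))
    former = sorted({*owners, *members} - {service_account})
    steps.append(("notify", tuple(former)))  # keep this list for restores too
    return steps


if __name__ == "__main__":
    print(find_inactive_groups(SAMPLE_REPORT, SAMPLE_LABELS, SAMPLE_TODAY))
    print(decide_requests(SAMPLE_TRACKING, SAMPLE_TODAY))
    print(archive_plan(["alice@contoso.example"],
                       ["alice@contoso.example", "frank@contoso.example"],
                       "svc-archive@contoso.example"))
```

Key every decision on `Group Id`, not on the display name: if the Microsoft 365 admin center privacy setting that conceals user, group and site names in reports is enabled, the display-name column of the activity report is pseudonymized while the id column is not.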
Group sprawl is one of the most common problems in M365 tenants, and controls combined with automation are the main way to mitigate it. This automation lets your organization retain group data while limiting user access to it, which addresses concerns about stale data and privacy. For questions about the archival process, reach out to JourneyTEAM for assistance.