Articles in this section

See more
Print

Office 365 Groups Certification Review rule

Avatar
Tatiana Golubovich
  • Updated
Follow

 

Rule description

This rule returns Office 365 groups based on the specified query and then sends a request to the group's owner(s) to certify the group membership accuracy and the need for group continued existence.

For more details about group certification, please see Configuration of Group Membership Certification article.

 

When to use this rule

Without proper periodic control, Active Directory and Office 365 may become polluted with an excessive amount of groups. This problem increases if you have both on-premises and cloud-based directories. One of the solutions to keep the growing number of groups under control is to enforce group attestation and certification process. Group Certification is a process when group owners reviews and certifies that the group itself and its membership is correct and current.

Use this rule when you need the owners of Office 365 groups to check and certify:

  1. The Office 365 group existence
  2. The Office 365 group membership accuracy
  3. Both the Office 365 group existence and the group membership accuracy

 

Supported certifiers: users. 

 

Note: In case of a replication group is configured in your environment, for better performance Cayosoft recommends to run certification rules on the publisher.

 

Rule Settings

Query Section

Setting name Description

General Settings

  

Group type

Select the type of Office 365 groups for certification:

  1. Office 365 group (unified)
  2. Security group (cloud only)

Display Name starts with

Email starts with

Specify search query to identify groups included into certification process.

Certification period (days)

Specify the certification period in days.

By default, the certification rule execution schedule defines the certification period. A new certification task is created for each group on every rule execution. You can set the desired certification period in days if you want to run the rule more frequent then the certification period. The rule would ignore groups that have pending or completed tasks within this period.

Other Query Settings

  

Members filter

Specify if you want to run the certification review for:

  1. All Teams in the rule scope.
  2. Teams with at least one guest member.
  3. Teams with guest members only. In this case, the Team will be sent to certification if it has no other members than guests.

Properties to display

Properties to display, specified in the rule, are not the actual properties that used in the Output report. The output report has special, non-changeable format. It displays id, group name, assigned to, status, error fields.

If the Id field is empty in the report, it means that the work item for certification was not created for the group. This may happen if the group doesn't have the owner, for example.

Filter

 

To hide unwanted data based on criteria set the filtering conditions here.

Example: filter by the found object Display Name.

Sort by

Sort result object list.

Initialization script

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to PowerShell limitations, it is not possible to use the calculated expressions in filter criteria. That is the point where initialization script can help. You can initialize a global variable in this setting and then use it in filter criteria.

Important: To use a variable, declared in initialization script, in the query scope, it must be global: $global:<variable name>.

Example: List groups, created in the last ten days.

  1. Add this initialization script:
{$global:DatePeriod = (Get-Date).AddDays(-10)}
  1. Use $DatePeriod variable in filter criteria builder:

 

Action Section

Setting name Description

Type of certification

 

There are three types of certification:

  1. The group is still needed - the certifier should check whether he needs this group or not. Group membership is not essential in this case.
  2. The group's membership is accurate - the certifier should certify the membership of the group is correct, and mark those members that need to be removed.
  3. The group is still needed, and the membership is accurate - the certifier should check both whether he needs this group and is the membership of the group.

Work Item Title

  

Work item title

Work item title describes the work item for the user in notification emails and the list of work items in Web Portal.

Work item comment

Specify the comment for the created work items.

Certifiers

  

User(s) listed as group owners

Specify whether the owner of the target group will be the certifier.

Selected user(s)

Provide Office 365 user ID for one or more user accounts.

Defined by script

Specify script that sets the certifiers. The script should return an array of strings; each string equals to the object ID of the certifier.

Example:

{ @("9203750c-c989-4e7e-a86b-786a269f307d","811e4b97-c76d-4e7b-9b2b-be5b5e6df22c") }

Remediation and Expiration

  

Certification review expires in (days)

Specify the number of days for certifiers to complete the certification review. If the review is not completed within the given period, the certification request is set to Expired, and remediation actions are taken, as configured below.

Remediation

Select what action to perform when the certification review expires:

  1. Send a report to the certifier
  2. Send a report and suspend the group
  3. Send a report and delete the group

Email Notifications

  

Notification

Select events and configure email notifications to send upon these events:

  1. New certification request created
  2. The group is certified
  3. The certification request expired
  4. The certification request canceled 

 

Output Section

This section defines the output format of this rule.

To get more information about this section, please see the Output section article.

 

Enforce/Schedule section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Enforce/Schedule section article.

 

 Change History

Version Notes
8.2.0 Members filter is added.
6.4.0 Certification period (days) setting is added.
5.4.0 The rule was introduced in the product.

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.