Rule description
This rule returns Office 365 groups based on the specified query and sends a request to the group's owner(s) to certify the group membership accuracy and the need for the group's continued existence.
For more details about group certification, please see the Configuration of Group Membership Certification article.
When to use this rule
Without proper periodic control, Active Directory and Office 365 may become polluted with an excessive amount of groups. This problem increases if you have both on-premises and cloud-based directories. One of the solutions to keep the growing number of groups under control is to enforce group attestation and certification processes. Group Certification is a process in which group owners review and certify that the group itself and its membership are correct and current.
Use this rule when you need the owners of Office 365 groups to check and certify:
- The Office 365 group existence
- The Office 365 group membership accuracy
- Both the Office 365 group existence and the group membership accuracy
Supported certifiers: users.
Rule Settings
Query Section
Setting name | Description |
---|---|
General Settings |
|
Group type |
Select the type of Office 365 groups for certification:
|
Display Name starts with Email starts with |
Specify search queries to identify groups included in the certification process. |
Certification period (days) |
Specify the certification period in days. The default value is 'Every rule execution creates a new certification task per group'. By default, the certification rule execution schedule defines the certification period. A new certification task is created for each group on every rule execution. You can set the desired certification period in days if you want to run the rule more frequently than the certification period. The rule would ignore groups with pending or completed tasks within this period. So, if the default value is used, every time the rule runs new certification items will be created. If the number of days is specified, then the rule does not create any new certification items for a group with a pending or completed certification item state within the specified number. When the specified number of days passes, the new certification items will be created again when the rule runs. |
Other Query Settings |
|
Members filter |
Specify if you want to run the certification review for:
|
Properties to display |
Properties to display, specified in the rule, are not the actual properties that are used in the Output report. The output report has a special, non-changeable format. It displays id, group name, assigned to, status, and error fields. If the Id field is empty in the report, it means that the work item for certification was not created for the group. This may happen if the group doesn't have an owner, for example. |
Filter
|
To hide unwanted data based on criteria set the filtering conditions here. Example: filter by the found object Display Name. |
Sort by |
Sort result object list. |
Initialization script |
Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use the calculated expressions in filter criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in filter criteria. Important: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.
Example: List groups, created in the last ten days.
{$global:DatePeriod = (Get-Date).AddDays(-10)}
|
Action Section
Setting name | Description |
---|---|
Type of certification
|
There are three types of certification:
|
Work Item Title |
|
Work item title |
The work item title describes the work item for the user in notification emails and the list of work items in the Web Portal. |
Work item comment |
Specify the comment for the created work items. |
Certifiers |
|
User(s) listed as group owners |
Specify if the owner of the target group should be the certifier. In this case, the group owner will be requested to provide group certification. |
Selected user(s) |
Provide Microsoft 365 user ID for one or more user accounts to be certifiers if needed. |
Defined by script |
You can use a script that sets the certifiers. The script should return an array of strings; each string equals the object ID of the certifier. Example: { @("9203750c-c989-4e7e-a86b-786a269f307d","811e4b97-c76d-4e7b-9b2b-be5b5e6df22c") } |
Remediation and Expiration |
|
Certification review expires in (days) |
Specify the number of days for certifiers to complete the certification review. If the review is not completed within the given period, the certification request is set to Expired, and remediation actions are taken, as configured below. |
Remediation |
Select what action to perform when the certification review expires: Note: To perform a remediation action, the Cancel Expired Work Items rule should be run, and the 'Expired' notification even should be enabled.
|
Email Notifications |
|
Notification |
Select events and configure email notifications to send upon these events:
|
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
8.2.0 | Members filter is added. |
6.4.0 | Certification period (days) setting is added. |
5.4.0 | The rule was introduced in the product. |
Comments
0 comments
Please sign in to leave a comment.