Skip to main content

Articles in this section

Print

Office 365 Groups Certification Review

  • Updated

Office 365 Groups Certification Review

Rule description

This rule returns Microsoft 365 groups based on the specified query and sends a request to the group's owner(s) to certify the group membership accuracy and the need for the group's continued existence.

For more details about group certification, please see the Configuration of Group Membership and Team Certification article.

When to use this rule

Without proper periodic control, Active Directory and Microsoft 365 may become polluted with an excessive amount of groups. This problem increases if you have both on-premises and cloud-based directories.

One of the solutions to keep the growing number of groups under control is to enforce group attestation and certification processes. Group Certification is a process in which group owners review and certify that the group itself and its membership are correct and current.

Use this rule when you need the owners of Office 365 groups to check and certify:

  • The Microsoft 365 group existence

  • The Microsoft 365 group membership accuracy

  • Both the Microsoft 365 group existence and the group membership accuracy

Supported certifiers: users.

NOTE: In case a replication group is configured in your environment, Cayosoft recommends running certification rules on the publisher for better performance.

Rule settings

Query section

Setting name Description

General Settings

Group type

Select the type of Office 365 groups for certification:

  • Microsoft 365 group (unified)

  • Security group (cloud only)

Display Name starts with

Email starts with

Specify search queries to identify groups included in the certification process.

Certification period (days)

Specify the certification period in days. By default, a new certification task is created for each group every time the rule runs.

The rule’s schedule determines the certification period. You can set a custom number of days if you want the rule to run more frequently. If a group has a pending or completed certification task within the set period, the rule will skip creating new tasks for that group. Once the specified number of days passes, new certification tasks will be created the next time the rule runs.

Other Query Settings

Members filter

Specify if you want to run the certification review for:

  • All Teams in the rule scope.

  • Teams with at least one guest member.

  • Teams with guest members only. In this case, the Team will be sent to certification if it has no other members than guests.

Properties to display

Each object property defined in this setting matches the column that will be displayed in the Web Portal for this web query.

To display additional columns, add the required properties to the Properties to display list.

Filter

 

Set the filtering conditions to hide unwanted data based on criteria not supported in the Query criteria setting.

Example: filter by the found object Distinguished Name.

TIP: For optimal performance, use the Query criteria setting above to filter objects whenever possible.

Sort by

Sort result object list.

Initialization script

Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule.

Due to the PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria.

IMPORTANT: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.

Example: Update AD users, created in the last ten days.

  1. Add this initialization script

    Copy
    {$global:DatePeriod = (Get-Date).AddDays(-10)}

  2. Use the $DatePeriod variable in the query criteria builder:

Action section

Setting name Description

Type of certification

 

There are three types of certification:

  • The group is still needed - the certifier should check whether he needs this group or not. Group membership is not essential in this case.

  • The group's membership is accurate - the certifier should certify the membership of the group is correct, and mark those members that need to be removed.

  • The group is still needed, and the membership is accurate - the certifier should check both whether he needs this group and the membership of the group.

Work Item Title

Work item title

The work item title describes the work item for the user in notification emails and the list of work items in the Web Portal.

Work item comment

Specify the comment for the created work items.

Certifiers

User(s) listed as group owners

Specify if the owner of the target group should be the certifier. In this case, the group owner will be requested to provide group certification.

Selected user(s)

Provide Microsoft 365 user ID for one or more user accounts to be certifiers if needed.

Defined by script

You can use a script that sets the certifiers. The script should return an array of strings; each string equals the object ID of the certifier.

Example:

Copy
{ @("9203750c-c989-4e7e-a86b-786a269f307d","811e4b97-c76d-4e7b-9b2b-be5b5e6df22c") }

Remediation and Expiration

Certification review expires in (days)

Specify the number of days for certifiers to complete the certification review. If the review is not completed within the given period, the certification request is set to Expired, and remediation actions are taken, as configured below.

Remediation

Select what action to perform when the certification review expires:

NOTE: To perform a remediation action, the Cancel Expired Work Items rule should be run, and the 'Expired' notification even should be enabled.

  • Send a report to the certifier.

  • Send a report and delete the group.

Email Notifications

Notification

Select events and configure email notifications to send upon these events:

  1. A new certification request was created: A notification is sent when the certification rule runs.

  2. The group is certified: A notification is sent when the Certify web action is performed.

  3. The certification request expired: A notification is sent when the Cancel Expired Work Items rule runs.

  4. The certification request was canceled: A notification is sent when the Certify web action is performed.

Output section

This section defines the output format of this rule.

To get more information about this section, please see the Rule Output section article.

Enforce/Schedule section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Rule Enforce/Schedule section article.

© Copyright 2013-2026 Cayosoft Inc. All rights reserved.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request
Return to top

Related articles

Comments

0 comments

Please sign in to leave a comment.