Microsoft Adds More Group and Browser Controls to Azure AD

Microsoft recently rolled out several Azure Active Directory (AD) improvements, including the ability for administrators to set expiration policies for Office 365 groups.

After being in preview since last August, the new group expiration policy feature is now generally available. Policies specifying how long groups should exist can be set in days from the Azure AD Portal or by using Azure AD PowerShell. It's possible to set policies for some groups or for all groups.

There's one catch: Organizations need to have Azure AD Premium subscriptions in place to use this feature. That's true for "all members of the groups to which the expiration policy is applied," according to Microsoft's documentation.

Under the group expiration policies scheme, end users who are group owners get sent a series of notifications automatically before a group is set to expire. The notifications arrive "30 days, 15 days and 1 day" before the group's end date, giving owners the option to keep or delete the group. The group gets deleted automatically if there's no response, but group owners will receive another notification letting them know it was deleted. Group owners and Office 365 account administrators have 30 days from the group's termination date to restore a group.

There's an exception for groups where there's a legal hold in place, as those groups don't get deleted. The content of groups will still be accessible via e-discovery if retention policies were set using the Security and Compliance Center.

Office 365 end users can create groups unless they've been restricted beforehand by IT pros, typically through the creation of "security groups," as described in this documentation. The creation of an Office 365 group will automatically provision a SharePoint site, a Yammer group, an Outlook mailbox, OneNote and a chat space in Microsoft Teams, which are all managed via Azure AD. Deleting a group should get rid of all of those services that get automatically created with a group, according to a FAQ published by AvePoint, a Microsoft partner that offers Office 365 governance support.

Managed Browser Support
In other Azure AD news, the "managed browser" that's used with Microsoft Intune, Microsoft's mobile management service, can now use Azure AD's single sign-on and conditional access capabilities, Microsoft announced last week. The Intune managed browser is a downloadable application for devices that follows policies set by Intune.

The single sign-on access feature for the managed browser app permits easier access by end users to all Azure AD-managed applications, both online and on-premises. It works with Android and iOS devices.

The conditional access capability for the Intune managed browser adds the ability to restrict access to organizational information, based on browser use. For instance, it's possible to block access to resources "from any other unprotected browsers like Safari or Chrome," Microsoft's announcement explained. When end users try to use those browsers, they'll get directed to use the Intune managed browser instead. The conditional access capability works across Office 365 services, as well as for "on-premises sites that you have exposed via the Azure AD Application Proxy" service, the announcement added.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

