Group/Team Policy

    The group/team policy allows you to customize rules to automatically manage your Microsoft 365 Groups and Microsoft Teams. Group/Team policies are also required when you import existing groups or teams by using the Import Existing Microsoft 365 Objects feature. Group/Team policies work in conjunction with Group/Team Lifecycle Management services to not only automatically govern groups/teams associated with each policy, but also empower business users to easily manage the lifecycle of groups/teams.

    To create or manage policies, click Policy in the Request Management group within Settings. The group/team policy is integrated with the Group/Team/Community Policy. When you create a policy, choose the policy type Group/Team/Community Policy.

    In the interface for creating or editing a group/team policy, configure the following settings:

    1. Policy Name and Description – Enter a Name for the new policy. Then, enter an optional Description for future reference.

    2. Policy Category – Categories are used to organize AvePoint Cloud Governance policies. Select an existing category from the drop-down list, or create a new category for this policy by clicking Create New and then configuring the new category in the Create Category interface.

    3. Workspace Type – Choose Microsoft 365 Groups/Microsoft Teams.

    4. Tenant – Select a Microsoft 365 tenant from the drop-down list. Your Microsoft 365 tenant is displayed here when your tenant has a Microsoft Entra ID app profile configured in AvePoint Online Services. For details, refer to Create App Profiles or Microsoft 365 Service Account Profiles.

    5. Click the arrow on the right-hand side to continue, or click Cancel to return to the Policy Management interface without saving any configurations.

    6. Group Team Site Quota – Enter the storage quota for Microsoft 365 Group team sites that are created along with new Microsoft 365 Groups.

      NOTE

      A storage quota of less than 25600 GB will take effect only if the site storage limit is enabled in your SharePoint admin center > Settings > Site storage limits > Manual. The group team site quota will be set as 1024 GB if you don’t allocate a storage quota for group team sites.

    7. External Sharing – Choose whether to use AvePoint Cloud Governance to set unique guest access or external sharing settings for Microsoft 365 Groups and group team sites. The groups or teams associated with the policy can have more restrictive settings than the global configurations in the Microsoft 365 admin center.

      Note the following:

      • The unique guest access and external sharing settings in this policy will take effect when the tenant-level external sharing settings are turned on in Microsoft 365. To turn on all the external sharing settings for Microsoft 365 Groups and SharePoint, go to the Microsoft 365 admin center > Settings > Org settings. If you want to enable the tenant-level external sharing settings only when external sharing is allowed in your tenant, you can predefine the guest access and external sharing settings in the policy and turn on the external sharing settings in Microsoft 365 later, when everything is ready.

      • Once the integration with sensitivity labels is enabled for your tenant, the sharing settings will be managed by the applied sensitivity label setting and do not require configuration in the policy.

      You can enable the following options:

      • Set unique guest access settings for the group

        With this option enabled, you can also choose whether to Allow group owners to add people outside the organization to the group. Here, people outside the organization refer to guest users who have been added to your Microsoft Entra. If you allow guest users to become group members, you can choose whether to Allow group owners to invite new external users who are not already in Microsoft Entra. When new external users need to be added to groups, AvePoint Cloud Governance will add the new external users to your Microsoft Entra first.

        If you do not allow guest access for groups applied with this policy, select the Set unique guest access settings for the group checkbox and deselect the Allow group owners to add people outside the organization to the group checkbox.

      • Set unique external sharing settings for the site collection associated with the group

        With this option enabled, you can also choose whether to Allow users to share the group team site content with people outside the organization. If you allow this, select the scope of external users:

        • Anyone

        • New and existing external users

        • Existing external users

    8. Access Request Settings – Choose whether to Set unique access request settings. With the option selected, configure the following settings:

      • Allow members to share the site and individual files and folders – Choose whether to allow users in the group to share the group team site and individual files and folders with other people. With this checkbox selected, the "Allow members to invite others to the site members group. This setting must be enabled to let members share the site" checkbox is automatically selected. Deselect the second checkbox if you only allow site members to share individual files and folders but do not allow members to share the group team site with others.

      • Allow access requests – Select this checkbox to allow users to request access to the group team site of the group applied with this policy. Then, select who will receive access requests on the group team site.

        • Send access requests to the site owners group

        • Send access requests to the following email address – Enter the email addresses of the approvers in the text box.

          NOTE

          Only members of the site owners group can accept or decline the access requests.

        You can also define a custom message that can be shown to users who see the access request page. Enter your custom message in the text box.

    9. Group/Team Lifecycle Management Request Types – Choose whether to enable the request types for the Group/Team Lifecycle Management service. The request types that you select here will be available for business users in the following situations:

      • Business users can submit Group/Team Lifecycle Management service requests for the corresponding Microsoft 365 Groups/Microsoft Teams based on the enabled request types.

      • If you enable group/team inactivity threshold or lease management in the policy, in the automatically generated group/team inactivity threshold tasks or group/team lease expiration tasks, task assignees can request to delete Microsoft 365 Groups/Microsoft Teams, extend group/team lease, or archive teams depending on the request types you enabled here.

        To make AvePoint Cloud Governance generate the corresponding lifecycle action tasks, ensure the following built-in services are active:

        • Group/Team Lifecycle Management Extend Service

        • Group/Team Lifecycle Management Delete Service

        • Team Lifecycle Management Archive Service

      • If Enable deletion of the group/team or Enable archiving of the team is selected here, you can Enable automatic deletion of the group/team or Enable automatic archiving of the team in the following sections: Group/Team Inactivity Threshold and Group/Team Lease Management. In the task for deletion or archiving, the task assignee can delete the group/team or archive the team.

      Enable the following request types by selecting the corresponding checkboxes. For each request type, you can choose to Use the default approval process, select a created approval process from the drop-down list, or click Create New to create a new approval process. If the configurations of the selected approval process do not meet your requirements, click Create From This Existing Approval Process to create a new approval process based on the selected approval process. The approval process will be triggered when service requests to manage groups/teams are submitted.

      • Enable deletion of the group/team – Select this checkbox to allow business users to delete the group/team upon request.

      • Enable extension of the group/team lease – Select this checkbox to allow the lease of a group/team to be extended upon request. You can choose one of the following methods to set limitations on the extension:

        • Each extension must be a specific period – Enter a number in the text box and select Days, Weeks, Months, or Years from the drop-down list as the unit.

        • Each extension cannot exceed a specific period – Enter a number in the text box and select Days, Weeks, Months, or Years from the drop-down list as the unit.

      • Enable group/team policy change – Select this checkbox to allow business users to request a different policy for groups/teams that have this policy applied. With this option enabled, you can enable the following option: Choose the policies that are presented to users in the Change Group/Team Policy service request, and then select your desired group/team policies from the table. When a business user starts a request to change a policy for a group or team that has this policy applied, the business user can only choose a policy from the policies you selected here.

      • Enable Microsoft 365 group team site quota change – Select this checkbox to allow business users to request to change the Microsoft 365 group team site quota. Choose from the following methods to set limitations on the group team site quota change:

        • Allow quota change to any available size – Choose this option to allow business users to request to change the group team site quota to any available size.

        • Allow quota upgrade or downgrade within [Specified Size] GB – Choose this option to allow business users to upgrade or downgrade the group team site quota, and the quota change cannot exceed the size defined here. Enter a number in the text box. For example, if you enter 5 here and the site quota is 10 GB, then business users can only change the site quota to 5-15 GB.

          Note the following:

          • If you allow business users to change the group team site quota, make sure Manual storage management is enabled in SharePoint Online admin center > Settings > Site storage limits.

          • The maximum group team site quota cannot exceed 25600 GB.

          • The group team site quota cannot be reduced to be less than its current size.

      • Enable archiving of the team – Select this checkbox to allow business users to request to archive the team. Then you can choose to Enable team membership and team site permission changes before team archiving. Select a Team archiving profile from the drop-down list or click Create New to create a new profile. For details on configuring a team archiving profile, see Team Archiving.

        When a team is archived, the team membership and team site permissions will be changed according to the configurations in the archiving profile.

      • Enable restore of the archived team – Select this checkbox to allow business users to request to restore the archived team.

    10. Group/Team Inactivity Threshold – An inactivity threshold is the amount of time during which no content in the corresponding group team sites, files, notebook, calendar, mailbox, Microsoft Teams channel conversations, or Outlook group conversations has been added or modified.

      Note the following:

      • By default, AvePoint Cloud Governance calculates the inactivity of a group team site’s top-level site and subsites based on the Report.LastActivityDate property and retrieves the last activities of a group/team using the Microsoft Graph Beta APIs.

      • When Display concealed user, group, and site names in all reports is enabled in Org settings > Services > Reports in your Microsoft 365 admin center, or your organization is using the Microsoft 365 Government GCC High environment, the activities of a group team site’s subsites cannot be used to determine whether the site reaches the inactivity threshold. AvePoint Cloud Governance calculates the site inactivity based on the LastItemUserModifiedDate property of the top-level site, and any updates in the subsites will not change this property value. If you have also configured an impersonation account in Settings > Impersonation Account Management, the impersonation account will be used to invoke Exchange Web Services APIs to retrieve the last modified time of the corresponding calendar of the group/team and the time that the group/team received the latest email in the Outlook inbox for inactivity calculation.

      • Changes to a group’s plan in Planner are not regarded as activities since Microsoft 365 does not provide an API to retrieve a plan’s last modified time.

      The inactivity threshold setting helps reduce the number of unused groups/teams and group team sites in your Microsoft 365 environment. Configure the following inactivity threshold settings:

      1. Enable group/team inactivity threshold – Select this checkbox to enable the inactivity threshold for Microsoft 365 Groups/Microsoft Teams. When a group/team reaches the inactivity threshold, a group/team inactivity threshold task will be automatically generated and assigned to business users selected in the approval process below. In the group/team inactivity threshold task, business users can continue allowing access to the groups/teams and corresponding team sites. The business user can also choose to archive the team or delete the group/team if you enable archiving or deletion in the Group/Team Lifecycle Management Request Types section above.

        Configure the inactivity threshold by entering a number in the text box and selecting Day(s), Week(s), Month(s), or Year(s) from the drop-down list as the unit of time.

      2. Approval Process – Select an approval process from the drop-down list for the group/team inactivity threshold task or click Create New to create a new approval process.

        If the configurations of the selected approval process do not meet your requirements, click Create From This Existing Approval Process to create a new one based on the selected approval process.

      3. You can Enable group/team inactivity threshold warning to notify the approvers before the group/team inactivity threshold task is generated. Then, you must select a reminder profile from the Reminder profile drop-down list. You can also click Create New to create a new reminder profile. For detailed information about creating reminder profiles, refer to the Configure Reminder Profiles for Upcoming Expiration section.

      4. You can enable the additional group/team lifecycle action as the escalation when the inactivity threshold task is overdue by configuring the following settings:

        • Enable an additional group lifecycle action – With the option selected, select a group automated escalation profile from the drop-down list. The group lifecycle action will be executed based on the configurations in the profile. You can configure a group automated escalation profile in Settings > Request Management > Automated Escalation Profile for Microsoft 365 Groups. For more instructions, refer to Automated Escalation Profile for Microsoft 365 Groups.

        • Enable an additional team lifecycle action – With the option selected, select a team automated escalation profile from the drop-down list. The team lifecycle action will be executed based on the configurations in the profile. You can configure a team automated escalation profile in Settings > Request Management > Automated Escalation Profile for Microsoft Teams. For more instructions, refer to Automated Escalation Profile for Microsoft Teams.

        NOTE

        When the group/team inactivity threshold task is overdue and the group/team deletion task is generated as the escalation, if the deletion is rejected by the approver, a new inactivity threshold task will be generated for the task assignee to complete.

        For an existing policy that was configured before June 25, 2021, where the automatic deletion/archiving action was originally configured as an additional lifecycle action in the policy, you can now use the automated escalation profile to customize the escalation into multiple stages, and the instructions above are for your reference.

        If you want to update the original settings for the Escalation with automatic deletion/archiving method, you can configure the following settings:

        • Enable automatic deletion of the group/team – Select this checkbox to delete the group/team if the group/team inactivity threshold task is not completed after a specific amount of time. Enter a number in the text box and select Day(s), Week(s), Month(s), or Year(s) from the drop-down list as the unit of time.

          NOTE

          If you enable this option, you must select the Enable deletion of the group/team checkbox in the Group/Team Lifecycle Management Request Types field above.

          You can also enable the following options:

          • Enable a reminder for the approvers before the group/team deletion task is generated – Select this checkbox to send notification emails to approvers before the group/team inactivity threshold task is generated. Select a reminder profile from the drop-down list. You can also click Create New to create a new one. For more information about configuring a reminder profile, refer to Configure Reminder Profiles for Upcoming Expiration.

          • Notify the following people upon the deletion of the group/team – Select this checkbox to notify specific users when the group/team is deleted. Enter the names of the users in the text box and press Enter to check if the names are valid. Then, you must select an email template from the Email template drop-down list.

        • Enable automatic archiving of the team – Select this checkbox to archive the team if the team inactivity threshold task is not completed after a specific amount of time. When the team is archived, the conversations and files in the team become read-only. Enter a number in the text box and select Day(s), Week(s), Month(s), or Year(s) from the drop-down list as the unit of time.

          NOTE

          If you enable this option, you must select the Enable archiving of the team checkbox in the Group/Team Lifecycle Management Request Types field above.

          You can also enable the following options:

          • Enable a reminder for the approvers before the team archiving task is generated – Select this checkbox to send notification emails to approvers before the team archiving task is generated. Select a reminder profile from the drop-down list. You can also click Create New to create a new one. For more information about configuring a reminder profile, refer to Configure Reminder Profiles for Upcoming Expiration.

          • Notify the following people when the team is archived – Select this checkbox to notify specific users when the team is archived. Enter the names of the users in the text box and press Enter to check if the names are valid. You can also enter $ to select from the following roles: $Group Owner, $Primary Group Contact, and $Secondary Group Contact. For detailed descriptions of the roles, refer to Appendix F - Supported Variable Roles. Then, select an email template from the Email template drop-down list.

    11. Group/Team Lease Period Management – A group/team lease period is the amount of time allotted wherein the Microsoft 365 Group/Microsoft Team is valid in Microsoft 365. This setting helps manage the expired groups/teams in your Microsoft 365 environment. Configure the following lease period management settings:

      1. Enable group/team lease management – Select this checkbox to enable the lease period for groups/teams. When the group/team lease expires or when the last lease extension expires, a group/team lease expiration task will be automatically generated and assigned to the business user selected in the approval process below. In the group/team lease expiration task, the business user can choose to extend the group/team lease, delete the group/team, or archive the team if you enable lease extension, archiving, or deletion in the Group/Team Lifecycle Management Request Types section above.

        Configure the lease period by entering a number in the text box and selecting Day(s), Week(s), Month(s), or Year(s) from the drop-down list as the unit of time.

      2. Approval Process – Select an approval process from the drop-down list for the group/team lease expiration task, or click Create New to create a new one.

        If the configurations of the selected approval process do not meet your requirements, click Create From This Existing Approval Process to create a new one based on the selected approval process.

      3. You can Enable group/team lease expiration warning to notify the approvers before the group/team lease expiration task is generated. Then, you must select a reminder profile from the Reminder profile drop-down list. You can also click Create New to create a new reminder profile. For detailed information about creating reminder profiles, refer to the Configure Reminder Profiles for Upcoming Expiration section.

      4. You can enable the additional group/team lifecycle action as the escalation when the lease expiration task is overdue by configuring the following settings:

        • Enable an additional group lifecycle action – With the option selected, select a group automated escalation profile from the drop-down list. The group lifecycle action will be executed based on the configurations in the profile. You can configure a group automated escalation profile in Settings > Request Management > Automated Escalation Profile for Microsoft 365 Groups. For more instructions, refer to Automated Escalation Profile for Microsoft 365 Groups.

        • Enable an additional team lifecycle action – With the option selected, select a team automated escalation profile from the drop-down list. The team lifecycle action will be executed based on the configurations in the profile. You can configure a team automated escalation profile in Settings > Request Management > Automated Escalation Profile for Microsoft Teams. For more instructions, refer to Automated Escalation Profile for Microsoft Teams.

        For an existing policy that was configured before June 25, 2021, where the automatic deletion/archiving action was originally configured as an additional lifecycle action in the policy, you can now use the automated escalation profile to customize the escalation into multiple stages, and the instructions above are for your reference.

        If you want to update the original settings for the Escalation with automatic deletion/archiving method, configure the following settings:

        • Enable automatic deletion of the group/team – Select this checkbox to delete the group/team if the group/team lease expiration task is not completed after a specific amount of time. Enter a number in the text box and select Days, Weeks, Months, or Years from the drop-down list as the unit.

          NOTE

          If you enable this option, you must select the Enable deletion of the group/team checkbox in the Group/Team Lifecycle Management Request Types field above.

          • Enable a reminder for the approvers before the group/team deletion task is generated – Select this checkbox to send notification emails to approvers before the group/team deletion task is generated. Select a reminder profile from the drop-down list. You can also click Create New to create a new one. For more information about configuring a reminder profile, refer to Configure Reminder Profiles for Upcoming Expiration.

          • You can select the Notify the following people upon the deletion of the group/team checkbox to notify specific users when the group/team is deleted. Enter the names of the users in the text box and press Enter to check if the names are valid. Then, you must select an email template from the Email template drop-down list.

        • Enable automatic archiving of the team – Select this checkbox to archive the team if the team lease expiration task is not completed after a specific amount of time. When the team is archived, the conversations and files in the team become read-only. Enter a number in the text box and select Day(s), Week(s), Month(s), or Year(s) from the drop-down list as the unit of time.

          NOTE

          If you enable this option, you must select the Enable archiving of the team checkbox in the Group/Team Lifecycle Management Request Types field above.

          You can also enable the following options:

          • Enable a reminder for the approvers before the team archiving task is generated – Select this checkbox to send notification emails to approvers before the team archiving task is generated. Select a reminder profile from the drop-down list. You can also click Create New to create a new one. For more information about configuring a reminder profile, refer to Configure Reminder Profiles for Upcoming Expiration.

          • Notify the following people when the team is archived – Select this checkbox to notify specific users when the team is archived. Enter the names of the users in the text box and press Enter to check if the names are valid. You can also enter $ to select from the following roles: $Group Owner, $Primary Group Contact, and $Secondary Group Contact. For detailed descriptions of the roles, refer to Appendix F - Supported Variable Roles. Then, select an email template from the Email template drop-down list.

    12. Microsoft 365 Group Team Site Quota Threshold – Select the Enable Microsoft 365 group team site quota threshold checkbox to enable a quota threshold for Microsoft 365 group team sites. A quota threshold is the maximum resources that a group team site can use. If you select the checkbox, set the threshold by entering a number in the text box. Once a group team site’s storage reaches the quota threshold, a notification email will be sent to users defined in the Notification email recipients field. You can also enter $ to select from the following roles:

      • $Primary Group Contact

      • $Secondary Group Contact

      • $Group Owner

      For detailed descriptions of the roles, refer to Appendix F - Supported Variable Roles.

      Then, select an email template that will be used to send the email notification from the drop-down list.

    13. Deactivated Group/Team Contact Election – An existing group/team contact account becomes deactivated when it is removed from or blocked in Microsoft Entra. You can choose whether to Automatically start the ownership election process if either of the group/team contact accounts is deactivated. With the option enabled, an election task will be generated when either of the contacts is deactivated.

      If the current election task assignee becomes deactivated, the ongoing election task will be automatically canceled when Cloud Governance finishes the deactivated workspace contact status scan job, and a new task will be generated and assigned to a new task assignee based on the following:

      • When the primary group/team contact is deactivated, AvePoint Cloud Governance will generate an election task for the secondary group/team contact. The secondary contact is set as the default user for the primary contact.

        • The secondary contact can select another user as the new primary contact. The secondary contact can also transfer the secondary contact role to another user.

        • If the original secondary contact confirms to be the new primary contact, the original secondary contact needs to select another user as the new secondary contact.

      • When the secondary group/team contact is deactivated, AvePoint Cloud Governance will generate the election task for the primary contact and the primary contact can select a user as the secondary contact.

      • When both the primary and secondary group/team contacts are deactivated, AvePoint Cloud Governance will generate an election task for all the group/team owners. After a group/team owner confirms to become the primary contact, the election process will be completed. When the group/team owner processes the election task, the owner can select a user as the secondary contact.

      You can also choose whether to Notify the following people when both the primary and secondary contact are deactivated. With the option selected, you can specify users or groups, or enter $ to specify a user role who will receive a copy of the notification email.

      Then, you can configure the following settings:

      • Email Settings – Choose to enable the following notifications by selecting the corresponding checkboxes:

        • Notify the user when the election task is assigned – Select this checkbox to send a notification email to a user when the election task is assigned to them.

        • Notify the primary contact when the group/team is assigned – Select this checkbox to send a notification email to a user when they become the primary group/team contact.

        • Notify the secondary contact when the group/team is assigned – Select this checkbox to send a notification email to a user when they become the secondary group/team contact.

        Each notification has a default email template. You can also select a custom email template.

      • Duration – Set the duration for the election task. If the nominee does not complete the election task within the duration, the election task will expire and can no longer be processed. A new task will be generated and assigned when Cloud Governance finishes running a new deactivated group/team contact status scan job. Enter a number in the text box, then select Day(s) or Week(s) as the unit.

        You can choose to notify the nominee before the assigned time is reached. Select the Remind the nominated user before the nomination task expires checkbox and select a reminder profile from the drop-down list. You can also click Create New to create a reminder profile. For more information, refer to Configure Reminder Profiles for Upcoming Expiration.

      NOTE

      The Election Process Management in Settings is only used to manage the site collection contact election process and it does not take effect on the group/team contact election process.

    14. Recertification or Renewal – You can choose whether to enable recertification or renewal. Choose one of the following options, and then select a recertification profile or renewal profile to apply the recertification or renewal settings to the group/team:

      • Recertification – Choose this option to enable periodic review of group/team membership and user permissions/SharePoint group permissions to the corresponding group team site in separate tasks.

      • Renewal – Choose this option to enable periodic review of group/team contacts, SharePoint group permissions to the corresponding group team site, group/team membership, and/or group/team metadata in one task.

    15. When you have finished configuring this policy, choose one of the following options:

      • Click the arrow on the left-hand side to go to the previous step to check and modify your configurations.

      • Click Save to save all configurations.

      • Click Save and Activate to save all configurations and activate the policy, which allows this policy to be used in services.

      • Click Cancel to return to the Policy Management interface without saving any changes.
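
    The External Sharing settings in step 7 apply within what the tenant allows, so the sharing level a group team site actually exposes is the more restrictive of the tenant value and the site value. The following is an added example, not AvePoint or Microsoft code, that audits an inventory of group team sites against the scope chosen in the policy for both a tenant with sharing turned on and one where it is still off. The function names, the sample inventory, and the mapping of the policy's scope labels to SharePoint's SharingCapability values are assumptions made for illustration.

```powershell
# Added example: audit group team sites against the external sharing scope
# selected in a group/team policy. All sample data below is constructed.
Set-StrictMode -Version Latest

# SharePoint SharingCapability values, ranked from most to least restrictive.
# Assumed mapping to the policy's scope labels is given in the comments.
$SharingRank = @{
    'Disabled'                        = 0   # sharing with people outside the organization not allowed
    'ExistingExternalUserSharingOnly' = 1   # "Existing external users"
    'ExternalUserSharingOnly'         = 2   # "New and existing external users"
    'ExternalUserAndGuestSharing'     = 3   # "Anyone"
}

function Get-EffectiveSharing {
    # Returns the more restrictive of the tenant-level and site-level values.
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly', 'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string]$TenantCapability,

        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly', 'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string]$SiteCapability
    )
    if ($SharingRank[$SiteCapability] -le $SharingRank[$TenantCapability]) {
        $SiteCapability
    } else {
        $TenantCapability
    }
}

function Test-GroupSiteSharing {
    # Classifies each site as:
    #   Compliant      - site setting is within the policy scope
    #   ExceedsPolicy  - site is currently sharable beyond the policy scope
    #   MaskedByTenant - site setting is too open, but the tenant setting hides it for now
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Site,

        [Parameter(Mandatory)]
        [string]$TenantCapability,

        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly', 'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string]$PolicyCapability
    )
    process {
        $siteSetting = [string]$Site.SharingCapability
        $effective   = Get-EffectiveSharing -TenantCapability $TenantCapability -SiteCapability $siteSetting
        $policyRank  = $SharingRank[$PolicyCapability]

        $finding = if ($SharingRank[$siteSetting] -le $policyRank) {
            'Compliant'
        } elseif ($SharingRank[$effective] -gt $policyRank) {
            'ExceedsPolicy'
        } else {
            'MaskedByTenant'
        }

        [pscustomobject]@{
            Url         = $Site.Url
            SiteSetting = $siteSetting
            Effective   = $effective
            Finding     = $finding
        }
    }
}

# Constructed inventory. With the SharePoint Online Management Shell connected,
# objects of the same shape come from: Get-SPOSite -Template 'GROUP#0' -Limit All
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance';   SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/vendors';   SharingCapability = 'ExistingExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/marketing'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/events';    SharingCapability = 'ExternalUserAndGuestSharing' }
)

# Scope selected in the policy (assumed for this example).
$policyCapability = 'ExistingExternalUserSharingOnly'

# Two constructed tenant states; the real value is (Get-SPOTenant).SharingCapability.
foreach ($tenantCapability in 'ExternalUserSharingOnly', 'Disabled') {
    "Tenant-level sharing: $tenantCapability"
    $sites |
        Test-GroupSiteSharing -TenantCapability $tenantCapability -PolicyCapability $policyCapability |
        Format-Table -AutoSize
}
```

    Sites reported as MaskedByTenant are the ones to correct before the tenant-level external sharing settings are turned on, because their own setting is already broader than the policy scope.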