There is a new feature published at Microsoft roadmap site:
Microsoft 365 admin center: Manage ownerless Microsoft 365 groups and teams
Teams, Outlook groups, Team Sites etc. powered by Microsoft 365 Groups supports two roles: members and owners. Members can collaborate with others in the group through files, emails, messages etc. Owners manage the group membership and monitor content and conversations. When employees leave an organization or switch projects internally, it results in their existing user accounts getting deleted. If such employees were group owners, keeping track of their groups becomes critical to ensure accountability within the organization. We have introduced a new ownership governance policy to help automate the management of ownerless groups by requesting active members to become owners of the group. Admins can define who is eligible for these notifications and configure what notifications and how often these notifications are sent to active group members. Users, who are members of the ownerless groups can simply accept or decline request via the actionable email message.
Feature ID: 180749
Added to roadmap: 10/10/2023
Last modified: 10/10/2023
Product(s): Microsoft 365 Admin Center
Cloud instance(s): GCC
Platform(s): Web
Release phase(s): General Availability
But based on the feature description – all looks exactly as what we already have for years as “Microsoft 365 ownerless groups policy” which you can configure under Microsoft 365 Admin Center -> Settings -> Org settings -> Microsoft 365 groups
What if you need to update thousands of m365 groups? E.g. membership – to add a group owner or member.
In my case, it was Microsoft 365 ownerless groups policy… Details are here but in short, I needed to update ownership for 10,000 m365 groups adding 10 accounts to group owners, 1,000 groups per account.
And I figured out for myself that the fastest way is to use Microsoft Graph API with PowerShell parallel trick. Here is the PowerShell code:
There is a team (including SharePoint site) under Microsoft Teams. There are multiple channels under this team with types: – standard channel – shared channel – private channel
A single group owner (team owner) leaves company and the team (group) becomes ownerless. Question: what will happen with private and shared channels?
A group (team) gets a new owner. Question: what will happen with private and shared channels?
“Microsoft Teams – Teams And Channels Service made you an owner of a channel”
You are in the process of cleaning-up large Microsoft 365 environment. You need to delete SharePoint sites (e.g. due to inactivity) but you cannot get confirmation from site owners (e.g. sites or groups are ownerless).
Deleted sites could be restored within 93 days of deletion if somebody rise a hand, but there is still a risk of possible loosing of important information, e.g. in case site is needed one a year. So you need to do clean-up but at the same time you want to decrease risks of loosing information.
So, you might want to do something with sites to engage users to volunteer to be site owner if they want to keep this site – e.g. prevents using the site the regular way and let users know that the site will be deleted etc., but do not actually delete site until it will be fully clear that site is not needed for anyone and can be safely deleted.
Let us call it “Staging” period. Depending on your org culture/rules/licensing etc. it might be 6 months, or 1 year or 5 years or more.
Approach options
generally, the options are (random order):
Set site to Read-Only mode
Set site to No-Access mode
Convert group from Public to Private
Remove access to the site (remove users from group)
Rename the site
Put a banner on a top bar with a message
Message to Teams or Yammer chat
Send e-mail to site members
Implement a Microsoft 365 ownerless groups policy
You might choose to set sites to read-only mode or even no-access mode. If so – users that are still need this site are loosing ability to work with site, but site is not deleted. Consider archiving as kind of scream-test phase before actual sites deletion.
If a user who needs this site would scream (rise a ticket to restore site) – you can trigger processes of a) finding new owner for the site b) excluding the site from clean-up process c) actual restoring site to normal mode
There are some options to setup a site to Read-Only or NoAccess mode. Here is the PowerShell command:
$siteurl = "https://contoso.sharepoint.com/teams/Team-SO-B"
Get-PnPTenantSite -Identity $siteurl | ft -a Url, LockState
Set-PnPTenantSite -Identity $siteurl -LockState ReadOnly
Get-PnPTenantSite -Identity $siteurl | ft -a Url, LockState
Set-PnPTenantSite -Identity $siteurl -LockState NoAccess
Get-PnPTenantSite -Identity $siteurl | ft -a Url, LockState
Set-PnPTenantSite -Identity $siteurl -LockState Unlock
The problem is what if the site is teams-connected or yammer-connected or just group-based. Here are some test results:
Services SharePoint site is connected to/Site State
Read-Only
NoAccess
Outlook only
N/A
N/A
SharePoint and Outlook
Outlook emails: OK Outlook files: read-only experience; No options to upload or create document; Documents are open in read-only mode. “The file couldn`t be saved to group” error message when trying to save file to a group library.
Outlook emails: OK Outlook files: empty screen; No error messages; Documents are not visible; “The file couldn`t be saved to group” error message when trying to save file to a group library.
SharePoint and Yammer
SharePoint, Teams and Outlook
Teams chats: OK Teams files: documents are open as read-only; No options to upload or create a new document SharePoint: “This site is read-only at the administrator’s request.”
Teams chats: OK Teams files: “403 FORBIDDEN” error message SharePoint: “ This site can’t be reached The webpage at https://contoso.sharepoint.com/teams/Team-STO-B might be temporarily down or it may have moved permanently to a new web address. ERR_INVALID_RESPONSE”
So you can see – behavior is inconsistent – users can still chat in Teams and Yammer and consume SharePoint content (in case the site in read-only) or get error messages or not very meaningful results (in case the site is in NoAccess mode) – so it would be not clear for users that the site is gong to be decommissioned.
If you are seeing “Ownerless group policy configuration failed” and “Please try again.” error message:
there might be some different reasons:
Microsoft said it is (was) a know problem – it happens sometimes (timeout?), if you configured the policy properly and have enough permissions. So just go back one step and try again – all should be good.
Sometimes “Ownerless group policy configuration failed. Failure in configuring ownerless groups policy” is a permissions issue SharePoint admin, Teams admin: cannot configure Ownerless Groups Policy Global admin: yes, can configure Ownerless Microsoft 365 Groups Policy. What is the minimum role required? According to a recent update of the Microsoft’s article – “A Global administrator can create a policy…”. In my experience – groups admin can also configure the policy
Note: Groups admin when configuring the policy can see warning message “You don’t have permissions to save changes”. No worries 🙂 => You will be able to save changes 🙂
Video tutorial on the policy configuration (at around 5:00 you can see this error message):
As SharePoint or Teams admin you can manage Microsoft 365 groups (create, update, delete, manage membership etc.) having your admin role activated. I use Azure registered app with “Group.ReadWrite.All” Microsoft Graph API delegated permission and Microsoft.Graph PowerShell module.
When a user was not a group member or group owner – and is added to the group members – user gets notification “You’ve joined the <Group Name> group” via e-mail that comes from a group e-mail address.
When a user is added to the group owners (or elevated to group owner if user was a group member) – user does not get notification.
When a user was a group owner and now is added to the group members – user does not get notification.
All the actions are logged into Microsoft 365 audit log under your personal Id.
Script samples:
# This script is just a sample to demonstrate basic technique on deletion m365 groups with PowerShell and MS Graph
# please do not run this script as is, but update it upon your needs
# authentication with personal Id
# app must have as minimum "Group.ReadWrite.All" Microsoft Graph API delegated permission
# user must have SharePoint admin (or Teams admin) roles activated
Connect-MgGraph -ClientId $clientid -TenantId $tenantId
Get-MgContext | Select-Object Scopes -ExpandProperty Scopes
# sample data
$groups = @()
$groups += [PSCustomObject]@{GroupId = '443d22ae-683a-4fe4-8875-7bd78227a026' }
$groups += [PSCustomObject]@{GroupId = 'e5805388-c18c-48c0-b42d-6223cf8f3d82' }
# Get Groups
foreach ($group in $groups) {
Get-MgGroup -GroupId $group.GroupId
}
# add members to the group
$groupId = '443d22ae-683a-4fe4-8875-7bd78227a026'
$userId = 'df74e0d3-d78c-495b-b47a-549437d93cf7' # Adele
New-MgGroupMember -GroupId $groupId -DirectoryObjectId $userId
# add Owner to the group
$groupId = '443d22ae-683a-4fe4-8875-7bd78227a026'
$userId = 'eacd52fb-5ae0-45ec-9d17-5ded9a0b9756' # Megan
New-MgGroupOwner -GroupId $groupId -DirectoryObjectId $userId
# Delete group
# add Owner to the group
$groupId = '443d22ae-683a-4fe4-8875-7bd78227a026'
Remove-MgGroup -GroupId $groupId
It is known that a single Microsoft Exchange account is not sending more than 10k emails per day.
It is also know that once activated – Microsoft 365 groups ownerless policy will be sending notifications for all groups in scope to specified number of group members within 24 hours.
The question is: what if there are more than 10,000 notifications to send (e.g. 4,000 ownerless groups and the policy is configured to send notification to 3 members per group – that gives us 12,000 notifications to send)? Would the policy send 10k notifications and the rest 2k notifications the next day?
I’m conducting an experiment. I created 10k groups in my lab tenant with one owner and 3 random members. Then I configured a policy that is sending notification to a 3 most active members (in this case – random members). And then I made all these groups ownerless by deleting the single owner Id from Azure AD (Microsoft Entra).
Here is what I got from users perspective:
user
user groups number
got messages day 1
got messages day 2
got messages total
1 Roger
5012
1374
2 Dick
5039
1349
3 Bob
5108
3412
4 Bapu
4908
1376
5 Stas
4996
1437
6 David
4959
1377
total
10325
Here is what audit log says:
Events “OwnerlessGroupNotified” day 1: 4949 Events “OwnerlessGroupNotified” day 2: 95 Events “OwnerlessGroupNotified” total: 5044 Each event details says 3 members were notified.
It seems like groups are selected by policy in random order.
Massive E-mails sending was started 43 minutes after midnight UTC
“OwnerlessGroupNotified” were logged at the rate of 1925 events during 1-st hour, 2029 events during 2-nd hour, 785 events during 3-rd hour, 176 events during 4-th hour, 26 events during 5-24 th hour, 95 events during next 25-48 hours so max rate was one event every 3 seconds in the beginning (or 1 e-mail per second) …
