@drtomasso
Last active March 17, 2023 11:35
PowerShell script to extend the expiration date of Microsoft 365 groups using Azure Automation and Managed Identity
<#
.SYNOPSIS
    This PowerShell script extends the expiration date of Microsoft 365 groups and sends the results to a Microsoft Teams channel.
.DESCRIPTION
    To use this script with Azure Automation, follow these steps:
    1. Create an Azure Automation account in the Azure portal.
    2. Import the required modules (Az.Accounts, Microsoft.Graph.Authentication) into the Automation account.
    3. Create a new PowerShell Runbook and paste the entire script.
    4. Save and publish the Runbook.
    5. Create a Managed Identity for the Automation account:
       a. In the Automation account, go to the "Identity" tab under "Settings."
       b. Enable the System Assigned Managed Identity.
    6. Grant the Managed Identity necessary permissions to read and update groups:
       a. Go to the Azure AD portal.
       b. Find the Enterprise Application corresponding to the Managed Identity.
       c. Add the required API permissions (Group.ReadWrite.All) and grant admin consent.
    7. Schedule the Runbook to run automatically as needed.
    You only need to update the values at the beginning of the script, where indicated. No other changes are required.
.NOTES
    Author: Tomas Kirkegaard
#>

# Replace the placeholders with your actual values
# The webhook URL works like a credential (anyone who has it can post to the channel),
# so keep copies of this runbook out of shared locations once the real value is filled in.
$WebhookUrl = "your_webhook_url"
$GroupIDs = @("group_id_1", "group_id_2", "group_id_3")

# You don't need to change anything below this line #
#---------------------------------------------------#

# Import the required modules
# Invoke-MgGraphRequest and Connect-MgGraph ship in Microsoft.Graph.Authentication
Import-Module Az.Accounts
Import-Module Microsoft.Graph.Authentication

function Send-TeamsMessage {
    param(
        [string]$WebhookUrl,
        [string]$Title,
        [string]$Color,
        [string]$Text,
        [array]$Facts
    )

    # -Depth is required: at the default depth of 2 the nested facts are
    # flattened to "System.Collections.Hashtable" instead of being serialized
    $Body = @{
        "@type"      = "MessageCard"
        "@context"   = "http://schema.org/extensions"
        "themeColor" = $Color
        "title"      = $Title
        "text"       = $Text
        "sections"   = @(
            @{
                "facts" = $Facts
            }
        )
    } | ConvertTo-Json -Depth 5 -Compress

    Invoke-RestMethod -Method Post -Uri $WebhookUrl -Body $Body -ContentType "application/json"
}

# Authenticate with the managed identity
Connect-AzAccount -Identity | Out-Null

# Application permissions come from the app roles granted to the identity (step 6),
# so no scope is requested here.
$Token = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token

# Assumption: Microsoft.Graph.Authentication 2.x, where Connect-MgGraph takes the token as a SecureString.
# Older Az.Accounts versions return the token as a plain string, newer ones as a SecureString.
if ($Token -is [string]) {
    $Token = ConvertTo-SecureString -String $Token -AsPlainText -Force
}
Connect-MgGraph -AccessToken $Token | Out-Null

# Initialize result message and facts array
$ResultMessage = "Results of extending group expiration dates:"
$FactsArray = @()

# Iterate through the list of group IDs and extend the expiration date for each group
foreach ($GroupID in $GroupIDs) {
    try {
        # Get the desired group and calculate the new expiration date
        $Group = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/groups/$GroupID" -ErrorAction Stop
        $GroupName = $Group.displayName
        $CurrentExpiration = $Group.expirationDateTime

        # Work in UTC so the trailing "Z" in the formatted value is accurate
        $NewExpiration = ([datetime]$CurrentExpiration).ToUniversalTime().AddYears(1).ToString("yyyy-MM-ddTHH:mm:ssZ")

        # Extend the expiration date (body built with ConvertTo-Json so it is valid, double-quoted JSON)
        # Note: the Microsoft Graph group documentation lists expirationDateTime as read-only and gives
        # POST /groups/{id}/renew as the renewal call; a rejected PATCH ends up in the catch block below.
        $PatchBody = @{ expirationDateTime = $NewExpiration } | ConvertTo-Json -Compress
        Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/groups/$GroupID" -Body $PatchBody -ContentType "application/json" -ErrorAction Stop

        # Add the fact to the facts array
        $FactsArray += @{
            "name"  = "Group:"
            "value" = "$GroupName"
        }
        $FactsArray += @{
            "name"  = "New Expiration Date:"
            "value" = "$NewExpiration"
        }
    } catch {
        # Keep the failure reason in the runbook job stream
        Write-Warning "Group ${GroupID}: $($_.Exception.Message)"

        # Add the error fact to the facts array
        $FactsArray += @{
            "name"  = "Error for Group ID:"
            "value" = "$GroupID"
        }
    }
}

# Send the result message to Microsoft Teams using the function
Send-TeamsMessage -WebhookUrl $WebhookUrl -Title "Azure Automation Script Results" -Color "0078D7" -Text $ResultMessage -Facts $FactsArray
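
Added example (not part of the original gist): one way to carry out step 6 from an administrator's PowerShell session with the Microsoft Graph PowerShell SDK, listing the application permissions the managed identity already holds before assigning `Group.ReadWrite.All` once. The Automation account name `aa-group-renewal` is a hypothetical placeholder, and the session is assumed to belong to an account allowed to consent to the two scopes requested.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications
# Added example: run interactively by an administrator, not inside the runbook.

$AutomationAccountName = 'aa-group-renewal'                  # hypothetical name, replace with yours
$RequiredRole          = 'Group.ReadWrite.All'               # the permission named in step 6
$GraphAppId            = '00000003-0000-0000-c000-000000000000'  # Microsoft Graph's well-known application ID

Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' | Out-Null

# A system-assigned managed identity appears as a service principal named after its resource.
$Identity = @(Get-MgServicePrincipal -Filter "displayName eq '$AutomationAccountName'" |
    Where-Object { $_.ServicePrincipalType -eq 'ManagedIdentity' })
if ($Identity.Count -ne 1) {
    throw "Expected exactly one managed identity named '$AutomationAccountName', found $($Identity.Count)."
}
$Identity = $Identity[0]

# Resolve the application (app-only) role on the Microsoft Graph service principal.
$Graph = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$Role  = $Graph.AppRoles | Where-Object {
    $_.Value -eq $RequiredRole -and $_.AllowedMemberTypes -contains 'Application'
}
if (-not $Role) { throw "App role '$RequiredRole' not found on Microsoft Graph." }

# Audit first: show every application permission the identity already holds,
# so broader-than-needed grants are visible before another one is added.
$Existing = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Identity.Id -All)
foreach ($Assignment in $Existing) {
    $RoleName = if ($Assignment.ResourceId -eq $Graph.Id) {
        ($Graph.AppRoles | Where-Object { $_.Id -eq $Assignment.AppRoleId }).Value
    } else {
        $Assignment.AppRoleId   # role on another resource: show the raw ID
    }
    Write-Output "Existing: $($Assignment.ResourceDisplayName) / $RoleName"
}

# Assign the role only if it is missing, so the script can be re-run safely.
$AlreadyGranted = $Existing | Where-Object {
    $_.ResourceId -eq $Graph.Id -and $_.AppRoleId -eq $Role.Id
}
if ($AlreadyGranted) {
    Write-Output "$RequiredRole is already assigned; nothing to do."
} else {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Identity.Id `
        -PrincipalId $Identity.Id -ResourceId $Graph.Id -AppRoleId $Role.Id | Out-Null
    Write-Output "Assigned $RequiredRole to $AutomationAccountName."
}
```

`Group.ReadWrite.All` applies to every group in the tenant, so the audit output is worth reviewing whenever the runbook's list of group IDs changes.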