O365 Group auto delete notification problems


We turned on the group auto delete option, (because users are creating tons of junk groups), but now we have another problem.


For years we have been training end users to ignore any email that looks like it's a phishing attempt.  What are some signs of a phishing attempt you ask?  Emails that say things like "Action required", or "You must do this or something bad will happen".  Key words to get people to act before they stop and think about it.


Then, after a few other problems, we started stamping every email that comes in from outside the company as "External" in the subject line.  That way it highlights to the employee that this is not an internal IS email.


Now users are getting the 0365 group renewal notices, and since they look like obvious phishing attempts, (they are stamped External so that makes them look even more suspicious). the users are not clicking on Renew, so then the group gets auto-deleted.  :(


So we are trying to figure out how to handle this.  One option would be to whitelist anything from, but we don't want to do that.  Another option would be to whitelist anything from microsoft's IP block, but we really don't want to do that and get crap from everyone on MS's cloud.  


So we are thinking about a whitelist for things that come from both microsoftonline and MS's IP range.  Instead of "External" we'd put in something like "Trusted Sender" or something like that.


Does anyone see any problems with that?  And if not, does anyone know MS's IP block?  I had it at some point in the past, but now I can't find it.


Thanks for any suggestions.



P.S. It would REALLY be nice if MS would give us the ability to customize these messages so that the users would think it's coming from our IT department.

7 Replies

I was wondering if a Flow could do this for you instead...alas there isn't a pre-built trigger for group creation.  Seems like a hole to me in the triggers and actions.  That way you could control the process.  


I suppose that you could trap for the emails by content (they all have the same basic format) using an Exchange Rule and then route them to a specified mailbox and trap that with a Flow trigger.  That would at least allow you to track this is happening and even assign some tasks to a person.  In theory you could call a PowerShell cmdlet to remove the group after the owners respond.

If you wanted to, you could create your own version of the "expired" groups functionality with PowerShell. I explained how and provided an example script in the post at



Thanks for the response.  When I click on your email below I get the post you made on this site, but then when I click on the link in that post, (the one going to, I get an error about " 

Error 1016 Ray ID: 3d815047998a253d • 2018-01-04 21:32:59 UTC

Origin DNS error"


I'd really like to see that article, so if you have another link to it I'd love to see it.




Looks like is down. I know that Blue Whale Web (the owner of the site) is revamping its properties, so this might account for the problem. The script is in the TechNet gallery at (I just checked). I shall have to see if I have a copy of the article somewhere.

best response confirmed by Ted McLaughlin (Contributor)

I found a copy of the article and will republish after I refresh it (eighteen months is a long time in the cloud). I am also going to update the script so that it reports some information about Teams... You'd have to do the work to generate email etc., but that's not all that hard.

Thanks for your help with this.  I'm extremely dangerous with powershell, so I'm more than happy to copy and paste someone else's work.  Especially someone who knows what they are doing.  :)




Just because someone can write a script is no indication of proficiency. At this point in my career, I am a hacker rather than a programmer, and proud to say that I enjoy hacking with PowerShell.