Office 365 Knowledgebase : Service account lifecycle project update

Feedback: One of the primary issues raised was around who should receive account renewal notifications. What we heard from administrators is that emailing the service account itself is not always the best way to reach those who can speak for the account.

Our Response: By default, the notifications will go to the service account email mailbox, but domain administrators or authorized administrators will be able to change the notification address to be any, or all, of the following:

• Authorized administrators
• Domain administrators
• Individuals with mailbox access, with any of the following permissions:
• Full mailbox
• Send as
• Send on behalf
• An alternate email address supplied by the administrator (e.g. a Google Group address)

Feedback: The renewal notification emails need to have sufficient context for the recipient to understand which account is expiring.

Our Response: This was great feedback and we are making the following changes to ensure that recipients understand what account is expiring:

• We will include all of the email aliases associated with the service account in the renewal email.
• Domain administrators will be able to add custom text to the standard renewal email, providing additional context that we may not be aware of.
• Administrators will be able to add custom text to the renewal notification sent to a specific account or to all accounts in the domain.
• Administrators will also be able to preview what the renewal notification will look like within the Wisc Account Admin site.

Feedback: Domain Administrators would like to be able to easily see the renewal status of service accounts, and download a report of accounts and their expiration dates.

Our Response: The Wisc Account Admin site will have a new service account page that includes the following:

• Expiration dates for all service accounts in the domain
• Date when the service account is eligible to be renewed
• Links to manage the account’s renewal activity
• Option to export the information to a .csv file

Additionally, the individual service account page will show a log of when renewal emails were sent and who last renewed the account.

Feedback: Some domain administrators would like to be able to renew service accounts rather than expecting account user(s) to respond to the renewal email.

Our Response: We are supporting this request in a couple of ways:

• First, administrators can change the renewal notification email to go to themselves or to a custom email address (see above).
• Second, domain and authorized administrators will be able to renew service accounts directly from the Wisc Account Admin site's account administration page. A renewal option will only appear on the page when the account is within 6 months of its expiration.

Feedback: A common question was if we will offer exemptions for critical accounts to ensure they are not accidentally deleted. Examples include accounts used with ticketing systems, privileged accounts used with other services, or accounts associated with campus VIPs.

Our Response: We are working on an alternative to service accounts for some of these use cases.

We will also offer an exemption request process. The request must include a business case and will be reviewed to verify that no reasonable alternative exists.

Feedback: People are confused by the timeline for account deactivation and deletion. The Microsoft 365 team presented a 12 month timeline to deactivation but they plan to send renewal notifications 6 months after the last renewal.

Our Response: We agree and we are modifying our approach and how we describe the process.

• Instead of setting a renewal date on the account, we will set an expiration date.
• 6 months before the account is set to expire, we will begin sending monthly renewal notifications.
• When an account is renewed, it will set the next expiration date to be 1 year from the original expiration date.
• We will also develop a visual aid for the renewal lifecycle.

Example renewal:

• Jan 5, 2026: A new service account, example-account@doit.wisc.edu, is provisioned, and the expiration date is set to Jan 5, 2027 (1 year from the creation date)
• July 5, 2026 (6 months before expiration date): We begin sending monthly email notifications saying the account is ready for renewal
• On Sept 15, 2026: Someone affiliated with the account clicks the renewal link and renews the service account
• The account’s expiration date is reset to Jan 5, 2028 (1 year from the original expiration date)

Feedback: Sending a renewal email with a link that people need to click and may redirect to the NetID login page is going to look like a phish.

Our Response: Yes, it will. We hope the following will help reassure people that it is not a phishing attempt:

• Administrators will be able to provide custom content to the renewal notification emails.
• We will have KB articles and a robust communication campaign to raise awareness before people start receiving the notifications.

We are working on other ways to make the email look less like a phishing email. If you have other suggestions, please email us.

Feedback: What about records retention?

Our Response: We are working with the University Archives and Office of Compliance to determine if there are records retention concerns related to deleting service accounts that are different from deleting NetID accounts or Office365 Groups. We expect to have a better answer and specific guidance prior to rollout.

Feedback: Domain administrators would like a report with the last activity date for service accounts in their domains.

Our Response: Unfortunately this isn’t something we can provide. Account "activity" includes a wide range of possible actions, many of which are not directly visible within M365. If we could produce a truly meaningful report of account activity, we would take a different approach to service account lifecycle management.