Microsoft 365 - Service Account Lifecycle Process

January 5, 2026.

Yes.

• Phase 1: All new service accounts created on/after January 5, 2026 will be provisioned with an expiration date set 1 year from their creation date.
• Phase 2: Starting in July of 2026, service accounts created prior to January 5, 2026 will also begin receiving expiration notifications. The month and day of their expiration will be based on their original creation date. Example: If a service account was created on January 12, 2019, its initial expiration date will be set to January 12, 2027. 

The goal is to set expiration dates and send initial expiration notifications to all existing service accounts by July 2027. Please note that these projections may change as we finalize details and incorporate campus feedback.

Service accounts will now be configured for 12 month expiration lifecycle process. Below is what you can expect.

• 6 months before the account is set to expire, we will begin sending monthly expiration notifications.
• When an account is renewed, it will set the next expiration date to be 1 year from the original expiration date.
• After 6 months if the account has not been renewed it will be soft-deleted but is still recoverable
• 30 days after an account is soft-deleted Microsoft purges the account. At that point the contents of the account are no longer recoverable.

Example renewal:

• Jan 5, 2026: A new service account, name@doit.wisc.edu, is provisioned/created, and the expiration date is set to Jan 5, 2027 (1 year from the creation date)
• July 5, 2026 (6 months before expiration date): We begin sending monthly email notifications with the expiration date and instructions for how to renew
• On Sept 15, 2026: Someone affiliated with the account clicks the renewal link and renews the service account
• The account’s expiration date is reset to Jan 5, 2028 (1 year from the original expiration date)

By default, the notifications will go to the service account email mailbox, but domain or authorized administrators will be able to change the notification address to be any, or all, of the following:

• Authorized administrators
• Domain administrators
• Individuals with mailbox access, with any of the following permissions:
• Full mailbox
• Send as
• Send on behalf
• An alternate email address supplied by the administrator (e.g. a Google Group address)

Configure who receives the notification:

1. Log into Wisc Account Administration site.
2. Search for or select the service account.
3. Expand Account Administration tab.
4. Click Renewal.
5. Under the "Renewal Notification Recipients" section, modify the settings per your needs.
6. When complete, click Save Selections.

Once an account is within six months of its expiration, it will start to receive expiration notification emails on a monthly basis until either it is renewed or soft deleted.

• It will include:
  • all of the email aliases/addresses associated with the service account
  • the date the account will be soft deleted
  • instructions on how to renew the account before it is soft delete
  
  Please see following article to review the content of these emails and how an account can be renewed: Microsoft 365 - Service account expiration notifications and renewal.
  
  All custom text will be included within the expiration notification emails.

• Domain administrators will be able to add custom text to the expiration notification emails sent to all service accounts in the domain. Follow these steps to modify this information:
  1. Log into Wisc Account Administration site.
  2. From the Delegated Administration page select the domain of the service accounts you want to modify the expiration notifications.
  3. Expand Account Expiration tab.
  4. Add custom message to the Customized Renewal Message text box.
  5. Click Save Message.
• Authorized administrators and Domain administrators will be able to add custom text to the expiration notification sent to specific accounts. Follow these steps to modify this information:
  1. Log into Wisc Account Administration site.
  2. Search for or select the service account.
  3. Expand Account Administration tab. 
  4. Click Renewal.
  5. Scroll down to the Customized Renewal Message section.
  6. Enter the service account specific message to be included in the expiration notification. 
  7. Click Save Message. 
• Administrators will also be able to preview what the expiration notification will look like within the Wisc Account Admin site.
  1. Log into Wisc Account Administration site.
  2. Search for or select the service account.
  3. Expand Account Administration tab. 
  4. Click Renewal.
  5. Scroll down to the Preview Renewal Email section.
  6. Click Show preview.

For complete details on the email notification and its content, please review Microsoft 365 - Service account expiration notifications and renewal.

When a service account reaches its expiration date, it will no longer be accessible or receive any emails. The account will be soft deleted.

An account will stay within soft deleted state for approximately 30 days.

Yes - in most cases. Soft deleted accounts can be restored in Microsoft Azure Active Directory for 30 days. However, this relies on Microsoft and is not within our direct control.

As a domain administrator, follow these steps to attempt to restore an account which is in the soft deleted state:

1. Log into Wisc Account Administration site.
2. Select the domain which is hosting the service account.
3. Expand Domain Administration tab.
4. Click Deleted Accounts.
5. Within the "Deleted Account" page, find the service account and click Recover Deleted Account link.
   
   Note: The account should be available shortly after Recover Deleted Account is initiated but the timing depends on Microsoft. Factors such as mailbox size or complexity may impact how long it takes to fully recover the account. If the account is not available after 48 hours of recovery, please contact DoIT Help Desk.

 The Wisc Account Administration site will have a service account page that includes the following:

• Expiration dates for all service accounts in the domain
• Date when the service account is eligible to be renewed
• Links to manage the account’s renewal activity
• Option to export the information to a .csv file

Additionally, the individual service account page will show a log of when expiration emails were sent and who last renewed the account.

List of all accounts and their expiration:

1. Log into Wisc Account Administration site.
2. Select the domain you want to manage from the "Delegated Administration" tab.
3. Expand Domain Administration tab.
4. Click Account Expiration. A listing of all the service accounts within the domain will be listed.

Note: Within this page, you also have the option to receive a csv formatted file containing this information by clicking on the 'Request expiration report' link.

• Domain administrators can change the expiration notification email to go to themselves or to a custom email address (see above).
• In addition, domain and authorized administrators will be able to renew service accounts directly from the Wisc Account Admin site's account administration page. 

To renew an account:

1. Log into Wisc Account Administration site.
2. Search for or select the service account.
3. Expand Account Administration tab.
4. Click Renewal.
5. Within the top section, click Renew Account button.

Important: A renewal option will only appear on the page when the account is within 6 months of its expiration.

We understand that there are service accounts that are critical to campus operations and IT Partners have expressed concern that expiration/renewal notifications will be missed, misunderstood or misdirected. We have addressed these concerns with the following changes to the Service Account Life-cycle:

• Greater flexibility to define who receives the expiration/renewal notifications.
• Admins have the option to include custom messages in the expiration/renewal notifications.
• Service Accounts that don't require a username/password can be converted to Shared Mailboxes. Shared Mailboxes do not have the same yearly renewal requirement.

If you have reviewed these options and they do not address your use case, please have your domain administrator contact us so we can better understand the technical challenges that you are encountering.

Domain administrators can submit a support ticket with the DoIT Help Desk. Please make sure to provide the following information:

• The email address of the service account.
• Detailed information about how the service account is used.
• Why a Shared Mailbox is not a viable alternative for the use case or workflow.

Requests will be reviewed by UW-Madison Microsoft 365 leadership and processed accordingly.

The UW-Madison Microsoft 365 team will make every effort to format the content of these emails for secure delivery and usage.

In addition, domain administrators will be able to provide custom content to the expiration notification emails.

Yes. The UW-Madison Microsoft 365 team has released a new account type called 'shared mailbox'. Please see Microsoft 365 - Getting Started with Shared Mailboxes for complete details.

If the service account is only used for email and calendaring, it is highly recommended it be converted to a shared mailbox.

Reasons to convert a service account to a shared mailbox account:

• Shared mailbox accounts are exempted from the normal service account life-cycle process.
• Shared mailbox accounts will be accessed and interacted with the same way users currently do via Outlook clients - no training is needed.
• Wisc Account Administration site is used to manage shared mailbox accounts. 

UW-Madison Microsoft 365 team is working with the University Archives and Office of Compliance to determine if there are records retention concerns related to deleting service accounts that are different from deleting NetID@wisc.edu accounts or Microsoft 365 Groups. This information will be updated once we have a response.