OffboardUser.ps1
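# OffboardUser.ps1
#
# Offboards an Office 365 / Azure AD user. Prompts for the departing user's
# UPN and for a delegate, then:
#   1. removes the user's manager and all Microsoft 365 (Unified) group
#      memberships, handing any group ownership to the delegate first;
#   2. resets the password to a random value and revokes refresh tokens;
#   3. converts the mailbox to shared, forwards it to the delegate and grants
#      the delegate FullAccess;
#   4. lists distribution-group memberships, removes mail-enabled security
#      group memberships, disables the account and removes Azure AD
#      security-group memberships.
#
# Requires the ExchangeOnlineManagement, AzureAD and MSOnline modules (all three
# connections are established interactively below).
Connect-ExchangeOnline
Connect-AzureAD
Connect-MsolService

$upn = Read-Host 'Offboarding Office 365 Username:'
$Delegate = Read-Host 'Username of who is going to be having access to shared mailbox'

# Resolve both accounts exactly by UPN. -SearchString is a prefix match and can
# return several users; resolving the delegate loosely could hand mailbox
# access and group ownership to the wrong person, so -ObjectId is used and the
# script stops if either account cannot be found.
$User = Get-AzureADUser -ObjectId $upn -ErrorAction Stop
$AZdelegate = Get-AzureADUser -ObjectId $Delegate -ErrorAction Stop
Remove-AzureADUserManager -ObjectId $User.ObjectId
#.\Remove_User_All_Groups.ps1 $upn -verbose -includeaadsecuritygroups

#---------------------------------------------------------[Declarations]--------------------------------------------------------
# Arrays for capturing the actions
$owned = @()
$memberof = @()

#---------------------------------------------------------[Execution]--------------------------------------------------------
# Get all of the Office 365 groups
$azgroups = Get-AzureADMSGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All:$true
Write-Output "$($azgroups.Count) Office 365 groups were found"

# Check each group for the user. -All:$true is required on the member/owner
# lookups: without it only the first page is returned and a user in a large
# group would silently be left in place.
foreach ($group in $azgroups) {
    $owners = Get-AzureADGroupOwner -ObjectId $group.Id -All:$true
    # Ownership is handled before membership (and independently of it), so an
    # owner-only user is not skipped and the group is never left orphaned.
    if ($owners.UserPrincipalName -contains $upn) {
        if ($owners.ObjectId -notcontains $AZdelegate.ObjectId) {
            # Add the delegate as a new owner to prevent an orphaned group
            Write-Output "$Delegate was added as a new owner"
            Add-AzureADGroupOwner -ObjectId $group.Id -RefObjectId $AZdelegate.ObjectId
        }
        # Now we can remove the user
        Write-Output "$upn was removed as owner of $($group.DisplayName)"
        Remove-AzureADGroupOwner -ObjectId $group.Id -OwnerId $User.ObjectId
        $owned += $group
    }

    $members = (Get-AzureADGroupMember -ObjectId $group.Id -All:$true).UserPrincipalName
    if ($members -contains $upn) {
        Remove-AzureADGroupMember -ObjectId $group.Id -MemberId $User.ObjectId
        Write-Output "$upn was removed from $($group.DisplayName)"
        $memberof += $group
    }
}

# Groups that the user owned:
Write-Output "$upn was removed as Owner of:"
$owned | Select-Object DisplayName, Id
# Groups that the user was a member of:
Write-Output "$upn was removed as Member of:"
$memberof | Select-Object DisplayName, Id

# Reset the password to a random value. The generated value must be passed
# unquoted (or in double quotes): a single-quoted '$Password' would set the
# literal, guessable string "$Password" on every offboarded account.
# System.Web is not loaded by default in Windows PowerShell, hence Add-Type.
Add-Type -AssemblyName System.Web
$Password = [System.Web.Security.Membership]::GeneratePassword(10, 2)
Set-MsolUserPassword -UserPrincipalName $upn -ForceChangePassword $false -NewPassword $Password
# Invalidate existing sessions so the old credentials cannot be reused
Revoke-AzureADUserAllRefreshToken -ObjectId $User.ObjectId

# Convert the mailbox to shared; the sleep gives the conversion time to settle
# before the remaining mailbox settings are applied.
Set-Mailbox -Identity $upn -Type Shared
Start-Sleep -Seconds 90
Set-Mailbox -Identity $upn -MessageCopyForSentAsEnabled $true
Set-Mailbox -Identity $upn -MessageCopyForSendOnBehalfEnabled $true
Set-Mailbox -Identity $upn -HiddenFromAddressListsEnabled $true
#Set-MailboxAutoReplyConfiguration -Identity $upn -AutoReplyState Enabled -InternalMessage "$upn is no longer with COMPANY. Your email has been forwarded to $delegate and will be handled by them. Please update your contact information accordingly. If you have any questions or issues, please feel free to call us at NUMBER" -ExternalMessage "$upn is no longer with COMPANY. Your email has been forwarded to $delegate and will be handled by them. Please update your contact information accordingly. If you have any questions or issues, please feel free to call us at NUMBER"
Set-Mailbox -Identity $upn -DeliverToMailboxAndForward $true -ForwardingSMTPAddress $Delegate
Add-MailboxPermission -Identity $upn -User $Delegate -AccessRights FullAccess
# NOTE: the new password is written to the console (and to any transcript);
# the account is disabled further down, so the value is only needed if the
# shared mailbox must be signed into directly.
Write-Host "Completed. Password changed to $Password for account $upn"

# Distribution groups the user is still a member of. These are reported only
# (no removal), matching the script's original behaviour; -ResultSize
# Unlimited avoids the default result cap on large tenants.
$DistributionGroups = Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { (Get-DistributionGroupMember -Identity $_.Identity -ResultSize Unlimited | ForEach-Object { $_.PrimarySmtpAddress }) -contains $upn }
$DistributionGroups

# Get all mail-enabled security groups
$SecurityGroups = Get-DistributionGroup -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "MailUniversalSecurityGroup"}
# Remove the user from each security group. Removal is attempted on every
# group; a group the user is not in raises an error, which is reported
# without aborting the loop.
foreach ($Group in $SecurityGroups) {
    Write-Host "Removing user $($User.DisplayName) from $($Group.DisplayName)..."
    try {
        Remove-DistributionGroupMember -Identity $Group.Identity -Member $upn -Confirm:$false -ErrorAction Stop
    }
    catch {
        Write-Host -ForegroundColor Red "Error:" $_.Exception.Message
    }
}
# NOTE(review): -ForceUpgrade only suppresses the legacy-object upgrade prompt
# on Set-DistributionGroup; it does not reprocess licenses. Confirm this step
# is still wanted.
foreach ($Group in $SecurityGroups) {
    Write-Host "Reprocessing licenses for $($Group.DisplayName)..."
    Set-DistributionGroup -Identity $Group.Identity -ForceUpgrade
}

# Disable the account
Set-AzureADUser -ObjectId $User.ObjectId -AccountEnabled $false

# Remove the user from non-mail-enabled Azure AD security groups. Dynamic
# groups and other groups that reject manual removal are reported per group
# rather than aborting the script.
try {
    $GroupMemberships = Get-AzureADUserMembership -ObjectId $User.ObjectId -All:$true |
        Where-Object { $_.ObjectType -eq "Group" -and $_.SecurityEnabled -eq $true -and $_.MailEnabled -eq $false }
    foreach ($Group in $GroupMemberships) {
        try {
            Remove-AzureADGroupMember -ObjectId $Group.ObjectId -MemberId $User.ObjectId -ErrorAction Stop
            Write-Host "Removed user from Group: $($Group.DisplayName)"
        }
        catch {
            #Remove-DistributionGroupMember -identity $group.mail -member $userid -BypassSecurityGroupManagerCheck # -Confirm:$false
            Write-Host -ForegroundColor Red "Error:" $_.Exception.Message
        }
    }
}
catch {
    Write-Host -ForegroundColor Red "Error:" $_.Exception.Message
}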