#Script was generated by ChatGPT and then modified (heavily at this point)
# Optionally sign in to the three services this script drives: MSOnline,
# Azure AD and Exchange Online. Any answer other than "yes" skips the sign-in,
# in which case the cmdlets further down need sessions that are already open.
# NOTE(review): Microsoft has deprecated the MSOnline and AzureAD modules in
# favour of Microsoft Graph PowerShell - plan a migration for this script.
$connect_answer = Read-Host -Prompt "Do you need to connect to AzureAD\ExcghangeOnline\MsolService Modules? (yes/no)"
if ($connect_answer -eq 'yes') {
    # Output of the connect cmdlets is discarded to keep the console clean.
    $null = Connect-MsolService
    $null = Connect-AzureAD
    $null = Connect-ExchangeOnline
}
# Summary shown to the operator before any account is touched.
# TODO: add "Remove all licensing" to this list once that step works; until
# then licences stay assigned and have to be reclaimed by hand.
$action_summary = "This script will perform the following actions on a users o365 account:`n
-Block sign-in's
-Hide user from the global address list (GAL)
-Convert the mailbox into a shared mailbox
-Place an X in front of the display name
-Remove from all groups `n"
Write-Host -ForegroundColor Yellow $action_summary
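# Ask for the CSV that lists the accounts to offboard and load it into
# $user_list. The offboarding loop reads the UserPrincipalName column of
# every row, so that column is required.
#
# Read-Host returns the text exactly as typed. The prompt tells the operator
# to quote paths containing spaces, so surrounding quotes are stripped here
# instead of being handed to Import-Csv as part of the file name.
$csv_path = (Read-Host -Prompt "`nEnter filepath of CSV, including name of CSV and file extension. (Will need to surround path in quotes ONLY IF there are spaces").Trim().Trim('"', "'")

# Stop before any account is modified when the input cannot be trusted:
# a missing file or a missing column would otherwise let the script run to
# its "Script Completed" banner without having offboarded anyone.
if ([string]::IsNullOrWhiteSpace($csv_path)) {
    throw "No CSV path was entered."
}
if (-not (Test-Path -LiteralPath $csv_path -PathType Leaf)) {
    throw "CSV file not found: $csv_path"
}

# -LiteralPath keeps characters such as [ and ] in the file name from being
# treated as wildcards.
$user_list = @(Import-Csv -LiteralPath $csv_path -ErrorAction Stop)

if ($user_list.Count -eq 0) {
    throw "CSV file contains no rows: $csv_path"
}
if (-not ($user_list[0].PSObject.Properties.Name -contains 'UserPrincipalName')) {
    throw "CSV file has no 'UserPrincipalName' column: $csv_path"
}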
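# Offboard each account listed in $user_list, one CSV row at a time.
#
# A status line is printed only after the matching cmdlet has succeeded, and
# every failure is recorded, so a run cannot look clean while an account is
# still enabled, still visible in the GAL or still a member of a group.
$accounts_needing_review = @()

if (@($user_list).Count -eq 0) {
    Write-Host -ForegroundColor Red "No rows were loaded from the CSV; nothing was offboarded."
}

foreach ($user_object in $user_list) {
    $upn = "$($user_object.UserPrincipalName)".Trim()
    if ([string]::IsNullOrWhiteSpace($upn)) {
        Write-Host -ForegroundColor Red "Skipping a CSV row with an empty UserPrincipalName."
        $accounts_needing_review += '(row with empty UserPrincipalName)'
        continue
    }

    # The UPN is file input. Doubling any apostrophe keeps the value inside
    # the quoted OData literal instead of ending it early.
    $filter_upn = $upn.Replace("'", "''")
    $matches_found = @(Get-AzureADUser -Filter "userPrincipalName eq '$filter_upn'")

    # Without exactly one match there is no object to act on. Skip the row
    # rather than print success lines for an account that was never changed.
    if ($matches_found.Count -ne 1) {
        Write-Host -ForegroundColor Red "Skipping '$upn': expected exactly one Azure AD user, found $($matches_found.Count)."
        $accounts_needing_review += $upn
        continue
    }
    $user = $matches_found[0]
    $failed_steps = @()

    Write-Host -ForegroundColor Yellow "`nBeginning offboarding process for: $($user.UserPrincipalName)"

    # Disable the account, then revoke its refresh tokens. The revoke call is
    # not redundant: access tokens issued before the disable can stay valid
    # until they expire, and revoking refresh tokens stops them being renewed.
    try {
        Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false -ErrorAction Stop
        Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId -ErrorAction Stop
        Write-Host -ForegroundColor Cyan "Sign-in's are blocked."
    }
    catch {
        $failed_steps += 'block sign-in / revoke tokens'
        Write-Host -ForegroundColor Red "FAILED to block sign-in or revoke tokens: $($_.Exception.Message)"
    }

    # Hide the user from the global address list in Exchange.
    try {
        Set-Mailbox -Identity $user.UserPrincipalName -HiddenFromAddressListsEnabled $true -ErrorAction Stop
        Write-Host -ForegroundColor Cyan "User has been hidden from the global address list."
    }
    catch {
        $failed_steps += 'hide from GAL'
        Write-Host -ForegroundColor Red "FAILED to hide user from the global address list: $($_.Exception.Message)"
    }

    # Convert the mailbox to a shared mailbox.
    try {
        Set-Mailbox -Identity $user.UserPrincipalName -Type Shared -ErrorAction Stop
        Write-Host -ForegroundColor Cyan "Mailbox has been converted to a shared mailbox."
    }
    catch {
        $failed_steps += 'convert to shared mailbox'
        Write-Host -ForegroundColor Red "FAILED to convert mailbox to shared: $($_.Exception.Message)"
    }

    # Prefix the display name with "X-" to mark the account as offboarded.
    try {
        Set-AzureADUser -ObjectId $user.ObjectId -DisplayName ("X-" + $user.DisplayName) -ErrorAction Stop
        Start-Sleep -Seconds 5
        Write-Host -ForegroundColor Cyan "Display name updated with 'X' in front.`n"
    }
    catch {
        $failed_steps += 'update display name'
        Write-Host -ForegroundColor Red "FAILED to update display name: $($_.Exception.Message)"
    }

    # Wait 5 seconds before moving on. Some groups are controlled by GAL visibility.
    Start-Sleep -Seconds 5

    # Remove the user from every group and print the group names.
    # -All $true requests the full membership list instead of only the first
    # page, so a user in many groups does not keep the remainder.
    # NOTE(review): this listing may also return directory roles, which the
    # group cmdlet cannot remove; they would land in the catch branch below.
    # Confirm, and remove admin role assignments separately.
    $groups = @()
    try {
        $groups = @(Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true -ErrorAction Stop)
    }
    catch {
        $failed_steps += 'list group memberships'
        Write-Host -ForegroundColor Red "FAILED to list group memberships: $($_.Exception.Message)"
    }

    Write-Host -ForegroundColor Yellow "Removed from Groups:"
    foreach ($group in $groups) {
        try {
            Remove-AzureADGroupMember -ObjectId $group.ObjectId -MemberId $user.ObjectId -ErrorAction Stop
            Write-Host -ForegroundColor Cyan "$($group.DisplayName)"
        }
        catch {
            # Some DL groups are controlled by GAL visibility and cannot be
            # removed this way (at least for SSG).
            $failed_steps += "remove from group '$($group.DisplayName)'"
            Write-Host -ForegroundColor Red "Unable to remove group: $($group.DisplayName) `nPlease seek manual intervention in o365 tenant."
        }
    }

    # Devices are only listed for follow-up; nothing here disables or wipes them.
    Write-Host -ForegroundColor Green "`nDevices associated to user per intune:"
    Get-MsolDevice -RegisteredOwnerUpn $user.UserPrincipalName |
        Format-List DisplayName, DeviceOsType, DeviceTrustLevel, DeviceTrustType, Enabled, ApproximateLastLogonTimestamp

    if ($failed_steps.Count -gt 0) {
        $accounts_needing_review += $upn
        Write-Host -ForegroundColor Red "Process finished WITH ERRORS for: $($user.DisplayName) || $($user.UserPrincipalName)"
        Write-Host -ForegroundColor Red "Failed steps: $($failed_steps -join '; ')"
    }
    else {
        Write-Host -ForegroundColor Yellow "Process completed for: $($user.DisplayName) || $($user.UserPrincipalName)"
    }
    Write-Host -ForegroundColor Red "`n ========== `n NEXT USER `n ========== `n"
}

# List everything that still needs a human before announcing completion.
if ($accounts_needing_review.Count -gt 0) {
    Write-Host -ForegroundColor Red "Accounts needing manual review:`n$($accounts_needing_review -join "`n")`n"
}
Write-Host -ForegroundColor Green "************************`nScript Completed`nPlease refer to ITGlue Offboarding documentation for any further steps.`n************************"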