Azure_Offboarding_script
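#Script was generated by ChatGPT and then modified (heavily at this point)
#This was made primarily for a specific environment but can be used with any o365 tenant.
#Just make sure to tweak some stuff like the "X-" in display names. Those lines can be commented out if desired.
#
# What this script does per user (interactive, one UPN at a time, see the prompts below):
#   block sign-in + revoke refresh tokens, hide from the GAL, convert the mailbox to shared,
#   prefix the display name with "X-", remove group memberships, list the user's registered devices.
# NOTE(review): this targets the AzureAD / MSOnline modules, which are deprecated - confirm they
# still work against your tenant (or port to Microsoft Graph) before relying on it.

# Cmdlet errors are non-terminating by default, which means a failed Set-* call would print an
# error and the script would carry on with a half-offboarded account. Make them terminating so a
# failed step aborts the current user and is reported, and so the catch blocks below actually fire.
$ErrorActionPreference = 'Stop'

# Connect to Azure AD\Exchange\MSOnline modules
if((Read-Host -Prompt "Do you need to connect to AzureAD and or ExchangeOnline Modules? (yes/no)") -eq 'yes')
{
    Connect-MsolService | Out-Null
    Connect-AzureAD | Out-Null
    Connect-ExchangeOnline | Out-Null
}
#Need to add "-Remove All licensing" once I get that working
Write-Host -ForegroundColor Yellow "This script will perform the following actions on a users o365 account:`n
-Block sign-in's
-Hide user from the global address list (GAL)
-Convert the mailbox into a shared mailbox
-Place an X in front of the display name
-Remove from all groups `n"
DO{#Using a do-while for multiple offboardings, will be prompted if there are more users in the "While" part down below
    # Get the user. An empty or unknown UPN must not reach the Set-* cmdlets below with $null,
    # so resolve it first and skip to the "another user?" prompt if nothing comes back.
    $upn = (Read-Host -Prompt "Please enter the users UPN").Trim()
    $user = $null
    if ($upn)
    {
        try
        {
            $user = Get-AzureADUser -ObjectId $upn
        }
        catch
        {
            Write-Host -ForegroundColor Red "*** Could not look up '$upn': $($_.Exception.Message)"
        }
    }
    if (-not $user)
    {
        Write-Host -ForegroundColor Red "*** No user found for '$upn', nothing was changed."
        continue   # in a do/while this jumps to the While condition
    }
    #Check if user is already offboarded (this is specific to SSG)
    # Anchored to the start of the name: "*X-*" also matched names that merely contain "X-" somewhere.
    if($user.DisplayName -like "X-*"){
        Write-Host -ForegroundColor Red "*** User is already offboarded per display name: $($user.DisplayName)"
        if ((Read-Host -Prompt "Would you like to continue with the offboarding script? (yes/no)") -eq 'no') {
            Write-Host -ForegroundColor Green "`n***** Exiting Script *****`n"
            exit
        }
    }
    # Last chance to back out before anything is changed. The "Offboarding Canceled" branch
    # below had no matching if in the original, so this prompt is what it now belongs to.
    if ((Read-Host -Prompt "Proceed with offboarding $($user.UserPrincipalName)? (yes/no)") -eq 'yes')
    {
        $newDisplayName = "X-" + $user.DisplayName
        try
        {
            Write-Host -ForegroundColor Yellow "`nBeginning offboarding process for: $($user.UserPrincipalName)"
            # Block the user's sign-in and Revoke all Azure tokens. Revoking refresh tokens does not
            # invalidate access tokens that were already issued; those remain usable until they expire.
            Set-AzureADUser -ObjectID $user.UserPrincipalName -AccountEnabled $false
            Revoke-AzureADUserAllRefreshToken -ObjectId $user.UserPrincipalName
            Write-Host -ForegroundColor Cyan "Sign-in's are blocked."
            # Hide the user from the global address list in Exchange
            Set-Mailbox -Identity $user.UserPrincipalName -HiddenFromAddressListsEnabled $true
            Write-Host -ForegroundColor Cyan "User has been hidden from the global address list."
            # Convert the mailbox to a shared mailbox
            Set-Mailbox -Identity $user.UserPrincipalName -Type Shared
            Write-Host -ForegroundColor Cyan "Mailbox has been converted to a shared mailbox."
            # Update the user's display name to contain the "X" in front
            Set-AzureADUser -ObjectId $user.ObjectId -DisplayName $newDisplayName
            Write-Host -ForegroundColor Cyan "Display Name Updated with 'X' in front.`n"
            # Wait before moving on. Some groups are controlled by GAL visibility and need a moment
            # to re-evaluate (the original waited 5s twice; kept as one 10s pause).
            Start-Sleep -Seconds 10
            # Remove the user from all groups and print the group names.
            # NOTE(review): the membership list can presumably include objects that are not groups
            # (e.g. directory roles); those fail in Remove-AzureADGroupMember and land in the catch.
            $groups = Get-AzureADUserMembership -ObjectId $user.UserPrincipalName
            Write-Host -ForegroundColor Yellow "Removed from groups:"
            foreach ($group in $groups)
            {
                try
                {
                    # -ErrorAction Stop is what makes the catch reachable: without it a failed removal
                    # is non-terminating and the group would still be printed as removed.
                    Remove-AzureADGroupMember -ObjectId $group.ObjectId -MemberId $user.ObjectId -ErrorAction Stop
                    Write-Host -ForegroundColor Cyan "$($group.DisplayName)"
                }
                catch #Some DL groups are controlled by GAL visibility and cannot be removed this way ¯\_(ツ)_/¯ at least for SSG
                {
                    Write-Host -ForegroundColor Red "Unable to remove group: $($group.DisplayName) `nThis is likely a dynamically assigned group."
                }
            }
            Write-Host -ForegroundColor Yellow "`nDevices associated to user per intune:"
            Get-MsolDevice -RegisteredOwnerUpn $user.UserPrincipalName | Format-List DisplayName,DeviceOsType,DeviceTrustLevel,DeviceTrustType,Enabled,ApproximateLastLogonTimestamp
            # $user still holds the pre-change object, so report the name we actually set.
            Write-Host -ForegroundColor Yellow "Process completed for: $newDisplayName || $($user.UserPrincipalName)"
        }
        catch
        {
            # A step failed part-way: say so loudly so the account is reviewed by hand rather than
            # assumed to be fully offboarded.
            Write-Host -ForegroundColor Red "*** Offboarding of $($user.UserPrincipalName) stopped at a failed step: $($_.Exception.Message)`nReview this account manually before moving on."
        }
    }
    else
    {
        Write-Host -ForegroundColor Red "************`nOffboarding Canceled`n************"
    }
}While ((Read-Host -Prompt "`n`nIs there another user you would like to offboard?. (yes/no)") -eq 'yes')
Write-Host -ForegroundColor Green "************************`nScript Completed`nPlease refer to ITGlue Offboarding documentation for any further steps.`n************************"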