One of the many tasks that usually gets assigned to the IT department is part of the offboarding process for exiting employees. For Office 365 organizations this can be accomplished easily with some PowerShell scripting. Since this is a multi-step process, let's break it down into simple steps. Let's first connect to all the required services; in this example those services will be:
– Sharepoint
– Exchange
– AzureAD
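# Collect the admin credential once and reuse it for every service below
# (the original mixed $usercredential and an undefined $cred).
$cred = Get-Credential

# Exchange Online remote PowerShell.
# NOTE(review): Basic authentication against the legacy remote-PowerShell
# endpoint has been retired by Microsoft; the supported replacement is
# Connect-ExchangeOnline from the ExchangeOnlineManagement module.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
  -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
  -Credential $cred -Authentication Basic -AllowRedirection -ErrorAction Stop
Import-PSSession $Session

# SharePoint Online admin center (replace <SP Admin Center> with the tenant's admin host).
Connect-SPOService -Url 'https://<SP Admin Center>.sharepoint.com' -Credential $cred
Connect-AzureAD -Credential $cred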
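# Initializing variables. $Username (UPN / primary SMTP address of the leaver)
# must be set before this point; fail fast instead of acting on $null.
if ([string]::IsNullOrWhiteSpace($Username)) {
  throw 'Username must be set to the UPN of the account being offboarded.'
}
$User = Get-AzureADUser -ObjectId $Username -ErrorAction Stop
# Resolve the mailbox directly rather than enumerating every mailbox in the tenant.
$Mailbox = Get-Mailbox -Identity $Username -ErrorAction Stop
$Manager = Get-AzureADUserManager -ObjectId $User.ObjectId
# Mail forwarding, group hand-over and OneDrive access all go to the manager,
# so a missing manager must stop the run rather than silently forward to nobody.
if (-not $Manager) {
  throw "No manager is assigned to $Username; assign one before offboarding."
}
$OutOfOfficeBody = @"
Hello
Please note I no longer work for The Code Asylum.
Please contact $($Manager.DisplayName)
$($Manager.UserPrincipalName)
for any questions.
Thanks!
"@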
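# Set sign-in blocked first; if this fails nothing below should run.
Set-AzureADUser -ObjectId $User.ObjectId -AccountEnabled $false -ErrorAction Stop
# Disconnect existing sessions. This revokes refresh tokens; access tokens
# already issued may remain usable until they expire, so expect a short tail.
Revoke-SPOUserSession -User $Username -Confirm:$false
Revoke-AzureADUserAllRefreshToken -ObjectId $User.ObjectId
# Forward e-mails to the manager and hide the mailbox from address lists.
# A null manager would make -ForwardingAddress $null silently clear forwarding.
if (-not $Manager) {
  throw "No manager resolved for $Username; cannot forward mail."
}
Set-Mailbox -Identity $Mailbox.Alias -ForwardingAddress $Manager.UserPrincipalName `
  -DeliverToMailboxAndForward $false -HiddenFromAddressListsEnabled $true
# Set Out Of Office for internal and external senders.
Set-MailboxAutoReplyConfiguration -Identity $Mailbox.Alias -ExternalMessage $OutOfOfficeBody `
  -InternalMessage $OutOfOfficeBody -AutoReplyState Enabled
# Cancel meetings organized by this user.
Remove-CalendarEvents -Identity $Mailbox.Alias -CancelOrganizedMeetings -Confirm:$false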
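# Remove from distribution groups. -ResultSize Unlimited: the default page size
# would silently skip groups/members beyond the first 1000.
$DistributionGroups = Get-DistributionGroup -ResultSize Unlimited |
  Where-Object {
    (Get-DistributionGroupMember -Identity $_.Identity -ResultSize Unlimited |
      ForEach-Object { $_.PrimarySmtpAddress }) -contains "$Username"
  }
foreach ($dg in $DistributionGroups) {
  # Address the group by Identity rather than Name, which is not guaranteed unique.
  Remove-DistributionGroupMember -Identity $dg.Identity -Member $Username -Confirm:$false
}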
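# Re-assign Office 365 group ownership. Match on PrimarySmtpAddress: the Name
# of a group link is a display-style name and need not equal the mailbox alias.
$Office365GroupsOwner = Get-UnifiedGroup -ResultSize Unlimited |
  Where-Object {
    (Get-UnifiedGroupLinks -Identity $_.Alias -LinkType Owners -ResultSize Unlimited |
      ForEach-Object { "$($_.PrimarySmtpAddress)" }) -contains "$($Mailbox.PrimarySmtpAddress)"
  }
$NewManagerGroups = @()
foreach ($GRP in $Office365GroupsOwner) {
  # @() so a single-object result still reports .Count of 1.
  $Owners = @(Get-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Owners -ResultSize Unlimited)
  if ($Owners.Count -le 1) {
    # Our user is the only owner: hand the group to the manager before removing
    # the leaver (an owner must also be a member, hence the two Add calls).
    Add-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -Links $Manager.UserPrincipalName
    Add-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Owners -Links $Manager.UserPrincipalName
    $NewManagerGroups += $GRP
    Remove-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Owners -Links $Username -Confirm:$false
    Remove-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -Links $Username -Confirm:$false
  }
  else {
    # There are other owners; just drop this one.
    Remove-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Owners -Links $Username -Confirm:$false
  }
}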
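# Remove from Office 365 groups. Match on PrimarySmtpAddress: the Name of a
# group link is a display-style name and need not equal the mailbox alias.
$Office365GroupsMember = Get-UnifiedGroup -ResultSize Unlimited |
  Where-Object {
    (Get-UnifiedGroupLinks -Identity $_.Alias -LinkType Members -ResultSize Unlimited |
      ForEach-Object { "$($_.PrimarySmtpAddress)" }) -contains "$($Mailbox.PrimarySmtpAddress)"
  }
$NewMemberGroups = @()
foreach ($GRP in $Office365GroupsMember) {
  # @() so a single-object result still reports .Count of 1.
  $Members = @(Get-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -ResultSize Unlimited)
  if ($Members.Count -le 1) {
    # Our user is the only member: add the manager so the group is not left
    # empty, and record it for the hand-over e-mail.
    Add-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -Links $Manager.UserPrincipalName
    $NewMemberGroups += $GRP
    Remove-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -Links $Username -Confirm:$false
  }
  else {
    # There are other members; just drop this one.
    Remove-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -Links $Username -Confirm:$false
  }
}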
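# Send OneDrive for Business information to the manager: grant the manager
# site collection admin on the leaver's OneDrive so the data can be recovered.
# NOTE(review): Get-PnPUserProfileProperty requires a PnP connection
# (Connect-PnPOnline) that nothing in this script opens; confirm it is
# established before this point.
$OneDriveUrl = Get-PnPUserProfileProperty -Account $Username -ErrorAction Stop |
  Select-Object PersonalUrl
if ([string]::IsNullOrWhiteSpace($OneDriveUrl.PersonalUrl)) {
  throw "No OneDrive site found for $Username."
}
# -LoginName named explicitly: the original passed the UPN positionally.
Set-SPOUser -Site $OneDriveUrl.PersonalUrl -LoginName $Manager.UserPrincipalName -IsSiteCollectionAdmin:$true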
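# Send final e-mail to the manager.
# Build HTML fragments. Directory data (group addresses, display names, UPNs)
# is HTML-encoded before being interpolated into the message body.
# NOTE(review): the original list markup was lost in the page rendering; the
# <p>/<ul>/<li> tags below are a reconstruction of the intended layout.

# Returns a heading plus a bulleted list of the items' PrimarySmtpAddress,
# or an empty string when there are no items.
function New-HtmlListSection {
  param(
    [string]$Heading,
    [object[]]$Items
  )
  if (-not $Items) { return '' }
  $html = "<p>$([System.Net.WebUtility]::HtmlEncode($Heading))</p><ul>"
  foreach ($item in $Items) {
    $html += "<li>$([System.Net.WebUtility]::HtmlEncode("$($item.PrimarySmtpAddress)"))</li>"
  }
  return $html + '</ul>'
}

$DGHTML = New-HtmlListSection -Items $DistributionGroups `
  -Heading 'The user has been removed from the following distribution lists'
$O365OwnerHTML = New-HtmlListSection -Items $Office365GroupsOwner `
  -Heading 'The user was an owner, and was removed from the following groups'
$O365MemberHTML = New-HtmlListSection -Items $Office365GroupsMember `
  -Heading 'The user was a member, and was removed from the following groups'
$NewOwnerAlertHTML = New-HtmlListSection -Items $NewManagerGroups `
  -Heading '*Attention Required* The user was the only owner of the following groups. Please verify if there is any content in those groups that is still needed, otherwise, archive the groups as per normal procedure'
$NewMemberAlertHTML = New-HtmlListSection -Items $NewMemberGroups `
  -Heading '*Attention Required* The user was the only member of the following groups. Please verify if there is any content in those groups that is still needed, otherwise, contact the owner of the groups to be removed, or to archive the group'

$ManagerName = [System.Net.WebUtility]::HtmlEncode("$($Manager.DisplayName)")
$UserUpn = [System.Net.WebUtility]::HtmlEncode("$($User.UserPrincipalName)")
$OneDriveLink = [System.Net.WebUtility]::HtmlEncode("$($OneDriveUrl.PersonalUrl)")

$Subject = "User Offboarding Complete: $($User.UserPrincipalName)"
$ManagerEmailBody = @"
<p>Hello $ManagerName</p>
<p>This is an automated e-mail from IT to let you know that the account $UserUpn has been de-activated as per normal standard procedure.</p>
<p>All e-mails have been forwarded to you!</p>
$DGHTML
$O365OwnerHTML
$O365MemberHTML
$NewOwnerAlertHTML
$NewMemberAlertHTML
<p>You have also been assigned ownership of the OneDrive for Business of the account. Please navigate to the following URL : $OneDriveLink and save any important data within 30 days.</p>
<p>If you have any questions, please contact the IT Department.</p>
<p>Thank you!</p>
"@

# Sender address kept from the original; move to configuration if reused.
$FromAddress = 'j.holder@thecodeasylum.com'
# NOTE(review): Send-MailMessage is documented by Microsoft as obsolete and does
# not guarantee a secure connection; a Graph-based send is the supported path.
Send-MailMessage -To $Manager.UserPrincipalName -From $FromAddress -Subject $Subject `
  -Body $ManagerEmailBody -BodyAsHtml -SmtpServer 'smtp.office365.com' -UseSsl -Port 587 `
  -Credential $cred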