One of the many tasks that usually gets assigned to the IT department is part of the offboarding process for exiting employees. For Office 365 organizations this can be accomplished easily with some PowerShell scripting. Since this is a multi-step process, let's break it down into simple steps. Let's first connect to all the required services; in this example those services will be:
– SharePoint
– Exchange
– AzureAD
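<#
.SYNOPSIS
    Offboards an Office 365 user: blocks sign-in, revokes sessions, forwards and
    hides the mailbox, cancels meetings, removes group memberships, reassigns
    Office 365 group ownership to the manager and grants the manager access to
    the user's OneDrive.

.DESCRIPTION
    Reconstructed from a listing whose line breaks and HTML markup were lost on
    the page; the list markup in the summary section is rendered as plain
    "- " lines for that reason. Every step is a privilege or data-access change,
    so the run is recorded with Start-Transcript and the script stops on the
    first error instead of continuing with half-applied state.

.PARAMETER Username
    User principal name (SMTP address) of the user being offboarded.
    The original post used John.David@thecodeasylum.com as its example.

.PARAMETER SharePointAdminUrl
    SharePoint Online admin center URL (the original shows the placeholder
    https://<SP Admin Center>.sharepoint.com).

.PARAMETER CompanyName
    Company name used in the out-of-office text.

.NOTES
    Requires the Exchange Online remoting cmdlets, Microsoft.Online.SharePoint.PowerShell,
    AzureAD and PnP.PowerShell modules. Get-PnPUserProfileProperty needs a
    Connect-PnPOnline session, which this listing never establishes; add one
    before running the OneDrive step.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[^@\s]+@[^@\s]+$')]
    [string]$Username,

    [Parameter(Mandatory = $true)]
    [string]$SharePointAdminUrl,

    [string]$CompanyName = 'The Code Asylum'
)

# Stop on the first failed cmdlet: continuing after e.g. a failed sign-in block
# would still forward mail and hand out OneDrive access.
$ErrorActionPreference = 'Stop'

# Audit trail of everything this run changed (who was removed from what, who
# was granted access). Keep the log with the offboarding ticket.
$TranscriptPath = Join-Path $env:TEMP ("offboard-{0}-{1}.log" -f $Username, (Get-Date -Format 'yyyyMMdd-HHmmss'))
Start-Transcript -Path $TranscriptPath | Out-Null

#Connect to all services with one credential prompt.
# The original assigned $usercredential but then passed the never-set $cred to
# SharePoint and AzureAD; one variable is used throughout now.
$UserCredential = Get-Credential

#Connect to Exchange Online using your Office 365 administrative credentials
# NOTE(review): Basic authentication against outlook.office365.com is retired
# for Exchange Online; this session should be replaced by Connect-ExchangeOnline
# (ExchangeOnlineManagement module), which uses modern authentication and MFA.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session | Out-Null

#Connect to SharePoint Online (original had a typo: "Connect SPOService")
Connect-SPOService -Url $SharePointAdminUrl -Credential $UserCredential

#Connect to AzureAD
Connect-AzureAD -Credential $UserCredential | Out-Null

#Initializing Variables
$User = Get-AzureADUser -ObjectId $Username
if (-not $User) {
    throw "User '$Username' was not found in Azure AD."
}
# Direct lookup instead of enumerating every mailbox in the tenant.
$Mailbox = Get-Mailbox -Identity $Username
$UserSmtp = $Mailbox.PrimarySmtpAddress.ToString()
$Manager = Get-AzureADUserManager -ObjectId $User.ObjectId
# Without a manager the forwarding address, the out-of-office contact and the
# ownership reassignment below would all be empty; refuse rather than guess.
if (-not $Manager) {
    throw "No manager is set for '$Username'; set one before offboarding so mail and group ownership can be reassigned."
}

$OutOfOfficeBody = @"
Hello

Please Note I am no longer work for $CompanyName anymore.
Please contact $($Manager.DisplayName) $($Manager.UserPrincipalName) for any questions.

Thanks!
"@

#Set Sign in Blocked -- done first so no later step races an active login
Set-AzureADUser -ObjectId $User.ObjectId -AccountEnabled $false

#Disconnect Existing Sessions (blocking sign-in alone leaves issued tokens valid)
Revoke-SPOUserSession -User $Username -Confirm:$false
Revoke-AzureADUserAllRefreshToken -ObjectId $User.ObjectId

#Forward e-mails to manager and hide the mailbox from address lists
Set-Mailbox -Identity $UserSmtp `
    -ForwardingAddress $Manager.UserPrincipalName `
    -DeliverToMailboxAndForward $false `
    -HiddenFromAddressListsEnabled $true

#Set Out Of Office
Set-MailboxAutoReplyConfiguration -Identity $UserSmtp `
    -ExternalMessage $OutOfOfficeBody -InternalMessage $OutOfOfficeBody `
    -AutoReplyState Enabled

#Cancel meetings organized by this user
Remove-CalendarEvents -Identity $UserSmtp -CancelOrganizedMeetings -Confirm:$false

#Remove From Distribution Groups
# -ResultSize Unlimited: the default page of 1000 would silently skip groups
# in larger tenants, leaving memberships behind.
$DistributionGroups = Get-DistributionGroup -ResultSize Unlimited | Where-Object {
    (Get-DistributionGroupMember -Identity $_.Identity -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress }) -contains $Username
}
foreach ($dg in $DistributionGroups) {
    Remove-DistributionGroupMember -Identity $dg.Identity -Member $Username -Confirm:$false
}

#Re-Assign Office 365 Group Ownership
# Links are matched on PrimarySmtpAddress, as the distribution-group step above
# does; the original compared the link Name against the mailbox Alias, which
# only works when the two happen to coincide.
$Office365GroupsOwner = Get-UnifiedGroup -ResultSize Unlimited | Where-Object {
    (Get-UnifiedGroupLinks -Identity $_.Identity -LinkType Owners |
        ForEach-Object { $_.PrimarySmtpAddress }) -contains $UserSmtp
}
$NewManagerGroups = @()
foreach ($GRP in $Office365GroupsOwner) {
    $Owners = @(Get-UnifiedGroupLinks -Identity $GRP.Identity -LinkType Owners)
    if ($Owners.Count -le 1) {
        #Our user is the only owner: an owner must also be a member, so the
        #manager is added as member first, then as owner, before the user goes.
        Add-UnifiedGroupLinks -Identity $GRP.Identity -LinkType Members -Links $Manager.UserPrincipalName
        Add-UnifiedGroupLinks -Identity $GRP.Identity -LinkType Owners -Links $Manager.UserPrincipalName
        $NewManagerGroups += $GRP
        Remove-UnifiedGroupLinks -Identity $GRP.Identity -LinkType Owners -Links $Username -Confirm:$false
        Remove-UnifiedGroupLinks -Identity $GRP.Identity -LinkType Members -Links $Username -Confirm:$false
    }
    else {
        #There Are Other Owners: drop ownership only; membership is handled below
        Remove-UnifiedGroupLinks -Identity $GRP.Identity -LinkType Owners -Links $Username -Confirm:$false
    }
}

#Remove from Office 365 Groups
$Office365GroupsMember = Get-UnifiedGroup -ResultSize Unlimited | Where-Object {
    (Get-UnifiedGroupLinks -Identity $_.Identity -LinkType Members |
        ForEach-Object { $_.PrimarySmtpAddress }) -contains $UserSmtp
}
$NewMemberGroups = @()
foreach ($GRP in $Office365GroupsMember) {
    $Members = @(Get-UnifiedGroupLinks -Identity $GRP.Identity -LinkType Members)
    if ($Members.Count -le 1) {
        #Our user is the only Member: hand the group to the manager instead of
        #leaving it empty
        Add-UnifiedGroupLinks -Identity $GRP.Identity -LinkType Members -Links $Manager.UserPrincipalName
        $NewMemberGroups += $GRP
        Remove-UnifiedGroupLinks -Identity $GRP.Identity -LinkType Members -Links $Username -Confirm:$false
    }
    else {
        #There Are Other Members
        Remove-UnifiedGroupLinks -Identity $GRP.Identity -LinkType Members -Links $Username -Confirm:$false
    }
}

#Give the manager access to the user's OneDrive for Business
# This grants a second person full (site collection admin) access to the user's
# personal files; it is recorded in the transcript and reported below.
# NOTE(review): Get-PnPUserProfileProperty needs Connect-PnPOnline, which is
# not part of this listing.
$OneDriveUrl = (Get-PnPUserProfileProperty -Account $Username).PersonalUrl
if ($OneDriveUrl) {
    Set-SPOUser -Site $OneDriveUrl -LoginName $Manager.UserPrincipalName -IsSiteCollectionAdmin:$true
}

#Send Final E-mail to Manager
#Build the summary lists. The original built HTML here, but the markup did not
#survive the page; each list is rendered as one "- address" line per group.
function Format-GroupList {
    <#
    .SYNOPSIS
        Returns $Heading followed by one "- <PrimarySmtpAddress>" line per group,
        or an empty string when $Groups is empty.
    #>
    param(
        [string]$Heading,
        [object[]]$Groups
    )
    if (-not $Groups -or $Groups.Count -eq 0) {
        return ''
    }
    $lines = @($Heading) + ($Groups | ForEach-Object { "- $($_.PrimarySmtpAddress)" })
    return ($lines -join "`n") + "`n"
}

$DGHTML = Format-GroupList -Heading 'The user has been removed from the following distribution lists' -Groups $DistributionGroups
# Headings for the next four lists are not present in the source listing; these
# state what each variable collects.
$O365OwnerHTML = Format-GroupList -Heading 'Ownership removed from the following Office 365 groups' -Groups $Office365GroupsOwner
$O365MemberHTML = Format-GroupList -Heading 'Membership removed from the following Office 365 groups' -Groups $Office365GroupsMember
$NewOwnerAlertHTML = Format-GroupList -Heading 'You are now the owner of the following Office 365 groups' -Groups $NewManagerGroups
$NewMemberAlertHTML = Format-GroupList -Heading 'You are now a member of the following Office 365 groups' -Groups $NewMemberGroups
$Summary = $DGHTML + $O365OwnerHTML + $O365MemberHTML + $NewOwnerAlertHTML + $NewMemberAlertHTML

# NOTE: the source listing ends here. The step that delivers $Summary to
# $Manager.UserPrincipalName is not shown on the page.

Remove-PSSession $Session
Stop-Transcript | Out-Null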