One of the many tasks that usually gets assigned to the IT department is part of the Offboarding process for exiting employees. For Office 365 organizations this can be easily accomplished with some PowerShell scripting. Since this is a multi-step process, let's break it down into simple steps. Let's first connect to all the required services; in this example those services will be:
– Sharepoint
– Exchange
– AzureAD
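# Connect to Exchange Online using your Office 365 administrative credentials.
# A single PSCredential is reused for every service below. The original script
# stored it in $usercredential but every later call referenced $cred, which was
# never assigned; one name is used throughout now.
$cred = Get-Credential

# NOTE(review): this is the legacy Remote PowerShell endpoint with Basic
# authentication, which Microsoft has retired for Exchange Online. Where the
# ExchangeOnlineManagement module is available, Connect-ExchangeOnline -Credential $cred
# replaces the three lines below.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Connect to SharePoint Online. Replace <SP Admin Center> with your tenant's
# admin-center host name. (The original read "Connect SPOService", missing the hyphen.)
Connect-SPOService -Url https://<SP Admin Center>.sharepoint.com -Credential $cred

# The offboarding steps call Get-PnPUserProfileProperty, which needs an open
# PnP session; the original script never opened one. Parameter spelling
# (-Credentials vs -Credential) depends on the PnP module version in use — verify.
Connect-PnPOnline -Url https://<SP Admin Center>.sharepoint.com -Credentials $cred

# Connect to Azure AD with the same credential.
Connect-AzureAD -Credential $cred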
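# Set the user variable with the user that is to be offboarded.
$Username = "John.David@thecodeasylum.com"
# Sender of the final notification; previously hard-coded in the Send-MailMessage call.
$NotificationFrom = "j.holder@thecodeasylum.com"

# Initializing variables. Any failure here aborts the run: blocking sign-in or
# forwarding mail for the wrong (or a null) account is worse than stopping early.
$User = Get-AzureADUser -ObjectId $Username -ErrorAction Stop
# The original "Get-Mailbox | Where PrimarySmtpAddress -eq" only scans the first
# 1000 mailboxes (the default ResultSize) and silently returns nothing in larger tenants.
$Mailbox = Get-Mailbox -Identity $Username -ErrorAction Stop
$Manager = Get-AzureADUserManager -ObjectId $User.ObjectId
if (-not $Manager) {
    throw "No manager is set for $Username; mail forwarding, group hand-over and the final e-mail all need one."
}

$OutOfOfficeBody = @"
Hello
Please Note I am no longer work for The Code Asylum anymore. Please contact $($Manager.DisplayName)
for any questions.
Thanks!
"@

# Set sign-in blocked.
Set-AzureADUser -ObjectId $User.ObjectId -AccountEnabled $false

# Disconnect existing sessions (SharePoint sessions and all Azure AD refresh tokens).
Revoke-SPOUserSession -User $Username -Confirm:$false
Revoke-AzureADUserAllRefreshToken -ObjectId $User.ObjectId

# Forward e-mails to the manager and hide the mailbox from the address lists.
Set-Mailbox -Identity $Mailbox.Alias -ForwardingAddress $Manager.UserPrincipalName `
    -DeliverToMailboxAndForward $false -HiddenFromAddressListsEnabled $true

# Set Out Of Office.
Set-MailboxAutoReplyConfiguration -Identity $Mailbox.Alias -ExternalMessage $OutOfOfficeBody `
    -InternalMessage $OutOfOfficeBody -AutoReplyState Enabled

# Cancel meetings organized by this user.
Remove-CalendarEvents -Identity $Mailbox.Alias -CancelOrganizedMeetings -Confirm:$false

# Remove from distribution groups.
# -ResultSize Unlimited: the default caps at 1000 groups / members and would
# silently miss memberships in larger tenants.
$DistributionGroups = Get-DistributionGroup -ResultSize Unlimited | Where-Object {
    (Get-DistributionGroupMember -Identity $_.Identity -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress }) -contains $Username
}
foreach ($dg in $DistributionGroups) {
    Remove-DistributionGroupMember -Identity $dg.Identity -Member $Username -Confirm:$false
}

# Re-assign Office 365 group ownership.
# Membership is matched on PrimarySmtpAddress against $Username; the original
# compared the link's Name with the mailbox Alias, which only matches when the
# two happen to coincide.
$Office365GroupsOwner = Get-UnifiedGroup -ResultSize Unlimited | Where-Object {
    (Get-UnifiedGroupLinks -Identity $_.Alias -LinkType Owners -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress }) -contains $Username
}
$NewManagerGroups = @()
foreach ($GRP in $Office365GroupsOwner) {
    # @() so that a single owner (a scalar, not an array) still has a Count.
    $Owners = @(Get-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Owners -ResultSize Unlimited)
    if ($Owners.Count -le 1) {
        # Our user is the only owner: add the manager first (a group cannot lose
        # its last owner), then remove the user as owner and member.
        Add-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -Links $Manager.UserPrincipalName
        Add-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Owners -Links $Manager.UserPrincipalName
        $NewManagerGroups += $GRP
        Remove-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Owners -Links $Username -Confirm:$false
        Remove-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -Links $Username -Confirm:$false
    } else {
        # There are other owners: drop only the ownership link; the member link
        # is handled by the membership pass below.
        Remove-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Owners -Links $Username -Confirm:$false
    }
}

# Remove from Office 365 groups. Evaluated after the ownership pass so that
# groups the user was already fully removed from above do not reappear here.
$Office365GroupsMember = Get-UnifiedGroup -ResultSize Unlimited | Where-Object {
    (Get-UnifiedGroupLinks -Identity $_.Alias -LinkType Members -ResultSize Unlimited |
        ForEach-Object { $_.PrimarySmtpAddress }) -contains $Username
}
$NewMemberGroups = @()
foreach ($GRP in $Office365GroupsMember) {
    $Members = @(Get-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -ResultSize Unlimited)
    if ($Members.Count -le 1) {
        # Our user is the only member: hand the membership to the manager.
        Add-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -Links $Manager.UserPrincipalName
        $NewMemberGroups += $GRP
        Remove-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -Links $Username -Confirm:$false
    } else {
        # There are other members.
        Remove-UnifiedGroupLinks -Identity $GRP.Alias -LinkType Members -Links $Username -Confirm:$false
    }
}

# Grant the manager site-collection admin on the user's OneDrive for Business.
# Get-PnPUserProfileProperty requires an open PnP session (Connect-PnPOnline).
$OneDriveUrl = Get-PnPUserProfileProperty -Account $Username | Select-Object PersonalUrl
if ($OneDriveUrl.PersonalUrl) {
    # -LoginName named explicitly: the original passed the UPN positionally.
    Set-SPOUser -Site $OneDriveUrl.PersonalUrl -LoginName $Manager.UserPrincipalName -IsSiteCollectionAdmin:$true
} else {
    Write-Warning "No OneDrive URL found for $Username; skipping OneDrive hand-over."
}

# Build one HTML section (heading + <ul> of addresses) for the manager e-mail.
# Returns '' when there is nothing to list so the body can splice it in unconditionally.
# The original built five near-identical sections inline; the markup itself was
# lost in extraction and is reconstructed here as a bulleted list.
function ConvertTo-HtmlSection {
    param(
        [string]$Title,
        [object[]]$Items
    )
    if (-not $Items) { return '' }
    $lines = foreach ($item in $Items) {
        # Directory values are HTML-encoded because the message is sent -BodyAsHtml.
        "  <li>$([System.Net.WebUtility]::HtmlEncode([string]$item.PrimarySmtpAddress))</li>"
    }
    return "<p>$([System.Net.WebUtility]::HtmlEncode($Title))</p>`n<ul>`n$($lines -join "`n")`n</ul>`n"
}

# Send final e-mail to manager.
$DGHTML             = ConvertTo-HtmlSection -Title "The user has been removed from the following distribution lists" -Items $DistributionGroups
$O365OwnerHTML      = ConvertTo-HtmlSection -Title "The user was an owner, and was removed from the following groups" -Items $Office365GroupsOwner
$O365MemberHTML     = ConvertTo-HtmlSection -Title "The user was a member, and was removed from the following groups" -Items $Office365GroupsMember
$NewOwnerAlertHTML  = ConvertTo-HtmlSection -Title "*Attention Required* The user was the only owner of the following groups. Please verify if there is any content in those groups that is still needed, otherwise, archive the groups as per normal procedure" -Items $NewManagerGroups
$NewMemberAlertHTML = ConvertTo-HtmlSection -Title "*Attention Required* The user was the only member of the following groups. Please verify if there is any content in those groups that is still needed, otherwise, contact the owner of the groups to be removed, or to archive the group" -Items $NewMemberGroups

$ManagerName = [System.Net.WebUtility]::HtmlEncode($Manager.DisplayName)
$Subject = "User Offboarding Complete: $($User.UserPrincipalName)"
$ManagerEmailBody = @"
<p>Hello $ManagerName</p>
<p>This is an automated e-mail from IT to let you know that the account $($User.UserPrincipalName) has been de-activated as per normal standard procedure.</p>
<p>All e-mails have been forwarded to you!</p>
$DGHTML
$O365OwnerHTML
$O365MemberHTML
$NewOwnerAlertHTML
$NewMemberAlertHTML
<p>You have also been assigned ownership of the OneDrive for Business of the account. Please navigate to the following URL : $($OneDriveUrl.PersonalUrl) and save any important data within 30 days.</p>
<p>If you have any questions, please contact the IT Department.</p>
<p>Thank you!</p>
"@

# NOTE(review): Send-MailMessage is marked obsolete by Microsoft; it still works
# against smtp.office365.com with STARTTLS on 587, but consider Graph mail APIs.
Send-MailMessage -To $Manager.UserPrincipalName -From $NotificationFrom -Subject $Subject `
    -Body $ManagerEmailBody -BodyAsHtml -SmtpServer smtp.office365.com -UseSsl `
    -Credential $cred -Port 587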