Powershell to disable Office 365 user who leaves
Office 365 (Powershell) Thursday, 18 July 2019 by paul

The script below can be run against an Office 365 synced user to disable their access immediately, before AD Connect removes them once their on-prem AD account is disabled.

# Disable Leaver
# Takes the leaver's email address: pass it as -user1, or type it at the
# prompt that appears when the argument is omitted.

param (
    [string]
    $user1 = (Read-Host "Input user email address")
)

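# Resolve the leaver's on-prem AD account from the supplied email address.
# Every later on-prem step acts on whatever this lookup returns, so the script
# only continues when exactly one account matches.
Write-host "Looking up user "$user1" in AD..."
# Errors from the query are suppressed, so a lookup that fails outright is
# reported below the same way as a user that does not exist.
$user = Get-ADUser -Filter {EmailAddress -eq $user1} -ErrorAction SilentlyContinue -property mail,enabled
if($Null -eq $user) {
	Write-host "User $user1 not found. Aborting script." -foregroundcolor red
	Exit
}
if(@($user).Count -gt 1) {
	# Several accounts carry this address: stop rather than guess which one to disable.
	Write-host "User $user1 matches more than one AD account. Aborting script." -foregroundcolor red
	@($user) | ForEach-Object { Write-host (" - " + $_.DistinguishedName) }
	Exit
}
Write-host "User $user1 found - "$user.DistinguishedName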
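# Disable the on-prem account unless it is already disabled.
If($user.Enabled) {
	Write-host "Disabling AD user $user1."
	# -Identity accepts a distinguished name, GUID, SID or SAM account name.
	# A UPN is not one of those forms, so the DN from the lookup is passed
	# instead (the same value the group-removal step uses).
	Disable-ADAccount -Identity $user.DistinguishedName
}
else {
	Write-host "AD User $user1 already disabled."
}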
# Take the account out of the on-prem group named "Licensing_Office365".
# Errors are suppressed and no confirmation is requested, so a removal that
# fails leaves nothing in the output; verify group membership afterwards.
Write-host "Remove from Office 365 licensing AD group."
$licenceGroupRemoval = @{
	Identity    = "Licensing_Office365"
	Members     = $user.DistinguishedName
	ErrorAction = 'SilentlyContinue'
	Confirm     = $false
}
Remove-ADGroupMember @licenceGroupRemoval

# Probe for an MSOnline session: the script treats a successful Get-MsolDomain
# call as proof that one already exists, and connects otherwise.
# NOTE(review): Microsoft has deprecated the MSOnline module in favour of
# Microsoft Graph PowerShell - confirm it still works in your tenant.
# $? is read on the very next statement, before any other command resets it.
$msolProbe = Get-MsolDomain -ErrorAction SilentlyContinue
if(-not $?)
{
	Write-Host "Not connected to MSOL. Connecting..." -foregroundcolor red
	Connect-MsolService
}
else
{
	Write-Host "Already connected to MSOL" -foregroundcolor green
}

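# Probe for an AzureAD session. Only AadNeedAuthenticationException is handled
# here; any other failure of the probe is not caught by this block.
try 
{ $var = Get-AzureADTenantDetail } 
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
	Write-Host "Not connected to AzureAD. Connecting..." -foregroundcolor red
	# $cred is never assigned in this script. Use it only when the calling
	# session supplied one; otherwise use the interactive sign-in prompt
	# instead of passing an empty credential.
	if($cred) {
		Connect-AzureAD -credential $cred
	}
	else {
		Connect-AzureAD
	}
}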

# Fetch the leaver's mailbox. When Get-Mailbox raises a terminating error the
# script assumes there is no Exchange Online session, opens one and retries.
Write-Host "Getting mailbox for "$user1
try 
{
	$mailbox = Get-Mailbox -identity $user1
} 
catch  {
	Write-Host "Not connected to Exchange Online. Connecting..." -foregroundcolor red
	$LiveCred = Get-Credential
	# NOTE(review): this opens a Basic-authentication remote PowerShell session.
	# Microsoft has since retired Basic authentication for Exchange Online
	# PowerShell, so current tenants are expected to refuse it; the supported
	# route is Connect-ExchangeOnline from the ExchangeOnlineManagement module.
	# Nothing in this script calls Remove-PSSession, so $Session stays open
	# after the run.
	$exoSession = @{
		ConfigurationName = 'Microsoft.Exchange'
		ConnectionUri     = 'https://ps.outlook.com/powershell/'
		Credential        = $LiveCred
		Authentication    = 'Basic'
		AllowRedirection  = $true
	}
	$Session = New-PSSession @exoSession
	Import-PSSession $Session
	$mailbox = Get-Mailbox -identity $user1
}

# Emit the mailbox object that was found; the script does not pause for
# confirmation before changing it.
$mailbox
# Disable mailbox and set litigation hold
Write-Host "Disable mailbox and set litigation hold"
$mailboxLockdown = @{
	Identity              = $user1
	AccountDisabled       = $true
	LitigationHoldEnabled = $true
}
Set-Mailbox @mailboxLockdown

# Set Out of Office
# Internal and external senders receive the same auto-reply text.
$oooMessage = "Out of Office. Please contact manager with any queries."
Write-Host "Setting Out of Office"
Set-MailboxAutoReplyConfiguration -identity $user1 -AutoReplyState Enabled -InternalMessage $oooMessage -ExternalMessage $oooMessage

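# Block access
# Sign-in is blocked before the tokens are revoked, so the leaver cannot sign
# in again and obtain fresh tokens between the two steps.
Write-Host "Blocking Office 365 User"
Set-MsolUser -UserPrincipalName $user1 -BlockCredential $true 

# Revoke tokens
# -ObjectId resolves a single user by object ID or UPN. -SearchString is a
# prefix search that can return more than one user, and every user it returned
# would have had their tokens revoked.
# Revoking refresh tokens does not invalidate access tokens that were already
# issued; those remain usable until they expire.
Write-Host "Revoking AzureAD tokens"
Get-AzureADUser -ObjectId $user1 | Revoke-AzureADUserAllRefreshToken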

# Disable Activesync etc
# Turns off the client-access protocols listed below; any protocol that is not
# named here is left as it was.
Write-Host "Disabling Mailbox features"
$clientAccessOff = @{
	Identity             = $user1
	ActiveSyncEnabled    = $false
	ImapEnabled          = $false
	OWAEnabled           = $false
	MAPIEnabled          = $false
	PopEnabled           = $false
	OWAforDevicesEnabled = $false
}
Set-CasMailbox @clientAccessOff

# Printed unconditionally: no step above is checked for errors before this
# line, so review the output before treating the leaver as fully offboarded.
Write-Host "Successfully completed script." -foregroundcolor green

 

