Powershell to disable Office 365 user who leaves
Office 365 (Powershell) Thursday, 18 July 2019 by paul

The script below can be run against an Office 365 synced user to disable their access immediately, before AD Connect removes them once their on-prem AD account is disabled.

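# Disable Leaver
# Usage: pass the leaver's email address as -user1, or enter it at the prompt.
# The same value is used later as the Office 365 UserPrincipalName, so the
# script assumes the user's email address and UPN are identical.

param (
    [string]$user1 = $( Read-Host "Input user email address" )
)

# Nothing to look up without an address; stop before touching any account.
if ([string]::IsNullOrWhiteSpace($user1)) {
    Write-Host "No email address supplied. Aborting script." -ForegroundColor Red
    return
}

Write-Host "Looking up user $user1 in AD..."
$user = Get-ADUser -Filter {EmailAddress -eq $user1} -ErrorAction SilentlyContinue -Properties mail,enabled

if ($null -eq $user) {
    Write-Host "User $user1 not found. Aborting script." -ForegroundColor Red
    # Stop here: every later step would otherwise run against an unverified identity.
    return
}

# A shared or duplicated mail attribute must not lead to disabling several accounts at once.
if (@($user).Count -gt 1) {
    Write-Host "More than one AD user has the address $user1. Aborting script." -ForegroundColor Red
    return
}

Write-Host "User $user1 found - $($user.DistinguishedName)"

if ($user.Enabled) {
    Write-Host "Disabling AD user $user1."
    # The AD cmdlets resolve -Identity by DN, GUID, SID or sAMAccountName (not by UPN),
    # so use the DN of the object that was just looked up.
    Disable-ADAccount -Identity $user.DistinguishedName
}
else {
    Write-Host "AD User $user1 already disabled."
}

Write-Host "Remove from Office 365 licensing AD group."
try {
    Remove-ADGroupMember -Identity "Licensing_Office365" -Members $user.DistinguishedName -Confirm:$false -ErrorAction Stop
}
catch {
    # Report the failure instead of hiding it: a leaver who keeps the licensing
    # group membership is easy to miss later.
    Write-Warning "Could not remove $user1 from Licensing_Office365: $($_.Exception.Message)"
}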

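# Probe the MSOnline session: Get-MsolDomain returns nothing when not signed in.
# NOTE(review): the if/else and the connect call were missing from the published
# listing and are restored here from the two status messages.
$test = Get-MsolDomain -ErrorAction SilentlyContinue
if ($test) {
    Write-Host "Already connected to MSOL" -ForegroundColor Green
}
else {
    Write-Host "Not connected to MSOL. Connecting..." -ForegroundColor Red
    # Interactive sign-in so the admin account can be protected with MFA.
    Connect-MsolService
}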

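# Probe the AzureAD session; the module throws AadNeedAuthenticationException
# when no sign-in has happened yet.
try {
    $null = Get-AzureADTenantDetail
}
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Write-Host "Not connected to AzureAD. Connecting..." -ForegroundColor Red
    # The listing passed -Credential $cred, but $cred is not defined anywhere in
    # the visible script. Interactive sign-in avoids the undefined variable and
    # works for MFA-protected admin accounts.
    Connect-AzureAD
}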

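Write-Host "Getting mailbox for $user1"
try {
    # Fails with "command not found" when no Exchange Online session is imported.
    $mailbox = Get-Mailbox -Identity $user1
}
catch {
    # Any error from the first attempt is treated as "no session yet".
    Write-Host "Not connected to Exchange Online. Connecting..." -ForegroundColor Red
    $LiveCred = Get-Credential
    # NOTE(review): Basic authentication cannot be combined with MFA, and Microsoft
    # has deprecated it for Exchange Online. The supported route is
    # Connect-ExchangeOnline from the ExchangeOnlineManagement module - migrate
    # this block when that module is available.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    $mailbox = Get-Mailbox -Identity $user1
}

# Do not run the mailbox changes below against an address that resolves to nothing.
if (-not $mailbox) {
    Write-Warning "No mailbox found for $user1. Aborting script."
    return
}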

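# Block sign-in first, so the user cannot obtain fresh tokens once the
# existing ones have been revoked.
Write-Host "Blocking Office 365 User"
Set-MsolUser -UserPrincipalName $user1 -BlockCredential $true

# Revoke refresh tokens. Look the user up by exact identity: -SearchString is a
# prefix match and could hand more than one account to the revoke call.
# Access tokens that were already issued stay valid until they expire.
Write-Host "Revoking AzureAD tokens"
$aadUser = Get-AzureADUser -ObjectId $user1
if ($aadUser) {
    $aadUser | Revoke-AzureADUserAllRefreshToken
}
else {
    Write-Warning "Azure AD user $user1 not found - refresh tokens were NOT revoked."
}

# Disable mailbox and set litigation hold (the hold preserves mailbox content
# after the account is disabled).
Write-Host "Disable mailbox and set litigation hold"
Set-Mailbox $user1 -AccountDisabled $true -LitigationHoldEnabled $true

# Set Out of Office: same text for internal and external senders.
Write-Host "Setting Out of Office"
$autoReply = "Out of Office. Please contact manager with any queries."
Set-MailboxAutoReplyConfiguration -Identity $user1 -AutoReplyState Enabled -InternalMessage $autoReply -ExternalMessage $autoReply

# Disable ActiveSync, IMAP, OWA, MAPI and POP access to the mailbox.
Write-Host "Disabling Mailbox features"
Set-CasMailbox -Identity $user1 -ActiveSyncEnabled $false -ImapEnabled $false -OWAEnabled $false -MAPIEnabled $false -PopEnabled $false -OWAforDevicesEnabled $false

# NOTE(review): this message is printed even if a step above reported an error;
# check the output before treating the leaver as fully disabled.
Write-Host "Successfully completed script." -ForegroundColor Green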

