Powershell to disable Office 365 user who leaves
Published: Thursday, 18 July 2019 | Categories: Office365 | Keywords: Powershell | Status: Posted | Created: Thursday, 18 July 2019 | Author: paul

The script below can be ran against an Office 365 synced user to disable their access immediately before ADconnect removes them when their onprem AD account is disabled.

# Disable Leaver
# Pass AD account username

param (
    [string]$user1 = $( Read-Host "Input user email address" )

Write-host "Looking up user "$user1" in AD..."
$user = Get-ADUser -Filter {EmailAddress -eq $user1} -ErrorAction SilentlyContinue -property mail,enabled
if($user -ne $Null) {
	Write-host "User $user1 found - "$user.DistinguishedName
else {
	Write-host "User $user1 not found. Aborting script." -foregroundcolor red
If($user.Enabled -eq 1) {
	Write-host "Disabling AD user $user1."
	Disable-ADAccount -Identity $user.UserPrincipalName
else {
	Write-host "AD User $user1 already disabled."
Write-host "Remove from Office 365 licensing AD group."
Remove-ADGroupMember -Identity "Licensing_Office365" -Members $user.DistinguishedName -ErrorAction SilentlyContinue -Confirm:$false

$test=Get-MsolDomain -ErrorAction SilentlyContinue
	Write-Host "Already connected to MSOL" -foregroundcolor green
	Write-Host "Not connected to MSOL. Connecting..." -foregroundcolor red

{ $var = Get-AzureADTenantDetail } 
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
	Write-Host "Not connected to AzureAD. Connecting..." -foregroundcolor red
	Connect-AzureAD -credential $cred

Write-Host "Getting mailbox for "$user1
{ $mailbox = Get-Mailbox -identity $user1 } 
catch  {
	Write-Host "Not connected to Exchange Online. Connecting..." -foregroundcolor red
	$LiveCred = Get-Credential
	$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
	Import-PSSession $Session
	$mailbox = Get-Mailbox -identity $user1

# Disable mailbox and set litigation hold
Write-Host "Disable mailbox and set litigation hold"
Set-Mailbox $user1 -AccountDisabled $true -LitigationHoldEnabled $true

# Set Out of Office
Write-Host "Setting Out of Office"
Set-MailboxAutoReplyConfiguration -identity $user1 -AutoReplyState Enabled -InternalMessage "Out of Office. Please contact manager with any queries." -ExternalMessage "Out of Office. Please contact manager with any queries."

# Revoke tokens
Write-Host "Revoking AzureAD tokens"
Get-AzureADUser -Searchstring $user1 | Revoke-AzureADUserAllRefreshToken

# Block access
Write-Host "Blocking Office 365 User"
Set-MsolUser -UserPrincipalName $user1 -BlockCredential $true 

# Disable Activesync etc
Write-Host "Disabling Mailbox features"
Set-CasMailbox -Identity $user1 -ActiveSyncEnabled $false -ImapEnabled $false -OWAEnabled $false -MAPIEnabled $false -PopEnabled $false -OWAforDevicesEnabled $false

Write-Host "Successfully completed script." -foregroundcolor green


Add Comment
No Comments.