Mar 11 2019
04:06 PM
- last edited on
Feb 10 2023
02:31 PM
by
TechCommunityAP
Hi All,
This is the first time I am starting a conversation in the Office 365 forum, and I hope someone could help me with the below.
In my organisation, there is a hybrid Exchange environment with Exchange 2010 and Office 365. We have an automated user offboarding process using scheduled PowerShell scripts. We already have scripts scheduled to run on the leaving user's final working day to remove access and all other required tasks. We would also like to block the user's Azure AD authentication on the user's final working day using the same scheduled PowerShell script. The reasoning behind this is that we keep terminated user accounts as disabled users for 30 days before purging the account. During this time period, the user can still access Yammer and Office 365 emails. We reset the account password to prevent this at the moment. We would like this process to be cleaner by disabling online authentication. (Set-AzureADUser -ObjectID <sign-in name of the user account> -AccountEnabled $false)
In order to do this, we need to connect to Microsoft Online PowerShell with the provided credentials ($Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Creds -Authentication Basic -AllowRedirection).
The scheduled task runs using a service account, and we created this user in Exchange Online with the below privileges.
I can connect to the Exchange Online PowerShell module using this service account's credentials.
My question is
I hope my explanation is clear enough for someone to help me with this.
Thank you very much!
Mar 14 2019 09:05 AM - edited Mar 14 2019 09:06 AM
If you use Set-AzureADUser, then you need to connect to AzureAD not Exchange.
Then you can use Azure Automation, here you have a credential manager to store the account you use to connect.
Mar 24 2019 01:48 AM
@Arjan Cornelissen Thank you for your response, and sorry for the late reply. Thanks for pointing me in the right direction. I tried to find documentation to accomplish this task and could not find anything that fulfils it. If you can give a few simple steps to achieve this, it would be highly appreciated.
Thanks
Don
Mar 24 2019 09:20 AM
@donnuwan to use the command "Set-AzureADUser -ObjectID <sign-in name of the user account> -AccountEnabled $false"
You should first use the command "Connect-AzureAD -Credential $O365Creds"
So if you use Azure Automation you can create a new "Automation Account". In there you can go to Credentials under Shared Resources.
The name you give the credential can then be used in a runbook by calling
$O365Cred = Get-AutomationPSCredential -Name "<your credentials name>"
So the complete script can be something like this
param(
    # Object ID of the user to disable; the runbook prompts for it when started.
    [Parameter(Mandatory=$true)]
    [guid]
    $UserObjectId
)
# Fetch the credential stored under Shared Resources > Credentials in the Automation account.
$O365Cred = Get-AutomationPSCredential -Name "AzureADAdminCred"
# Connect to Azure AD (not Exchange) with that credential; the variable name must match the one assigned above.
Connect-AzureAD -Credential $O365Cred
# Block sign-in for the user.
Set-AzureADUser -ObjectID $UserObjectId -AccountEnabled $false
Then you can run this runbook, and you are asked to give the ObjectId of the user to run it.
Hope this helps.
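The following is an added example (not code from the original thread or from either poster) that carries the runbook idea above through as a scheduled offboarding step: it fetches the stored credential, disables the leaver's Azure AD sign-in, revokes already-issued refresh tokens so open sessions cannot keep using the mailbox or Yammer until the tokens expire, and reads the account state back so the job log shows a verifiable result. The credential asset name "AzureADAdminCred" is an assumption carried over from the post above, and the account is looked up by UPN (Set-AzureADUser and Get-AzureADUser accept either a UPN or an object ID for -ObjectId).

```powershell
# Added example (not from the original thread): Azure Automation runbook that
# disables a leaver's Azure AD sign-in and verifies the result.
# Assumes: a credential asset named "AzureADAdminCred" (name is an assumption)
# and the AzureAD module imported into the Automation account.
param(
    [Parameter(Mandatory = $true)]
    [string]
    $UserPrincipalName   # UPN or object ID; both are accepted by -ObjectId
)

# Make every failing cmdlet terminate the runbook instead of silently continuing.
$ErrorActionPreference = 'Stop'

# Pull the stored credential from the Automation account's Shared Resources.
$O365Cred = Get-AutomationPSCredential -Name 'AzureADAdminCred'

# Connect-AzureAD -Credential cannot answer an MFA prompt, so the stored account
# must be a dedicated service identity that is allowed to sign in non-interactively.
Connect-AzureAD -Credential $O365Cred | Out-Null

$user = Get-AzureADUser -ObjectId $UserPrincipalName
if (-not $user) { throw "User '$UserPrincipalName' not found in Azure AD." }

if ($user.AccountEnabled) {
    # Block new sign-ins for the account.
    Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
    Write-Output "Disabled sign-in for $($user.UserPrincipalName)."
} else {
    Write-Output "$($user.UserPrincipalName) was already disabled."
}

# Disabling the account does not invalidate tokens that were issued earlier.
# Revoking refresh tokens forces clients to re-authenticate, which now fails.
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
Write-Output "Revoked refresh tokens for $($user.UserPrincipalName)."

# Read the state back so the scheduled job records a checked outcome.
$after = Get-AzureADUser -ObjectId $user.ObjectId
if ($after.AccountEnabled) {
    throw "AccountEnabled is still true for $($after.UserPrincipalName)."
}
Write-Output "Verified: AccountEnabled = $($after.AccountEnabled)"

Disconnect-AzureAD
```

Run it from the Automation account with the leaver's UPN as the parameter, or call it from the existing offboarding job with Start-AzureRmAutomationRunbook (or the Az equivalent). Note that the AzureAD module used throughout this thread has since been retired in favour of the Microsoft Graph PowerShell SDK, where the same two actions are Update-MgUser -AccountEnabled:$false and Revoke-MgUserSignInSession.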
Apr 04 2019 08:34 PM
@Arjan Cornelissen Thanks for pointing me in the right direction. I started reading on this avenue and will try to implement this.
Apr 05 2019 01:22 AM
@donnuwan If you need any help, contact me privately and I might help you 1 on 1.
Apr 08 2019 04:11 PM
@Arjan Cornelissen Thank you for your kind help. I will contact you privately to arrange some time to go through with this task.