Connect Office365 PowerShell using Service Account

Copper Contributor

Hi All,

 

This is the first time I am starting a conversation in Office 365 forum and I hope someone could help me with below.

In my organisation, there is a hybrid exchange environment with Exchange 2010 and Office 365. We have an automated user offboarding process using scheduled PowerShell scripts. We already have scripts scheduled to run on leaving the user's final working day to remove access and all other required tasks.  We also would like to block the user's Azure AD authentication on the user's final working day using the same scheduled PowerShell Script.  The reasoning behind this is, we keep terminated user accounts as disabled users for 30 days before purging the account.  During this time period, the user can still access Yammer and Office 365 emails.  We reset the account password to prevent this at the moment. We would like this process to be cleaner by disabling online authentication. (Set-AzureADUser -ObjectID <sign-in name of the user account> -AccountEnabled $false)

  In order to this, we need to connect Microsoft online PowerShell with provided credentials.( $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Creds -Authentication Basic -AllowRedirection ).

  The Scheduled task runs using a service account and we created this user in exchange online with below privileges. 

  • Helpdesk (Password) administrator
  • Service administrator
  • Exchange administrator
  • User management administrator

I can connect to exchange online PowerShell Module using this service account credentials. 

MY question is

  • Is there a way for the scheduled task to connect exchange online PowerShell module using the scheduled task credentials without storing credentials in a text file? I know these text file can be encrypted and secure; however, my organisation still does not like the idea of saving admin credentials a text file. 

I hope my explanation is clear enough for someone to help me with this.

 

Thank you very much!

 

6 Replies


If you use Set-AzureADUser, then you need to connect to AzureAD not Exchange.
Then you can use Azure Automation, here you have a credential manager to store the account you use to connect.

@Arjan Cornelissen  Thank you for your response and sorry for the late reply. Thanks for pointing me in the right direction. I tried to find documentation to accomplish this task and could not find anything fulfil this task. If you can give a few simple steps to achieve this would be highly appreciated.

 

Thanks

Don

@donnuwanto use the command "Set-AzureADUser -ObjectID <sign-in name of the user account> -AccountEnabled $false"
You should first use the command "Connect-AzureAD -Credential $O365Creds"

 

So if you use Azure Automation you can create a new "Automation Account". In there you can go to Credentials under Shared Resources.

The name you give the credential you can use in a runbook by calling

$O365Cred = Get-AutomationPSCredential -Name "<your credentials name>"

 

So the complete script can be something like this

 

param(
  [Parameter(Mandatory=$true)]
  [guid]
  $UserObjectId
)

$O365Cred = Get-AutomationPSCredential -Name "AzureADAdminCred"

Connect-AzureAD -Credential $O365Creds

Set-AzureADUser -ObjectID $UserObjectId -AccountEnabled $false

 

 

Then you can run this runbook and then you are asked to give the ObjectId of the user to run it.

Hope this helps.

@Arjan Cornelissen  Thanks for pointing me in the right direction.  I started reading on this avenue and will try to implement this. 

@donnuwanIf you need any help, contact me privately and I might help you 1 on 1

@Arjan Cornelissen  Thank you for your kind help. I will contact you privately to arrange some time to go through with this task.