External/powershell-scripts
1
0
Fork 0
mirror of https://github.com/admindroid-community/powershell-scripts.git synced 2025-12-17 08:25:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

M365 User Offboarding

Browse Source
This commit is contained in:
AdminDroid 2025-04-03 18:47:17 +05:30
parent 4b3aa101c5
commit c83cb0c206
1 changed files with 43 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
Automate M365 User Offboarding/M365UserOffBoarding.ps1
View File

@ -2,12 +2,22 @@
============================================================================================= =============================================================================================
Name: Automate Microsoft 365 User Offboarding with PowerShell Name: Automate Microsoft 365 User Offboarding with PowerShell
Description: This script can perform 14 Microsoft 365 offboarding activities. Description: This script can perform 14 Microsoft 365 offboarding activities.
website: blog.Admindroid.com Website: blog.Admindroid.com
Script by: AdminDroid Team Script by: AdminDroid Team
Version: 2.0
For detailed Script execution: https://blog.admindroid.com/automate-microsoft-365-user-offboarding-with-powershell For detailed Script execution: https://blog.admindroid.com/automate-microsoft-365-user-offboarding-with-powershell
==============================================================================================
Change Log
~~~~~~~~~~
V1.0 (Oct 14, 2023) - File created
V2.0 (Apr 02, 2025) - Removed beta version cmdlets
=========================================================================================
#>
param( param(
[string]$TenantId, [string]$TenantId,
[string]$ClientId, [string]$ClientId,
@ -17,20 +27,20 @@ param(
) )
Function ConnectModules Function ConnectModules
{ {
$MsGraphBetaModule = Get-Module Microsoft.Graph.Beta -ListAvailable $MsGraphModule = Get-Module Microsoft.Graph -ListAvailable
if($MsGraphBetaModule -eq $null) if($MsGraphModule -eq $null)
{ {
Write-host "Important: Microsoft Graph Beta module is unavailable. It is mandatory to have this module installed in the system to run the script successfully." Write-host "Important: Microsoft Graph module is unavailable. It is mandatory to have this module installed in the system to run the script successfully."
$confirm = Read-Host Are you sure you want to install Microsoft Graph Beta module? [Y] Yes [N] No $confirm = Read-Host Are you sure you want to install Microsoft Graph module? [Y] Yes [N] No
if($confirm -match "[yY]") if($confirm -match "[yY]")
{ {
Write-host "Installing Microsoft Graph Beta module..." Write-host "Installing Microsoft Graph module..."
Install-Module Microsoft.Graph.Beta -Scope CurrentUser -AllowClobber Install-Module Microsoft.Graph -Scope CurrentUser -AllowClobber
Write-host "Microsoft Graph Beta module is installed in the machine successfully" -ForegroundColor Magenta Write-host "Microsoft Graph module is installed in the machine successfully" -ForegroundColor Magenta
} }
else else
{ {
Write-host "Exiting. `nNote: Microsoft Graph Beta module must be available in your system to run the script" -ForegroundColor Red Write-host "Exiting. `nNote: Microsoft Graph module must be available in your system to run the script" -ForegroundColor Red
Exit Exit
} }
} }
@ -73,11 +83,11 @@ Function ConnectModules
Exit Exit
} }
} }
Connect-ExchangeOnline -AppId $ClientId -CertificateThumbprint $CertificateThumbprint -Organization (Get-MgBetaDomain | Where-Object {$_.isInitial}).Id -ShowBanner:$false Connect-ExchangeOnline -AppId $ClientId -CertificateThumbprint $CertificateThumbprint -Organization (Get-MgDomain | Where-Object {$_.isInitial}).Id -ShowBanner:$false
} }
else else
{ {
Connect-MgGraph -ErrorAction SilentlyContinue -Errorvariable ConnectionError |Out-Null Connect-MgGraph -Scopes Directory.ReadWrite.All,AppRoleAssignment.ReadWrite.All,User.EnableDisableAccount.All,Directory.AccessAsUser.All,RoleManagement.ReadWrite.Directory -ErrorAction SilentlyContinue -Errorvariable ConnectionError |Out-Null
if($ConnectionError -ne $null) if($ConnectionError -ne $null)
{ {
Write-Host $ConnectionError -Foregroundcolor Red Write-Host $ConnectionError -Foregroundcolor Red
@ -91,14 +101,14 @@ Function ConnectModules
Write-Host $_.Exception.message -ForegroundColor Red Write-Host $_.Exception.message -ForegroundColor Red
Exit Exit
} }
Write-Host "Microsoft Graph Beta PowerShell module is connected successfully" -ForegroundColor Cyan Write-Host "Microsoft Graph PowerShell module is connected successfully" -ForegroundColor Cyan
Write-Host "Exchange Online module is connected successfully" -ForegroundColor Cyan Write-Host "Exchange Online module is connected successfully" -ForegroundColor Cyan
} }
Function DisableUser Function DisableUser
{ {
try{ try{
Update-MgBetaUser -UserId $UPN -AccountEnabled:$false Update-MgUser -UserId $UPN -AccountEnabled:$false
$Script:DisableUserAction = "Success" $Script:DisableUserAction = "Success"
} }
catch catch
@ -119,7 +129,7 @@ Function ResetPasswordToRandom
forceChangePasswordNextSignIn = $true forceChangePasswordNextSignIn = $true
password = $Pwd password = $Pwd
} }
Update-MgBetaUser -UserId $UPN -PasswordProfile $Passwordprofile Update-MgUser -UserId $UPN -PasswordProfile $Passwordprofile
$log>>$PasswordLogFile $log>>$PasswordLogFile
$Script:ResetPasswordToRandomAction = "Success" $Script:ResetPasswordToRandomAction = "Success"
} }
@ -133,7 +143,7 @@ Function ResetPasswordToRandom
Function ResetOfficeName Function ResetOfficeName
{ {
try{ try{
Update-MgBetaUser -UserId $UPN -OfficeLocation "EXD" Update-MgUser -UserId $UPN -OfficeLocation "EXD"
$Script:ResetOfficeNameAction = "Success" $Script:ResetOfficeNameAction = "Success"
} }
catch catch
@ -147,7 +157,7 @@ Function ResetOfficeName
Function RemoveMobileNumber Function RemoveMobileNumber
{ {
try{ try{
Update-MgBetaUser -UserId $UPN -MobilePhone ' ' Update-MgUser -UserId $UPN -MobilePhone null
$Script:RemoveMobileNumberAction = "Success" $Script:RemoveMobileNumberAction = "Success"
} }
catch catch
@ -161,11 +171,11 @@ Function RemoveMobileNumber
Function RemoveGroupMemberships Function RemoveGroupMemberships
{ {
#Remove memberships from group #Remove memberships from group
$groupMemberships = $Memberships|?{$_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group'} $groupMemberships = $Memberships|?{($_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group') -and ($_.AdditionalProperties.'groupTypes' -notcontains 'DynamicMembership')}
foreach($Membership in $groupMemberships) foreach($Membership in $groupMemberships)
{ {
try{ try{
Remove-MgBetaGroupMemberByRef -GroupId $Membership.Id -DirectoryObjectId $UserId -ErrorAction SilentlyContinue -ErrorVariable MemberRemovalErr Remove-MgGroupMemberByRef -GroupId $Membership.Id -DirectoryObjectId $UserId -ErrorAction SilentlyContinue -ErrorVariable MemberRemovalErr
if($MemberRemovalErr) if($MemberRemovalErr)
{ {
Remove-DistributionGroupMember -Identity $Membership.Id -Member $UserId -BypassSecurityGroupManagerCheck -Confirm:$false Remove-DistributionGroupMember -Identity $Membership.Id -Member $UserId -BypassSecurityGroupManagerCheck -Confirm:$false
@ -178,20 +188,20 @@ Function RemoveGroupMemberships
} }
} }
#Remove ownerships from group #Remove ownerships from group
$UserOwnerships = Get-MgBetaUserOwnedObject -UserId $UPN|?{$_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group'} $GroupOwnerships = Get-MgUserOwnedObject -UserId $UPN|?{$_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group'}
foreach($UserOwnership in $UserOwnerships) foreach($GroupOwnership in $GroupOwnerships)
{ {
try{ try{
Remove-MgBetaGroupOwnerByRef -GroupId $UserOwnership.Id -DirectoryObjectId $UserId -ErrorAction SilentlyContinue -ErrorVariable OwnerRemovalErr Remove-MgGroupOwnerByRef -GroupId $GroupOwnership.Id -DirectoryObjectId $UserId -ErrorAction SilentlyContinue -ErrorVariable OwnerRemovalErr
if($OwnerRemovalErr) if($OwnerRemovalErr)
{ {
$ErrorLog = "$($UPN) - GroupId($($UserOwnership.Id)) - Remove Group Memberships Action - "+$OwnerRemovalErr.Exception.Message $ErrorLog = "$($UPN) - GroupId($($GroupOwnership.Id)) - Remove Group Memberships Action - "+$OwnerRemovalErr.Exception.Message
$ErrorLog>>$ErrorsLogFile $ErrorLog>>$ErrorsLogFile
} }
} }
catch catch
{ {
$ErrorLog = "$($UPN) - GroupId($($UserOwnership.Id)) - Remove Group Memberships Action - "+$Error[0].Exception.Message $ErrorLog = "$($UPN) - GroupId($($GroupOwnership.Id)) - Remove Group Memberships Action - "+$Error[0].Exception.Message
$ErrorLog>>$ErrorsLogFile $ErrorLog>>$ErrorsLogFile
} }
} }
@ -209,7 +219,7 @@ Function RemoveGroupMemberships
{ {
$Script:RemoveGroupMembershipsAction = "Success" $Script:RemoveGroupMembershipsAction = "Success"
} }
elseif($groupMemberships -eq $null -and $UserOwnerships -eq $null -and $DistributionGroupOwnerships -eq $null) elseif($groupMemberships -eq $null -and $GroupOwnerships -eq $null -and $DistributionGroupOwnerships -eq $null)
{ {
$Script:RemoveGroupMembershipsAction = "No group memberships" $Script:RemoveGroupMembershipsAction = "No group memberships"
} }
@ -232,7 +242,7 @@ Function RemoveAdminRoles
foreach($AdminRole in $AdminRoles) foreach($AdminRole in $AdminRoles)
{ {
try{ try{
Remove-MgBetaDirectoryRoleMemberByRef -DirectoryObjectId $UserId -DirectoryRoleId $AdminRole.Id Remove-MgDirectoryRoleMemberByRef -DirectoryObjectId $UserId -DirectoryRoleId $AdminRole.Id
} }
catch catch
{ {
@ -252,12 +262,12 @@ Function RemoveAdminRoles
} }
Function RemoveAppRoleAssignments Function RemoveAppRoleAssignments
{ {
$AppRoleAssignments = Get-MgBetaUserAppRoleAssignment -UserId $UPN $AppRoleAssignments = Get-MgUserAppRoleAssignment -UserId $UPN
if($AppRoleAssignments -ne $null) if($AppRoleAssignments -ne $null)
{ {
$AppRoleAssignments | ForEach-Object { $AppRoleAssignments | ForEach-Object {
try{ try{
Remove-MgBetaUserAppRoleAssignment -AppRoleAssignmentID $_.Id -UserId $UPN Remove-MgUserAppRoleAssignment -AppRoleAssignmentID $_.Id -UserId $UPN
} }
catch catch
{ {
@ -384,10 +394,10 @@ Function ConvertToSharedMailbox
Function RemoveLicense Function RemoveLicense
{ {
$Licenses = Get-MgBetaUserLicenseDetail -UserId $UPN $Licenses = Get-MgUserLicenseDetail -UserId $UPN
if($Licenses -ne $null) if($Licenses -ne $null)
{ {
Set-MgBetaUserLicense -UserId $UPN -RemoveLicenses @($Licenses.SkuId) -AddLicenses @() -ErrorAction SilentlyContinue -ErrorVariable LicenseError | Out-Null Set-MgUserLicense -UserId $UPN -RemoveLicenses @($Licenses.SkuId) -AddLicenses @() -ErrorAction SilentlyContinue -ErrorVariable LicenseError | Out-Null
if($LicenseError) if($LicenseError)
{ {
$Script:RemoveLicenseAction = "Failed" $Script:RemoveLicenseAction = "Failed"
@ -407,7 +417,7 @@ Function RemoveLicense
Function SignOutFromAllSessions Function SignOutFromAllSessions
{ {
Revoke-MgBetaUserSignInSession -UserId $UPN | Out-Null Revoke-MgUserSignInSession -UserId $UPN | Out-Null
$Script:SignOutFromAllSessionsAction = "Success" $Script:SignOutFromAllSessionsAction = "Success"
} }
@ -494,7 +504,7 @@ Function main
$UPN = $UPN.Trim() $UPN = $UPN.Trim()
Write-Progress "Processing $UPN" Write-Progress "Processing $UPN"
$Script:Status = "$UPN - " $Script:Status = "$UPN - "
$User = Get-MgBetaUser -UserId $UPN -ErrorAction SilentlyContinue $User = Get-MgUser -UserId $UPN -ErrorAction SilentlyContinue
$UserId = $User.Id $UserId = $User.Id
if($User -eq $null) if($User -eq $null)
{ {
@ -517,7 +527,7 @@ Function main
} }
if($Actions -contains 5 -or $Actions -contains 6) # To get memberships of the user (group and roles) if($Actions -contains 5 -or $Actions -contains 6) # To get memberships of the user (group and roles)
{ {
$Memberships = Get-MgBetaUserMemberOf -UserId $UPN $Memberships = Get-MgUserMemberOf -UserId $UPN
} }
foreach($Action in $Actions) foreach($Action in $Actions)
{ {