This is a simple script that removes a user's permissions on additional (shared) mailboxes within the organization's Office 365 tenant. It can also be configured to block Office 365 sign-in for those same users (`$BlockLogin`). It is set up to process an OU of users, but can quickly be edited to target a single user; alternatively, an OU containing a single user can be used. It requires the Office 365 PowerShell modules and their prerequisites to be loaded ahead of time. Download the script and set the variables in the ISE or Notepad before execution, and double-check `$BlockLogin` before running: when true, every user in the OU is locked out of Office 365.
#######################################################################
################### Variables #########################################
#######################################################################
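$OU = "OU=YOUROU,DC=DOMAIN,DC=DOMAIN" ################ Who to revoke ##
$Cred = Get-Credential ########### Credentials for connecting to 365 ##
$FromAddress = "From@who.com" ########################## for logging ##
$ToAddress = "To@who.com" ############################## for logging ##
$LogPath = "\\FOLDER.TO.STORE\LOG\" #################### for logging ##
$SMTP = "SMTP.RELAY.FORLOG" ############################ for logging ##
$BlockLogin = $False ######## Change to true to also block 365 login ##
#######################################################################
### Requires Modules and pre-requisites for Office 365 Powershell #####
### Every user under $OU is processed; $BlockLogin = $true sets     ###
### BlockCredential on each of them (a tenant-wide sign-in block).  ###
#######################################################################
# Timestamp for the log file name: ISO 8601 round-trip format, with the
# characters that are illegal in a Windows file name swapped out.
$date = Get-Date -Format o
$date = $date -replace '/', '--'
$date = $date -replace ':', '-'
Import-Module ActiveDirectory
$filename = "$date" + "___RevokeFolderPermsLog.csv"
# Join-Path works whether or not $LogPath carries a trailing backslash
# (the original string concatenation silently required one).
$termlog = Join-Path -Path $LogPath -ChildPath $filename
# Lines accumulated for the HTML summary mail; the leading dots are spacing
# filler that the mail body relies on. ArrayList.Add returns the new index,
# so every Add is cast to [void] to keep that number off the console.
$br = "<br>"
[System.Collections.ArrayList]$emaillog = @(".", ".", ".", ".")
[void]$emaillog.Add($br)
[void]$emaillog.Add($br)
$found = $false
$ms = ''
Import-Module MSOnline
# Abort here if any connection step fails. Without -ErrorAction Stop the
# script would carry on into the per-user loop with no working session and
# no Exchange cmdlets imported, failing (or half-failing) one user at a time.
# NOTE(review): Basic authentication to ps.outlook.com and the MSOnline
# module are legacy paths; confirm the tenant still accepts them before
# relying on this script.
Connect-MsolService -Credential $Cred -ErrorAction Stop
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell `
    -Credential $Cred -Authentication Basic -AllowRedirection -ErrorAction Stop
Import-PSSession $O365Session -AllowClobber -ErrorAction Stop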
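Write-Progress -Activity "Getting Users: $OU"
Write-Host "Getting Users: $OU"
# Only the two attributes the loop reads are requested; "-Properties *"
# pulled every attribute of every user for nothing.
$users = Get-ADUser -SearchBase $OU -Filter * -Properties UserPrincipalName, SamAccountName
if (-not $users)
{
    Write-Host "No users found under: $OU"
}
foreach ($user in $users)
{
    $upn = $user.UserPrincipalName
    $username = $user.SamAccountName
    # Comparison, not assignment. The original "if ($blocklogin = $true)"
    # assigned $true and therefore blocked sign-in for EVERY user in the OU,
    # whatever $BlockLogin had been set to.
    if ($BlockLogin -eq $true)
    {
        Set-MsolUser -UserPrincipalName $upn -BlockCredential $true
        Write-Host "Blocked 365 login: $upn"
    }
    # Every mailbox in the tenant on which this user holds an explicit
    # permission entry.
    $permissions = Get-MailboxPermission -Identity * -User "$upn"
    foreach ($mbx in $permissions)
    {
        $mbxname = $mbx.Identity
        # Intended to skip the user's own mailbox.
        # NOTE(review): this compares the mailbox Identity with SamAccountName;
        # confirm the Identity format your tenant returns actually matches,
        # otherwise the user's own mailbox is not excluded.
        if ($mbxname -ne $username)
        {
            # "-AccessRights FullAccess" is two tokens; the original
            # "-AccessRightsFullAccess" is not a parameter and the removals
            # never ran. The remove / re-add with AutoMapping off / remove
            # sequence is kept as written; presumably it exists to clear the
            # Outlook auto-mapping entry — verify against your tenant.
            Remove-MailboxPermission -Identity $mbxname -User $upn -AccessRights FullAccess -InheritanceType All -Confirm:$false
            Add-MailboxPermission -Identity $mbxname -User $upn -AccessRights FullAccess -InheritanceType All -AutoMapping $false
            Remove-MailboxPermission -Identity $mbxname -User $upn -AccessRights FullAccess -InheritanceType All -Confirm:$false
            $MS = "Removed: $upn permissions from:$mbxname"
            $MS | Out-File $termlog -Append
            # The summary is sent as HTML; mailbox identities and UPNs are
            # directory data, so encode them rather than emit them as markup.
            # Add returns the new index, hence the [void].
            [void]$emaillog.Add([System.Net.WebUtility]::HtmlEncode($MS))
            [void]$emaillog.Add($br)
            Write-Progress -Activity "Removed: $upn permissions from: $mbxname"
            Write-Host "Removed: $upn permissions from: $mbxname"
            $found = $true
        }
    }
}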
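# Comparison, not assignment: the original "if ($found = $true)" always sent
# the "actions have been taken" mail, and "if ($found = $false)" could never
# run, so an empty run was reported as if permissions had been removed.
# $found is only ever $false or $true, so a plain else covers the second case.
$subject = "365 Mailbox Permissions Revocation Log"
if ($found -eq $true)
{
    Send-MailMessage -From "$FromAddress" -To "$ToAddress" -Subject $subject -Body "The following actions have been taken and logged.<br> Log: '$termlog' <font color='blue'><b><br> $emaillog </b></font>" -BodyAsHtml -SmtpServer $SMTP
}
else
{
    Send-MailMessage -From "$FromAddress" -To "$ToAddress" -Subject $subject -Body "No permissions found for users. <br> Log: '$termlog' <font color='blue'><b><br> $emaillog </b></font>" -BodyAsHtml -SmtpServer $SMTP
}
# Tear down the Exchange Online remote session; the original left it open.
if ($O365Session)
{
    Remove-PSSession $O365Session
}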