Example User onboarding & offboarding Scripts
USE THESE AT YOUR OWN RISK! My scripts do include a lot of pauses, though, to make sure you don't make big mistakes with them. Hit Ctrl+C to kill the script if it's doing the wrong thing! :)
User Onboarding
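# Onboarding script: collects the settings used to create a Microsoft 365 user
# in a client tenant and derives the user's nickname, display name and email.

# --- MSP details (used in the hand-off message) ---
$MSPName = "Example Company"

# --- Client company details ---
# $tenantID pins the Graph connection to one customer tenant. Check it before
# every run so the account is not created in a different client's tenant.
$tenantID = "31537af4-6d77-4bb9-a681-d2394888ea26"
$clientCompanyEmailDomain = "contoso.onmicrosoft.com"
$clientCompanyName = "Contoso Corp"

# --- New user's details ---
$userFirstName = ""
$userLastName = ""
# NOTE(review): $userMobilePhone and $userState are set here, but the
# New-MgUser call in this script does not pass them.
$userMobilePhone = ""
$userState = "New Jersey"
$userDepartment = ""
$userUsageLocation = "US"

# Stop before anything is created if the name placeholders were left blank;
# the nickname and sign-in address are built from them.
if ([string]::IsNullOrWhiteSpace($userFirstName) -or [string]::IsNullOrWhiteSpace($userLastName)) {
    throw "Set `$userFirstName and `$userLastName before running the onboarding script."
}

# Derived identity values: first initial + last name, lower-cased.
# NOTE(review): spaces or apostrophes in the names flow straight into the
# nickname and UPN - check the result for names such as "O'Brien".
$userMailNickname = $userFirstName.ToLower()[0] + $userLastName.ToLower()
$userDisplayName = "$userFirstName $userLastName"
$userEmail = "$userMailNickname@$clientCompanyEmailDomain"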
# Generate a random temporary password and wrap it in the password profile
# that New-MgUser expects.
# NOTE(review): System.Web.Security.Membership is a .NET Framework type, so
# this is expected to work in Windows PowerShell 5.1 but not in PowerShell 7 -
# confirm on the host you run this from.
Add-Type -AssemblyName System.Web

# Get-Random treats -Maximum as exclusive, so the length is 20 to 31 characters.
$passwordLength = Get-Random -Minimum 20 -Maximum 32
# Second argument: minimum number of non-alphanumeric characters.
$password = [System.Web.Security.Membership]::GeneratePassword($passwordLength, 3)

# The user must replace the temporary password at first sign-in, with MFA.
$PasswordProfile = @{
    Password                             = $password
    ForceChangePasswordNextSignIn        = $true
    ForceChangePasswordNextSignInWithMfa = $true
}
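# Connect to Microsoft Graph in the client's tenant.
# NOTE(review): no -Scopes is requested, so the session runs with whatever the
# Graph PowerShell app has already been granted in this tenant. Consider
# requesting only what this script needs (presumably User.ReadWrite.All and
# Organization.Read.All - confirm against the cmdlet documentation).
Connect-MgGraph -NoWelcome -TenantId $tenantID

# Create the account. -ErrorAction Stop halts the script on failure so it never
# goes on to license, or print credentials for, a user that was not created.
$newUserParams = @{
    AccountEnabled    = $true
    GivenName         = $userFirstName
    Surname           = $userLastName
    MailNickname      = $userMailNickname
    DisplayName       = $userDisplayName
    UserPrincipalName = $userEmail
    PasswordProfile   = $PasswordProfile
    Department        = $userDepartment
    UsageLocation     = $userUsageLocation
    ErrorAction       = 'Stop'
}
New-MgUser @newUserParams

# Look up the tenant's subscription with SKU part number 'SPB' and assign it.
$businesspremiumlicense = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq 'SPB'
if (-not $businesspremiumlicense) {
    # Without this check a tenant that lacks the SKU fails later with an
    # unhelpful error about an empty SkuId.
    throw "No 'SPB' subscription found in tenant $tenantID; $userEmail was created but has no license."
}
Set-MgUserLicense -UserId $userEmail -AddLicenses @{SkuId = $businesspremiumlicense.SkuId} -RemoveLicenses @() -ErrorAction Stop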
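# Print a ready-to-send hand-off message containing the new sign-in details.

# The technician's name is read from the Office user-info key of the account
# running the script.
# NOTE(review): the doubled backslashes are kept as published; single
# backslashes are the usual form for a registry provider path.
$fullName = ((Get-ItemProperty "HKCU:\\Software\\Microsoft\\Office\\Common\\UserInfo\\").UserName)
$firstName = $fullName.Split(' ')[0]

cls
echo "Hello, this is $firstName with $MSPName."
# ${...} delimits the variable name: "$clientCompanyName:" is parsed as a
# scope/drive-qualified reference and is rejected by the PowerShell parser.
echo "`nI just created your Microsoft login information for ${clientCompanyName}:`n"
echo "Email: $userEmail"
# The temporary password is shown in clear text next to the sign-in name. It
# stays in console scrollback and in any active transcript, so clear the window
# after copying it. Sending the password through a different channel than the
# email address limits exposure if one message is intercepted; the forced
# change at first sign-in limits how long it remains valid.
echo "Temporary Password: $password"
echo "`nYou can sign in using the outlook or teams apps, or from portal.office.com"
echo "`nPlease let me know if you have any issues signing in, we’re happy to help!`n"
echo "Thank you and have a wonderful rest of your day,"
echo $fullName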
User Offboarding
# Offboarding script: settings for the tenant and for the departing user.

# Tenant to operate on, and the admin account used for the Exchange Online
# sign-in. Check both before every run - each later step acts on this tenant.
$tenantID = "31537af4-6d77-4bb9-a681-d2394888ea26"
$tenantAdminUsername = "admin@example.com"

# Account being offboarded, and the mailbox that will receive its mail.
$userEmail = "example@example.com"
$forwardingAddress = "example2@example.com"
# Open the three admin sessions the offboarding steps rely on. Each connection
# is followed by a Pause so the operator can confirm the sign-in succeeded
# (and landed in the intended tenant) before continuing.

# Microsoft Graph: user lookup, licensing, session revocation, sign-in block.
Write-Output "Connecting to 365..."
Connect-MgGraph -NoWelcome -TenantId $tenantID
Pause

# Exchange Online: mailbox conversion and forwarding.
Write-Output "Connecting to exchange online..."
Connect-ExchangeOnline -UserPrincipalName $tenantAdminUsername
Pause

# MSOnline: used only for the MFA reset at the end of the script.
# NOTE(review): Microsoft has deprecated the MSOnline module; confirm it still
# works in your environment and plan a Graph-based replacement for that step.
Write-Output "Connecting to MSOnline..."
Connect-MsolService
Pause
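# Offboard the account: cut off access, convert the mailbox to shared, forward
# its mail, release the license and reset MFA.

# Confirm the target exists before changing anything; a typo in $userEmail
# stops the script here rather than part-way through.
$user = Get-MgUser -UserId $userEmail -ErrorAction Stop

# Cut off access first. Blocking sign-in before revoking sessions means the
# user cannot obtain fresh tokens in between, and doing both before the mailbox
# work means the account is not usable during the 60-second wait and the pauses.
echo "Blocking sign-in..."
Update-MgUser -UserId $userEmail -AccountEnabled:$false

# Revocation invalidates refresh tokens; access tokens that were already
# issued may keep working until they expire.
echo "Revoking sign-in sessions..."
Revoke-MgUserSignInSession -UserId $userEmail
Pause

echo "Making user a shared mailbox..."
Set-Mailbox $userEmail -Type Shared

echo "Waiting 60 seconds for the changes to apply..."
Start-Sleep -Seconds 60

# Operator checkpoint: the license must only be removed once the mailbox
# reports as shared.
Get-Mailbox -Identity $userEmail | Format-Table Name, RecipientTypeDetails
echo "Made user a shared mailbox, make sure this applied by reading the above. If not, hit ctrl+C, because the script is about to remove their 365 license next"
Pause

# Forwarding sends a copy of every future message to $forwardingAddress.
# Confirm the address is an approved recipient inside the organisation, and
# remove the rule once it is no longer needed; mailbox forwarding is a common
# audit finding and is hard to tell apart from attacker-created forwarding.
echo "Setting up email forwarding..."
Set-Mailbox -Identity $userEmail -DeliverToMailboxAndForward $true -ForwardingSMTPAddress $forwardingAddress
Pause

echo "Continuing after making shared mailbox..."
$businesspremiumlicense = Get-MgSubscribedSku -All | Where-Object SkuPartNumber -eq 'SPB'
if ($businesspremiumlicense) {
    Set-MgUserLicense -UserId $userEmail -RemoveLicenses @($businesspremiumlicense.SkuId) -AddLicenses @{}
}
else {
    # Without this check a missing SKU produces an error about an empty SkuId.
    Write-Warning "No 'SPB' subscription found in this tenant; no license was removed from $userEmail."
}

# NOTE(review): this step relies on the deprecated MSOnline module. If it
# fails, the user's registered MFA methods are still in place and need to be
# cleared another way.
echo "Resetting MFA..."
$userMfaAccount = Get-MsolUser -UserPrincipalName $userEmail
Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName $userMfaAccount.Userprincipalname

# Close the admin sessions so their tokens are not left usable in this console.
Disconnect-ExchangeOnline -Confirm:$false
Disconnect-MgGraph | Out-Null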