PS - Office 365 Admin Role Based on AD Group Script

Automatic Office 365 Role membership management

There's another great script on the TechNet Gallery by Benoit Hamet which you can use to assign Office 365 Role Membership based on AD group membership.

The script is located at - https://gallery.technet.microsoft.com/Automatic-Office-365-Role-433d5120#content

#region header

Script to automate Office 365 role assigment based on Active Directory groups membership

Prereqs Azure Active Directory PowerShell Modules v1

See https://docs.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles for all Office 365/Azure roles

See http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=864 for usage details

Provide feedbacks and comments on https://gallery.technet.microsoft.com/Automatic-Office-365-Role-433d5120

April 2017 - v1.0

April 2017 - v2.0 - Add MFA activation, bug correction in Office365Udpate role function

#endregion header

#region runasadmin

# Self Elevating Permission to run PowerShell in administrator context

# Get the ID and security principal of the current user account

$myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()

$myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)

# Get the security principal for the Administrator role

$adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator

# Check to see if we are currently running "as Administrator"

If ($myWindowsPrincipal.IsInRole($adminRole))

{

# We are running "as Administrator" - so change the title and background color to indicate this

$Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)"

$Host.UI.RawUI.BackgroundColor = "DarkBlue"

Clear-Host

}

Else

{

# We are not running "as Administrator" - so relaunch as administrator

# Create a new process object that starts PowerShell

$newProcess = New-Object System.Diagnostics.ProcessStartInfo "PowerShell";

# Specify the current script path and name as a parameter

$newProcess.Arguments = $myInvocation.MyCommand.Definition;

# Indicate that the process should be elevated

$newProcess.Verb = "runas";

# Start the new process

[System.Diagnostics.Process]::Start($newProcess);

# Exit from the current, unelevated, process

Exit

}

#endregion runasadmin

#All functions

#region functions

#Function to check if credentials files exist

#region credfilescheck

Function CredsFilesCheck([string]$ExecStep,[string]$ConnectTo,[string]$LogonFile,[string]$PasswordFile,[string]$KeyFile)

{

#Check if password files exist; if not request for credentials

If (!(Test-Path $LogonFile -Verbose) -or !(Test-Path $PasswordFile -Verbose) -or !(Test-Path $KeyFile -Verbose))

{

#Ask if you want to save the credentials

$PopMsg = "Do you want to save the credentials to connect to " + $ConnectTo + "?"

$SaveCredentials = $WShell.Popup($PopMsg,0,"Save Credentials",0x24)

#If save credentials is true

If ($SaveCredentials -eq 6)

{

$SaveCredentialsReturn = Savecredentials $ExecStep $LogonFile $PasswordFile $KeyFile

If ($SaveCredentialsReturn.Result -eq "Success")

{

$Creds = CredentialsGeneration $ExecStep $LogonFile $PasswordFile $KeyFile

$Creds = $Creds.Credentials

}

Else

{

Break

}

#If save credentials is false

If ($SaveCredentials -eq 7)

{

Try

{

$Creds = Get-credential -ErrorAction Stop

}

#If user hits cancel quit

Catch

{

$ReturnResult = "Failure"

$ReturnError = "Get-Credential has been cancelled"

EmailBody $ExecStep $ReturnResult $ReturnError

LogFile $ExecStep $ReturnResult $ReturnError

Break

}

#Use existing credentials files

Else

{

$Creds = CredentialsGeneration $ExecStep $LogonFile $PasswordFile $KeyFile

$Creds = $Creds.Credentials

}

$Creds

}

#endregion credfilescheck

#Function to save credentials

#region savecredentials

Function SaveCredentials([string]$Step,[string]$AccountFile,[string]$PasswordFile,[string]$KeyFile)

{

[hashtable]$return = @{}

$ExecStep = "Save credentials - " + $Step

Try

{

$Key = New-Object Byte[] 24

[Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)

$Key | Out-File $KeyFile

$ExecSubStep = $ExecStep + " - Save account"

$Account = [Microsoft.VisualBasic.Interaction]::InputBox("Enter the account to use", "Account", "")

#Check if user hits the cancel button or do not set the account

If ($Account)

{

Try

{

$Key = Get-Content $KeyFile -ErrorAction Stop

$Account = $Account | ConvertTo-SecureString -AsPlainText -Force

$Account | ConvertFrom-SecureString -key $Key | Out-File $AccountFile

$ExecResult = "Success"

$ExecError = @()

}

Catch

{

$ExecResult = "Failure"

$ExecError = $_.Exception.Message

EmailBody $ExecSubStep $ExecResult $ExecError

LogFile $ExecSubStep $ExecResult $ExecError

Return $return

}

$ExecSubStep = $ExecStep + " - Save password"

$Password = [Microsoft.VisualBasic.Interaction]::InputBox("Enter the account's password", "Password", "")

#Check if user hits the cancel button or do not set the password

If ($Password)

{

Try

{

$Key = Get-Content $KeyFile -ErrorAction Stop

$Password = $Password | ConvertTo-SecureString -AsPlainText -Force

$Password | ConvertFrom-SecureString -key $Key | Out-File $PasswordFile

$ExecResult = "Success"

$ExecError = @()

}

Catch

{

$ExecResult = "Failure"

$ExecError = $_.Exception.Message

EmailBody $ExecSubStep $ExecResult $ExecError

LogFile $ExecSubStep $ExecResult $ExecError

Return $return

}

Else

{

$ExecResult = "Failure"

$ExecError = "Password not defined"

EmailBody $ExecSubStep $ExecResult $ExecError

LogFile $ExecSubStep $ExecResult $ExecError

Return $return

}

Else

{

$ExecResult = "Failure"

$ExecError = "Account not defined"

$return.Step = $ExecStep

$return.Result = $ExecResult

$return.Error = $ExecError

EmailBody $return.Step $return.Result $return.Error

LogFile $return.Step $return.Result $return.Error

Return $return

}

$ExecResult = "Success"

$ExecError = @()

}

Catch

{

$ExecResult = "Failure"

$ExecError = $_.Exception.Message

}

#Return results

$return.Step = $ExecStep

$return.Result = $ExecResult

$return.Error = $ExecError

EmailBody $return.Step $return.Result $return.Error

LogFile $return.Step $return.Result $return.Error

Return $return

}

#endregion savecredentials

#Function to generate credentials using encrypted files

#region credentials

Function CredentialsGeneration([string]$Step,[string]$AccountFile,[string]$PasswordFile,[string]$KeyFile)

{

[hashtable]$return = @{}

#Use key file to decrypt password

Try

{

$Key = Get-Content $KeyFile

$Account = Get-Content $AccountFile | ConvertTo-SecureString -Key $Key

$BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Account)

$PlainAccount = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)

$Password = Get-Content $PasswordFile | ConvertTo-SecureString -Key $Key

$Cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $PlainAccount,$Password

$ExecResult = "Success"

$ExecError = @()

}

Catch

{

$Cred = @()

$ExecResult = "Failure"

$ExecError = $_.Exception.Message

}

#Return results

$return.Step = $Step

$return.Result = $ExecResult

$return.Error = $ExecError

$return.Credentials = $Cred

EmailBody $return.Step $return.Result $return.Error

LogFile $return.Step $return.Result $return.Error

Return $return

}

#endregion credentials

#Function to send email

#region sendmail

Function SendMail ([string]$EmailFrom, [string]$EmailTo, [string]$EmailSubject, [string]$EmailBody, [string]$SMTPServer, [System.Management.Automation.CredentialAttribute()]$SMTPCred, [string]$SMTPPort, [string]$EmailAttachment)

{

Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $EmailSubject -Body $EmailBody -BodyAsHtml -SmtpServer $SMTPServer -Credential $SMTPCred -Port $SMTPPort -UseSsl -Attachments $EmailAttachment

}

#endregion sendmail

#Function to check if folder exists

#region folderexist

Function FolderExist ([string]$Folder)

{

#If destination path is valid, create folder if it doesn't already exist

If (Test-Path $Folder -Verbose)

{

New-Item -ItemType Directory $Folder -ErrorAction SilentlyContinue

}

Else

{

#Creating log files directory target

New-Item $Folder -Type Directory

}

#endregion folderexist

#Function to update email body message with execution steps, results and details

#region updatebody

Function EmailBody([string]$Step,[string]$Result,[string]$Error)

{

$Time = Get-Date -Format g

#Set color

If ($Result -eq "Success")

{

$color = "green"

$msg = "successful"

}

If ($Result -eq "Failure")

{

$color = "red"

$msg = "unsuccessful"

}

$EmailBody += " " + $Time + " - " + $Result + " - Execution of step: " + $Step + " has been " + $msg

$EmailBody

}

#endregion updatebody

#Function to update log file with execution steps, results and details

#region updatelog

Function LogFile([string]$Step,[string]$Result,[string]$Error)

{

$Time = Get-Date -Format g

#Set results

If ($Result -eq "Success")

{

$msg = "successful"

}

If ($Result -eq "Failure")

{

$msg = "unsuccessful"

}

$LogTxt = "`n" + $Time + " - " + $Result + " - Execution of step: " + $Step + " has been " + $msg

Add-Content $LogFile $LogTxt

#Add error details

If ($Result -eq "Failure")

{

$LogTxt = "`nError details: " + $Error

Add-Content $LogFile $LogTxt

}

#endregion updatelog

#Function to update Office 365 role membership

#region O365RoleUpdate

Function O365RoleUpdate($Compare,[string]$Office365Role)

{

[hashtable]$return = @{}

#No change are required

If ($Compare.SideIndicator -eq "==")

{

$ExecSubStep = "User " + $Compare.UserPrincipalName + " has been already granted " + $Office365Role + " role"

$ExecResult = "Success"

$ExecError = @()

}

#Add user into Office 365 role

If ($Compare.SideIndicator -eq "<=")

{

$ExecSubStep = "Granting " + $Office365Role + " role to " + $Compare.UserPrincipalName

Try

{

Add-MsolRoleMember -RoleMemberEmailAddress $Compare.UserPrincipalName -RoleName $Office365Role -ErrorAction Stop

$ExecResult = "Success"

$ExecError = @()

}

Catch

{

$ExecResult = "Failure"

$ExecError = $_.Exception.Message

}

#Revoke user into Office 365 role

If ($Compare.SideIndicator -eq "=>")

{

$ExecSubStep = "Revoking " + $Office365Role + " role to " + $Compare.UserPrincipalName

Try

{

Remove-MsolRoleMember -RoleMemberEmailAddress $Compare.UserPrincipalName -RoleName $Office365Role -ErrorAction Stop

$ExecResult = "Success"

$ExecError = @()

}

Catch

{

$ExecResult = "Failure"

$ExecError = $_.Exception.Message

}

#Return results

$return.step = $ExecSubStep

$return.result = $ExecResult

$return.error = $ExecError

Return $return

}

#endregion O365RoleUpdate

#region enableMFA

Function EnableAzureMFA($User,$MFASettings)

{

[hashtable]$return = @{}

$ExecStep = "Enabling MFA for user " + $User.UserPrincipalName

#Check if MFA already enabled

$MFAAlreadyEnabled = (Get-MsolUser -UserPrincipalName $User.UserPrincipalName).StrongAuthenticationRequirements

If ($MFAAlreadyEnabled.State -ne "Enabled")

{

Try

{

Set-MsolUser -UserPrincipalName $User.UserPrincipalName -StrongAuthenticationRequirements $MFASettings

$ExecResult = "Success"

$ExecError = @()

}

Catch

{

$ExecResult = "Failure"

$ExecError = $_.Exception.Message

}

Else

{

$ExecResult = "Success"

$ExecError = "MFA is already enabled for user " + $User.UserPrincipalName

}

#Return results

$return.step = $ExecStep

$return.result = $ExecResult

$return.error = $ExecError

Return $return

}

#endregion enableMFA

#endregion functions

#Set variables

#region setvariables

#Initialize Windows Forms for popup

$WShell = New-Object -ComObject Wscript.Shell

[void][Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

Add-Type -AssemblyName Microsoft.VisualBasic

#Import modules

#Import Azure AD PowerShell module v1

Import-Module MsOnline

#Get current date and time - format Year-Month-Day---Hour-Minute

$Now = Get-Date

$Date = $now.AddDays(0).ToString('MM-dd-yyyy_HH-mm')

$ExecTime = Get-Date -Format g

#Folder location where the script and encrypted password files are saved - always end the with \ for the folder location

$ScriptFolder = "C:\scripts\"

#OU where the O365 role groups are located - need to contain only role groups

#Groups name must match the Office 365 role

$GroupOU = "Office 365 Roles Management"

#Initiate arrays

$ADGroupsMembers = @()

$O365RolesMembers = @()

#Enable MFA

#Ask if you want to save the credentials - wait 20 s to detect if script executed interactively; if executed with scheduled task, apply default set to enable

$PopMsg = "Do you want to want to enable Azure MFA?"

$MFAEnabled = $WShell.Popup($PopMsg,20,"Enable Azure MFA",0x24)

If ($MFAEnabled -eq 7)

{

$MFAEnabled = $false

}

#Enable MFA if answer Yes or default - ie no answer to the request

Else

{

#Create the StrongAuthenticationRequirement object and insert required settings

$MFAObject = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement

$MFAObject.RelyingParty = "*"

$EnableMFA = @($MFAObject)

$MFAEnabled = $true

}

#Log files configuration

#region logfiles

#Define log files age for deletion - in days; default is 15 day old

$DelFileAge = "15"

$LogFileCreationDateToDelete = $now.AddDays(-$DelFileAge)

#Log files - always end the with \ for the folder location

$LogDir = $ScriptFolder + "Logs\"

$LogFile = $LogDir + $Date + "_o365_role_assigment.log"

#Check log directory exists and create it if not

FolderExist $LogDir

#Delete old log files

Get-ChildItem $LogDir -Include *_o365_role_assigment.log -Recurse | Where-Object CreationTime -LE $LogFileCreationDateToDelete | Remove-Item -Force -ErrorAction Stop -WarningAction Stop

#endregion logfiles

#Details for sending notification

#region smtpserver

$SMTPServer = "smtp.domain.com"

$SMTPPort = "25"

$From = "from@domain.com"

#If you want to define multiple recipient, separate each recipient with a coma like "recipient1@domain.com","recipient2@domain.com"

$To = "to@domain.com"

$Subject = "Automated Office 365 Roles Management Report - " + $exectime

#Encrypted account

$SMTPLogonFile = $ScriptFolder + "smtp_account.txt"

#Encrypted password

$SMTPPasswordFile = $ScriptFolder + "smtp_password.txt"

#Key file to decrypt password

$SMTPKeyFile = $ScriptFolder + "smtp_key.key"

#SMTP Credential

$ExecStep = "Getting SMTP Credentials"

$ConnectTo = "SMTP Server"

$SMTPCreds = CredsFilesCheck $ExecStep $ConnectTo $SMTPLogonFile $SMTPPasswordFile $SMTPKeyFile

#endregion smptserver

#Details to connect to Office 365 - needs to be global admin

#region connectoffice365

##Encrypted account

$O365LogonFile = $ScriptFolder + "o365_account.txt"

$O365PasswordFile = $ScriptFolder + "o365_password.txt"

#Use key file to decrypt password

$O365KeyFile = $ScriptFolder + "o365_key.key"

#Office 365 credentials

$ExecStep = "Getting Office 365 Credentials"

$ConnectTo = "Office 365"

$O365Creds = CredsFilesCheck $ExecStep $ConnectTo $O365LogonFile $O365PasswordFile $O365KeyFile

#endregion connectoffice365

#endregion setvariables

#Initiate email body

#region EmailBody

$EmailBody = "===================================================================================================================="

$EmailBody += " ====================================== Automated Office 365 Roles Management Report ====================================="

$EmailBody += " =============================================== " + $exectime + " =================================================="

$EmailBody += " ===================================================================================================================="

#endregion EmailBody

#region actions

#Connect to Office 365

$ExecStep = "Connecting to Office 365"

Try

{

Connect-MsolService -Credential $O365Creds -ErrorAction Stop

#Connection to Office 365 successful

#Office 365 roles array

#region geto365roles

$ExecStep = "Getting Office 365 Roles"

Try

{

#Get Office 365 roles

$O365Roles = Get-MsolRole -ErrorAction Stop

$O365RolesReturnResult = "Success"

$ReturnError = @()

}

#Failed to get O365 roles

Catch

{

$O365RolesReturnResult = "Failure"

$ReturnError = $_.Exception.Message

}

$EmailBody += EmailBody $ExecStep $O365RolesReturnResult $ReturnError

LogFile $ExecStep $O365RolesReturnResult $ReturnError

#endregion geto365roles

#Getting AD groups used to manage O365 roles membership

#region getadgroups

$ExecStep = "Getting AD groups role"

Try

{

$ADRolesGroups = Get-ADGroup -Filter '*' -ErrorAction Stop | Select-Object * | Where-Object {$_.distinguishedname -like "*$GroupOU*"} -ErrorAction Stop

$ADRolesGroupsResult = "Success"

$ReturnError = @()

}

#Failed to get AD groups

Catch

{

$ADRolesGroupsResult = "Failure"

$ReturnError = $_.Exception.Message

}

$EmailBody += EmailBody $ExecStep $ADRolesGroupsResult $ReturnError

LogFile $ExecStep $ADRolesGroupsResult $ReturnError

#endregion getadgroups

#Compare both AD groups and O365 roles membership to grant/revoke role - applies oly with synched users

#region comparegroups

If (($ADRolesGroupsResult -eq "Success") -and ($O365RolesReturnResult -eq "Success"))

{

#If corresponding AD group does not exist to match Office 365 role, do nothing

$CompareGroupsRoles = $O365Roles.Name | Where {$ADRolesGroups.Name -contains $_} | Sort-Object $_.Name

ForEach ($CompareGroupsRole in $CompareGroupsRoles)

{

#Get AD group members

#region adgroupmembers

$ExecStep = "Getting AD Group - " + $CompareGroupsRole + " - members"

Try

{

$ADGroupsMembers = Get-ADGroupMember $CompareGroupsRole -ErrorAction Stop | ForEach {Get-ADUser $_.DistinguishedName}

$ADMemberResult = "Success"

$ReturnError = @()

}

#Failed to get AD group members

Catch

{

$ADMemberResult = "Failure"

$ReturnError = $_.Exception.Message

}

$EmailBody += EmailBody $ExecStep $ADMemberResult $ReturnError

LogFile $ExecStep $ADMemberResult $ReturnError

#endregion adgroupmembers

#Get Office 365 role members - only if they are synched

#region office365rolemembers

$ExecStep = "Getting Office 365 Roles - " + $CompareGroupsRole + " - members"

Try

{

#Get only members which are synched with AD

$O365RolesMembers = Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName $CompareGroupsRole).ObjectId -ErrorAction Stop | Where {$_.RoleMemberType -eq "User"} | ForEach {Get-MsolUser -ObjectId $_.ObjectId | Where ImmutableID -ne $Null}

$O365RoleMemberResult = "Success"

$ReturnError = @()

}

Catch

{

$O365RoleMemberResult = "Failure"

$ReturnError = $_.Exception.Message

}

$EmailBody += EmailBody $ExecStep $O365RoleMemberResult $ReturnError

LogFile $ExecStep $O365RoleMemberResult $ReturnError

#endregion office365rolemembers

#Compare both membership getting membership for both is success

#region comparemembers

If (($ADMemberResult -eq "Success") -and ($O365RoleMemberResult -eq "Success"))

{

$ExecStep = "Comparing members between AD Group and Office 365 Role - " + $CompareGroupsRole

#If one of the results is empty

If ((!$ADGroupsMembers) -or (!$O365RolesMembers))

{

#If AD group result is empty

If(!$ADGroupsMembers)

{

#Generate result to remove users from Office 365 role

$CompareResults = $O365RolesMembers | ForEach {$_ | Add-Member -MemberType NoteProperty -Name "SideIndicator" -Value "=>" -PassThru -Force}

$CompareResult = "Success"

$ReturnError = @()

}

#If Office 365 role result is empty

Else

{

#Generate result to add users into Office 365 role

$CompareResults = $ADGroupsMembers | ForEach {$_ | Add-Member -MemberType NoteProperty -Name "SideIndicator" -Value "<=" -PassThru -Force}

$CompareResult = "Success"

$ReturnError = @()

}

#If none of the results is empty

Else

{

Try

{#problem with empty array

$CompareResults = Compare-Object -ReferenceObject $ADGroupsMembers -DifferenceObject $O365RolesMembers -Property "UserPrincipalName" -IncludeEqual -ErrorAction Stop

$CompareResult = "Success"

$ReturnError = @()

}

Catch

{

$CompareResult = "Failure"

$ReturnError = $_.Exception.Message

}

$EmailBody += EmailBody $ExecStep $CompareResult $ReturnError

LogFile $ExecStep $CompareResult $ReturnError

}

#endregion comparemembers

#Update Office 365 Role membership if there is any change required

#region o365roleupdate

#If comparaison is successfull and empty - meaning there is no member in both AD group and Office 365 role

If (($CompareResult -eq "Success") -and (!$CompareResults))

{

$ExecStep = "No update for the " + $Office365Role + " role; both AD group and Office 365 role have no members"

$ExecResult = "Success"

$ExecError = @()

$EmailBody += EmailBody $ExecStep $ExecResult $ExecError

LogFile $ExecStep $ExecResult $ExecError

}

#If comparaison is successfull and empty - meaning there is no member in both AD group and Office 365 role

If (($CompareResult -eq "Success") -and ($CompareResults))

{

$ExecStep = "Updating Office 365 role: " + $CompareGroupsRole

$ExecResult = "Success"

$ExecError = @()

$EmailBody += EmailBody $ExecStep $ExecResult $ExecError

LogFile $ExecStep $ExecResult $ExecError

ForEach ($Row in $CompareResults)

{

$O365RoleUpdateResult = O365RoleUpdate $Row $CompareGroupsRole

$EmailBody += EmailBody $O365RoleUpdateResult.step $O365RoleUpdateResult.result $O365RoleUpdateResult.error

LogFile $O365RoleUpdateResult.step $O365RoleUpdateResult.result $O365RoleUpdateResult.error

#Enable MFA if required

If (($O365RoleUpdateResult.result -eq "Success") -and ($MFAEnabled -eq $true))

{

$MFAEnableResult = EnableAzureMFA $Row $EnableMFA

$EmailBody += EmailBody $MFAEnableResult.step $MFAEnableResult.result $MFAEnableResult.error

LogFile $MFAEnableResult.step $MFAEnableResult.result $MFAEnableResult.error

}

$EmailBody += " ===================================================================================================================="

#endregion o365roleupdate

}

#endregion comparegroups

}

#Failed to connect to Office 365, send notification and quit

Catch

{

$ReturnResult = "Failure"

$ReturnError = $_.Exception.Message

$EmailBody += EmailBody $ExecStep $ReturnResult $ReturnError

LogFile $ExecStep $ReturnResult $ReturnError

}

#endregion actions

#Execution compeleted, sending notification email and quit

SendMail $From $To $Subject $EmailBody $SMTPServer $SMTPCreds $SMTPPort $LogFile

Break

Neil Petersen - This is my Blog

Search This Blog

PS - Office 365 Admin Role Based on AD Group Script

Automatic Office 365 Role membership management

Comments

Post a Comment