Clean Azure AD Groups for Disabled Users

[Category: System (Windows) | Publisher: 店小二04 | Date: 2018 | Author: 红领巾]
Root Cause

Imagine you have on-premises Active Directory synced to AzureAD through ADConnect. You do not delete users during the leave process. Those accounts are disabled for various reasons (Jira, I’m looking at you). Now you need to clean up any Office Online groups the user belongs to, like Exchange Groups, Teams etc.

How

This is a rather simple task.

1. First get all disabled users from given OUs
2. Export them into CSV for further processing/change management/whatever reason
3. Connect to Azure AD
4. Loop through each user, get their group membership and return a custom object with data also for further processing/change management/whatever reason
5. Loop through the data and remove user membership from any online groups.

We could remove the user’s membership in step 4 in one loop, but reporting and executing are two different tasks, so I prefer to keep them separate.

Things to remember

1. The online account needs to have proper permissions!
2. We require the AzureAD module to perform online operations!
3. We will be enumerating only online groups. That is why we’re looking at the DirSyncEnabled attribute being empty (not present).
4. We also want to process only if the user really does belong to any online group.
5. We will create a custom object to export the data.
6. We will export into two different files: JSON and CSV. CSV is a flat file, meaning we cannot store arrays in one column. Those arrays (of groups) will be flattened into one string with a comma separator. To allow further processing we will use a JSON file, which handles nested arrays perfectly!

The Code

First let’s get all disabled Users from an array of OUs:

Now let’s connect to AzureAD and get each user’s group membership. To do that we will use the Get-AzureADUserMembership cmdlet, which requires the ObjectID of a user. We want to proceed only if any online group was found (-not $_.DirSyncEnabled).

Then we will create a custom object with all the information we require.

Export time.

JSON is easy. The Depth parameter will make sure nothing gets lost in translation.

Before exporting to Excel we need to flatten the arrays of groups (Name and Mail).
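
The five steps above as one script. This is an added example, not the code from the original post; the OU distinguished names, file paths and the `$Remove` switch are assumptions.

```powershell
#Requires -Modules ActiveDirectory, AzureAD
# Constructed placeholders (assumptions): OU distinguished names and output paths.
$OUs      = 'OU=Leavers,DC=example,DC=com', 'OU=Disabled,DC=example,DC=com'
$JsonPath = '.\DisabledUsersGroups.json'
$CsvPath  = '.\DisabledUsersGroups.csv'
$Remove   = $false   # hypothetical switch: set to $true only after reviewing the report

# Step 1: disabled users from every OU in the array.
$disabled = foreach ($ou in $OUs) {
    Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $ou
}
$disabled | Select-Object SamAccountName, UserPrincipalName |
    Export-Csv -Path '.\DisabledUsers.csv' -NoTypeInformation   # Step 2

Connect-AzureAD | Out-Null   # Step 3: account needs rights to edit group membership

# Step 4: report only. Keep cloud-only groups (DirSyncEnabled empty), skip users with none.
$report = foreach ($user in $disabled) {
    try { $aad = Get-AzureADUser -ObjectId $user.UserPrincipalName -ErrorAction Stop }
    catch { Write-Warning "Not in Azure AD: $($user.UserPrincipalName)"; continue }
    $groups = @(Get-AzureADUserMembership -ObjectId $aad.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' -and -not $_.DirSyncEnabled })
    if ($groups.Count -eq 0) { continue }
    [pscustomobject]@{
        UserPrincipalName = $aad.UserPrincipalName
        ObjectId          = $aad.ObjectId
        Groups            = @($groups | Select-Object ObjectId, DisplayName, Mail)
    }
}

# JSON keeps the nested group arrays; -Depth stops them being truncated to strings.
$report | ConvertTo-Json -Depth 5 | Out-File -FilePath $JsonPath -Encoding utf8
# CSV is flat, so each group array is joined into one comma-separated string.
$report | Select-Object UserPrincipalName, ObjectId,
    @{ n = 'GroupName'; e = { $_.Groups.DisplayName -join ',' } },
    @{ n = 'GroupMail'; e = { $_.Groups.Mail -join ',' } } |
    Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8

# Step 5: removal is driven by the reviewed JSON report, not by a fresh query.
if ($Remove) {
    $entries = Get-Content -Path $JsonPath -Raw | ConvertFrom-Json
    foreach ($entry in $entries) {
        foreach ($g in $entry.Groups) {
            try {
                Remove-AzureADGroupMember -ObjectId $g.ObjectId -MemberId $entry.ObjectId -ErrorAction Stop
                Write-Output "Removed $($entry.UserPrincipalName) from $($g.DisplayName)"
            } catch { Write-Warning "Failed on $($g.DisplayName): $_" }
        }
    }
}
```

Run it once with `$Remove` left at `$false`, review both report files, then rerun with `$Remove = $true`; failed removals are logged as warnings instead of stopping the loop.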
