Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
PowerShell: Set Office365 User Rights #Office365 #EmbededPost #PowerShell #ActiveDirectory
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2013-03-20T14:18:21.6393172</Date>
<Author>Janik von Rotz (www.janikvonrotz.ch)</Author>
<Description>Office365 Portal Access Rights</Description>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>
<StartBoundary>2013-01-01T03:30:00</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe</Command>
<Arguments>C:\Powershell-Profile\scripts\Set-O365UserRights.ps1</Arguments>
<WorkingDirectory>C:\Powershell-Profile\scripts</WorkingDirectory>
</Exec>
</Actions>
</Task>
<#
$Metadata = @{
   Title = "Set Office365 User Rights"
    Filename = "Set-O365UserRights.ps1"
    Description = @"
Manage Office365 portal access rights with ActiveDirectory groups.
Assign Administration roles to the members of specified AD groups or by a users userprincipalname.
"@
    Tags = "powershell, activedirectory, office365, user, rights"
    Project = ""
    Author = "Janik von Rotz"
    AuthorContact = "http://janikvonrotz.ch"
    CreateDate = "2013-08-13"
    LastEditDate = "2013-12-30"
    Url = "https://gist.github.com/janikvonrotz/6218401"
    Version = "3.3.0"
    License = @'
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/ch/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
'@
}
#>
try{
#--------------------------------------------------#
# settings
#--------------------------------------------------#
$MsolRoleConfig = @{
ADGroup = "S-1-5-21-1744926098-708661255-2033415169-37011" # SPOF_Billing Administrator
MsolRoleName = "Billing Administrator" # Get-MsolRole
},
@{
ADGroup = "S-1-5-21-1744926098-708661255-2033415169-37030" # SPOF_Company Administrator
MsolRoleName = "Company Administrator" # Get-MsolRole
},
@{
User = "admin@vbluzern.onmicrosoft.com" # O365F_Billing Administrator
MsolRoleName = "Company Administrator" # Get-MsolRole
},
@{
User = "su-o365admin@vbluzern.onmicrosoft.com" # O365F_Billing Administrator
MsolRoleName = "Company Administrator" # Get-MsolRole
},
@{
User = "urs.egli@vbluzern.onmicrosoft.com" # O365F_Billing Administrator
MsolRoleName = "Company Administrator" # Get-MsolRole
}
#--------------------------------------------------#
# modules
#--------------------------------------------------#
Import-Module MSOnline
Import-Module MSOnlineExtended
Import-Module ActiveDirectory
#--------------------------------------------------#
# main
#--------------------------------------------------#
# import credentials
$Credential = Import-PSCredential $(Get-ChildItem -Path $PSconfigs.Path -Filter "Office365.credentials.config.xml" -Recurse).FullName
# connect to office365
Connect-MsolService -Credential $Credential
$UserAndMsolRole = ($MsolRoleConfig | where{$_.ADGroup -ne $null} | %{
$MsolRole = $_.MsolRoleName;
$MsolRole = (Get-MsolRole | where{$_.Name -eq $MsolRole});
Get-ADGroupMember $_.ADGroup -Recursive | Get-ADUser | select UserPrincipalName, @{Name = "MsolRole"; Expression={$MsolRole}}
}) +
($MsolRoleConfig | where{$_.User -ne $null}| %{
$MsolRole = $_.MsolRoleName;
$_ | select @{L = "UserPrincipalName"; E = {$_.User}},@{L = "MsolRole"; E = {Get-MsolRole | where{$_.Name -eq $MsolRole}}}
})
$MsolRoleMembers = Get-MsolRole | %{$MsolRole = $_; Get-MsolRoleMember -RoleObjectId $_.ObjectID -MemberObjectTypes User | select @{L = "UserPrincipalName"; E = {$_.EmailAddress}},@{L = "MsolRole"; E = {$MsolRole}}}
Get-MsolUser -All | %{
$MsolUser = $_
$AlreadyAssigned = $MsolRoleMembers | where{$_.UserPrincipalName -eq $MsolUser.UserPrincipalName}
$Assign = $UserAndMsolRole | where{$_.UserPrincipalName -eq $MsolUser.UserPrincipalName}
if($AlreadyAssigned){
if(($Assign) -and ($AlreadyAssigned.MsolRole.ObjectId -ne $Assign.MsolRole.ObjectId)){
Write-PPEventLog "Replace role: $($AlreadyAssigned.MsolRole.Name) with: $($Assign.MsolRole.Name) for: $($MsolUser.UserPrincipalName)" -Source "Office365 Portal Access Rights" -WriteMessage
Remove-MsolRoleMember -RoleMemberEmailAddress $MsolUser.UserPrincipalName -RoleMemberType User -RoleName $AlreadyAssigned.MsolRole.Name
Add-MsolRoleMember -RoleMemberEmailAddress $MsolUser.UserPrincipalName -RoleMemberType User -RoleName $Assign.MsolRole.Name
}elseif($Assign -eq $null){
Write-PPEventLog "Remove role: $($AlreadyAssigned.MsolRole.Name) for: $($MsolUser.UserPrincipalName)" -Source "Office365 Portal Access Rights" -WriteMessage
Remove-MsolRoleMember -RoleMemberEmailAddress $MsolUser.UserPrincipalName -RoleMemberType User -RoleName $AlreadyAssigned.MsolRole.Name
}else{
Write-Host "Role: $($AlreadyAssigned.MsolRole.Name) for: $($MsolUser.UserPrincipalName) is already assigned"
}
}elseif($Assign){
Write-PPEventLog "Assign role: $($Assign.MsolRole.Name) for: $($MsolUser.UserPrincipalName)" -Source "Office365 Portal Access Rights" -WriteMessage
Add-MsolRoleMember -RoleMemberEmailAddress $MsolUser.UserPrincipalName -RoleMemberType User -RoleName $Assign.MsolRole.Name
}
}
}catch{
Write-PPErrorEventLog -Source "Office365 Portal Access Rights" -ClearErrorVariable
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.