Created
April 21, 2020 01:23
-
-
Save jhochwald/2b0f76f977a160aae71be3abaf2b310e to your computer and use it in GitHub Desktop.
Remove the access to Outlook for all Mailboxes in an Microsoft Office 365 Tenant
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#requires -Version 3.0 | |
<# | |
.SYNOPSIS | |
Remove the access to Outlook for all Mailboxes in an Microsoft Office 365 Tenant | |
.DESCRIPTION | |
Remove the access to Outlook for all Mailboxes in an Microsoft Office 365 Tenant | |
It will remove access to OWA (Outlook Web Application), Exchange Active Sync (EAS), Outlook App and Outlook (part of the Office Suite). | |
.PARAMETER CredentialUser | |
The UPN of the admin user | |
.PARAMETER CredentialFile | |
File where the credential will be stored | |
Make sure that this is secured! | |
.PARAMETER ProxyAccessType | |
Determines which mechanism is used to resolve the host name. The acceptable values for this parameter are: | |
- IEConfig | |
- WinHttpConfig | |
- AutoDetect | |
- NoProxyServer | |
- None | |
The default value is None. | |
For information about the values of this parameter, see the description of the System.Management.Automation.Remoting.ProxyAccessTypehttp://go.microsoft.com/fwlink/?LinkId=144756 (http://go.microsoft.com/fwlink/?LinkId=144756) enumeration in the Microsoft Developer Network (MSDN) library. | |
.EXAMPLE | |
PS C:\> .\Approve-CASMailboxSettings.ps1 | |
.EXAMPLE | |
PS C:\> .\Approve-CASMailboxSettings.ps1 -verbose | |
.NOTES | |
I created the script to run automated (via Windows scheduler) and it will save the password in a plain text file. | |
You might want to use another option to gain access to Exchaneg Online | |
Please check all values before using the script! | |
TODO: Run the script once before using it as scheduled task! This will create and save the credentials. | |
#> | |
[CmdletBinding(ConfirmImpact = 'None')] | |
param | |
( | |
[Parameter(ValueFromPipeline, | |
ValueFromPipelineByPropertyName)] | |
[ValidateNotNullOrEmpty()] | |
[Alias('Username', 'AdminUser')] | |
[string] | |
$CredentialUser = 'youradmin.user@contoso.com', | |
[Parameter(ValueFromPipeline, | |
ValueFromPipelineByPropertyName)] | |
[ValidateNotNullOrEmpty()] | |
[Alias('CredFile', 'SecretFile')] | |
[string] | |
$CredentialFile = ($env:LOCALAPPDATA + '\exocreds.txt'), | |
[Parameter(ValueFromPipeline, | |
ValueFromPipelineByPropertyName)] | |
[ValidateSet('IEConfig', 'WinHttpConfig', 'AutoDetect', 'NoProxyServer', 'None', IgnoreCase = $true)] | |
[ValidateNotNullOrEmpty()] | |
[Alias('PSSessionOptionProxy')] | |
[string] | |
$ProxyAccessType = 'None' | |
) | |
begin | |
{ | |
# Admin User (Global Admin or min. Exchange Online Admin role) | |
if (-not ($CredentialUser)) | |
{ | |
$CredentialUser = 'youradmin.user@contoso.com' | |
} | |
# Where to store the password? | |
if (-not ($CredentialFile)) | |
{ | |
$CredentialFile = ($env:LOCALAPPDATA + '\exocreds.txt') | |
} | |
} | |
process | |
{ | |
#region CredentialHandler | |
try | |
{ | |
if (-not (Test-Path -Path $CredentialFile -ErrorAction SilentlyContinue)) | |
{ | |
# Do we have any credentials in memory (variable) | |
if (-not ($ExoCreds)) | |
{ | |
# | |
$paramGetCredential = @{ | |
Message = 'Bitte mit einem Exchange Online Admin Benutzer anmelden' | |
UserName = $CredentialUser | |
ErrorAction = 'Stop' | |
} | |
$ExoCreds = (Get-Credential @paramGetCredential) | |
} | |
# Splat the parameters | |
$paramOutFile = @{ | |
FilePath = $CredentialFile | |
Force = $true | |
Encoding = 'utf8' | |
ErrorAction = 'Stop' | |
Confirm = $false | |
} | |
# Save the file | |
$null = ($ExoCreds.Password | ConvertFrom-SecureString | Out-File @paramOutFile) | |
} | |
else | |
{ | |
# Splat the parameters | |
$paramGetContent = @{ | |
Path = $CredentialFile | |
Force = $true | |
ErrorAction = 'Stop' | |
} | |
$paramConvertToSecureString = @{ | |
ErrorAction = 'Stop' | |
} | |
# Read and convert the file wit the password | |
$PwdSecureString = (Get-Content @paramGetContent | ConvertTo-SecureString @paramConvertToSecureString) | |
# Splat the parameters | |
$paramNewObject = @{ | |
TypeName = 'System.Management.Automation.PSCredential' | |
ArgumentList = $CredentialUser, $PwdSecureString | |
} | |
# Create the credential object | |
$ExoCreds = (New-Object @paramNewObject) | |
# Remove the password string from memory | |
$PwdSecureString = $null | |
} | |
} | |
catch | |
{ | |
#region ErrorHandler | |
# get error record | |
[Management.Automation.ErrorRecord]$e = $_ | |
# retrieve information about runtime error | |
$info = [PSCustomObject]@{ | |
Exception = $e.Exception.Message | |
Reason = $e.CategoryInfo.Reason | |
Target = $e.CategoryInfo.TargetName | |
Script = $e.InvocationInfo.ScriptName | |
Line = $e.InvocationInfo.ScriptLineNumber | |
Column = $e.InvocationInfo.OffsetInLine | |
} | |
$info | Out-String | Write-Verbose | |
Write-Error -Message ($info.Exception) -ErrorAction Stop | |
# Only here to catch a global ErrorAction overwrite | |
break | |
#endregion ErrorHandler | |
} | |
#endregion CredentialHandler | |
#region ConnectExchangeOnline | |
try | |
{ | |
# Proxy Handling | |
<# | |
-ProxyAccessType <ProxyAccessType> | |
Determines which mechanism is used to resolve the host name. The acceptable values for this parameter are: | |
- IEConfig | |
- WinHttpConfig | |
- AutoDetect | |
- NoProxyServer | |
- None | |
The default value is None. | |
For information about the values of this parameter, see the description of the System.Management.Automation.Remoting.ProxyAccessTypehttp://go.microsoft.com/fwlink/?LinkId=144756 (http://go.microsoft.com/fwlink/?LinkId=144756) enumeration in the Microsoft Developer Network (MSDN) library. | |
Source: | |
Get-Help New-PSSessionOption -Detailed | |
#> | |
if ($ProxyAccessType) | |
{ | |
# Splat the parameters | |
$paramNewPSSessionOption = @{ | |
ProxyAccessType = $ProxyAccessType | |
ErrorAction = 'Stop' | |
} | |
# Do we need a proxy to access Office 365? | |
$ProxyOptions = (New-PSSessionOption @paramNewPSSessionOption) | |
} | |
# Cleanup | |
$ExoSession = $null | |
# Splat the parameters | |
$paramGetPSSession = @{ | |
ErrorAction = 'SilentlyContinue' | |
} | |
$paramRemovePSSession = @{ | |
ErrorAction = 'SilentlyContinue' | |
Confirm = $false | |
} | |
# Remove all existing Exchange Online Sessions | |
$null = (Get-PSSession @paramGetPSSession | Where-Object { | |
$_.ComputerName -eq 'outlook.office365.com' | |
} | Remove-PSSession @paramRemovePSSession) | |
# Splat the parameters | |
$paramNewPSSession = @{ | |
ConfigurationName = 'Microsoft.Exchange' | |
ConnectionUri = 'https://outlook.office365.com/powershell-liveid/' | |
Credential = $ExoCreds | |
Authentication = 'Basic' | |
AllowRedirection = $true | |
ErrorAction = 'Stop' | |
} | |
# Proxy settings needed? | |
if ($ProxyOptions) | |
{ | |
$paramNewPSSession.SessionOption = $ProxyOptions | |
} | |
# Create the session | |
$ExoSession = (New-PSSession @paramNewPSSession) | |
# Splat the parameters | |
$paramImportPSSession = @{ | |
Session = $ExoSession | |
DisableNameChecking = $true | |
AllowClobber = $true | |
ErrorAction = 'Stop' | |
WarningAction = 'Continue' | |
} | |
# Create the Session | |
$null = (Import-PSSession @paramImportPSSession) | |
} | |
catch | |
{ | |
#region ErrorHandler | |
# get error record | |
[Management.Automation.ErrorRecord]$e = $_ | |
# retrieve information about runtime error | |
$info = [PSCustomObject]@{ | |
Exception = $e.Exception.Message | |
Reason = $e.CategoryInfo.Reason | |
Target = $e.CategoryInfo.TargetName | |
Script = $e.InvocationInfo.ScriptName | |
Line = $e.InvocationInfo.ScriptLineNumber | |
Column = $e.InvocationInfo.OffsetInLine | |
} | |
$info | Out-String | Write-Verbose | |
Write-Error -Message ($info.Exception) -ErrorAction Stop | |
# Only here to catch a global ErrorAction overwrite | |
break | |
#endregion ErrorHandler | |
} | |
#endregion ConnectExchangeOnline | |
#region SetCASMailbox | |
try | |
{ | |
# Check if the session is alive | |
if (-not (Get-Command -Name Get-CASMailbox)) | |
{ | |
# Splat the parameters | |
$paramWriteError = @{ | |
Exception = 'Es scheint ein Problem mit der Exchange Online Verbindung zu geben!' | |
Message = 'Die erforderlichen Exchnage Online Befehle wurden nicht gefunden!' | |
Category = 'ResourceUnavailable' | |
ErrorAction = 'Stop' | |
} | |
Write-Error @paramWriteError | |
# Make sure we are done! | |
throw | |
} | |
# Splat the parameters | |
$paramGetCASMailbox = @{ | |
ResultSize = 'unlimited' | |
Filter = { | |
(name -notlike 'DiscoverysearchMailbox*') | |
} | |
ErrorAction = 'Stop' | |
WarningAction = 'Continue' | |
} | |
$paramSetCASMailbox = @{ | |
ActiveSyncEnabled = $false | |
ImapEnabled = $false | |
MAPIEnabled = $false | |
OutlookMobileEnabled = $false | |
OWAEnabled = $false | |
OWAforDevicesEnabled = $false | |
PopEnabled = $false | |
SmtpClientAuthenticationDisabled = $false | |
UniversalOutlookEnabled = $false | |
Confirm = $false | |
ErrorAction = 'Continue' | |
WarningAction = 'Continue' | |
} | |
# Remove the outlook access from all mailboxes | |
$null = (Get-CASMailbox @paramGetCASMailbox | Set-CASMailbox @paramSetCASMailbox) | |
} | |
catch | |
{ | |
#region ErrorHandler | |
# get error record | |
[Management.Automation.ErrorRecord]$e = $_ | |
# retrieve information about runtime error | |
$info = [PSCustomObject]@{ | |
Exception = $e.Exception.Message | |
Reason = $e.CategoryInfo.Reason | |
Target = $e.CategoryInfo.TargetName | |
Script = $e.InvocationInfo.ScriptName | |
Line = $e.InvocationInfo.ScriptLineNumber | |
Column = $e.InvocationInfo.OffsetInLine | |
} | |
$info | Out-String | Write-Verbose | |
Write-Error -Message ($info.Exception) -ErrorAction Stop | |
# Only here to catch a global ErrorAction overwrite | |
break | |
#endregion ErrorHandler | |
} | |
#endregion SetCASMailbox | |
} | |
end | |
{ | |
# Cleanup | |
$ExoSession = $null | |
# Splat the parameters | |
$paramGetPSSession = @{ | |
ErrorAction = 'SilentlyContinue' | |
} | |
$paramRemovePSSession = @{ | |
ErrorAction = 'SilentlyContinue' | |
Confirm = $false | |
} | |
# Remove all existing Exchange Online Sessions | |
$null = (Get-PSSession @paramGetPSSession | Where-Object { | |
$_.ComputerName -eq 'outlook.office365.com' | |
} | Remove-PSSession @paramRemovePSSession) | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment