Office 365/WAAD: Use Powershell to provision/deprovision users based on an on-prem AD group
Hello Everyone,
For a number of reasons (in short, no directory synchronization tool was in use), I had to write a small script that provisions and deprovisions users in O365/WAAD based on an on-prem AD group.
The script uses the on-prem AD mail attribute to set the user's unique identifier (UPN) in O365/WAAD. (It can be changed to use the on-prem UPN if required.)
It also fills the ImmutableId attribute, which means the script can be used alongside federation enabled for the on-prem domain in O365/WAAD.
Along with this, the DisplayName, GivenName and Surname are also provisioned from the on-prem AD (more attributes can be added if required).
The script also writes its activity to a log file and records a count of the users present in O365/WAAD and in the on-prem AD group.
The scope here is only provisioning/deprovisioning, but you can also imagine performing other actions, such as assigning O365 licences.
It does not push updates for attributes changed in the on-prem AD; if you start to need that, better think about installing a directory synchronization tool 😉
Cheers!
Mitch
Sample Script:
(Requires the Active Directory and Windows Azure Active Directory modules to be installed on the machine the script runs on)
#Log File Location
$logfile = "Path_To_Your_Log_File"

#Modules Import
Import-Module ActiveDirectory
Import-Module MSOnline

#Credentials of a tenant administrator (placeholder, e.g. a PSCredential object)
$credentials = Your_Credentials
$ErrorActionPreference = "Stop"

#Connect to WAAD
Try{
    Connect-MsolService -Credential $credentials
    (Get-Date).ToString()+"|Connection to WAAD|OK" >>$logfile}
Catch{
    $ErrorMessage = $_.Exception.Message
    (Get-Date).ToString()+"|Connection to WAAD|NOK|ERROR:"+$ErrorMessage >>$logfile
    Break}

#Getting group members from AD
Try{
    $usersList = Get-ADGroupMember Your_Group_Name
    (Get-Date).ToString()+"|Getting group member from AD|OK|Number of members found: " + $usersList.count >>$logfile}
Catch{
    $ErrorMessage = $_.Exception.Message
    (Get-Date).ToString()+"|Getting group member from AD|NOK|ERROR:"+$ErrorMessage >>$logfile
    Break}

#Getting WAAD tenant users (only those in the managed domain)
Try{
    $usersInCloudList = Get-MsolUser | Where-Object {$_.UserPrincipalName -like "*@your_domain"}
    (Get-Date).ToString()+"|Getting WAAD tenant users|OK|Number users found: " + $usersInCloudList.count >>$logfile}
Catch{
    $ErrorMessage = $_.Exception.Message
    (Get-Date).ToString()+"|Getting WAAD tenant users|NOK|ERROR:"+$ErrorMessage >>$logfile
    Break}

#Provisioning: every group member whose mail is not yet a UPN in the tenant gets created
Foreach ($user in $usersList){
    #mail and DisplayName are not default properties; GivenName, Surname and ObjectGUID are
    $userDetails = Get-ADUser $user.sAMAccountName -Properties mail,DisplayName
    $present = $false
    Foreach($userInCloud in $usersInCloudList){
        $match = $userInCloud.UserPrincipalName -eq $userDetails.mail
        if ($match){
            $present = $true}}
    If (!$present){
        #ImmutableId = base64 of the on-prem objectGUID, the same anchor a directory sync tool would use
        $immutableID = [System.Convert]::ToBase64String(($userDetails.ObjectGUID).ToByteArray())
        Try{
            New-MsolUser -DisplayName $userDetails.DisplayName -FirstName $userDetails.GivenName -LastName $userDetails.Surname -UserPrincipalName $userDetails.mail -ImmutableId $immutableID
            (Get-Date).ToString()+"|User Provisioning|OK|Provisioned User: " + $userDetails.mail >>$logfile}
        Catch{
            $ErrorMessage = $_.Exception.Message
            (Get-Date).ToString()+"|User Provisioning|NOK|ERROR:"+$ErrorMessage >>$logfile
            Break}
    }}

#Deprovisioning: every tenant user in the domain whose UPN is not a group member's mail gets removed
Foreach ($userInCloud in $usersInCloudList){
    $present = $false
    Foreach ($user in $usersList){
        $userDetails = Get-ADUser $user.sAMAccountName -Properties mail
        $match = $userInCloud.UserPrincipalName -eq $userDetails.mail
        if ($match){
            $present = $true}}
    If (!$present){
        Try{
            Remove-MsolUser -UserPrincipalName $userInCloud.UserPrincipalName -Force
            (Get-Date).ToString()+"|User Deprovisioning|OK|Deprovisioned User: " + $userInCloud.UserPrincipalName >>$logfile}
        Catch{
            $ErrorMessage = $_.Exception.Message
            (Get-Date).ToString()+"|User Deprovisioning|NOK|ERROR:"+$ErrorMessage >>$logfile
            Break}
    }
}
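The matching step above decides who gets created and, more importantly, who gets deleted, so it is worth being able to compute that plan from in-memory objects and inspect it before any Remove-MsolUser runs. The following is an added example, not part of Mitch's script: Get-ProvisioningPlan, the MaxRemovals guard and the sample users are assumptions, and the guard refuses to proceed when the AD group comes back empty or the removal count looks like a mass deletion.

```powershell
# Added example (not from the original post): build the provisioning diff offline.
function Get-ProvisioningPlan {
    param(
        [Parameter(Mandatory)] [object[]] $AdUsers,     # objects with mail and objectGUID (as Get-ADUser returns)
        [Parameter(Mandatory)] [object[]] $CloudUsers,  # objects with UserPrincipalName (as Get-MsolUser returns)
        [int] $MaxRemovals = 5                          # safety guard: assumed threshold, tune per tenant
    )
    # Index both sides by lower-cased address; the script's -eq is case-insensitive, so match the same way
    $cloudUpns = @{}
    foreach ($c in $CloudUsers) { $cloudUpns[$c.UserPrincipalName.ToLowerInvariant()] = $true }
    $adMails = @{}
    foreach ($a in $AdUsers) {
        if ([string]::IsNullOrWhiteSpace($a.mail)) { continue }   # no mail attribute means no UPN can be built
        $adMails[$a.mail.ToLowerInvariant()] = $a
    }
    # Group members missing from the tenant: to create, with ImmutableId = base64(objectGUID)
    $toAdd = foreach ($mail in $adMails.Keys) {
        if (-not $cloudUpns.ContainsKey($mail)) {
            $a = $adMails[$mail]
            [pscustomobject]@{
                UserPrincipalName = $a.mail
                ImmutableId       = [System.Convert]::ToBase64String(([guid]$a.objectGUID).ToByteArray())
            }
        }
    }
    # Tenant users not in the group: to remove
    $toRemove = foreach ($c in $CloudUsers) {
        if (-not $adMails.ContainsKey($c.UserPrincipalName.ToLowerInvariant())) { $c.UserPrincipalName }
    }
    # An empty group (wrong name, broken lookup) would otherwise deprovision the whole domain
    if ($AdUsers.Count -eq 0 -or @($toRemove).Count -gt $MaxRemovals) {
        throw "Refusing plan: $(@($toRemove).Count) removals for $($AdUsers.Count) group members; verify the group first"
    }
    [pscustomobject]@{ ToAdd = @($toAdd); ToRemove = @($toRemove) }
}

# Constructed sample data standing in for the AD group and tenant queries
$adSample = @(
    [pscustomobject]@{ mail = 'alice@contoso.example'; objectGUID = [guid]'11111111-2222-3333-4444-555555555555' },
    [pscustomobject]@{ mail = 'Bob@contoso.example';   objectGUID = [guid]'66666666-7777-8888-9999-000000000000' }
)
$cloudSample = @(
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example' },
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.example' }
)
$plan = Get-ProvisioningPlan -AdUsers $adSample -CloudUsers $cloudSample
$plan.ToAdd | Format-Table   # alice only; Bob already matches despite the case difference
$plan.ToRemove               # carol@contoso.example
```

Running the plan first and logging its contents gives a reviewable record of what the deprovisioning loop is about to do.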