Office 365/WAAD: Use Powershell to provision/deprovision users based on an on-prem AD group

January 21, 2015

Hello Everyone,

For a number of reasons (in short, not using any directory synchronization tool), I had to write a little script to provision/deprovision users in O365/WAAD based on an on-prem AD group.

The script uses the on-prem AD mail attribute as the user’s unique identifier (UPN) in O365/WAAD (it can be changed to use the on-prem UPN if required).

It also fills the ‘immutableID’ attribute (the base64-encoded on-prem objectGUID), so the script can be used with federation enabled for the on-prem domain in O365/WAAD.
Along with this, the DisplayName, GivenName and Surname are also provisioned from the on-prem AD (more attributes can be added if required).
The script also writes its activity to a log file and records the number of users found in O365/WAAD and in the on-prem AD group.

The scope here is only provisioning/deprovisioning, but other actions could be added too, like assigning O365 licences, …
It does not update attributes that change in the on-prem AD; if you start to need that, better think about installing a directory synchronization tool 😉

Cheers!
Mitch

Sample Script:

(Requires the Active Directory and Windows Azure Active Directory modules to be installed on the machine running the script)


# Log file location
$logfile = "Path_To_Your_Log_File"

# Module import
Import-Module ActiveDirectory
Import-Module MSOnline

# Replaces the Your_Credentials placeholder: prompts for the WAAD admin account
$credentials = Get-Credential
$ErrorActionPreference = "Stop"

# One log line per event: timestamp|step|OK or NOK|detail
function Write-Log([string]$Message) {
    Add-Content -Path $logfile -Value ((Get-Date).ToString() + "|" + $Message)
}

# Connect to WAAD
Try {
    Connect-MsolService -Credential $credentials
    Write-Log "Connection to WAAD|OK"
}
Catch {
    Write-Log ("Connection to WAAD|NOK|ERROR:" + $_.Exception.Message)
    exit 1
}

# Getting group members from AD
Try {
    $usersList = @(Get-ADGroupMember Your_Group_Name)
    Write-Log ("Getting group member from AD|OK|Number of members found: " + $usersList.Count)
}
Catch {
    Write-Log ("Getting group member from AD|NOK|ERROR:" + $_.Exception.Message)
    exit 1
}

# Getting WAAD tenant users (-All: without it only the first page of users is returned)
Try {
    $usersInCloudList = @(Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@your_domain" })
    Write-Log ("Getting WAAD tenant users|OK|Number users found: " + $usersInCloudList.Count)
}
Catch {
    Write-Log ("Getting WAAD tenant users|NOK|ERROR:" + $_.Exception.Message)
    exit 1
}

# Provisioning
# -contains / -notcontains compare case-insensitively, like the original -eq loop
$cloudUpns   = @($usersInCloudList | ForEach-Object { $_.UserPrincipalName })
$onPremMails = @()
Foreach ($user in $usersList) {
    $userDetails = Get-ADUser $user.sAMAccountName -Properties mail, DisplayName
    If (-not $userDetails.mail) {
        # No mail attribute means no UPN to create: skip instead of failing the whole run
        Write-Log ("User Provisioning|NOK|No mail attribute, skipped: " + $userDetails.sAMAccountName)
        continue
    }
    $onPremMails += $userDetails.mail
    If ($cloudUpns -notcontains $userDetails.mail) {
        # ImmutableId = base64 of the on-prem objectGUID, the anchor used for federated sign-in
        $immutableID = [System.Convert]::ToBase64String($userDetails.ObjectGUID.ToByteArray())
        Try {
            New-MsolUser -DisplayName $userDetails.DisplayName -FirstName $userDetails.GivenName -LastName $userDetails.Surname -UserPrincipalName $userDetails.mail -ImmutableId $immutableID
            Write-Log ("User Provisioning|OK|Provisioned User: " + $userDetails.mail)
        }
        Catch {
            Write-Log ("User Provisioning|NOK|ERROR:" + $_.Exception.Message)
            Break   # stop provisioning on the first error
        }
    }
}

# Deprovisioning
# Note: every tenant user with the domain suffix that is not in the AD group is removed,
# including cloud-only accounts (for example admin accounts created directly in the tenant).
Foreach ($userInCloud in $usersInCloudList) {
    If ($onPremMails -notcontains $userInCloud.UserPrincipalName) {
        Try {
            Remove-MsolUser -UserPrincipalName $userInCloud.UserPrincipalName -Force
            Write-Log ("User Deprovisioning|OK|Deprovisioned User: " + $userInCloud.UserPrincipalName)
        }
        Catch {
            Write-Log ("User Deprovisioning|NOK|ERROR:" + $_.Exception.Message)
            Break   # stop deprovisioning on the first error
        }
    }
}
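Because the deprovisioning step deletes any tenant user outside the group, it is worth computing the plan before running it. The following is an added example, not part of the original script: it builds the provision/deprovision sets with a list of protected cloud-only accounts and flags matched users whose ImmutableId does not equal base64(objectGUID). $GroupName, $Domain and $ProtectedUpns are assumed placeholders, and an MSOL session is assumed to be connected already.

```powershell
Import-Module ActiveDirectory
Import-Module MSOnline

$GroupName     = 'Your_Group_Name'              # assumption: placeholder group
$Domain        = 'your_domain'                  # assumption: placeholder domain suffix
$ProtectedUpns = @("breakglass-admin@$Domain")  # assumption: cloud-only accounts never to remove

function ConvertTo-ImmutableId([guid]$ObjectGuid) {
    # Same encoding as the script above: base64 of the objectGUID byte array
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Get-ProvisioningPlan {
    param([string]$GroupName, [string]$Domain, [string[]]$ProtectedUpns)

    # Index on-prem group members by mail; hashtable keys are compared case-insensitively
    $onPrem = @{}
    $noMail = @()
    foreach ($m in Get-ADGroupMember -Identity $GroupName -Recursive | Where-Object objectClass -eq 'user') {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties mail, DisplayName
        if ([string]::IsNullOrWhiteSpace($u.mail)) { $noMail += $u.SamAccountName; continue }
        $onPrem[$u.mail.ToLowerInvariant()] = $u
    }

    # Index every tenant user with the domain suffix by UPN (-All avoids the default page size)
    $cloud = @{}
    foreach ($c in Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@$Domain" }) {
        $cloud[$c.UserPrincipalName.ToLowerInvariant()] = $c
    }

    [pscustomobject]@{
        ToProvision   = @($onPrem.Keys | Where-Object { -not $cloud.ContainsKey($_) })
        ToDeprovision = @($cloud.Keys  | Where-Object { -not $onPrem.ContainsKey($_) -and $ProtectedUpns -notcontains $_ })
        Protected     = @($cloud.Keys  | Where-Object { -not $onPrem.ContainsKey($_) -and $ProtectedUpns -contains $_ })
        # Matched users whose anchor differs from the on-prem objectGUID: federated sign-in would fail for them
        ImmutableIdMismatch = @($onPrem.Keys | Where-Object {
            $cloud.ContainsKey($_) -and $cloud[$_].ImmutableId -ne (ConvertTo-ImmutableId $onPrem[$_].ObjectGUID) })
        SkippedNoMail = $noMail
    }
}

$plan = Get-ProvisioningPlan -GroupName $GroupName -Domain $Domain -ProtectedUpns $ProtectedUpns
$plan | Format-List
```

Review the ToDeprovision and ImmutableIdMismatch lists before letting the script above act on the tenant.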