###########################################################################
###########################################################################
### Authors: Office 365 security (O365whitehat@microsoft.com) ####
### Remediate an employee leaving your company ####
### Reference: https://support.office.com/en-US/ ####
### article/How-to-block-employee-access-to-Office-365- ####
### data-44d96212-4d90-4027-9aa9-a95eddb367d1?ui=en-US&rs=en-US&ad=US ####
###########################################################################
#######################################################################
######################### Functions ##################################
######################################################################
#This function reviews the effective execution policy to make sure it allows this (unsigned) script to run.
#Returns 0 if the policy permits the script, otherwise -1 (the caller should abort on -1).
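Function ReviewExecutionPolicy()
{
    <#
    .SYNOPSIS
    Checks that the effective PowerShell execution policy allows this (unsigned) script to run.
    .OUTPUTS
    0 when the policy permits the script, -1 when it is Restricted or AllSigned.
    .NOTES
    Execution policy is a safety feature, not a security boundary. The guidance printed on
    failure therefore asks for a process-scoped change (-Scope Process) instead of the original
    advice to relax the machine-wide policy from an elevated window, which persists long after
    this one-off remediation is finished.
    #>
    $effectivePolicy = Get-ExecutionPolicy
    # Restricted blocks every script; AllSigned blocks this one because it carries no signature.
    if (($effectivePolicy -eq "Restricted") -or ($effectivePolicy -eq "AllSigned"))
    {
        Write-Host "Your Execution policy does not allow to run this script."
        Write-Host "Please open a new PowerShell window and run: Set-ExecutionPolicy -Scope Process RemoteSigned"
        return -1
    }
    return 0
}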
#Initiates Session for AAD/Azure, EXO & SPO
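Function InitiateSession($domainName)
{
    <#
    .SYNOPSIS
    Prompts for admin credentials and opens the Exchange Online, MSOnline (AAD) and SharePoint Online sessions.
    .PARAMETER domainName
    Tenant name without the top-level domain (e.g. "contoso"), used to build the SPO admin URL.
    The SPO connection is skipped when this is empty or whitespace: Read-Host returns "" (not $null)
    for an empty answer, so the original `-ne $null` test always passed and tried to connect to
    "https://-admin.sharepoint.com".
    .OUTPUTS
    The PSCredential entered by the admin; the caller reuses its UserName as new site owner and redirect target.
    .NOTES
    NOTE(review): the Basic-auth "powershell-liveid" endpoint used below and the MSOnline module have
    been retired by Microsoft; the current equivalents are Connect-ExchangeOnline (ExchangeOnlineManagement)
    and the Microsoft Graph PowerShell SDK. The calls are kept because the rest of this script is written
    against these cmdlets, but expect them to fail on current tenants until the script is ported.
    #>
    $UserCredential = Get-Credential
    if ($null -eq $UserCredential)
    {
        throw "No credentials entered; aborting before any remediation step runs."
    }
    # Exchange Online remote session; the imported cmdlets (Set-CASMailbox, Get-MobileDevice, ...) are used later.
    # New-PSSession reports a failed connection as a non-terminating error and returns nothing, so check explicitly
    # instead of letting Import-PSSession fail on $null.
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    if ($null -eq $Session)
    {
        throw "Could not open the Exchange Online session; aborting."
    }
    Import-PSSession $Session
    # Azure AD (MSOnline); this prompts a second time for credentials.
    Connect-MsolService
    # SharePoint Online admin endpoint, only when a usable tenant name was supplied.
    if (-not [string]::IsNullOrWhiteSpace($domainName))
    {
        Connect-SPOService -Url "https://$domainName-admin.sharepoint.com" -Credential $UserCredential
    }
    return $UserCredential
}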
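Function BlockUser($upn)
{
    # Blocks sign-in for the account (BlockCredential $true). Parameters are now spelled with
    # ASCII hyphens: the original used Unicode en-dashes, which PowerShell tolerates but which
    # break as soon as the line is copied into other tooling or a different shell.
    # NOTE(review): blocking credentials stops new sign-ins; tokens that were already issued may
    # stay valid until they expire - confirm against your tenant's session/token policies.
    Set-MsolUser -UserPrincipalName $upn -BlockCredential $true
}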
#Disable connections (OWA, ActiveSync, MAPI, IMAP & POP) of targeted user
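Function DisableUserConnections($upn)
{
    # Turns off the listed client protocols on the mailbox. This call covers exactly
    # OWA, ActiveSync, MAPI, IMAP and POP; EWS and other access paths are not touched here.
    # Parameter dashes normalised to ASCII (the original used an en-dash before MAPIEnabled)
    # and the mixed "$False" / ":$false" forms unified.
    Set-CASMailbox $upn -OWAEnabled $false -ActiveSyncEnabled $false -MAPIEnabled $false -IMAPEnabled $false -PopEnabled $false
}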
Function GetUserDevices($upn)
{
    # Returns the mobile device partnerships of the mailbox, as consumed by RemoveDevices.
    # The original author marked this section "Need to be tested"; that caveat still applies.
    return (Get-MobileDevice -Mailbox $upn)
}
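Function RemoveDevices($usermobileDevice)
{
    <#
    .SYNOPSIS
    Removes every mobile device partnership passed in and returns how many were removed.
    .PARAMETER usermobileDevice
    Output of GetUserDevices: $null, a single device object, or an array of devices.
    .OUTPUTS
    Number of Remove-MobileDevice calls made (0 for $null or empty input).
    .NOTES
    The original returned the undefined variable $1 (i.e. $null) on the non-empty path, so the
    caller printed " devices found" with no number. Wrapping the input in @() lets a single
    device object (no .length) go through the same loop as an array.
    Remove-MobileDevice only deletes the partnership; it does not wipe the device.
    #>
    $removed = 0
    foreach ($device in @($usermobileDevice))
    {
        # @($null) yields one $null element; skip it rather than call the cmdlet with nothing.
        if ($null -eq $device) { continue }
        Remove-MobileDevice -Identity $device
        $removed++
    }
    return $removed
}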
#Collects the URLs in an ArrayList; see the notes in the function for the Get-SPOSite paging and personal-site caveats.
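Function GetUrlsOwned($upn)
{
    <#
    .SYNOPSIS
    Returns the URLs of the SharePoint Online site collections whose Owner is $upn.
    .OUTPUTS
    ArrayList of URL strings; empty when nothing matches. PowerShell unrolls the collection
    on return, so callers should wrap the result in @() before using .Count or indexing.
    .NOTES
    -Limit All is required: without it Get-SPOSite returns only the first batch of site
    collections (200 by default), so a leaver's sites could silently be missed.
    Personal (OneDrive) sites are not returned unless -IncludePersonalSite is requested;
    the comment in the main script notes that this gap is still open.
    #>
    $urlsOwned = New-Object System.Collections.ArrayList
    foreach ($site in @(Get-SPOSite -Limit All))
    {
        if ($site.Owner -eq $upn)
        {
            $urlsOwned.Add($site.Url) > $null
        }
    }
    return $urlsOwned
}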
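Function AddNewOwnerToSiteCollection($collectionUrl, $newOwner)
{
    # Makes $newOwner the owner of the site collection at $collectionUrl.
    # Bug fix: the original passed the misspelled, undefined variable $newOner, so
    # Set-SPOSite received $null and the ownership change never happened.
    # -NoWait returns before the change is applied; do not assume immediate access.
    Set-SPOSite -Identity $collectionUrl -Owner $newOwner -NoWait
}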
Function RedirectEmail($redirectFrom, $redirectTo)
{
    # Creates a tenant-wide transport rule that redirects every message addressed to
    # $redirectFrom to $redirectTo. The rule name carries the creation timestamp so that
    # repeated runs get distinct names; the timestamp fields are deliberately not zero-padded,
    # matching the names produced by earlier versions of this script.
    # Security note: this rule outlives the account it was created for and is the kind of
    # silent mail redirect that mailbox-compromise hunts look for - review and remove it
    # once the handover period is over.
    $now = Get-Date
    $ruleName = 'ForwardingEmail_{0}-{1}-{2}_{3}-{4}-{5}-{6}' -f $now.Year, $now.Month, $now.Day, $now.Hour, $now.Minute, $now.Second, $now.Millisecond
    New-TransportRule -Name $ruleName -SentTo $redirectFrom -RedirectMessageTo $redirectTo
}
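Function RemoveLicences($upn)
{
    <#
    .SYNOPSIS
    Removes every license currently assigned to the user.
    .NOTES
    The original passed every SKU in the tenant (Get-MsolAccountSku) to -RemoveLicenses.
    Set-MsolUserLicense errors for SKUs the user does not actually hold, so on any tenant with
    more than one SKU the call failed and the leaver kept their licenses. Reading the user's
    own Licenses collection removes exactly what is assigned.
    #>
    $assignedSkus = @((Get-MsolUser -UserPrincipalName $upn).Licenses | ForEach-Object { $_.AccountSkuId })
    if ($assignedSkus.Count -eq 0)
    {
        Write-Host "No licenses assigned to $upn"
        return
    }
    Set-MsolUserLicense -UserPrincipalName $upn -RemoveLicenses $assignedSkus
}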
Function RemoveUser($upn)
{
    # Deletes the account from Azure AD. Without -Force the cmdlet asks for confirmation;
    # that prompt is intentionally kept as the last guard before this irreversible step.
    Remove-MsolUser -UserPrincipalName $upn
}
############################################################################
################ Main Script ##########################################
###########################################################################
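Write-Host "This PowerShell script was created by the Office 365 security team to help customers remediate the risk of an employee leaving the company."
Write-Host "To learn more about to perform the same manually please take a look at:"
Write-Host "https://support.office.com/en-US/article/How-to-block-employee-access-to-Office-365-data-44d96212-4d90-4027-9aa9-a95eddb367d1?ui=en-US&rs=en-US&ad=US"
Write-Host " "
# Every step below is destructive. Stop at the first failing cmdlet instead of carrying on and,
# for example, deleting the account after the block/connection steps silently failed.
$ErrorActionPreference = 'Stop'
# Abort when the execution policy check fails; the original called it and ignored the -1 result.
if ((ReviewExecutionPolicy) -ne 0)
{
    exit 1
}
Write-Host "Please enter your name of your domain without the Top Level Domain (.com, .org, .net, etc.). "
Write-Host "For example if you work at contoso.com, please enter only Contoso"
$domainName = Read-Host -Prompt 'Domain Name (Without Top Level Domain)'
Write-Host "Enter your Admin Credentials, please note you will be prompted twice (One for O365 Exchange and one for AAD)"
$adminCreds = InitiateSession -domainName $domainName
Write-Host "Please enter the User Principal Name (UPN) or Email of the target user (employee leaving)"
$upn = Read-Host -Prompt 'Target UPN/Email'
if ([string]::IsNullOrWhiteSpace($upn))
{
    Write-Host "No target UPN entered; nothing to do."
    exit 1
}
# Refuse to run the leaver procedure against the account that is driving it.
if ($upn -eq $adminCreds.UserName)
{
    Write-Host "Target UPN is the admin account you signed in with; refusing to continue."
    exit 1
}
try
{
    ######## 1. ("Block employee access to Office 365 data") ###########################
    Write-Host "Blocking User..."
    BlockUser -upn $upn
    Write-Host "Done"
    Write-Host "Disabling user connections (OWA, ACtiveSync, MAPI, IMAP & POP)..."
    DisableUserConnections -upn $upn
    Write-Host "Done"
    # Removes the device partnerships only (Important: this does not wipe their devices).
    Write-Host "Removing User's devices..."
    $userdevices = GetUserDevices -upn $upn
    $numberOfDevicesRemoved = RemoveDevices -usermobileDevice $userdevices
    # The original printed "devices found" while RemoveDevices returned nothing; it now returns the removal count.
    Write-Host "$numberOfDevicesRemoved devices removed"
    Write-Host "Done"
    ########## 2. ("Get access to the data of the former employee") ##############
    ####### 2.1 (Part 1 - Get access to the former employee's OneDrive for Business documents) #######
    Write-Host "Looking for SharePoint Site Collection owned by target user..."
    # @() keeps a single URL from being unrolled into a string, whose .length would be its character count.
    $collectionUrls = @(GetUrlsOwned -upn $upn)
    Write-Host $collectionUrls
    Write-Host "Adding your admin account as an owner..."
    if ($collectionUrls.Count -gt 0)
    {
        foreach ($collectionUrl in $collectionUrls)
        {
            AddNewOwnerToSiteCollection -collectionUrl $collectionUrl -newOwner $adminCreds.UserName
        }
    }
    else
    {
        Write-Host "No SharePoint Site Collection found for the user"
    }
    Write-Host "Done"
    #Note need to review if the previous step also identifies the personal user collection
    ##Identify personal users collection? my https://<company_name>-my.sharepoint.com/personal/<employee>_<company name>_onmicrosoft_com.
    #Steps 2.2 - 2.4 are not available through any of the existing powershell cmdlets.
    #### 3. Optional Send the former employee's new email to another employee
    # NOTE(review): the redirect rule is created before the account is deleted in step 5. Once the
    # recipient no longer exists, inbound mail to $upn may be rejected before transport rules are
    # evaluated - confirm the redirect still takes effect, or keep the mailbox (e.g. convert it to a
    # shared mailbox) for the handover period instead of deleting the account.
    Write-Host "Redirecting all future emails to your account..."
    RedirectEmail -redirectFrom $upn -redirectTo $adminCreds.UserName
    Write-Host "Done"
    #### 4 Remove license from employee
    Write-Host "Removing former employee licences ..."
    RemoveLicences -upn $upn
    Write-Host "Done"
    #### 5. Delete the former employee's user account
    # Remove-MsolUser prompts for confirmation; that prompt is the last chance to stop before deletion.
    Write-Host "Removing/Deleting user..."
    RemoveUser -upn $upn
    Write-Host "Done"
}
finally
{
    # Tear down the Exchange Online remote session opened by InitiateSession so the admin
    # credential is not kept alive in a lingering session after the script ends.
    Get-PSSession | Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } | Remove-PSSession
}
#####Done
## Provide user summary of actions taken by script
Write-Host "Below is a summary of all the actions provided by this script:"
Write-Host "1. Blocked target user"
Write-Host "2. Disabled user connections to OWA, ActiveSync, MAPI, IMAP and POP"
Write-Host "3. Blocked and removed user's mobile devices"
Write-Host "4. Got access to the former employee's OneDrive for Business documents"
Write-Host "5. Future emails to former employees will be redirected to your account"
Write-Host "6. Remove Licenses of former employee"
Write-Host "7. Delete/Remove user account"
Write-Host "All Done!"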