“Decommissioning” an O365 User

If you’re using Office 365 for your business of any size, you’re going to need to add and remove users with some regularity. It’s good practice to have a standard procedure for this. And if you have a standard procedure, why not automate it?

PowerShell for Office 365 allows you to do just that. If you have a Windows machine, you have the Windows PowerShell ISE (Integrated Scripting Environment) already. Just ask Cortana – she’ll tell you. It looks like this:

[Screenshot: Windows PowerShell ISE]

Details on PowerShell and some useful sample scripts can be found here.

For “decommissioning” a user that has resigned or otherwise left the organization, we want a script that performs 9 steps. Credit to Robert Crane of CIAOPS for this script.

Step 1: Change the user password

Set-MsolUserPassword -UserPrincipalName firstname.lastname@mydomain.com -NewPassword MyPwd123! -ForceChangePassword $false

Step 2: Check the size of the mailbox (you want it under 10GB for archiving)

Get-Mailbox -Identity firstname.lastname -ResultSize Unlimited | Get-MailboxStatistics | Select DisplayName, StorageLimitStatus, TotalItemSize

Step 3: Set limits to avoid the mailbox growing out of control

Set-Mailbox firstname.lastname -ProhibitSendReceiveQuota 10GB -ProhibitSendQuota 9.75GB -IssueWarningQuota 9.5GB

Step 4: Convert to a shared mailbox

Set-Mailbox firstname.lastname -Type shared

Step 5: Hide the mailbox from the Global Address List (GAL)

Set-Mailbox firstname.lastname -HiddenFromAddressListsEnabled $true

Step 6: Set up a forward

Set-Mailbox -Identity firstname.lastname -DeliverToMailboxAndForward $true -ForwardingSMTPAddress destination@mydomain.com

Step 7: Set up full “Send As” permissions

Add-MailboxPermission firstname.lastname -User destination -AccessRights FullAccess -InheritanceType All

Add-RecipientPermission firstname.lastname -AccessRights SendAs -Trustee destination

Step 8: Check that the mailbox is now a shared mailbox

Get-Recipient -ResultSize Unlimited | where {$_.RecipientTypeDetails -eq "SharedMailbox"}

Step 9: Remove licenses

Set-MsolUserLicense -UserPrincipalName firstname.lastname@mydomain.com -RemoveLicenses "<tenant>:<SKU>"

In the ISE, the complete script will look like:

[Screenshot: ISE with the complete script]

Now you can decommission a user with a few clicks and perform consistent, automated steps each time.
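Because steps 6 and 7 leave a forward and delegated access on the departed user's mailbox, it is worth reading the end state back and confirming that only the intended delegate and forwarding address are present. The function below is an added example, not part of Robert Crane's script: the name Test-DecommissionState is hypothetical, the sample objects are constructed so the block runs without a tenant connection, and the delegate string is assumed to match the identity as Exchange reports it.

```powershell
# Added example (not from the original script): audit the end state of the nine steps.
function Test-DecommissionState {
    param(
        [Parameter(Mandatory)] $Mailbox,              # output of Get-Mailbox
        [Parameter(Mandatory)] $MsolUser,             # output of Get-MsolUser
        [object[]] $FullAccess = @(),                 # output of Get-MailboxPermission
        [object[]] $SendAs = @(),                     # output of Get-RecipientPermission
        [Parameter(Mandatory)] [string] $Delegate,    # the one identity that should have access
        [Parameter(Mandatory)] [string] $ForwardTo    # the one address mail should forward to
    )
    $self = 'NT AUTHORITY\SELF'
    # Explicit grants only; inherited and SELF entries are not delegations made in step 7.
    $fa = @($FullAccess | Where-Object { -not $_.IsInherited -and "$($_.User)" -ne $self -and
            "$($_.AccessRights)" -match 'FullAccess' } | ForEach-Object { "$($_.User)" })
    $sa = @($SendAs | Where-Object { "$($_.Trustee)" -ne $self -and
            "$($_.AccessRights)" -match 'SendAs' } | ForEach-Object { "$($_.Trustee)" })
    $forward = "$($Mailbox.ForwardingSmtpAddress)" -replace '^smtp:', ''
    $result = [ordered]@{
        IsShared            = "$($Mailbox.RecipientTypeDetails)" -eq 'SharedMailbox'
        HiddenFromGAL       = [bool]$Mailbox.HiddenFromAddressListsEnabled
        ForwardsToExpected  = $forward -eq $ForwardTo
        DelegateHasAccess   = ($fa -contains $Delegate) -and ($sa -contains $Delegate)
        UnexpectedDelegates = @(($fa + $sa) | Where-Object { $_ -ne $Delegate } | Select-Object -Unique)
        LicensesRemoved     = -not $MsolUser.IsLicensed
    }
    $result.Pass = $result.IsShared -and $result.HiddenFromGAL -and $result.ForwardsToExpected -and
        $result.DelegateHasAccess -and $result.LicensesRemoved -and
        ($result.UnexpectedDelegates.Count -eq 0)
    [pscustomobject]$result
}

# Constructed sample objects standing in for live cmdlet output.
# A stray Send As grant to 'someone.else' is included so the audit has something to flag.
$mbx  = [pscustomobject]@{ RecipientTypeDetails = 'SharedMailbox'; HiddenFromAddressListsEnabled = $true
                           ForwardingSmtpAddress = 'smtp:destination@mydomain.com' }
$user = [pscustomobject]@{ IsLicensed = $false }
$fa   = @([pscustomobject]@{ User = 'NT AUTHORITY\SELF'; AccessRights = 'FullAccess'; IsInherited = $false },
          [pscustomobject]@{ User = 'destination'; AccessRights = 'FullAccess'; IsInherited = $false })
$sa   = @([pscustomobject]@{ Trustee = 'destination'; AccessRights = 'SendAs' },
          [pscustomobject]@{ Trustee = 'someone.else'; AccessRights = 'SendAs' })
Test-DecommissionState -Mailbox $mbx -MsolUser $user -FullAccess $fa -SendAs $sa `
    -Delegate 'destination' -ForwardTo 'destination@mydomain.com'

# Live use: pass (Get-Mailbox firstname.lastname), (Get-MsolUser -UserPrincipalName firstname.lastname@mydomain.com),
# (Get-MailboxPermission firstname.lastname) and (Get-RecipientPermission firstname.lastname) instead.
```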

What PowerShell scripts do you find most useful for administering O365?
