Adaxes

Ways to remove all O365 Exchange delegates, and reset a users MFA in Adaxes.

0 votes

Hi All,

I am looking for a script i can use in adaxes, that removes all delegates for an exchange O365 mailbox, and reset their MFA tokens as well. I want the script to run against the user specified in the activity scope.

I have custom scripts that work in powershell for each of these things, but i am getting tripped up when importing them into Adaxes. I will list the script i have below to do this, however it requires a login to O365 and utilizes the Exchange powershell module which confuses me. Thanks for any and all help. 

# Import the Exchange Online module
Import-Module ExchangeOnlineManagement

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName <AdminUPN> -ShowProgress $true

# Read users from the text file
$users = Get-Content "\\path\to\\users.txt"

foreach ($user in $users) {
    # Revoke Azure MFA tokens
    # $objectid = Get-AzureADUser -ObjectId $user | select objectid -ExpandProperty ObjectId
    Revoke-AzureADUserAllRefreshToken -ObjectId $user

    # Remove all Exchange delegates
    Get-Mailbox -Identity $user | ForEach-Object {
        $mailbox = $_
        $delegates = Get-MailboxPermission -Identity $mailbox.Identity | Where-Object { $_.IsInherited -eq $false -and $_.User -ne "NT AUTHORITY\SELF" -and $_.AccessRights -like "*FullAccess*" }

        foreach ($delegate in $delegates) {
            Remove-MailboxPermission -Identity $mailbox.Identity -User $delegate.User -AccessRights FullAccess -Confirm:$false
            Write-Output "Removed delegate $($delegate.User) from $($mailbox.Identity)"
        }
    }
}

# Disconnect from Exchange Online
Disconnect-ExchangeOnline -Confirm:$false
by (20 points)

1 Answer

0 votes
by (288k points)

Hello,

For an example on how to connect to Exchange Online in Adaxes scripts, see https://www.adaxes.com/script-repository/connect-to-exchange-with-powershell-s506.htm. Also, Write-Output does not work in Adaxes. You need to use $Context.LogMessage instead. Finally, you should have something like the following:

# Connect to Exchange Online
$Context.CloudServices.ConnectExchangeOnline() 

# Read users from the text file
$users = Get-Content "\\path\to\\users.txt"

foreach ($user in $users)
{
    # Revoke Azure MFA tokens
    # $objectid = Get-AzureADUser -ObjectId $user | select objectid -ExpandProperty ObjectId
    Revoke-AzureADUserAllRefreshToken -ObjectId $user

    # Remove all Exchange delegates
    Get-Mailbox -Identity $user | ForEach-Object {
        $mailbox = $_
        $delegates = Get-MailboxPermission -Identity $mailbox.Identity | Where-Object { $_.IsInherited -eq $false -and $_.User -ne "NT AUTHORITY\SELF" -and $_.AccessRights -like "*FullAccess*" }

        foreach ($delegate in $delegates)
        {
            Remove-MailboxPermission -Identity $mailbox.Identity -User $delegate.User -AccessRights FullAccess -Confirm:$false
            $Context.LogMessage("Removed delegate $delegate.User from $mailbox.Identity", "Information")
        }
    }
}
0

Thanks for the answer! I appreciate the help. How can i replace the use of the text file in this script to instead use the users / OU we specify in the activity scope?

Thanks.

by (20 points)
0

Hello,

We do not have information on your CSV file, but most probably using value references should do the trick. Also, the following article should be helpful: https://adaxes.com/sdk/ServerSideScripting.

by (288k points)
0

Thanks for the response. I am not sure you understood my question fully.

My question is that i want to remove the userx.txx / .csv file completley. I want the script to run against the user i specify in the ADAXES activity scope, as shown below.

image.png

by (20 points)
0

Hello,

That is exactly what we meant. When the script is executed, it will be done separately for each user in the Activity Scope. As such, at each execution, the user will be the target object. There is no need to do anything specific for that to work. At the same time, the approaches we suggested provide information on obtaining information on the target user in the script itself. The following SDK article might also be helpful: https://adaxes.com/sdk/CloudServicesScriptContextClass.

by (288k points)
0

Ah ok, understood. Thanks so much for your help.

by (20 points)
0

Hi, i am now getting an error on the Reset MFA step. It states i need to connect to AzureAD, which makes sense, however using the command $Context.CloudServices.AzureAD() gives me the error(s) shown in the screenshot. Thanks for any and all help. image.png

by (20 points)
0

Hello,

First of all, the AzureAD PowerShell module is deprecated and you should not use it. You should do the lot via MgGraph. For an example, have a look at the following scripts from our repository: https://www.adaxes.com/script-repository/sign-out-from-all-microsoft-365-services-s597.htm. For your information, $Context.CloudServices.AzureAD() just does not exist.

by (288k points)

Related questions

0 votes
1 answer
Is there a way to get all AD Users, in powershell, and include custom attributes?

I am wanting to export a list of users including the properties of a specific custom attribute. Ideally, I would be able to run a get-admuser and filter on a custom attribute, but even an excel report with the custom attributes would work. Is this possible?

asked Sep 9, 2021 by ggallaway (300 points)
0 votes
1 answer
Is there a way to integrate sharepoint sites in adaxes to create a web facing interface for users to see all sites?

We get Sharepoint Online requests for access to sites/folder/content. Is there a way to automate this task?

asked Jul 10, 2023 by dharry (20 points)
0 votes
1 answer
In Adaxes can you apply a powershell script to all users in a specific group?

For instance to execute a powershell script that enable MFA for all member in that group?

asked Jan 27, 2023 by samuel.anim-addo (20 points)
0 votes
1 answer
Is there a way to remove all users accounts with exceptions?

Like remove all users from full access other than User1, User 2, &amp; User3?

asked Oct 29, 2019 by hgletifer (1.3k points)
0 votes
1 answer
Need a script to add users who are enrolled in MFA to an AD group.

I'm trying to automate adding users who are enrolled in MFA to an AD group. The scripts I found elsewhere here that do not work so I believe they may have been written against a prior Adaxes version or referencing a report that does not meet our needs.

asked May 31 by neal (50 points)
3,541 questions
3,232 answers
8,225 comments
547,806 users