0 votes

We have a security initiative to disable the default Exchange Online (EXO) PowerShell access for users, while retaining access for Admins. I would like to implement this using a scheduled task inside Adaxes and have the scope target the OUs of our normal user accounts. Ideally, we would like to use a PS script to return a true/false condition (i.e.: is it already disabled?) before the change is made, but I am not sure what the best approach for this would be in terms of the code used in the script(s).

This is the article that we've been referencing from Microsoft: https://learn.microsoft.com/en-us/powershell/exchange/disable-access-to-exchange-online-powershell?view=exchange-ps

by (40 points)

1 Answer

0 votes
by (300k points)

Hello Mark,

According to the article you referenced, you can disable the access by just using the below script.

try
{
    # Get the object ID in Microsoft 365
    $objectId = [Guid]$Context.TargetObject.Get("adm-AzureId")
}
catch
{
    return # The user doesn't have a Microsoft 365 account
}

# Connect to Exchange Online
$Context.CloudServices.ConnectExchangeOnline() 

# Disable Exchange Online PowerShell access
Set-User -Identity $objectId -EXOModuleEnabled $false

Unfortunately, there does not seem to be an easy way to check the status for a single user. The command provided in the article returns a bunch of formatted text and trying to parse it in the script is nearly impossible.

As for the OUs you want to target, they should just be added to the Activity Scope of the scheduled task. For details on how to create those in Adaxes, see https://www.adaxes.com/help/ScheduleTasksForDirectoryManagement.

0

Thank you. I will give this script a shot and will let you know if I run into any issues.

0

So, the first issue that I ran into is that the last line of the script had a specific user account called out in it and was set to enable EXO PowerShell (not disable). Therefore, I swapped that line out to: Set-User -Identity %userPrincipalName% -EXOModuleEnabled $false.

However, I now have the following error when testing it out: image.png

0

Hello Mark,

Sorry for the mistake in the script. Please try using the one below. We also updated the script accordingly in the previous post.

try
{
    # Get the object ID in Microsoft 365
    $objectId = [Guid]$Context.TargetObject.Get("adm-AzureId")
}
catch
{
    return # The user doesn't have a Microsoft 365 account
}

# Connect to Exchange Online
$Context.CloudServices.ConnectExchangeOnline() 

# Disable Exchange Online PowerShell access
Set-User -Identity $objectId -EXOModuleEnabled $false

0

So, the error message (from my previous screenshot) appears to be generated as a result of the command wanting a confirmation. Therefore, the last line would need to be modified to: Set-User -Identity $objectId -EXOModuleEnabled $false -Confirm:$false
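The following is an added example, not code from the thread or from Adaxes: it combines the script from the answer with the -Confirm:$false change from the last comment and reads the current state first, so the task only writes when access is still enabled. It assumes the object returned by Get-User exposes EXOModuleEnabled as a Boolean property (the property named in the Microsoft article linked in the question) and that Get-User accepts the same object ID that the answer passes to Set-User.

```powershell
# Added example. Runs inside an Adaxes scheduled task, where $Context is
# provided by Adaxes (same calls as in the script from the answer).

try
{
    # Get the object ID in Microsoft 365
    $objectId = [Guid]$Context.TargetObject.Get("adm-AzureId")
}
catch
{
    return # The user doesn't have a Microsoft 365 account
}

# Connect to Exchange Online
$Context.CloudServices.ConnectExchangeOnline()

# Read the current state as an object instead of parsing Format-List text.
# -ErrorAction Stop ends the script on a failed lookup, so a lookup error
# is never treated as "already disabled".
$user = Get-User -Identity $objectId -ErrorAction Stop

# Assumption: EXOModuleEnabled is a Boolean property on the returned object.
# If the property is missing ($null), this comparison is $false and the
# script falls through to Set-User, so the user is still disabled.
if ($user.EXOModuleEnabled -eq $false)
{
    return # Already disabled, nothing to change
}

# Disable Exchange Online PowerShell access without the confirmation prompt
# that caused the error in the scheduled task.
Set-User -Identity $objectId -EXOModuleEnabled $false -Confirm:$false -ErrorAction Stop
```

Admin accounts keep their access as long as their OUs stay outside the Activity Scope of the scheduled task.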
