Have you ever found yourself managing an on-prem Active Directory hybrid environment alongside Office 365? If so, you’ve likely encountered the task of offboarding employee accounts promptly. As organizations evolve to become more intricate and demand stricter security protocols, automation becomes indispensable to ensure consistent execution of offboarding procedures.
The aim of this article is to showcase a comprehensive automated offboarding solution I’ve developed, with the hope of inspiring others to devise their own innovative solutions. Throughout the article, I’ll provide a brief description of each component of the offboarding script, explaining its functionality, integration, and overall coherence. By doing so, I aim to offer newcomers a holistic view of the capabilities of PowerShell, illustrating how various services and modules can seamlessly collaborate together to create one coherent solution. Please note that this will be an overview and will not go into detailed step by step instructions.
Review the Current Offboarding Process
The first thing we want to do is write out the business's current offboarding process so we can define clear goals for our script. The current offboarding outline for our business looks like this:
- The expiration date in Active Directory for the user’s account is set when HR informs the offboarding team of the employee(s) termination date.
- The following day, employees ensure that the account is disabled and begin the formal offboarding process.
- The user's Active Directory groups and properties are saved and manually uploaded to a SharePoint folder before the AD groups are removed, so that there is an accurate record for documentation purposes. Some groups must remain, because the business uses on-prem groups that are synced to Office 365/Azure to apply various Office licenses, Exchange email being the most noteworthy.
- The organization also works with affiliate accounts. These AD accounts differ in that some affiliates have a 3rd-party mail contact rather than an organizational email. The mail contact attributes must be removed to ensure that users are not emailing affiliates who are no longer cleared to work with the org. This removal covers various Exchange attributes in AD tied to the user(s) as well as hiding them from the Global Address List.
Define Script Goals / Pseudocoding
- Import the modules and functions necessary for the script to function (we will be using one custom function).
- Import credentials securely to connect to SharePoint via PowerShell PnP Module (some offboarding data will be uploaded to SharePoint).
- Create user variables for processing and logging.
- Disable the user(s) Active Directory account.
- Exclude the necessary groups from the automated removal of groups processing.
- Copy the AD user's groups and properties to SharePoint as an easy-to-read .txt report (using PnPOnline).
- Remove the groups afterwards, with a check that only removes the groups if the SharePoint copy succeeded. Log any errors during this process.
- Hide the user(s) from the Exchange Global Address List, remove additional Exchange attributes.
- Disconnect PnPOnline session after the script has completed.
- Email the offboarding team letting them know what users have been disabled & automatically offboarded. Attach an Excel spreadsheet.
The Script
Now for the fun part, we actually get to begin developing our scripting solution! While following along, please note that there are always ways to improve your script. A perfect script is one that performs what you want it to do every single time you run it with zero interaction from you. How you get there is on you and your process. That being said, even this developed solution will undergo many improvements throughout its life to keep it updated and improve its functionality and purpose.
Throughout this script development process, I will be utilizing Visual Studio Code. If you are interested in setting up a VSC environment similar to mine please review my article here that explains my current setup: https://greenetech.org/my-powershell-scripting-setup/
PowerShell 7 is also utilized. For more information on PowerShell 7 and the installation process, please visit the official Microsoft documentation here: Installing PowerShell on Windows – PowerShell | Microsoft Learn
The following PowerShell modules will be utilized (please review the attached links for setup instructions for these modules).
- ActiveDirectory – Info/installation instructions: ActiveDirectory Module | Microsoft Learn
- ImportExcel – Installation instructions: PowerShell Gallery | ImportExcel 7.8.5
- PnPOnline – Installation instructions & base setup: Installing PnP PowerShell | PnP PowerShell
Now we're at the core functions of the script. This will be the longest section, as there are a lot of items. This section begins the processing of each expired user stored in the $expiredUsers variable. It is the beginning of the foreach statement; there will be another paragraph later confirming when the foreach statement is finished.
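The following is an added illustration of that foreach body, not the author's script: it disables the account, writes the group/property record, uploads it, and only then removes groups and clears the Exchange attributes. It assumes the ActiveDirectory, PnP.PowerShell and ImportExcel modules are loaded, Connect-PnPOnline has already run, and that the SharePoint folder, excluded-group names and cleared attribute names are placeholders you replace with your own.

```powershell
# Placeholders: adjust to your tenant. 'Domain Users' is a primary group and cannot be
# removed with Remove-ADGroupMember, so it must always be excluded.
$excludedGroups = @('Domain Users', 'O365-E3-License')
$spFolder       = 'Shared Documents/Offboarding'
$results        = [System.Collections.Generic.List[object]]::new()

# Accounts whose expiration date has passed but which are still enabled
$expiredUsers = Search-ADAccount -AccountExpired -UsersOnly | Where-Object Enabled

foreach ($user in $expiredUsers) {
    $sam = $user.SamAccountName
    try {
        Disable-ADAccount -Identity $sam -ErrorAction Stop

        # Snapshot of properties and memberships before anything is removed
        $groups = Get-ADPrincipalGroupMembership -Identity $sam
        $report = Join-Path $env:TEMP "$sam-offboarding.txt"
        Get-ADUser -Identity $sam -Properties * | Format-List | Out-File $report
        '--- Group membership ---' | Out-File $report -Append
        $groups.Name | Out-File $report -Append

        # -ErrorAction Stop turns a failed upload into a terminating error, so the
        # group removal below never runs without a record in SharePoint
        Add-PnPFile -Path $report -Folder $spFolder -ErrorAction Stop | Out-Null

        foreach ($g in $groups | Where-Object { $_.Name -notin $excludedGroups }) {
            Remove-ADGroupMember -Identity $g -Members $sam -Confirm:$false -ErrorAction Stop
        }

        # Hide from the GAL and clear the 3rd-party mail contact attributes
        # (attribute names are assumptions; use the ones your Exchange setup populates)
        Set-ADUser -Identity $sam -Replace @{ msExchHideFromAddressLists = $true } -ErrorAction Stop
        Set-ADUser -Identity $sam -Clear targetAddress, proxyAddresses -ErrorAction Stop

        $results.Add([pscustomobject]@{ User = $sam; Status = 'Disabled'; Detail = '' })
    }
    catch {
        # Any failure lands in the report so the offboarding team can follow up manually
        $results.Add([pscustomobject]@{ User = $sam; Status = 'Error'; Detail = $_.Exception.Message })
    }
}

# Spreadsheet that the notification email attaches (ImportExcel module)
$xlsx = Join-Path $env:TEMP "offboarding-$(Get-Date -Format yyyyMMdd).xlsx"
$results | Export-Excel -Path $xlsx -AutoSize
```

A user with a failed upload keeps all groups and shows as 'Error' in the spreadsheet, which is the behaviour the script goals above call for.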
Whew! That concludes our process. An important thing to note when employing 'Connect-PnPOnline' with SharePoint: it's crucial to have an Azure Conditional Access policy in place to restrict the service account you're utilizing. Now that we've completed this setup, our script will run daily (after midnight), automatically sending an email to the offboarding team. This email will include a report detailing user disablement and any encountered issues that require attention.
Wrapping Up
Please remember that this article doesn’t delve into every intricate step required to configure a similar solution from scratch. Its primary objective is to serve as an illustration of PowerShell’s potential with automated offboarding, with the hope of inspiring readers to devise their own solutions. Thank you for taking the time to read!