Recently I needed to get an overview of the group memberships for a user, more specifically the memberships of all the online groups. I figured that it would probably be pretty easy to get an overview, since for Active Directory you can use Get-ADPrincipalGroupMembership. So my guess was that there would be a similar command for the online groups, something like Get-MsolPrincipalGroupMembership or maybe Get-AzureADPrincipalGroupMembership. To my surprise it turned out that there is no similar command to Get-ADPrincipalGroupMembership for online groups.
Either way, I still needed the overview and to remove the user from all of its groups. So I created a PowerShell script that scans all the groups for that user; if the user is a member of a group, it is removed from it.
I wanted to share the script since I think it can come in handy on a lot of occasions. So I put in a little extra effort to create a script that can provide an overview of all the groups and remove the user from them.
You can download the script here.
Before you can use the script you will need to connect to Exchange Online. The script also calls the Get-MsolUser and Get-MsolGroup cmdlets, so the MSOnline module has to be loaded and connected (Connect-MsolService) as well.
You can use .\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName "example@domain.com" to get an overview of all the groups that the user is a member of. Without -Remove the script only reports; nothing is changed.
If you want to remove the user from all those groups you can use .\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName "example@domain.com" -Remove $true
If you have any questions about the script please leave a comment.
```powershell
<#
.SYNOPSIS
This script will output all the distribution and security groups a user is a member of.
With the switch -Remove the script will remove the user from those groups.
.NOTES
Author: Stephan van de Kruis
First Creation Date: 2018-02-04
Requires an Exchange Online session and Connect-MsolService (for the Get-Msol* cmdlets).
.EXAMPLE
.\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName "example@domain.com"
.\REMOVE-User-From-Online-Groups.ps1 -UserPrincipalName "example@domain.com" -Remove $true
.PARAMETER UserPrincipalName
The UserPrincipalName of a user (e.g. 'example@domain.com')
.PARAMETER Remove
$false (the default) only reports the groups; $true removes the user from them.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [String]$UserPrincipalName,
    [Parameter(Mandatory = $false)]
    [boolean]$Remove = $false
)

####
# Look up the user once; both group types are matched against this object
####
try {
    $OnlineUser = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
}
catch {
    Write-Output "Error: Could not find user $UserPrincipalName"
    Write-Output $_.Exception.Message
    return
}

####
# Distribution groups (cloud-only: directory-synced groups must be changed on-premises)
####
try {
    $DistributionGroups = Get-DistributionGroup -ResultSize 5000 | Where-Object { $_.IsDirSynced -eq $false }
    foreach ($DistributionGroup in $DistributionGroups) {
        # Membership is matched on the primary SMTP address, so it must equal the UPN
        $IsMember = Get-DistributionGroupMember -Identity $DistributionGroup.Name -ResultSize Unlimited |
            Where-Object PrimarySmtpAddress -eq $UserPrincipalName
        if ($IsMember) {
            if ($Remove) {
                Remove-DistributionGroupMember -Identity $DistributionGroup.Name -Member $OnlineUser.UserPrincipalName -BypassSecurityGroupManagerCheck -Confirm:$false
                Write-Output "Info: $($OnlineUser.DisplayName) removed from the online group $($DistributionGroup.Name)"
            }
            else {
                Write-Output "Info: Found $($OnlineUser.DisplayName) in group $($DistributionGroup.Name)"
            }
        }
    }
}
catch {
    Write-Output "Error: Processing the distribution groups failed"
    Write-Output $_.Exception.Message
}

####
# Security groups (cloud-only: no LastDirSyncTime)
####
try {
    $SecurityGroups = Get-MsolGroup -GroupType Security -MaxResults 5000 | Where-Object { $null -eq $_.LastDirSyncTime }
    foreach ($SecurityGroup in $SecurityGroups) {
        # -All so that members beyond the first page of a large group are not missed
        $IsMember = Get-MsolGroupMember -GroupObjectId $SecurityGroup.ObjectId -All |
            Where-Object ObjectId -eq $OnlineUser.ObjectId
        if ($IsMember) {
            if ($Remove) {
                Remove-MsolGroupMember -GroupObjectId $SecurityGroup.ObjectId -GroupMemberObjectId $OnlineUser.ObjectId -GroupMemberType User
                Write-Output "Info: $($OnlineUser.DisplayName) removed from the online group $($SecurityGroup.DisplayName)"
            }
            else {
                Write-Output "Info: Found $($OnlineUser.DisplayName) in group $($SecurityGroup.DisplayName)"
            }
        }
    }
}
catch {
    Write-Output "Error: Processing the security groups failed"
    Write-Output $_.Exception.Message
}
```
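As an added example, not part of the original post or its script, the same two passes written as reusable functions: the first returns one object per group instead of a string, so the memberships can be written to a CSV as a record before anything is changed, and the second removes memberships from the pipeline with -WhatIf and -Confirm support through ShouldProcess. It assumes the same Exchange Online and MSOnline sessions as the script; the UPN and CSV path in the usage lines at the bottom are placeholders.

```powershell
function Get-OnlineGroupMembership {
    # Returns one object per cloud-only distribution or security group that contains the user.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName
    )

    $User = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # Cloud-only distribution groups; directory-synced ones are owned by on-premises AD
    Get-DistributionGroup -ResultSize Unlimited |
        Where-Object { -not $_.IsDirSynced } |
        ForEach-Object {
            $Group = $_
            $Hit = Get-DistributionGroupMember -Identity $Group.Identity -ResultSize Unlimited |
                Where-Object { $_.PrimarySmtpAddress -eq $User.UserPrincipalName }
            if ($Hit) {
                [PSCustomObject]@{
                    UserPrincipalName = $User.UserPrincipalName
                    UserObjectId      = $User.ObjectId
                    GroupType         = 'Distribution'
                    GroupName         = $Group.Name
                    GroupId           = $Group.Identity
                }
            }
        }

    # Cloud-only security groups (no LastDirSyncTime); -All avoids paging limits
    Get-MsolGroup -GroupType Security -All |
        Where-Object { $null -eq $_.LastDirSyncTime } |
        ForEach-Object {
            $Group = $_
            $Hit = Get-MsolGroupMember -GroupObjectId $Group.ObjectId -All |
                Where-Object { $_.ObjectId -eq $User.ObjectId }
            if ($Hit) {
                [PSCustomObject]@{
                    UserPrincipalName = $User.UserPrincipalName
                    UserObjectId      = $User.ObjectId
                    GroupType         = 'Security'
                    GroupName         = $Group.DisplayName
                    GroupId           = $Group.ObjectId
                }
            }
        }
}

function Remove-OnlineGroupMembership {
    # Removes the memberships piped in; ConfirmImpact High prompts unless -Confirm:$false is given
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [PSCustomObject]$Membership
    )
    process {
        $Target = "$($Membership.GroupType) group '$($Membership.GroupName)'"
        if ($PSCmdlet.ShouldProcess($Target, "Remove $($Membership.UserPrincipalName)")) {
            switch ($Membership.GroupType) {
                'Distribution' {
                    Remove-DistributionGroupMember -Identity $Membership.GroupId -Member $Membership.UserPrincipalName -BypassSecurityGroupManagerCheck -Confirm:$false
                }
                'Security' {
                    Remove-MsolGroupMember -GroupObjectId $Membership.GroupId -GroupMemberObjectId $Membership.UserObjectId -GroupMemberType User
                }
            }
        }
    }
}

# Usage (placeholder UPN and path): keep a dated snapshot, rehearse with -WhatIf, then run for real
$Memberships = Get-OnlineGroupMembership -UserPrincipalName 'example@domain.com'
$Memberships | Export-Csv -Path ".\example-groups-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$Memberships | Remove-OnlineGroupMembership -WhatIf
# $Memberships | Remove-OnlineGroupMembership -Confirm:$false
```

The CSV gives you the list to restore from if an offboarding turns out to be premature, and -WhatIf prints every group that would be touched without changing anything, which is the check worth doing before the unattended run.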