# This script will allow you to update the membership of multiple users that exist in Azure AD by reading the requirements from a .csv file
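# Runs one membership action for a single user/group pair.
# $Action is the operator's answer to the Add | Remove | Check prompt (matched
# case-insensitively by switch); anything else is reported instead of being
# silently ignored, which the original switch did because it had no Default arm.
Function Invoke-MembershipAction {
    param
    (
        [Parameter(Mandatory = $true)] [string]$Action,
        [Parameter(Mandatory = $true)] [string]$User,
        [Parameter(Mandatory = $true)] [string]$Group
    )
    Switch ($Action) {
        Add {
            # Calling UserMembership function to confirm the user membership status and passing the Add switch
            UserMembership -User $User -Group $Group -Add
        }
        Remove {
            # Calling UserMembership function to confirm the user membership status and passing the Remove switch
            UserMembership -User $User -Group $Group -Remove
        }
        Check {
            # Calling UserMembership function to confirm the user membership status and passing the Check switch
            UserMembership -User $User -Group $Group -Check
        }
        Default {
            Write-Host "[WARN] Unknown option '$Action'. Expected Add, Remove or Check; nothing was changed." -ForegroundColor Red
        }
    }
}

# Entry point. Reads user/group pairs from the CSV at $Path (columns UPN and
# AADGROUP are the only ones read), or prompts for a single pair when the file
# is missing or empty, then applies the action chosen at the prompt to each pair.
# All values come from Read-Host or the CSV and are passed to UserMembership as-is.
Function Main {
    # The path to the user list CSV file
    $Path = "C:\Automation\Powershell Scripts\Users.csv"
    # Explicit default so the later test does not depend on an unset variable
    $UseFile = $false
    # Testing the path to ensure it exists and is accessible
    if (Test-Path -Path $Path) {
        # If we pass the test, verify that there's content in the file
        $UseFile = (Get-ChildItem -Path $Path).Length -ne 0
    }
    if ($UseFile) {
        # We have content: read the file and loop through each user in the list
        $UserList = Import-Csv -path $Path
        Write-Host "[INFO] Looping through all the users listed in $Path" -ForegroundColor Yellow
        # Asking whether we want to Add or Remove the user (asked once for the whole list)
        $AddRemoveCheck = (Read-Host -prompt "The options are: Add | Remove | Check")
        foreach ($User in $UserList) {
            Invoke-MembershipAction -Action $AddRemoveCheck -User $User.UPN -Group $User.AADGROUP
        }
    }
    else {
        # We assume the user wants to check a single account
        Write-Host "[INFO] The Users.csv file is empty or doesn't exist... Assuming you want to check a single user" -ForegroundColor Yellow
        # Use the input field as the user parameter
        [String]$User = Read-Host "Please enter a username"
        # Use the input field as the group parameter
        [String]$Group = Read-Host "Please enter a AAD group"
        # Do we want to Add or Remove the users from the supplied AAD group?
        $AddRemoveCheck = (Read-Host -prompt "The options are: Add | Remove | Check")
        Invoke-MembershipAction -Action $AddRemoveCheck -User $User -Group $Group
    }
}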
# This function will check if the users are a member of the AAD groups found in the Halo Role Mapping document
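# Checks whether $User belongs to the group whose DisplayName is $Group and,
# depending on the switch supplied, reports it (-Check) or hands off to
# ModifyUserGroup (-Add / -Remove). $User is whatever Get-AzureADUserMembership
# accepts for -ObjectId (a UPN in the CSV flow). NOTE(review): the group is
# matched by DisplayName only, which Azure AD does not require to be unique;
# a duplicate name means $Member may hold more than one object.
# ModifyUserGroup as written reads $Member from this scope rather than defining
# its own, so the variable name is kept.
Function UserMembership {
    param
    (
        [Parameter(Mandatory = $true)] [string]$User,
        [Parameter(Mandatory = $true)] [string]$Group,
        [Parameter(Mandatory = $false)] [Switch]$Remove,
        [Parameter(Mandatory = $false)] [Switch]$Add,
        [Parameter(Mandatory = $false)] [Switch]$Check
    )
    try {
        # The lookup lives inside the try so a failed call (e.g. unknown user) is
        # reported by the catch below instead of escaping this function
        $Member = (Get-AzureADUserMembership -ObjectId $User | Where-Object { $_.DisplayName -eq $Group })
        # Check if we want to remove the user
        if ($Remove.IsPresent) {
            if ($Member) {
                # Call the ModifyUserGroup function and supply the Remove switch
                ModifyUserGroup -User $User -Group $Group -Remove
            }
            else {
                Write-Host "$User is not a member of $Group" -ForegroundColor Yellow
            }
        }
        # Check if we want to add the user
        if ($Add.IsPresent) {
            if (!$Member) {
                # Call the ModifyUserGroup function and supply the Add switch
                ModifyUserGroup -User $User -Group $Group -Add
            }
            else {
                Write-Host "$User is already a member of $Group" -ForegroundColor Yellow
            }
        }
        # When we only want to verify the membership
        if ($Check.IsPresent) {
            if ($Member) {
                Write-Host "$User is a member of $Group" -ForegroundColor Green
            }
            else {
                Write-Host "$User is not a member of $Group" -ForegroundColor Red
            }
        }
    }
    catch {
        Write-Host "`nError Message: " $_.Exception.Message -ForegroundColor Red
        # Report the pair being processed; the original read $_.Rolename, which is not
        # a property of the error record and always printed empty
        Write-Host "`nError Processing: $User / $Group" -ForegroundColor Red
        Write-Host "`nError in Line: " $_.InvocationInfo.Line -ForegroundColor Red
        Write-Host "`nError in Line Number: "$_.InvocationInfo.ScriptLineNumber -ForegroundColor Red
        Write-Host "`nError Item Name: "$_.Exception.ItemName -ForegroundColor Red
    }
}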
# This function will allow you to add or remove an AAD group from a user
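# Adds $User to, or removes $User from, the AAD group whose DisplayName is
# $Group. The original version tested $Member without defining it, so it only
# behaved correctly when called from UserMembership (where that variable is set
# in the caller's scope); called directly, -Remove never removed and -Add
# always added. Membership is now resolved here, by group ObjectId.
# The group name is also required to resolve to exactly one object: a
# duplicate DisplayName would otherwise hand an array to -ObjectId, and at
# best fail, at worst act on a group other than the one intended.
Function ModifyUserGroup {
    param
    (
        [Parameter(Mandatory = $true)] [string]$User,
        [Parameter(Mandatory = $true)] [string]$Group,
        [Parameter(Mandatory = $false)] [Switch]$Remove,
        [Parameter(Mandatory = $false)] [Switch]$Add
    )
    try {
        # Capturing the User ObjectID (throws into the catch if the user is unknown)
        $UserObjectID = (Get-AzureADUser -ObjectId $User).ObjectId
        # Resolve the group by display name; @() forces an array so .Count is reliable
        $Matches = @(Get-AzureADGroup -All $True | Where-Object { $_.DisplayName -eq $Group })
        if ($Matches.Count -eq 0) {
            Write-Host "[ERROR] No AAD group named $Group was found; nothing was changed" -ForegroundColor Red
            return
        }
        if ($Matches.Count -gt 1) {
            Write-Host "[ERROR] $($Matches.Count) AAD groups are named $Group; refusing to modify an ambiguous target" -ForegroundColor Red
            return
        }
        $GroupObjectID = $Matches[0].ObjectId
        # Determine current membership by group ObjectId rather than by display name
        $Member = (Get-AzureADUserMembership -ObjectId $User | Where-Object { $_.ObjectId -eq $GroupObjectID })
        # Check if we want to remove the user
        if ($Remove.IsPresent) {
            if ($Member) {
                # Only remove the user if they are currently a member
                Remove-AzureADGroupMember -ObjectId $GroupObjectID -MemberId $UserObjectID
                Write-Host "$User was removed from AAD Group $Group" -ForegroundColor Green
            }
            else {
                # When the user isn't a member at the time of checking we do nothing
                Write-Host "$User is not a member of $Group" -ForegroundColor Yellow
            }
        }
        # Check if we want to add the user
        if ($Add.IsPresent) {
            if (!$Member) {
                # Only add the user if they aren't currently a member
                Add-AzureADGroupMember -ObjectId $GroupObjectID -RefObjectId $UserObjectID
                Write-Host "$User was added to AAD Group $Group" -ForegroundColor Green
            }
            else {
                # When the user is already a member at the time of checking we do nothing
                Write-Host "$User is already a member of $Group" -ForegroundColor Yellow
            }
        }
    }
    catch
    {
        Write-Host "`nError Message: " $_.Exception.Message -ForegroundColor Red
        Write-Host "`nError in Line: " $_.InvocationInfo.Line -ForegroundColor Red
        Write-Host "`nError in Line Number: "$_.InvocationInfo.ScriptLineNumber -ForegroundColor Red
        Write-Host "`nError Item Name: "$_.Exception.ItemName -ForegroundColor Red
    }
}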
# Script entry: every function above must be defined before this call, so it stays last.
# Main reads the CSV (or prompts) and performs the chosen action against Azure AD.
Main