Remove disabled users from Azure access groups using a PowerShell script

Tejaswi Dwarapureddy 1 Reputation point
2022-11-17T07:13:23.057+00:00

By using this script I'm able to fetch all the users but not able to fetch disabled users. Can anyone please help me here?

$start = Get-Date

# connect using the managed identity to access the key vault
Connect-AzAccount -Identity | Out-Null

# Connect to Azure
$clientSecretSecure = ConvertTo-SecureString $env:client_secret -AsPlainText -Force
$pscredential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList ($env:client_id, $clientSecretSecure)

try {
    Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant $env:tenant_id -ErrorAction Stop | Out-Null
} catch {
    Write-Host "Failed to connect to Azure due to $_"
    exit 1
}

# Disable PowerShell breaking changes warnings
Set-Item Env:\SuppressAzurePowerShellBreakingChangeWarnings "true"

$ErrorActionPreference = "Stop"

$keyVaultName = 'it-akv-002'
$servicePrincipalId = (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name h -ErrorAction Stop).SecretValue
$servicePrincipalSecret = (Get-AzKeyVaultSecret -VaultName $keyVaultName -Name BHPLandingZoneClientSecret -ErrorAction Stop).SecretValue

# convert servicePrincipalId secure string to clear text (the secret itself stays a SecureString)
$Credential = New-Object System.Management.Automation.PSCredential ($([System.Net.NetworkCredential]::new("", $servicePrincipalId).Password), $servicePrincipalSecret)

# Connect with a Service Principal that has access to Azure AD
Connect-AzAccount -ServicePrincipal -Credential $Credential -Tenant 4f6e1565-c2c7-43cb-8a4c-0981d022ce20 | Out-Null

$subscriptionGroups = Get-AzADGroup -DisplayNameStartsWith "azure-" | Select-Object -ExpandProperty DisplayName

# Uncomment the below if AWS groups are to be included
# $subscriptionGroups += Get-AzADGroup -DisplayNameStartsWith "aws-" | Select-Object -ExpandProperty DisplayName

$managementGroups = Get-Content "$PSScriptRoot\management_azuread_groups.txt"

# only the management groups are validated below; $subscriptionGroups is built but not added to $allGroups
$allGroups = $managementGroups
$count = 1 # for displaying group count in the output message

foreach ($group in $allGroups) {
    Write-Host "[$('{0:d3}' -f $count) of $($allGroups.Count)] Validating '$group' group"
    try {
        # keep only user members; Graph also returns nested groups, service principals and devices
        $members = Get-AzADGroupMember -GroupDisplayName $group | Where-Object { $_.OdataType -eq '#microsoft.graph.user' }
        foreach ($member in $members) {
            try {
                # accountEnabled is not in the default Graph user property set, so request it explicitly;
                # without -Select, AccountEnabled comes back $null and no user is ever reported as disabled
                $user = Get-AzADUser -ObjectId $member.Id -Select 'AccountEnabled' -AppendSelected
                # compare against $false explicitly: a $null (not returned) value must not count as disabled
                if ($user.AccountEnabled -eq $false) {
                    try {
                        # removal is commented out while testing; the message below is printed regardless
                        #Remove-AzADGroupMember -MemberUserPrincipalName $user.UserPrincipalName -GroupDisplayName $group
                        Write-Host "'$($user.UserPrincipalName)' is disabled, successfully removed from '$group' group"
                    } catch {
                        Write-Host "'$($user.UserPrincipalName)' is disabled, failed to remove from '$group' group"
                    }
                }
            } catch {
                Write-Host "Could not retrieve details for the user $($member.Id)"
            }
        }
    } catch {
        if ($_ -like "More than one group found*") {
            Write-Host "Multiple groups found with the same name for '$group', validating each group"

            $groups = Get-AzADGroup -DisplayName $group

            foreach ($grp in $groups) {
                $members = Get-AzADGroupMember -GroupObject $grp | Where-Object { $_.OdataType -eq '#microsoft.graph.user' }

                foreach ($member in $members) {
                    try {
                        $user = Get-AzADUser -ObjectId $member.Id -Select 'AccountEnabled' -AppendSelected
                        # do not use "-not $user.AccountEnabled" here: it is true for $null as well,
                        # which would flag (and remove) every member whose property was not returned
                        if ($user.AccountEnabled -eq $false) {
                            try {
                                #Remove-AzADGroupMember -MemberUserPrincipalName $user.UserPrincipalName -GroupObject $grp
                                Write-Host "'$($user.UserPrincipalName)' is disabled, successfully removed from '$group - $($grp.Id)' group"
                            } catch {
                                Write-Host "'$($user.UserPrincipalName)' is disabled, failed to remove from '$group - $($grp.Id)' group"
                            }
                        }
                    } catch {
                        Write-Host "Could not retrieve details for the user $($member.Id)"
                    }
                }
            }
        } else {
            Write-Host "'$group' not found $_"
        }
    }
    $count++
}

$end = Get-Date
$timeTaken = New-TimeSpan -Start $start -End $end

Write-Host "Script execution time: $($timeTaken.Hours) Hours $($timeTaken.Minutes) Minutes $($timeTaken.Seconds) Seconds"

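The two points the script above stumbles on are that Microsoft Graph does not return accountEnabled in the default user property set (so Get-AzADUser must be told to select it) and that a group display name is not unique, so removals should always be keyed on the group object id. The following is an added example written for this page, not code from the question or from Microsoft; it assumes the Graph-based Az.Resources cmdlets (Get-AzADGroupMember, Get-AzADUser with -Select/-AppendSelected, Remove-AzADGroupMember) and an existing Connect-AzAccount session with permission to read users and modify group membership. The filter function is separated from the Azure calls so it can be checked offline against constructed objects; a $null AccountEnabled is treated as "unknown" and skipped rather than as "disabled", because a missing property must never cause an enabled user to be removed.

```powershell
# Added example (not part of the original question). Assumes Az.Resources >= 5.x and an
# active Connect-AzAccount session. Group names below are placeholders.

function Get-GroupUserMembers {
    param([Parameter(Mandatory)][string]$GroupId)
    # Resolve by object id, never by display name: display names are not unique in Azure AD.
    Get-AzADGroupMember -GroupObjectId $GroupId |
        Where-Object { $_.OdataType -eq '#microsoft.graph.user' } |
        ForEach-Object {
            # accountEnabled is not in Graph's default user property set; request it explicitly.
            Get-AzADUser -ObjectId $_.Id -Select 'Id', 'UserPrincipalName', 'AccountEnabled' -AppendSelected
        }
}

function Select-DisabledUsers {
    param([Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Users)
    $disabled = @()
    foreach ($u in $Users) {
        if ($null -eq $u.AccountEnabled) {
            # Fail closed: an unpopulated property is "unknown", not "disabled".
            Write-Warning "AccountEnabled not returned for '$($u.UserPrincipalName)'; skipping (use -Select AccountEnabled)"
            continue
        }
        if ($u.AccountEnabled -eq $false) { $disabled += $u }
    }
    return $disabled
}

function Remove-DisabledUsersFromGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$GroupDisplayName)

    # One display name may match several groups; handle each one by its id.
    $groups = Get-AzADGroup -DisplayName $GroupDisplayName
    if (-not $groups) { Write-Warning "No group named '$GroupDisplayName'"; return }

    foreach ($grp in $groups) {
        $members = Get-GroupUserMembers -GroupId $grp.Id
        foreach ($user in Select-DisabledUsers -Users @($members)) {
            if ($PSCmdlet.ShouldProcess("$($user.UserPrincipalName) in '$GroupDisplayName' ($($grp.Id))", 'Remove disabled member')) {
                Remove-AzADGroupMember -GroupObjectId $grp.Id -MemberObjectId $user.Id
            }
        }
    }
}

# Offline check of the filter with constructed objects shaped like Get-AzADUser output.
$sample = @(
    [pscustomobject]@{ Id = '1'; UserPrincipalName = 'alice@contoso.example'; AccountEnabled = $true }
    [pscustomobject]@{ Id = '2'; UserPrincipalName = 'bob@contoso.example';   AccountEnabled = $false }
    [pscustomobject]@{ Id = '3'; UserPrincipalName = 'carol@contoso.example'; AccountEnabled = $null }   # property not selected
)
(Select-DisabledUsers -Users $sample).UserPrincipalName   # bob@contoso.example only; carol triggers a warning

# Against a real tenant: dry run first, then without -WhatIf.
# Remove-DisabledUsersFromGroup -GroupDisplayName 'azure-prod-readers' -WhatIf
```

Running the removal under -WhatIf first matters here because the script runs as a service principal with group write rights: a logic slip such as `-not $user.AccountEnabled` on a $null property would otherwise strip every member from every listed group in one pass.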