This is a simple script to remove a user's permissions on additional mailboxes within the organization's 365 domain. It can also be configured to block 365 login for those specific users. It is set up to use an OU of users but can be quickly edited for a single user, or an OU containing a single user could be used. Requires the Office 365 PowerShell modules and prerequisites to be loaded ahead of time. The script should be downloaded and the variables set in ISE or Notepad before execution.


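#######################################################################
################### Variables #########################################
#######################################################################
# Set these before running. Everything below the "Requires Modules"
# banner is driven by these values only.

$OU = "OU=YOUROU,DC=DOMAIN,DC=DOMAIN"   # Who to revoke: every user in this OU

$Cred = Get-Credential                  # Credentials for connecting to 365 (prompts)

$FromAddress = "From@who.com"           # for logging: e-mail sender

$ToAddress = "To@who.com"               # for logging: e-mail recipient

$LogPath = "\\FOLDER.TO.STORE\LOG\"     # for logging: folder that must already exist

$SMTP = "SMTP.RELAY.FORLOG"             # for logging: relay host

$BlockLogin = $False                    # Change to $true to also block 365 login

#######################################################################
### Requires Modules and pre-requisites for Office 365 Powershell #####
#######################################################################

# Timestamp for the log filename. ':' (and '/', depending on locale) are
# not valid in Windows filenames, so they are replaced.
$date = Get-Date -Format o
$date = $date -replace '/', '--'
$date = $date -replace ':', '-'

Import-Module ActiveDirectory
Import-Module MSOnline

$filename = "$date" + "___RevokeFolderPermsLog.csv"
$termlog  = Join-Path -Path $LogPath -ChildPath $filename

# Fail before any permission is touched if the log share is unreachable;
# otherwise the run would alter mailboxes and leave no record of it.
if (-not (Test-Path -LiteralPath $LogPath -PathType Container)) {
    throw "Log path not found or not reachable: $LogPath"
}

$br = "<br>"
# Lines for the e-mail body. The four dots are the original leading
# spacer and are kept so the e-mail layout does not change.
[System.Collections.ArrayList]$emaillog = @(".", ".", ".", ".")
# [void] suppresses the index that ArrayList.Add() would otherwise
# print to the console on every call.
[void]$emaillog.Add($br)
[void]$emaillog.Add($br)

# Set to $true as soon as at least one permission entry is removed.
$found = $false

Connect-MsolService -Credential $Cred

# NOTE(review): this connects with Basic authentication; confirm the
# tenant still permits it, otherwise Import-PSSession will fail here.
$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell `
    -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $O365Session -AllowClobber

try {
    Write-Progress -Activity "Getting Users: $OU"
    Write-Host "Getting Users: $OU"

    # Only the two attributes used below are requested; -Properties *
    # pulls every attribute of every user and is needlessly slow on a
    # large OU.
    $users = Get-ADUser -SearchBase $OU -Filter * -Properties UserPrincipalName, SamAccountName

    foreach ($user in $users) {
        $upn      = $user.UserPrincipalName
        $username = $user.SamAccountName

        # -eq, not '=': an assignment here is always truthy, which made
        # this branch block every user regardless of $BlockLogin.
        if ($BlockLogin -eq $true) {
            Set-MsolUser -UserPrincipalName $upn -BlockCredential $true
            Write-Host "Blocked 365 login: $upn"
        }

        # All mailboxes on which this user holds an explicit permission.
        $permissions = Get-MailboxPermission -Identity * -User "$upn"

        foreach ($mbx in $permissions) {
            $mbxname = $mbx.Identity

            # Skip the user's own mailbox. NOTE(review): Identity here is
            # the mailbox identity, which may not equal the SamAccountName;
            # confirm this guard matches the user's own mailbox in your
            # tenant, or the user's own entry will be processed too.
            if ($mbxname -ne $username) {
                # Remove, re-add with AutoMapping off, remove again.
                # Presumably the re-add clears the Outlook auto-mapping
                # entry that a plain removal leaves behind — TODO confirm
                # this is still required.
                Remove-MailboxPermission -Identity $mbxname -User $upn -AccessRights FullAccess -InheritanceType All -Confirm:$false
                Add-MailboxPermission -Identity $mbxname -User $upn -AccessRights FullAccess -InheritanceType All -AutoMapping $false
                Remove-MailboxPermission -Identity $mbxname -User $upn -AccessRights FullAccess -InheritanceType All -Confirm:$false

                $MS = "Removed: $upn permissions from:$mbxname"
                $MS | Out-File -FilePath $termlog -Append
                [void]$emaillog.Add($MS)
                [void]$emaillog.Add($br)
                Write-Progress -Activity "Removed: $upn permissions from: $mbxname"
                Write-Host "Removed: $upn permissions from: $mbxname"
                $found = $true
            }
        }
    }
}
finally {
    # Always tear down the remote Exchange session, even if a cmdlet
    # above throws, so orphaned sessions do not pile up on the tenant.
    Remove-PSSession $O365Session
}

# One summary e-mail per run. The original tested '$found = $true', an
# assignment that is always true, so the "actions taken" mail was sent
# even when nothing was removed and the "no permissions" mail never was.
$subject = "365 Mailbox Permissions Revocation Log"
$bodylog = $emaillog -join ' '
if ($found) {
    Send-MailMessage -From "$FromAddress" -To "$ToAddress" -Subject $subject -Body "The following actions have been taken and logged.<br> Log: '$termlog'  <font color='blue'><b><br> $bodylog </b></font>" -BodyAsHtml -SmtpServer $SMTP
}
else {
    Send-MailMessage -From "$FromAddress" -To "$ToAddress" -Subject $subject -Body "No permissions found for users. <br> Log: '$termlog'  <font color='blue'><b><br> $bodylog </b></font>" -BodyAsHtml -SmtpServer $SMTP
}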