I am looking to create a PowerShell script that revokes the user's Azure AD refresh tokens and

Time:06-25

I am looking for some guidance on combining the following cmdlets into a single PowerShell script:

Connect-AzureAD

Revoke-AzureADUserAllRefreshToken -ObjectId [email protected]

Get-AzureADUserRegisteredDevice -ObjectId [email protected] | Set-AzureADDevice -AccountEnabled $false

What I am hoping to achieve is to combine all three cmdlets into a single script that my staff can run, where it will prompt for the user name that we wish to run the script upon. Assuming I need to add $ObjectID = Read-Host -Prompt somewhere in this script.

Thank you in advance for any advice or guidance on how to do this.

CodePudding user response:

Assuming I understood your question and you just wanted a way to assemble all that together in the correct order, here it is.

# Use one or the other depending on whether you want to use the username or objectID.
# Read-Host -Prompt requires a string argument; without it the cmdlet fails with
# "Missing an argument for parameter 'Prompt'".
$Username = Read-Host -Prompt "Enter the user's display name or UPN"
#$ObjectId = Read-Host -Prompt "Enter the user's object ID"

Connect-AzureAD

# Use one or the other depending on whether you want to use the username or objectID.
# -SearchString prefix-matches DisplayName/UPN, so it can return more than one user.
$User = Get-AzureADUser -SearchString $Username
#$User = Get-AzureADUser -ObjectId $ObjectId

if ($null -eq $User) {
  Write-Warning "No user found with the specified criteria"
} elseif (@($User).Count -gt 1) {
  Write-Warning "More than one user matched '$Username'; refine the search so exactly one account is affected"
} else {
  # Invalidate the user's refresh tokens, then disable every device registered to them
  Revoke-AzureADUserAllRefreshToken -ObjectId $User.ObjectId
  Get-AzureADUserRegisteredDevice -ObjectId $User.ObjectId | Set-AzureADDevice -AccountEnabled $false
}

CodePudding user response:

Thank you for your help! I have tried your script but I am getting the following error:

Read-Host : Missing an argument for parameter 'Prompt'. Specify a parameter of type 'System.Object' and try again

This is what I am hoping to do when staff run the script:

  1. Prompt to authenticate to Azure.
  2. Get prompted to enter an object ID for the departing staff member that we wish to run the revoke commands on. Once the object ID is entered, the script will then pass the object ID to the following:
  3. Revoke the user's Azure AD refresh tokens - refer to https://docs.microsoft.com/en-us/powershell/module/azuread/revoke-azureaduserallrefreshtoken
  4. Disable the user's devices - refer to https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaduserregistereddevice

I am basically looking to combine steps 2 & 3 from the Azure Active Directory environment part of this MS doc - https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/users-revoke-access

It is to add to our current user account off-boarding process.
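The four steps described above, written as an added example that is not part of the original question or answer. It wraps the three cmdlets in a function with -WhatIf/-Confirm support, resolves the identity to exactly one account before touching anything, and returns a record the operator can keep for the off-boarding ticket. The function name Invoke-UserOffboarding and the parameter name Identity are my own; the cmdlets and their parameters are the ones from the AzureAD module used in the thread.

```powershell
#Requires -Modules AzureAD
# Added example (not the original poster's or Microsoft's code): off-boarding helper
# that prompts for the departing user's identity, revokes refresh tokens and
# disables registered devices. Function and parameter names are assumptions.
function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # UPN (user@domain) or Azure AD object ID (GUID) of the departing user
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [string]$Identity
    )

    # Step 1: authenticate. Get-AzureADTenantDetail throws when there is no
    # session, in which case Connect-AzureAD prompts interactively.
    try { $null = Get-AzureADTenantDetail -ErrorAction Stop }
    catch { $null = Connect-AzureAD }

    # Step 2: resolve exactly one user. A GUID is looked up by ObjectId; anything
    # else is treated as a UPN and matched exactly with -Filter rather than
    # -SearchString, which prefix-matches and can return several accounts.
    if ($Identity -as [guid]) {
        $user = Get-AzureADUser -ObjectId $Identity -ErrorAction Stop
    } else {
        $safeUpn = $Identity.Replace("'", "''")   # escape quotes for the OData filter
        $user = Get-AzureADUser -Filter "userPrincipalName eq '$safeUpn'"
    }
    if (-not $user) { throw "No user found for '$Identity'." }
    if (@($user).Count -gt 1) {
        throw "Identity '$Identity' matched $(@($user).Count) users; refine it so only one account is affected."
    }

    # Honour -WhatIf / -Confirm before making any change
    $action = 'Revoke all refresh tokens and disable registered devices'
    if (-not $PSCmdlet.ShouldProcess($user.UserPrincipalName, $action)) { return }

    # Step 3: invalidate refresh tokens and session cookies. Access tokens that
    # were already issued remain valid until they expire, so sign-out is not instant.
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
    Write-Verbose "Refresh tokens revoked for $($user.UserPrincipalName)"

    # Step 4: disable every device registered to the user so it can no longer
    # satisfy device-based Conditional Access policies
    $devices = @(Get-AzureADUserRegisteredDevice -ObjectId $user.ObjectId)
    foreach ($device in $devices) {
        Set-AzureADDevice -ObjectId $device.ObjectId -AccountEnabled $false
        Write-Verbose "Disabled device '$($device.DisplayName)' ($($device.ObjectId))"
    }

    # Return a record of what was done so the operator can attach it to the ticket
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        ObjectId          = $user.ObjectId
        TokensRevoked     = $true
        DevicesDisabled   = $devices.Count
        DeviceIds         = @($devices.ObjectId)
        CompletedAt       = (Get-Date).ToUniversalTime()
    }
}

# Interactive entry point for staff: prompt for the identity, then run with confirmation
$identity = Read-Host -Prompt 'Enter the departing user''s UPN or object ID'
Invoke-UserOffboarding -Identity $identity -Verbose
```

Run it once with -WhatIf to see which account and devices would be affected before running it for real. Two caveats worth building into the off-boarding checklist: revoking refresh tokens does not invalidate access tokens that are already issued, so the account should also be disabled or have its password reset as the linked Microsoft doc describes; and the AzureAD module is deprecated in favour of the Microsoft Graph PowerShell SDK, where the equivalents are Revoke-MgUserSignInSession and Update-MgDevice -AccountEnabled:$false.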
