Monday, December 21, 2015

Using PowerShell cmdlets to remove accounts in Azure Active Directory

I've been recently asked to perform cleanup in an Azure directory that had orphaned accounts that were left over from a previous DirSync.  What the client noticed was that the accounts that used to be associated with their on-prem domain were converted to Microsoft Azure Active Directory when the synchronization was removed.  













Most of the accounts that they wanted removed had the User Name format as:

@domain.onmicrosoft.com

The directory also had accounts with the format:

@domain.com

... which they did not want removed.

This particular directory did not have many accounts which meant manually remove them via the GUI was possible but I thought this would be a good opportunity to demonstrate how to use PowerShell cmdlets to filter and remove the accounts in bulk.

Begin by the launching WAAD (Windows Azure Active Directory) console execute Connect-MsolService and log in with the global or subscription admin account for the Azure Directory.

Once logged in, the cmdlet we'll be using to retrieve the set of users to be deleted is:

Get-MsolUser

https://msdn.microsoft.com/en-us/library/azure/dn194133.aspx

Note that every environment will be different so the following example will need to be tweaked accordingly.

The accounts I wanted to delete in this particular Azure directory all had the @domain.onmicrosoft.com format but within these accounts, there was 1 administrative account that I did not want to delete.  This account was:

o365admin@domain.onmicrosoft.com

With the above 2 requirements in mind, the 2 filters I needed for the Get-MsolUser cmdlet would be:

where-object {$_.UserPrincipalName -like "*domain.onmicrosoft.com"} 
where-object {$_.UserPrincipalName -notlike "o365admin*"}

Combining the two filters together will create the following cmdlet:

Get-MsolUser | where-object {$_.UserPrincipalName -like "*domain.onmicrosoft.com"} | where-object {$_.UserPrincipalName -notlike "o365admin*"}

As mentioned earlier, every directory is unique and even if your environment matched this example, it is important to execute this cmdlet and review the returned accounts to verify no mistakes were made:















One of the annoyances I come across when working with PowerShell is that outputs such as the above tend to get truncated because of the length of the records so if you experience this, simply include the following at the end of the cmdlet:

| Format-Table -Wrap -AutoSize

The cmdlet would look as such:

Get-MsolUser | where-object {$_.UserPrincipalName -like "*domain.onmicrosoft.com"} | where-object {$_.UserPrincipalName -notlike "o365admin*"} | Format-Table -Wrap -AutoSize

The output would look as such:















Note that if the output above fills the screen buffer, you can pipe it to a txt file to review with:

> C:\userAccounts.txt 

Once you have verified that the accounts retrieved are the ones that can be safely deleted, proceed with appending the following cmdlet to the end:

Remove-MsolUser


https://msdn.microsoft.com/en-us/library/dn194132.aspx

Get-MsolUser | where-object {$_.UserPrincipalName -like "*domain.onmicrosoft.com"} | where-object {$_.UserPrincipalName -notlike "o365admin*"} | Remove-MsolUser -Force





You should now see the accounts removed in the Azure GUI once the cmdlet successfully completes:




No comments: