Managing Guest Users in Azure Active Directory with PowerShell – A Game Changer for IT Admins!

Are you tired of manually managing guest users in your Azure Active Directory (Azure AD)? Well, have no fear because with the power of PowerShell, we can automate this process and make it a breeze!

The script we’ll be discussing in this post uses the AzureAD PowerShell module to connect to Azure AD and retrieve guest users who have not accepted an invitation within 45 days or who have not logged in within 180 days. And get this – it then automatically removes those users from the organization!

No more manual labor, no more wasted time, and no more headaches – just pure efficiency and organization.

Here’s the script in its entirety, ready to revolutionize your guest user management.

<#
    .NOTES
    ===========================================================================
     Organization:  HDSupply
     Filename:      RB-AZ-RemovePendingGuest.ps1
     ScheduleFrequency: Weekly
    ===========================================================================
    .SYNOPSIS
    This script connects to Azure Active Directory, and then removes all guest users whose state is "PendingAcceptance" and whose refresh tokens were last valid 45 days ago or earlier, and all guest users whose state is "Accepted" and whose refresh tokens were last valid 180 days ago or earlier.
    .DESCRIPTION
    This script uses the AzureAD PowerShell module to connect to Azure AD and retrieve guest users who have not accepted an invitation within 45 days or who have not logged in within 180 days. The script then removes those users from the organization.
    This script is intended to be run on a schedule (e.g. Weekly) to keep the list of guest users in the organization up-to-date. It uses the "CloudAdmin" credentials to connect to Azure AD, which should be configured in the Automation service prior to running the script.
#>

# Variables to get Connected!
[PSCredential]$creds = Get-AutomationPSCredential -Name "ClientSecret"
[PSCredential]$cred = Get-AutomationPSCredential -Name "CloudAdmin"
[string]$clientID = $creds.UserName
[string]$clientSecret = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($creds.Password))
[string]$tenantName = "Enter TenantID or your TenantName"
[hashtable]$reqTokenBody = @{
    Grant_Type    = "client_credentials"
    Scope         = "https://graph.microsoft.com/.default"
    client_Id     = $clientID
    Client_Secret = $clientSecret
}
[string]$TokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TenantName/oauth2/v2.0/token" -Method POST -Body $ReqTokenBody
[string]$TokenResponse | ConvertTo-Json
[string]$Token = $TokenResponse.access_token\

#Import Modules and Connect
Import-Module Microsoft.Graph.Users
Import-module AzureAD
Select-MgProfile -Name "beta"
Connect-MgGraph -AccessToken $Token
Connect-AzureAD -Credential $cred

# This line retrieves all guest users whose state is "PendingAcceptance" and whose refresh tokens were last valid 45 days ago or earlier
[Array]$PendingUsers = Get-AzureADUser -Filter "UserType eq 'Guest' and UserState eq 'PendingAcceptance'" -all $true | where { $_.RefreshTokensValidFromDateTime -lt (Get-Date).AddDays(-45) }
foreach ($PendingUser in $PendingUsers)
{
    # This line assigns the object ID of the current user to a variable
    $PendingUserObjectID = $PendingUser.ObjectId
    # This line outputs a message indicating that the user is being removed
    Write-Output "Removing Pending User $($PendingUser.DisplayName)"
    # This line removes the user using their object ID
    Remove-AzureADUser -ObjectId $PendingUserObjectID
}

#Days
[int]$days = 180

# This line retrieves all guest users whose state is "Accepted"
[Array]$AcceptedUsers = Get-AzureADUser -Filter "UserType eq 'Guest' and UserState eq 'Accepted'" -all $true
Foreach ($acceptedUser in $acceptedUsers)
{
    # This line assigns the object ID of the current user to a variable
    [string]$acceptedUserObjectID = $acceptedUser.ObjectId
    # Get the last sign-in date for the guest
    [Nullable[datetime]]$lastSignInDate = (Get-MgUser -UserId $acceptedUserObjectID -Property 'SigninActivity').signinactivity.LastSignInDateTime
    If ($Null -eq $lastSignInDate -or $lastSignInDate -eq '01/01/0001 00:00:00')
    {
        # Get the Date they Accepted the invitation since they never signed in. 
        $lastSignInDate = $AcceptedUser.RefreshTokensValidFromDateTime
    }
    # Calculate the number of days since the last sign-in
    [int]$daysSinceLastSignIn = (New-TimeSpan -Start $lastSignInDate -End (Get-Date)).Days
    # Check if the guest hasn't signed in for the specified number of days
    if ($daysSinceLastSignIn -ge $days)
    {
        # Output a message indicating that the user is being removed
        Write-Output "Removing user $($acceptedUser.DisplayName) who hasn't signed in for $daysSinceLastSignIn  days"
        # Remove the user
        Remove-AzureADUser -ObjectId $acceptedUserObjectID
    }
    $Null = $lastSignInDate
}

Different ways I have automated Processes using Powershell.

Using AzureAutomate to replace all Scheduled Tasks.

I found that scheduled tasks just suck. You cannot go back and see what happened to the scheduled tasks. When you have to change a password to say a service account you have to change each scheduled task. It also can keep your SQL creds and other creds out of your code out of the box. I’ll post some examples

You can implement Source control with your Azure DevOps. So, when you push changes from your repository, it will add to your runbooks.
Scheduling can be very customized
So, you can store anything. I store SQL info, APPIDs / Secret, this can also store certificates which you can call with some commands I’ll show below.
As you can see here you can assign the Credential to a Variable.
You can drill down in a job and see what happens. Instead of Write-Host you will have to use a Write-Output. This will effectively show you what the script did.
You can use the All Logs tab to see more granular information. It will show you any errors or warnings. There is also an option to run everything in verbose.

There is so many things you can use with AzureAutomate, just explore. There is also a feature to have a run AS account for your hybrid worker / Azure worker. So, you can run all the scripts as a single user. I forget to talk about pricing but for the most part I run close to 4K jobs daily and the cost is around 20 dollars a month.

Using Microsoft Forms / PowerApps + Flow + To Azure Automate.

This allows you to quickly make a form you can hand to the helpdesk team that they can use quickly. You can make this external as well if needed. I do have a form for a vendor we work with so they can add users to a group from their end so they can SSO.

Kurt always breaks things
What the flow looks like on the backend. Basically, takes the information on the form and creates a Job in Azure Automate. If you need to run the command on prem make sure you click advanced under the create job and add the name of your hybrid worker.
What the job looks like on the intake side. Just give it parameters, so when you select it in the flow it will have the parameters already in there, as you can see in the above picture.

Powerapps uses the same concept as above, but you can customize it more than a form. It’s not the prettiest thing in the world since I suck at UI, but it does what you need to do. This PowerApp is mainly given to our helpdesk. I give them access to this instead of direct access to AD / Exchange / O365.

Some quick actions our field technicians have, and you can access this all via Mobile APP which is a cool thing.

Using Universal Dashboard

https://universaldashboard.io This allows you to basically create a website on the frontend but it is all programmed with Powershell which is amazing, and easy to work with. It can use SSO, you can also build API endpoints that you can invoke via rest which is amazing.

This is just an example of a webpage I created for our SOC team. It has a Password never expires, Built-in Admin Accounts, ServiceAccount with Domain Admin Tabs. The following is a modal that allows a helpdesk user build a Admin account, they have to put in the ticket number with the approvals and for the most part it keeps our compliance team happy as all of this info is logged into a SQL database.

There is much more you can do with Universal Dashboard. It is very fun to use but does cost 500 a year for a single website.

Powershell Studios

https://www.sapien.com/software/powershell_studio This is the way I used to build UI Apps with Powershell. It is still relevant, but windows forms / WPF is just old school. I have built 2 apps that our company uses.

The main purpose of this app was to give helpdesk access to perform tasks in a safe manner. So, at this company, we are a hosting provider which means we handle multiple companies. That means that all of the customers sit on the same AD Forest. So, if we were to give helpdesk access to AD / Exchange. They could do something like Get-Mailbox | Set-mailbox which would affect all customers instead of one, that would be a bad day.
We manage a big exchange environment. We also do not have SCCM, but this tool allows you to update Exchange on multiple nodes at the same time, and with exchange you need to properly fail it over before you reboot and turn off bitlocker. This app has been pretty huge to the team, and we use it on a daily basis. Anything that happens in the app writes to a teams channel so everyone in the team is notified if someone is working on a server.

There are soo many ways you can automate with Powershell and I wanted to share my experiences and how these apps have changed my life to make it much easier in the long run. Most of these apps take a very long time to build, but when it is finished, you get soo much relief from the day to day / busy work tasks. If you have any questions on how I used these apps feel free to contact me on LinkedIn.

https://www.linkedin.com/in/alvinerb/

Prepping Servers for Dell Open Managed Enterprise

So at one of my companies we lease servers from a large hosting company (we only purchase Dell). When they set them up for us, the default name for the Drac DNS name is the server tag. When using Open Manged Essentials it wasn’t a big deal. However, in Enterprise since it actually connects to DRAC (you have to put the DRAC subnet and password to manage with Enterprise) If you don’t know about Open Managed Enterprise give it a shot! It runs on CentOS and the install is pretty easy to use, you just load up the VHD in VMWare or Hyper-V and roll out. The firmware updates also can be staged to run on reboot, so if you need to do certain fail overs it won’t start until the machine is rebooting. It also utilizes the LifeCycle controller to update the box, which makes it more stable, because I ran into issues running Intel NIC Firmware updates causing blue screens. Anyways, here is the powershell Script, I made to Prep all my servers for Open Manage Enterprise.

This Script will grab all the computers in AD (you can filter it how you want), Check to see if it can run racadm. If it can, it will run the following commands, I will explain what each one does. Each command has the legacy command also, I will keep it in there encase you aren’t running DRAC 7+

  • racadm config -g cfgLanNetworking -o cfgDNSRacName $computer;racadm set iDRAC.NIC.DNSRacName $computer Sets Name for DRAC
  • racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i 1 supersecurepassword;racadm set iDRAC.Users.1.Password supersecurepassword Sets Admin password for index 1 and index 2 which should be root. I had issues with index 1 being root in the past, if anon is not there, so i just kept it there and let it error.
  • racadm racreset This just resets DRAC, takes about 10 minutes. 
$computers = Get-ADComputer -filter *

foreach($computer in $computers)
{
	$cn = $computer.name 

	$rac = Invoke-Command -ComputerName $cn -scriptblock {racadm getsysinfo} -ErrorAction SilentlyContinue
	
	if($rac)
	{
		Write-Host "Updating DRAC info for $cn" -ForegroundColor Yellow
		Invoke-Command -ComputerName $cn -ScriptBlock {$Computer = hostname; racadm config -g cfgLanNetworking -o cfgDNSRacName $computer;racadm set iDRAC.NIC.DNSRacName $computer}
		Invoke-Command -ComputerName $cn -scriptblock {racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i 1 supersecurepassword;racadm set iDRAC.Users.1.Password supersecurepassword}
		Invoke-Command -ComputerName $cn -scriptblock {racadm config -g cfgUserAdmin -o cfgUserAdminPassword -i 2 supersecurepassword;racadm set iDRAC.Users.2.Password supersecurepassword}
		Invoke-Command -ComputerName $cn -scriptblock {racadm racreset}
	}
	else
	{
		Write-Host "DRAC is not Available on $CN" -ForegroundColor Red
	}
$rac = $null
}

Creating a Service with PowerShell Studios

So.. on my recent trip to Florida. Our Support team has a single login to make changes to settings for a server from a web page. So when the change is made, it changes a certain configuration file on the machine. But since they all use one login, they didn’t know who made the change. So I explored some options, and found that with PowerShell Studios you can compile a service and register it. It is very simple also. I am sure I can add more to my service to clean it up a little. I nulled all the variables at the end and found it saved me 2 MB of memory usage.. lol

So the service below detects changes to the file. Then does a netstat on port 8010 to get the users connected. (users have to use that port to connect to the webadmin) Does a NSLookup on what it finds, logs their IP, and creates a backup of the rule. Also, I added something to only keep 90 days of rules because these files are quite large on our side. I kept the write host in the code to help with commenting on the script. The code below uses .net FileWatcher service, and is pretty powerful. The file Watcher Service can watch for changes, deletions, and new.

To install the service you would just compile the Service into a EXE then just use command prompt or powershell to .\WatcherService.exe /i register the service and then start it. You can use the /u argument to uninstall the service. 

# Warning: Do not rename Start-MyService, Invoke-MyService and Stop-MyService functions

function Start-MyService
{
    # Place one time startup code here.
    # Initialize global variables and open connections if needed
    $global:bRunService = $true
    $global:bServiceRunning = $false
    $global:bServicePaused = $false
}

function Invoke-MyService
{
    $global:bServiceRunning = $true
    while ($global:bRunService)
    {
        try
        {
            if ($global:bServicePaused -eq $false) #Only act if service is not paused
            {
                #Checks for a Job, if a job is still open it just skip
                $JobCount = get-job
                If ($JobCount -eq $Null)
                {
                    $server = $env:computername
                    $folder = '\\' + $Server + '\d$\Admin\Settings' # Enter the root path you want to monitor.
                    $filter = 'Rules.*' # You can enter a wildcard filter here. You can use Extension also 
                    $fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{ IncludeSubdirectories = $false; NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite' }
                    
                    Register-ObjectEvent $fsw Changed -SourceIdentifier FileChanged -Action {
                        $name = $Event.SourceEventArgs.Name
                        $changeType = $Event.SourceEventArgs.ChangeType
                        $timeStamp = $Event.TimeGenerated
                        Write-Host "The file '$name' was $changeType at $timeStamp" -fore white
                        $GetIP = Get-NetTCPConnection -LocalPort 8010 | ?{ $_.LocalAddress -ne "127.0.0.1" -and $_.LocalAddress -ne "0.0.0.0" } | select-object Remoteaddress -Unique
                        
                        Foreach ($IP in $GetIP)
                        {
                            $IPAddress = $IP.RemoteAddress
                            $NameofUser = (Resolve-DnsName $IPAddress).NameHost
                            #this might be different than your enviornment, in ours we cannot nslookup a VPN adddress. 
                            If ($IPaddress -like "192*")
                            {
                                Write-Host "A VPN User most likely Changed the rules files With IP of $IPAddress"
                                Out-File -FilePath 'D:\WatcherService\Logs\Changelog.txt' -Append -InputObject "$timeStamp A VPN User most likely Changed the rules files With IP of $IPAddress"
                            }
                            Else
                            {
                                Write-Host "$NameofUser most likely Changed the rules files With IP of $IPAddress"
                                If ($NameofUser -eq $null)
                                {
                                    Out-File -FilePath 'D:\WatcherService\Logs\Changelog.txt' -Append -InputObject "$timeStamp Could not find User, but their IP is $IPAddress and RuleFile Was Changed"
                                }
                                Else
                                {
                                    Out-File -FilePath 'D:\WatcherService\Logs\Changelog.txt' -Append -InputObject "$timeStamp $NameofUser most likely Changed the rules files With IP of $IPAddress"
                                }
                            }
                            
                        }
                        $TimeforFile = get-date -Format M.dd.y.H.mm.s
                        $FilePath = "D:\WatcherService\RulesBackup\" + $TimeforFile + ".txt"
                        get-content D:\Admin\Settings\rules.settings | Add-Content $FilePath
                        sleep 10
                        $GetIP = $Null
                        $TimeforFile = $Null
                        $FilePath = $Null
                        $changeType = $Null
                        $timeStamp = $Null
                        $name = $Null
                    }
                    $today = Get-Date
                    $90Days = $today.adddays(-90)
                    #Gather all files other than 90 days and deletes them. 
                    $RulesLogFile = Get-ChildItem "D:\WatcherService\RulesBackup" -Include *.filter -ErrorAction SilentlyContinue | where { $_.lastwritetime -le $90Days -and $_.psIsContainer -eq $false }
                    
                    if ($RulesLogFile -ne $null)
                    {
                        foreach ($Rule in $RulesLogFile)
                        {
                            [string]$Rulefullfilename = $Rule.fullname
                            Remove-Item $Rulefullfilename -ErrorAction SilentlyContinue | out-null
                        }
                    }
                    
                    $RulesLogFile = $Null
                    $today = $Null
                    $90Days = $Null
                    $server = $Null
                    $folder = $Null
                    $filter = $Null
                    $fsw = $Null
                    
                }
            }
        }
        catch
        {
            # Log exception in application log
            Write-Host $_.Exception.Message
        }
        # Adjust sleep timing to determine how often your service becomes active
        if ($global:bServicePaused -eq $true)
        {
            Start-Sleep -Seconds 45 # if the service is paused we sleep longer between checks
        }
        else
        {
            Start-Sleep -Seconds 30 # a lower number will make your service active more often and use more CPU cycles
        }
    }
    $global:bServiceRunning = $false
}

function Stop-MyService
{
    $global:bRunService = $false # Signal main loop to exit
    $CountDown = 30 # Maximum wait for loop to exit
    while ($global:bServiceRunning -and $Countdown -gt 0)
    {
        Start-Sleep -Seconds 1 # wait for your main loop to exit
        $Countdown = $Countdown - 1
    }
    Get-Job | Stop-Job
    Unregister-Event FileChanged
}

function Pause-MyService
{
    # Service is being paused
    # Save state 
    $global:bServicePaused = $true
    # Note that the thread your PowerShell script is running on is not suspended on 'pause'.
    # It is your responsibility in the service loop to pause processing until a 'continue' command is issued.
    # It is recommended to sleep for longer periods between loop iterations when the service is paused.
    # in order to prevent excessive CPU usage by simply waiting and looping.
}

function Continue-MyService
{
    # Service is being continued from a paused state
    # Restore any saved states if needed
    $global:bServicePaused = $false
}

Creating an On Call Calendar Rotation with Powershell

Our company was using a Sharepoint Calendar for all of the on call stuff. Which was very hard to manage especially if we got a new employee, swap on call weeks, etc. So I came up with an idea to create a webpage as well as sending an email every Tuesday (Our swap day) to notify everyone who is on call. It also provided the accurate dates on when you would be on call.

Above is the sample HTML file created by my script. I created a scheduled task to run this script nightly to keep the remote days updated. It also will rotate the user when Tuesday comes around to the bottom. You can change it to what ever you need. To run this, just create a CSV with the headers “Name”,”Email”,”Cell”,”Area” in the folder you are running the Powershell Script. If you have any problems just let me know!

[int]$DateCounter = 0
[int]$StartDateCounter = 0
[int]$CycleCount = 0
[String]$DayofWeek = (get-date).DayOfWeek
[Switch]$SendMail = $False
[String]$Runtime = get-date -Format g

Set-Location $PSScriptRoot

If ($DayOfWeek -ne "Tuesday")
{
    $DoNotRotate = $True
}

$Website = @()
$NewList = @()

$Website += "<html>"
$Website += "<head>"
$Website += "   <title>IT Engineering Schedule</title>"
$Website += "<style>"
$Website += "body {"
$Website += "   color: #666;"
$Website += '   font-family: /*"Open Sans", */Arial, Helvetica, sans-serif;'
$Website += "   line-height: 1.5;"
$Website += "   font-size: 16px;"
$Website += "}"
$Website += ".container {"
$Website += "   max-width: 800px;"
$Website += "   width: 80%;"
$Website += "   margin: 50px auto 0;"
$Website += "}"
$Website += ""
$Website += "a {"
$Website += "   color: #0053a0;"
$Website += "   text-decoration: none;"
$Website += ""
$Website += "}"
$Website += ".notice {"
$Website += "   display: block;"
$Website += "   font-weight: bold;"
$Website += "   color: rgb(177, 39, 39);"
$Website += "   border: 1px solid #ccc;"
$Website += "   border-radius: 2px;"
$Website += "   padding: .5em 5%;"
$Website += "   background-color: #f1f1f1;"
$Website += "   text-align: center;"
$Website += "   font-size: 1.2em;"
$Website += "}"
$Website += ".calendar {"
$Website += "   display:block;"
$Website += "   text-align: left;"
$Website += "   font-size: 1.5em;"
$Website += "   font-weight: bold;"
$Website += "   color: black;"
$Website += "   background-color: #FFFFFFF;"
$Website += "   -webkit-transition: background-color .1s ease-in-out;"
$Website += "   -moz-transition: background-color .1s ease-in-out;"
$Website += "   -o-transition: background-color .1s ease-in-out;"
$Website += "   transition: background-color .1s ease-in-out;"
$Website += "}"
$Website += ".calendar:hover {"
$Website += "   color: white;"
$Website += "   background-color: #6F94B6;"
$Website += "   cursor: pointer;"
$Website += "   -webkit-transition: background-color .1s ease-in-out;"
$Website += "   -moz-transition: background-color .1s ease-in-out;"
$Website += "   -o-transition: background-color .1s ease-in-out;"
$Website += "   transition: background-color .1s ease-in-out;"
$Website += "}"
$Website += ".calendar:active {"
$Website += "   background-color: #A7BED2;"
$Website += "   color: white;"
$Website += "}"
$Website += ""
$Website += "p, h3 span {"
$Website += "   color: #989898;"
$Website += "   font-size: 80%;"
$Website += "}"
$Website += ""
$Website += "@media all and (max-width: 600px) and (min-width: 0px) {"
$Website += "   body {"
$Website += "       font-size: 14px;"
$Website += "   }"
$Website += "   .container {"
$Website += "       margin: 0 auto;"
$Website += "       width: 95%;"
$Website += "   }"
$Website += "   .notice {"
$Website += "       padding: .5em .5em;"
$Website += "   }"
$Website += "   .calendar {"
$Website += "       font-size: 1em;"
$Website += "       padding: 2%;"
$Website += "   }"
$Website += "}"
$Website += ""
$Website += "li { background:white; }"
$Website += "li.odd { background: #f1f1f1; }"
$Website += "table {"
$Website += "   width:100%;"
$Website += "}"
$Website += "table, th, td {"
$Website += "   border-collapse: collapse;"
$Website += "}"
$Website += "th, td {"
$Website += "   padding: 1px;"
$Website += "   text-align: left;"
$Website += "}"
$Website += "table#t01 tr:nth-child(even)"
$Website += "{"
$Website += "   background-color: #eee;"
$Website += "}"
$Website += "table#t01 tr:nth-child(odd)"
$Website += "{"
$Website += "   background-color: #fff;"
$Website += "}"
$Website += "table#t01 th {"
$Website += '   background-color: #989898;'
$Website += "   color: white;"
$Website += "}"
$Website += "</style>"
$Website += "</head>"
$Website += "<body>"
$Website += '<div class="container">'
$Website += '<p class="notice">IT Engineering Schedule. If you are Highlighted you are On Call :)</p>'
$Website += ""
$Website += "<h3>On Call List</h3>"
$Website += "<table>"


If ($DonotRotate)
{
    $NewList = Import-Csv ".\OnCallList.csv"
}
Else
{
    #Check if Already Rotated this Tuesday
    [string]$TuesdayDate = get-date -Format MM.dd.y
    $TuesdayCheck = Get-Content ".\rotatecheck.txt"
    $CheckTuesday = $TuesdayCheck | Select-String $tuesdaydate
    If ($CheckTuesday)
    {
        $NewList = Import-Csv ".\OnCallList.csv"
    }
    Else
    {
        #Append Date to File
        Out-File -FilePath ".\rotatecheck.txt" -Append -InputObject $TuesdayDate
        #Gather List of users
        $ListofUsers = Import-Csv ".\OnCallList.csv"
        
        foreach ($User in $ListofUsers)
        {
            #Move Top of the list to bottom
            If ($User -eq $ListofUsers[0])
            {
                #Skip the user  
            }
            Else
            {
                $NewList += $User
            }
        }
        #Add the First user to bottom
        $NewList += $ListofUsers[0]
        $NewList | Export-Csv -path ".\OnCallList.csv" -NoTypeInformation -Force
        $SendMail = $True
        $OnCallUser = $NewList[0].Name
        $Subject = "$OnCallUser is on call this week"
        $OnCallEmail = $NewList[0].Email
        
    }
}
Foreach ($OnCall in $NewList)
{
    $Website += "<tr>"
    if ($DonotRotate -and $CycleCount -eq 0)
    {
        $i = 0
        do { $LastTuesday = (Get-Date).AddDays(--$i).Date }
        until ($LastTuesday.DayofWeek -eq 'Tuesday')
        $StartDate = $LastTuesday.ToString('MM-dd-yyyy')
        $Plus6Days = $LastTuesday.AddDays(6).ToString('MM-dd-yyyy')     
        $Website += '<td> <font color="Red">' + "$($OnCall.Name)" + "</td>"
        $Website += '<td> <font color="Red">' + "$($OnCall.Cell)" + "</td>"
        $Website += '<td> <font color="Red">' + "$($OnCall.Area)" + "</td>"
        $Website += '<td> <font color="Red">' + "$StartDate - $Plus6Days" + "</td></font>"
        [int]$Math = 7 + $i
        $StartDateCounter = $StartDateCounter + $Math
    }
    Else
    {
        $DateCounter = $StartDateCounter + 6
        $StartDate = (Get-Date).AddDays($StartDateCounter).ToString('MM-dd-yyyy')
        $Plus6Days = (Get-Date).AddDays($DateCounter).ToString('MM-dd-yyyy')
        If ($CycleCount -eq 0)
        {
            $Website += '<td> <font color="Red">' + "$($OnCall.Name)" + "</td>"
            $Website += '<td> <font color="Red">' + "$($OnCall.Cell)" + "</td>"
            $Website += '<td> <font color="Red">' + "$($OnCall.Area)" + "</td>"
            $Website += '<td> <font color="Red">' + "$StartDate - $Plus6Days" + "</td></font>"
        }
        Else
        {
            $Website += "<td> $($OnCall.Name) </td>"
            $Website += "<td> $($OnCall.Cell) </td>"
            $Website += "<td> $($OnCall.Area) </td>"
            $Website += "<td> $StartDate - $Plus6Days </td>"
        }
        $StartDateCounter = $StartDateCounter + 7
    }
    $Website += "</tr>"
    $CycleCount++
}
$Website += ""
$Website += "   </ul>"
$Website += "   </table>"

$Website2 = $Website
$Website2 += ""
$Website2 += "<h3>Who's Remote Today?</h3>"
$Website2 += "  <ul>"
$Website2 += ""

Switch ($DayofWeek)
{
    "Tuesday"
    {
        $Website2 += "<li>Joe Shmoe</li>"
        $Website2 += "<li>Jon Smith</li>"
        $Website2 += "<li>Michael Jackson</li>"
    }
    "Wednesday"
    {
        $Website2 += "<li>R Kelly</li>"
        $Website2 += "<li>Alejandro Perez</li>"
        $Website2 += "<li>Anthony P</li>"
        $Website2 += "<li>Lewis Clarke</li>"
        $Website2 += "<li>Larry Bird</li>"
        $Website2 += "<li>Michael Jordan</li"
    }
    "Thursday"
    {
        $Website2 += "<li>Ken Streetfighter</li>"
        $Website2 += "<li>Cool Guy</li>"
        $Website2 += "<li>Funny Alvarez</li>"
    }
    "Friday"
    {
        $Website2 += "<li>R Kelly</li>"
        $Website2 += "<li>Alejandro Perez</li>"
        $Website2 += "<li>Anthony P</li>"
    }
    default { $Website2 += "<li> None </li>" }
}



$Website2 += ""
$Website2 += "  </ul>"

$Website2 += "<p><span>Note: The List rotates every Tuesday Morning. If you need to swap with anyone ask a person close to your rotation.<br>"
$Website2 += "An Email is Generated every Tuesday Morning. Script was Last Ran at $RunTime </span></p>"
$Website2 += ""
$Website2 += ""
$Website2 += "<br>"
$Website2 += "</body>"
$Website2 += "</html>"

$Website += "<p><span>Note: The List rotates every Tuesday Morning. If you need to swap with anyone ask a person close to your rotation.<br>"
$Website += "An Email is Generated every Tuesday Morning. Script was Last Ran at $RunTime </span></p>"
$Website += ""
$Website += ""
$Website += "<br>"
$Website += "</body>"
$Website += "</html>"

$website2 | Out-File ".\index.html" -Force

if ($SendMail)
{
    $Body = $website | Out-String
    Send-MailMessage -From ITEngineeringoncall@contoso.com -To "itengineering@contoso.com" -BodyAsHtml -Body $Body -SmtpServer smtp.wellstar.org -Subject $Subject
}

Shared Mailboxes in Hybrid Exchange

So, when I started my 2nd Job one of the main tasks was to migrate all the users from Exchange 2010 to the O365. Once all of that was completed, I planned on removing Exchange, however I found that it is recommended to keep at least 1 Exchange server to run Exchange commands to if you plan to keep your AD on Prem. If you live on the wild side. You can edit AD attributes manually / script to create users, and have DIRSync/ADConnect pick it up. But that would be a hassle, instead of just doing a New-RemoteMailbox command. So I built an Exchange 2016 Box using the Hybrid License, and decommed the others. At the time I was on CU7. The problem I was having is that the New-RemoteMailbox command did not have an option to create shared mailboxes directly to the cloud. So I had to create a normal mailbox and convert it or create the SharedMailbox on Prem and migrate it. However, I found out in the later CUs they added a parameter to allow Creation of Shared Mailbox directly to the cloud.

Note: This switch is available only in Exchange 2013 CU21 or later and Exchange 2016 CU10 or later. To use this switch, you also need to run setup.exe /PrepareAD. For more information, see KB4133605.

This is a Function I created for our O365 Admins to quickly create a mailbox, and also a group to assign the users that need Full/SendAS access to the mailbox. I might have some other proprietary code such as removing the internal domain, but you can comment that stuff out if needed, but it shouldn’t hurt if it stayed in there. 


Function New-SharedMailbox
{
    Param
    (
        [Parameter(Mandatory = $true)]
        [String]$Name,
        [Parameter(Mandatory = $true)]
        [String]$DisplayName,
        [Parameter(Mandatory = $true)]
        [String]$OwnerEmail
    )
    
    $EmailAddress = $Name + '@Tenant.org'
    
    $MBCheck = Get-Recipient $EmailAddress -ErrorAction SilentlyContinue
    $Replace = '@tenant.int'
    
    If ($MBCheck)
    {
        Write-Host "EmailAddress Is already in Use Please use a different Name"
    }
    Else
    {
        
        $RoutingAddress = $EmailAddress -replace ("Tenant.org", "Tenant.mail.onmicrosoft.com")
        
        Do
        {
            $RoutingAddressCheck = Get-Recipient $RoutingAddress -ErrorAction SilentlyContinue
            if ($RoutingAddressCheck)
            {
                [String]$RandomNumber = (10 .. 100) | Get-Random
                [String]$RoutingAddress = $Name + $RandomNumber + '@Tenant.mail.onmicrosoft.com'
            }
            $RoutingAddressCheck = Get-Recipient $RoutingAddress -ErrorAction SilentlyContinue
        }
        Until($RoutingAddressCheck -eq $Null)

        
        Write-Host "Enabling $Name to Cloud"
        New-RemoteMailbox -Alias $Name -OnPremisesOrganizationalUnit "OU=Email,OU=Accounts,DC=tenant,DC=int" -shared -RemoteRoutingAddress $RoutingAddress -userprincipalname $EmailAddress -PrimarySmtpAddress $EmailAddress -DisplayName $DisplayName -name $Name
        Write-Host "waiting on AD Replication 30 Seconds"
        Sleep 30
        
        $ProxyAddresses = (Get-ADUser $Name -Properties ProxyAddresses).ProxyAddresses
        
        Foreach ($ProxyAddress in $ProxyAddresses)
        {
            If ($ProxyAddress -like "*tenant.int*")
            {
                Write-Host "Removing $Replace from $Name"
                Set-ADUser $Name -Remove @{ Proxyaddresses = $ProxyAddress }
            }
        }
        
        $GroupName = $Name + '-OW'
        $GroupEmail = $GroupName + '@Tenant.org'
        
        Write-Host "Creating Group $GroupName"
        New-DistributionGroup -Name $GroupName -PrimarySmtpAddress $GroupEmail -ManagedBy $OwnerEmail -RequireSenderAuthenticationEnabled:$True -CopyOwnerToMember:$True -OrganizationalUnit "OU=USG,OU=Email,OU=Accounts,DC=tenant,DC=int" -Type Security
        Write-Host "Hiding From Address List"
        Sleep 15
        Set-DistributionGroup $GroupName -HiddenFromAddressListsEnabled:$True
        Write-Host "All Done.. Make sure to add the group with full / sendas on O365 after 30 min Sync" -ForegroundColor Green
    }
}

Creation of Contacts, for Email to Text on Phone

At my healthcare organization a nursing leader needed to push alerts via email, to users Cell Phones. She had a list of phone numbers and names of the users (around 100). So when she sent me the list I asked if she could make another column with the providers next to them so I can automate it. Below is a script I created to create the Contacts. I also added comments on everything, to help a novice powershell user to better understand how everything works. Remember to Change the OU Location at the bottom of the script, Could probably make a new Parameter for that. Also, to run the command you would just copy and paste the function in Exchange Powershell then Run New-CellContact -FirstName John -LastName Doe -Provider Cricket -CellNumber 8774878777 

Function New-CellContact
{
    Param (
        [parameter(Mandatory = $true)]
        #This means if you run New-CellContact, It will need this value to Continue
        [String]$FirstName,
        [parameter(Mandatory = $true)]
        [String]$LastName,
        [parameter(Mandatory = $true)]
        [ValidateSet("ATT", "Sprint", "Cricket", "Tmobile", "Verizon", "StraightTalk", "MetroPCS")]
        #Validating Set means, when providing the cmdlet the data you will need to give it the one listed or it will fail
        [String]$Provider,
        [parameter(Mandatory = $true)]
        [ValidatePattern("\d{10}")]
        #Validating Pattern Uses RegEx This RegEx is saying there needs to be 10 Digits \d is Numbers anything more or less or with a letter will fail.
        [String]$CellNumber
    )
    
    #This switch is a faster IF statement Basically if $Provider = ATT then $CarrierEmail = @mms.att.net
    Switch ($Provider)
    {
        "ATT" { $CarrierEmail = "@mms.att.net" }
        "Sprint" { $CarrierEmail = "@messaging.sprintpcs.com" }
        "Cricket" { $CarrierEmail = "@mms.mycricket.com" }
        "Tmobile" { $CarrierEmail = "@tmomail.net" }
        "Verizon" { $CarrierEmail = "@vtext.com" }
        "StraightTalk" { $CarrierEmail = "@vtext.com" }
        "MetroPCS" { $CarrierEmail = "@mymetropcs.com" }
    }
    
    #This builds out the Alias for the AD Object
    $Alias = 'Cell-Alerts-' + $FirstName + "-" + $LastName
    #This builds out the email address so 7708278377@vtext.com
    $ForwardingEmail = $CellNumber + $CarrierEmail
    #Write-Host "Testing $Alias $ForwardingEmail" this is for testing
    #This is the command to actually build the object using the parameters given and throw it in the correct OU
    New-MailContact -Alias $Alias -DisplayName $Alias -Name $Alias -FirstName $FirstName -LastName $LastName -ExternalEmailAddress $ForwardingEmail -OrganizationalUnit "Contoso.int/Contacts"
}