这是一个脚本,用于显示$User所属的所有Azure AD组。
$User = 'Compromised.UserAccount'
$UserToRemove = Get-AzureADUser -SearchString $User
$UserToRemove |
Get-AzureADUserMembership |
ForEach-Object { Get-AzureADObjectByObjectId -ObjectId $_.ObjectId | Get-AzureADGroup | Where-Object {$_.OnPremisesSecurityIdentifier -eq $null} | Select-Object DisplayName, ObjectType, MailEnabled, SecurityEnabled, ObjectId } |
Out-GridView -Title "$($User) account Cloud Only Group membership"
这里的目标是能够从所有AzureADGroup中删除$User,他/她在上面的Out-GridView列表中是成员。
Remove-AzureADGroupMember -ObjectId ... -MemberId $UserToRemove.ObjectId
我会把它分成更多不同的命令,而不是一个单一的管道:
$User = 'Compromised.UserAccount'
$AzUser = Get-AzureADUser -SearchString $user
$AzMemberships = $azUser | Get-AzureADUserMembership
$AzGroups = Get-AzureADObjectByObjectId -ObjectIds $AzMemberships.objectID
$CloudGroups = $AzMemberships | Where-Object {$_.OnPremisesSecurityIdentifier -eq $null}
# Display cloud groups
$CloudGroups | Select-Object DisplayName, ObjectType, MailEnabled, SecurityEnabled, ObjectId |
Out-GridView -Title "$($User) account Cloud Only Group membership"
# Remove user from all cloud groups
Foreach ($cloudGroup in $cloudGroups) {
Remove-AzureADGroupMember -ObjectId $cloudGroup.ObjectID -MemberId $AzUser.ObjectId
}