I have a SQL DB that is populated with Consultants at our company and the Client Groups that they are associated with. I have a PowerShell Script that checks this database and adds or removes Consultants from corresponding O365 Security Groups. This script works fine. My problem is, I would like to move from using O365 security groups to Mail-Enabled Security Groups in Exchange Online.
I have changed a couple of groups to be Mail-Enabled and the script does not work because the PowerShell Cmdlets used in the current script are MSol cmdlets and do not know how to handle a Mail-Enabled Security Group. I have tried to edit the script to change the cmdlets. The new version kind of works, it adds a user like it is supposed to but it immediately removes the user after.
The Remove Function in the working script checks to see if the consultant user exists in the SQL DB in the Client Group and, if not, removes the user from the group; if so, it keeps the user. It looks like this:
# Perform group addition/removal only if the consultant exists in O365
if ($consultantUser)
{
    Write-Host "Found user " $consultantMember.EmailAddress
    # Check to see if authoritative SQL consultant table has this specific user
    if ($consultants -notcontains $consultantMember.EmailAddress)
    {
        Write-Host "Removing user " $consultantMember.EmailAddress
        Remove-MsoLGroupMember -groupObjectId $clientGroup.ObjectId -GroupMemberType "User" -groupmemberobjectid $consultantUser.ObjectId
    }
    else
    {
        Write-Host "Keeping user " $consultantMember.EmailAddress
    }
}
The new script (only the removal portion) is supposed to behave the same, but it removes the user every time. So the user gets added to the group and then immediately removed. It looks like this:
# Perform group addition/removal only if the consultant exists in O365
if ($consultantUser)
{
    Write-Host "Found user " $consultantMember.Name
    # Check to see if authoritative SQL consultant table has this specific user
    if ($consultant -notcontains $consultantMember.EmailAddresses)
    {
        Write-Host "Removing user " $consultantMember.Name
        Remove-DistributionGroupMember -Identity $clientGroup.Name -Member $consultantAdd.Name
    }
    else
    {
        Write-Host "Keeping user " $consultantMember.Name
    }
}
Here is the original script (User/Servername/Passwords redacted) and the new script. I am hoping someone can point me in the right direction as to how I would make the second script behave the same as the first. Please let me know if you require more information.
# Connect to O365
$User = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
$Pass = "XXXXXXXXXXX" # "XXXXXXXX"
$Cred = New-Object System.Management.Automation.PsCredential($User,(ConvertTo-SecureString $Pass -AsPlainText -Force))
Import-Module MSOnline
Connect-MsolService -Credential $Cred
# Loop through SQL Azure Master Client Table
foreach ($dbClient in Invoke-Sqlcmd -Query "SELECT ClientID, Value FROM [dbo].[clientMasterAttributes] WHERE Attribute = 'ClientName' ORDER BY ClientID;" -ServerInstance "XXXXXXXXXX.XXXXXXXX.XXXXXXX.net" -Database "XXXXXX" -Username "XXX" -Password "XXXXXXXXXX")
{
    # Load SQL Azure Consultant Table per ClientID
    $consultantQuery = "SELECT DISTINCT C.Email, E.employeeType FROM clientConsultantAttributes C INNER JOIN Employees E ON C.Email = E.Email WHERE C.ClientID = '{0}' AND C.Attribute = 'Current' AND C.Value = 'Y' AND E.employeeType IN (2,3,8);" -f $dbClient.ClientID
    $consultants = Invoke-Sqlcmd -Query $consultantQuery -ServerInstance "XXXXXXXXXX.XXXXXXXX.XXXXXXX.net" -Database "XXXXXX" -Username "XXX" -Password "XXXXXXXXXX" | select -Expand Email
    Write-Host $consultants
    $clientGroupName = "client{0}" -f $dbClient.ClientID
    # Query Azure AD to see if client security group exists
    $clientGroup = Get-MsolGroup | where-object { $_.DisplayName -eq $clientGroupName}
    if ($clientGroup)
    {
        # Add all users in SQL lookup to the group
        foreach ($consultant in $consultants)
        {
            $consultantAdd = Get-MsolUser -UserPrincipalName $consultant
            if ($consultantAdd)
            {
                Write-Host "Add User " $consultant
                Add-MsolGroupMember -groupObjectid $clientGroup.ObjectId -GroupMemberType "User" -GroupMemberObjectId $consultantAdd.ObjectId
            }
            else
            {
                Write-Host "Could not find " $consultant
            }
        }
        # Found client security group, now loop through all group members to see if they still belong
        foreach ($consultantMember in Get-MsolGroupMember -groupObjectid $clientGroup.ObjectId)
        {
            # Get individual consultant user object using email address from SQL table
            $consultantUser = Get-MsolUser -UserPrincipalName $consultantMember.EmailAddress
            # Perform group addition/removal only if the consultant exists in O365
            if ($consultantUser)
            {
                Write-Host "Found user " $consultantMember.EmailAddress
                # Check to see if authoritative SQL consultant table has this specific user
                if ($consultants -notcontains $consultantMember.EmailAddress)
                {
                    Write-Host "Removing user " $consultantMember.EmailAddress
                    Remove-MsoLGroupMember -groupObjectId $clientGroup.ObjectId -GroupMemberType "User" -groupmemberobjectid $consultantUser.ObjectId
                }
                else
                {
                    Write-Host "Keeping user " $consultantMember.EmailAddress
                }
            }
        }
    }
}
New script:
Import-Module MSOnline
Connect-MsolService -Credential $Cred
# Loop through SQL Azure Master Client Table
foreach ($dbClient in Invoke-Sqlcmd -Query "SELECT ClientID, Value FROM [dbo].[clientMasterAttributes] WHERE Attribute = 'ClientName' ORDER BY ClientID;" -ServerInstance "XXXXXXXXXX.XXXXXXXX.XXXXXXX.net" -Database "XXXXXX" -Username "XXX" -Password "XXXXXXXXXX")
{
    # Load SQL Azure Consultant Table per ClientID
    $consultantQuery = "SELECT DISTINCT C.Email, E.employeeType FROM clientConsultantAttributes C INNER JOIN Employees E ON C.Email = E.Email WHERE C.ClientID = '{0}' AND C.Attribute = 'Current' AND C.Value = 'Y' AND E.employeeType IN (2,3,8);" -f $dbClient.ClientID
    $consultants = Invoke-Sqlcmd -Query $consultantQuery -ServerInstance "XXXXXXXXXX.XXXXXXXX.XXXXXXX.net" -Database "XXXXXX" -Username "XXX" -Password "XXXXXXXXXX" | select -Expand Email
    Write-Host $consultants
    $clientGroupName = "client{0}" -f $dbClient.ClientID
    # Query Azure AD to see if client security group exists
    $clientGroup = Get-DistributionGroup | where-object { $_.DisplayName -eq $clientGroupName}
    if ($clientGroup)
    {
        # Add all users in SQL lookup to the group
        foreach ($consultant in $consultants)
        {
            $consultantAdd = Get-User -Identity $consultant
            if ($consultantAdd)
            {
                Write-Host "Add User " $consultant
                Add-DistributionGroupMember -Identity $clientGroup.Name -Member $consultantAdd.Name
            }
            else
            {
                Write-Host "Could not find " $consultant
            }
        }
        # Found client security group, now loop through all group members to see if they still belong
        foreach ($consultantMember in Get-DistributionGroupMember -Identity $clientGroup.Name)
        {
            # Get individual consultant user object using email address from SQL table
            $consultantUser = Get-User -Identity $consultantMember.Email
            # Perform group addition/removal only if the consultant exists in O365
            if ($consultantUser)
            {
                Write-Host "Found user " $consultantMember.Name
                # Check to see if authoritative SQL consultant table has this specific user
                if ($consultant -notcontains $consultantMember.EmailAddresses)
                {
                    Write-Host "Removing user " $consultantMember.Name
                    Remove-DistributionGroupMember -Identity $clientGroup.Name -Member $consultantAdd.Name
                }
                else
                {
                    Write-Host "Keeping user " $consultantMember.Name
                }
            }
        }
    }
}
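A reconciliation pass for a mail-enabled security group, added here as an example (it is not the poster's script and not an answer from the thread): it matches the SQL list against each member's PrimarySmtpAddress, a single string, instead of the EmailAddresses collection, and removes the member it enumerated rather than a variable left over from the add loop. It assumes an Exchange Online session is already connected and that $clientGroupName and $consultants hold the values computed in the scripts above; Sync-ClientGroupMembers and -DryRun are names chosen for this example.

```powershell
# Added example, not the poster's script. Assumes an Exchange Online session is already
# open (e.g. via Connect-ExchangeOnline) and that $clientGroupName and $consultants
# are the values produced by the SQL queries in the question.
function Sync-ClientGroupMembers {
    param(
        [Parameter(Mandatory)][string]   $GroupName,
        [Parameter(Mandatory)][string[]] $AuthoritativeEmails,
        [switch]$DryRun
    )

    # Normalise the authoritative list once; SMTP addresses compare case-insensitively.
    $wanted = @($AuthoritativeEmails | ForEach-Object { $_.Trim().ToLowerInvariant() } | Sort-Object -Unique)

    $group = Get-DistributionGroup -Filter "DisplayName -eq '$GroupName'" | Select-Object -First 1
    if (-not $group) { throw "Group '$GroupName' not found" }

    # Index current members by PrimarySmtpAddress (one plain string per member).
    # EmailAddresses is a ProxyAddressCollection ("SMTP:..."/"smtp:...") and never
    # equals a plain string, so comparing the SQL list against it always says "not found".
    $current = @{}
    foreach ($m in Get-DistributionGroupMember -Identity $group.Identity -ResultSize Unlimited) {
        $addr = ([string]$m.PrimarySmtpAddress).ToLowerInvariant()
        if ($addr) { $current[$addr] = $m }
    }

    # Add anyone in SQL who is not yet a member.
    foreach ($email in $wanted) {
        if ($current.ContainsKey($email)) { continue }
        Write-Host "Adding $email to $GroupName"
        if (-not $DryRun) { Add-DistributionGroupMember -Identity $group.Identity -Member $email }
    }

    # Remove only members whose address is absent from SQL, identifying each one by the
    # address that was just enumerated, not by whatever the add loop left in a variable.
    foreach ($addr in @($current.Keys)) {
        if ($wanted -contains $addr) { Write-Host "Keeping $addr"; continue }
        Write-Host "Removing $addr from $GroupName"
        if (-not $DryRun) {
            Remove-DistributionGroupMember -Identity $group.Identity -Member $addr -Confirm:$false
        }
    }
}

# Run once with -DryRun to review the planned changes before letting it modify the group.
Sync-ClientGroupMembers -GroupName $clientGroupName -AuthoritativeEmails $consultants -DryRun
```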