16 September 2022

Disable Exchange Online Remote PowerShell for users with PowerShell

 A regular user has no need for remote PowerShell access to Exchange Online.
So, we're going to disable it.

This is not as easy as you might think, I saw an article by "The Cloudtechnologist" (disable-exchange-online-remote-powershell-for-users-as-a-scheduled-task) but this is for Global admins only. What if you have roles assigned to Exchange Admins that are not Global admins?

This might help:

At line26; edit your username
At line 28 to 40 you disable all user accounts that are synced from on-premises
At line 44 to 56 you disable all guest users
At line 59 to 71 you disable all roommailboxes
At line 73 to 80 you can create a list with all account that are still enabled for remote PowerShell, go through the list manually and use that list to disable the access for the remaining users.

You might need to change the filters to something that works for you, and as always with stuff found on the interwebs, test test test.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
#region functions
<#
.SYNOPSIS
Script to disable Exchange Online RemotePowerShell access for users, guests and RoomMailboxes
.DESCRIPTION
Disables Exchange Online RemotePowerShell acces for users, guests and roommailboxes, and let's the remaining users be disabled by file list.
.PARAMETERS
None
.EXAMPLE
Disable-EXOPowerShellForUsers
.By
Edwin van Brenk
.For
Company
.Version
1.0
.Date
13-09-2022
.SOA
SOA-212
#>


Import-Module -Name ExchangeOnlineManagement

Connect-ExchangeOnline -UserPrincipalName username@company.com

# Dir synced users

Write-Host "Disable-EXOPowerShellForUsers: process: Getting all dirsynced users from tenant"
$Users = Get-User -ResultSize unlimited | where-object {$_.isdirsynced -eq 'True'}

foreach ($User in $Users) {
            try {
                Write-Host "Disable-EXOPowerShellForUsers: process: Updating $($User.WindowsEmailAddress)"
                Set-User -Identity $User.WindowsLiveID -RemotePowerShellEnabled $false -Confirm:$false
            }
            catch {
                Write-Warning "Something went wrong with $($User.WindowsEmailAddress)"
                continue
            }
            $user = $null
        }

$number = $Users.Count
Write-host "$number of users have been updated"

# Guest users

Write-Host "Disable-EXOPowerShellForUsers: process: Getting all guest users from tenant"
$GuestUsers = Get-User -ResultSize unlimited | where-object {$_.RecipienttypeDetails -eq 'GuestMailUser'}

foreach ($GuestUser in $GuestUsers) {
            try {
                Write-Host "Disable-EXOPowerShellForUsers: process: Updating $($GuestUser.Identity)"
                Set-User -Identity $GuestUser.WindowsLiveID -RemotePowerShellEnabled $false -Confirm:$false
            }
            catch {
                Write-Warning "Something went wrong with $($GuestUser.WindowsLiveID)"
                continue
            }
            $GuestUser = $null
        }

$number = $GuestUsers.Count
Write-host "$number Guest users have been updated"

# Teams Rooms

Write-Host "Disable-EXOPowerShellForUsers: process: Getting all TeamRooms from tenant"
$TeamsRooms = Get-User -ResultSize unlimited | where-object {$_.RecipienttypeDetails -eq 'RoomMailbox'}

foreach ($TeamsRoom in $TeamsRooms) {
            try {
                Write-Host "Disable-EXOPowerShellForUsers: process: Updating $($TeamsRoom.WindowsEmailAddress)"
                Set-User -Identity $TeamsRoom.WindowsLiveID -RemotePowerShellEnabled $false -Confirm:$false
            }
            catch {
                Write-Warning "Something went wrong with $($TeamsRoom.WindowsLiveID)"
                continue
            }
            $TeamsRoom = $null
        }

$number = $TeamsRooms.Count
Write-host "$number TeamsRooms have been updated"

# Block for a list of users

$UserList = Get-Content "C:\Users\Username\OneDrive - Company\Security Optimization Assesment\2022\Scripts\userlist.txt"
$UserList | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}


Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true' | Select-Object Name, WindowsLiveID, WindowsEmailAddress, RecipientType, RecipientTypeDetails |` 
export-csv -Path "C:\Users\Username\OneDrive - Company\Security Optimization Assesment\2022\Scripts\AcceptedEnabledRemotePowerShellUserList.csv"

<#
-To display only those users who don't have access to Exchange Online PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $false'

-To display only those users who have access to Exchange Online PowerShell, run the following command:

Get-User -ResultSize unlimited -Filter 'RemotePowerShellEnabled -eq $true'
#>

No comments:

Post a Comment