added removal of mailbox permissions

bstets1 · Oct 23, 2023 · d7c4b13 · d7c4b13
1 parent d1c9cfd
commit d7c4b13
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 9 deletions.
diff --git a/ExecOffboardUser/function.json b/ExecOffboardUser/function.json
@@ -5,15 +5,18 @@
       "type": "httpTrigger",
       "direction": "in",
       "name": "Request",
-      "methods": [
-        "get",
-        "post"
-      ]
+      "methods": ["get", "post"]
     },
     {
       "type": "http",
       "direction": "out",
       "name": "Response"
+    },
+    {
+      "type": "queue",
+      "direction": "out",
+      "name": "Msg",
+      "queueName": "offboardingmailbox"
     }
   ]
-}
+}
diff --git a/ExecOffboardUser/run.ps1 b/ExecOffboardUser/run.ps1
@@ -65,6 +65,15 @@ try {
         { $_."RemoveMobile" -eq 'true' } {
             Remove-CIPPMobileDevice -userid $userid -username $Username -tenantFilter $Tenantfilter -ExecutingUser $request.headers.'x-ms-client-principal' -APIName "ExecOffboardUser"
         }
+        { $_."RemovePermissions" } {
+            $object = [PSCustomObject]@{
+                TenantFilter  = $tenantFilter
+                User          = $username
+                executingUser = $request.headers.'x-ms-client-principal'
+            }
+            Push-OutputBinding -Name Msg -Value $object
+            "Removal of permissions queued. This task will run in the background and send it's results to the logbook."
+        }
 
     }
     $StatusCode = [HttpStatusCode]::OK

diff --git a/ExecOffboard_Mailboxpermissions/function.json b/ExecOffboard_Mailboxpermissions/function.json
@@ -0,0 +1,10 @@
+{
+  "bindings": [
+    {
+      "name": "QueueItem",
+      "type": "queueTrigger",
+      "direction": "in",
+      "queueName": "offboardingmailbox"
+    }
+  ]
+}
diff --git a/ExecOffboard_Mailboxpermissions/run.ps1 b/ExecOffboard_Mailboxpermissions/run.ps1
@@ -0,0 +1,8 @@
+# Input bindings are passed in via param block.
+param( $QueueItem, $TriggerMetadata)
+$APIName = $TriggerMetadata.FunctionName
+
+$Mailboxes = New-ExoRequest -tenantid $QueueItem.TenantFilter -cmdlet "get-mailbox"
+foreach ($Mailbox in $Mailboxes) {
+    Remove-CIPPMailboxPermissions -PermissionsLevel @("FullAccess", "SendAs", "SendOnBehalf") -userid $Mailbox.UserPrincipalName -AccessUser $QueueItem.User -TenantFilter $QueueItem.TenantFilter -APIName $APINAME -ExecutingUser $QueueItem.ExecutingUser
+}
diff --git a/Modules/CIPPCore/Public/Remove-CIPPMailboxPermissions.ps1 b/Modules/CIPPCore/Public/Remove-CIPPMailboxPermissions.ps1
@@ -4,15 +4,32 @@ function Remove-CIPPMailboxPermissions {
         $userid,
         $AccessUser,
         $TenantFilter,
+        $PermissionsLevel,
         $APIName = "Manage Shared Mailbox Access",
         $ExecutingUser
     )
 
     try {
-        $permissions = New-ExoRequest -tenantid $TenantFilter -cmdlet "Remove-MailboxPermission" -cmdParams @{Identity = $userid; user = $AccessUser } -Anchor $userid
-        Write-LogMessage -user $ExecutingUser -API $APIName -message  "Removed $($AccessUser) from $($userid)'s mailbox." -Sev "Info" -tenant $TenantFilter
-        return "Removed $($AccessUser) from $($userid)'s mailbox."
-
+        $Results = $PermissionsLevel | ForEach-Object {
+            switch ($_) {
+             "SendOnBehalf" {
+                    $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet "Set-Mailbox" -cmdParams @{Identity = $userid; GrantSendonBehalfTo = @{'@odata.type' = '#Exchange.GenericHashTable'; remove = $AccessUser }; }
+                    Write-LogMessage -user $ExecutingUser -API $APIName -message "Removed SendOnBehalf permissions for $($AccessUser) from $($userid)'s mailbox." -Sev "Info" -tenant $TenantFilter
+                    "Removed SendOnBehalf permissions for $($AccessUser) from $($userid)'s mailbox." 
+                }
+                "SendAS" {
+                    $MailboxPerms = New-ExoRequest -Anchor $username -tenantid $Tenantfilter -cmdlet "Remove-RecipientPermission" -cmdParams @{Identity = $userid; Trustee = $AccessUser; accessRights = @("SendAs") }
+                    Write-LogMessage -user $ExecutingUser -API $APIName -message "Removed SendAs permissions for $($AccessUser) from $($userid)'s mailbox." -Sev "Info" -tenant $TenantFilter
+                    "Removed SendAs permissions for $($AccessUser) from $($userid)'s mailbox."
+                }
+             "FullAccess" {
+                    $permissions = New-ExoRequest -tenantid $TenantFilter -cmdlet "Remove-MailboxPermission" -cmdParams @{Identity = $userid; user = $AccessUser; accessRights = @("FullAccess") } -Anchor $userid
+                    Write-LogMessage -user $ExecutingUser -API $APIName -message  "Removed FullAcess permissions for $($AccessUser) from $($userid)'s mailbox." -Sev "Info" -tenant $TenantFilter
+                    "Removed FullAcess permissions for $($AccessUser) from $($userid)'s mailbox."
+                }
+            }
+        }
+        return $Results
     }
     catch {
         Write-LogMessage -user $ExecutingUser -API $APIName -message  "Could not remove mailbox permissions for $($userid). Error: $($_.Exception.Message)" -Sev "Error" -tenant $TenantFilter