AuditUser365.ps1
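<#
.SYNOPSIS
    Audits, and optionally offboards, one Microsoft 365 user given a UPN or object ID.

.DESCRIPTION
    Read-only phase (no write scopes are requested for it):
      - directory attributes, account state, user type / guest invitation state
      - per-user MFA state (read from the /beta endpoint; that endpoint is not GA and may change)
      - whether the password is the ONLY registered authentication method
      - last interactive sign-in (needs an Entra ID P1/P2 licence; reported as "Unavailable" otherwise)
      - group memberships (paged with -All; directory roles and administrative units are filtered out)
      - SharePoint Online site collections the user is present on (opt-in, see NOTES)
    Each result set can be exported to CSV in $exportFilePath.

    Change phase. Every step is an explicit y/n prompt and the Graph write scopes are only
    requested once the operator opts in:
      - remove the user from the groups found above
      - remove the user from the sites found above
      - disable the account

.NOTES
    Graph delegated scopes
      read  : User.Read.All, GroupMember.Read.All, UserAuthenticationMethod.Read.All,
              AuditLog.Read.All (signInActivity), Organization.Read.All
      write : GroupMember.ReadWrite.All, User.EnableDisableAccount.All
    SharePoint: the operator needs the SharePoint Administrator role for Connect-SPOService.

    Site enumeration (Get-SPOUser / Remove-SPOUser) only works when the operator is site
    collection admin on the site. The first version of this script silently granted that on
    EVERY site collection in the tenant, before even asking which user to audit, and never
    revoked it. This version asks first, records each grant it makes and revokes them in the
    finally block on every exit path. It cannot tell a pre-existing grant from its own, so if
    you were already site collection admin on some sites, answer "n" to that prompt or re-add
    yourself afterwards.

    Not done here: disabling the account does NOT revoke existing sessions / refresh tokens.
    For an offboarding, follow up with Revoke-MgUserSignInSession (needs User.RevokeSessions.All
    or User.ReadWrite.All).
#>

# Fail fast: a failed connect or lookup must not let the script carry on into the change phase.
$ErrorActionPreference = 'Stop'

# Folder CSV exports are written to. Set this before running; it is created on first export.
$exportFilePath = "Some Folder Path"

# Ask a y/n question; anything other than y/Y counts as "no" (same rule as the original prompts).
function Read-YesNo {
    param([Parameter(Mandatory)][string]$Prompt)
    return ((Read-Host $Prompt).Trim().ToLower() -eq 'y')
}

# Write $Data as CSV to <Folder>\<FileName>, creating the folder if it does not exist yet.
function Export-AuditCsv {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$FileName,
        $Data
    )
    if (-not (Test-Path -LiteralPath $Folder)) {
        New-Item -ItemType Directory -Path $Folder | Out-Null
    }
    $target = Join-Path -Path $Folder -ChildPath $FileName
    $Data | Export-Csv -NoTypeInformation -Path $target
    Write-Host "Exported to $target"
}

# Least privilege: the audit runs with read scopes only. The original requested just
# User.Read.All and GroupMember.Read.All, which is not enough for the authentication-method,
# sign-in-activity and organization calls below, and then performed group removals and an
# account disable that need write scopes it never asked for.
$readScopes = @(
    'User.Read.All',
    'GroupMember.Read.All',
    'UserAuthenticationMethod.Read.All',
    'AuditLog.Read.All',
    'Organization.Read.All'
)
$writeScopes = @(
    'GroupMember.ReadWrite.All',
    'User.EnableDisableAccount.All'
)
Connect-MgGraph -Scopes $readScopes

# The SharePoint tenant name is the prefix of the initial *.onmicrosoft.com domain. The
# original derived it from the organisation display name, which need not match at all.
$tenantInfo = Get-MgOrganization
$initialDomain = ($tenantInfo.VerifiedDomains | Where-Object { $_.IsInitial } | Select-Object -First 1).Name
if ([string]::IsNullOrWhiteSpace($initialDomain)) {
    throw "Could not determine the tenant's initial (onmicrosoft.com) domain."
}
$tenantName = ($initialDomain -split '\.')[0].ToLower()
# The signed-in (delegated) account; this is who gets the temporary site collection admin grants.
$sharePointAdmin = (Get-MgUser -UserId (Get-MgContext).Account).UserPrincipalName

# Date stamp used in export file names.
$date = Get-Date -Format "MM-dd-yy"

$ObjectId = (Read-Host "Enter Object ID or User Principal Name of user that you want to check").Trim()
if ([string]::IsNullOrWhiteSpace($ObjectId)) {
    throw "No user specified."
}

# Properties to request. OnPremisesSamAccountName was reported but never requested in the
# original, so it was always empty in the output.
$userProperties = @(
    'Id',
    'UserPrincipalName',
    'DisplayName',
    'Mail',
    'AccountEnabled',
    'UserType',
    'ExternalUserState',
    'OnPremisesSamAccountName'
)
$user = Get-MgUser -UserId $ObjectId -Property $userProperties
$UPN = $user.UserPrincipalName

# Site URLs on which THIS run granted site collection admin; revoked in the finally block.
$grantedSiteAdmin = @()
$spoConnected = $false
$writeScopesGranted = $false

try {
    Connect-SPOService -Url "https://$tenantName-admin.sharepoint.com"
    $spoConnected = $true

    # ---- Authentication posture -------------------------------------------------------
    # Well-known id of the password authentication method object.
    $passwordAuthMethodId = "28c10230-6103-485e-b985-444c60001490"

    # Per-user (legacy) MFA state: Disabled / Enabled / Enforced. Beta endpoint only.
    $perUserMfaState = 'Unavailable'
    try {
        $pumfa = Invoke-MgGraphRequest -Method GET -Uri "/beta/users/$($user.Id)/authentication/requirements" -OutputType PSObject
        $perUserMfaState = $pumfa.PerUserMfaState
    }
    catch {
        Write-Warning "Could not read per-user MFA state: $($_.Exception.Message)"
    }

    # "Only password" = exactly one registered method and it is the password method.
    $onlyPasswordMethod = 'Unknown'
    try {
        $authMethods = @(Get-MgUserAuthenticationMethod -UserId $user.Id)
        if ($authMethods.Count -eq 1 -and $authMethods[0].Id -eq $passwordAuthMethodId) {
            $onlyPasswordMethod = 'Yes'
        }
        else {
            $onlyPasswordMethod = 'No'
        }
    }
    catch {
        Write-Warning "Could not read authentication methods: $($_.Exception.Message)"
    }

    # signInActivity needs AuditLog.Read.All and a P1/P2 licence; without them the call fails,
    # and a never-signed-in user returns null. Both are reported instead of aborting the audit.
    $lastInteractiveSignIn = 'Unavailable'
    try {
        $signInActivity = (Get-MgUser -UserId $user.Id -Property SignInActivity).SignInActivity
        if ($null -ne $signInActivity) {
            $lastInteractiveSignIn = $signInActivity.LastSignInDateTime
        }
    }
    catch {
        Write-Warning "Could not read sign-in activity: $($_.Exception.Message)"
    }

    # ---- User summary ------------------------------------------------------------------
    $userInfo = [PSCustomObject]@{
        "UPN"                      = $user.UserPrincipalName
        "Object ID"                = $user.Id
        "Display Name"             = $user.DisplayName
        "Email"                    = $user.Mail
        "UserName on Prem"         = $user.OnPremisesSamAccountName
        "Per-user MFA State"       = $perUserMfaState
        "Enabled"                  = $user.AccountEnabled
        "User Type"                = $user.UserType
        "Guest User State"         = $user.ExternalUserState
        "Only Password Method"     = $onlyPasswordMethod
        "Last Interactive Sign In" = $lastInteractiveSignIn
    }
    $userInfo | Format-Table

    # ---- Group membership --------------------------------------------------------------
    # -All pages through the result; without it only the first page (100 objects) comes back,
    # so a heavily-grouped user had memberships silently missed - and, later, not removed.
    # memberOf also returns directory roles and administrative units, which Get-MgGroup /
    # Remove-MgGroupMemberDirectoryObjectByRef would choke on; keep groups only.
    $groups = @(Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' })
    $groupMembership = @(foreach ($g in $groups) {
        [PSCustomObject]@{
            'Display Name' = $g.AdditionalProperties['displayName']
            'Group Id'     = $g.Id
        }
    })
    $groupMembership | Format-Table

    # ---- SharePoint site membership (opt-in) -------------------------------------------
    $siteMembership = @()
    if (Read-YesNo "Enumerate SharePoint sites the user is on? This TEMPORARILY grants you site collection admin on every site collection (revoked on exit). (y/n)") {
        # Root, search and OneDrive host sites are skipped; the check happens before any call,
        # the original only applied it after it had already queried (and slept on) the site.
        $excludedURLs = @(
            "https://$tenantName-my.sharepoint.com/",
            "https://$tenantName.sharepoint.com/",
            "https://$tenantName.sharepoint.com/search"
        )
        $siteURLs = @(Get-SPOSite -Limit All |
            Select-Object -ExpandProperty Url |
            Where-Object { $excludedURLs -notcontains $_ })

        foreach ($url in $siteURLs) {
            try {
                # Grant per site, right before it is needed, and remember it for the revoke.
                Set-SPOUser -Site $url -LoginName $sharePointAdmin -IsSiteCollectionAdmin $true | Out-Null
                $grantedSiteAdmin += $url

                # Match on LoginName (the UPN) - the same key Remove-SPOUser uses below. The original
                # matched DisplayName with -like: display names are not unique, and * ? [ in a
                # display name would be treated as wildcards. -Limit All: the default returns only
                # the first 200 users of a site.
                $onSite = Get-SPOUser -Site $url -Limit All |
                    Where-Object { $_.LoginName -eq $UPN }
                if ($null -ne $onSite) {
                    $siteMembership += [PSCustomObject]@{ 'URL' = $url }
                }
            }
            catch {
                Write-Warning "Skipping ${url}: $($_.Exception.Message)"
            }
            # Kept from the original as a crude throttle against SPO request limits.
            Start-Sleep -Seconds 1
        }
        $siteMembership | Format-Table
    }
    else {
        Write-Host "SharePoint site enumeration skipped; site removal will have nothing to do."
    }

    # ---- Exports -----------------------------------------------------------------------
    # A display name is untrusted file-name material: strip path separators and other invalid
    # characters so the export cannot land outside $exportFilePath or fail on an odd name.
    $safeName = $user.DisplayName -replace '[\\/:*?"<>|]', '_'
    if ([string]::IsNullOrWhiteSpace($safeName)) {
        $safeName = $user.Id
    }
    if (Read-YesNo "Do you wish to export the user info to a CSV file? (y/n)") {
        Export-AuditCsv -Folder $exportFilePath -FileName "${safeName}_Info_${date}.csv" -Data $userInfo
    }
    if (Read-YesNo "Do you wish to export the groups to a CSV file? (y/n)") {
        Export-AuditCsv -Folder $exportFilePath -FileName "${safeName}_Groups_${date}.csv" -Data $groupMembership
    }
    if (Read-YesNo "Do you wish to export the sites to a CSV file? (y/n)") {
        Export-AuditCsv -Folder $exportFilePath -FileName "${safeName}_Sites_${date}.csv" -Data $siteMembership
    }

    # ---- Change phase: everything below modifies the tenant ----------------------------
    if (Read-YesNo "Do you want to remove this user from groups and SharePoint Sites. (y/n)") {
        # Write scopes are requested only now; expect a second consent prompt.
        Connect-MgGraph -Scopes ($readScopes + $writeScopes)
        $writeScopesGranted = $true

        foreach ($g in $groups) {
            $groupName = $g.AdditionalProperties['displayName']
            # Dynamic groups are rule-based and on-prem synced groups are mastered in AD;
            # a removal via Graph fails for both, so say so instead of erroring per group.
            if (@($g.AdditionalProperties['groupTypes']) -contains 'DynamicMembership') {
                Write-Warning "Skipping '$groupName': dynamic-membership group, edit the rule or the user's attributes instead."
                continue
            }
            if ($g.AdditionalProperties['onPremisesSyncEnabled'] -eq $true) {
                Write-Warning "Skipping '$groupName': synchronised from on-premises AD, remove the user there."
                continue
            }
            try {
                Remove-MgGroupMemberDirectoryObjectByRef -GroupId $g.Id -DirectoryObjectId $user.Id
                Write-Output "$($user.DisplayName) has been removed from the group: $groupName"
            }
            catch {
                # Typically mail-enabled security / distribution groups, which are managed in Exchange Online.
                Write-Warning "Could not remove from '$groupName': $($_.Exception.Message)"
            }
        }

        foreach ($site in $siteMembership) {
            try {
                Remove-SPOUser -Site $site.URL -LoginName $UPN
                Write-Output "$($user.DisplayName) has been removed from the site: $($site.URL)"
            }
            catch {
                Write-Warning "Could not remove from site $($site.URL): $($_.Exception.Message)"
            }
        }
    }
    else {
        Write-Host "No group or site removals performed."
    }

    $disableAccount = (Read-Host "Do you want to disable this account? (y/n)").Trim().ToLower()
    if ($disableAccount -eq "y") {
        if (-not $writeScopesGranted) {
            Connect-MgGraph -Scopes ($readScopes + $writeScopes)
            $writeScopesGranted = $true
        }
        Update-MgUser -UserId $user.Id -AccountEnabled:$false
        Write-Host "Account has been disabled. Existing sessions are NOT revoked; run Revoke-MgUserSignInSession if required."
    }
    elseif ($disableAccount -eq "n") {
        Write-Host "Account will not be disabled."
    }
    else {
        Write-Host "Invalid input. Account will not be disabled."
    }
}
finally {
    # Runs on every exit path (error, Ctrl+C-free abort, normal completion): give back the
    # site collection admin grants this run made, then drop both sessions.
    foreach ($url in $grantedSiteAdmin) {
        try {
            Set-SPOUser -Site $url -LoginName $sharePointAdmin -IsSiteCollectionAdmin $false | Out-Null
        }
        catch {
            Write-Warning "Could not revoke site collection admin on ${url}: $($_.Exception.Message)"
        }
    }
    if ($grantedSiteAdmin.Count -gt 0) {
        Write-Host "Revoked temporary site collection admin on $($grantedSiteAdmin.Count) site(s)."
    }
    if ($spoConnected) {
        try { Disconnect-SPOService } catch { Write-Warning "Disconnect-SPOService: $($_.Exception.Message)" }
    }
    try { Disconnect-MgGraph | Out-Null } catch { Write-Warning "Disconnect-MgGraph: $($_.Exception.Message)" }
}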