CreateNewAADUser&DuplicateGroups_v2.ps1

Jul 16th, 2024
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups
using namespace System.Web.Security
  3.  
  4. [CmdletBinding(SupportsShouldProcess, ConfirmImpact="High")]
  5. param (
  6.     [Parameter(Mandatory, ValueFromPipelineByPropertyName, HelpMessage="Enter username@domain to copy from:")]
  7.         [ValidateScript({
  8.             if(Get-MgUser -Filter "UserPrincipalName eq '$_'"){
  9.                 return $true
  10.             }
  11.             throw "Could not find a user '$_' by UserPrincipalName"
  12.         })]
  13.         [string]$UserTemplate,
  14.     [Parameter(Mandatory, ValueFromPipelineByPropertyName, HelpMessage="Enter the new staff FIRST name:")]
  15.         [Alias('fName')]
  16.         [AllowEmptyString()][string]$FirstName,
  17.     [Parameter(Mandatory, ValueFromPipelineByPropertyName, HelpMessage="Enter the new staff LAST name:")]
  18.         [Alias('lName')][string]$LastName
  19. )
  20.  
  21. begin {
  22.     Add-Type -AssemblyName "System.Web"
  23.    
  24.     [string[]]$CurrentScopes = (Get-MgContext).Scopes
  25.     [string[]]$RequiredScopes = @(
  26.         "User.ReadWrite.All"
  27.         "Organization.Read.All"
  28.     )
  29.     if($RequiredScopes | Where-Object { $CurrentScopes -notcontains $_ }){
  30.         Connect-MgGraph -Scopes $RequiredScopes
  31.     }
  32.    
  33.     function Get-RandomPassword {
  34.         [CmdletBinding()]
  35.         param (
  36.             [Parameter(Mandatory, Position=0)][int]$Length,
  37.             [int]$NonAlphanumericCharacters = 1
  38.         )
  39.    
  40.         [Membership]::GeneratePassword($Length, $NonAlphanumericCharacters)
  41.     }
  42. }
  43.  
  44. process {
  45.     $TemplateUserObject = Get-MgUser -UserId $UserTemplate -Property @(
  46.         "Id"
  47.         "JobTitle"
  48.         "Department"
  49.         "AssignedLicenses"
  50.     )
  51.     $NewUserName = "$($FirstName[0])$LastName"
  52.     $NewUserEmail = "$NewUserName@domain"
  53.  
  54.     if($PSCmdlet.ShouldProcess("Create new user $NewUserEmail based on $UserTemplate?", $NewUserEmail, "Create")){
  55.         $RandomPassword = Get-RandomPassword -Length 12
  56.         $CreateUserParameters = @{
  57.             DisplayName = "$FirstName $LastName"
  58.             PasswordProfile = @{
  59.                 Password = $RandomPassword
  60.             }
  61.             UserPrincipalName = $NewUserEmail
  62.             AccountEnabled = $true
  63.             MailNickname = $NewUserName
  64.             JobTitle = $TemplateUserObject.JobTitle
  65.             ShowInAddressList = $TemplateUserObject.JobTitle -ne "<dept>"
  66.         }
  67.         $NewUser = New-MgUser @CreateUserParameters
  68.  
  69.         $Manager = Get-MgUserManagerByRef -UserId $TemplateUserObject.Id
  70.         Set-MgUserManagerByRef -UserId $NewUser.Id -BodyParameter $Manager
  71.  
  72.         # Assign groups excluding dynamic
  73.         $MembershipGroups = Get-MgUserMemberOfAsGroup -UserId $TemplateUserObject.Id -Property "id", "displayName", "GroupTypes"
  74.         foreach($Group in $MembershipGroups){
  75.             foreach($Gtype in $Group.GroupTypes){
  76.                  if($Gtype -eq "DynamicMembership"){
  77.                         Write-Host "Skipping dynamic group $($Group.DisplayName)..."
  78.                         continue
  79.                     }
  80.                 Write-Host "Adding $NewUserEmail to $($Group.DisplayName)..."
  81.                 New-MgGroupMember -GroupId $Group.Id -DirectoryObjectId $NewUser.Id
  82.             }
  83.         }
  84.        
  85.         #Assign the same licenses
  86.         Set-MgUserLicense -UserId "$($NewUserEmail)" -AddLicenses $TemplateUserObject.AssignedLicenses -RemoveLicenses @()
  87.        
  88.         # Do use Write-Host here, we don't want to hide this message.
  89.         Write-Host "The temporary password for user: $NewUserEmail is: $RandomPassword"
  90.     }
  91. }