Untitled

using Microsoft.Online.SharePoint.TenantAdministration;
using Microsoft.SharePoint.Client;
using OfficeDevPnP.Core.Entities;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;
using Microsoft.Azure.ActiveDirectory.GraphClient.Extensions;
using Microsoft.Azure;

namespace SPUserRemover
{
    class Program
    {
        static void Main(string[] args)
        {
            try
            {
                //App-Only authentication does not work for SiteEntity
                var password = new SecureString();
                string userName = CloudConfigurationManager.GetSetting("UserName");
                string Mypassword = CloudConfigurationManager.GetSetting("Password");
                string tenantAdminUrl= CloudConfigurationManager.GetSetting("TenantAdminUrl");
                foreach (char c in Mypassword.ToCharArray()) password.AppendChar(c);
                var credentials = new SharePointOnlineCredentials(userName, password);
                ActiveDirectoryClient azureClient = AzureAdAuthentication.GetActiveDirectoryClientAsApplication();
                var aadUsers = GetUsers(azureClient);
                using (var clientContext = new ClientContext(tenantAdminUrl))
                {
                    clientContext.Credentials = credentials;
                    Tenant tenant = new Tenant(clientContext);
                    var prop = tenant.GetSiteCollections(0, 300, true, true);
                    clientContext.ExecuteQuery();

                    ClientContext context = null;
                    foreach (SiteEntity sp in prop)
                    {
                        context = new ClientContext(sp.Url);
                        context.Credentials = credentials;
                        Web web = context.Web;
                        UserCollection usercollection = web.SiteUsers;
                        context.Load(usercollection, usercols=>usercols.Include(userCol=>userCol.LoginName, userCol => userCol.Id));
                        context.ExecuteQuery();
                        foreach (Microsoft.SharePoint.Client.User user in usercollection)
                        {

                            string spUserLoginName = "";
                            //Check if an account is a user account or not
                            var isUserAccount = user.LoginName.Contains("i:0#.f|membership|");
                            if(isUserAccount )
                            {
                                spUserLoginName = DecodeClaim(clientContext, user.LoginName);
                            }

                            var userExist = aadUsers.Result.Contains(spUserLoginName.ToLower());

                            //if account is not in aad but exists on sp and it is an sp user, remove it.
                            if (!userExist && spUserLoginName != "")
                            {

                               web.SiteUsers.RemoveById(user.Id);
                                web.Update();
                            }

                        }

                        context.ExecuteQuery();
                    }


                    // Console.ReadLine();


                }
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex);
            }
        }


            //Decode encoded loginName i.e. strip the loginName of token i:0#.f|membership|
        public static string DecodeClaim(ClientRuntimeContext context, string encodedLoginName)
        {
            var tenant = new Tenant(context);
            var clientResult = tenant.DecodeClaim(encodedLoginName);
            context.ExecuteQuery();
            return clientResult.Value;
        }


        //Set the client Secret and Id to authenticate to AD.
        //You will need to give permission to read Azure directory using the following powershell commands
        //## Connect to the Microsoft Online tenant
        //        Connect-MsolService

        //## Set the app Client Id, aka AppPrincipalId, in a variable
        //$appId = "9a329aa2-01de-4248-8dc4-3187ed7e1c6c"

        //## get the App Service Principal
        //$appPrincipal = Get-MsolServicePrincipal -AppPrincipalId $appId

        //## Get the Directory Readers Role
        //$directoryReaderRole = Get-MsolRole -RoleName "Directory Readers" ##get the role you want to set

        //##Give the app the Directory Reader role
        //Add-MsolRoleMember -RoleMemberType ServicePrincipal -RoleObjectId $directoryReaderRole.ObjectId -RoleMemberObjectId $appPrincipal.ObjectId

        //##Confirm that the role has our app
        //Get-MsolRoleMember -RoleObjectId $directoryReaderRole.ObjectId
        private static async Task<List<string>> GetUsers(ActiveDirectoryClient azureClient)
        {
             List<IUser> Iusers = new List<IUser>();
            IPagedCollection<IUser> pagedCollection = await azureClient.Users.ExecuteAsync();

            if (pagedCollection != null)
            {
                do //append pages to the list
                {
                    Iusers.AddRange(pagedCollection.CurrentPage.ToList());
                    pagedCollection = await pagedCollection.GetNextPageAsync();
                } while (pagedCollection != null && pagedCollection.MorePagesAvailable);
            }

            List<string> users = new List<string>();
            foreach (var user in Iusers)
            {
                users.Add(user.UserPrincipalName.ToLower());
            }

            return users;
        }
    }

}