Fixes to email-only and part time checks.

seatosky-chris · Mar 28, 2023 · b8971b1 · b8971b1
1 parent c2e8078
commit b8971b1
Show file tree

Hide file tree

Showing 3 changed files with 136 additions and 33 deletions.
diff --git a/User Audit.ps1 b/User Audit.ps1
@@ -4,7 +4,7 @@
 # Created Date: Tuesday, August 2nd 2022, 10:36:05 am
 # Author: Chris Jantzen
 # -----
-# Last Modified: Mon Mar 27 2023
+# Last Modified: Tue Mar 28 2023
 # Modified By: Chris Jantzen
 # -----
 # Copyright (c) 2023 Sea to Sky Network Solutions
@@ -14,6 +14,7 @@
 # HISTORY:
 # Date      	By	Comments
 # ----------	---	----------------------------------------------------------
+# 2023-03-27	CJ	Improvements to Part Time and Email Only alerts
 # 2023-03-27	CJ	Fixed bugs in MS Graph Beta API call to get Azure Users (they changed it to not allow pulling more than 120 users at a time)
 # 2023-03-24	CJ	Fixed bugs in new email-only checks.
 # 2023-03-20	CJ	Added proper support for email-only audits. If email-only, the script will now investigate a users O365 licenses and any assigned devices in O365 to determine if they are email only or a full employee.
@@ -2659,6 +2660,8 @@ if ($FullMatches) {
 		}
 
 		$PartTimeUsage = $false
+		$NoRecentUsage = $false
+		$UsageStats = $false
 		if ($PartTimeEmployeesByUsage) {
 			$UsageStats = $UserUsage | Where-Object { $_.User.ITG_ID -eq $MatchID }
 			if ($UsageStats) {
@@ -2669,7 +2672,16 @@ if ($FullMatches) {
 
 				if ($LastMonthUsage -and $LastMonthUsage -lt $PartTimePercentage -and $LastMonthUsage -gt 0 -and (!$TwoMonthsAgoUsage -or $TwoMonthsAgoUsage -lt $PartTimePercentage)) {
 					$PartTimeUsage = $true
+				} elseif ($LastMonthUsage -and $ContactType -like "*Part Time*" -and $LastMonthUsage -lt $PartTimePercentage) {
+					$PartTimeUsage = $true
+				} elseif (!$LastMonthUsage -and $TwoMonthsAgoUsage -and $TwoMonthsAgoUsage -lt $PartTimePercentage) {
+					$PartTimeUsage = $true
+				} elseif (!$LastMonthUsage -and !$TwoMonthsAgoUsage) {
+					$PartTimeUsage = $true
+					$NoRecentUsage = $true
 				}
+			} else {
+				$NoRecentUsage = $true
 			}
 		}
 
@@ -2699,6 +2711,7 @@ if ($FullMatches) {
 
 				# If email only accounts might have an associated AD account, lets check if the groups make this look like an email only user
 				$EmailOnly = $false
+				$EmailOnlyDetails = ""
 				if ($EmailOnlyHaveAD -and $HasEmail -and $EmailEnabled -and $O365Match.o365.RecipientTypeDetails -like 'UserMailbox' -and $ADMatch.PSObject.Properties.Name -contains "Groups") {
 					$EmployeeGroups = @()
 					foreach ($Group in $ADMatch.Groups) {
@@ -2707,6 +2720,7 @@ if ($FullMatches) {
 						}
 					}
 					if (($EmployeeGroups | Measure-Object).Count -eq 0) {
+						$EmailOnlyDetails = "Not in any employee AD groups."
 						$EmailOnly = $true
 					}
 
@@ -2717,10 +2731,12 @@ if ($FullMatches) {
 						if (($O365Licenses_NotEmailOnly | Measure-Object).Count -gt 0) {
 							$O365Devices = Get-AzureADUserRegisteredDevice -ObjectId $O365Match.o365.AAD_ObjectID
 							if (($O365Devices | Measure-Object).Count -gt 0) {
+								$EmailOnlyDetails = "Has the following O365 Activated Devices: " + ($O365Devices.DisplayName -join ", ")
 								$EmailOnly = $false
 							} else {
 								$IntuneDevices = Get-AzureADUserOwnedDevice -ObjectId $O365Match.o365.AAD_ObjectID
 								if (($IntuneDevices | Measure-Object).Count -gt 0) {
+									$EmailOnlyDetails = "Has the following assigned InTune Devices: " + ($IntuneDevices.DisplayName -join ", ")
 									$EmailOnly = $false
 								}
 							}
@@ -2738,10 +2754,13 @@ if ($FullMatches) {
 							$AssignedDevices = $Existing_RelatedItems | Where-Object { $_.attributes.'asset-type' -eq 'configuration' -and $_.attributes.notes -like "*User*" -and !$_.attributes.archived }
 
 							if ($AssignedDevices -and ($AssignedDevices | Measure-Object).count -gt 0) {
+								$EmailOnlyDetails = "Has the following devices assigned in ITG: " + ($AssignedDevices.name -join ", ")
 								$EmailOnly = $false
 							}
 						}
 					}
+				} elseif ($O365Match.o365.RecipientTypeDetails -notlike 'UserMailbox') {
+					$EmailOnlyDetails = "Mailbox is not a UserMailbox"
 				}
 
 				if (($ADMatch.Enabled -eq $false -or $ADMatch.OU -like '*Disabled*') -and 'ToTerminated' -notin $IgnoreWarnings) {
@@ -2765,17 +2784,29 @@ if ($FullMatches) {
 						$WarnObj.reason += " (Last Login: Never)"
 					}
 					# If $InactivityO365Preference is $true, this gets skipped and will only be checked in the O365 section if the O365 account is inactive
+				} elseif ($NoRecentUsage -and (!$ADMatch.LastLogonDate -or $ADMatch.LastLogonDate -lt (Get-Date).AddDays(-60)) -and 
+							(!$EmailOnlyHaveAD -or ($ContactType -notlike "Employee - Email Only" -and !$EmailOnly)) -and 
+							$ContactType -ne "Employee - On Leave" -and $ContactType -ne "Terminated" -and 'MaybeTerminate' -notin $IgnoreWarnings -and !$InactivityO365Preference) {
+					# MaybeTerminate[NoRecentDeviceUsage]
+					$WarnObj.type = "MaybeTerminate[NoRecentDeviceUsage]"
+					$WarnObj.reason = "AD Account Unused. Maybe disable it? Please review."
+					if (!$UsageStats) {
+						$WarnObj.reason += " (No device usage found ever)"
+					} else {
+						$LastUse = $UsageStats.DaysActive.History.PSObject.Properties.Name | Sort-Object -Descending | Select-Object -First 1
+						$WarnObj.reason += " (No device usage over the past 2 months, last used: $LastUse)"
+					}
 				} elseif ($ContactType -eq 'Terminated' -and 'ToEnabled' -notin $IgnoreWarnings) {
 					# ToEnabled
 					$WarnObj.type = "ToEnabled"
 					$WarnObj.reason = "AD Account Enabled. IT Glue Contact should not be 'Terminated'."
 				} elseif ($ContactType -notlike "Employee - Part Time" -and $ContactType -notlike "Shared Account" -and $ContactType -notlike "Employee - Multi User" -and 
 							($ADMatch.Description -like "*part?time*" -or $ADMatch.Description -like "*casual*" -or
-							$ADMatch.Title -like "*part?time*" -or $ADMatch.Title -like "*casual*" -or $PartTimeUsage) -and !$EmailOnly -and 'ToEmployeePartTime' -notin $IgnoreWarnings) {
+							$ADMatch.Title -like "*part?time*" -or $ADMatch.Title -like "*casual*" -or ($PartTimeUsage -and !$NoRecentUsage)) -and !$EmailOnly -and 'ToEmployeePartTime' -notin $IgnoreWarnings) {
 					# ToEmployeePartTime
 					$WarnObj.type = "ToEmployeePartTime"
 					$WarnObj.reason = "AD account appears to be part time. Consider changing the IT Glue Contact type to 'Employee - Part Time'."
-					if ($PartTimeUsage) { $WarnObj.reason += " (Last Months Usage: $($LastMonthUsage)% [$($UsageStats.DaysActive.LastMonth) days])" }
+					$WarnObj.reason += " (Last Months Usage: $($LastMonthUsage)% [$($UsageStats.DaysActive.LastMonth) days])"
 				} elseif ($ContactType -notlike "Contractor" -and ($ADMatch.Description -like "*contract*" -or $ADMatch.Title -like "*contract*") -and !$EmailOnly -and 'ToContractor' -notin $IgnoreWarnings) {
 					# ToContractor
 					$WarnObj.type = "ToContractor"
@@ -2795,17 +2826,25 @@ if ($FullMatches) {
 					#ToEmailOnly
 					$WarnObj.type = "ToEmailOnly"
 					$WarnObj.reason = "AD account has no groups but an email account is setup. Consider changing the IT Glue Contact type to 'Employee - Email Only'."
+					if ($EmailOnlyDetails) {
+						$WarnObj.reason += "(Reason: $EmailOnlyDetails)"
+					}
 				} elseif ($ContactType -like "Employee - Email Only" -and $ContactType -notlike "Employee - Part Time" -notlike "Shared Account" -and $ContactType -notlike "Employee - Multi User" -and 
-							$ContactType -notlike "Contractor" -and !$EmailOnly -and 'ToEmployee' -notin $IgnoreWarnings) {
-					#ToEmployee
-					$WarnObj.type = "ToEmployee"
+							$ContactType -notlike "Contractor" -and !$EmailOnly -and $EmailOnlyDetails -notlike "Mailbox is not a UserMailbox" -and 'ToEmployee' -notin $IgnoreWarnings -and 'ToEmployee[FromEmailOnly]' -notin $IgnoreWarnings) {
+					#ToEmployee[FromEmailOnly]
+					$WarnObj.type = "ToEmployee[FromEmailOnly]"
 					$WarnObj.reason = "AD account appears to be a full employee but is currently set to email only. Consider changing the IT Glue Contact type to 'Employee'."
+					if ($EmailOnlyDetails) {
+						$WarnObj.reason += "(Reason: $EmailOnlyDetails)"
+					}
 				} elseif ($ContactType -like "Employee - Part Time" -and $ContactType -notlike "Employee - Email Only" -notlike "Shared Account" -and $ContactType -notlike "Employee - Multi User" -and 
 							$ContactType -notlike "Contractor" -and ($ADMatch.Description -notlike "*part?time*" -and $ADMatch.Description -notlike "*casual*" -and
-							$ADMatch.Title -notlike "*part?time*" -and $ADMatch.Title -notlike "*casual*" -and !$PartTimeUsage) -and $PartTimeEmployeesByUsage -and !$EmailOnly -and 'ToEmployee' -notin $IgnoreWarnings) {
-					#ToEmployee
-					$WarnObj.type = "ToEmployee"
+							$ADMatch.Title -notlike "*part?time*" -and $ADMatch.Title -notlike "*casual*" -and !$PartTimeUsage) -and 
+							!$NoRecentUsage -and $PartTimeEmployeesByUsage -and !$EmailOnly -and 'ToEmployee' -notin $IgnoreWarnings -and 'ToEmployee[FromPartTime]' -notin $IgnoreWarnings) {
+					#ToEmployee[FromPartTime]
+					$WarnObj.type = "ToEmployee[FromPartTime]"
 					$WarnObj.reason = "AD account appears to be a full employee but is currently set to part time. Consider changing the IT Glue Contact type to 'Employee'."
+					$WarnObj.reason += " (Last Months Usage: $($LastMonthUsage)% [$($UsageStats.DaysActive.LastMonth) days])"
 				} elseif (!$ContactType) {
 					#ToEmployee
 					$WarnObj.type = "ToEmployee"
@@ -2854,6 +2893,7 @@ if ($FullMatches) {
 
 			# If email only accounts might have an associated AD account, lets check if the groups make this look like an email only user
 			$EmailOnly = $false
+			$EmailOnlyDetails = ""
 			if ($EmailOnlyHaveAD -and $HasAD -and $ADEnabled -and $O365Match.RecipientTypeDetails -like 'UserMailbox' -and $ADMatch.ad.PSObject.Properties.Name -contains "Groups") {
 				$EmployeeGroups = @()
 				foreach ($Group in $ADMatch.ad.Groups) {
@@ -2862,8 +2902,11 @@ if ($FullMatches) {
 					}
 				}
 				if (($EmployeeGroups | Measure-Object).Count -eq 0) {
+					$EmailOnlyDetails = "Not in any employee AD groups."
 					$EmailOnly = $true
 				}
+			} elseif ($O365Match.RecipientTypeDetails -notlike 'UserMailbox') {
+				$EmailOnlyDetails = "Mailbox is not a UserMailbox"
 			}
 
 			# If not doing an AD check, lets use the O365 licenses and any devices assigned in O365 to device if this is an email only user
@@ -2875,6 +2918,7 @@ if ($FullMatches) {
 					if (($O365Devices | Measure-Object).Count -eq 0) {
 						$IntuneDevices = Get-AzureADUserOwnedDevice -ObjectId $O365Match.AAD_ObjectID
 						if (($IntuneDevices | Measure-Object).Count -eq 0) {
+							$EmailOnlyDetails = "No devices activated in O365 or assigned in InTune."
 							$EmailOnly = $true
 						}
 					}
@@ -2886,10 +2930,12 @@ if ($FullMatches) {
 				if (($O365Licenses_NotEmailOnly | Measure-Object).Count -gt 0) {
 					$O365Devices = Get-AzureADUserRegisteredDevice -ObjectId $O365Match.AAD_ObjectID
 					if (($O365Devices | Measure-Object).Count -gt 0) {
+						$EmailOnlyDetails = "Has the following O365 Activated Devices: " + ($O365Devices.DisplayName -join ", ")
 						$EmailOnly = $false
 					} else {
 						$IntuneDevices = Get-AzureADUserOwnedDevice -ObjectId $O365Match.AAD_ObjectID
 						if (($IntuneDevices | Measure-Object).Count -gt 0) {
+							$EmailOnlyDetails = "Has the following assigned InTune Devices: " + ($IntuneDevices.DisplayName -join ", ")
 							$EmailOnly = $false
 						}
 					}
@@ -2907,6 +2953,7 @@ if ($FullMatches) {
 					$AssignedDevices = $Existing_RelatedItems | Where-Object { $_.attributes.'asset-type' -eq 'configuration' -and $_.attributes.notes -like "*User*" -and !$_.attributes.archived }
 
 					if ($AssignedDevices -and ($AssignedDevices | Measure-Object).count -gt 0) {
+						$EmailOnlyDetails = "Has the following devices assigned in ITG: " + ($AssignedDevices.name -join ", ")
 						$EmailOnly = $false
 					}
 				}
@@ -2979,25 +3026,31 @@ if ($FullMatches) {
 				$WarnObj.type = "ToEmailOnly"
 				if ($EmailOnly) {
 					$WarnObj.reason = "$EmailType account has an associated AD account but it appears to be email-only. Consider changing the IT Glue Contact type to 'Employee - Email Only'. Alternatively: 'External User' or 'Internal / Shared Mailbox'."
+					if ($EmailOnlyDetails) {
+						$WarnObj.reason += "(Reason: $EmailOnlyDetails)"
+					}
 				} else {	
 					$WarnObj.reason = "$EmailType account has no associated AD account. Consider changing the IT Glue Contact type to 'Employee - Email Only'. Alternatively: 'External User' or 'Internal / Shared Mailbox'."
 				}
 			} elseif (!$CheckAD -and $ContactType -notlike "Employee - Email Only" -and $ContactType -notlike "External User" -and $ContactType -notlike "Internal / Shared Mailbox" -and $EmailOnly -and $O365Match.RecipientTypeDetails -like 'UserMailbox' -and 'ToEmailOnly' -notin $IgnoreWarnings) {
 				# ToEmailOnly (without AD)
 				$WarnObj.type = "ToEmailOnly"
 				$WarnObj.reason = "$EmailType account appears to be email-only based on O365 licenses and assigned devices. Consider changing the IT Glue Contact type to 'Employee - Email Only'. Alternatively: 'External User' or 'Internal / Shared Mailbox'."
+				if ($EmailOnlyDetails) {
+					$WarnObj.reason += "(Reason: $EmailOnlyDetails)"
+				}
 			} elseif ($ContactType -notlike "Employee - Part Time" -and $ContactType -notlike "Employee - Email Only" -and $ContactType -notlike "Shared Account" -and $ContactType -notlike "Employee - Multi User" -and 
 						($O365Match.DisplayName -like "*part?time*" -or $O365Match.DisplayName -like "*casual*" -or
-						$O365Match.Title -like "*part?time*" -or $O365Match.Title -like "*casual*" -or $PartTimeUsage) -and 'ToEmployeePartTime' -notin $IgnoreWarnings) {
+						$O365Match.Title -like "*part?time*" -or $O365Match.Title -like "*casual*" -or (!$CheckAD -and !$NoRecentUsage -and $PartTimeUsage)) -and 'ToEmployeePartTime' -notin $IgnoreWarnings) {
 				# ToEmployeePartTime
 				$WarnObj.type = "ToEmployeePartTime"
 				$WarnObj.reason = "$EmailType account appears to be part time. Consider changing the IT Glue Contact type to 'Employee - Part Time'."
-				if ($PartTimeUsage) { $WarnObj.reason += " (Last Months Usage: $($LastMonthUsage)% [$($UsageStats.DaysActive.LastMonth) days])" }
-			} elseif ($ContactType -like "Employee - Part Time" -and $ContactType -notlike "Employee - Email Only" -and $ContactType -notlike "Shared Account" -and $ContactType -notlike "Employee - Multi User" -and 
+				$WarnObj.reason += " (Last Months Usage: $($LastMonthUsage)% [$($UsageStats.DaysActive.LastMonth) days])"
+			} elseif (!$CheckAD -and $ContactType -like "Employee - Part Time" -and $ContactType -notlike "Employee - Email Only" -and $ContactType -notlike "Shared Account" -and $ContactType -notlike "Employee - Multi User" -and 
 						$ContactType -notlike "Contractor" -and ($O365Match.DisplayName -notlike "*part?time*" -and $O365Match.DisplayName -notlike "*casual*" -and
 						$O365Match.Title -notlike "*part?time*" -and $O365Match.Title -notlike "*casual*" -and !$PartTimeUsage) -and $PartTimeEmployeesByUsage -and 'ToEmployee' -notin $IgnoreWarnings) {
-				#ToEmployee
-				$WarnObj.type = "ToEmployee"
+				#ToEmployee[FromPartTime]
+				$WarnObj.type = "ToEmployee[FromPartTime]"
 				$WarnObj.reason = "AD account appears to be a full employee but is currently set to part time. Consider changing the IT Glue Contact type to 'Employee'."
 			} elseif ($ContactType -notlike "Contractor" -and $ContactType -notlike "Employee - Email Only" -and 
 						($O365Match.DisplayName -like "*contract*" -or $O365Match.Title -like "*contract*") -and 'ToContractor' -notin $IgnoreWarnings) {
@@ -3014,7 +3067,7 @@ if ($FullMatches) {
 
 			if ($WarnObj.type) {
 				$Existing = $WarnContacts | Where-Object { $_.id -eq $MatchID }
-				if (!$Existing -or ($Existing -and $Existing.type -notlike $WarnObj.type)) {
+				if (!$Existing -or ($Existing -and ($Existing.type -replace "\[|\]", "") -notlike ($WarnObj.type -replace "\[|\]", ""))) {
 					if ($Existing -and ($WarnObj.type -eq 'MaybeTerminate' -or $WarnObj.type -eq 'ToTerminated')) {
 						if ($WarnObj.type -eq 'ToTerminated' -and $Existing.type -eq 'MaybeTerminate') {
 							$WarnContacts = [System.Collections.ArrayList] ($WarnContacts | Where-Object { $_.id -ne $MatchID })
@@ -3063,7 +3116,7 @@ if ($FullMatches) {
 				$WarnObj.reason = "ITG contact notes list 'Disabled', yet this account is not terminated. Please review and fix."
 			} elseif ($ContactType -notlike "Employee - Part Time" -and $ContactType -notlike "Shared Account" -and $ContactType -notlike "Employee - Multi User" -and 
 						($Contact.notes -like "*part?time*" -or $Contact.notes -like "*casual*" -or
-						$Contact.title -like "*part?time*" -or $Contact.title -like "*casual*" -or $PartTimeUsage) -and 'ToEmployeePartTime' -notin $IgnoreWarnings) {
+						$Contact.title -like "*part?time*" -or $Contact.title -like "*casual*" -or ($PartTimeUsage -and !$NoRecentUsage)) -and 'ToEmployeePartTime' -notin $IgnoreWarnings) {
 				# ToEmployeePartTime
 				$WarnObj.type = "ToEmployeePartTime"
 				$WarnObj.reason = "ITG account appears to be part time. Consider changing the IT Glue Contact type to 'Employee - Part Time'."