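<#
.SYNOPSIS
    Provisions a MyWorkDrive guest: an on-premises AD account plus an Azure AD B2B
    guest invitation, each added to its guest group.

.DESCRIPTION
    Builds a username from the first initial and last name (falling back to
    first initial + middle initial + last name when the first form is taken),
    verifies the target OU exists, creates the AD account with a random, never
    disclosed password and smart-card logon required, moves its primary group
    to the NTFS guest group, and finally invites the same e-mail address as an
    Azure AD guest and adds the resulting guest object to the cloud guest group.

    The site-specific values ($NTFSGroup, $Location, $Title, $Description,
    $AADomain, $AADGroup, $MWDURL) are set in the "Custom Variables" section.

.PARAMETER FirstName
    Guest's given name. Its first character seeds the username.
.PARAMETER LastName
    Guest's surname.
.PARAMETER Email
    Guest's external e-mail address; used as the AD UserPrincipalName and as the
    Azure AD invitation address.
.PARAMETER MiddleInitial
    Optional. Only used to build the fallback username when the first
    initial + last name form is already taken.

.NOTES
    Errors are terminating ($ErrorActionPreference = 'Stop'): if the Azure AD
    half fails, the on-premises account has already been created and must be
    cleaned up by hand.
    NOTE(review): the parameters accept pipeline input by property name, but
    without a process {} block only the last piped object is acted on — confirm
    callers invoke the script once per guest.
#>
#Requires -Modules ActiveDirectory, AzureAD
[CmdletBinding()]
param (
    [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$FirstName,

    [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$LastName,

    [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
    [ValidateNotNullOrEmpty()]
    [string]$Email,

    # Was referenced but never declared in the original; an undeclared value
    # expands to '' so the "alternate" username was identical to the first.
    [Parameter(ValueFromPipelineByPropertyName)]
    [string]$MiddleInitial
)

$ErrorActionPreference = 'Stop'
Set-StrictMode -Version Latest

#######################################
# Complete Custom Variables Below
#######################################
# Input the Active Directory NTFS group you created here
$NTFSGroup = 'MWF-Guest'
# Input the OU where you wish to store active directory guest user accounts here
$Location = 'OU=Domain Guests'
# Input desired Guest User title and description here
$Title = 'MWD Guest User'
$Description = 'MWD Guest User'
# Input your azure ad domain here
$AADomain = 'contoso.com'
# Input your Cloud Based Azure AD Guest User Group here
$AADGroup = 'MWD-Guest'
# Input your MyWorkDrive SAML Web Address here
$MWDURL = 'https://myworkdrive.yourdomain.com'

#######################################
# Escapes a value for use inside a single-quoted literal of an AD -Filter
# expression (or an OData filter): a ' in user-supplied data would otherwise
# terminate the literal and change the meaning of the query.
# Arguments: $Value - raw string
# Outputs:   the string with every ' doubled
#######################################
function ConvertTo-FilterLiteral {
    param([string]$Value)
    return $Value.Replace("'", "''")
}

#######################################
# Reports whether a candidate username already exists in AD.
# SamAccountName is the domain-unique value New-ADUser would reject; Name is
# what the original check looked at, so both are tested.
# Arguments: $Candidate - username to test
# Returns:   $true when an account matches, otherwise $false
#######################################
function Test-AdUsernameTaken {
    param([string]$Candidate)
    $literal = ConvertTo-FilterLiteral -Value $Candidate
    $existing = Get-ADUser -Filter "SamAccountName -eq '$literal' -or Name -eq '$literal'"
    return ($null -ne $existing)
}

#region Generate a random password
# The account is SmartcardLogonRequired, so this password is never handed to
# anyone; it only has to satisfy the domain policy at creation time.
$bytes = New-Object Byte[] 32
$rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
try {
    $rand.GetBytes($bytes)
}
finally {
    $rand.Dispose()
}
$DefaultPassword = [System.Convert]::ToBase64String($bytes)
#endregion

## Find the distinguished name of the domain the current computer is a part of.
$DomainDn = (Get-ADDomain).DistinguishedName

#region Work out the username from the company standard
## Define the 'standard' username (first initial and last name).
## ValidateNotNullOrEmpty on $FirstName guarantees Substring(0, 1) is in range.
$Username = "$($FirstName.Substring(0, 1))$LastName"
Write-Verbose -Message "Checking if [$Username] is available"
if (Test-AdUsernameTaken -Candidate $Username) {
    Write-Warning -Message "The username [$Username] is not available. Checking alternate..."
    if ([string]::IsNullOrEmpty($MiddleInitial)) {
        throw "No acceptable username schema could be created: [$Username] is taken and no -MiddleInitial was supplied for the alternate form"
    }
    ## First initial / middle initial / last name.
    $Username = "$($FirstName.Substring(0, 1))$MiddleInitial$LastName"
    if (Test-AdUsernameTaken -Candidate $Username) {
        throw "No acceptable username schema could be created"
    }
    Write-Verbose -Message "The alternate username [$Username] is available."
}
else {
    Write-Verbose -Message "The username [$Username] is available"
}
#endregion

#region Ensure the OU the user's going into exists
$ouDN = "$Location,$DomainDn"
$ouLiteral = ConvertTo-FilterLiteral -Value $ouDN
if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouLiteral'")) {
    throw "The user OU [$ouDN] does not exist. Can't add a user there"
}
#endregion

#region Create the new user
$newUserParams = @{
    UserPrincipalName      = $Email
    Name                   = $Username
    GivenName              = $FirstName
    Surname                = $LastName
    Title                  = $Title
    Description            = $Description
    SamAccountName         = $Username
    AccountPassword        = (ConvertTo-SecureString -String $DefaultPassword -AsPlainText -Force)
    Enabled                = $true
    Path                   = $ouDN
    ChangePasswordAtLogon  = $false
    # Guests authenticate via SAML/smart card only; the random password above is
    # never usable for interactive logon.
    SmartcardLogonRequired = $true
    # Return the created object so later steps bind to it rather than
    # re-resolving the name.
    PassThru               = $true
}
Write-Verbose -Message "Creating the new user account [$Username] in OU [$ouDN]"
$adUser = New-ADUser @newUserParams
#endregion

#region Add user to groups
Write-Verbose -Message "Adding the user account [$Username] to the group [$NTFSGroup]"
Add-ADGroupMember -Identity $NTFSGroup -Members $adUser
## The primary group must be changed to the guest group before membership in
## Domain Users can be removed (AD refuses to drop a user's primary group).
$ntfsGroup = Get-ADGroup -Identity $NTFSGroup -Properties primaryGroupToken
Set-ADUser -Identity $adUser -Replace @{ primaryGroupID = $ntfsGroup.primaryGroupToken }
Remove-ADGroupMember -Identity 'Domain Users' -Members $adUser -Confirm:$false
#endregion

#region Azure AD guest user invite
Connect-AzureAD -TenantDomain $AADomain
$invitationParams = @{
    InvitedUserDisplayName   = "$Description $FirstName $LastName"
    InvitedUserEmailAddress  = $Email
    InviteRedirectUrl        = $MWDURL
    SendInvitationMessage    = $true
}
$invitation = New-AzureADMSInvitation @invitationParams
## The invitation result carries the guest object's id; the original
## Get-AzureADUser -SearchString lookup was a prefix match and could return a
## different or an additional user.
$guestObjectId = $invitation.InvitedUser.Id

## -SearchString is also a prefix match for groups; filter on the exact
## display name and insist on a single hit so the guest cannot land in the
## wrong group.
$aadGroupLiteral = ConvertTo-FilterLiteral -Value $AADGroup
$aadGroups = @(Get-AzureADGroup -Filter "displayName eq '$aadGroupLiteral'")
if ($aadGroups.Count -ne 1) {
    throw "Expected exactly one Azure AD group named [$AADGroup], found $($aadGroups.Count)"
}
Write-Verbose -Message "Adding guest [$Email] to Azure AD group [$AADGroup]"
Add-AzureADGroupMember -ObjectId $aadGroups[0].ObjectId -RefObjectId $guestObjectId
#endregion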