Need some help walking through my thoughts for deprovisioning

We want to start using Active Roles to offboard users instead of our legacy methods.  Here is what I'm trying to accomplish:

For the deprovision policy, I want to take the user's mailbox, convert it to a shared mailbox, and give the manager full access.  All users have a manager assigned in AD, so that info is there.  Here is the catch: we are set up as a hybrid environment, but mailboxes are created with an E3 license (from a security group) and only live in Exchange Online.

Looking through the forums, just so I understand this right: I'll need to use the O365ServicesScriptExecution - Configuration to connect to Exchange Online, then create another script for converting the user mailbox to a shared mailbox and set the manager with full access.

Just want to make sure I'm going about this correctly and understanding everything.

Thanks

  • There's a KB article that addresses much of your use case.

    Here are some general pointers about the best practice around implementing a script using this feature:

    1. Initiate connection - $Context.O365ImportModules("MSOnline") # Believe this should be ExchangeOnlineManagement for your use case

    2. Build up all the lines of code you want to execute against your tenant into a CR/LF delimited string, something like:

    $ScriptBlockString = "New-Mailbox -Shared -Name `"$mailboxName`" -DisplayName `"$mailboxDisplayName`" -Alias `"$mailboxAlias`" | Set-Mailbox -GrantSendOnBehalfTo `"$mailboxOwner`"" + [System.Environment]::NewLine + "Add-MailboxPermission -Identity `"$mailboxName`" -User `"$mailboxOwner`" -AccessRights FullAccess -InheritanceType All"

    3. Pass this string to the $Context.O365ExecuteScriptCmd($ScriptBlockString)

    4. Close the connection to the tenant:  $context.O365RemoveAllModulesSessions()
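    The four steps above put together as an added example (my own code, not the KB article's or the answer's), assuming an Active Roles script module run from a workflow that has the O365 script execution configuration activity, and that the service host can query AD via ADSI. It reads the standard mail and manager attributes from $Request, resolves the manager DN to an address Exchange Online can identify, and single-quotes every value before embedding it in the script string so a mailbox name or address containing quotes or $ is passed as data rather than parsed as code in the tenant session; ConvertTo-PsLiteral is a hypothetical helper.

```powershell
# Hypothetical helper: wrap a value in single quotes and double any embedded quote, so the
# value is treated as a literal when the assembled script runs in the Exchange Online session.
function ConvertTo-PsLiteral {
    param([string]$Value)
    return "'" + ($Value -replace "'", "''") + "'"
}

function onDeprovision($Request)
{
    # Standard AD attributes of the user being deprovisioned (the thread states manager is always set)
    $userMail  = [string]$Request.Get("mail")
    $managerDn = [string]$Request.Get("manager")
    if ([string]::IsNullOrWhiteSpace($userMail)) {
        throw "Deprovision: user has no mail attribute, nothing to convert"
    }

    # Exchange Online cannot resolve an on-premises DN, so read the manager's mail address from AD
    # (assumes the Active Roles service host is domain-joined and can bind via ADSI)
    $managerMail = $null
    if (-not [string]::IsNullOrWhiteSpace($managerDn)) {
        $managerMail = [string]([ADSI]"LDAP://$managerDn").mail
    }

    # Step 2: build the CR/LF-delimited script. Convert the existing mailbox rather than creating a
    # new one, and only grant FullAccess when a manager address actually resolved.
    $lines = @("Set-Mailbox -Identity $(ConvertTo-PsLiteral $userMail) -Type Shared")
    if (-not [string]::IsNullOrWhiteSpace($managerMail)) {
        $lines += "Add-MailboxPermission -Identity $(ConvertTo-PsLiteral $userMail) -User $(ConvertTo-PsLiteral $managerMail) -AccessRights FullAccess -InheritanceType All -AutoMapping `$false"
    }
    $ScriptBlockString = $lines -join [System.Environment]::NewLine

    # Steps 1, 3 and 4; finally ensures the tenant session is removed even if the script fails
    $Context.O365ImportModules("ExchangeOnlineManagement")
    try {
        $Context.O365ExecuteScriptCmd($ScriptBlockString)
    }
    finally {
        $Context.O365RemoveAllModulesSessions()
    }
}
```

    If the manager attribute is empty or has no mail address, the mailbox is still converted but no permission is granted, which is safer than passing an empty or unresolvable identity to Add-MailboxPermission.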

  • I know this is from a while ago, but we are finally getting around to trying to use AR for deprovisioning.  I took what you wrote and created a script module:

    function onDeprovision($Request)
    {
        # Connect to the tenant selected in the workflow's O365 script execution configuration
        $Context.O365ImportModules("ExchangeOnlineManagement")

        # The original string referenced $mailboxName and $mailboxOwner without ever setting them
        $mailboxName  = [string]$Request.Get("mail")       # user's primary SMTP address
        $managerDn    = [string]$Request.Get("manager")    # on-premises DN, which Exchange Online cannot resolve
        $mailboxOwner = [string]([ADSI]"LDAP://$managerDn").mail

        # Convert the existing user mailbox to shared (New-Mailbox -Shared would try to create a new one),
        # then grant the manager full access
        $ScriptBlockString = "Set-Mailbox -Identity `"$mailboxName`" -Type Shared" + [System.Environment]::NewLine + "Add-MailboxPermission -Identity `"$mailboxName`" -User `"$mailboxOwner`" -AccessRights FullAccess -InheritanceType All"

        $Context.O365ExecuteScriptCmd($ScriptBlockString)

        $Context.O365RemoveAllModulesSessions()
    }

    I have debugging on, and looking at the script log it errored trying to connect to Exchange Online. We are running 8.2.1 and I have connected the sync service to connect to our Azure environment (the web GUI can see Exchange Online objects and all).  So I guess my question is for the script, do I need to declare creds somewhere for when it's connecting to o365 that I'm missing?

    Also, is there any way with AR to test scripts (like with PowerShell, where you can execute one line and see the results to verify things are working)?

    At line: 5 char:2. Exception calling "O365ImportModules" with "1" argument(s): "[O365PowerShellScriptExecution::ConnectExchangeOnlineWithModernAuth]: Error when trying to connect to Exchange Online with Modern Authentication. Please check login details. System.Management.Automation.RuntimeException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application. ---> System.InvalidOperationException: Showing a modal dialog box or form when the application is not running in UserInteractive mode is not a valid operation. Specify the ServiceNotification or DefaultDesktopOnly style to display a notification from a service application.

    *SIDE NOTE*
    The log had this part at the end.  Since I can't figure out how to run PowerShell scripts inside of Active Roles to get the approved verbs, I'm not sure how to see these.

    WARNING: The names of some imported commands from the module 'ActiveRolesManagementShell' include unapproved verbs that might make them less discoverable. To find the commands with unapproved verbs, run the Import-Module command again with the Verbose parameter. For a list of approved verbs, type Get-Verb.

  • So I guess my question is for the script, do I need to declare creds somewhere for when it's connecting to o365 that I'm missing?  

    Exactly.

    If you are going to use Context.O365... stuff, you need to have an O365 script execution configuration activity in your workflow.  This is where you select the tenant you want to talk to and confirm things like the Tenant ID, Tenant Name, Application (Client) ID, etc.

    You may find this content helpful.

    Feel free to post further questions on this.

  • One other thing - in order to use the Context.O365... properties & methods in your script, you need to execute the script from a workflow rather than as a script policy from your deprovisioning policy.  Deprovisioning is an action that can be a trigger for a Change Workflow, so no problem there.

  • OK, so let me get this straight: the order of operations would be that we could use either the Active Roles web GUI or the MMC, select the user, and deprovision that user.  Then by doing so, the tasks that we have set in the deprovisioning policy would kick off.  We would also have to set up a workflow that would kick off when a deprovision of a user was initiated, in which the workflow would connect to O365 and then run the script that would convert the mailbox to a shared mailbox?

    I was testing around a little bit today, and when I made a copy of the Enabling Azure Roles workflow, it looks like this workflow is set as an automation workflow, which I was thinking it should be a change workflow (using the deprovision of a user to kick it off).  I don't see a way to change the copy to a change workflow.  And if I create a change workflow, I don't see how to add the O365 script execution configuration.  Basically, when I click script and drag it in, I get the menu to point to where the script is located instead of the options to select the tenant and the tenant values.  Hope that makes sense.