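# BG Builders - Disable Lesley Roth + Wipe Email from Device
# Employee: Lesley Roth (lesley@bgbuildersllc.com)
# Date: 2026-03-09
# Actions:
#   1. Block sign-in
#   2. Revoke all sessions
#   3. Reset password
#   4. Wipe email data from mobile devices (selective wipe + EAS wipe)
#
# Modules used: Microsoft.Graph.Authentication, Microsoft.Graph.Users,
# Microsoft.Graph.Users.Actions, Microsoft.Graph.DeviceManagement,
# ExchangeOnlineManagement. Both service connections are interactive.
#
# Any cmdlet failure is terminating ($ErrorActionPreference = "Stop"). The
# try/finally around the steps makes sure both service sessions are closed
# even when a step aborts part-way. The device lookups in STEPS 5/6 are the
# only deliberately non-fatal calls; a failed lookup is reported as a warning
# (and reflected in the summary) instead of being mistaken for "no devices".

$ErrorActionPreference = "Stop"

$tenantId  = "ededa4fb-f6eb-4398-851d-5eb3e11fab27"
$lesleyUPN = "lesley@bgbuildersllc.com"

#######################################
# New-RandomPassword
# Builds a throw-away password from the OS CSPRNG. The account is being
# disabled, so nobody needs to know the value - it only has to be
# unguessable. Characters are drawn with rejection sampling so every
# position is uniform over the alphabet, and repeats are allowed
# (Get-Random -Count samples without replacement, which shrinks the
# keyspace, and Get-Random is not documented as cryptographically strong).
# Arguments: -Length  number of characters (default 24)
# Returns:   the password as a plain string (Graph's passwordProfile
#            accepts only plain text)
#######################################
function New-RandomPassword {
    param([int]$Length = 24)
    # A-Z, a-z, 0-9 and ! # $ % & - same alphabet the script used before
    $alphabet = -join ((65..90) + (97..122) + (48..57) + (33,35,36,37,38) | ForEach-Object { [char]$_ })
    # Largest multiple of the alphabet size that fits in one byte; draws at or
    # above it are discarded so "% Length" does not favour the low characters.
    $limit = 256 - (256 % $alphabet.Length)
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $chars = New-Object char[] $Length
        $byte  = New-Object byte[] 1
        for ($i = 0; $i -lt $Length; $i++) {
            do { $rng.GetBytes($byte) } while ($byte[0] -ge $limit)
            $chars[$i] = $alphabet[$byte[0] % $alphabet.Length]
        }
        return -join $chars
    } finally {
        $rng.Dispose()
    }
}

$graphConnected    = $false
$exchangeConnected = $false
$intuneLookupOk    = $false   # set once STEP 5 has actually enumerated devices
$easLookupOk       = $false   # set once STEP 6 has actually enumerated devices

Write-Output "========================================="
Write-Output " BG Builders - Disable Lesley Roth"
Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
Write-Output "========================================="

try {
    # --- STEP 1: Connect to Microsoft Graph ---
    Write-Output "`n[STEP 1] Connecting to Microsoft Graph..."
    Import-Module Microsoft.Graph.Authentication
    Import-Module Microsoft.Graph.Users
    Import-Module Microsoft.Graph.Users.Actions
    # PrivilegedOperations.All is what the retire (selective wipe) in STEP 5 needs
    Connect-MgGraph -TenantId $tenantId -Scopes 'User.ReadWrite.All','Directory.ReadWrite.All','DeviceManagementManagedDevices.ReadWrite.All','DeviceManagementManagedDevices.PrivilegedOperations.All' -NoWelcome
    $graphConnected = $true
    Write-Output "[OK] Connected to Graph"

    $lesley = Get-MgUser -UserId $lesleyUPN -Property Id,DisplayName,AccountEnabled,AssignedLicenses
    Write-Output "[INFO] Current state: AccountEnabled=$($lesley.AccountEnabled)"

    # --- STEP 2: Block sign-in ---
    Write-Output "`n[STEP 2] Blocking sign-in..."
    Update-MgUser -UserId $lesley.Id -AccountEnabled:$false
    # Read the flag back instead of trusting the write: every later step and
    # the closing summary assume the lockout is actually in place.
    $verify = Get-MgUser -UserId $lesley.Id -Property AccountEnabled
    if ($verify.AccountEnabled) {
        throw "Sign-in block did not apply: AccountEnabled is still true for $lesleyUPN"
    }
    Write-Output "[OK] Sign-in blocked"

    # --- STEP 3: Revoke all sessions ---
    Write-Output "`n[STEP 3] Revoking all active sessions..."
    Revoke-MgUserSignInSession -UserId $lesley.Id
    Write-Output "[OK] All sessions revoked"

    # --- STEP 4: Reset password ---
    Write-Output "`n[STEP 4] Resetting password..."
    $newPassword = New-RandomPassword -Length 24
    $params = @{
        passwordProfile = @{
            forceChangePasswordNextSignIn = $true
            password = $newPassword
        }
    }
    Update-MgUser -UserId $lesley.Id -BodyParameter $params
    # Drop the plaintext from the session once it has been sent; it is never
    # printed or stored anywhere else.
    $newPassword = $null
    $params = $null
    Write-Output "[OK] Password reset to random value"

    # --- STEP 5: Wipe email from devices (Intune managed) ---
    Write-Output "`n[STEP 5] Checking for Intune-managed devices..."
    Import-Module Microsoft.Graph.DeviceManagement
    # The lookup is the one call allowed to fail (e.g. tenant without Intune).
    # It is made explicitly non-fatal and its error captured, so a failed
    # enumeration is reported as such instead of looking like "no devices".
    $lookupErr = @()
    $devices = Get-MgDeviceManagementManagedDevice -Filter "userPrincipalName eq '$lesleyUPN'" -ErrorAction SilentlyContinue -ErrorVariable lookupErr
    if ($lookupErr.Count -gt 0) {
        Write-Warning "Intune device lookup failed: $($lookupErr[0])"
    } else {
        $intuneLookupOk = $true
        if ($devices) {
            foreach ($device in $devices) {
                Write-Output " Found: $($device.DeviceName) ($($device.OperatingSystem)) - ID: $($device.Id)"
                Write-Output " Initiating selective wipe (company data only)..."
                # Retire removes company data and management; personal data is left alone
                Invoke-MgRetireDeviceManagementManagedDevice -ManagedDeviceId $device.Id
                Write-Output " [OK] Selective wipe queued for $($device.DeviceName)"
            }
        } else {
            Write-Output "[INFO] No Intune-managed devices found"
        }
    }

    # --- STEP 6: Wipe email from devices (Exchange ActiveSync) ---
    Write-Output "`n[STEP 6] Connecting to Exchange Online..."
    Import-Module ExchangeOnlineManagement
    Connect-ExchangeOnline -UserPrincipalName "sysadmin@bgbuildersllc.com" -ShowBanner:$false
    $exchangeConnected = $true
    Write-Output "[OK] Connected to Exchange Online"

    Write-Output "Checking for ActiveSync devices..."
    $lookupErr = @()
    $easDevices = Get-MobileDevice -Mailbox $lesleyUPN -ErrorAction SilentlyContinue -ErrorVariable lookupErr
    if ($lookupErr.Count -gt 0) {
        Write-Warning "ActiveSync device lookup failed: $($lookupErr[0])"
    } else {
        $easLookupOk = $true
        if ($easDevices) {
            foreach ($eas in $easDevices) {
                Write-Output " Found EAS device: $($eas.FriendlyName) ($($eas.DeviceOS))"
                # -AccountOnly removes this mailbox's data only, not a full device wipe
                Clear-MobileDevice -Identity $eas.Identity -AccountOnly -Confirm:$false
                Write-Output " [OK] Account-only wipe initiated for $($eas.FriendlyName)"
            }
            Write-Output "[OK] All EAS devices queued for account wipe"
        } else {
            Write-Output "[INFO] No EAS mobile devices found"
        }
    }

    # --- DONE ---
    Write-Output "`n========================================="
    Write-Output " DISABLE + DEVICE WIPE COMPLETE"
    Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
    Write-Output "========================================="
    Write-Output ""
    Write-Output "Summary:"
    Write-Output " [OK] Sign-in blocked"
    Write-Output " [OK] Sessions revoked"
    Write-Output " [OK] Password reset"
    # Only claim the wipe was initiated when both enumerations actually ran;
    # a lookup failure above means some devices may still hold mail.
    if ($intuneLookupOk -and $easLookupOk) {
        Write-Output " [OK] Device email wipe initiated (Intune + EAS)"
    } else {
        Write-Output " [WARN] Device email wipe incomplete - see warnings above (Intune lookup ok: $intuneLookupOk, EAS lookup ok: $easLookupOk)"
    }
    Write-Output ""
    Write-Output "[INFO] Mailbox is still accessible - run full termination script"
    Write-Output " when ready to convert to shared, remove license, etc."
} finally {
    # Always tear down the sessions, whether the steps completed or threw.
    if ($exchangeConnected) { Disconnect-ExchangeOnline -Confirm:$false }
    if ($graphConnected) { Disconnect-MgGraph }
}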