Disable Exchange Online Remote PowerShell for users as a scheduled task
This PowerShell script can run unattended as a scheduled task. It enumerates the members of the Global Administrator directory role, then removes Remote PowerShell access from every user who currently has it and is not a global administrator.

Two points to be aware of before you schedule it:

- Only Global Administrators are exempted. An account that manages Exchange through another role (Exchange Administrator, for example) still loses Remote PowerShell, so widen the exemption if you have such accounts.
- The script itself is unaffected because it connects app-only with a certificate (see Prerequisites). That certificate's private key is therefore an admin credential for the tenant: keep it non-exportable and readable only by the account the task runs as.

```powershell
# See Prerequisites section below to create these two certificate connection scripts
& C:\scripts\connect-certificate.ps1          # Connect-ExchangeOnline (app-only, certificate)
& C:\scripts\connect-azureadcertificate.ps1   # Connect-AzureAD (app-only, certificate)

# Resolve the Global Administrator role and its current members
$GlobalAdminRole = Get-AzureADDirectoryRole -Filter "displayName eq 'Global Administrator'"
$GlobalAdmins    = Get-AzureADDirectoryRoleMember -ObjectId $GlobalAdminRole.ObjectId

# Safety check: with an empty admin list, "-notin" below would match everyone
# and the script would strip Remote PowerShell from the global admins too.
if (-not $GlobalAdminRole -or -not $GlobalAdmins) {
    throw "Could not resolve Global Administrator role membership; refusing to continue."
}

# Every user object Exchange knows about, then the subset that still has Remote PowerShell
$AllUsers            = Get-User -ResultSize Unlimited
$UsersWithPowerShell = $AllUsers | Where-Object { $_.RemotePowerShellEnabled -eq $true }

# Anyone with Remote PowerShell who is not a Global Administrator
$UsersWhoAreNotGlobalAdmins = $UsersWithPowerShell |
    Where-Object { $_.UserPrincipalName -notin $GlobalAdmins.UserPrincipalName }

$counter = @($UsersWhoAreNotGlobalAdmins).Count
$current = 1

if ($counter -gt 0) {
    Write-Host "Users who currently have remote PowerShell access: $(@($UsersWithPowerShell).Count)"
    foreach ($user in $UsersWhoAreNotGlobalAdmins) {
        Write-Host "Removing PowerShell access from user $current of $counter ($($user.UserPrincipalName))"
        Set-User -Identity $user.UserPrincipalName -RemotePowerShellEnabled $false
        # Optional: also apply an authentication policy that blocks basic auth.
        # The policy named here must already exist in the tenant.
        #Set-User -Identity $user.UserPrincipalName -AuthenticationPolicy "Block Basic Auth"
        $current++
    }
}
else {
    Write-Host "There are no non-global admin users with PowerShell access"
}
```

Download the script (here).

Prerequisites: Create two Azure AD application registrations, each with a certificate uploaded as its credential, so both connections can run without a user and without a stored password: (1) Exchange, granted the Exchange.ManageAsApp application permission (Office 365 Exchange Online) and with its service principal assigned the Exchange Administrator role, so that Connect-ExchangeOnline can authenticate with -AppId and -CertificateThumbprint; (2) Azure AD, with its service principal assigned a directory role that can read role membership (Directory Readers is sufficient), so that Connect-AzureAD can authenticate with -ApplicationId and -CertificateThumbprint. Note that Microsoft has since retired the AzureAD module; the same lookup in the Microsoft Graph PowerShell SDK is Get-MgDirectoryRoleMember, with Connect-MgGraph taking -ClientId, -TenantId and -CertificateThumbprint.

TIP: When creating the Scheduled Task, the account it runs as must hold the "Log on as a batch job" user right, which is the right Task Scheduler checks for a task that runs with stored credentials whether or not the user is logged on ("Log on as a service" applies to Windows services, not scheduled tasks). The 'action' to start a program points to c:\windows\system32\windowspowershell\v1.0\powershell.exe and the arguments are: -File "c:\scripts\scriptname.ps1" (adding -NonInteractive in front of -File ensures a stray prompt can never leave the task hanging).
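The page refers to the two certificate connection scripts but does not show them. The following is an added example of what C:\scripts\connect-certificate.ps1 and C:\scripts\connect-azureadcertificate.ps1 can contain; it is not the author's code. The tenant name, application IDs, tenant ID and thumbprints are placeholders, and the two sections can be saved as separate files exactly as the main script expects, or run together as one file.

```powershell
# ---- C:\scripts\connect-certificate.ps1 ----
# App-only connection to Exchange Online with a certificate (added example; values are placeholders).
$Organization  = 'contoso.onmicrosoft.com'                  # assumed: tenant's initial .onmicrosoft.com domain
$ExoAppId      = '00000000-0000-0000-0000-000000000000'     # assumed: client ID of app registration (1) Exchange
$ExoThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'  # assumed: thumbprint of the certificate uploaded to that app

# Locate the certificate in the machine or task-account store and insist on a usable private key,
# so a missing or exportable-key-only cert fails here with a clear message instead of inside Connect-*.
$exoCert = Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\CurrentUser\My -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $ExoThumbprint } | Select-Object -First 1
if (-not $exoCert)               { throw "Certificate $ExoThumbprint not found in LocalMachine\My or CurrentUser\My." }
if (-not $exoCert.HasPrivateKey) { throw "Certificate $ExoThumbprint has no private key accessible to this account." }

Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-ExchangeOnline -AppId $ExoAppId -Certificate $exoCert -Organization $Organization -ShowBanner:$false

# Fail fast if the session did not come up; the main script depends on Get-User and Set-User being available.
if (-not (Get-Command Get-User -ErrorAction SilentlyContinue)) {
    throw "Connect-ExchangeOnline did not expose the Exchange cmdlets; check the app's role and permission."
}

# ---- C:\scripts\connect-azureadcertificate.ps1 ----
# App-only connection to Azure AD with a certificate (added example; values are placeholders).
$TenantId      = '11111111-1111-1111-1111-111111111111'     # assumed: directory (tenant) ID
$AadAppId      = '22222222-2222-2222-2222-222222222222'     # assumed: client ID of app registration (2) Azure AD
$AadThumbprint = '89ABCDEF0123456789ABCDEF0123456789ABCDEF'  # assumed: thumbprint of the certificate uploaded to that app

Import-Module AzureAD -ErrorAction Stop
# Connect-AzureAD resolves the thumbprint from the certificate store itself; the private key must be
# readable by the account the scheduled task runs as.
$null = Connect-AzureAD -TenantId $TenantId -ApplicationId $AadAppId -CertificateThumbprint $AadThumbprint

# Prove the connection can do what the main script needs: read Global Administrator membership.
$gaRole = Get-AzureADDirectoryRole -Filter "displayName eq 'Global Administrator'"
if (-not $gaRole) {
    throw "Connected to Azure AD but the Global Administrator role is not visible; check the app's directory role."
}
```

Both sections throw rather than warn on failure on purpose: the main script runs `-notin` against the admin list, so a half-connected session is more dangerous than no session at all.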
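The TIP describes the task settings in the Task Scheduler UI. As an added example (not from the original post), the same task can be registered from PowerShell, which also lets you verify the "Log on as a batch job" right before the first run instead of discovering a 0x41301/failed logon the next morning. Task name, script path, account name and schedule are assumptions.

```powershell
# Register the unattended task from PowerShell (added example; names and times are assumptions).
$TaskName   = 'Disable-EXO-RemotePowerShell'                   # assumed
$ScriptPath = 'C:\scripts\Disable-RemotePowerShell.ps1'        # assumed: the script from this post
$RunAs      = 'CONTOSO\svc-exo-task'                            # assumed: dedicated account; it needs only the certificate,
                                                               # not any Exchange or Azure AD role of its own

# 1. Check that the account directly holds SeBatchLogonRight ("Log on as a batch job").
#    secedit needs an elevated session; the check is advisory because rights inherited
#    through group membership are not expanded here.
$sid = (New-Object System.Security.Principal.NTAccount($RunAs)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol-export.cfg'
secedit /export /cfg $cfg /quiet | Out-Null
$batchLine = Select-String -Path $cfg -Pattern '^SeBatchLogonRight' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $batchLine -or $batchLine.Line -notmatch [regex]::Escape("*$sid")) {
    Write-Warning "$RunAs is not directly granted 'Log on as a batch job'; grant it (or confirm a group grants it) or the task will fail to start."
}

# 2. Build the task: same action as the post (powershell.exe -File ...), plus -NonInteractive so a prompt
#    can never hang the run, a daily trigger, and a hard time limit so a stuck connection does not linger.
$action = New-ScheduledTaskAction `
    -Execute "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -Argument "-NonInteractive -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger  = New-ScheduledTaskTrigger -Daily -At '02:00'
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

# 3. Register with stored credentials so it runs whether or not the account is logged on.
#    -RunLevel Limited: the script needs no local admin rights, only access to the certificate private key.
$cred = Get-Credential -UserName $RunAs -Message 'Password for the scheduled task account'
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited

# Confirm what was registered (LogonType should read Password for a run-when-not-logged-on task).
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State, @{n='RunAs';e={$_.Principal.UserId}}, @{n='LogonType';e={$_.Principal.LogonType}}
```

Registering under a dedicated account rather than an administrator's keeps the blast radius to the certificate itself: if the host is compromised, the attacker gains the app-only Exchange access the certificate represents, but not an interactive admin logon.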