365TUNE

1.9.1

Public/Permissions/Invoke-365TuneRevokeExchange.ps1

                                function Invoke-365TuneRevokeExchange {

    <#

    .SYNOPSIS

        Revokes Exchange Online View-Only Configuration role from the 365TUNE Enterprise App.

    .DESCRIPTION

        Removes the View-Only Configuration role assignment and Service Principal

        registration from Exchange Online. Safe to re-run — exits cleanly if

        nothing is found.

        Run from local PowerShell only (not Cloud Shell).

        Your account must have Global Administrator and Exchange Administrator rights.

    .EXAMPLE

        Invoke-365TuneRevokeExchange

    .NOTES

        Author  : Metawise Consulting LLC

        Module  : 365TUNE

        Version : 1.9.0

    #>

    [CmdletBinding()]

    param(

        [switch]$SkipAuth

    )

    $displayName = "365TUNE - Security and Compliance"

    Write-Host "`n══════════════════════════════════════════════════════" -ForegroundColor Cyan

    Write-Host "  365TUNE — Revoke Exchange Online Permissions" -ForegroundColor Cyan

    Write-Host "══════════════════════════════════════════════════════`n" -ForegroundColor Cyan

    # Step 1 — Check modules

    Write-Host "[1/4] Checking required modules..." -ForegroundColor Cyan

    foreach ($module in @("Az.Accounts", "ExchangeOnlineManagement")) {

        if (-not (Get-Module -ListAvailable -Name $module)) {

            Write-Host "      Installing $module..." -ForegroundColor Yellow

            Install-Module -Name $module -Force -Scope CurrentUser

        }

    }

    Import-Module Az.Accounts, ExchangeOnlineManagement

    Write-Host "      ✅ All modules ready." -ForegroundColor Green

    # Step 2 — Authenticate

    Write-Host "`n[2/4] Authenticating..." -ForegroundColor Cyan

    if (-not $SkipAuth) {

        Disconnect-AzAccount -ErrorAction SilentlyContinue | Out-Null

        Connect-AzAccount -WarningAction SilentlyContinue | Out-Null

    }

    $context = Get-AzContext

    if (-not $context) { throw "Not authenticated. Run without -SkipAuth or log in manually first." }

    Write-Host "      Tenant  : $($context.Tenant.Id)" -ForegroundColor Gray

    Write-Host "      Account : $($context.Account.Id)" -ForegroundColor Gray

    Write-Host "      ✅ Authenticated." -ForegroundColor Green

    # Step 3 — Connect to Exchange Online and check assignments

    Write-Host "`n[3/4] Connecting to Exchange Online..." -ForegroundColor Cyan

    Connect-ExchangeOnline -ShowBanner:$false

    Write-Host "      ✅ Connected." -ForegroundColor Green

    $existingAssignment = Get-ManagementRoleAssignment -ErrorAction SilentlyContinue |

        Where-Object { $_.RoleAssigneeName -eq $displayName -and $_.Role -eq "View-Only Configuration" }

    $existingSP = Get-ServicePrincipal -ErrorAction SilentlyContinue |

        Where-Object { $_.DisplayName -eq $displayName }

    if (-not $existingAssignment -and -not $existingSP) {

        Write-Host "`n══════════════════════════════════════════════════════" -ForegroundColor Cyan

        Write-Host "  No Exchange permissions found — nothing to revoke. ✅" -ForegroundColor Green

        Write-Host "══════════════════════════════════════════════════════`n" -ForegroundColor Cyan

        Disconnect-ExchangeOnline -Confirm:$false

        return

    }

    # Step 4 — Remove role and Service Principal

    Write-Host "`n[4/4] Removing role and Service Principal..." -ForegroundColor Cyan

    if ($existingAssignment) {

        try {

            Remove-ManagementRoleAssignment -Identity "$($existingAssignment.Name)" -Confirm:$false -ErrorAction Stop

            Write-Host "      ✅ View-Only Configuration role removed." -ForegroundColor Green

        } catch {

            if ($_.Exception.Message -like "*couldn't be found*" -or $_.Exception.Message -like "*NotFound*") {

                Write-Warning "      ⚠️  Role assignment not found — already removed"

            } else { throw }

        }

    } else {

        Write-Warning "      ⚠️  No role assignment found — already removed"

    }

    if ($existingSP) {

        try {

            Remove-ServicePrincipal -Identity $existingSP.Identity -Confirm:$false -ErrorAction Stop

            Write-Host "      ✅ Service Principal removed from Exchange Online." -ForegroundColor Green

        } catch {

            if ($_.Exception.Message -like "*couldn't be found*" -or $_.Exception.Message -like "*NotFound*") {

                Write-Warning "      ⚠️  Service Principal not found — already removed"

            } else { throw }

        }

    } else {

        Write-Warning "      ⚠️  No Service Principal found — already removed"

    }

    Disconnect-ExchangeOnline -Confirm:$false

    Write-Host "      Exchange Online session closed." -ForegroundColor Gray

    Write-Host "`n══════════════════════════════════════════════════════" -ForegroundColor Cyan

    Write-Host "  365TUNE Exchange Online permissions revoked. ✅" -ForegroundColor Green

    Write-Host "  Tenant  : $($context.Tenant.Id)" -ForegroundColor Green

    Write-Host "  Account : $($context.Account.Id)" -ForegroundColor Green

    Write-Host "══════════════════════════════════════════════════════`n" -ForegroundColor Cyan

}