Setting administrative permissions on all your OneDrive for Business accounts

Managing permissions on your users' OneDrive for Business storage is a chore: there is no direct interface to do this in bulk, and the per-user interface is not easy to find. Plenty of articles explain how to do this for ONE user through the GUI, but few explain how to do it in bulk for several users at once.

And when you're migrating, for example, hundreds or thousands of home directories to OneDrive for Business, you'll want to automate setting permissions on all these users in bulk.

Fortunately, this can be scripted using PowerShell, probably after you've bulk-provisioned your users in OneDrive for Business.

Download the following script and configure it. The requirements for the script are in the script header.

ODFB_RA_v0.1

Source code:

########
#ODFB Rights Administration
#Copyright:     Free to use, please leave this header intact
#Author:        Jos Lieben (OGD)
#Company:       OGD (http://www.ogd.nl)
#Script help:   http://www.lieben.nu
#Purpose:       Give an administrator rights on all Onedrive for Business accounts
########
#Requirements:
########
<#
    Powershell 4
    .NET 4.5
    Sharepoint Online Management Shell (X64) http://www.microsoft.com/en-us/download/details.aspx?id=35588
    Sharepoint Server 2013 Client Components https://www.microsoft.com/en-us/download/details.aspx?id=42038
    run "Set-Executionpolicy Unrestricted" in an elevated powershell window
    Windows 7+ or Windows Server 2008+
#>

$o365login     = "admin@ogdemo1.onmicrosoft.com"           #Username of O365 Admin
$o365pw        = ""                                        #Password of O365 Admin
$logfile       = ($env:APPDATA + "\ODFB_RA.log")           #Logfile in case of errors
$spAdminURL    = "https://ogdemo1-admin.sharepoint.com"    #URL to your SP Admin site
$spMyURL       = "https://ogdemo1-my.sharepoint.com"       #URL to your SP MySites


#Start script
ac $logfile "-----$(Get-Date) ODFB_RA v0.1 $($env:COMPUTERNAME) Session log-----`n"

#build Credential Object
$secpasswd = ConvertTo-SecureString $o365pw -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential ($o365login, $secpasswd)

#Load sharepoint module
try{
    foreach($assembly in "Microsoft.SharePoint.Client","Microsoft.SharePoint.Client.Runtime","Microsoft.SharePoint.Client.UserProfiles"){
        #LoadWithPartialName returns $null instead of throwing when an assembly is missing
        if(-not [System.Reflection.Assembly]::LoadWithPartialName($assembly)){
            throw "Assembly $assembly not found"
        }
    }
}catch{
    $errorstring = "ERROR: Failed to load Sharepoint Libraries, exiting"
    ac $logfile $errorstring
    Write-Host $errorstring
    Pause
    Exit
}
#load SPOnline module
$env:PSModulePath += ";C:\Program Files\SharePoint Online Management Shell\"
try{
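    #-ErrorAction Stop turns a failed import into a terminating error so the catch block runs
    Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop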
}catch{
    $errorstring = "ERROR: Failed to load Sharepoint Online module, exiting"
    ac $logfile $errorstring
    ac $logfile $error[0]
    Write-Host $errorstring
    Pause
    Exit
}

#Build sP credential object
$creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($o365login,$secpasswd)

#build proxy
$proxyaddr = "$spAdminURL/_vti_bin/UserProfileService.asmx?wsdl"
$UserProfileService= New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential False
$UserProfileService.Credentials = $creds

$strAuthCookie = $creds.GetAuthenticationCookie($spAdminURL)
$uri = New-Object System.Uri($spAdminURL)
$container = New-Object System.Net.CookieContainer
$container.SetCookies($uri, $strAuthCookie)
$UserProfileService.CookieContainer = $container
try{
    $UserProfileResult = $UserProfileService.GetUserProfileByIndex(-1)
}catch{
    $errorstring = "Critical error, unable to get profiles"
    ac $logfile $errorstring
    ac $logfile $error[0]
    Write-Host $errorstring $error[0]
    Pause
    Exit
}
$NumProfiles = $UserProfileService.GetUserProfileCount()
$i = 1
$ProfileURLs = @()

Write-Host "Begin discovery of $NumProfiles profiles"
While ($UserProfileResult.NextValue -ne -1) 
{
    Write-Host "Checking profile $i of $NumProfiles"
    $Prop = $UserProfileResult.UserProfile | Where-Object { $_.Name -eq "PersonalSpace" } 
    $Url= $Prop.Values[0].Value
    if ($Url) {
        Write-Host "Adding $Url to the list"
        $ProfileURLs += $Url
    }
    $UserProfileResult = $UserProfileService.GetUserProfileByIndex($UserProfileResult.NextValue)
    $i++
}
Write-Host "Finished discovery of profiles"

Write-Host "Connecting to Sharepoint Online"
try{
    Connect-SPOService -Url $spAdminURL -Credential $Credentials
}catch{
    $errorstring = "Critical error, unable to Connect to Sharepoint Online"
    ac $logfile $errorstring
    ac $logfile $error[0]
    Write-Host $errorstring $error[0]
    Pause
    Exit
}

Write-Host "Start processing profiles"

foreach($profileURL in $ProfileURLs){
    $fullPath = "$spMyURL$profileURL".TrimEnd("/")
    Write-Host "Processing $fullPath"
    try{
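        #-ErrorAction Stop makes sure a failed grant reaches the catch block instead of being reported as success
        Set-SPOUser -Site $fullPath -LoginName $o365login -IsSiteCollectionAdmin $true -ErrorAction Stop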
        Write-Host "$o365login permissions added to $fullPath"
    }catch{
        $errorstring = "Failed adding $o365login permissions to $fullPath"
        ac $logfile $errorstring
        ac $logfile $error[0]
        Write-Host $errorstring $error[0]      
    }
}

ac $logfile "Script finished"
Write-Host "Job Finished"
Pause
Exit
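
The script above leaves one account as site collection administrator on every OneDrive, so the grant should be removed again once the migration is finished. The following is an added example, not part of the original ODFB_RA script, that reverses the grant and writes a CSV record of what was changed. The parameter names and report path are assumptions, and the URLs reuse the demo tenant from the script above.

```powershell
# Added example: revoke the site collection admin grant made by the script above.
# Run without -Apply first for a dry run, then review the CSV before applying.
param(
    [string]$AdminUrl   = "https://ogdemo1-admin.sharepoint.com",         # same demo tenant as above
    [string]$LoginName  = "admin@ogdemo1.onmicrosoft.com",                # account to remove again
    [string]$ReportPath = (Join-Path $env:APPDATA "ODFB_RA_revoke.csv"),  # hypothetical report file
    [switch]$Apply                                                        # without this, nothing is changed
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

# No -Credential: current versions of the module prompt interactively,
# so no admin password has to be stored in the script file.
Connect-SPOService -Url $AdminUrl

# Enumerate every OneDrive for Business site collection in the tenant
$sites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$report = foreach ($site in $sites) {
    $result = "would revoke"
    if ($site.Owner -eq $LoginName) {
        # Never strip the account from its own OneDrive
        $result = "skipped (owner)"
    }
    elseif ($Apply) {
        try {
            Set-SPOUser -Site $site.Url -LoginName $LoginName `
                -IsSiteCollectionAdmin $false -ErrorAction Stop | Out-Null
            $result = "revoked"
        }
        catch {
            $result = "failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        Site   = $site.Url
        Owner  = $site.Owner
        Result = $result
        Time   = Get-Date
    }
}

# Keep a record of what was changed, then print a per-result summary
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object Result | Select-Object Count, Name
```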

Hendrik Hirsch

Hey Jos, I wonder if there is a script to revoke the user permissions again. In case anyone did it for the wrong user, or just want to change the user. Looking forward to hearing from you. Cheers
Hendrik

Peter Mercer

This script is great almost 4 years later! Even after Microsoft released their SharePoint migration tool they didn’t give good guidance on setting these permissions. This script is very easy to use and makes migrations much easier.

Antoine

Hi, I know it’s been a long time since you wrote this but I have a problem using the script.
In our company we enable MFA and when I try to build the proxy I get an error: The sign-in name or password does not match one in the Microsoft account system. I know I have the good password/username. I think this error came from the MFA authentication. Can you help?

jaffer

Do we need to be a global administrator to accomplish the OneDrive provisioning?

Steve

This works.
I consider this good practice for OFB admins, although you rarely need to enter staff and student areas. Being able to add documents or folders, bulk is worth it.
I had no errors. Ran perfectly. 1400 clients.
