Office 365, OneDrive for Business, Powershell, Sharepoint Online

Setting administrative permissions on all your Onedrive for Business accounts

12 Comments

Managing permissions on your user’s Onedrive for Business storage is a chore, there is no direct interface to do this in bulk, nor is the interface very easy to find. Plenty of articles explain how to do this for ONE user through the GUI, but few explain how to do this in bulk for several users at once.

And when you’re migrating, for example, hundreds or thousands of homedirectories to Onedrive For Business, you’ll want to automate setting permissions on all these users in bulk.

Fortunately, this can be scripted using Powershell, probably after you’ve bulk-provisioned your users in Onedrive for Business.

Download the following script and configure it, the requirements for the script are in the script header.

ODFB_RA_v0.1

Sourcecode:

########
#ODFB Rights Administration
#Copyright:     Free to use, please leave this header intact
#Author:        Jos Lieben (OGD)
#Company:       OGD (http://www.ogd.nl)
#Script help:   http://www.lieben.nu
#Purpose:       Give an administrator rights on all Onedrive for Business accounts
########
#Requirements:
########
<# Powershell 4 .NET 4.5 Sharepoint Online Management Shell (X64) http://www.microsoft.com/en-us/download/details.aspx?id=35588 Sharepoint Server 2013 Client Components https://www.microsoft.com/en-us/download/details.aspx?id=42038 run “Set-Executionpolicy Unrestricted” in an elevated powershell window Windows 7+ or Windows Server 2008+ #>

$o365login     = "admin@ogdemo1.onmicrosoft.com"           #Username of O365 Admin
$o365pw        = ""                                        #Password of O365 Admin
$logfile       = ($env:APPDATA + "\ODFB_RA.log")	       #Logfile in case of errors
$spAdminURL    = "https://ogdemo1-admin.sharepoint.com"    #URL to your SP Admin site
$spMyURL       = "https://ogdemo1-my.sharepoint.com"       #URL to your SP MySites


#Start script
ac $logfile "-----$(Get-Date) ODFB_RA v0.1 $($env:COMPUTERNAME) Session log-----`n"

#build Credential Object
$secpasswd = ConvertTo-SecureString $o365pw -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential ($o365login, $secpasswd)

#Load sharepoint module
try{
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client") | Out-Null
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime") | Out-Null
    [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles") | Out-Null
}catch{
    $errorstring = "ERROR: Failed to load Sharepoint Libraries, exiting"
    ac $logfile $errorstring
    Write-Host $errorstring
    Pause
    Exit
}
#load SPOnline module
$env:PSModulePath += ";C:\Program Files\SharePoint Online Management Shell\"
try{
    Import-Module Microsoft.Online.SharePoint.PowerShell
}catch{
    $errorstring = "ERROR: Failed to load Sharepoint Online module, exiting"
    ac $logfile $errorstring
    ac $logfile $error[0]
    Write-Host $errorstring
    Pause
    Exit
}

#Build sP credential object
$creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($o365login,$secpasswd)

#build proxy
$proxyaddr = "$spAdminURL/_vti_bin/UserProfileService.asmx?wsdl"
$UserProfileService= New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential False
$UserProfileService.Credentials = $creds

$strAuthCookie = $creds.GetAuthenticationCookie($spAdminURL)
$uri = New-Object System.Uri($spAdminURL)
$container = New-Object System.Net.CookieContainer
$container.SetCookies($uri, $strAuthCookie)
$UserProfileService.CookieContainer = $container
try{
    $UserProfileResult = $UserProfileService.GetUserProfileByIndex(-1)
}catch{
    $errorstring = "Critical error, unable to get profiles"
    ac $logfile $errorstring
    ac $logfile $error[0]
    Write-Host $errorstring $error[0]
    Pause
    Exit
}
$NumProfiles = $UserProfileService.GetUserProfileCount()
$i = 1
$ProfileURLs = @()

Write-Host "Begin discovery of $NumProfiles profiles"
While ($UserProfileResult.NextValue -ne -1) 
{
    Write-Host "Checking profile $i of $NumProfiles"
    $Prop = $UserProfileResult.UserProfile | Where-Object { $_.Name -eq "PersonalSpace" } 
    $Url= $Prop.Values[0].Value
    if ($Url) {
        Write-Host "Adding $Url to the list"
        $ProfileURLs += $Url
    }
    $UserProfileResult = $UserProfileService.GetUserProfileByIndex($UserProfileResult.NextValue)
    $i++
}
Write-Host "Finished discovery of profiles"

Write-Host "Connecting to Sharepoint Online"
try{
    Connect-SPOService -Url $spAdminURL -Credential $Credentials
}catch{
    $errorstring = "Critical error, unable to Connect to Sharepoint Online"
    ac $logfile $errorstring
    ac $logfile $error[0]
    Write-Host $errorstring $error[0]
    Pause
    Exit
}

Write-Host "Start processing profiles"

foreach($profileURL in $ProfileURLs){
    $fullPath = "$spMyURL$profileURL".TrimEnd("/")
    Write-Host "Processing $fullPath"
    try{
        Set-SPOUser -Site $fullPath -LoginName $o365login -IsSiteCollectionAdmin $true
        Write-Host "$o365login permissions added to $fullPath"
    }catch{
        $errorstring = "Failed adding $o365login permissions to $fullPath"
        ac $logfile $errorstring
        ac $logfile $error[0]
        Write-Host $errorstring $error[0]      
    }
}

ac $logfile "Script finished"
Write-Host "Job Finished"
Pause
Exit
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

12 Comments
Most Voted
Newest Oldest
Inline Feedbacks
View all comments
Hendrik Hirsch
Hendrik Hirsch
7 years ago

Hey Jos, I wonder if there is a script to revoke the suer permissions again. In case anyone did it for the wrong user, or just wnat to change the user. Looking forward to hear from you. Cheers
Hendrik

4
Reply
View Replies (1)
trackback
Exporting ALL file info in O365 (Sharepoint, Teams, Onedrive, Groups) | Liebensraum
4 years ago

[…] that your admin account does have to have permissions on all sources the script […]

0
Reply
trackback
Max Path Length in Sharepoint Online, Onedrive for Business and Teams | Liebensraum
4 years ago

[…] If satisfied, set permissions for your admin account on the actual production sites your wish to fix (script for Onedrive Mass Permissions here) […]

0
Reply
Peter Mercer
Peter Mercer
5 years ago

This script is great almost 4 years later! Even after Microsoft released their SharePoint migration tool they didn’t give good guidance on setting these permissions. This script is very easy to use and makes migrations much easier.

0
Reply
Antoine
Antoine
5 years ago

Hi, I know it’s been a long time since you wrote this but I have problem using the script.
In our compagny we enable MFA and when I try to build the Proxy I get an error : The sign-in name or password does not match one in the Microsoft account system. I know I have the good password/username. I think this error came from the MFA authentification. Can you help ?

0
Reply
View Replies (2)
jaffer
jaffer
7 years ago

do we need to be a global administrator to accomplish the one drive provisioning ?

0
Reply
View Replies (1)
Steve
Steve
8 years ago

This works.
I consider this good practice for OFB admins, although you rarely need to enter staff and student areas. Being able to add documents or folders, bulk is worth it.
I had no errors. Run perfectly. 1400 clients.

0
Reply
trackback
Provisioning Onedrive for Business for all your users | Liebensraum
8 years ago

[…] forget to set administrative permissions on all accounts afterwards, if you intend to migrate data there for your […]

0
Reply