OneDrive for Business Admin Tool


Update: I’ve also added some new features, detailed in https://www.undocumented-features.com/2017/10/16/recovering-from-crypto-or-ransomware-attacks-with-the-onedrive-for-business-admin-tool/.

While updating a script I wrote to remove the “Shared with Everyone” folder in OneDrive for Business, it dawned on me that there are a number of bulk management tasks for OneDrive that are not easy to do, that we don’t have specific guidance on, or that only have little bits of information scattered around the interwebs.

So, to help alleviate some of the headache in managing large OneDrive for Business collections, I’ve put together a general management tool that I’ll be adding more features to in the coming days and weeks.

The core features of the tool at this point:

  • Grant secondary site admin permission to a user or group
  • Revoke secondary site admin permission from a user or group
  • Provision a new folder in the ‘Documents’ library
  • Delete a folder from the ‘Documents’ library
  • Block access to log into a OneDrive site

To use the tool, you’ll need the SharePoint Client Components SDK as well as the SharePoint Online Management Shell.  I’ve included a basic check in the script to download and install those components if you don’t already have them, but you can save yourself some time by making sure you already have them installed.

Now, on to the tool!

Like most of the scripts and tools I develop, I try to add comment-based help, so that if I don’t get to the point where I make a blog about the tool, at least you’ll be able to figure it out.  There are a bunch of parameters, so we’ll just dive right into them.

BlockAccess

The BlockAccess parameter enables you to block or unblock access to an already-provisioned OneDrive for Business site.  It’s a validated parameter, and translates to -AccessState NoAccess for Block and -AccessState Unlock for Unblock.

Confirm

This switch parameter is only used with the FolderToDelete parameter, since it involves potential deletion of data.

Credential

This is a credential object that will be used for one or more parts: connecting to SharePoint Online, granting permissions (if no value is specified in GrantPermissionsTo), and revoking permissions (if no value is specified in RevokePermissionsFor).

FolderToAdd

If you want to deploy a particular folder to OneDrive for Business sites, you can do this using the FolderToAdd parameter.  The folder is created under the Documents root.

FolderToDelete

If you want to delete a particular folder from OneDrive for Business sites, you can do this using the FolderToDelete parameter.  It was originally implemented for a customer that wanted to remove the “Shared with Everyone” default folder.

GrantPermissions

If you are tasked with administering or delegating eDiscovery rights, you’ll find that you need to delegate secondary site administrator permission to eDiscovery users.  You can do this for all new OneDrive sites going forward by changing the defaults in the SharePoint Online Admin Center, but what do you do if all of your OneDrive sites have already been provisioned?

This. This is what you do.

This parameter uses the value in GrantPermissionsTo if present; otherwise, it uses the value stored in the credential.

GrantPermissionsTo

Use this parameter to specify the user or group to whom you want to grant secondary site administrator permissions.

Identity

The Identity parameter allows you to specify the address of a user whose OneDrive site you want to modify.

InputFile

The InputFile parameter can be used to specify a list of users whose OneDrive sites will be modified.  If no users are specified, then the script will enumerate all provisioned users.

Logfile

You should already know what this does.

RevokePermissions

If you need to revoke secondary site administrator privileges, you can use this parameter.  If no value is specified in RevokePermissionsFor, then the value in the credential is used.

RevokePermissionsFor

Use this parameter to specify an address whose secondary site collection administrator permissions you want to remove.

Tenant

Specify the tenant name (either as ‘contoso’ or ‘contoso.onmicrosoft.com’) to use for connecting to SharePoint Online and creating the My Sites and Admin Sites URLs.  It’s required.
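The grant and revoke operations described under GrantPermissions and RevokePermissions, together with the tenant-name handling above, can be sketched directly with the SharePoint Online Management Shell cmdlets. This is an added example, not code from the tool; the function name, its parameters, and the sample addresses are hypothetical, and the personal-site URL is built on the assumption that the tenant uses the default naming (the owner's address with non-alphanumeric characters replaced by underscores).

```powershell
# Added example, not the tool's own code. Needs the SharePoint Online Management Shell.
function Set-OneDriveSecondaryAdmin {            # hypothetical name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Tenant,     # 'contoso' or 'contoso.onmicrosoft.com'
        [Parameter(Mandatory)][string[]]$Owner,    # addresses of the OneDrive owners
        [Parameter(Mandatory)][string]$Admin,      # user or group being granted or revoked
        [Parameter(Mandatory)][ValidateSet('Grant','Revoke')][string]$Action,
        [Parameter(Mandatory)][pscredential]$Credential
    )

    # Accept either tenant form, then derive the Admin and My Sites hosts.
    $name     = ($Tenant -split '\.')[0]
    $adminUrl = "https://$name-admin.sharepoint.com"
    $myUrl    = "https://$name-my.sharepoint.com"
    Connect-SPOService -Url $adminUrl -Credential $Credential

    $wantAdmin = ($Action -eq 'Grant')
    foreach ($upn in $Owner) {
        # Assumption: default personal-site naming (user@contoso.com -> user_contoso_com).
        $site = "$myUrl/personal/" + ($upn -replace '[^a-zA-Z0-9]', '_')
        $row  = [ordered]@{
            Site = $site; Admin = $Admin; Action = $Action
            IsSiteAdmin = $null; Error = $null
        }
        try {
            if ($PSCmdlet.ShouldProcess($site, "$Action site collection admin for $Admin")) {
                Set-SPOUser -Site $site -LoginName $Admin `
                    -IsSiteCollectionAdmin $wantAdmin -ErrorAction Stop | Out-Null
            }
            # Read the state back instead of trusting the write.
            $row.IsSiteAdmin = (Get-SPOUser -Site $site -LoginName $Admin -ErrorAction Stop).IsSiteAdmin
        }
        catch {
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row                       # one audit row per site
    }
}

# Constructed usage; the tenant, file name and addresses are placeholders:
# Set-OneDriveSecondaryAdmin -Tenant contoso -Owner (Get-Content .\users.txt) `
#     -Admin ediscovery@contoso.com -Action Grant -Credential (Get-Credential) |
#     Export-Csv .\secondary-admin-log.csv -NoTypeInformation
```

Running it with -WhatIf skips the change and reports the current state of each site, and any row whose IsSiteAdmin value does not match the requested action, or whose Error column is populated, needs follow-up. Keep the exported CSV with the eDiscovery case so the matching Revoke run can be checked against it.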

If you missed the link earlier, you can get it here: https://gallery.technet.microsoft.com/OneDrive-for-Business-Tools-dfb52a4c.

Reader Comments

  1. Hello, wonderful tool. Working at corporate scale, I face issues with the SharePoint Online list view limitation:
    “Exception calling “ExecuteQuery” with “0” argument(s): “The attempted operation is prohibited because it exceeds the list view threshold enforced by the administrator.” I saw that there is no workaround for this, as it’s a cloud-based setting that is not going to be changed. There is a guy (http://www.sharepointdiary.com/2017/10/sharepoint-online-fix-attempted-operation-is-prohibited-because-it-exceeds-list-view-threshold.html) who uses batches to work around this issue. Can you include this in your wonderful tool? Thanks!

  2. Hi,
    Would this script be able to remove the EveryoneExceptExternalUsers group from all files and folders in the tenant (OneDrives)?
    Also, is it able to report on the number or list of files / folders that currently have EveryoneExceptExternalUsers set to have permissions?
    We have noticed a lot of users had been using this group to set permissions (now the claim has been disabled), so we are wanting to report on its use and potentially remove it.

    Kind Regards,

    1. This script by itself doesn’t currently have the capability to remove a security principal from the ACL (only site collection administrator).

      I don’t think it would be too hard to add. I’ll start looking into it.
