Using PnP.PowerShell to Manage OneDrive Account Ownership: A Complete Guide

Welcome to our PowerShell blog! In the world of cloud storage, OneDrive stands out as a key service for personal and professional file management. For administrators managing Office 365, the ability to programmatically adjust ownership of OneDrive accounts is essential. This is where the PnP.PowerShell module shines, offering a suite of cmdlets specifically for Office 365 administrators. Let’s explore how to use this module to add an owner to an existing OneDrive account.

What is PnP.PowerShell?

PnP.PowerShell is an open-source module that provides PowerShell cmdlets for SharePoint Patterns and Practices (PnP). These practices are aimed at facilitating tasks related to SharePoint and OneDrive, such as site provisioning, content management, and, importantly, security and permissions management.

Prerequisites

Before you begin, ensure you have the following:

  1. Admin Rights: You need administrative privileges on the Office 365 tenant.
  2. PnP.PowerShell Module: Install the module using Install-Module -Name PnP.PowerShell.
  3. OneDrive URL: The URL of the OneDrive account where you want to add an owner. It has the form “https://yourtenant-my.sharepoint.com/personal/username_yourtenant_com”. The username_yourtenant_com segment is the user’s UserPrincipalName (for example j.doe@yourtenant.com) with every period and the @ symbol replaced by an underscore (_), which gives j_doe_yourtenant_com.

Examples

Connecting to SharePoint Online

To interact with OneDrive, you first need to connect to SharePoint Online, as OneDrive for Business is essentially a specialized SharePoint site.

Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Credentials (Get-Credential)

This cmdlet establishes a connection to SharePoint Online at the root of the tenancy, prompting you for credentials. Replace “yourtenant” with your tenant name. You can find the name by opening the SharePoint admin center for your tenant: go to the Office 365 Admin Center (https://admin.microsoft.com), under Admin centers click Show all, then click SharePoint admin center. The resulting URL has the form https://[your tenant name]-admin.sharepoint.com. To actually change ownership of a OneDrive for Business site, you need to connect to that user’s personal SharePoint site rather than the admin site.

Connect-PnPOnline -Url "https://yourtenant-my.sharepoint.com/personal/username_yourtenant_com" -Credentials (Get-Credential)

Another way to connect to SharePoint Online is to use an application registration in Azure together with a certificate, which is the usual choice for unattended scripts.

Adding an Owner to an Existing OneDrive Account

You need to connect to that user’s OneDrive site with Connect-PnPOnline and then run Add-PnPSiteCollectionAdmin.

#Requires -Version 7

$oneDriveUrl = "https://yourtenant-my.sharepoint.com/personal/username_yourtenant_com"
$newOwners = @("user@yourtenant.com","user2@yourtenant.com") # must be an array and must be the UserPrincipalName for each account in O365.

Connect-PnPOnline -Url $oneDriveUrl -Credentials (Get-Credential)

<#
  If you are using an automated connection with an Application Registration and Certificate
  then use these parameters instead. The values below are placeholders and must be strings.

$ConnectParams = @{
  Thumbprint = "0000000000000000000000000000000000000000" # thumbprint of the certificate.
  Tenant     = "00000000-0000-0000-0000-000000000000"     # Tenant ID (or tenant domain) of your tenant.
  ClientId   = "00000000-0000-0000-0000-000000000000"     # Application (client) ID of the app registration in Azure.
}
Connect-PnPOnline @ConnectParams -Url $oneDriveUrl
#>

# Add new owners; the value must be an array.
Add-PnPSiteCollectionAdmin -Owners $newOwners

# Show the current owners (site collection administrators) of the OneDrive site.
Get-PnPSiteCollectionAdmin | Select-Object Title, Email, IsSiteAdmin | Format-Table -AutoSize

# Remove the owners that were added above.
Remove-PnPSiteCollectionAdmin -Owners $newOwners

This example adds the new owners to the specified OneDrive account. It also includes the code to display the current owners and to remove the owners that were just added.

OneDrive Ownership Defaults

If a user’s manager is specified in Microsoft Entra ID, that manager is automatically given access to the user’s OneDrive when the user is disabled. You can also configure automatic access delegation by modifying your tenant’s settings. See https://learn.microsoft.com/en-us/sharepoint/retention-and-deletion and follow the section Configure automatic access delegation for details. A quick path to those tenant settings is as follows.

  • Sign in to the O365 Admin Center: https://admin.microsoft.com
  • On the left menu, under Admin centers, click … Show all
  • Click SharePoint admin center
  • You may have to click More features, then click the Open button under User Profiles
  • Click the Setup My Sites link under My Site Settings
  • Next to My Site Cleanup, tick the Enable access delegation checkbox
  • You can also specify any of the other settings at this point

Best Practices

  1. Validation: Always validate the OneDrive URL and user identities before making changes.
  2. Logging: Implement logging for all changes made, ensuring you have an audit trail.
  3. Error Handling: Use try/catch blocks to manage errors and provide clear messages if something goes wrong.
  4. Least Privilege: Only assign ownership to users who genuinely need it.
  5. Testing: Test scripts in a controlled environment before applying them to production.
  6. Batch Processing: When updating multiple accounts, consider batch processing and throttling to avoid service interruptions.
  7. Documentation: Document the purpose of the script and each operation within it for future reference.
  8. Secure Credentials: Use secure methods for handling credentials, such as Azure Key Vault or Windows Credential Manager.
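The following script is an added example (not code from the original post or from the PnP project) that applies the URL rule from the Prerequisites and several of the best practices above: it validates each UPN before deriving the personal site URL, connects with an app registration and certificate, wraps the change in try/catch, confirms the result with Get-PnPSiteCollectionAdmin, and appends an audit line to a log file. The tenant name, ClientId, Thumbprint and log path are placeholders you must replace.

```powershell
#Requires -Version 7
#Requires -Modules PnP.PowerShell

# Placeholder tenant values (assumptions, not from the original post).
$Tenant    = "yourtenant"
$AppParams = @{
    ClientId   = "<app-registration-client-id>"   # placeholder
    Tenant     = "$Tenant.onmicrosoft.com"        # tenant domain or tenant ID
    Thumbprint = "<certificate-thumbprint>"       # placeholder
}
$LogFile = Join-Path $HOME "onedrive-owner-changes.log"

function ConvertTo-OneDriveUrl {
    # Derive the personal site URL from a UPN: periods and '@' become underscores.
    param([Parameter(Mandatory)][string]$UserPrincipalName,
          [Parameter(Mandatory)][string]$TenantName)
    if ($UserPrincipalName -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        throw "Not a valid UserPrincipalName: $UserPrincipalName"
    }
    $segment = $UserPrincipalName -replace '[.@]', '_'
    return "https://$TenantName-my.sharepoint.com/personal/$segment"
}

function Write-ChangeLog {
    param([Parameter(Mandatory)][string]$Message)
    "$(Get-Date -Format o) $env:USERNAME $Message" | Add-Content -Path $LogFile
}

function Add-OneDriveOwner {
    param([Parameter(Mandatory)][string]$TargetUpn,
          [Parameter(Mandatory)][string[]]$NewOwners)
    $url = ConvertTo-OneDriveUrl -UserPrincipalName $TargetUpn -TenantName $Tenant
    # Validate the format of every new owner UPN before touching the tenant.
    foreach ($o in $NewOwners) { $null = ConvertTo-OneDriveUrl -UserPrincipalName $o -TenantName $Tenant }
    try {
        Connect-PnPOnline -Url $url @AppParams
        Add-PnPSiteCollectionAdmin -Owners $NewOwners
        # Confirm the change by reading back the site collection admins.
        $admins  = Get-PnPSiteCollectionAdmin | Select-Object -ExpandProperty Email
        $missing = $NewOwners | Where-Object { $_ -notin $admins }
        if ($missing) { throw "Owner(s) not confirmed on $url : $($missing -join ', ')" }
        Write-ChangeLog "ADDED $($NewOwners -join ',') TO $url"
    }
    catch {
        Write-ChangeLog "FAILED $($NewOwners -join ',') TO $url : $($_.Exception.Message)"
        throw
    }
    finally { try { Disconnect-PnPOnline } catch { } }
}

Add-OneDriveOwner -TargetUpn "j.doe@yourtenant.com" -NewOwners @("manager@yourtenant.com")
```

The read-back check is what turns the script into an audit trail: the log records only owners that the tenant actually reports as site collection administrators.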

Conclusion

The PnP.PowerShell module is an invaluable tool for Office 365 administrators, enabling efficient and automated management of OneDrive account permissions. By following the steps and best practices outlined above, you can seamlessly add owners to OneDrive accounts, ensuring the right people have the appropriate level of access.


Disclaimer: Modifying account ownership can have significant security and privacy implications. Ensure you have the proper authorization before proceeding with any changes.


Stay tuned for more PowerShell tips and tutorials that help streamline your administrative tasks in Office 365!
