OneDrive for Business Admin Tool

  • Article

Update: I've also added some new features, detailed in https://blogs.technet.microsoft.com/undocumentedfeatures/2017/10/16/recovering-from-crypto-or-ransomware-attacks-with-the-onedrive-for-business-admin-tool/.

While updating a script I wrote to remove the "Shared with Everyone" folder in OneDrive for business, it dawned on me that there are a number of bulk management tasks for OneDrive that are not easy to do, that we don't have specific guidance on, or only have little bits of information scattered around the interwebs.

So, to help alleviate some of the headache in managing large OneDrive for Business collections, I've put together a general management tool that I'll be adding more features to in the coming days and weeks.

The core features of the tool at this point:

  • Grant secondary site admin permission to a user or group
  • Revoke secondary site admin permission from a user or group
  • Provision a new folder in the 'Documents' library
  • Delete a folder from the 'Documents' library
  • Block access to log into a OneDrive site

To use the tool, you'll need the SharePoint Client Components SDK as well as the SharePoint Online Management Shell.  I've included a basic check in the script to download and install those components if you don't already have them, but you can save yourself some time by making sure you already have them installed.

Now, on to the tool!

Like most of the scripts and tools I develop, I try to add comment-based help, so that if I don't get to the point where I make a blog about the tool, at least you'll be able to figure it out.  There are a bunch of parameters, so we'll just dive right into them.

BlockAccess

The BlockAccess parameter enables you to block or unblock access to an already-provisioned OneDrive for Business site.  It's a validated parameter, and translates to -AccessState NoAccess for Block and -AccessState Unlock for Unblock.

Confirm

This switch parameter is only used with the FolderToDelete parameter, since it involves potential deletion of data.

Credential

This is a credential object that will be used for one or more parts: connecting to SharePoint Online, granting permissions (if no value is specified in GrantPermissionsTo), and revoking permissions (if no value is specified in RevokePermissionsFor).

FolderToAdd

If you want to deploy a particular folder to OneDrive for Business sites, you can do this using the FolderToAdd parameter.  The folder is created under the Documents root.

FolderToDelete

If you want to delete a particular folder from OneDrive for Business sites, you can do this using the FolderToDelete parameter.  It was originally implemented for a customer that wanted to remove the "Shared with Everyone" default folder.

GrantPermissions

If you are tasked with administering or delegating eDiscovery rights, you'll find that you need to delegate secondary site administrator permission to eDiscovery users.  You can do this for all new OneDrive sites going forward by changing the defaults in the SharePoint Online Admin Center, but what do you do if all of your OneDrive sites have already been provisioned?

This. This is what you do.

This parameter uses the value in GrantPermissionsTo if present; otherwise, it uses the value stored in the credential.

GrantPermissionsTo

Use this parameter to specify the user or group to whom you want to grant secondary site administrator permissions.

Identity

The identity parameter allows you to specify an address of a user whose OneDrive site you want to modify.

InputFile

The InputFile parameter can be used to specify a list of users whose OneDrive sites will be modified.  If no users are specified, then the script will enumerate all provisioned users.

Logfile

You should already know what this does.

RevokePermissions

If you need to revoke secondary site administrator privileges, you can use this parameter.  If no value is specified in RevokePermissionsFor, then the value in the credential is used.

RevokePermissionsFor

Use this parameter to specify an address whose secondary site collection administrator permissions you want to remove.

Tenant

Specify the tenant name (either as 'contoso' or 'contoso.onmicrosoft.com') to use for connecting to SharePoint online and creating the My Sites and Admin Sites URLs.  It's required.

If you missed the link earlier, you can get it here: https://gallery.technet.microsoft.com/OneDrive-for-Business-Tools-dfb52a4c.