The script grants full access to a user's OneDrive to their manager and to any additional trustees listed in a DN syntax property of the user. The script can be used in a business rule, custom command or scheduled task configured for the User object type.
For the script to work you will need to install a certificate for connection to SharePoint Online on the computer where Adaxes service runs. To do so:
- Create a certificate using the New-PnPAzureCertificate cmdlet.
- Assign the certificate to the Azure application whose credentials were used to register your Microsoft 365 tenant in Adaxes.
- Grant the Azure application the permissions it needs for SharePoint and for reading users (i.e. Sites.FullControl.All and User.Read.All).
- Install the certificate on the computer where Adaxes service runs.
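The four steps above, carried out and verified in one session. This is an added example, not part of the original script or of Adaxes' documentation; the output folder, certificate name, validity period and the `Thumbprint` property of the object returned by New-PnPAzureCertificate are assumptions.

```powershell
# Added example: create, install and verify the certificate the script uses to
# connect to SharePoint Online. Folder, name and validity period are assumptions.
Import-Module PnP.PowerShell

$outDir  = "C:\Temp\AdaxesPnP"   # assumption: any folder writable by the admin running this
$pfxPass = Read-Host -AsSecureString -Prompt "PFX password"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Create the certificate: private key goes to the PFX, public key to the CER.
$cert = New-PnPAzureCertificate -CommonName "Adaxes OneDrive delegation" `
    -OutPfx "$outDir\adaxes-pnp.pfx" -OutCert "$outDir\adaxes-pnp.cer" `
    -CertificatePassword $pfxPass -ValidYears 2
# Assumption: the returned object exposes the thumbprint as .Thumbprint
Write-Host "Value for `$certificateThumbprint in the script: $($cert.Thumbprint)"

# 2./3. Upload adaxes-pnp.cer to the Azure app registration used for the Adaxes
#       tenant registration, grant Sites.FullControl.All and User.Read.All and
#       give admin consent (done in the Azure portal, not scripted here).

# 4. Install the PFX into the machine store on the computer running the Adaxes service.
Import-PfxCertificate -FilePath "$outDir\adaxes-pnp.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPass | Out-Null

# Verify before relying on it: the script can only authenticate if the certificate
# is present in LocalMachine\My together with its private key and is not expiring.
$installed = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $installed)               { throw "Certificate not found in Cert:\LocalMachine\My" }
if (-not $installed.HasPrivateKey) { throw "Certificate has no private key; re-import the PFX" }
if ($installed.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires within 30 days" }

# Do not leave the private key on disk once it is in the store.
Remove-Item "$outDir\adaxes-pnp.pfx"
```

If the Adaxes service runs under a dedicated service account rather than Local System, that account also needs read access to the private key in the machine store, otherwise Connect-PnPOnline fails even though the thumbprint is correct.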
Parameters:
- $attributeName - Specifies the LDAP name of the DN syntax property that stores accounts that will also gain permissions to user OneDrive.
- $certificateThumbprint - Specifies the Thumbprint of the certificate that will be used to connect to SharePoint Online. For information on how to retrieve the Thumbprint, see How to: Retrieve the Thumbprint of a Certificate.
- $usernameMicrosoft365PropertyName - Specifies the LDAP name of the property that stores the value used to sign in to Microsoft 365 (Office 365).
- $tenantName - Specifies the name of the Microsoft 365 tenant associated with the user. For information on how to check the tenant, see View Microsoft 365 tenant for a user.
- $adminURL - Specifies the URL of the SharePoint admin center.
PowerShell
$attributeName = "seeAlso" # TODO: modify me
$certificateThumbprint = "9BCE7405DD63FD8DE7486FDD32D111667197BB8E" # TODO: modify me
$usernameMicrosoft365PropertyName = "userPrincipalName" # TODO: modify me
$tenantName = "MyTenant" # TODO: modify me
$adminURL = "https://$tenantName-admin.sharepoint.com" # TODO: modify me

# Get Microsoft 365 username
try
{
    $usernameMicrosoft365 = $Context.TargetObject.Get($usernameMicrosoft365PropertyName)
}
catch
{
    $Context.LogMessage("Property $usernameMicrosoft365PropertyName is empty for user %fullname%.", "Warning")
    return
}

$userDNs = @()
try
{
    # Get manager of the user
    $managerDN = $Context.TargetObject.Get("manager")
    $userDNs += $managerDN
}
catch
{
    $Context.LogMessage("The user %fullname% has no manager.", "Warning")
}

try
{
    # Get other users to gain permissions (GetEx returns every value of the multi-valued property)
    $values = $Context.TargetObject.GetEx($attributeName)
    $values | ForEach-Object { $userDNs += $_ }
}
catch
{
    $Context.LogMessage("No additional delegates are specified.", "Warning")
}

if ($userDNs.Length -eq 0)
{
    return
}

# Build OneDrive URL: the personal site name is the sign-in name with "." and "@" replaced by "_"
$charsToReplace = @(".", "@")
$charsToReplace | ForEach-Object { $usernameMicrosoft365 = $usernameMicrosoft365.Replace($_, "_") }
$oneDriveSiteURL = "https://$tenantName-my.sharepoint.com/personal/$usernameMicrosoft365"

# Connect to SharePoint Online with the certificate assigned to the Azure app registered in Adaxes
$tenant = $Context.CloudServices.GetO365Tenant()
$credential = $tenant.GetCredential()
try
{
    $connection = Connect-PnPOnline -Url $adminURL -ClientId $credential.AppId -Thumbprint $certificateThumbprint -Tenant "$tenantName`.onmicrosoft.com" -ReturnConnection

    # Add permissions
    foreach ($dn in $userDNs)
    {
        $user = $Context.BindToObjectByDN($dn)
        try
        {
            $userID = $user.Get($usernameMicrosoft365PropertyName)
        }
        catch
        {
            $Context.LogMessage("Property $usernameMicrosoft365PropertyName is empty for user with DN '$dn'.", "Warning")
            continue
        }

        # Resolve the sign-in name to the SharePoint account name (claims-encoded) expected by -Owners
        try
        {
            $profile = Get-PnPUserProfileProperty -Account $userID -Connection $connection -ErrorAction Stop
        }
        catch
        {
            $Context.LogMessage("An error occurred when getting profile for $userID. Error: " + $_.Exception.Message, "Warning")
            continue
        }

        # Make the delegate a site collection owner of the OneDrive site (full control)
        try
        {
            Set-PnPTenantSite -Identity $oneDriveSiteURL -Owners $profile.AccountName -Connection $connection -ErrorAction Stop
        }
        catch
        {
            $Context.LogMessage("An error occurred when adding permission for $userID. Error: " + $_.Exception.Message, "Warning")
        }
    }
}
finally
{
    # Close the connection and release resources
    if ($connection) { Disconnect-PnPOnline -Connection $connection }
}
I also get an unauthenticated error when I try to run the script, which is the same as what this site says: https://www.sharepointdiary.com/2019/06/cannot-contact-website-url-web-site-does-not-support-sharepoint-online-credentials-response-status-code-unauthorized.html
>I don't quite get what $attributename is supposed to be?
The $attributeName variable should contain the LDAP name of a DN-syntax attribute (e.g. seeAlso, secretary, or assistant). The attribute should store distinguished names (DNs) of the accounts that will also gain permissions over the user's OneDrive.
>I also get an unauthenticated error when I try to run the script, which is the same as what this site says: https://www.sharepointdiary.com/2019/06/cannot-contact-website-url-web-site-does-not-support-sharepoint-online-credentials-response-status-code-unauthorized.html
Could you, please, confirm that access for applications that do not use modern authentication is allowed in the settings of your tenant? To do so:
In line 57 -ClientID is $credential.AppID
$credential = $tenant.GetCredential()
I am not sure what I am missing, but the script is not pulling the $tenant. The $attributeName variable is set to "seeAlso", the $certificateThumbprint is in place on the Adaxes servers and assigned to the app in Azure AD with the permissions for SharePoint Online, the $usernameMicrosoft365PropertyName is set to userPrincipalName, and the $tenantName is set to the domain name we use to connect to xxxxx-admin.sharepoint.com.
The script can only work when your Microsoft 365 tenant is registered in Adaxes using an Azure app. For information on how to do that, see https://www.adaxes.com/help/RegisterAdaxesAsAppMicrosoftAzure. For your information, performing the changes will also require updating all the scripts that establish connection to Exchange Online or Microsoft 365.