Script Repository


Grant full access to user OneDrive

June 22, 2021
1715

The script grants full access to OneDrive of a user to their manager and additional trustees specified in a DN syntax property of the user. The script can be used in a business rule, custom command or scheduled task configured for User object type.

For the script to work you will need to install a certificate for connection to SharePoint Online on the computer where Adaxes service runs. To do so:

  1. Create a certificate using the New-PnPAzureCertificate cmdlet.
  2. Assign the certificate to the Azure application whose credentials were used to register your Microsoft 365 tenant in Adaxes.
  3. Grant Azure application access to SharePoint and corresponding users (i.e. Sites.FullControl.All and User.Read.All).
  4. Install the certificate on the computer where Adaxes service runs.

Parameters:

  • $attributeName - Specifies the LDAP name of the DN syntax property that stores accounts that will also gain permissions to user OneDrive.
  • $certificateThumbprint - Specifies the Thumbprint of the certificate that will be used to connect to SharePoint Online. For information on how to retrieve the Thumbprint, see How to: Retrieve the Thumbprint of a Certificate.
  • $usernameMicrosoft365PropertyName - Specifies the LDAP name of the property that stores the value used to sign in to Microsoft 365 (Office 365).
  • $tenantName - Specifies the name of the Microsoft 365 tenant associated with the user. For information on how to check the tenant, see View Microsoft 365 tenant for a user.
  • $adminURL - Specifies the URL of the SharePoint admin center.
Edit Remove
PowerShell
$attributeName = "seeAlso" # TODO: modify me
$certificateThumbprint = "9BCE7405DD63FD8DE7486FDD32D111667197BB8E" # TODO: modify me
$usernameMicrosoft365PropertyName = "userPrincipalName" # TODO: modify me
$tenantName = "MyTenant" # TODO: modify me
$adminURL = "https://$tenantName-admin.sharepoint.com" # TODO: modify me

# Get Microsoft 365 username
try
{
    $usernameMicrosoft365 = $Context.TargetObject.Get($usernameMicrosoft365PropertyName)
}
catch
{
    $Context.LogMessage("Property $usernameMicrosoft365PropertyName is empty for user %fullname%.", "Warning")
    return
}

$userDNs = @()
try
{
    # Get manager of the user
    $managerDN = $Context.TargetObject.Get("manager")
    $userDNs += $managerDN
}
catch
{
    $Context.LogMessage("The user %fullname% has no manager.", "Warning")
}

try
{
    # Get other users to gain permissions
    $values = $Context.TargetObject.GetEx($attributeName)
    $values | %%{$userDNs += $_}
}
catch
{
    $Context.LogMessage("No additional delegates are specified.", "Warning")
}

if ($userDNs.Length -eq 0)
{
    return
}

# Build OneDrive URL
$charsToReplace = @(".", "@")
$charsToReplace | %%{$usernameMicrosoft365 = $usernameMicrosoft365.Replace($_, "_")}
$oneDriveSiteURL = "https://$tenantName-my.sharepoint.com/personal/$usernameMicrosoft365"

# Connecto to SharePoint Online
$tenant = $Context.CloudServices.GetO365Tenant()
$credential = $tenant.GetCredential()

try
{
    $connection = Connect-PnPOnline -Url $adminURL -ClientId $credential.AppId -Thumbprint $certificateThumbprint -Tenant "$tenantName`.onmicrosoft.com" -ReturnConnection
    
    # Add permissions
    foreach ($dn in $userDNs)
    {
        $user = $Context.BindToObjectByDN($dn)
        try
        {
            $userID = $user.Get($usernameMicrosoft365PropertyName)
        }
        catch
        {
            $Context.LogMessage("Property $usernameMicrosoft365PropertyName is empty for user with DN '$dn'.", "Warning")
            continue
        }
        
        try
        {
            $profile = Get-PnPUserProfileProperty -Account $userID -ErrorAction Stop
        }
        catch
        {
            $Context.LogMessage("An error occured when getting profile for $userID. Error: " + $_.Exception.Message, "Warning")
            continue
        }
        
        try
        {
            Set-PnPTenantSite -Identity $oneDriveSiteURL -Owners $profile.AccountName -ErrorAction Stop
        }
        catch
        {
            $Context.LogMessage("An error occured when adding permission for $userName. Error: " + $_.Exception.Message, "Warning")
        }
    }
}
finally
{
    # Close the connection and release resources
    if ($connection) { Disconnect-PnPOnline -Connection $connection }
}

Comments ( 4 )
avatar
Adam
Nov 18, 2020
I don't quite get what $attributename is supposed to be?

I also get an unathenticated error when I try to run the script which is the same as what this site says https://www.sharepointdiary.com/2019/06/cannot-contact-website-url-web-site-does-not-support-sharepoint-online-credentials-response-status-code-unauthorized.html
avatar
Support
Nov 19, 2020
Hello Adam,

>I don't quite get what $attributename is supposed to be?

The $attributeName variable should contain the LDAP name of a DN-syntax attribute (e.g. seeAlso, secretary, or assistant). The attribute should store distinguished names (DNs) of the accounts that will also gain permissions over the user’s One Drive.

>I also get an unathenticated error when I try to run the script which is the same as what this site says https://www.sharepointdiary.com/2019/06/cannot-contact-website-url-web-site-does-not-support-sharepoint-online-credentials-response-status-code-unauthorized.html

Could you, please, confirm that access for applications that do not use modern authentication is allowed in the settings of your tenant? To do so:
  1. Open SharePoint admin center of your tenant.
  2. Expand Policies and click Access control.
  3. Click Apps that don't use modern authentication.
  4. Take a screenshot and send it to us (support[at]softerra.com).
avatar
Sheila
Nov 04, 2021
Attempts to run the script return the following error " Cannot bind argument to parameter "ClientID" because it is null. Stack trace: at <ScriptBlock>,<No file>: line 57.

In line 57 -ClientID is $credential.AppID
$credential = $tenant.GetCredential()

I am not sure what I am missing, but the script is not pulling the $tenant. The $attribute variable is set to "seeAlso", the $certificateThumprint is in place on the adaxes servers and assigned to the app in Azure AD with the permissions for Sharepoint online, the $usernameMicrosoft365Property name is set to the userprincipalname and the $tenantName is set to our domain name we use to connect to xxxxx-admin.sharepoint.com
avatar
Support
Nov 04, 2021
Hello Sheila,

The script can only work when your Microsoft 365 tenant is registered in Adaxes using an Azure app. For information on how to do that, see https://www.adaxes.com/help/RegisterAdaxesAsAppMicrosoftAzure. For your information, performing the changes will also require updating all the scripts that establish connection to Exchange Online or Microsoft 365.
Leave a comment

Related Scripts