OneDrive for Business Admin Tool
Update: I've also added some new features, detailed in https://blogs.technet.microsoft.com/undocumentedfeatures/2017/10/16/recovering-from-crypto-or-ransomware-attacks-with-the-onedrive-for-business-admin-tool/.
While updating a script I wrote to remove the "Shared with Everyone" folder in OneDrive for business, it dawned on me that there are a number of bulk management tasks for OneDrive that are not easy to do, that we don't have specific guidance on, or only have little bits of information scattered around the interwebs.
So, to help alleviate some of the headache in managing large OneDrive for Business collections, I've put together a general management tool that I'll be adding more features to in the coming days and weeks.
The core features of the tool at this point:
- Grant secondary site admin permission to a user or group
- Revoke secondary site admin permission from a user or group
- Provision a new folder in the 'Documents' library
- Delete a folder from the 'Documents' library
- Block access to log into a OneDrive site
To use the tool, you'll need the SharePoint Client Components SDK as well as the SharePoint Online Management Shell. I've included a basic check in the script to download and install those components if you don't already have them, but you can save yourself some time by making sure you already have them installed.
Now, on to the tool!
Like most of the scripts and tools I develop, I try to add comment-based help, so that if I don't get to the point where I make a blog about the tool, at least you'll be able to figure it out. There are a bunch of parameters, so we'll just dive right into them.
BlockAccess
The BlockAccess parameter enables you to block or unblock access to an already-provisioned OneDrive for Business site. It's a validated parameter, and translates to -AccessState NoAccess for Block and -AccessState Unlock for Unblock.
Confirm
This switch parameter is only used with the FolderToDelete parameter, since it involves potential deletion of data.
Credential
This is a credential object that will be used for one or more parts: connecting to SharePoint Online, granting permissions (if no value is specified in GrantPermissionsTo), and revoking permissions (if no value is specified in RevokePermissionsFor).
FolderToAdd
If you want to deploy a particular folder to OneDrive for Business sites, you can do this using the FolderToAdd parameter. The folder is created under the Documents root.
FolderToDelete
If you want to delete a particular folder from OneDrive for Business sites, you can do this using the FolderToDelete parameter. It was originally implemented for a customer that wanted to remove the "Shared with Everyone" default folder.
GrantPermissions
If you are tasked with administering or delegating eDiscovery rights, you'll find that you need to delegate secondary site administrator permission to eDiscovery users. You can do this for all new OneDrive sites going forward by changing the defaults in the SharePoint Online Admin Center, but what do you do if all of your OneDrive sites have already been provisioned?
This. This is what you do.
This parameter uses the value in GrantPermissionsTo if present; otherwise, it uses the value stored in the credential.
GrantPermissionsTo
Use this parameter to specify the user or group to whom you want to grant secondary site administrator permissions.
Identity
The identity parameter allows you to specify an address of a user whose OneDrive site you want to modify.
InputFile
The InputFile parameter can be used to specify a list of users whose OneDrive sites will be modified. If no users are specified, then the script will enumerate all provisioned users.
Logfile
You should already know what this does.
RevokePermissions
If you need to revoke secondary site administrator privileges, you can use this parameter. If no value is specified in RevokePermissionsFor, then the value in the credential is used.
RevokePermissionsFor
Use this parameter to specify an address whose secondary site collection administrator permissions you want to remove.
Tenant
Specify the tenant name (either as 'contoso' or 'contoso.onmicrosoft.com') to use for connecting to SharePoint online and creating the My Sites and Admin Sites URLs. It's required.
If you missed the link earlier, you can get it here: https://gallery.technet.microsoft.com/OneDrive-for-Business-Tools-dfb52a4c.