Managing access to users' OneDrive accounts is crucial for maintaining security, ensuring that sensitive information is not improperly shared or accessed by unauthorized users. This PowerShell script automates the process of detecting and removing extra owners from OneDrive accounts using the Microsoft Graph API.
Script Overview
The script connects to Microsoft Graph using application permissions, retrieves users with assigned licenses, and checks if any additional (unauthorized) owners have been granted access to their OneDrive accounts. It then removes these extra owners to ensure that only the rightful owner maintains full control.
Requirements:
Before running this script, the following prerequisites must be met:
- App registration in Azure AD with the following Microsoft Graph API permissions:
  - Files.Read
  - Files.Read.All
  - Sites.Read.All
- Application permissions are required, not delegated permissions.
PowerShell Script Breakdown
1. Authentication and Microsoft Graph API Connection:
The script starts by connecting to Microsoft Graph using Connect-MgGraph, authenticating via a certificate. This ensures secure communication between the script and Microsoft Graph.
Connect-MgGraph -NoWelcome -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint
This connection provides access to the required Graph API resources, enabling the script to retrieve user information and OneDrive details.
2. Retrieving Users with Assigned Licenses:
The script retrieves all users who have assigned licenses using the Get-MgUser cmdlet. It filters out users who do not have any licenses.
$Users = Get-MgUser -All -Property Id,UserPrincipalName,AssignedLicenses |
Where-Object {($_.AssignedLicenses).count -gt 0}
This ensures that only licensed users with active OneDrive accounts are processed.
3. Checking OneDrive for Extra Owners:
For each user, the script attempts to retrieve their OneDrive instance and permissions. It checks if any additional users have been granted "owner" roles, which would indicate improper access.
$Drive = Get-MgUserDefaultDrive -UserId $DriveUserUPN -Property Owner,Id,WebUrl -ErrorAction Stop
$Permission = Get-MgUserDriveRootPermission -DriveId $Drive.Id -UserId $DriveUserUPN -Property GrantedTo,Id,Roles
$ExtraOwner = $Permission | Where-Object {$_.GrantedTo.User.Id -ne $DriveUserId -and $_.Roles -ccontains 'owner'}
If additional owners are detected, they are logged for removal.
4. Exporting the Results:
The script stores information about OneDrive instances with extra owners and exports the data to a CSV file for review.
$output | Export-Csv -Path "C:\Users\YourUsername\Downloads\onedrive-extraneous-owners.csv"
This step ensures that administrators can review the list of OneDrive accounts that require attention.
5. Removing Unauthorized Owners:
Once the extra owners have been identified, the script connects to each user's OneDrive site using PnP PowerShell
and removes the unauthorized owners from the Site Collection Administrators list.
Connect-PnPOnline -ClientId $ClientId -Tenant $TenantId -Thumbprint $CertificateThumbprint -Url $_.WebUrl
$Admin = Get-PnPSiteCollectionAdmin
$AdminToRemove = $Admin | Where-Object {$MainUser -ne $_.Email}
if($AdminToRemove){
    Remove-PnPSiteCollectionAdmin -Owners $AdminToRemove
}
This step ensures that only authorized individuals remain as owners of the user's OneDrive account.
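The five steps above assembled into one script, as an added example rather than the post's own code: it audits by default, writes the CSV, and removes extra owners only when -Remediate is passed. Variable and cmdlet names follow the snippets above; the param block, the -Remediate switch and the per-user error handling are assumptions of this example.

```powershell
# Added example (not the post's own script): audit licensed users' OneDrive sites for extra
# owners, write the report, and remove those owners only when -Remediate is supplied.
param(
    [Parameter(Mandatory)][string]$ClientId,
    [Parameter(Mandatory)][string]$TenantId,            # e.g. contoso.onmicrosoft.com
    [Parameter(Mandatory)][string]$CertificateThumbprint,
    [string]$ReportPath = "$env:USERPROFILE\Downloads\onedrive-extraneous-owners.csv",
    [switch]$Remediate                                  # omit to report only, remove nothing
)
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Files, PnP.PowerShell -ErrorAction Stop
Connect-MgGraph -NoWelcome -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint

# Step 2: only licensed users (unlicensed accounts have no provisioned OneDrive)
$Users = Get-MgUser -All -Property Id,UserPrincipalName,AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 }

# Step 3: one output row per extra "owner" grant on the drive root
$output = foreach ($User in $Users) {
    try {
        $Drive = Get-MgUserDefaultDrive -UserId $User.UserPrincipalName -Property Owner,Id,WebUrl -ErrorAction Stop
        $Permission = Get-MgUserDriveRootPermission -DriveId $Drive.Id -UserId $User.UserPrincipalName -Property GrantedTo,Id,Roles -ErrorAction Stop
    } catch {
        Write-Warning "Skipping $($User.UserPrincipalName): $($_.Exception.Message)"   # no drive yet, or no access
        continue
    }
    $ExtraOwner = $Permission | Where-Object { $_.GrantedTo.User.Id -ne $User.Id -and $_.Roles -ccontains 'owner' }
    foreach ($Owner in $ExtraOwner) {
        [pscustomobject]@{
            User         = $User.UserPrincipalName
            WebUrl       = $Drive.WebUrl
            ExtraOwner   = $Owner.GrantedTo.User.DisplayName
            ExtraOwnerId = $Owner.GrantedTo.User.Id
            PermissionId = $Owner.Id
        }
    }
}

# Step 4: the CSV doubles as the backup of what was found before any removal
$output | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($output).Count) extra owner grant(s) written to $ReportPath"

# Step 5: per affected site, keep only the user themselves as site collection admin
if ($Remediate) {
    foreach ($Site in ($output | Sort-Object WebUrl -Unique)) {
        Connect-PnPOnline -ClientId $ClientId -Tenant $TenantId -Thumbprint $CertificateThumbprint -Url $Site.WebUrl
        $AdminToRemove = Get-PnPSiteCollectionAdmin | Where-Object { $_.Email -ne $Site.User }
        if ($AdminToRemove) {
            Write-Host "Removing from $($Site.WebUrl): $($AdminToRemove.Email -join ', ')"
            Remove-PnPSiteCollectionAdmin -Owners $AdminToRemove
        }
    }
}
```

The removal step is a write against SharePoint, so the app registration needs SharePoint write permission in addition to the read-only Graph permissions listed in the requirements; run once without -Remediate and review the CSV before removing anyone.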
Best Practices for Running the Script:
- Backup Permissions: Before running the removal process, export the list of current OneDrive owners to keep a backup for auditing purposes.
- Test the Script: Run the script in a test environment or for a small group of users to verify that it works as expected before deploying it to a large-scale production environment.
- Automate Regularly: Consider scheduling this script to run at regular intervals to ensure that OneDrive permissions are regularly audited and cleaned up.
Why Is This Important?
Ensuring proper OneDrive ownership is essential for data security. Unauthorized users with owner-level access could modify or delete files, leading to potential data loss or security breaches. This script helps organizations maintain a high level of security by regularly auditing and enforcing correct OneDrive permissions.
Conclusion
This PowerShell script provides a valuable tool for managing OneDrive ownership, ensuring that unauthorized users are removed from key permissions in users' OneDrive accounts. By automating the detection and remediation of extra owners, you can ensure that only authorized individuals have full control, reducing the risk of data breaches and ensuring compliance with your organization's security policies.
By integrating this script with tools like Intune or Azure Automation, administrators can streamline the process of monitoring and enforcing proper OneDrive permissions across the entire organization.