Managing OneDrive Permissions with PowerShell: Detecting and Removing Extra Owners
Managing OneDrive Permissions with PowerShell
Managing access to users’ OneDrive accounts is crucial for maintaining security, ensuring that sensitive information is not improperly shared or accessed by unauthorized users. This PowerShell script automates the process of detecting and removing extra owners from OneDrive accounts using the Microsoft Graph API.
Script Overview
The script connects to Microsoft Graph using application permissions, retrieves users with assigned licenses, and checks whether any additional (unauthorized) owners have been granted access to their OneDrive accounts. It then removes these extra owners so that only the rightful owner keeps full control.
Key Capabilities
| Feature | Capability | Business Value |
|---|---|---|
| Automated Detection | Scans all licensed OneDrive accounts | Identifies security risks automatically |
| Permission Analysis | Analyzes owner-level access patterns | Ensures proper access control |
| Remediation | Removes unauthorized owners | Maintains data security |
| Audit Trail | Exports results to CSV | Provides compliance documentation |
Prerequisites and Requirements
Before running this script, the following prerequisites must be met:
Azure AD App Registration
| Permission Type | Required Permissions | Purpose |
|---|---|---|
| Microsoft Graph API | User.Read.All | List users and their assigned licenses (Get-MgUser) |
| Microsoft Graph API | Files.Read.All | Read every user's OneDrive and the permissions on its root |
| Microsoft Graph API | Sites.Read.All | Read SharePoint site information |
| Authentication Type | Application permissions with a certificate credential | Unattended service-to-service authentication |
Important: Application permissions are required, not delegated permissions. Files.Read, for example, exists only as a delegated permission and does not let an app read other users' drives; the .All variants above are the application-permission equivalents. These Graph permissions cover detection only: the removal step in section 5 runs through PnP PowerShell against SharePoint Online, which needs a SharePoint application permission (Sites.FullControl.All) on the same app registration, with admin consent granted for it.
PowerShell Script Architecture
1. Authentication and Microsoft Graph API Connection
The script starts by connecting to Microsoft Graph with Connect-MgGraph, authenticating as the app registration with a certificate from the local certificate store rather than a client secret, so no reusable secret sits in the script or a config file.
```powershell
Connect-MgGraph -NoWelcome -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint
```
This connection provides access to the Graph API resources the app has been consented to, enabling the script to retrieve user information and OneDrive details.
2. Retrieving Users with Assigned Licenses
The script retrieves all users with the Get-MgUser cmdlet and filters out, on the client side, anyone whose AssignedLicenses collection is empty.
```powershell
$Users = Get-MgUser -All -Property Id,UserPrincipalName,AssignedLicenses |
    Where-Object { ($_.AssignedLicenses).Count -gt 0 }
```
This limits processing to licensed users, who are the only ones that can own a OneDrive. A license does not guarantee that a OneDrive has been provisioned (a user who has never opened OneDrive or SharePoint has none), which is why the next step treats a failed drive lookup as an expected case rather than a fatal error.
3. Checking OneDrive for Extra Owners
For each user, the script retrieves their default drive and the permissions on its root, then keeps any permission whose "owner" role was granted to an identity other than the user themselves.
```powershell
$Drive = Get-MgUserDefaultDrive -UserId $DriveUserUPN -Property Owner,Id,WebUrl -ErrorAction Stop
$Permission = Get-MgUserDriveRootPermission -DriveId $Drive.Id -UserId $DriveUserUPN -Property GrantedTo,Id,Roles
# Any owner-role grant to someone other than the drive's own user is an extra owner
$ExtraOwner = $Permission | Where-Object { $_.GrantedTo.User.Id -ne $DriveUserId -and $_.Roles -ccontains 'owner' }
```
-ErrorAction Stop turns a missing OneDrive into a terminating error that a surrounding try/catch can skip past. Microsoft Graph marks grantedTo as deprecated in favour of grantedToV2 on the permission resource, so if grantedTo comes back empty for some entries, request GrantedToV2 as well and read the user from there. Any extra owners detected are logged for removal.
4. Exporting the Results
The script stores information about OneDrive instances with extra owners and exports the data to a CSV file for review.
```powershell
$output | Export-Csv -Path "C:\Users\YourUsername\Downloads\onedrive-extraneous-owners.csv" -NoTypeInformation
```
-NoTypeInformation suppresses the #TYPE header that Windows PowerShell 5.1 would otherwise write as the first line. Export before any removal runs: the file is both the review list for administrators and the record needed to reinstate an admin that was removed in error.
5. Removing Unauthorized Owners
Once the extra owners have been identified, the script connects to each affected user's OneDrive site (the WebUrl captured above) with PnP PowerShell and removes everyone except the owner from the Site Collection Administrators list, which is where OneDrive owner-level rights are actually held.
```powershell
# $_ is one row of the detection output; $MainUser holds that row's OneDrive owner
# Connect-PnPOnline takes the tenant as -Tenant (name or id), not -TenantId
Connect-PnPOnline -ClientId $ClientId -Tenant $TenantId -Thumbprint $CertificateThumbprint -Url $_.WebUrl
$Admin = Get-PnPSiteCollectionAdmin
$AdminToRemove = $Admin | Where-Object { $MainUser -ne $_.Email }
if ($AdminToRemove) { Remove-PnPSiteCollectionAdmin -Owners $AdminToRemove }
```
Two things to check before running this. First, the comparison is against the admin's Email property; in tenants where a user's primary SMTP address is not their UPN, the rightful owner will not match and would be removed as well, so compare against LoginName (the claims string that ends in the UPN) instead. Second, this strips every admin other than the owner, including accounts your tenant deliberately adds to all OneDrives (a break-glass or eDiscovery account, for example), so keep an allow-list for those. With those checks in place, only authorized individuals remain as owners of the user's OneDrive account.
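The five steps above, as one runnable script that is an added example and not the page's original code. It keeps the same shape (Graph for detection, PnP for removal, CSV as the hand-off) but splits the two phases into functions so they can run in separate PowerShell processes, supports -WhatIf for a dry run, matches admins on LoginName rather than Email, and carries an allow-list. Assumed: a single app registration with its certificate in the CurrentUser\My store, Graph application permissions User.Read.All, Files.Read.All and Sites.Read.All, the SharePoint application permission Sites.FullControl.All, and the Microsoft.Graph.Users, Microsoft.Graph.Files and PnP.PowerShell modules installed. The function names, parameter names, the -AllowedAdmins list and the usage values are this example's own choices.

```powershell
<#
  Added example (not the page's script). Detection (Graph) and remediation (PnP)
  are separate functions; the CSV written by the first is the input of the second.
  Assumptions: see the lead-in above (app registration, permissions, modules).
#>
function Find-ExtraOneDriveOwner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$CertificateThumbprint,
        [Parameter(Mandatory)][string]$ReportPath
    )
    Import-Module Microsoft.Graph.Users, Microsoft.Graph.Files -ErrorAction Stop
    Connect-MgGraph -NoWelcome -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint

    # Only licensed users can own a OneDrive; a license still does not guarantee one is provisioned.
    $users = Get-MgUser -All -Property Id,UserPrincipalName,AssignedLicenses |
        Where-Object { $_.AssignedLicenses.Count -gt 0 }

    $findings = foreach ($u in $users) {
        try {
            $drive = Get-MgUserDefaultDrive -UserId $u.Id -Property Id,WebUrl,Owner -ErrorAction Stop
        } catch {
            # Expected for users who never opened OneDrive: record it and move on.
            Write-Verbose "$($u.UserPrincipalName): no OneDrive ($($_.Exception.Message))"
            continue
        }
        $perms = Get-MgUserDriveRootPermission -UserId $u.Id -DriveId $drive.Id -Property Id,Roles,GrantedTo,GrantedToV2
        foreach ($p in $perms) {
            if ($p.Roles -notcontains 'owner') { continue }
            # grantedTo is deprecated on the permission resource; prefer grantedToV2 when populated.
            $grantee = if ($p.GrantedToV2.User.Id) { $p.GrantedToV2.User } else { $p.GrantedTo.User }
            if (-not $grantee.Id -or $grantee.Id -eq $u.Id) { continue }   # rightful owner, or not a user
            [pscustomobject]@{
                OwnerUpn     = $u.UserPrincipalName
                OwnerId      = $u.Id
                WebUrl       = $drive.WebUrl
                ExtraOwnerId = $grantee.Id
                ExtraOwner   = $grantee.DisplayName
                PermissionId = $p.Id
            }
        }
    }
    # Export before anything is removed: audit trail first, then remediation input.
    if ($findings) { $findings | Export-Csv -Path $ReportPath -NoTypeInformation }
    else { Write-Host "No extra owners found; no report written." }
    Disconnect-MgGraph | Out-Null
    $findings
}

function Remove-ExtraOneDriveOwner {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$CertificateThumbprint,
        [Parameter(Mandatory)][string]$ReportPath,
        # UPNs that may legitimately stay site collection admin everywhere (e.g. a break-glass account).
        [string[]]$AllowedAdmins = @()
    )
    Import-Module PnP.PowerShell -ErrorAction Stop
    if (-not (Test-Path $ReportPath)) { Write-Warning "No report at $ReportPath; nothing to remove."; return }

    foreach ($site in (Import-Csv -Path $ReportPath | Group-Object WebUrl)) {
        $ownerUpn = $site.Group[0].OwnerUpn
        # PnP's parameter is -Tenant (name or id); -Thumbprint picks the certificate from CurrentUser\My.
        Connect-PnPOnline -Url $site.Name -ClientId $ClientId -Tenant $TenantId -Thumbprint $CertificateThumbprint
        $toRemove = Get-PnPSiteCollectionAdmin | Where-Object {
            # Compare the claims login name (i:0#.f|membership|user@contoso.com) with the owner's UPN.
            # Email is not used: a primary SMTP address that differs from the UPN would strip the real owner.
            $login = ($_.LoginName -split '\|')[-1]
            $login -ne $ownerUpn -and $login -notin $AllowedAdmins
        }
        foreach ($admin in $toRemove) {
            if ($PSCmdlet.ShouldProcess($site.Name, "Remove site collection admin $($admin.LoginName)")) {
                Remove-PnPSiteCollectionAdmin -Owners $admin
            }
        }
        Disconnect-PnPOnline
    }
}

# Usage with constructed placeholder values: detect, review, dry run, then remove.
# $p = @{ ClientId = '<app id>'; TenantId = '<tenant id>'; CertificateThumbprint = '<thumbprint>'
#         ReportPath = 'C:\Reports\onedrive-extraneous-owners.csv' }
# Find-ExtraOneDriveOwner @p -Verbose | Format-Table OwnerUpn, ExtraOwner, WebUrl
# Remove-ExtraOneDriveOwner @p -AllowedAdmins 'breakglass@contoso.com' -WhatIf
# Remove-ExtraOneDriveOwner @p -AllowedAdmins 'breakglass@contoso.com'
```

Run the detection function first and read the CSV before calling the removal function with -WhatIf, then without it. Because the two phases only share the CSV, they can run in separate PowerShell sessions, which is also the simplest workaround if the Microsoft.Graph and PnP.PowerShell modules refuse to load together in one session because of assembly version conflicts.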
Best Practices for Implementation
| Practice | Description | Implementation |
|---|---|---|
| Backup Permissions | Export current OneDrive owners before removal | Create audit trail |
| Test Environment | Verify script functionality before production | Reduce deployment risks |
| Regular Automation | Schedule periodic permission audits | Maintain ongoing security |
Security and Compliance Importance
Ensuring proper OneDrive ownership is essential for data security. Unauthorized users with owner-level access could read, modify or delete files, leading to potential data loss or security breaches.
Risk Mitigation
| Risk Type | Prevention Method | Impact |
|---|---|---|
| Data Breach | Automated owner removal | Reduces unauthorized access |
| Data Loss | Permission validation | Prevents accidental deletions |
| Compliance Violation | Regular audits | Maintains regulatory compliance |
Conclusion
Key Takeaway: This PowerShell script provides a valuable tool for managing OneDrive ownership, ensuring that unauthorized users are removed from key permissions in users’ OneDrive accounts. By automating the detection and remediation of extra owners, you can ensure that only authorized individuals have full control, reducing the risk of data breaches and ensuring compliance with your organization’s security policies.
By integrating this script with tools like Intune or Azure Automation, administrators can streamline the process of monitoring and enforcing proper OneDrive permissions across the entire organization.