
Managing OneDrive Permissions with PowerShell: Detecting and Removing Extra Owners

Managing OneDrive Permissions with PowerShell

Managing access to users’ OneDrive accounts is crucial for maintaining security, ensuring that sensitive information is not improperly shared or accessed by unauthorized users. This PowerShell script automates the process of detecting and removing extra owners from OneDrive accounts using the Microsoft Graph API.


The script connects to Microsoft Graph using application permissions, retrieves users with assigned licenses, and checks if any additional (unauthorized) owners have been granted access to their OneDrive accounts. It then removes these extra owners to ensure that only the rightful owner maintains full control.

| Feature | Capability | Business Value |
| --- | --- | --- |
| Automated Detection | Scans all licensed OneDrive accounts | Identifies security risks automatically |
| Permission Analysis | Analyzes owner-level access patterns | Ensures proper access control |
| Remediation | Removes unauthorized owners | Maintains data security |
| Audit Trail | Exports results to CSV | Provides compliance documentation |

Before running this script, the following prerequisites must be met:

| Permission Type | Required Permissions | Purpose |
| --- | --- | --- |
| Microsoft Graph API | Files.Read | Read OneDrive file metadata |
| Microsoft Graph API | Files.Read.All | Access all OneDrive files |
| Microsoft Graph API | Sites.Read.All | Read SharePoint site information |
| Authentication Type | Application permissions | Service-to-service authentication |

Important: Application permissions are required, not delegated permissions.


1. Authentication and Microsoft Graph API Connection

The script starts by connecting to Microsoft Graph with Connect-MgGraph, authenticating as an application with a certificate rather than a client secret or an interactive sign-in. Certificate-based application authentication lets the script run unattended and keeps no reusable secret in the script itself.

Connect-MgGraph -NoWelcome -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint

This connection provides access to the required Graph API resources, enabling the script to retrieve user information and OneDrive details.

2. Retrieving Users with Assigned Licenses

The script retrieves all users who have assigned licenses using the Get-MgUser cmdlet. It filters out users who do not have any licenses.

$Users = Get-MgUser -All -Property Id,UserPrincipalName,AssignedLicenses | Where-Object {($_.AssignedLicenses).count -gt 0}

This ensures that only licensed users with active OneDrive accounts are processed.

For each user, the script attempts to retrieve their OneDrive instance and permissions. It checks if any additional users have been granted “owner” roles, which would indicate improper access.

# $DriveUserUPN and $DriveUserId hold the UserPrincipalName and Id of the user being processed.
# -ErrorAction Stop turns a missing (unprovisioned) OneDrive into a catchable error.
$Drive = Get-MgUserDefaultDrive -UserId $DriveUserUPN -Property Owner,Id,WebUrl -ErrorAction Stop
# Permissions on the drive root; GrantedTo identifies the principal, Roles lists its role names.
$Permission = Get-MgUserDriveRootPermission -DriveId $Drive.Id -UserId $DriveUserUPN -Property GrantedTo,Id,Roles
# Any 'owner' role granted to a principal other than the drive's own user is an extra owner.
$ExtraOwner = $Permission | Where-Object {$_.GrantedTo.User.Id -ne $DriveUserId -and $_.Roles -ccontains 'owner'}

If additional owners are detected, they are logged for removal.

The script stores information about OneDrive instances with extra owners and exports the data to a CSV file for review.

$output | Export-Csv -Path "C:\Users\YourUsername\Downloads\onedrive-extraneous-owners.csv"

This step ensures that administrators can review the list of OneDrive accounts that require attention.

Once the extra owners have been identified, the script connects to each user’s OneDrive site using PnP PowerShell and removes the unauthorized owners from the Site Collection Administrators list.

# $_.WebUrl is the OneDrive site URL recorded for this user; $MainUser is that user's UPN.
Connect-PnPOnline -ClientId $ClientId -TenantId $TenantId -Thumbprint $CertificateThumbprint -Url $_.WebUrl
$Admin = Get-PnPSiteCollectionAdmin
# Keep the rightful owner; every other site collection administrator is removed.
$AdminToRemove = $Admin | Where-Object {$MainUser -ne $_.Email}
if($AdminToRemove){
    Remove-PnPSiteCollectionAdmin -Owners $AdminToRemove
}

This step ensures that only authorized individuals remain as owners of the user’s OneDrive account.
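The steps above, combined into one runnable script. This is an added example, not the article's own script: it assumes the same certificate-based app registration ($ClientId, $TenantId, $CertificateThumbprint), adds a $ReportPath parameter and a -Remediate switch of its own so that a first run only writes the CSV audit record and removal happens only when explicitly requested, and skips users whose OneDrive has not been provisioned instead of aborting.

```powershell
# Added example (not the article's script). Audits licensed users' OneDrive owners via
# Microsoft Graph and, only with -Remediate, removes extra site collection administrators via PnP.
# Assumed parameters: -ReportPath and -Remediate are this example's own additions.
param(
    [Parameter(Mandatory)][string]$ClientId,
    [Parameter(Mandatory)][string]$TenantId,
    [Parameter(Mandatory)][string]$CertificateThumbprint,
    [string]$ReportPath = (Join-Path $env:USERPROFILE 'Downloads\onedrive-extraneous-owners.csv'),
    [switch]$Remediate
)

# Application (not delegated) authentication with a certificate, as the article requires.
Connect-MgGraph -NoWelcome -ClientId $ClientId -TenantId $TenantId -CertificateThumbprint $CertificateThumbprint

# Only licensed users are expected to have a OneDrive.
$Users = Get-MgUser -All -Property Id,UserPrincipalName,AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 }

$Findings = foreach ($User in $Users) {
    try {
        $Drive = Get-MgUserDefaultDrive -UserId $User.UserPrincipalName -Property Owner,Id,WebUrl -ErrorAction Stop
    } catch {
        # A user with no provisioned OneDrive produces an error here; record it and move on.
        Write-Warning "No OneDrive for $($User.UserPrincipalName): $($_.Exception.Message)"
        continue
    }
    $Permissions = Get-MgUserDriveRootPermission -UserId $User.UserPrincipalName -DriveId $Drive.Id -Property GrantedTo,Id,Roles
    # Flag 'owner' grants to a user principal other than the drive's own user.
    # The GrantedTo.User.Id null check skips link-based grants that carry no user identity.
    $ExtraOwners = $Permissions | Where-Object {
        $_.Roles -ccontains 'owner' -and $_.GrantedTo.User.Id -and $_.GrantedTo.User.Id -ne $User.Id
    }
    foreach ($Owner in $ExtraOwners) {
        [pscustomobject]@{
            UserPrincipalName = $User.UserPrincipalName
            UserId            = $User.Id
            WebUrl            = $Drive.WebUrl
            ExtraOwnerId      = $Owner.GrantedTo.User.Id
            ExtraOwnerName    = $Owner.GrantedTo.User.DisplayName
            PermissionId      = $Owner.Id
        }
    }
}

if (-not $Findings) {
    Write-Host 'No extra owners found.'
    Disconnect-MgGraph
    return
}

# Write the audit record before touching anything, so the pre-remediation state is preserved.
$Findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($Findings).Count) extra owner assignment(s) written to $ReportPath"

if (-not $Remediate) {
    Write-Host 'Report-only run; re-run with -Remediate to remove the extra owners.'
    Disconnect-MgGraph
    return
}

# One PnP connection per affected OneDrive site; the site's own user is the only admin kept.
foreach ($Site in ($Findings | Group-Object WebUrl)) {
    $MainUser = $Site.Group[0].UserPrincipalName
    Connect-PnPOnline -ClientId $ClientId -TenantId $TenantId -Thumbprint $CertificateThumbprint -Url $Site.Name
    # Assumes, as the article does, that the admin's Email matches the user's UPN.
    $AdminsToRemove = Get-PnPSiteCollectionAdmin | Where-Object { $_.Email -ne $MainUser }
    if ($AdminsToRemove) {
        Write-Host "Removing $(@($AdminsToRemove).Count) site collection admin(s) from $($Site.Name)"
        Remove-PnPSiteCollectionAdmin -Owners $AdminsToRemove
    }
}
Disconnect-MgGraph
```

Run it once without -Remediate and review the CSV; the report is the backup of the pre-change owner list that the best-practices table below calls for. The Graph query finds extra owners at the permission level, while the PnP step removes them from the site collection administrators list, so the two views can differ; the CSV lets you reconcile them before any removal.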


| Practice | Description | Implementation |
| --- | --- | --- |
| Backup Permissions | Export current OneDrive owners before removal | Create audit trail |
| Test Environment | Verify script functionality before production | Reduce deployment risks |
| Regular Automation | Schedule periodic permission audits | Maintain ongoing security |

Ensuring proper OneDrive ownership is essential for data security. Unauthorized users with owner-level access could modify or delete files, leading to potential data loss or security breaches.

| Risk Type | Prevention Method | Impact |
| --- | --- | --- |
| Data Breach | Automated owner removal | Reduces unauthorized access |
| Data Loss | Permission validation | Prevents accidental deletions |
| Compliance Violation | Regular audits | Maintains regulatory compliance |

Key Takeaway: This PowerShell script provides a valuable tool for managing OneDrive ownership, ensuring that unauthorized users are removed from key permissions in users’ OneDrive accounts. By automating the detection and remediation of extra owners, you can ensure that only authorized individuals have full control, reducing the risk of data breaches and ensuring compliance with your organization’s security policies.

By integrating this script with tools like Intune or Azure Automation, administrators can streamline the process of monitoring and enforcing proper OneDrive permissions across the entire organization.