0 votes

How to automatically grant a user's manager access to their network drive and OneDrive during a user's deprovisioning? I don't want to manually grant access to the user's network drive on an on-prem file server and OneDrive. Can this be incorporated in the user deprovisioning script?

by (20 points)

1 Answer

0 votes
by (296k points)

Hello,

It should be possible using PowerShell scripts. Unfortunately, we do not have anything on OneDrive in our repository, but Script 1: Manager and additional delegates from the following article should be helpful: https://www.adaxes.com/script-repository/grant-access-to-user-s-home-folder-s15.htm.
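As an added example that is not from the Adaxes script repository or from the answer above, the following PowerShell shows what the deprovisioning step can look like end to end: it resolves the manager from the user's AD object, adds an explicit NTFS ACE for the manager on the home folder stored in homeDirectory, and then makes the manager a site collection admin of the user's OneDrive. It assumes the ActiveDirectory and Microsoft.Online.SharePoint.PowerShell modules are available, that Connect-SPOService has already been run, and that the tenant name (YOURTENANT) and the rights level are placeholders to adjust; how you pass the user into it from your Adaxes deprovisioning script is up to your existing setup.

```powershell
# Added example, not Adaxes code. Grants the deprovisioned user's manager access to
# the user's on-prem home folder (homeDirectory attribute) and their OneDrive.
# Assumptions: ActiveDirectory + Microsoft.Online.SharePoint.PowerShell modules,
# an existing Connect-SPOService session, placeholder tenant name YOURTENANT.
#Requires -Modules ActiveDirectory, Microsoft.Online.SharePoint.PowerShell
param(
    [Parameter(Mandatory)][string]$SamAccountName,      # user being deprovisioned
    [string]$TenantName = "YOURTENANT",                   # placeholder: <tenant>-my.sharepoint.com
    [ValidateSet("Read", "Modify", "FullControl")]
    [string]$HomeFolderRights = "Modify",                 # least privilege: Modify, not FullControl
    [switch]$DryRun                                       # log what would change, change nothing
)

$ErrorActionPreference = "Stop"

function Get-OneDrivePersonalUrl {
    param([string]$Tenant, [string]$Upn)
    # OneDrive personal site URLs replace every '.' and '@' of the UPN with '_'.
    # A character class is used so the literal dot is matched ('.' alone is a regex wildcard).
    $segment = $Upn -replace '[.@]', '_'
    return "https://$Tenant-my.sharepoint.com/personal/$segment"
}

function Grant-HomeFolderAccess {
    param([string]$Path, [string]$IdentityReference, [string]$Rights, [switch]$DryRun)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Home folder '$Path' not found" }
    $acl = Get-Acl -LiteralPath $Path
    # Explicit Allow ACE that is inherited by subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $IdentityReference,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit",
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    if ($DryRun) { Write-Host "DryRun: would add $Rights for $IdentityReference on $Path"; return }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1. Resolve the user and their manager. Stop if there is no usable manager instead of
#    silently granting nothing, or granting access to a disabled account.
$user = Get-ADUser -Identity $SamAccountName -Properties HomeDirectory, Manager, UserPrincipalName
if (-not $user.Manager) { throw "$SamAccountName has no manager set; not granting access" }
$manager = Get-ADUser -Identity $user.Manager -Properties UserPrincipalName
if (-not $manager.Enabled) { throw "Manager $($manager.SamAccountName) is disabled; handle manually" }
$managerNt = "$((Get-ADDomain).NetBIOSName)\$($manager.SamAccountName)"

# 2. On-prem file server: add the manager to the home folder ACL.
if ($user.HomeDirectory) {
    Grant-HomeFolderAccess -Path $user.HomeDirectory -IdentityReference $managerNt `
        -Rights $HomeFolderRights -DryRun:$DryRun
} else {
    Write-Warning "$SamAccountName has no homeDirectory attribute; skipping file server step"
}

# 3. OneDrive: site collection admin is full control of the site, so log who got it and when
#    so it can be removed once the data has been retrieved.
$odUrl = Get-OneDrivePersonalUrl -Tenant $TenantName -Upn $user.UserPrincipalName
if ($DryRun) {
    Write-Host "DryRun: would make $($manager.UserPrincipalName) site collection admin of $odUrl"
} else {
    Set-SPOUser -Site $odUrl -LoginName $manager.UserPrincipalName -IsSiteCollectionAdmin $true
}
Write-Host "$(Get-Date -Format o): granted $($manager.UserPrincipalName) access to $SamAccountName's home folder and OneDrive"
```

Run it once with -DryRun against a test account to confirm the resolved manager, the home folder path and the constructed OneDrive URL before letting the deprovisioning script call it for real. Site collection admin on OneDrive is a standing full-control grant, so pair it with a later step (or a ticket) that removes it after the retention period.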

0

I had a similar request last week and wrote this PowerShell script with ChatGPT.

You need to connect to SPO first (connect and disconnect commented out).

# Requires the SharePoint Online Management Shell
# Ensure you have the required permissions to manage OneDrive access

# Define logging function
Function Write-Log {
    param (
        [string]$Message,
        [string]$Level = "INFO"
    )
    $Timestamp = (Get-Date -Format "yyyy-MM-dd HH:mm:ss")
    Write-Host "$($Timestamp) [$($Level)] $($Message)"
    "$($Timestamp) [$($Level)] $($Message)" | Out-File -Append -FilePath "onedrive_access.log"
}

# Debug function
Function Debug-Mode {
    param (
        [switch]$Enable
    )
    $script:Debug = $Enable
}

# Grant Full Access to OneDrive
Function Grant-OneDriveAccess {
    param (
        [string]$AdminSiteUrl,  # SharePoint Admin Center URL
        [string]$TargetUserUPN, # User B's UPN
        [string]$AccessUserUPN  # User A's UPN
    )

    try {
        Write-Log "Connecting to SharePoint Admin Center..."
        #Connect-SPOService -Url $AdminSiteUrl

        Write-Log "Constructing OneDrive URL for $($TargetUserUPN)..."
        # Construct the OneDrive URL assuming the standard tenant URL pattern:
        # every '.' and '@' in the UPN becomes '_' in the personal site path
        # (a character class is used because '.' alone is a regex wildcard).
        $TenantName = ($AdminSiteUrl -split '-admin\.')[0] -replace 'https://', ''
        $OneDriveUrl = "https://$($TenantName)-my.sharepoint.com/personal/$($TargetUserUPN -replace '[.@]', '_')/" # CHANGE IF NEEDED

        Write-Log "OneDrive URL constructed: $($OneDriveUrl)"

        Write-Log "Granting $($AccessUserUPN) full control to $($TargetUserUPN)'s OneDrive ($($OneDriveUrl))..."
        if ($Debug) {
            Write-Log "Debug mode enabled. Skipping permission assignment." "DBG"
        } else {
            Set-SPOUser -Site $OneDriveUrl -LoginName $AccessUserUPN -IsSiteCollectionAdmin $true -ErrorAction Stop
            Write-Log "$($AccessUserUPN) granted full control to $($TargetUserUPN)'s OneDrive." "INFO"
        }
    } catch {
        Write-Log "Error: $($_.Exception.Message)" "ERR"
    } finally {
        Write-Log "Disconnecting from SharePoint Online..."
        #Disconnect-SPOService
    }
}


# Main script
Function Main {
    param (
        [string]$AdminSiteUrl,  # Example: "https://tenant-admin.sharepoint.com"
        [string]$TargetUserUPN, # User B's UPN
        [string]$AccessUserUPN, # User A's UPN
        [switch]$EnableDebug
    )

    Debug-Mode -Enable:$EnableDebug

    Write-Log "Processing: Granting $($AccessUserUPN) access to $($TargetUserUPN)'s OneDrive..."
    Grant-OneDriveAccess -AdminSiteUrl $AdminSiteUrl -TargetUserUPN $TargetUserUPN -AccessUserUPN $AccessUserUPN

    Write-Log "Script execution completed." "INFO"
}

# Example usage
# Provide the SharePoint Admin Center URL and input UPNs
# Debug mode can be enabled to simulate actions without applying changes

$AdminSiteUrl = "https://YOURTENANT-admin.sharepoint.com"
$TargetUserUPN = "" # Replace with User B's UPN
$AccessUserUPN = "" # Replace with User A's UPN
$EnableDebug = $false

Main -AdminSiteUrl $AdminSiteUrl -TargetUserUPN $TargetUserUPN -AccessUserUPN $AccessUserUPN -EnableDebug:$EnableDebug
