how to automatically grant a user's manager access to their network drive and onedrive during a user's deprovisioning

how to automatically grant a user's manager access to their network drive and onedrive during a user's deprovisioning. I don't want to manually grant access to the user's network drive on an on-prem file server and onedrive. Can this be incorporated in the user deprovisioning script?

by (20 points)

1 Answer

by (307k points)
0 votes

Hello,

It should be possible using PowerShell scripts. Unfortunately, we do not have anything on OneDrive in our repository, but Script 1: Manager and additional delegates from the following article should be helpful: https://www.adaxes.com/script-repository/grant-access-to-user-s-home-folder-s15.htm.

by (2.4k points)
0

I had similar request last week and wrote this PowerShell Script with ChatGPT.

You need to connect to SPO first (connect and disconnect commented out).

# Requires the SharePoint Online Management Shell
# Ensure you have the required permissions to manage OneDrive access

# Define logging function
Function Write-Log {
    param (
        [string]$Message,
        [string]$Level = "INFO"
    )
    $Timestamp = (Get-Date -Format "yyyy-MM-dd HH:mm:ss")
    Write-Host "$($Timestamp) [$($Level)] $($Message)"
    "$($Timestamp) [$($Level)] $($Message)" | Out-File -Append -FilePath "onedrive_access.log"
}

# Debug function
Function Debug-Mode {
    param (
        [switch]$Enable
    )
    $script:Debug = $Enable
}

# Grant Full Access to OneDrive
Function Grant-OneDriveAccess {
    param (
        [string]$AdminSiteUrl,  # SharePoint Admin Center URL
        [string]$TargetUserUPN, # User B's UPN
        [string]$AccessUserUPN  # User A's UPN
    )

    try {
        Write-Log "Connecting to SharePoint Admin Center..."
        #Connect-SPOService -Url $AdminSiteUrl

        Write-Log "Constructing OneDrive URL for $($TargetUserUPN)..."
        # Construct the OneDrive URL assuming standard tenant URL pattern
        $TenantName = ($AdminSiteUrl -split '-admin\.')[0] -replace 'https://', ''
        $OneDriveUrl = "https://$($TenantName)-my.sharepoint.com/personal/$($TargetUserUPN -replace '@', '_' -replace '.com','_com')/" # CHANGE IF NEEDED

        Write-Log "OneDrive URL constructed: $($OneDriveUrl)"

        Write-Log "Granting $($AccessUserUPN) full control to $($TargetUserUPN)'s OneDrive ($($OneDriveUrl))..."
        if ($Debug) {
            Write-Log "Debug mode enabled. Skipping permission assignment." "DBG"
        } else {
            Set-SPOUser -Site $OneDriveUrl -LoginName $AccessUserUPN -IsSiteCollectionAdmin $true -ErrorAction Stop
            Write-Log "$($AccessUserUPN) granted full control to $($TargetUserUPN)'s OneDrive." "INFO"
        }
    } catch {
        Write-Log "Error: $($_.Exception.Message)" "ERR"
    } finally {
        Write-Log "Disconnecting from SharePoint Online..."
        #Disconnect-SPOService
    }
}


# Main script
Function Main {
    param (
        [string]$AdminSiteUrl,  # Example: "https://tenant-admin.sharepoint.com"
        [string]$TargetUserUPN, # User B's UPN
        [string]$AccessUserUPN, # User A's UPN
        [switch]$EnableDebug
    )

    Debug-Mode -Enable:$EnableDebug

    Write-Log "Processing: Granting $($AccessUserUPN) access to $($TargetUserUPN)'s OneDrive..."
    Grant-OneDriveAccess -AdminSiteUrl $AdminSiteUrl -TargetUserUPN $TargetUserUPN -AccessUserUPN $AccessUserUPN

    Write-Log "Script execution completed." "INFO"
}

# Example usage
# Provide the SharePoint Admin Center URL and input UPNs
# Debug mode can be enabled to simulate actions without applying changes

$AdminSiteUrl = "https://YOURTENANT-admin.sharepoint.com"
$TargetUserUPN = "" # Replace with User B's UPN
$AccessUserUPN = "" # Replace with User A's UPN
$EnableDebug = $false

Main -AdminSiteUrl $AdminSiteUrl -TargetUserUPN $TargetUserUPN -AccessUserUPN $AccessUserUPN -EnableDebug:$EnableDebug

Related questions

How to I delegate Send As permission and Full Access permission to a defined user during Deprovision?

Using the built in 'Deprovision' Custom Command, I would like the person that is trying to Deprovision a user (Help Desk member) be asked who (from a list of existing active ... to leave the question 'blank', which means that no one gets access to the mailbox.

asked Apr 22, 2020 by RayBilyk (260 points)
0 votes
1 answer
During the Deprovisioning process we want to clear a Extension Attribute and add one as well, is this possible?

Here is what i have been trying with Set-ADUser -Identity $user -Clear "extensionAttribute5" Set-ADUser -Identity $user -Add @{extensionAttribute5 = "NoLicenseNeeded"}

asked Nov 29, 2021 by Markh (20 points)
0 votes
1 answer
Add users to full access to a shared mailbox based on their state

I would like to grab all users in a US state and add them with full access rights to a shared mailbox. Is there a script already in the repository for this? I checked but ... each user. I don't think there is any way to do this with the interface. Thanks!

asked Mar 4 by msheppard (880 points)
0 votes
1 answer
Is it better to grant access via multiple OU and group assignments in the security role or use a business unit?

I have 18 domains managed by Adaxes and have noticed that Admin (full access) t all objects acts normally, but for piecemeal scopes like Service Desk that scopes to individual ... role (including 16 denies) and expect it to grow as we add more domains.

asked Sep 20, 2022 by DA-symplr (120 points)
0 votes
1 answer
Can we script granting a manager access to a user's mailbox?

We are developing a process to mange mailboxes for terminated users. At the time of termination we would like to: convert the mailbox to a shared mailbox. Send an approval ... would run script to grant the manger access to the mailbox. Can this be done?

asked Oct 27, 2023 by mightycabal (1.2k points)
0 votes
1 answer