I had a similar request: grant someone full access to a leaver's OneDrive.
I solved it with a custom command that uses PnP with an Entra ID app. It runs on user objects and asks for the user who should get access.
We have two servers in use, so the script checks which server it is running on and uses the corresponding file to read the encrypted App ID and certificate password.
You need to install the PnP module on each Adaxes server, but only version 1.12.0 works at the moment, so use this command:
install-module pnp.powershell -RequiredVersion 1.12.0
Custom Command
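# Import required modules
Import-Module PnP.PowerShell

# Get input parameters
# Admin-site URL of the tenant; the OneDrive host name is derived from it further down.
$AdminSiteUrl = "https://YOURDOMAIN-admin.sharepoint.com"
# The command runs on the leaver's user object, so the target UPN comes from the object itself.
$TargetUserUPN = "%userPrincipalName%" #(Get-AdmUser "%param-targetUser%" -Properties UserPrincipalName).UserPrincipalName
# The user who should receive access is asked for as a command parameter.
$AccessUserUPN = (Get-AdmUser "%param-accessUser%" -Properties UserPrincipalName).UserPrincipalName

# Refuse to continue with an empty grantee: Add-PnPSiteCollectionAdmin -Owners $null would only
# fail late, after the connection has already been opened.
if ([string]::IsNullOrWhiteSpace($AccessUserUPN)) {
    $Context.LogMessage("Could not resolve the UPN of the user who should get access", "Error")
    exit
}

# Get machine name and determine server.
# EndsWith() must be given a string: EndsWith(01) passes the integer 1, which matches any host
# name ending in "1" (e.g. ...11) and would select the wrong credential files.
$machine = $env:COMPUTERNAME
if ($machine.EndsWith("01")) {
    $server = "01"
} elseif ($machine.EndsWith("02")) {
    $server = "02"
} else {
    $Context.LogMessage("Invalid server", "Error")
    exit
}
$Context.LogMessage("DGB We use server $($server)", "Information")

# Construct OneDrive URL
$Context.LogMessage("Constructing OneDrive URL for $($TargetUserUPN)", "Information")
$TenantName = ($AdminSiteUrl -split '-admin\.')[0] -replace 'https://', ''
# The personal site path is the UPN with '@' and '.' replaced by '_'. One character-class replace
# does this; the earlier '.com' pattern was an unescaped regex that also matched any character
# followed by "com" inside the UPN.
$PersonalSitePath = $TargetUserUPN -replace '[@.]', '_'
$OneDriveUrl = "https://$($TenantName)-my.sharepoint.com/personal/$($PersonalSitePath)/"
$Context.LogMessage("OneDrive URL constructed: $($OneDriveUrl)", "Information")

# Grant access
try {
    $Context.LogMessage("Granting $($AccessUserUPN) full control to $($TargetUserUPN)'s OneDrive ($($OneDriveUrl))", "Information")
    # Dot-sourced so the PnP connection it opens lives in this session.
    . "\\server\path\connect_PNP_global.ps1" $server $OneDriveUrl
    Add-PnPSiteCollectionAdmin -Owners $AccessUserUPN
    $Context.LogMessage("$($AccessUserUPN) granted full control to $($TargetUserUPN)'s OneDrive.", "Information")
} catch {
    $Context.LogMessage("Error: $($_.Exception.Message)", "Error")
} finally {
    $Context.LogMessage("Disconnecting from SharePoint Online", "Information")
    # Disconnect itself errors when no connection was ever established; do not let that
    # unhandled error in the finally block mask the error logged above.
    try {
        Disconnect-PnPOnline -ErrorAction Stop
    } catch {
        $Context.LogMessage("Disconnect skipped: $($_.Exception.Message)", "Warning")
    }
}
$Context.LogMessage("Script execution completed.", "Information")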
The connect script (connect_PNP_global.ps1) that is dot-sourced above:
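# connect_PNP_global.ps1 — opens (or reuses) a PnP connection to the site given in $args[1],
# authenticating app-only with the certificate files of the Adaxes server given in $args[0].
# Meant to be dot-sourced from a custom command so the connection stays in the caller's session.
# Throws when no usable connection could be established, so a caller's try/catch stops before
# it runs any site operation against a missing or wrong connection.
$current_Folder = (get-item $PSScriptRoot ).FullName
. $current_folder\_FUNC.Global.ps1

$server = $args[0]   # "01" or "02": selects the per-server credential files
$url = $args[1]      # site collection URL to connect to

$path = "\\server\path\"
# App ID and certificate password are stored as ConvertFrom-SecureString output (DPAPI), so they
# can only be read back by the same account ($env:USERNAME) on the same server.
$file_appID = $path + "PnP_AppID_$($env:USERNAME)$($server).txt"
$file_certPW = $path + "PnP_CertificatePassword_$($env:USERNAME)$($server).txt"
$file_PFX = $path + "PnP Management Shell v2.pfx"
$org = "MSDOMAIN.onmicrosoft.com"

$Context.LogMessage("SharePoint PNP ::: Checking Connection", "Information")
# Reuse an existing connection only when it points at the requested site. A connection still
# open to another site (e.g. a previous user's OneDrive) must not be reused, otherwise the
# caller's Add-PnPSiteCollectionAdmin would act on the wrong site collection.
$needConnect = $true
try {
    # Liveness probe: throws (and lands in catch) when there is no connection at all.
    Get-PnPTenantSite -Filter "Url -like '$org'" -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null
    $connectedUrl = [string](Get-PnPConnection -ErrorAction Stop).Url
    if ($connectedUrl.TrimEnd('/') -eq $url.TrimEnd('/')) {
        $Context.LogMessage("SharePoint PNP ::: Already connected", "Information")
        $needConnect = $false
    } else {
        $Context.LogMessage("SharePoint PnP ::: Connected to $($connectedUrl), reconnecting to $($url)", "Information")
    }
}
catch {
    $Context.LogMessage("SharePoint PnP ::: Not connected", "Information")
}

if ($needConnect) {
    $Context.LogMessage("SharePoint PnP ::: Trying now ...", "Information")
    # Report every missing file before giving up, so one run shows the whole problem.
    $missing = @(@($file_appID, $file_certPW, $file_PFX) | Where-Object { -not (Test-Path $_) })
    foreach ($f in $missing) {
        $Context.LogMessage("SharePoint PnP ::: Connection failed due to: File $($f) is missing", "Error")
    }
    if ($missing.Count -gt 0) {
        throw "SharePoint PnP ::: Connection failed: required file(s) missing"
    }

    # -ClientId takes a plain string, so the protected App ID is unwrapped; the BSTR is zeroed
    # and freed afterwards instead of being leaked.
    $appidSecure = Get-Content $file_appID | ConvertTo-SecureString
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($appidSecure)
    try {
        $appid = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    } finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
    # The PFX password stays a SecureString; it was read but never passed to Connect-PnPOnline
    # before, so a password-protected PFX could not be opened.
    $certpw = Get-Content $file_certPW | ConvertTo-SecureString
    try {
        Connect-PnPOnline -CertificatePath $file_PFX -CertificatePassword $certpw -ClientId $appid -Tenant $org -Url $url -ErrorAction Stop | Out-Null
        $Context.LogMessage("SharePoint PnP ::: Connected", "Information")
    } catch {
        $Context.LogMessage("SharePoint PnP ::: Connection failed due to: `r`n$($_.Exception.Message)", "Error")
        # Re-throw so a dot-sourcing caller does not continue with site operations.
        throw
    }
}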
Hope this helps you. Feel free to use it and adjust it to your needs.