Add/Remove Secondary Site Collection Admin to all OneDrive for Business users

 Office 365, OneDrive for Business, Perumal
Mar 24 2016

There are many situations in which we need to add or remove a Secondary Site Collection Admin (or Secondary Site Collection Owner) in SharePoint to gain access to users' documents stored in their OneDrive for Business, for example when users are terminated or when students graduate from school. In such a situation the admin needs to add the Secondary Site Collection Admin or Owner to many users, so that when a user is marked for deletion the secondary admin/owner has the permissions to access that OneDrive. Adding them one by one is cumbersome in such scenarios, and PowerShell is, as always, the helping hand.

In this blog, we shall check how to Add Secondary Site Collection Admin for all OD4B Users and to Remove Secondary Site Collection Admin for all OD4B Users.

Prerequisites:
  • SharePoint Online PowerShell module
  • This script uses the 'Set-SPOUser' cmdlet. You must have the SharePoint Online global administrator permission to run the cmdlet.

Add Secondary Site Collection Admin for all OD4B Users:

Using the PowerShell script below, you can add the secondary site collection admin for all OD4B users.

In the script, replace the $AdminURI, $AdminAccount, $AdminPass, $secondaryadmin, $siteURI with correct values.

# Specify your organization admin central url 
$AdminURI = "https://tenant-admin.sharepoint.com"
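# Specify the User account for an Office 365 global admin in your organization
# (a password saved in this file is readable by anyone who can open the script; clear the value after the run)
$AdminAccount = "admin@tenant.com"
$AdminPass = "password"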

# Specify the secondary admin account and the url for the onedrive site
$secondaryadmin = "secondary-admin@tenant.com"
$siteURI = "https://tenant-my.sharepoint.com" 

$loadInfo1 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
$loadInfo2 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
$loadInfo3 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")

$sstr = ConvertTo-SecureString -string $AdminPass -AsPlainText -Force
$AdminPass = ""
$creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminAccount, $sstr)
$UserCredential = New-Object System.Management.Automation.PSCredential -argumentlist $AdminAccount, $sstr

# Add the path of the User Profile Service to the SPO admin URL, then create a new webservice proxy to access it
$proxyaddr = "$AdminURI/_vti_bin/UserProfileService.asmx?wsdl"
$UserProfileService= New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential False
$UserProfileService.Credentials = $creds

# Set variables for authentication cookies
$strAuthCookie = $creds.GetAuthenticationCookie($AdminURI)
$uri = New-Object System.Uri($AdminURI)
$container = New-Object System.Net.CookieContainer
$container.SetCookies($uri, $strAuthCookie)
$UserProfileService.CookieContainer = $container

# Gets the first User profile, at index -1
$UserProfileResult = $UserProfileService.GetUserProfileByIndex(-1)
Write-Host "Starting- This could take a while."
$NumProfiles = $UserProfileService.GetUserProfileCount()
$i = 1

Connect-SPOService -Url $AdminURI -Credential $UserCredential

# As long as the next User profile is NOT the one we started with (at -1)...
While ($UserProfileResult.NextValue -ne -1) 
{
    Write-Host "Examining profile $i of $NumProfiles"
    # Look for the Personal Space object in the User Profile and retrieve it 
    # (PersonalSpace is the name of the path to a user's OneDrive for Business site. Users who have not yet created a  
    # OneDrive for Business site might not have this property set.)
    $Prop = $UserProfileResult.UserProfile | Where-Object { $_.Name -eq "PersonalSpace" } 
    $Url = $Prop.Values[0].Value

    # If OneDrive is activated for the user, then set the secondary admin
    if ($Url) {
        $sitename = $siteURI + $Url
        # Errors are suppressed here, so $temp is empty when the call failed
        $temp = Set-SPOUser -Site $sitename -LoginName $secondaryadmin -IsSiteCollectionAdmin $true -ErrorAction SilentlyContinue
        # Report success only when Set-SPOUser actually returned the updated user
        if ($temp) {
            Write-Host "Added secondary admin to the site $($sitename)"
        }
        else {
            Write-Warning "Could not add secondary admin to the site $($sitename)"
        }
    }

    # And now we check the next profile the same way...
    $UserProfileResult = $UserProfileService.GetUserProfileByIndex($UserProfileResult.NextValue)
    $i++
}

Remove Secondary Site Collection Admin for all OD4B Users:

To remove the secondary site collection admin, in the above script, just change the Set-SPOUser cmdlet's parameter "IsSiteCollectionAdmin" value to $false.
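
The add/remove step with the outcome of every change recorded, as an added example that is not part of the original script. It assumes Connect-SPOService has already been run; the function name Set-OD4BSecondaryAdmin, the sample site URL and the CSV file name are made up for illustration.

```powershell
# Added example: grant or revoke the secondary admin on a list of OneDrive sites
# and return one audit record per site. Assumes Connect-SPOService has already run.
# Set-OD4BSecondaryAdmin and the CSV file name are hypothetical names for this example.
function Set-OD4BSecondaryAdmin {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string[]] $SiteUrl,
        [Parameter(Mandatory = $true)] [string]   $LoginName,
        # $true adds the secondary admin, $false removes it
        [Parameter(Mandatory = $true)] [bool]     $IsSiteCollectionAdmin
    )
    $action = if ($IsSiteCollectionAdmin) { 'Add' } else { 'Remove' }
    foreach ($site in $SiteUrl) {
        $result = 'Skipped'
        $detail = ''
        if ($PSCmdlet.ShouldProcess($site, "$action site collection admin $LoginName")) {
            try {
                # -ErrorAction Stop turns a failure into an exception so it is recorded, not hidden
                Set-SPOUser -Site $site -LoginName $LoginName `
                    -IsSiteCollectionAdmin $IsSiteCollectionAdmin -ErrorAction Stop | Out-Null
                $result = 'Success'
            }
            catch {
                $result = 'Failed'
                $detail = $_.Exception.Message
            }
        }
        # One record per site: who was granted or revoked, where, when, and whether it worked
        [pscustomobject]@{
            TimeUtc   = (Get-Date).ToUniversalTime().ToString('o')
            Site      = $site
            LoginName = $LoginName
            Action    = $action
            Result    = $result
            Detail    = $detail
        }
    }
}

# Constructed sample values, matching the placeholders used in the script above
$sites = @('https://tenant-my.sharepoint.com/personal/user1_tenant_com')
Set-OD4BSecondaryAdmin -SiteUrl $sites -LoginName 'secondary-admin@tenant.com' -IsSiteCollectionAdmin $true |
    Export-Csv -Path '.\od4b-secondary-admin-audit.csv' -NoTypeInformation -Append
```

Running it with -WhatIf lists the sites that would be changed without changing them. The rows with Action "Add" and Result "Success" give the site list to pass back with -IsSiteCollectionAdmin $false once the access is no longer needed.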