Forum Discussion
Microsoft Graph PowerShell SDK Module OneDrive Folder Permissions Assignment
- Oct 06, 2023
It would be helpful if you posted some code snippets for the Graph request.
I am not sure if you are stuck with Microsoft Graph PowerShell, but I was able to do what you needed to do with PnP PowerShell:
$url = "<ONEDRIVEURL>"                  # URL of the user's OneDrive site
Connect-PnPOnline -Url $url -Interactive
$oneDriveDefaultListName = "Documents"  # OneDrive's default document library
$folderToCreate = "myFolder"
$securityGroupToAdd = "Group1"          # group that should get access to the folder
$permission = "Contribute"              # SharePoint role to grant on the folder
# Create the folder under the library root, then grant the group the role on that folder only
Add-PnPFolder -Name $folderToCreate -Folder $oneDriveDefaultListName
Set-PnPFolderPermission -List $oneDriveDefaultListName -Identity "$oneDriveDefaultListName/$folderToCreate" -User $securityGroupToAdd -AddRole $permission
If you are stuck with Graph API (and Azure Security Groups), maybe take a look at these links:
Send an invite to access an item - Microsoft Graph v1.0 | Microsoft Learn
https://learn.microsoft.com/en-us/graph/api/resources/driverecipient?view=graph-rest-1.0#properties
Thank you for your reply, I greatly appreciate it!
I will have to check into PnP, I guess, but here is what I have so far. It is failing exactly at the invoke call; as you pointed out in your URL for invite, that is where I have made it to!
These are the permissions that the connection has in the Azure App:
GENERIC APP REG Permissions (Application)
TeamSettings.ReadWrite.All
Mail.ReadWrite
User.ReadWrite.All
Directory.ReadWrite.All
TeamsActivity.Send
Team.Create
Group.ReadWrite.All
User.Invite.All
Files.ReadWrite.All
TeamMember.ReadWrite.All
ServicePrincipalEndpoint.ReadWrite.All
Team.ReadBasic.All
Calendars.ReadWrite
Mail.Send
RoleManagement.ReadWrite.Directory
GroupMember.ReadWrite.All
Sites.FullControl.All
TeamsTab.ReadWriteForTeam.All
The file "myFolder" already exists in this test scenario; here is my code:
Import-Module Microsoft.Graph.Files
# ClientId: from the Registered App settings in the Azure Portal
# TenantId: from the Azure Portal or the Registered App settings
# CertificateThumbprint: from the certificate set up when you created the Registered Azure App
# (comments must not follow the backtick, or the line continuation is lost)
Connect-MgGraph `
-ClientId "{Some long GUID from when you created the Azure App}" `
-TenantId "{Some long GUID of your Microsoft 365 Tenant}" `
-CertificateThumbprint "{Some long passphrase of letters and numbers}"
#The Admin user that needs access to migrate files over from on-prem 2013 to online OneDrive4B
$adminUserUPN = "email address removed for privacy reasons"
$adminUser = Get-MgUser -Filter "UserPrincipalName eq '$adminUserUPN'"
$adminUserId = $adminUser.Id
#User selected for the test run
$userUPN = "email address removed for privacy reasons"
$user = Get-MgUser -Filter "UserPrincipalName eq '$userUPN'"
$userId = $user.Id
$userOneDrive = Get-MgUserDrive -UserId $userId
$userDriveId = $userOneDrive.Id
$userDriveItems = Get-MgUserDriveListItem -DriveId $userDriveId -UserId $userId
$userFolder = Get-MgUserDriveListItem -DriveId $userDriveId -UserId $userId -Search "Documents" | Where-Object { $_.WebUrl -like "*myFolder*" }
$userFolderId = $userFolder.Id
$params = @{
recipients = @(
@{
email = $userUPN
}
)
message = "it worked"
requireSignIn = $true
sendInvitation = $true
retainInheritedPermissions = $true
roles = @(
"write"
)
}
Invoke-MgInviteDriveItem -DriveId $userDriveId -DriveItemId $userFolderId -UserId $userId -BodyParameter $params
#I have also tried these and fail, I wonder given the error at times if the DriveItemId is correct or not
#New-MgUserDriveItemPermission -DriveId $userDriveId -DriveItemId $userFolderId -UserId $userId -BodyParameter $params
#Grant-MgUserDriveItemPermission -DriveId $userDriveId -DriveItemId $userFolderId -UserId $userId -BodyParameter $params
Can you post the error that you get from running the command Invoke-MgInviteDriveItem?
Also, your original post talked about using a Security Group. Is it a mail-enabled group?
I posted the link for the drive recipient just in case it is not a mail-enabled group. In which case, you may want to use something like the alias or objectId instead of email:
$params = @{
recipients = @(
@{
alias = $userAlias
}
)
message = "it worked"
requireSignIn = $true
sendInvitation = $true
retainInheritedPermissions = $true
roles = @(
"write"
)
}
Here are some additional resources you may want to look at:
Graph Explorer | Try Microsoft Graph APIs - Microsoft Graph
I'll take a look at your code later and test it out on my end.
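The Graph-based approach this thread is working towards, as an added example that is not code from either poster: it resolves the existing folder as a driveItem by path (Get-MgUserDriveListItem returns SharePoint list items, whose id is a different identifier from the driveItem id that /invite expects, which is one common reason the invite call fails), addresses the group by objectId as the driverecipient page linked above describes for groups that are not mail-enabled, sends the invite through the same /drives/{drive-id}/items/{item-id}/invite endpoint the SDK cmdlet wraps, and then reads the folder's permissions back to confirm the grant. The angle-bracket values (app id, tenant id, certificate thumbprint, user UPN, group object id) are placeholders to fill in; the invite call needs Files.ReadWrite.All as an application permission, so none of the directory or role-management permissions in the list above are required for this task.

```powershell
# Added example, not code from either poster in this thread. Angle-bracket values are placeholders.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Files

# App-only sign-in with a certificate. Files.ReadWrite.All (application) is all the calls below need.
Connect-MgGraph -ClientId "<app-id>" -TenantId "<tenant-id>" -CertificateThumbprint "<cert-thumbprint>"

$userUPN    = "<user@contoso.com>"            # owner of the OneDrive (placeholder)
$folderName = "myFolder"                      # existing folder directly under the drive root
$groupId    = "<security-group-object-id>"    # Entra ID object id of the security group (placeholder)
$graph      = "https://graph.microsoft.com/v1.0"

# 1. Resolve the folder as a driveItem by path. The id returned here is what /invite expects;
#    a list-item id from Get-MgUserDriveListItem is not a driveItem id. A missing folder throws (404).
$folder = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$userUPN/drive/root:/$folderName"
if (-not $folder.ContainsKey('folder')) { throw "'$folderName' exists but is not a folder" }
$driveId = $folder.parentReference.driveId
$itemId  = $folder.id

# 2. Send the invite. A group that is not mail-enabled is addressed by objectId rather than email.
$body = @{
    recipients                 = @( @{ objectId = $groupId } )
    roles                      = @( "write" )
    requireSignIn              = $true
    sendInvitation             = $false        # $true also e-mails the recipients
    retainInheritedPermissions = $true
    message                    = "Access granted to $folderName"
}
try {
    # The same body can be passed as -BodyParameter to Invoke-MgInviteDriveItem -DriveId $driveId -DriveItemId $itemId
    $invite = Invoke-MgGraphRequest -Method POST -Uri "$graph/drives/$driveId/items/$itemId/invite" -Body $body
} catch {
    # Graph returns a JSON error body; surface it instead of only the generic HTTP status.
    Write-Error ("invite failed: " + $_.ErrorDetails.Message)
    throw
}

# 3. Verify: read the folder's permissions back and confirm the group now holds "write".
$perms   = Invoke-MgGraphRequest -Method GET -Uri "$graph/drives/$driveId/items/$itemId/permissions"
$granted = @($perms.value | Where-Object {
    $_.grantedToV2 -and $_.grantedToV2.group -and
    $_.grantedToV2.group.id -eq $groupId -and ($_.roles -contains "write")
})
if ($granted.Count -eq 0) { throw "group $groupId does not have write on $folderName" }
"$($granted[0].grantedToV2.group.displayName): $($granted[0].roles -join ',')"
```

Step 3 is the check worth keeping: an invite that returns 200 but lands on the wrong item, or on a user instead of the group, is only visible by reading the item's permissions back. Run the same GET before the invite to see what the folder already inherits from the drive root, since retainInheritedPermissions = $true keeps all of it.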