Forum Discussion

ShaneGibson's avatar
ShaneGibson
Copper Contributor
Sep 28, 2023
Solved

Microsoft Graph PowerShell SDK Module OneDrive Folder Permissions Assignment

As an M365 Global Admin, I have been tasked with creating a new folder in other users OneDrive root folder (Documents) we can call that folder 'myFolder', then I need to assign a Microsoft Azure Secu...
admin
api
Authentication
Azure AD
Identity
microsoft 365 admin center
Microsoft 365 Groups
Microsoft Graph
onedrive
powershell
  • Tristan999's avatar
    Tristan999
    Oct 06, 2023

    It would be helpful if you posted some code snippets for the Graph request.

    I am not sure if you are stuck with Microsoft Graph PowerShell, but I was able to do what you needed to do with PnP PowerShell:

    $url = "<ONEDRIVEURL>"
    Connect-PnPOnline -Url $url -Interactive
    $oneDriveDefaultListName = "Documents"
    $folderToCreate = "myFolder"
    $securityGroupToAdd = "Group1"
    $permission = "Contribute"
    Add-PnPFolder -Name $folderToCreate -Folder $oneDriveDefaultListName
    Set-PnPFolderPermission -List $oneDriveDefaultListName -Identity "$oneDriveDefaultListName/$folderToCreate" -User $securityGroupToAdd -AddRole $permission

    If you are stuck with Graph API (and Azure Security Groups), maybe take a look at these links:

     

    Send an invite to access an item - Microsoft Graph v1.0 | Microsoft Learn


    https://learn.microsoft.com/en-us/graph/api/resources/driverecipient?view=graph-rest-1.0#properties

Tristan999's avatar
Tristan999
Iron Contributor
Oct 06, 2023

It would be helpful if you posted some code snippets for the Graph request.

I am not sure if you are stuck with Microsoft Graph PowerShell, but I was able to do what you needed to do with PnP PowerShell:

$url = "<ONEDRIVEURL>"
Connect-PnPOnline -Url $url -Interactive
$oneDriveDefaultListName = "Documents"
$folderToCreate = "myFolder"
$securityGroupToAdd = "Group1"
$permission = "Contribute"
Add-PnPFolder -Name $folderToCreate -Folder $oneDriveDefaultListName
Set-PnPFolderPermission -List $oneDriveDefaultListName -Identity "$oneDriveDefaultListName/$folderToCreate" -User $securityGroupToAdd -AddRole $permission

If you are stuck with Graph API (and Azure Security Groups), maybe take a look at these links:

 

Send an invite to access an item - Microsoft Graph v1.0 | Microsoft Learn


https://learn.microsoft.com/en-us/graph/api/resources/driverecipient?view=graph-rest-1.0#properties

ShaneGibson's avatar
ShaneGibson
Copper Contributor
Oct 19, 2023

In the PnP Online code example, I had a question for the $securityGroupToAdd = "Group1" parameter, was this an AzureAD classic security group, a Microsoft 365 security group, or a SharePoint Site Collection Security Group?

I used the script above for one project they are wanting to adapt it to add an AzureAD classic security group that has no email, so just curious if you got that to work or not because my attempts fail and there is no -group attribute on Set-PnPFolderPermission function.

Thanks again for all your help!

  • Tristan999's avatar
    Tristan999
    Iron Contributor
    Oct 20, 2023
    Group1 is an Azure AD Security Group (in all the examples). The Set-PnPFolderPermission User parameter does not distinguish between an Azure Security Group and a user (email address removed for privacy reasons). I haven't tried using a SharePoint group with that command, but according to the documentation here https://pnp.github.io/powershell/cmdlets/Set-PnPFolderPermission.html, the -Group parameter seems to be used if you want assign permissions to a SharePoint group.

    FYI. In the case, of the Graph example, even though the group was not mail-enabled, the group members still received emails since those accounts have emails tied to them.

    Hopefully that helps!

Resources