Forum Discussion
Block owners in OneDrive
Every OneDrive for Business site is actually a SharePoint site collection provisioned for a user.
By default:
- The user is the site collection admin (owner).
- Global/SharePoint admins can also grant themselves access (that’s by design for compliance and recovery).
There is no way to stop global admins from assigning themselves permissions — Microsoft designed it that way.
What you can control?
- Default Ownership
- The OneDrive is automatically owned by the user who the license belongs to.
- No other “owner” is added unless done manually by an admin.
- Sharing Policies
- In the Microsoft 365 admin center → SharePoint admin center → Sharing policies, you can control:
- Who can share externally.
- Whether sharing is allowed with specific people/groups.
- Prevent others from granting access that would elevate someone effectively to “co-owner.”
- Prevent Admin Delegation
- Normal users (non-admins) cannot make themselves owners of someone else’s OneDrive.
- Only admins can elevate permissions.
- You can audit this in the Microsoft Purview audit log.
- Policies You Can Apply
- Block adding additional site collection admins automatically via PowerShell
You cannot completely stop global/SharePoint admins from taking ownership if needed. That’s a safeguard for legal, compliance, and recovery scenarios.
Recommended…
- Accept that the user + global admins are always “owners.”
- Use audit logging to detect if an admin adds themselves as an owner.
- Apply sensitivity labels or DLP policies to protect sensitive data, so even if someone gains access, policies control what they can do.
- Consider Customer Key or Double Key Encryption for high-security data.
My answers are voluntary and without guarantee!
Hope this will help you.
Was the answer useful? Mark as best response and like it!
This will help all forum participants.
Every OneDrive for Business site is actually a SharePoint site collection provisioned for a user.
By default:
- The user is the site collection admin (owner).
- Global/SharePoint admins can also grant themselves access (that’s by design for compliance and recovery).
There is no way to stop global admins from assigning themselves permissions — Microsoft designed it that way.
What you can control?
- Default Ownership
- The OneDrive is automatically owned by the user who the license belongs to.
- No other “owner” is added unless done manually by an admin.
- Sharing Policies
- In the Microsoft 365 admin center → SharePoint admin center → Sharing policies, you can control:
- Who can share externally.
- Whether sharing is allowed with specific people/groups.
- Prevent others from granting access that would elevate someone effectively to “co-owner.”
- Prevent Admin Delegation
- Normal users (non-admins) cannot make themselves owners of someone else’s OneDrive.
- Only admins can elevate permissions.
- You can audit this in the Microsoft Purview audit log.
- Policies You Can Apply
- Block adding additional site collection admins automatically via PowerShell
You cannot completely stop global/SharePoint admins from taking ownership if needed. That’s a safeguard for legal, compliance, and recovery scenarios.
Recommended…
- Accept that the user + global admins are always “owners.”
- Use audit logging to detect if an admin adds themselves as an owner.
- Apply sensitivity labels or DLP policies to protect sensitive data, so even if someone gains access, policies control what they can do.
- Consider Customer Key or Double Key Encryption for high-security data.
My answers are voluntary and without guarantee!
Hope this will help you.
Was the answer useful? Mark as best response and like it!
This will help all forum participants.
Thanks for information.
You have helped me a lot to have a clearer understanding of the OneDrive scenario, I really appreciate it.
A question for this comment:
- Block adding additional site collection admins automatically via PowerShell
You have command? to investigate how to do it.
Regards,
Here a working enforcement script (with reporting to CSV) that you can run weekly or on-demand to automatically strip out extra OneDrive admins and keep track of who was removed.
Ensure each OneDrive has only the licensed user as Site Collection Admin.
Removes any additional site collection admins.
Exports a CSV log showing what was changed.
# ====================================================================== # Script: Enforce-OneDriveOwnerOnly.ps1 # Purpose: Ensure only the OneDrive owner is site collection admin # Author: [Nikolino] # ====================================================================== # Connect to SharePoint Online Admin Center $AdminUrl = "https://YOURTENANT-admin.sharepoint.com" # <-- change YOURTENANT Connect-SPOService -Url $AdminUrl # Output CSV log $ReportPath = "C:\OneDriveAdminAudit.csv" $Results = @() # Get all OneDrive sites in the tenant $OneDriveSites = Get-SPOSite -IncludePersonalSite $true -Limit All | Where-Object { $_.Url -like "*-my.sharepoint.com/personal/*" } foreach ($site in $OneDriveSites) { Write-Host "Checking OneDrive: $($site.Url)" -ForegroundColor Cyan # Get current site admins $Admins = Get-SPOUser -Site $site.Url -Limit All | Where-Object { $_.IsSiteAdmin -eq $true } foreach ($admin in $Admins) { # If admin is not the site Owner, remove them if ($admin.LoginName -ne $site.Owner) { try { Write-Host " - Removing admin $($admin.LoginName) from $($site.Url)" -ForegroundColor Yellow Set-SPOUser -Site $site.Url -LoginName $admin.LoginName -IsSiteCollectionAdmin $false -ErrorAction Stop # Log result $Results += [PSCustomObject]@{ SiteUrl = $site.Url Owner = $site.Owner RemovedAdmin = $admin.LoginName Action = "Removed" Timestamp = (Get-Date) } } catch { Write-Host " ! Error removing $($admin.LoginName) from $($site.Url): $_" -ForegroundColor Red $Results += [PSCustomObject]@{ SiteUrl = $site.Url Owner = $site.Owner RemovedAdmin = $admin.LoginName Action = "Error: $($_.Exception.Message)" Timestamp = (Get-Date) } } } } } # Export results to CSV $Results | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8 Write-Host "`n=== Completed. Report saved to $ReportPath ===" -ForegroundColor GreenRun this script as a SharePoint Admin or Global Admin.
This does not stop global admins from re-adding themselves later — Microsoft designed it that way.
You can schedule this script (Task Scheduler / Azure Automation) to enforce regularly.
For compliance, enable audit logs in Microsoft Purview to track admin access.
You can extend this script so it emails you a report after it runs (so you don’t have to manually check the CSV).
I hope I have understood (or translated) your request correctly and that this message will help you🙂.