Forum Discussion
List all Site Collection Admins Powershell
To run cmdlet Get-SPOUser, you must be a SharePoint Online global administrator and a site collection administrator. I am looking for something for which I don't have to grant site collection admin access to my account.
Since the secondary admins are available from SharePoint Admin console, the admin account should at least be able to get them.
Also, we can grant a user site collection admin (using PowerShell) without granting site collection admin access to the admin account. So, I think there should be a way to fetch them without granting site collection admin access to the admin account.
These commands can be run with SharePoint Administrator rights and do not require SiteCollectionAdmin permissions to the site you're modifying. Do not run this as a script -- this is a reference document for you to be able to implement functionality into your application. Use at your own risk and use context to understand what the commands do before you run them.
```powershell
# ONEDRIVE SITE MANAGEMENT
# Assuming you have the SPO/PnP modules installed from MS already, found here:
# https://docs.microsoft.com/en-us/powershell/sharepoint/sharepoint-online/connect-sharepoint-online?view=sharepoint-ps
# https://www.microsoft.com/en-us/download/details.aspx?id=35588
# Uncomment the "Install-Module"s if you haven't already installed the modules in PS after installing them to your machine using the links above.
# Install-Module -Name Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Import-Module -Name Microsoft.Online.SharePoint.PowerShell
# Install-Module SharePointPnPPowerShellOnline -ErrorAction Stop
Import-Module SharePointPnPPowerShellOnline
$365cred = (Get-Credential)

# Get PersonalUrl of a OneDrive site
$upn = 'john.doe@domain.com'
$tenantName = 'domain-admin'
Connect-PnPOnline -Url "https://$($tenantname).sharepoint.com" -Credentials $365Cred
$url = (Get-PnPUserProfileProperty -Account $upn).PersonalUrl
Disconnect-PnPOnline
# or
# Manual override if siteUrl known
# $url = "https://$($tenantname).sharepoint.com/personal/john_doe_domain_com"

# Get information about a OneDrive site incl. SiteCollectionAdmins
# (requires personalUrl)
Connect-SPOService -URL "https://$($tenantname).sharepoint.com" -Credential $365Cred
Get-SPOSite -Identity $url -Detailed | Format-List
Get-SPOUser -Site $url -Limit all | Select-Object DisplayName, LoginName, IsSiteAdmin | Sort-Object IsSiteAdmin, DisplayName | Format-Table -GroupBy IsSiteAdmin -AutoSize

# Add a user to site owner access
Set-SPOUser -Site $url -LoginName "upnOfUserToAdd" -IsSiteCollectionAdmin $true

# Remove a user from site owner access
Set-SPOUser -Site $url -LoginName "upnOfUserToRemove" -IsSiteCollectionAdmin $false
```
- Alex Carlock, Jan 30, 2020, Iron Contributor
bmartin921, Thanks for the details and the thoughts. Unfortunately, I'm in the same boat as @Bhavpreet Bains. The commands work to add and remove Site Collection Admins even if you're not a site collection admin, but they cannot VIEW the existing site collection admins unless you are also a site collection admin.
I'm surprised Microsoft hasn't updated the commands to allow that functionality for Office 365 Global Admins and SharePoint Admins. Another option is for MSFT to build such an audit report into the Office 365 or SharePoint admin sites.
My next option is to write a script that does the following:
- Pull the list of admins
- If I get results, great
- If I get no results add myself as an admin
- Pull the list of admins
- Remove my admin access
It's messy, but it should do the trick.
- Cissong, Dec 10, 2021, Brass Contributor
Hello Alex Carlock, were you able to get a script to get all the sites with site admins?
- Alex Carlock, Dec 10, 2021, Iron Contributor
I only used the script I posted above. I never found or created another script that can do it without temporarily adding admin access and then removing it. It's a little messy, but it works.
- Malgorzata_SITS, Jun 27, 2020, Copper Contributor
Alex Carlock did you manage to get it to work the way you wanted? I'm struggling with the same thing now and **bleep**, this is such a simple and basic thing that it must be somehow available...
- Alex Carlock, Jun 27, 2020, Iron Contributor
Malgorzata_SITS, I ended up doing what I suggested above. That was the only workaround I could come up with.
Here's the last PowerShell script I ended up with (It was quick and dirty, so no warranties, use at your own risk, etc.) You'll need to update "domain" to be your own.

```powershell
# Account that is temporarily granted site collection admin where needed
$username = "$env:username@domain.com"

# All OneDrive (personal) sites in the tenant
$Sites = Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like 'domain-my.sharepoint.com/personal/'"

foreach ($Site in $sites) {
    $URL = $Site.URL

    # First attempt: returns rows only if this account can already read the site's users
    $Admins = Get-SPOUser -Site $URL -Limit all |
        Where IsSiteAdmin -eq $True |
        Select-Object @{Label="Site";Expression={"$URL"}},
            @{Label="AdminName";Expression={$_.DisplayName}},
            @{Label="AdminLogin";Expression={$_.LoginName}},
            @{Label="RemoveNonOwnerAdmin";Expression={
                # For admins other than the OneDrive owner, emit the command that would remove them
                If ($URL.replace("https://domain-my.sharepoint.com/personal/","") -ne $_.LoginName.replace("@","_").replace(".","_")) {
                    "Set-SPOUser -Site $URL -LoginName $($_.LoginName) -IsSiteCollectionAdmin `$False"
                } else {""}
            }}

    if ($Admins) {
        $Admins | export-csv c:\temp\OneDriveAdmins.csv -NoTypeInformation -append -encoding ASCII
    }
    else {
        # No results: add this account as admin, list the other admins, then remove it again
        Set-SPOUser -Site $URL -LoginName $username -IsSiteCollectionAdmin $true
        Get-SPOUser -Site $URL -Limit all |
            Where {$_.IsSiteAdmin -eq $True -and $_.LoginName -ne $username} |
            Select-Object @{Label="Site";Expression={"$URL"}},
                @{Label="AdminName";Expression={$_.DisplayName}},
                @{Label="AdminLogin";Expression={$_.LoginName}},
                @{Label="RemoveNonOwnerAdmin";Expression={
                    If ($URL.replace("https://domain-my.sharepoint.com/personal/","") -ne $_.LoginName.replace("@","_").replace(".","_")) {
                        "Set-SPOUser -Site $URL -LoginName $($_.LoginName) -IsSiteCollectionAdmin `$False"
                    } else {""}
                }} |
            export-csv c:\temp\OneDriveAdmins.csv -NoTypeInformation -append -encoding ASCII
        Set-SPOUser -Site $URL -LoginName $username -IsSiteCollectionAdmin $false
    }
}
```
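A variant of the elevate, list, revoke workaround described in this thread, as an added example that is not part of any poster's script: it wraps the temporary grant in `try`/`finally` so the auditing account is removed as site collection admin even when enumeration fails partway through a site. `$AuditAccount`, `$SiteFilter`, `$OutFile` and the helper `Get-SiteAdminRows` are hypothetical names, and it assumes `Connect-SPOService` has already been run by a SharePoint administrator.

```powershell
# Added example (not from the thread). Placeholder values: replace before use.
$AuditAccount = 'admin@domain.com'
$SiteFilter   = "Url -like 'domain-my.sharepoint.com/personal/'"
$OutFile      = 'C:\temp\SiteAdmins.csv'

function Get-SiteAdminRows {
    param([string]$Url)
    # -ErrorAction Stop makes an access-denied response a catchable exception
    Get-SPOUser -Site $Url -Limit All -ErrorAction Stop |
        Where-Object { $_.IsSiteAdmin } |
        Select-Object @{ Label = 'Site'; Expression = { $Url } }, DisplayName, LoginName
}

$sites = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter $SiteFilter
foreach ($site in $sites) {
    $url      = $site.Url
    $elevated = $false
    try {
        # First attempt without changing any permissions
        try   { $rows = @(Get-SiteAdminRows -Url $url) }
        catch { $rows = @() }   # not readable yet: fall through to elevation

        if ($rows.Count -eq 0) {
            # Flag is set before the call so cleanup runs even if the grant only half-succeeds
            $elevated = $true
            Set-SPOUser -Site $url -LoginName $AuditAccount -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
            # Exclude the temporary grant so the report shows only standing admins
            $rows = @(Get-SiteAdminRows -Url $url | Where-Object { $_.LoginName -ne $AuditAccount })
        }
        $rows | Export-Csv -Path $OutFile -NoTypeInformation -Append -Encoding UTF8
    }
    catch {
        Write-Warning "Could not audit ${url}: $($_.Exception.Message)"
    }
    finally {
        if ($elevated) {
            # Runs whether enumeration succeeded or failed, so the grant does not linger
            Set-SPOUser -Site $url -LoginName $AuditAccount -IsSiteCollectionAdmin $false | Out-Null
        }
    }
}
```

Sites where the auditing account already held site collection admin rights before the run are listed with that account included and are left unchanged.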