Forum Discussion

Fromelard
Iron Contributor
Mar 30, 2017

Office 365: Add accounts into the Site collection administrators list via PowerShell and CSOM

To add accounts (group or User) into the SPO Site collection admin via code, there are 2 possible solutions:

 

Via PowerShell and SPO Admin

Really simple case ideal for one shot action, you need to know the exact User/group ID of the SPO account:

 

Set-SPOUser -Site https://tenant.sharepoint.com/sites/MyCollection -IsSiteCollectionAdmin $true -LoginName "c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-1111"

Via PowerShell and CSOM

This script is more generic and can be added into a provisioning script you will have to use for your own needs:

 

[string]$username = "AdminAccount@tenant.onmicrosoft.com" 
[string]$PwdTXTPath = "D:\ExportedPWD-$($username).txt" 
[string]$SPOSiteCollectionURLToSet = "https://tenant.sharepoint.com/sites/MyCollection"

#c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-1111 - Company Administrator 
[string]$CompanyAdministratorLogin = "c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-1111"

# c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-22222- SharePoint Service Administrator 
[string]$SharePointServiceAdministratorLogin = "c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-22222"

function Load-DLLandAssemblies 
{ 
    [string]$defaultDLLPath = ""

    # Load assemblies to PowerShell session

    $defaultDLLPath = "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.dll" 
    [System.Reflection.Assembly]::LoadFile($defaultDLLPath)

    $defaultDLLPath = "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.Runtime.dll"
    [System.Reflection.Assembly]::LoadFile($defaultDLLPath)

    $defaultDLLPath = "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.Online.SharePoint.Client.Tenant.dll"
    [System.Reflection.Assembly]::LoadFile($defaultDLLPath) 
}


Function Add-Group-In-SiteCollectionAdmin() 
{ 
    Param( 
        [Parameter(Mandatory=$true,Position=1)][Microsoft.SharePoint.Client.ClientContext]$Context, 
        [Parameter(Mandatory=$true,Position=2)][string]$SPUserOrGroupLogin 
    ) 
    Write-Host " ---------------------------------------------------------"

    $MyspUser = $Context.Web.EnsureUser($SPUserOrGroupLogin); 
    $MyspUser.IsSiteAdmin = $true; 
    $MyspUser.Update() 
    $Context.Load($MyspUser) 
    #send the request containing all operations to the server 
    try{ 
        $context.executeQuery() 
        write-host " >>> info: User or Group Name added in Site Collection admin: [$($MyspUser.Title)]" -foregroundcolor green 
    } 
    catch{ 
        write-host "info: $($_.Exception.Message)" -foregroundcolor red 
    }

    Write-Host " ---------------------------------------------------------" 
}

function SetGroupAsAdministrator([string]$MyRootWebURL) 
{ 
    [bool]$CreateSGSDocLibList = $false 
    
    $Myctx = New-Object Microsoft.SharePoint.Client.ClientContext($MyRootWebURL) 
    $secureStringPwd = ConvertTo-SecureString -string (Get-Content $PwdTXTPath) 
    $creds = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $secureStringPwd 
    $Myctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($creds.UserName,$creds.Password)
    $Myctx.RequestTimeout = 1000000 # milliseconds 
    $MyspoRootweb = $Myctx.Web 
    $Myctx.Load($MyspoRootweb) 
    $Myctx.ExecuteQuery()

    Write-Host " " 
    Write-Host " ---------------------------------------------------------" 
    Write-Host "  >>>> # Server Version:" $Myctx.ServerVersion " # <<<<<<" -ForegroundColor Green 
    Write-Host " ---------------------------------------------------------" 
    Write-Host " "

    Add-Group-In-SiteCollectionAdmin -Context $Myctx -SPUserOrGroupLogin $CompanyAdministratorLogin 
    Add-Group-In-SiteCollectionAdmin -Context $Myctx -SPUserOrGroupLogin $SharePointServiceAdministratorLogin

} 
cls 
Load-DLLandAssemblies

SetGroupAsAdministrator $SPOSiteCollectionURLToSet

Fabrice Romelard [MVP]

 

Original article (in French):

 

Associated WebPages:

9 Replies

  • Fromelard This method fails for me with the error "The user does not exist or is not unique". Same with Set-PnPTenantSite and Set-SPOUser as suggested by Mikael Svenson. I tested this on two tenants, one that automatically assigns these roles as site admins for new sites and one that doesn't, and the behavior is the same.

     

    Example code:

     

    Connect-PnPOnline https://contoso-admin.sharepoint.com
    Set-PnPTenantSite -Url https://contoso.sharepoint.com/project -Owners "c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-1111"

     

    • Fromelard
      Iron Contributor

      Gabriel Smoljar 

      Sorry for that, but as you can see, that publication was created a long time ago.

      > Microsoft is changing the way SharePoint is managed, and CSOM is probably no longer the best approach to manage administrative permissions.

      > Site Collection administrator is also now out of vision defined with TEAMS

       

      So all that strategic change defined by Microsoft over the years could explain why this kind of command/script/code may not be usable anymore.

       

      Can you check with PnP instead of ?

       

      Sorry for that

      Fab

      • Gabriel Smoljar
        Brass Contributor

        Fromelard 

         

        I did some digging and found that the login names are no longer applicable. Now they are in the form "c:0t.c|tenant|32e1b7a8-foob-are8-8fb7-827c407110c0" where the GUID at the end is the object id of the directory role you want to add. You can find these using the Get-AzureADDirectoryRole PowerShell command. They are different for each tenancy unfortunately.
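
The login format described in this reply, as an added example that is not part of the original thread: it builds the `c:0t.c|tenant|<objectId>` login from directory role object ids and then checks a site's admin list against that allow-list. The function names, GUIDs and user records are constructed for illustration; the commented lines show where `Get-AzureADDirectoryRole` and `Get-SPOUser` output would be substituted.

```powershell
# Added example: helper names and all sample data below are hypothetical/constructed.

function ConvertTo-RoleClaimLogin {
    # Build the "c:0t.c|tenant|<objectId>" login from a directory role object id.
    param([Parameter(Mandatory)][string]$RoleObjectId)
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($RoleObjectId, [ref]$guid)) {
        throw "Not a valid directory role object id: $RoleObjectId"
    }
    "c:0t.c|tenant|$($guid.ToString('D'))"
}

function Get-UnexpectedSiteAdmin {
    # Return site collection admins whose login is not on the allow-list.
    param(
        [Parameter(Mandatory)][object[]]$SiteUsers,    # objects with LoginName / IsSiteAdmin
        [Parameter(Mandatory)][string[]]$AllowedLogins
    )
    $SiteUsers | Where-Object { $_.IsSiteAdmin -and ($AllowedLogins -notcontains $_.LoginName) }
}

# Constructed sample data standing in for the live calls:
#   $roles = Get-AzureADDirectoryRole
#   $users = Get-SPOUser -Site https://tenant.sharepoint.com/sites/MyCollection -Limit All
# Role display names are taken from the comments in the original script (assumption:
# they match what the tenant returns).
$roles = @(
    [pscustomobject]@{ DisplayName = 'Company Administrator';            ObjectId = '11111111-2222-3333-4444-555555555555' }
    [pscustomobject]@{ DisplayName = 'SharePoint Service Administrator'; ObjectId = '66666666-7777-8888-9999-000000000000' }
)
$allowed = $roles | ForEach-Object { ConvertTo-RoleClaimLogin $_.ObjectId }

$users = @(
    [pscustomobject]@{ LoginName = $allowed[0]; IsSiteAdmin = $true }
    [pscustomobject]@{ LoginName = 'i:0#.f|membership|former.contractor@tenant.onmicrosoft.com'; IsSiteAdmin = $true }
    [pscustomobject]@{ LoginName = 'i:0#.f|membership|reader@tenant.onmicrosoft.com'; IsSiteAdmin = $false }
)

# Grant step against a live tenant (cmdlet and parameters as used in the original post):
#   $allowed | ForEach-Object {
#       Set-SPOUser -Site https://tenant.sharepoint.com/sites/MyCollection -LoginName $_ -IsSiteCollectionAdmin $true
#   }

# Audit step: list admins that are not one of the expected role claims.
Get-UnexpectedSiteAdmin -SiteUsers $users -AllowedLogins $allowed |
    Select-Object LoginName
```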

  • Harsha S
    Copper Contributor

    Is it possible to retrieve the Group ID using CSOM? I don't find any attribute in the Group class for the same. There is an id attribute; however, it is just a number.

    • Mikael Svenson
      Iron Contributor
      If you get the Site object of the site, you can then get the group id from the .GroupId property.

      var site = context.Site;
      context.Load(site, s=>s.GroupId);
      context.ExecuteQuery();
    • Fromelard
      Iron Contributor
      Thanks for this comment
      It's another way, but from my side I prefer to be close to the CSOM object model
      Fab
      • Mikael Svenson
        Iron Contributor
        Anything PnP is close to the model, as it uses CSOM...just removes plumbing for you in many scenarios with extension methods.
