Add an Azure AD Security Group to sub webs under root site with PowerShell

I have been knocking up a small PowerShell script to assign a security group to all sub webs with unique permissions under a root site. Building a list of sub web URLs is straightforward. However, I have looked through the various PnP or SharePoint Online commands, but still can't see how I can add either the security group, say with "Full control" permissions, or simply add the security group as a member of the web owners group.

I think we could do this historically with on-premises SharePoint using local AD groups.

1 Reply

@Daniel Westerdale

Bizarrely, after watching the film Fight Club, the answer came really quickly :beaming_face_with_smiling_eyes:.

1) Locate your Azure AD group

$adGroupToAddtoWeb = Get-PnPAzureADGroup -Identity "YOUR_SG_GROUP_NAME"

2) In your foreach loop over the sites you connect to, locate the owner group and then add the above AD group,
but make sure you use the claims login name syntax:


try
{
    # The associated Owners group of the web you are currently connected to with Connect-PnPOnline
    $ownerGroup = Get-PnPGroup -AssociatedOwnerGroup

    # A security group has to be referenced by its claims-encoded login name: c:0t.c|tenant|<object id>
    Add-PnPGroupMember -LoginName ("c:0t.c|tenant|" + $adGroupToAddtoWeb.Id.ToString()) -Group $ownerGroup

    # write output
    $message = 'your chosen SG now added to Owners group'
}
catch {
    $message = 'AD group not added'
    Write-Error $Error[0]
}

Hope someone finds this useful.
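Putting the two steps above together into one script, as an added example rather than the poster's own code: it enumerates the sub webs under a root site, keeps only those that do not inherit permissions, and adds the security group to each web's Owners group, skipping webs where it is already a member so the script can be re-run safely. It assumes PnP.PowerShell (Connect-PnPOnline, Get-PnPSubWeb, Get-PnPProperty, Get-PnPGroup, Get-PnPGroupMember, Add-PnPGroupMember) and that the signed-in account can manage permissions on those webs; the parameter names and the example URL are my own placeholders.

```powershell
# Added example (not the original poster's script): add one Azure AD security group
# to the Owners group of every sub web with unique permissions under a root site.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Placeholder, e.g. https://contoso.sharepoint.com/sites/root
    [Parameter(Mandatory)] [string] $RootSiteUrl,
    # Display name of the Azure AD security group
    [Parameter(Mandatory)] [string] $SecurityGroupName
)

Connect-PnPOnline -Url $RootSiteUrl -Interactive

# Step 1: resolve the group once at the root; the object id is what the claim needs.
$adGroup = Get-PnPAzureADGroup -Identity $SecurityGroupName
if (-not $adGroup) { throw "Azure AD group '$SecurityGroupName' not found" }
$loginName = "c:0t.c|tenant|" + $adGroup.Id.ToString()

# Collect all sub webs, then keep only those that break permission inheritance.
$subWebs = @(Get-PnPSubWeb -Recurse)
$uniqueWebs = @(foreach ($web in $subWebs) {
    $hasUnique = Get-PnPProperty -ClientObject $web -Property HasUniqueRoleAssignments
    if ($hasUnique) { $web }
})
Write-Host ("{0} sub webs found, {1} with unique permissions" -f $subWebs.Count, $uniqueWebs.Count)

$results = foreach ($web in $uniqueWebs) {
    try {
        # Step 2: every web has its own associated Owners group, so connect to the web itself.
        Connect-PnPOnline -Url $web.Url -Interactive
        $ownerGroup = Get-PnPGroup -AssociatedOwnerGroup

        # Skip webs where the group is already a member, so re-runs change nothing.
        $already = Get-PnPGroupMember -Group $ownerGroup |
                   Where-Object { $_.LoginName -eq $loginName }
        if ($already) {
            [pscustomobject]@{ Url = $web.Url; Status = 'AlreadyMember' }
            continue
        }

        # Running the script with -WhatIf reports the change without making it.
        if ($PSCmdlet.ShouldProcess($web.Url, "Add '$SecurityGroupName' to $($ownerGroup.Title)")) {
            Add-PnPGroupMember -LoginName $loginName -Group $ownerGroup
            [pscustomobject]@{ Url = $web.Url; Status = 'Added' }
        }
        else {
            [pscustomobject]@{ Url = $web.Url; Status = 'Skipped (WhatIf)' }
        }
    }
    catch {
        Write-Error "Failed on $($web.Url): $($_.Exception.Message)"
        [pscustomobject]@{ Url = $web.Url; Status = 'Failed' }
    }
}

# One line per web, so the run leaves an auditable record of what was changed.
$results | Format-Table -AutoSize
```

Run it first with -WhatIf to see which webs would be touched. Membership of the Owners group is Full Control on that web; if a lower permission level is all the group needs, the same claims login name can be granted a role directly with Set-PnPWebPermission -User $loginName -AddRole 'Edit' instead of adding it to Owners.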