Mar 30 2017 04:00 AM
To add accounts (group or user) to the SPO site collection admins via code, there are 2 possible solutions:
Via PowerShell and SPO Admin
A really simple case, ideal for a one-shot action; you need to know the exact user/group ID of the SPO account:
```powershell
Set-SPOUser -Site https://tenant.sharepoint.com/sites/MyCollection -IsSiteCollectionAdmin $true -LoginName "c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-1111"
```
Via PowerShell and CSOM
This script is more generic and can be added to a provisioning script that you adapt to your own needs:
```powershell
[string]$username = "AdminAccount@tenant.onmicrosoft.com"
# File holding the password as an encrypted string (output of ConvertFrom-SecureString)
[string]$PwdTXTPath = "D:\ExportedPWD-$($username).txt"
[string]$SPOSiteCollectionURLToSet = "https://tenant.sharepoint.com/sites/MyCollection"

# c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-1111 - Company Administrator
[string]$CompanyAdministratorLogin = "c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-1111"
# c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-22222 - SharePoint Service Administrator
[string]$SharePointServiceAdministratorLogin = "c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-22222"

function Load-DLLandAssemblies
{
    [string]$defaultDLLPath = ""

    # Load the CSOM assemblies into the PowerShell session
    $defaultDLLPath = "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.dll"
    [System.Reflection.Assembly]::LoadFile($defaultDLLPath)

    $defaultDLLPath = "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.SharePoint.Client.Runtime.dll"
    [System.Reflection.Assembly]::LoadFile($defaultDLLPath)

    $defaultDLLPath = "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.Online.SharePoint.Client.Tenant.dll"
    [System.Reflection.Assembly]::LoadFile($defaultDLLPath)
}

Function Add-Group-In-SiteCollectionAdmin()
{
    Param(
        [Parameter(Mandatory=$true,Position=1)][Microsoft.SharePoint.Client.ClientContext]$Context,
        [Parameter(Mandatory=$true,Position=2)][string]$SPUserOrGroupLogin
    )

    Write-Host " ---------------------------------------------------------"

    # Resolve the login name on the site, then flag it as site collection admin
    $MyspUser = $Context.Web.EnsureUser($SPUserOrGroupLogin)
    $MyspUser.IsSiteAdmin = $true
    $MyspUser.Update()
    $Context.Load($MyspUser)

    # Send the request containing all operations to the server
    try {
        $Context.ExecuteQuery()
        Write-Host " >>> info: User or Group Name added in Site Collection admin: [$($MyspUser.Title)]" -ForegroundColor Green
    }
    catch {
        Write-Host "info: $($_.Exception.Message)" -ForegroundColor Red
    }

    Write-Host " ---------------------------------------------------------"
}

function SetGroupAsAdministrator([string]$MyRootWebURL)
{
    [bool]$CreateSGSDocLibList = $false

    $Myctx = New-Object Microsoft.SharePoint.Client.ClientContext($MyRootWebURL)

    # Rebuild the credential from the encrypted password file
    $secureStringPwd = ConvertTo-SecureString -String (Get-Content $PwdTXTPath)
    $creds = New-Object System.Management.Automation.PSCredential -ArgumentList $username, $secureStringPwd
    $Myctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($creds.UserName, $creds.Password)
    $Myctx.RequestTimeout = 1000000 # milliseconds

    $MyspoRootweb = $Myctx.Web
    $Myctx.Load($MyspoRootweb)
    $Myctx.ExecuteQuery()

    Write-Host " "
    Write-Host " ---------------------------------------------------------"
    Write-Host " >>>> # Server Version:" $Myctx.ServerVersion " # <<<<<<" -ForegroundColor Green
    Write-Host " ---------------------------------------------------------"
    Write-Host " "

    Add-Group-In-SiteCollectionAdmin -Context $Myctx -SPUserOrGroupLogin $CompanyAdministratorLogin
    Add-Group-In-SiteCollectionAdmin -Context $Myctx -SPUserOrGroupLogin $SharePointServiceAdministratorLogin
}

cls
Load-DLLandAssemblies
SetGroupAsAdministrator $SPOSiteCollectionURLToSet
```
Fabrice Romelard [MVP]
Original article (in French):
Associated WebPages:
Mar 31 2017 10:10 AM
Apr 02 2017 03:17 AM
Apr 02 2017 05:47 AM
Apr 02 2017 08:26 AM
Mar 26 2018 04:13 AM
Is it possible to retrieve the Group ID using CSOM? I don't find any attribute in the Group class for the same. There is an id attribute; however, it is just a number.
Mar 26 2018 04:23 AM
Jan 09 2020 02:07 AM - edited Jan 10 2020 12:05 AM
@Fabrice Romelard This method fails for me with the error "The user does not exist or is not unique". Same with Set-PnPTenantSite and Set-SPOUser as suggested by @Mikael Svenson. I tested this on two tenants, one that automatically assigns these roles as site admins for new sites and one that doesn't, and the behavior is the same.
Example code:
```powershell
Connect-PnPOnline https://contoso-admin.sharepoint.com
Set-PnPTenantSite -Url https://contoso.sharepoint.com/project -Owners "c:0-.f|rolemanager|s-1-1-11-11111111-111111-111111-1111"
```
Jan 09 2020 07:50 AM
Sorry for that, but as you can see, that publication was created a long time ago.
> Microsoft is changing the way SharePoint is managed, and CSOM is probably no longer the best approach to manage administrative permissions.
> Site Collection administrator is also now out of vision defined with TEAMS
So all these strategic changes made by Microsoft over the years could explain why this kind of command/script/code may no longer be usable.
Can you check with PnP instead?
Sorry for that
Fab
Jan 17 2020 01:39 AM
I did some digging and found that the login names are no longer applicable. Now they are in the form "c:0t.c|tenant|32e1b7a8-foob-are8-8fb7-827c407110c0" where the GUID at the end is the object id of the directory role you want to add. You can find these using the Get-AzureADDirectoryRole PowerShell command. They are different for each tenancy, unfortunately.
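Added example, not code from any poster in this thread: one way to apply the finding above is to look up the directory role's object id at run time, build the `c:0t.c|tenant|<object id>` login name from it, and read the result back after the change. The function name `Add-DirectoryRoleAsSiteCollectionAdmin`, the admin URL and the role display name are assumptions for illustration; check the output of `Get-AzureADDirectoryRole` for the names used in your tenant.

```powershell
# Assumes the AzureAD and SharePoint Online Management Shell modules are installed.
function Add-DirectoryRoleAsSiteCollectionAdmin {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$SiteUrl,
        [Parameter(Mandatory = $true)][string]$RoleDisplayName
    )

    # Only activated directory roles are returned; require one exact match.
    $role = @(Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName })
    if ($role.Count -ne 1) {
        throw "Expected exactly one directory role named '$RoleDisplayName', found $($role.Count)."
    }

    # Refuse to build a claim from anything that is not a well-formed GUID.
    $objectId = [guid]::Empty
    if (-not [guid]::TryParse($role[0].ObjectId, [ref]$objectId)) {
        throw "Role object id '$($role[0].ObjectId)' is not a GUID."
    }

    # Claim format reported in the thread: c:0t.c|tenant|<directory role object id>
    $loginName = "c:0t.c|tenant|$objectId"

    $action = "Grant site collection admin to '$RoleDisplayName' ($loginName)"
    if ($PSCmdlet.ShouldProcess($SiteUrl, $action)) {
        Set-SPOUser -Site $SiteUrl -LoginName $loginName -IsSiteCollectionAdmin $true | Out-Null

        # Read the entry back so a silent failure does not go unnoticed.
        $check = Get-SPOUser -Site $SiteUrl -LoginName $loginName
        if (-not $check.IsSiteAdmin) {
            throw "'$loginName' is not flagged as site collection admin on $SiteUrl."
        }
        return $check
    }
}

# Placeholder tenant URLs and role name; -WhatIf previews the change without applying it.
Connect-AzureAD | Out-Null
Connect-SPOService -Url 'https://tenant-admin.sharepoint.com'
Add-DirectoryRoleAsSiteCollectionAdmin `
    -SiteUrl 'https://tenant.sharepoint.com/sites/MyCollection' `
    -RoleDisplayName 'SharePoint Service Administrator' -WhatIf
```

Because the object id is resolved per tenant at run time, the same script can be reused across tenancies without hard-coding a login name.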