How to Add Administrator and Grant Permission to Service Applications using PowerShell?

By default, the Farm Administrators group has the right to manage all service applications. Often, you may need to add administrators or grant permissions to SharePoint service applications, for example when:

  • You want to delegate service application administration to other users.
  • The SharePoint farm admin account isn’t added as a service application administrator or does not have permission to access the service application.

SharePoint allows us to delegate permissions and distribute the administration of service applications to multiple users by granting access as either Service Application Administrator or Feature Administrator. These service application administrators cannot create or delete any service application, but they can perform actions within their service application that don’t affect the farm. For example, a Search service application administrator can make any change to the search service application, but cannot make changes to the search topology.

How to Add Service Application Administrator in SharePoint 2016?

To add a Service Application administrator, navigate to:

  1. SharePoint 2016 Central Admin >> Manage Service Applications.
  2. Select the target service application from the list of available Service Applications, such as “Managed Metadata service application”, by clicking the respective row.
  3. In the Ribbon, click on the “Administrators” button. Enter the user name you wish to have admin rights to the SharePoint service application >> Click the “Add” button.
  4. From the permissions section, select “Full Control”. Commit your changes by clicking the OK button.
  5. Similarly, to add permissions, click on the “Permissions” button in the ribbon, enter the user, and add the appropriate permission for the user.

The same steps apply to adding SharePoint 2013 search service application administrators or user profile service application administrators. Once added, these delegated service application administrators can configure settings for a specific service application in a farm. However, these administrators cannot create new service applications or perform farm-level operations, including topology changes.

When these permission delegations have to be repeated, let’s use PowerShell to add administrators and grant permissions to service applications, for example the Managed Metadata Service Application.

PowerShell to Add Service Application Administrator 

Here is the PowerShell to add an Administrator to a service application in SharePoint:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Variables
$ServiceAppName="Managed Metadata Service Application"
$UserAccount="Crescent\Salaudeen"
$AccessRights = "Full Control"

#Get the service application
$ServiceApp = Get-SPServiceApplication -Name $ServiceAppName
#Convert user account to claims
$UserPrincipal = New-SPClaimsPrincipal -Identity $UserAccount -IdentityType WindowsSamAccountName

#Get the Service Application Security collection
$ServiceAppSecurity = Get-SPServiceApplicationSecurity $ServiceApp -Admin
#Add user & rights to the collection
Grant-SPObjectSecurity $ServiceAppSecurity -Principal $UserPrincipal -Rights $AccessRights

#Apply the Security changes
Set-SPServiceApplicationSecurity $ServiceApp $ServiceAppSecurity -Admin 

Add Permission to a Service Application using PowerShell

How about granting permission to service applications? Granting a subset of permissions in any service application is also possible. The code is similar to the script for adding an administrator, except that the “-Admin” switch is omitted. Here is an example:

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Variables
$ServiceAppName="Managed Metadata Service Application"
$UserAccount="Crescent\Salaudeen"
$AccessRights = "Full Access to Term Store"

#Get the service application
$ServiceApp = Get-SPServiceApplication -Name $ServiceAppName
#Convert user account to claims
$UserPrincipal = New-SPClaimsPrincipal -Identity $UserAccount -IdentityType WindowsSamAccountName

#Get the Service Application Security collection
$ServiceAppSecurity = Get-SPServiceApplicationSecurity $ServiceApp
#Add user & rights to the collection
Grant-SPObjectSecurity $ServiceAppSecurity -Principal $UserPrincipal -Rights $AccessRights

#Apply the Security changes
Set-SPServiceApplicationSecurity $ServiceApp $ServiceAppSecurity

Add User Profile Service Application Administrator and Grant Permissions

Let’s combine both scripts by adding administrator and setting permission to the user profile service application in SharePoint 2016 to avoid the “No User Profile Application available to service the request. Contact your farm administrator.” error.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

#Configuration Variables
$UserAccount="Crescent\Salaudeen"
$AccessRights = "Full Control"

#Convert user account to claims
$UserPrincipal = New-SPClaimsPrincipal -Identity $UserAccount -IdentityType WindowsSamAccountName

#Get the user profile service application
$ServiceApp =  Get-SPServiceApplication | ? { $_.TypeName -eq "User Profile Service Application" }

Write-host "Adding Administrator to User Profile Service Application..."
#Get the Service Application Administrators Security collection
$ServiceAppAdmins = Get-SPServiceApplicationSecurity $ServiceApp -Admin

#Add user to the collection
Grant-SPObjectSecurity $ServiceAppAdmins -Principal $UserPrincipal -Rights $AccessRights

#Apply the new Security to service application
Set-SPServiceApplicationSecurity $ServiceApp $ServiceAppAdmins -Admin

Write-host "Granting permission to User Profile Service Application..."
#Get the Service Application Permissions Security collection
$ServiceAppPermission = Get-SPServiceApplicationSecurity $ServiceApp

#Add user & rights to the collection
Grant-SPObjectSecurity $ServiceAppPermission -Principal $UserPrincipal -Rights $AccessRights

#Apply the Security changes
Set-SPServiceApplicationSecurity $ServiceApp $ServiceAppPermission
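
Once accounts have been delegated this way, it helps to be able to review and withdraw those grants. The following is an added example, not part of the original scripts: it reports every principal on the Administrators and Permissions lists of each service application and removes an account from both. The function names and CSV path are hypothetical, and it assumes the returned security object exposes AccessRules entries with Name and AllowedRights properties.

```powershell
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Hypothetical helper: list every principal on a service application's
# Administrators ACL (-Admin) and on its Permissions ACL.
function Get-ServiceAppDelegation {
    param([Parameter(Mandatory)] $ServiceApp)

    foreach ($Scope in "Administrators", "Permissions") {
        try {
            $Security = if ($Scope -eq "Administrators") {
                Get-SPServiceApplicationSecurity $ServiceApp -Admin -ErrorAction Stop
            } else {
                Get-SPServiceApplicationSecurity $ServiceApp -ErrorAction Stop
            }
        } catch { continue }   # skip service applications that return no ACL for this scope

        # Assumption: each access rule exposes Name and AllowedRights
        foreach ($Rule in $Security.AccessRules) {
            [PSCustomObject]@{
                ServiceApplication = $ServiceApp.DisplayName
                Scope              = $Scope
                Principal          = $Rule.Name
                Rights             = $Rule.AllowedRights
            }
        }
    }
}

# Hypothetical helper: remove a delegated account from both ACLs.
function Remove-ServiceAppDelegation {
    param([Parameter(Mandatory)] $ServiceApp, [Parameter(Mandatory)] [string] $UserAccount)
    $Principal = New-SPClaimsPrincipal -Identity $UserAccount -IdentityType WindowsSamAccountName

    # Administrators list
    $Admins = Get-SPServiceApplicationSecurity $ServiceApp -Admin
    Revoke-SPObjectSecurity $Admins -Principal $Principal
    Set-SPServiceApplicationSecurity $ServiceApp $Admins -Admin

    # Permissions list
    $Permissions = Get-SPServiceApplicationSecurity $ServiceApp
    Revoke-SPObjectSecurity $Permissions -Principal $Principal
    Set-SPServiceApplicationSecurity $ServiceApp $Permissions
}

# Report current delegations farm-wide and export them for review
Get-SPServiceApplication | ForEach-Object { Get-ServiceAppDelegation $_ } |
    Export-Csv -Path "ServiceAppDelegations.csv" -NoTypeInformation
```

To withdraw a grant, pass the service application object and the account, for example `Remove-ServiceAppDelegation $ServiceApp "Crescent\Salaudeen"`.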

Salaudeen Rajack

Salaudeen Rajack is an Information Technology expert with two decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions, including SharePoint Architect, Administrator, Developer and Consultant, and has helped many organizations implement and optimize SharePoint solutions. Known for his deep technical expertise, he is passionate about sharing knowledge and insights to help others through real-world articles.
