SharePoint Online: Set Active Directory Security Group as Site Collection Administrator using PowerShell
Requirement: Add active directory security group to SharePoint Online site collection administrator group.
PowerShell to Add AD Security group as a Site Collection Administrator:
In SharePoint Online, it is possible to assign a security group from Active Directory as the Site Collection Administrator. This allows multiple users to manage the site collection and its content, reducing the burden on individual users and ensuring that there is always someone available to perform administrative tasks. Centralizing the management of all site collection administrators with an Active Directory group is a fair idea to simplify the SharePoint Online administration – So that you don’t have to add individuals to each site in your tenant. Follow these steps to add an Active Directory security group or Microsoft 365 group as a site collection administrator for all sites.
Step 1: Get the AD Security Group’s ID
We need the ID of the AD group first. Use the PowerShell script to retrieve the ID, and make sure you have the Azure AD module installed.
$GroupName = "Opera"
#Connect to Azure AD
Connect-AzureAD -Credential (Get-Credential)
#Get Security Group's SID
Get-AzureADGroup -SearchString $GroupName | Select DisplayName, ObjectId | Format-table
This script gets the IDs of all AD security groups with the given name. Copy the ID for the group.
You can also obtain the Group ID of the Active Directory security group from the Azure AD console.
Step 2: Add Active Directory Group to SharePoint Online Site Collection Administrator’s Group
Now, use this PowerShell script to add the AD group as site collection administrator:
#Variables
$AdminURL = "https://crescent-admin.sharepoint.com/"
$SiteURL = "https://crescent.sharepoint.com/sites/marketing"
$ADGroupID = "3645e787-4f3e-44da-8b60-4fe9e32c5a24"
$LoginName = "c:0t`.c`|tenant`|$ADGroupID"
Try {
#Connect to SharePoint Online
Connect-SPOService -url $AdminURL -Credential (Get-Credential)
$Site = Get-SPOSite $SiteURL
Write-host -f Yellow "Adding AD Group as Site Collection Administrator..."
Set-SPOUser -site $Site -LoginName $LoginName -IsSiteCollectionAdmin $True
Write-host -f Green "Done!"
}
Catch {
write-host -f Red "Error:" $_.Exception.Message
}
Similarly, You can add an AD group to all site collections in the tenant as:
#Import-Module Microsoft.Online.SharePoint.PowerShell
#Variables
$AdminURL = "https://crescent-admin.sharepoint.com/"
$ADGroupID = "3645e787-4f3e-44da-8b60-4fe9e32c5a24"
$LoginName = "c:0t`.c`|tenant`|$ADGroupID"
Try {
#Connect to SharePoint Online
Connect-SPOService -url $AdminURL -Credential (Get-Credential)
#Get All Site Collections
$Sites = Get-SPOSite -Limit ALL -IncludePersonalSite:$False
Foreach ($Site in $Sites)
{
Write-host "Adding Site Collection Admin for:"$Site.URL
Set-SPOUser -site $Site -LoginName $LoginName -IsSiteCollectionAdmin $True | Out-Null
}
}
Catch {
write-host -f Red "Error:" $_.Exception.Message
}
This gives the Active Directory group members the ability to manage all site collections within your tenancy.
PnP PowerShell to Add Active Directory Group as Site Collection Admin
The above script can be written in PnP PowerShell as well:
#Parameters
$SiteURL = "https://crescent.sharepoint.com/sites/retail"
$AzureADGroupID = "c:0t.c|tenant|f4e108b8-3294-4bc8-8792-6b28f32ffaa5"
#Connect to SharePoint Online
Connect-PnPOnline -url $SiteURL -Interactive
#Resolve the Group
$ADGroup = Get-PnPUser | Where-Object LoginName -eq $AzureADGroupID
If($ADGroup -eq $null) {
$ADGroup = New-PnPUser -LoginName $AzureADGroupID
}
#Add AD Security group as Site collection admin
Add-PnPSiteCollectionAdmin -Owners $ADGroup
You can also use PowerShell CSOM script to add site collection administrators SharePoint Online: Add Site Collection Administrator using PowerShell
How about adding a Microsoft 365 Group as a Site Collection Administrator?
This time, let’s add a Microsoft 365 group as the site collection administrator to all sites in the tenant. Follow these steps:
Create a Microsoft 365 Group and add members to it as per your requirement
- Login to Microsoft Admin Center at https://admin.microsoft.com, Navigate to Groups >> Active Teams & Groups
- Under the “Microsoft 365” tab, Click on “Add a group”
- Name your Group accordingly >> Assign Owner and Members to the Group, Set an Email ID to it and then create a Group.
Obtain the “Object ID” of the group using Azure AD or PowerShell
- Login to Azure AD from https://aad.portal.azure.com/
- Click on “Azure Active Directory” from the Tree view and then “Groups”.
- Select your Microsoft 365 group created in the previous step. In my case, it’s “SharePoint Online Administrators” and copy the “Object ID”.
While adding a Microsoft 365 Group under the site collection administrators group can be easily done through the web browser interface, What if you want to quickly add a group as a Site Collection Administrator for multiple sites in your tenant? Let’s script the process! Use this PnP PowerShell script to add a Microsoft 365 Group as a site collection admin to SharePoint Online sites:
#Parameters
$TenantAdminURL="https://Crescent-admin.sharepoint.com"
$ObjectID = "0ddafc96-4e5a-4d3b-8067-ef7c8cfc349c"
#Get Credentials to Connect
$Cred = Get-Credential
#Connect to Tenant Admin
Connect-PnPOnline -Url $TenantAdminURL -Credentials $Cred
#Get All Site Collections
$Sites = Get-PnPTenantSite -IncludeOneDriveSites:$false
#Loop through each Site Collection
ForEach ($Site in $Sites)
{
#Connect to the Site
Connect-PnPOnline -Url $Site.Url -Credentials $Cred
#Add Microsoft 365 group to Site Collection Admin
Add-PnPSiteCollectionAdmin -Owners "c:0o.c|federateddirectoryclaimprovider|$ObjectID"
Write-host "Added Microsoft 365 Group to the site:"$Site.URL -f Green
}
“SharePoint Online Administrators Members” will be added to all sites in the tenant.
In summary, setting up an Active Directory security group as the Site Collection Administrator in SharePoint Online provides numerous benefits, including increased efficiency, better collaboration, and improved security. By using PowerShell, this process can be automated, reducing the risk of human error and saving time and effort.
Very nice write up. However I need to do this via Azure Automation with no user interaction required. How would I accomplish this?
You can save your credentials in Azure Automation. Refer: How to Schedule a PowerShell Script for SharePoint Online using Azure Automation?
I noticed that you didn’t include a PnP version of these commands. I found a PnP solution here that I adapted: https://sharepoint.stackexchange.com/a/268257.
——————————————————————-
# Set mode
$mode = ‘test’ # ‘execute’ #
# Sites with permissions being changed
$sitescsvfilepath = ‘fullpath1’
$sites = Import-Csv -Path $sitescsvfilepath
# Groups to be added with permissions to each site
$groupscsvfilepath = ‘fullpath2’
$groups = Import-Csv -Path $groupscsvfilepath
foreach($site in $sites.siteurls){
Write-host “Connecting to $site…”
Connect-PNPOnline -Url $site -Interactive
Get-PnPSiteCollectionAdmin
$web = Get-PnPWeb
foreach ($group in $groups.groupids) {
Try {
$azureADGroup = “c:0t.c|tenant|$group”
$user = Get-PnPUser -Identity $azureADGroup
If ($mode -eq ‘test’)
{
Write-host -f Yellow “Would add $($user.title) as site collection admin”
}
Elseif ($mode -eq ‘execute’)
{
Add-PnPSiteCollectionAdmin -Owners $user.LoginName
Write-host -f Green “Added $($user.title) as site collection admin successfully”
}
}
Catch {
write-host -f Red “Error… $($_.Exception.Message)”
}
}
}
Write-Host ‘Done !’
a big thanks to you ! Pnp rocks