SharePoint Online: Set Active Directory Security Group as Site Collection Administrator using PowerShell

Requirement: Add active directory security group to SharePoint Online site collection administrator group.

PowerShell to Add AD Security group as Site Collection Administrator:

Centralizing the management of site collection administrators in an Active Directory (Azure AD / Microsoft Entra ID) security group simplifies SharePoint Online administration: you grant the group once per site and manage membership in one place, instead of adding individuals to each site in your tenant. Keep in mind that every member of that group becomes a site collection administrator with full control of every site it is added to, so keep the group's membership tightly controlled and review it regularly. Follow these steps to add an Active Directory security group or a Microsoft 365 group as a site collection administrator for all sites.

Step 1: Get the AD Security Group’s ID

We need the group's Object ID first. The script below retrieves it with the AzureAD PowerShell module (Install-Module AzureAD), which Microsoft has deprecated in favour of the Microsoft Graph PowerShell SDK; the same ID is also shown in the Microsoft Entra admin center under Groups.

$GroupName = "Opera"

#Connect to Azure AD
Connect-AzureAD -Credential (Get-Credential)

#Get the security group's Object ID (this is the Entra ID object GUID, not an on-premises SID)
Get-AzureADGroup -SearchString $GroupName | Select DisplayName, ObjectId | Format-Table

This returns the display name and Object ID of every group whose display name begins with the given text, so check that you copy the ID of the intended group and not a similarly named one.
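Because the AzureAD module is deprecated and its search is a prefix match, here is an added example (not from the original article) that does the same lookup with the Microsoft Graph PowerShell SDK and insists on exactly one exact-name match. It assumes the Microsoft.Graph.Groups module is installed; the function name Resolve-EntraGroupId and the -RequireSecurityEnabled switch are my own.

```powershell
# Added example: resolve a group's Object ID with the Microsoft Graph PowerShell SDK.
# Assumes Install-Module Microsoft.Graph.Groups has been run.

function Resolve-EntraGroupId {
    <#
    Return the Object ID of exactly one group whose display name matches $DisplayName
    exactly. Throws on zero or several matches, so a prefix collision
    (e.g. "Opera" vs. "Opera-Contractors") cannot hand site collection admin to
    the wrong group.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # Only accept security groups that are not Microsoft 365 (Unified) groups,
        # because the c:0t.c|tenant| claim format below applies only to those
        [switch] $RequireSecurityEnabled
    )

    # Escape single quotes for the OData filter
    $escaped = $DisplayName.Replace("'", "''")
    $found = @(Get-MgGroup -Filter "displayName eq '$escaped'" `
                  -Property Id, DisplayName, SecurityEnabled, GroupTypes -All)

    if ($RequireSecurityEnabled) {
        $found = @($found | Where-Object { $_.SecurityEnabled -and -not ($_.GroupTypes -contains 'Unified') })
    }

    switch ($found.Count) {
        0 { throw "No matching group found with display name '$DisplayName'." }
        1 { return $found[0].Id }
        default {
            $ids = ($found | ForEach-Object { $_.Id }) -join ', '
            throw "Display name '$DisplayName' is ambiguous; matching Object IDs: $ids. Pass the ID explicitly."
        }
    }
}

# Group.Read.All is the least-privileged delegated scope needed to read groups
Connect-MgGraph -Scopes "Group.Read.All" -NoWelcome
$GroupName = "Opera"
$ADGroupID = Resolve-EntraGroupId -DisplayName $GroupName -RequireSecurityEnabled
Write-Host "Object ID for '$GroupName': $ADGroupID"
```

The exact-match filter and the single-result check are the point: granting site collection admin to the wrong group because two names share a prefix is a silent privilege escalation that no later step catches.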

Step 2: Add Active Directory Group to SharePoint Online Site Collection Administrator’s Group

Now, use this PowerShell script (SharePoint Online Management Shell) to add the AD group as site collection administrator. The login name is the group's claim-encoded identity: the prefix c:0t.c|tenant| followed by the group's Object ID.

#Variables
$AdminURL = "https://crescent-admin.sharepoint.com/"
$SiteURL = "https://crescent.sharepoint.com/sites/marketing"
$ADGroupID = "3645e787-4f3e-44da-8b60-4fe9e32c5a24"

#Claim-encoded login name for a security group: c:0t.c|tenant|<Object ID>
$LoginName = "c:0t.c|tenant|$ADGroupID"

Try {
    #Connect to SharePoint Online (omit -Credential to sign in interactively when MFA is enforced)
    Connect-SPOService -Url $AdminURL -Credential (Get-Credential)

    $Site = Get-SPOSite $SiteURL

    Write-host -f Yellow "Adding AD Group as Site Collection Administrator..."
    Set-SPOUser -Site $Site -LoginName $LoginName -IsSiteCollectionAdmin $True
    Write-host -f Green "Done!"
}
Catch {
    Write-host -f Red "Error:" $_.Exception.Message
}

Similarly, you can add the AD group to all site collections in the tenant (OneDrive personal sites excluded) as:

#Import-Module Microsoft.Online.SharePoint.PowerShell

#Variables
$AdminURL = "https://crescent-admin.sharepoint.com/"
$ADGroupID = "3645e787-4f3e-44da-8b60-4fe9e32c5a24"

#Claim-encoded login name for a security group: c:0t.c|tenant|<Object ID>
$LoginName = "c:0t.c|tenant|$ADGroupID"

Try {
    #Connect to SharePoint Online
    Connect-SPOService -Url $AdminURL -Credential (Get-Credential)

    #Get all site collections, excluding OneDrive personal sites
    $Sites = Get-SPOSite -Limit All -IncludePersonalSite:$False

    Foreach ($Site in $Sites)
    {
        Write-host "Adding Site Collection Admin for:" $Site.Url
        Set-SPOUser -Site $Site -LoginName $LoginName -IsSiteCollectionAdmin $True | Out-Null
    }
}
Catch {
    Write-host -f Red "Error:" $_.Exception.Message
}
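A tenant-wide grant like the one above is worth rehearsing and verifying, so here is an added example (not from the original article) built on the same SharePoint Online Management Shell cmdlets. It assumes an existing Connect-SPOService session to the tenant admin URL; the function names Set-GroupSiteCollectionAdmin and Get-SiteCollectionAdminReport, the -Revoke switch and the template exclusion list are my own. It skips sites where the group already is an administrator, supports -WhatIf, can reverse the grant, and produces a report of every site collection administrator in the tenant so the change can be audited afterwards.

```powershell
# Added example: idempotent grant/revoke of site collection admin plus a tenant-wide audit.
# Assumes Microsoft.Online.SharePoint.PowerShell is loaded and Connect-SPOService has run.

# Claim-encoded login name of the security group (Object ID is a placeholder)
$ADGroupID = "3645e787-4f3e-44da-8b60-4fe9e32c5a24"
$LoginName = "c:0t.c|tenant|$ADGroupID"

function Set-GroupSiteCollectionAdmin {
    <#
    Grant (or, with -Revoke, remove) site collection admin for one claim login on
    every site. -WhatIf rehearses the change across the tenant without writing anything.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $LoginName,
        [switch] $Revoke,
        # Templates that should not receive extra admins: redirect stubs and the My Site host
        [string[]] $ExcludeTemplates = @('REDIRECTSITE#0', 'SPSMSITEHOST#0')
    )

    $sites = Get-SPOSite -Limit All -IncludePersonalSite:$false |
        Where-Object { $ExcludeTemplates -notcontains $_.Template }

    foreach ($site in $sites) {
        # Is the group already a site collection administrator here?
        $existing = Get-SPOUser -Site $site.Url -Limit All |
            Where-Object { $_.IsSiteAdmin -and $_.LoginName -eq $LoginName }

        if (-not $Revoke -and $existing) {
            Write-Verbose "Already admin on $($site.Url); skipping"
            continue
        }
        if ($Revoke -and -not $existing) {
            Write-Verbose "Not an admin on $($site.Url); nothing to revoke"
            continue
        }

        $action = if ($Revoke) { 'Remove site collection admin' } else { 'Add site collection admin' }
        if ($PSCmdlet.ShouldProcess($site.Url, "$action $LoginName")) {
            Set-SPOUser -Site $site.Url -LoginName $LoginName -IsSiteCollectionAdmin (-not $Revoke) | Out-Null
        }
    }
}

function Get-SiteCollectionAdminReport {
    # One row per (site, admin) pair, so two runs can be diffed to spot unexpected admins
    foreach ($site in Get-SPOSite -Limit All -IncludePersonalSite:$false) {
        Get-SPOUser -Site $site.Url -Limit All |
            Where-Object { $_.IsSiteAdmin } |
            ForEach-Object {
                [pscustomobject]@{
                    SiteUrl  = $site.Url
                    Template = $site.Template
                    Admin    = $_.LoginName
                    IsGroup  = $_.IsGroup
                }
            }
    }
}

# Rehearse, then apply, then record the resulting state
Set-GroupSiteCollectionAdmin -LoginName $LoginName -WhatIf
Set-GroupSiteCollectionAdmin -LoginName $LoginName -Verbose
Get-SiteCollectionAdminReport | Export-Csv -Path ".\SiteCollectionAdmins.csv" -NoTypeInformation
```

Running the report before and after the grant, and keeping the CSV, gives you a baseline: any administrator that appears later and is not the group is a change somebody made outside this process.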

You can also use a PowerShell CSOM script to add site collection administrators: SharePoint Online: Add Site Collection Administrator using PowerShell

How about adding a Microsoft 365 Group as a Site Collection Administrator?

This time, let’s add a Microsoft 365 group as the site collection administrator to all sites in the tenant. Follow these steps:

Create a Microsoft 365 Group and add members to it as per your requirement

  • Login to the Microsoft 365 admin center at https://admin.microsoft.com and navigate to Groups >> Active teams & groups
  • Under the “Microsoft 365” tab, click “Add a group”
  • Name the group, assign owners and members, set its email address, and create the group

Obtain the “Object ID” of the group from the Microsoft Entra admin center or PowerShell

  • Login to the Microsoft Entra admin center at https://entra.microsoft.com (Azure AD has been renamed Microsoft Entra ID; the older portal was https://aad.portal.azure.com/)
  • Navigate to “Groups” >> “All groups”
  • Select the Microsoft 365 group created in the previous step (in my case, “SharePoint Online Administrators”) and copy its “Object ID”

Now, use this PnP PowerShell script to add the Microsoft 365 group as a site collection administrator on all SharePoint Online sites. Note the different claim prefix: Microsoft 365 groups use c:0o.c|federateddirectoryclaimprovider| rather than the c:0t.c|tenant| prefix used for security groups.

#Parameters
$TenantAdminURL = "https://CrescentIntranet-admin.sharepoint.com"
$ObjectID = "0ddafc96-4e5a-4d3b-8067-ef7c8cfc349c"

#Get credentials to connect
$Cred = Get-Credential

#Connect to tenant admin
Connect-PnPOnline -Url $TenantAdminURL -Credentials $Cred

#Get all site collections, excluding OneDrive sites
$Sites = Get-PnPTenantSite -IncludeOneDriveSites:$false

#Loop through each site collection
ForEach ($Site in $Sites)
{
    #Connect to the site
    Connect-PnPOnline -Url $Site.Url -Credentials $Cred

    #Add the Microsoft 365 group's members claim as site collection admin
    Add-PnPSiteCollectionAdmin -Owners "c:0o.c|federateddirectoryclaimprovider|$ObjectID"
    Disconnect-PnPOnline
    Write-host "Added Microsoft 365 Group to the site:" $Site.Url -f Green
}

The members of “SharePoint Online Administrators” are added as site collection administrators on every site in the tenant. The bare Object ID in the claim resolves to the group's members; the owners-only claim uses the same prefix with an “_o” suffix appended to the Object ID.
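The two claim formats above are easy to mix up, so here is an added example (not from the original article) with a small helper that builds and validates each claim kind, followed by the same tenant-wide grant done from the tenant-admin connection with Set-PnPTenantSite -Owners, so no per-site reconnect is needed. It assumes PnP.PowerShell; recent PnP.PowerShell versions require your own Entra app registration, so the -ClientId GUID is a placeholder you must replace. The function name New-SPOGroupClaim and its -Kind values are my own.

```powershell
# Added example: claim builder for SharePoint Online group logins and a tenant-level grant.
# Assumes PnP.PowerShell; the ClientId below is a placeholder for your own app registration.

function New-SPOGroupClaim {
    <#
    Build the claim-encoded login name SharePoint Online expects for a group.
    Security groups and Microsoft 365 groups use different claim providers, and a
    Microsoft 365 group has two claims: the bare Object ID (members) and the
    Object ID with an "_o" suffix (owners only).
    #>
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [ValidateSet('SecurityGroup', 'M365Members', 'M365Owners')] [string] $Kind
    )
    # Reject anything that is not a GUID, so a pasted display name cannot become a bogus claim
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($ObjectId, [ref] $guid)) {
        throw "'$ObjectId' is not a GUID; pass the group's Object ID."
    }
    $id = $guid.ToString('D').ToLowerInvariant()
    switch ($Kind) {
        'SecurityGroup' { "c:0t.c|tenant|$id" }
        'M365Members'   { "c:0o.c|federateddirectoryclaimprovider|$id" }
        'M365Owners'    { "c:0o.c|federateddirectoryclaimprovider|${id}_o" }
    }
}

$TenantAdminURL = "https://CrescentIntranet-admin.sharepoint.com"
$ObjectID = "0ddafc96-4e5a-4d3b-8067-ef7c8cfc349c"
$Claim = New-SPOGroupClaim -ObjectId $ObjectID -Kind M365Members

# One tenant-admin connection; Set-PnPTenantSite works from here without reconnecting per site
Connect-PnPOnline -Url $TenantAdminURL -Interactive -ClientId "00000000-0000-0000-0000-000000000000"

# Exclude OneDrive sites and redirect stubs, then grant from the admin connection
Get-PnPTenantSite -IncludeOneDriveSites:$false |
    Where-Object { $_.Template -ne 'REDIRECTSITE#0' } |
    ForEach-Object {
        # -Owners adds site collection administrators; existing administrators are kept
        Set-PnPTenantSite -Identity $_.Url -Owners $Claim
        Write-Host "Granted $Claim on $($_.Url)" -ForegroundColor Green
    }
```

If you need only the group's owners to hold admin rights, swap -Kind M365Members for M365Owners; the GUID check makes the helper fail loudly on an Object ID that was copied incompletely.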

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with Two decades of SharePoint Experience. He loves sharing his knowledge and experiences with the SharePoint community, through his real-world articles!

One thought on “SharePoint Online: Set Active Directory Security Group as Site Collection Administrator using PowerShell”

  • I noticed that you didn’t include a PnP version of these commands. I found a PnP solution here that I adapted: https://sharepoint.stackexchange.com/a/268257.

    -------------------------------------------------------------------
    # Set mode
    $mode = 'test' # 'execute' #

    # Sites with permissions being changed
    $sitescsvfilepath = 'fullpath1'
    $sites = Import-Csv -Path $sitescsvfilepath

    # Groups to be added with permissions to each site
    $groupscsvfilepath = 'fullpath2'
    $groups = Import-Csv -Path $groupscsvfilepath

    foreach ($site in $sites.siteurls) {
        Write-Host "Connecting to $site..."
        Connect-PnPOnline -Url $site -Interactive
        Get-PnPSiteCollectionAdmin
        $web = Get-PnPWeb

        foreach ($group in $groups.groupids) {
            Try {
                $azureADGroup = "c:0t.c|tenant|$group"
                $user = Get-PnPUser -Identity $azureADGroup
                If ($mode -eq 'test')
                {
                    Write-Host -f Yellow "Would add $($user.Title) as site collection admin"
                }
                Elseif ($mode -eq 'execute')
                {
                    Add-PnPSiteCollectionAdmin -Owners $user.LoginName
                    Write-Host -f Green "Added $($user.Title) as site collection admin successfully"
                }
            }
            Catch {
                Write-Host -f Red "Error... $($_.Exception.Message)"
            }
        }
    }
    Write-Host 'Done !'

