SharePoint Diary » PowerShell » SharePoint Online: Set Active Directory Security Group as Site Collection Administrator using PowerShell

SharePoint Online: Set Active Directory Security Group as Site Collection Administrator using PowerShell

October 29, 2022 Salaudeen Rajack 4 Comments add ad group to sharepoint site collection administrators, sharepoint online site collection administrator ad group

Requirement: Add active directory security group to SharePoint Online site collection administrator group.

PowerShell to Add AD Security group as a Site Collection Administrator:

Centralizing the management of all site collection administrators with an Active Directory group is a fair idea to simplify the SharePoint Online administration – So that you don’t have to add individuals to each site in your tenant. Follow these steps to add an Active Directory security group or Microsoft 365 group as a site collection administrator for all sites.

Step 1: Get the AD Security Group’s ID

We need the ID of the AD group first. Use the PowerShell script to retrieve the ID, and make sure you have the Azure AD module installed.

$GroupName = "Opera"

#Connect to Azure AD
Connect-AzureAD -Credential (Get-Credential)

#Get Security Group's SID
Get-AzureADGroup -SearchString $GroupName | Select DisplayName, ObjectId | Format-table

This script gets the IDs of all AD security groups with the given name. Copy the ID for the group.

You can also obtain the Group ID of the Active Directory security group from the Azure AD console.

Step 2: Add Active Directory Group to SharePoint Online Site Collection Administrator’s Group

Now, use this PowerShell script to add the AD group as site collection administrator:

#Variables
$AdminURL = "https://crescent-admin.sharepoint.com/"
$SiteURL = "https://crescent.sharepoint.com/sites/marketing"
$ADGroupID = "3645e787-4f3e-44da-8b60-4fe9e32c5a24"

$LoginName = "c:0t`.c`|tenant`|$ADGroupID"

Try {
    #Connect to SharePoint Online
    Connect-SPOService -url $AdminURL -Credential (Get-Credential)
 
    $Site = Get-SPOSite $SiteURL
 
    Write-host -f Yellow "Adding AD Group as Site Collection Administrator..."
    Set-SPOUser -site $Site -LoginName $LoginName -IsSiteCollectionAdmin $True
    Write-host -f Green "Done!"
}
Catch {
    write-host -f Red "Error:" $_.Exception.Message
}

Similarly, You can add an AD group to all site collections in the tenant as:

#Import-Module Microsoft.Online.SharePoint.PowerShell

#Variables
$AdminURL = "https://crescent-admin.sharepoint.com/"
$ADGroupID = "3645e787-4f3e-44da-8b60-4fe9e32c5a24"

$LoginName = "c:0t`.c`|tenant`|$ADGroupID"

Try {
    #Connect to SharePoint Online
     Connect-SPOService -url $AdminURL -Credential (Get-Credential)
 
     #Get All Site Collections
     $Sites = Get-SPOSite -Limit ALL -IncludePersonalSite:$False
 
    Foreach ($Site in $Sites)
    {
        Write-host "Adding Site Collection Admin for:"$Site.URL
        Set-SPOUser -site $Site -LoginName $LoginName -IsSiteCollectionAdmin $True | Out-Null
    }
}
Catch {
    write-host -f Red "Error:" $_.Exception.Message
}

This gives the Active Directory group members the ability to manage all site collections within your tenancy.

PnP PowerShell to Add Active Directory Group as Site Collection Admin

The above script can be written in PnP PowerShell as well:

#Parameters
$SiteURL = "https://crescent.sharepoint.com/sites/retail"
$AzureADGroupID = "c:0t.c|tenant|f4e108b8-3294-4bc8-8792-6b28f32ffaa5"

#Connect to SharePoint Online
Connect-PnPOnline -url $SiteURL -Interactive

#Resolve the Group
$ADGroup = Get-PnPUser | Where-Object LoginName -eq $AzureADGroupID
If($ADGroup -eq $null) {        
    $ADGroup = New-PnPUser -LoginName $AzureADGroupID
}

#Add AD Security group as Site collection admin
Add-PnPSiteCollectionAdmin -Owners $ADGroup

You can also use PowerShell CSOM script to add site collection administrators SharePoint Online: Add Site Collection Administrator using PowerShell

How about adding a Microsoft 365 Group as a Site Collection Administrator?

This time, let’s add a Microsoft 365 group as the site collection administrator to all sites in the tenant. Follow these steps:

Create a Microsoft 365 Group and add members to it as per your requirement

Login to Microsoft Admin Center at https://admin.microsoft.com, Navigate to Groups >> Active Teams & Groups
Under the “Microsoft 365” tab, Click on “Add a group”
Name your Group accordingly >> Assign Owner and Members to the Group, Set an Email ID to it and then create a Group.

Obtain the “Object ID” of the group using Azure AD or PowerShell

Login to Azure AD from https://aad.portal.azure.com/
Click on “Azure Active Directory” from the Tree view and then “Groups”.
Select your Microsoft 365 group created in the previous step. In my case, it’s “SharePoint Online Administrators” and copy the “Object ID”.

While adding a Microsoft 365 Group under the site collection administrators group can be easily done through the web browser interface, What if you want to quickly add a group as a Site Collection Administrator for multiple sites in your tenant? Let’s script the process! Use this PnP PowerShell script to add a Microsoft 365 Group as a site collection admin to SharePoint Online sites:

#Parameters
$TenantAdminURL="https://Crescent-admin.sharepoint.com"
$ObjectID = "0ddafc96-4e5a-4d3b-8067-ef7c8cfc349c"

#Get Credentials to Connect
$Cred = Get-Credential

#Connect to Tenant Admin
Connect-PnPOnline -Url $TenantAdminURL -Credentials $Cred

#Get All Site Collections 
$Sites = Get-PnPTenantSite -IncludeOneDriveSites:$false
        
#Loop through each Site Collection
ForEach ($Site in $Sites)
{
    #Connect to the Site
    Connect-PnPOnline -Url $Site.Url -Credentials $Cred

    #Add Microsoft 365 group to Site Collection Admin
    Add-PnPSiteCollectionAdmin -Owners "c:0o.c|federateddirectoryclaimprovider|$ObjectID"
    Write-host "Added Microsoft 365 Group to the site:"$Site.URL -f Green
}

“SharePoint Online Administrators Members” will be added to all sites in the tenant.

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

4 thoughts on “SharePoint Online: Set Active Directory Security Group as Site Collection Administrator using PowerShell”

Carlos
September 7, 2022 at 8:13 PM
Permalink

Very nice write up. However I need to do this via Azure Automation with no user interaction required. How would I accomplish this?
Reply
- Salaudeen RajackPost author
  September 7, 2022 at 10:52 PM
  Permalink
  
  You can save your credentials in Azure Automation. Refer: How to Schedule a PowerShell Script for SharePoint Online using Azure Automation?
  Reply
Anonymous
May 27, 2021 at 6:21 PM
Permalink

I noticed that you didn’t include a PnP version of these commands. I found a PnP solution here that I adapted: https://sharepoint.stackexchange.com/a/268257.

——————————————————————-
# Set mode
$mode = ‘test’ # ‘execute’ #

# Sites with permissions being changed
$sitescsvfilepath = ‘fullpath1’
$sites = Import-Csv -Path $sitescsvfilepath

# Groups to be added with permissions to each site
$groupscsvfilepath = ‘fullpath2’
$groups = Import-Csv -Path $groupscsvfilepath

foreach($site in $sites.siteurls){
Write-host “Connecting to $site…”
Connect-PNPOnline -Url $site -Interactive
Get-PnPSiteCollectionAdmin
$web = Get-PnPWeb

foreach ($group in $groups.groupids) {
Try {
$azureADGroup = “c:0t.c|tenant|$group”
$user = Get-PnPUser -Identity $azureADGroup
If ($mode -eq ‘test’)
{
Write-host -f Yellow “Would add $($user.title) as site collection admin”
}
Elseif ($mode -eq ‘execute’)
{
Add-PnPSiteCollectionAdmin -Owners $user.LoginName
Write-host -f Green “Added $($user.title) as site collection admin successfully”
}
}
Catch {
write-host -f Red “Error… $($_.Exception.Message)”
}
}
}
Write-Host ‘Done !’
Reply
- Anonymous
  October 25, 2022 at 7:38 PM
  Permalink
  
  a big thanks to you ! Pnp rocks
  Reply

SharePoint Diary