SharePoint Online: Set Active Directory Security Group as Site Collection Administrator using PowerShell
Requirement: Add active directory security group to SharePoint Online site collection administrator group.
PowerShell to Add AD Security group as a Site Collection Administrator:
Centralizing the management of all site collection administrators with an Active Directory group is a fair idea to simplify the SharePoint Online administration – So that you don’t have to add individuals to each site in your tenant. Follow these steps to add an Active Directory security group or Microsoft 365 groups as a site collection administrator for all sites.
Step 1: Get the AD Security Group’s ID
We need the ID of the AD group first. Use the PowerShell script to retrieve the ID, make sure you have the Azure AD module installed.
$GroupName = "Opera"
#Connect to Azure AD
Connect-AzureAD -Credential (Get-Credential)
#Get Security Group's SID
Get-AzureADGroup -SearchString $GroupName | Select DisplayName, ObjectId | Format-table
This script gets IDs of all AD security groups with the given name. Copy the ID for the group.
Step 2: Add Active Directory Group to SharePoint Online Site Collection Administrator’s Group
Now, use this PowerShell script to add the AD group as site collection administrator:
#Variables
$AdminURL = "https://crescent-admin.sharepoint.com/"
$SiteURL = "https://crescent.sharepoint.com/sites/marketing"
$ADGroupID = "3645e787-4f3e-44da-8b60-4fe9e32c5a24"
$LoginName = "c:0t`.c`|tenant`|$ADGroupID"
Try {
#Connect to SharePoint Online
Connect-SPOService -url $AdminURL -Credential (Get-Credential)
$Site = Get-SPOSite $SiteURL
Write-host -f Yellow "Adding AD Group as Site Collection Administrator..."
Set-SPOUser -site $Site -LoginName $LoginName -IsSiteCollectionAdmin $True
Write-host -f Green "Done!"
}
Catch {
write-host -f Red "Error:" $_.Exception.Message
}
Similarly, You can add AD group to all site collections in the tenant as:
#Import-Module Microsoft.Online.SharePoint.PowerShell
#Variables
$AdminURL = "https://crescent-admin.sharepoint.com/"
$ADGroupID = "3645e787-4f3e-44da-8b60-4fe9e32c5a24"
$LoginName = "c:0t`.c`|tenant`|$ADGroupID"
Try {
#Connect to SharePoint Online
Connect-SPOService -url $AdminURL -Credential (Get-Credential)
#Get All Site Collections
$Sites = Get-SPOSite -Limit ALL -IncludePersonalSite:$False
Foreach ($Site in $Sites)
{
Write-host "Adding Site Collection Admin for:"$Site.URL
Set-SPOUser -site $Site -LoginName $LoginName -IsSiteCollectionAdmin $True | Out-Null
}
}
Catch {
write-host -f Red "Error:" $_.Exception.Message
}
This gives the Active Directory group members the ability to manage all site collections within your tenancy.
You can also use PowerShell CSOM script to add site collection administrators SharePoint Online: Add Site Collection Administrator using PowerShell
How about adding a Microsoft 365 Group as a Site Collection Administrator?
This time, let’s add a Microsoft 365 group as the site collection administrator to all sites in the tenant. Follow these steps:
Create a Microsoft 365 Group and add members to it as per your requirement
- Login to Microsoft Admin Center at https://admin.microsoft.com, Navigate to Groups >> Active Teams & Groups
- Under “Microsoft 365” tab, Click on “Add a group”
- Name your Group accordingly >> Assign Owner and Members to the Group, Set an Email ID to it and then create a Group.
Obtain the “Object ID” of the group using Azure AD or PowerShell
- Login to Azure AD from https://aad.portal.azure.com/
- Click on “Azure Active Directory” from the Tree view and then “Groups”
- Select your Microsoft 365 group created in the previous step. In my case, its “SharePoint Online Administrators” and copy the “Object ID”
While adding a Microsoft 365 Group under the site collection administrators group can be easily done through the web browser interface, What if you want to quickly add a group as a Site Collection Administrator for multiple sites in your tenant? Let’s script the process! Use this PnP PowerShell script to add a Microsoft 365 Group as a site collection admin to SharePoint Online sites:
#Parameters
$TenantAdminURL="https://Crescent-admin.sharepoint.com"
$ObjectID = "0ddafc96-4e5a-4d3b-8067-ef7c8cfc349c"
#Get Credentials to Connect
$Cred = Get-Credential
#Connect to Tenant Admin
Connect-PnPOnline -Url $TenantAdminURL -Credentials $Cred
#Get All Site Collections
$Sites = Get-PnPTenantSite -IncludeOneDriveSites:$false
#Loop through each Site Collection
ForEach ($Site in $Sites)
{
#Connect to the Site
Connect-PnPOnline -Url $Site.Url -Credentials $Cred
#Add Microsoft 365 group to Site Collection Admin
Add-PnPSiteCollectionAdmin -Owners "c:0o.c|federateddirectoryclaimprovider|$ObjectID"
Disconnect-PnPOnline
Write-host "Added Microsoft 365 Group to the site:"$Site.URL -f Green
}
“SharePoint Online Administrators Members” will be added to all sites in the tenant.
I noticed that you didn’t include a PnP version of these commands. I found a PnP solution here that I adapted: https://sharepoint.stackexchange.com/a/268257.
——————————————————————-
# Set mode
$mode = ‘test’ # ‘execute’ #
# Sites with permissions being changed
$sitescsvfilepath = ‘fullpath1’
$sites = Import-Csv -Path $sitescsvfilepath
# Groups to be added with permissions to each site
$groupscsvfilepath = ‘fullpath2’
$groups = Import-Csv -Path $groupscsvfilepath
foreach($site in $sites.siteurls){
Write-host “Connecting to $site…”
Connect-PNPOnline -Url $site -Interactive
Get-PnPSiteCollectionAdmin
$web = Get-PnPWeb
foreach ($group in $groups.groupids) {
Try {
$azureADGroup = “c:0t.c|tenant|$group”
$user = Get-PnPUser -Identity $azureADGroup
If ($mode -eq ‘test’)
{
Write-host -f Yellow “Would add $($user.title) as site collection admin”
}
Elseif ($mode -eq ‘execute’)
{
Add-PnPSiteCollectionAdmin -Owners $user.LoginName
Write-host -f Green “Added $($user.title) as site collection admin successfully”
}
}
Catch {
write-host -f Red “Error… $($_.Exception.Message)”
}
}
}
Write-Host ‘Done !’