SharePoint Online: Set Active Directory Security Group as Site Collection Administrator using PowerShell

Requirement: Add active directory security group to SharePoint Online site collection administrator group.

PowerShell to Add AD Security group as a Site Collection Administrator:

In SharePoint Online, it is possible to assign a security group from Active Directory as the Site Collection Administrator. This allows multiple users to manage the site collection and its content, reducing the burden on individual users and ensuring that there is always someone available to perform administrative tasks. Centralizing the management of all site collection administrators in an Active Directory group simplifies SharePoint Online administration, because you no longer have to add individuals to each site in your tenant. Follow these steps to add an Active Directory security group or Microsoft 365 group as a site collection administrator for all sites.

Step 1: Get the AD Security Group’s ID

We need the ID of the AD group first. Use the following PowerShell script to retrieve the ID, and make sure you have the Azure AD module installed.

$GroupName = "Opera"

#Connect to Azure AD
Connect-AzureAD -Credential (Get-Credential)

#Get the security group's Object ID (this is the value used in the SharePoint claim, not the SID)
Get-AzureADGroup -SearchString $GroupName | Select DisplayName, ObjectId | Format-Table

This script lists the display name and Object ID of every AD group that matches the search string. Copy the Object ID of the group you want.

You can also obtain the Group ID of the Active Directory security group from the Azure AD console.
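The search above can return more than one group. As an added example that is not part of the original post, the function below resolves a group by exact display name, fails on no match or an ambiguous match, and checks that the group is security-enabled before returning its Object ID. It assumes the Azure AD module is installed and Connect-AzureAD has already been run as in Step 1; "Opera" is the sample name from this post.

```powershell
# Added example, not from the original post. Assumes the AzureAD module is loaded
# and Connect-AzureAD has already been run.
function Get-SecurityGroupObjectId {
    param([Parameter(Mandatory)][string]$GroupName)

    # Exact-match OData filter; single quotes inside the name are doubled for the filter syntax
    $Escaped = $GroupName -replace "'", "''"
    $Groups = @(Get-AzureADGroup -Filter "DisplayName eq '$Escaped'")

    if ($Groups.Count -eq 0) {
        throw "No group named '$GroupName' was found"
    }
    if ($Groups.Count -gt 1) {
        # Granting site collection admin to the wrong group is a real risk, so refuse to guess
        throw "Ambiguous name '$GroupName': $($Groups.Count) groups match. Use the Object ID from the portal instead."
    }
    if (-not $Groups[0].SecurityEnabled) {
        throw "'$GroupName' is not security-enabled; the c:0t.c|tenant| claim is for security groups"
    }
    return $Groups[0].ObjectId
}

# Resolve the sample group from this post and build the claim used in Step 2
$ADGroupID = Get-SecurityGroupObjectId -GroupName "Opera"
$LoginName = "c:0t.c|tenant|$ADGroupID"
$LoginName
```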


Step 2: Add Active Directory Group to SharePoint Online Site Collection Administrator’s Group

Now, use this PowerShell script to add the AD group as site collection administrator:

#Variables
$AdminURL = "https://crescent-admin.sharepoint.com/"
$SiteURL = "https://crescent.sharepoint.com/sites/marketing"
$ADGroupID = "3645e787-4f3e-44da-8b60-4fe9e32c5a24"

#Claim-encoded login name for an Azure AD security group: c:0t.c|tenant|<Object ID>
$LoginName = "c:0t.c|tenant|$ADGroupID"

Try {
    #Connect to SharePoint Online
    Connect-SPOService -Url $AdminURL -Credential (Get-Credential)

    $Site = Get-SPOSite $SiteURL

    Write-Host -f Yellow "Adding AD Group as Site Collection Administrator..."
    Set-SPOUser -Site $Site -LoginName $LoginName -IsSiteCollectionAdmin $True
    Write-Host -f Green "Done!"
}
Catch {
    Write-Host -f Red "Error:" $_.Exception.Message
}

Similarly, you can add the AD group to all site collections in the tenant:

#Import-Module Microsoft.Online.SharePoint.PowerShell

#Variables
$AdminURL = "https://crescent-admin.sharepoint.com/"
$ADGroupID = "3645e787-4f3e-44da-8b60-4fe9e32c5a24"

#Claim-encoded login name for the Azure AD security group
$LoginName = "c:0t.c|tenant|$ADGroupID"

Try {
    #Connect to SharePoint Online
    Connect-SPOService -Url $AdminURL -Credential (Get-Credential)

    #Get All Site Collections
    $Sites = Get-SPOSite -Limit ALL -IncludePersonalSite:$False

    Foreach ($Site in $Sites)
    {
        Write-Host "Adding Site Collection Admin for:"$Site.URL
        Set-SPOUser -Site $Site -LoginName $LoginName -IsSiteCollectionAdmin $True | Out-Null
    }
}
Catch {
    Write-Host -f Red "Error:" $_.Exception.Message
}

This gives the Active Directory group members the ability to manage all site collections within your tenancy.


PnP PowerShell to Add Active Directory Group as Site Collection Admin

The above script can be written in PnP PowerShell as well:

#Parameters
$SiteURL = "https://crescent.sharepoint.com/sites/retail"
$AzureADGroupID = "c:0t.c|tenant|f4e108b8-3294-4bc8-8792-6b28f32ffaa5"

#Connect to SharePoint Online
Connect-PnPOnline -Url $SiteURL -Interactive

#Resolve the Group (ensure the claim exists in the site's user information list)
$ADGroup = Get-PnPUser | Where-Object LoginName -eq $AzureADGroupID
If ($null -eq $ADGroup) {
    $ADGroup = New-PnPUser -LoginName $AzureADGroupID
}

#Add AD Security group as Site collection admin
Add-PnPSiteCollectionAdmin -Owners $ADGroup

You can also use a PowerShell CSOM script to add site collection administrators; see: SharePoint Online: Add Site Collection Administrator using PowerShell.

How about adding a Microsoft 365 Group as a Site Collection Administrator?

This time, let’s add a Microsoft 365 group as the site collection administrator to all sites in the tenant. Follow these steps:

Create a Microsoft 365 Group and add members to it as required:

  1. Log in to the Microsoft 365 Admin Center at https://admin.microsoft.com and navigate to Groups >> Active teams & groups.
  2. Under the “Microsoft 365” tab, click “Add a group”.
  3. Name your group accordingly, assign owners and members to the group, set an email ID for it, and then create the group.

Obtain the “Object ID” of the group using Azure AD or PowerShell:

  1. Log in to Azure AD at https://aad.portal.azure.com/.
  2. Click “Azure Active Directory” in the tree view and then “Groups”.
  3. Select the Microsoft 365 group created in the previous step. In my case, it’s “SharePoint Online Administrators”. Copy its “Object ID”.

Adding a Microsoft 365 Group to the site collection administrators group is easy enough through the web browser interface, but what if you want to quickly add a group as a Site Collection Administrator for multiple sites in your tenant? Let’s script the process! Use this PnP PowerShell script to add a Microsoft 365 Group as a site collection admin to SharePoint Online sites:

#Parameters
$TenantAdminURL="https://Crescent-admin.sharepoint.com"
$ObjectID = "0ddafc96-4e5a-4d3b-8067-ef7c8cfc349c"

#Get Credentials to Connect
$Cred = Get-Credential

#Connect to Tenant Admin
Connect-PnPOnline -Url $TenantAdminURL -Credentials $Cred

#Get All Site Collections
$Sites = Get-PnPTenantSite -IncludeOneDriveSites:$false

#Loop through each Site Collection
ForEach ($Site in $Sites)
{
    #Connect to the Site
    Connect-PnPOnline -Url $Site.Url -Credentials $Cred

    #Add Microsoft 365 group to Site Collection Admin
    Add-PnPSiteCollectionAdmin -Owners "c:0o.c|federateddirectoryclaimprovider|$ObjectID"
    Write-host "Added Microsoft 365 Group to the site:"$Site.URL -f Green
}

Once the script completes, “SharePoint Online Administrators Members” appears as a site collection administrator on every site in the tenant.
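The scripts above for the security group claim (c:0t.c|tenant|…) and the Microsoft 365 group claim (c:0o.c|federateddirectoryclaimprovider|…) add the group unconditionally. As an added example that is not part of the original post or of the PnP project, the script below covers both claim formats, validates the Object ID before it is embedded in a claim, checks each site's current site collection administrators and only adds the group where it is missing, and writes a report for review; it runs in report-only mode unless -Apply is given. It assumes PnP.PowerShell is installed; the tenant URL, group ID and report path are placeholders.

```powershell
# Added example; not part of the original post. Assumes PnP.PowerShell is installed.
# $TenantAdminURL, $GroupObjectId and $ReportPath are placeholders to replace.
param(
    [string]$TenantAdminURL = "https://tenant-admin.sharepoint.com",
    [string]$GroupObjectId  = "00000000-0000-0000-0000-000000000000",
    [ValidateSet("SecurityGroup", "M365GroupMembers")]
    [string]$GroupType = "SecurityGroup",
    [switch]$Apply,                              # without -Apply: report only, change nothing
    [string]$ReportPath = ".\SiteCollectionAdminReport.csv"
)

# Refuse anything that is not a well-formed GUID before it becomes part of a claim
$Parsed = [guid]::Empty
if (-not [guid]::TryParse($GroupObjectId, [ref]$Parsed)) {
    throw "GroupObjectId '$GroupObjectId' is not a valid GUID"
}

# Claim encodings SharePoint Online uses for the two group types covered in this post
$Claim = switch ($GroupType) {
    "SecurityGroup"    { "c:0t.c|tenant|$GroupObjectId" }
    "M365GroupMembers" { "c:0o.c|federateddirectoryclaimprovider|$GroupObjectId" }
}

Connect-PnPOnline -Url $TenantAdminURL -Interactive
$Sites = Get-PnPTenantSite -IncludeOneDriveSites:$false

$Report = foreach ($Site in $Sites) {
    Connect-PnPOnline -Url $Site.Url -Interactive
    $Admins = @(Get-PnPSiteCollectionAdmin)

    # Idempotent: add only where the claim is not already a site collection admin
    $Action = "AlreadyPresent"
    if (-not ($Admins | Where-Object { $_.LoginName -eq $Claim })) {
        if ($Apply) {
            Add-PnPSiteCollectionAdmin -Owners $Claim | Out-Null
            $Action = "Added"
        } else {
            $Action = "WouldAdd"
        }
    }
    [pscustomobject]@{
        SiteUrl    = $Site.Url
        Claim      = $Claim
        Action     = $Action
        AdminCount = $Admins.Count   # sites with unusually many admins deserve a closer look
    }
}

$Report | Export-Csv -Path $ReportPath -NoTypeInformation
```

Run it once without -Apply, review the CSV, then rerun with -Apply; the AdminCount column doubles as a quick audit of how many site collection administrators each site already has.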

In summary, setting up an Active Directory security group as the Site Collection Administrator in SharePoint Online provides numerous benefits, including increased efficiency, better collaboration, and improved security. By using PowerShell, this process can be automated, reducing the risk of human error and saving time and effort.

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with two decades of SharePoint experience. Love to share my knowledge and experience with the SharePoint community through real-time articles!

4 thoughts on “SharePoint Online: Set Active Directory Security Group as Site Collection Administrator using PowerShell”

  • Very nice write-up. However, I need to do this via Azure Automation with no user interaction required. How would I accomplish this?

    Reply
  • I noticed that you didn’t include a PnP version of these commands. I found a PnP solution here that I adapted: https://sharepoint.stackexchange.com/a/268257.

    ——————————————————————-
    # Set mode
    $mode = 'test' # 'execute' #

    # Sites with permissions being changed
    $sitescsvfilepath = 'fullpath1'
    $sites = Import-Csv -Path $sitescsvfilepath

    # Groups to be added with permissions to each site
    $groupscsvfilepath = 'fullpath2'
    $groups = Import-Csv -Path $groupscsvfilepath

    foreach ($site in $sites.siteurls) {
        Write-Host "Connecting to $site..."
        Connect-PnPOnline -Url $site -Interactive
        Get-PnPSiteCollectionAdmin
        $web = Get-PnPWeb

        foreach ($group in $groups.groupids) {
            Try {
                $azureADGroup = "c:0t.c|tenant|$group"
                $user = Get-PnPUser -Identity $azureADGroup
                If ($mode -eq 'test')
                {
                    Write-Host -f Yellow "Would add $($user.Title) as site collection admin"
                }
                Elseif ($mode -eq 'execute')
                {
                    Add-PnPSiteCollectionAdmin -Owners $user.LoginName
                    Write-Host -f Green "Added $($user.Title) as site collection admin successfully"
                }
            }
            Catch {
                Write-Host -f Red "Error... $($_.Exception.Message)"
            }
        }
    }
    Write-Host 'Done!'

    Reply
    • A big thanks to you! PnP rocks

      Reply
