Assign eDiscovery permissions to OneDrive for Business sites

You can use the eDiscovery Center in SharePoint Online to search all OneDrive for Business sites in your organization for certain keywords, sensitive information, and other search criteria. Each user in your organization is the owner of their OneDrive for Business site, which is located in the site collection named https://domain-my.sharepoint.com. By default, an Office 365 global administrator or compliance manager can’t use the eDiscovery Center in SharePoint Online to search any OneDrive for Business sites. To search a OneDrive for Business site, administrators or compliance managers must be a site collection administrator for that OneDrive for Business site.

This topic guides you through the steps to make an administrator or compliance manager a site collection administrator for every OneDrive for Business site in your organization.

Step 1: Connect SharePoint Online Management Shell to your organization

Step 2: Collect a list of all OneDrive for Business sites

Step 3: Assign a user as a site collection administrator to OneDrive for Business sites

See the More information section at the end of this topic for tips about using these scripts, including revising the script in Step 3 to remove a user as a site collection administrator from OneDrive for Business sites.

Before you begin

  • Install the SharePoint Online Management Shell. For information, see Set up the SharePoint Online Management Shell Windows PowerShell environment.

  • Run the script in Step 3 each time you want to assign a user as a site collection administrator to any OneDrive for Business sites in your organization.

    Important: An administrator or compliance manager who is a site collection administrator for OneDrive for Business sites can open users’ OneDrive for Business document libraries and perform the same tasks as the owner. It's important to control and monitor who has been assigned eDiscovery permissions to OneDrive for Business sites in your organization.

  • The sample scripts provided in this topic aren’t supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Step 1: Connect SharePoint Online Management Shell to your organization

  1. On your local computer, open the SharePoint Online Management Shell, and run the following command:

    $credentials = Get-Credential

    In the Windows PowerShell Credential Request dialog box, type the user name and password for your Office 365 global administrator account, and then click OK.

  2. Run the following command to connect the Shell to your SharePoint Online organization:

    Connect-SPOService -Url https://<your organization name>-admin.sharepoint.com -Credential $credentials

  3. To verify that you are connected to your SharePoint Online organization, run the following command to get a list of all the sites in your organization:

    Get-SPOSite

Step 2: Collect a list of all OneDrive for Business sites

In this step, you run a Shell script to create a list of all OneDrive for Business sites in your organization. This list is saved to a text file. The script that you run in Step 3 assigns a specified user as a site collection administrator to each OneDrive for Business site listed in the text file that’s created in this step. You might want to edit this file by removing sites before you run the script in Step 3. See More information at the end of this topic for tips on assigning eDiscovery permissions to batches of users.

  1. Save the following text to a text file. For example, you could save it to a file named GetOD4BSites.txt.

    # URL for your organization's SharePoint Online admin service
    $AdminURI = "https://<your organization name>-admin.sharepoint.com"

    # User account for an Office 365 global admin in your organization
    $AdminAccount = "<global admin account>"
    $AdminPass = "<password for global admin account>"

    # Where should we save the list of MySites?
    $LogFile = 'C:\Users\youralias\Desktop\ListOfMysites.txt'

    # Begin the process

    $loadInfo1 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
    $loadInfo2 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.Runtime")
    $loadInfo3 = [System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")

    # Convert the password to a secure string, then zero out the cleartext version ;)
    $sstr = ConvertTo-SecureString -String $AdminPass -AsPlainText -Force
    $AdminPass = ""

    # Take the AdminAccount and the AdminAccount password, and create a credential
    $creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminAccount, $sstr)

    # Add the path of the User Profile Service to the SharePoint Online admin URL, then create a
    # new web service proxy to access it. Default (Windows) credentials are explicitly turned off
    # because the proxy must authenticate with the SharePoint Online credential created above.
    $proxyaddr = "$AdminURI/_vti_bin/UserProfileService.asmx?wsdl"
    $UserProfileService = New-WebServiceProxy -Uri $proxyaddr -UseDefaultCredential:$false
    $UserProfileService.Credentials = $creds

    # Take care of auth cookies
    $strAuthCookie = $creds.GetAuthenticationCookie($AdminURI)
    $uri = New-Object System.Uri($AdminURI)
    $container = New-Object System.Net.CookieContainer
    $container.SetCookies($uri, $strAuthCookie)
    $UserProfileService.CookieContainer = $container

    # Grab the first user profile, at index -1
    $UserProfileResult = $UserProfileService.GetUserProfileByIndex(-1)

    Write-Host "Starting - This could take a while."

    $NumProfiles = $UserProfileService.GetUserProfileCount()
    $i = 1

    # As long as the next user profile is NOT the one we started with (at -1)...
    While ($UserProfileResult.NextValue -ne -1)
    {
        Write-Host "Examining profile $i of $NumProfiles"

        # Look for the PersonalSpace property in the user profile and pull it out
        # (PersonalSpace is the name of the path to a user's MySite)
        $Prop = $UserProfileResult.UserProfile | Where-Object { $_.Name -eq "PersonalSpace" }
        $Url = $Prop.Values[0].Value

        # If "PersonalSpace" (which we've copied to $Url) exists, log it to our file...
        if ($Url) {
            $Url | Out-File $LogFile -Append -Force
        }

        # And now we check the next profile the same way...
        $UserProfileResult = $UserProfileService.GetUserProfileByIndex($UserProfileResult.NextValue)
        $i++
    }

    Write-Host "Done!"
  2. Edit the following variables in the beginning of the script file, and use the information that’s specific to your organization. The following examples assume that your organization name is Contoso. Be sure to surround the values for the variables with double-quotation marks (" ").

    • $AdminURI   This specifies the URI for your SharePoint Online admin service, for example, "https://contoso-admin.sharepoint.com".

    • $AdminAccount   This specifies a global administrator account in your Office 365 organization, for example, "admin@contoso.onmicrosoft.com".

    • $AdminPass   This specifies the password for the account that’s specified by $AdminAccount, for example, "J$P1ter1".

    • $LogFile   This specifies the full path of the text file that’s created and contains a list of all the OneDrive for Business sites in your organization. For example, to save this file to the desktop, use 'C:\Users\<youralias>\Desktop\ListOfMysites.txt'. Be sure to surround the value for this variable with single-quotation marks (' '). Note that you specify this same location in the script that you run in Step 3.

  3. Save the text file as a PowerShell script file by changing the file name suffix to .ps1. For example, save the file GetOD4BSites.txt as GetOD4BSites.ps1.

  4. In SharePoint Online Management Shell, go to the folder where the script that you created in the previous step is located, and then run the script, for example:

    .\GetOD4BSites.ps1

After the script successfully completes, a text file is created in the location specified by the $LogFile variable in the script. This file contains a list of all OneDrive for Business sites in your SharePoint Online organization. The following text provides an example of how the list of sites in this file should be formatted. You can remove sites from this file if necessary.

/personal/annb_contoso_onmicrosoft_com/
/personal/carolt_contoso_onmicrosoft_com/
/personal/esterv_contoso_onmicrosoft_com/
/personal/hollyh_contoso_onmicrosoft_com/
/personal/jeffl_contoso_onmicrosoft_com/
/personal/joeh_contoso_onmicrosoft_com/
/personal/kaia_contoso_onmicrosoft_com/

Step 3: Assign a user as a site collection administrator to OneDrive for Business sites

The next step is to run another script that assigns a specified user as a site collection administrator in every OneDrive for Business site in your organization. This script uses the list of OneDrive for Business sites that was created when you ran the script in Step 2. As previously stated, you have to run this script each time that you want to assign a user as a site collection administrator to OneDrive for Business sites.

  1. Save the following text to a text file. For example, you could save it to a file named OD4BAssignSCA.txt.

    # Start logging, so if this script fails, you can look at the last successful change,
    # remove any OneDrive for Business paths that worked from the input file, and then rerun the script.

    Start-Transcript

    # URL for your organization's SPO admin service
    $AdminURI = "https://<your organization name>-admin.sharepoint.com"

    # User account for an Office 365 global admin in your organization
    $AdminAccount = "<global admin account>"

    # Compliance manager to be made site collection admin on each MySite
    $eDiscoveryUser = "<eDiscovery user account>"

    # URL for your tenant's MySite domain
    $MySitePrefix = "https://<your organization name>-my.sharepoint.com"

    # Where should we read the list of MySites?
    # This file should contain partial MySite paths formatted as follows, one per line; for example
    # /personal/junminh_contoso_onmicrosoft_com/
    $MySiteListFile = 'C:\Users\<youralias>\Desktop\ListOfMysites.txt'

    # Begin by connecting to the service (you are prompted for the password of $AdminAccount)
    Connect-SPOService -Url $AdminURI -Credential $AdminAccount

    # Make a reader for our list of MySites
    $reader = [System.IO.File]::OpenText($MySiteListFile)

    try {
        for (;;) {
            # Read a line
            $line = $reader.ReadLine()

            # Stop if it doesn't exist (end of file)
            if ($null -eq $line) { break }

            # Skip empty lines, so a trailing blank line does not turn into a bogus site URL
            if ([string]::IsNullOrWhiteSpace($line)) { continue }

            # Turn the line into a complete SharePoint site path by merging $MySitePrefix,
            # formatted like this: "https://contoso-my.sharepoint.com"
            # ...with each partial MySite path in the file, formatted like this:
            # "/personal/junminh_contoso_onmicrosoft_com/"
            $fullsitepath = "$MySitePrefix$line"
            Write-Host "Operating on $fullsitepath "

            # We need to remove the last "/" to work around an issue.
            # "/personal/junminh_contoso_onmicrosoft_com/"
            # becomes "/personal/junminh_contoso_onmicrosoft_com"
            $fullsitepath = $fullsitepath.TrimEnd("/")

            # Make the specified eDiscovery user a site collection admin on the OneDrive for Business site
            Write-Host "Making $eDiscoveryUser a Site Collection Admin"
            Set-SPOUser -Site $fullsitepath -LoginName $eDiscoveryUser -IsSiteCollectionAdmin $true
        }
    }
    finally {
        $reader.Close()
    }

    Write-Host "Done!"
    Stop-Transcript
    Write-Host "Log written."
  2. Edit the following variables in the beginning of the script file, and use information that’s specific to your organization. The following examples assume that the domain name of your organization is contoso.onmicrosoft.com. Be sure to surround the values for the variables with double-quotation marks (" ").

    • $AdminURI   This specifies the URI for your SharePoint Online admin service, for example, "https://contoso-admin.sharepoint.com".

    • $AdminAccount   This specifies a global administrator account in your Office 365 organization, for example, "admin@contoso.onmicrosoft.com".

    • $eDiscoveryUser   This specifies the user account of an administrator or compliance manager who will be assigned as a site collection administrator for every OneDrive for Business site in your organization, for example, "annb@contoso.onmicrosoft.com".

      Note: Change the user account specified by the $eDiscoveryUser variable and re-run the script to assign a different user as a site collection administrator to the OneDrive for Business sites that are specified by the $MySiteListFile variable.

    • $MySitePrefix   This specifies the URL for your organization’s MySite domain. This is the domain that contains all the OneDrive for Business sites in your organization, for example, "https://contoso-my.sharepoint.com".

    • $MySiteListFile   This specifies the full path of the text file that was created in Step 2. This file contains a list of OneDrive for Business sites in your organization, for example, 'C:\Users\<youralias>\Desktop\ListOfMysites.txt'. Be sure to surround the value for this variable with single-quotation marks (' '). Note that you should specify the same location as you did in the script that you ran in Step 2.

  3. Save the text file as a PowerShell script file by changing the file name suffix to .ps1. For example, save the file OD4BAssignSCA.txt as OD4BAssignSCA.ps1.

  4. In SharePoint Online Management Shell, go to the folder that contains the PowerShell script that you created in the previous step, and then run the script, for example:

    .\OD4BAssignSCA.ps1

    You will be prompted to enter the password for the administrator account that you specified in the script. If the script runs successfully, the message "Making <user specified by $eDiscoveryUser> a Site Collection Admin" is displayed for each OneDrive for Business site that’s listed in the input file specified by $MySiteListFile.
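Because the Step 3 script only reports what it attempted, the following added script (not part of this topic's sample scripts) checks the result afterwards: for every site in the same list file it asks SharePoint Online which accounts are site collection administrators and reports any site where the eDiscovery user is missing, which is also how you can later detect that a user removed the assignment from their own site. It assumes an existing Connect-SPOService session, the same $eDiscoveryUser, $MySitePrefix and $MySiteListFile values as the Step 3 script, that Get-SPOUser returns objects with LoginName and IsSiteAdmin properties, and an output path ($ReportFile) chosen here for illustration.

```powershell
# Added verification script (not one of the topic's sample scripts).
# Assumes Connect-SPOService has already been run in this session.
$eDiscoveryUser = "<eDiscovery user account>"
$MySitePrefix   = "https://<your organization name>-my.sharepoint.com"
$MySiteListFile = 'C:\Users\<youralias>\Desktop\ListOfMysites.txt'
$ReportFile     = 'C:\Users\<youralias>\Desktop\SCA-Verification.csv'   # assumed output path

$results = foreach ($line in Get-Content $MySiteListFile) {
    # Only lines that look like partial MySite paths are sites; skip blanks and any
    # record-keeping lines you may have added to the file
    if ([string]::IsNullOrWhiteSpace($line) -or $line -notmatch '^/personal/') { continue }

    # Same URL construction as the Step 3 script, including the trailing "/" removal
    $site = ("$MySitePrefix$line").TrimEnd('/')
    try {
        # Get-SPOUser -Site lists the users of that site collection; IsSiteAdmin marks
        # site collection administrators
        $admins  = @(Get-SPOUser -Site $site | Where-Object { $_.IsSiteAdmin })
        $hasUser = @($admins | Where-Object { $_.LoginName -eq $eDiscoveryUser }).Count -gt 0
        [pscustomobject]@{
            Site       = $site
            HasSCA     = $hasUser
            AdminCount = $admins.Count
            Checked    = (Get-Date).ToString('s')
            Error      = $null
        }
    }
    catch {
        # A failed lookup (deleted site, no access) is reported rather than silently skipped
        [pscustomobject]@{
            Site       = $site
            HasSCA     = $false
            AdminCount = $null
            Checked    = (Get-Date).ToString('s')
            Error      = $_.Exception.Message
        }
    }
}

# Keep the full result as a record, and show the sites that need attention
$results | Export-Csv -Path $ReportFile -NoTypeInformation
$missing = @($results | Where-Object { -not $_.HasSCA })
Write-Host ("Checked {0} sites; {1} without {2} as site collection admin." -f @($results).Count, $missing.Count, $eDiscoveryUser)
$missing | Format-Table Site, Error -AutoSize
```

Run it from the same SharePoint Online Management Shell session right after OD4BAssignSCA.ps1 to confirm the assignment, and again later (for example on a schedule) to find sites where the eDiscovery user has since been removed; those sites can be copied into a new list file and fed back to the Step 3 script.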

More information

  • The script that you ran in Step 3 uses the Set-SPOUser cmdlet to assign the specified user as a site collection administrator to every OneDrive for Business site that’s listed in the file specified by the $MySiteListFile variable. If you have a very large organization with thousands of users, consider doing the following to make it easier to manage assigning eDiscovery permissions.

    • Edit the file created by the script in Step 2 that contains the list of OneDrive for Business sites so that it includes only the sites for users who are involved in active legal cases.

    • Assign permissions to no more than 2,500 OneDrive for Business sites per day. For example, let’s say you have 10,000 OneDrive for Business sites in your organization. You could run the script in Step 2 to collect all the sites. Then you could use that file to create four files that each contain 2,500 users. On the first day, you would run the script in Step 3 to assign permissions to the first 2,500 OneDrive for Business sites. On the second day, you would run the script for the next 2,500 OneDrive for Business sites, and so on.

  • Keep a record of the OneDrive for Business sites that were assigned eDiscovery permissions and the user who is assigned as the site collection administrator. For example, after you assign permissions, you can save the text file that contains the list of OneDrive for Business sites and add a line to it that identifies the user who is assigned as the site collection administrator.

  • Users can view the list of site collection administrators for their OneDrive for Business site. Because users are site collection administrators for their own OneDrive for Business site, they can remove site collection administrators. Consider doing the following to mitigate the chance of users removing the user who is assigned eDiscovery permissions to OneDrive for Business sites.

    • Communicate to users that for eDiscovery and compliance purposes, a compliance officer has been assigned as a site collection administrator to OneDrive for Business sites in your organization.

    • Re-run the script in Step 3, if necessary, to re-assign a user as the site collection administrator for OneDrive for Business sites.

  • You can also use the script that you ran in Step 3 to remove a user as the site collection administrator from OneDrive for Business sites. To remove a user as a site collection administrator, you have to change the following command (near the end of the script) from:

    Set-SPOUser -Site $fullsitepath -LoginName $eDiscoveryUser -IsSiteCollectionAdmin $true

    to:

    Set-SPOUser -Site $fullsitepath -LoginName $eDiscoveryUser -IsSiteCollectionAdmin $false

    You can also change the following line in the script from:

    "Making $eDiscoveryUser a Site Collection Admin"

    to:

    "Removing $eDiscoveryUser as a Site Collection Admin"

    After you make these changes, save the script with a different name, such as OD4BRemoveSCA.ps1, and then use it to remove a user as a site collection administrator from a group of OneDrive for Business sites.

  • When the script in Step 2 runs, it processes each profile found in your organization and displays the message, "Examining profile x of y". The total number of profiles that are examined might be more than the number of OneDrive for Business sites that are saved to the ListOfMysites output file. This is normal because only users who have used or opened their OneDrive for Business site are included in the output file.
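The batching and record-keeping tips above can be scripted. The following added example (not one of this topic's sample scripts) splits the ListOfMysites.txt file created in Step 2 into batch files of at most 2,500 sites each, so that the Step 3 script can be pointed at one batch file per day through its $MySiteListFile variable, and it keeps the record of which user was assigned to which batch in a separate CSV file rather than inside the list file, so the batch file can be reused as Step 3 input unchanged. The folder name, batch file names, the record file layout and the Add-SCAAssignmentRecord function are assumptions made for this example.

```powershell
# Added example (not one of the topic's sample scripts).
$MySiteListFile = 'C:\Users\<youralias>\Desktop\ListOfMysites.txt'
$BatchFolder    = 'C:\Users\<youralias>\Desktop\OD4BBatches'            # assumed output folder
$RecordFile     = 'C:\Users\<youralias>\Desktop\OD4B-SCA-Record.csv'    # assumed record file
$eDiscoveryUser = "<eDiscovery user account>"
$BatchSize      = 2500   # the per-day limit suggested above

# Read the Step 2 output, keep only partial MySite paths, and drop duplicates
$sites = @(Get-Content $MySiteListFile | Where-Object { $_ -match '^/personal/' } | Sort-Object -Unique)
New-Item -ItemType Directory -Path $BatchFolder -Force | Out-Null

# Write batch files ListOfMysites-batch01.txt, ListOfMysites-batch02.txt, ...
$batchCount = [math]::Ceiling($sites.Count / $BatchSize)
for ($b = 0; $b -lt $batchCount; $b++) {
    $chunk     = @($sites | Select-Object -Skip ($b * $BatchSize) -First $BatchSize)
    $batchFile = Join-Path $BatchFolder ("ListOfMysites-batch{0:D2}.txt" -f ($b + 1))
    $chunk | Set-Content -Path $batchFile
    Write-Host ("Batch {0}: {1} sites -> {2}" -f ($b + 1), $chunk.Count, $batchFile)
}

# Call this after the Step 3 script has completed successfully for a batch file.
# It appends one row per batch recording which user was assigned and when, so the
# record survives even if the batch files are later edited or deleted.
function Add-SCAAssignmentRecord {
    param(
        [Parameter(Mandatory)] [string] $BatchFile,
        [Parameter(Mandatory)] [string] $AssignedUser,
        [Parameter(Mandatory)] [string] $RecordFile
    )
    [pscustomobject]@{
        BatchFile    = $BatchFile
        SiteCount    = @(Get-Content $BatchFile | Where-Object { $_ -match '^/personal/' }).Count
        AssignedUser = $AssignedUser
        Assigned     = (Get-Date).ToString('s')
    } | Export-Csv -Path $RecordFile -Append -NoTypeInformation
}

# Example of recording the first batch once Step 3 has run against it
Add-SCAAssignmentRecord -BatchFile (Join-Path $BatchFolder 'ListOfMysites-batch01.txt') `
                        -AssignedUser $eDiscoveryUser -RecordFile $RecordFile
```

For each day's run, set $MySiteListFile in OD4BAssignSCA.ps1 to that day's batch file, run the script, check the transcript, and then call Add-SCAAssignmentRecord for that batch; the same record file can be used when the removal variant of the script is run, with the removed user's account noted in the AssignedUser column.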
