How to Add an Office 365 Security Group as site collection admin using PowerShell

    Question

  • Hi,

    I've been trying to write a PowerShell script to walk through the entire O365 SharePoint Online tenant and add an Office 365 Security group (one that doesn't have an email address associated with it) to the primary or secondary site collection (SC) administrators for each site. The group will support eDiscovery and Administrative Support activities.

    I have the script working to enumerate all site collections but have hit a problem when I want to add the group.

    I can use the following cmdlet to add a user as an SC admin:

    Set-SPOUser -Site $siteUrl -LoginName $userEmail -IsSiteCollectionAdmin $true

    Where $userEmail is a valid email address in the tenant. The issue is that the Office 365 Security group doesn't have an email address so I can't use it here. I can enumerate the group using the following but I can't find any way to use the output from this and apply it to adding it to the SC admins group.

    Get-MsolGroup -SearchString "SharePoint eDisc and Admins"

    Can you please provide some assistance as to how to successfully add an Office 365 Security group to the primary or secondary site collection (SC) administrators for a site using PowerShell.

    I've been told by Partner Support that this is not possible using the current SPO cmdlets and that CSOM is not within their support scope. So can anyone help with this query in relation to how to achieve this using CSOM within PowerShell?

    Thanks in advance,

    KB


    Kirk Barrett, CSC

    Wednesday, March 23, 2016 5:48 AM

Answers

  • Thanks Amit.

    Whilst using the ObjectID returned from Get-MsolGroup didn't solve the problem, the URL you provided did provide a hint as to a possible solution in one of the comments.

    I have now followed up on this and can report back that I have worked out how to achieve the desired result.

    First you need to determine the claims-encoded identity for the security group. One simple manual way of doing this is to go to a site and use the Check Permissions feature under Site Permissions in Site Settings. Check the permissions for the security group in question and part of the report provides you with the claims-encoded identity. It should look something like 'c:0-.f|rolemanager|s-1-1-11-111111111-1111111111-1111111111-11111111'. In my case this manual approach is fine but it is probably possible to retrieve this using PowerShell as well.

    Once you know this information you can substitute it where you would normally use the user's email address in the Set-SPOUser call and it will recognise the security group and set it in the Secondary Site Collection Admins group, e.g.

    Set-SPOUser -Site $targetsite -LoginName "c:0-.f|rolemanager|s-1-1-11-111111111-1111111111-1111111111-11111111" -IsSiteCollectionAdmin $true


    Kirk Barrett, CSC

    Friday, April 1, 2016 5:19 AM
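    A script built on the approach in the answer above, added here as an example and not part of the thread. It assumes the SharePoint Online Management Shell cmdlets (Connect-SPOService, Get-SPOSite, Get-SPOUser, Set-SPOUser), that $GroupClaim holds the claims-encoded identity found via Check Permissions, and that Get-SPOUser reports the group under that same LoginName; the admin URL is a placeholder. It checks each site collection before changing anything, so it can be re-run periodically to restore the eDiscovery group where someone has removed it, and -WhatIf only reports what would change.

```powershell
# Example only (not from the thread). Ensures a security group, identified by its
# claims-encoded login name, is a site collection admin on every site collection.
param(
    [Parameter(Mandatory)] [string] $AdminUrl,    # e.g. https://contoso-admin.sharepoint.com (placeholder)
    [Parameter(Mandatory)] [string] $GroupClaim,  # e.g. "c:0-.f|rolemanager|s-1-1-11-..." from Check Permissions
    [switch] $WhatIf                              # report only, change nothing
)

Connect-SPOService -Url $AdminUrl

function Ensure-GroupIsSiteCollectionAdmin {
    param([string] $SiteUrl, [string] $Claim, [bool] $DryRun)

    # Assumption: the group appears in Get-SPOUser output with LoginName equal to its claim.
    $existing = Get-SPOUser -Site $SiteUrl -Limit All -ErrorAction Stop |
        Where-Object { $_.LoginName -eq $Claim }

    if ($existing -and $existing.IsSiteAdmin) {
        return 'already-admin'          # nothing to do; keeps the script idempotent
    }
    if ($DryRun) {
        return 'would-add'
    }
    Set-SPOUser -Site $SiteUrl -LoginName $Claim -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
    return 'added'
}

# -Limit All avoids the default page size so no site collection is silently skipped.
$results = foreach ($site in (Get-SPOSite -Limit All)) {
    try {
        $state = Ensure-GroupIsSiteCollectionAdmin -SiteUrl $site.Url -Claim $GroupClaim -DryRun $WhatIf.IsPresent
    } catch {
        $state = "error: $($_.Exception.Message)"   # e.g. locked or no-access site; continue with the rest
    }
    [pscustomobject]@{ Site = $site.Url; Result = $state }
}

# Summary table doubles as an audit record of which sites were missing the group.
$results | Format-Table -AutoSize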

All replies

  • Can't be done at all, PowerShell or GUI. The Primary and Secondary SCA must be individual users.
    Wednesday, March 23, 2016 9:19 AM
    Fortunately you are wrong regarding the GUI as we currently add an O365 security group both via the O365 SharePoint admin GUI and directly via the Site Settings path on the Site Collection.

    There is also a provider hosted app running in our tenant that provisions custom site collections that does this as well so it is possible via code route.

    I simply want to write some admin scripts for periodically updating these sites in cases where an individual removes our 'SharePoint eDisc and Admins' group.

    Kirk


    Kirk Barrett, CSC

    Wednesday, March 23, 2016 9:00 PM
    Do you mean as a Site Collection Admin or THE Primary Site Collection Admin? The former is possible, easy even, but I'm confident the second isn't. Given that you're describing adding it through Site Settings it can't be the former in that case.

    Do you just want to add the group as a SCA or do you need to add it as the Primary/Secondary Site Collection owner?

    Thursday, March 24, 2016 12:14 AM
  • Yep, it's possible to add an Office 365 Security Group as the primary site collection administrator see snapshot below...


    Kirk Barrett, CSC

    Thursday, March 24, 2016 12:23 AM
    That is very interesting, especially given the description text next to it saying it's not supported and that it's never worked on-prem. Technically that screenshot doesn't prove it can be done (that could be a user or you could have resolved it but not hit submit) but that'd be a weird thing to do so they must have updated things.

    The PowerShell to change that value is Set-SPSite, as you're probably aware. Have you tried it with Domain\username format?

    https://technet.microsoft.com/en-GB/library/ff607958.aspx

    It also may not be supported to use a non-email enabled account. That would mean that emails to the PSCA can't be sent which is an assumption that underpins a reasonable amount of use cases

    Thursday, March 24, 2016 9:06 AM
    I am not sure how much this will help but try using the Group ObjectID by using Get-MsolGroup.

    Once you get the ObjectID try and pass the objectID to your Set-SPOUser and see if that helps.

    Also check the following thread for some help. 

    http://sharepoint.stackexchange.com/questions/114421/can-i-use-set-spouser-to-set-an-o365-security-group-as-a-secondary-site-collecti

    I am not sure I can access the O365 Security groups using CSOM (still researching) but give this a try and see if it helps.

    Thursday, March 24, 2016 2:51 PM
    Moderator
  • A note on Kirk's answer... his example script at the bottom cut off the "c" at the start of the identity.
    Wednesday, May 17, 2017 5:53 PM
  • Hi Friends,

    Posting to an old thread, so that it's easy for other Fellows. :)

    With the manual way, you can easily find the Group Security ID by visiting the site and then Site Settings > Site Permissions > Check Permissions > Enter Group Name, as shown in Picture 1.

    Picture 1

    Hit Check Now and you will see the group ID as below (Picture #2).

    Picture #2


    Sunday, May 13, 2018 5:57 AM