Automating with PowerShell: setting OneDrive ownership

So I’ve been hard at work on CIPP the last couple of weeks and because of that haven’t had time to blog really. The great thing is that all of the stuff I normally blog about is pretty easy to integrate into CIPP. One of them being the subject today; sometimes you have leavers in a company you manage and you’d like to transfer the OneDrive ownership to another user, so they can check if there are no important files in there before the user is permanently deleted.

The portal makes this pretty easy, but as we do most of our offboarding using scripting we had to figure out how to do this; turns out that it’s a pretty straight forward process using the M365 hidden APIs that are used for the partner portal.

The script

For this script, you’ll need to use the Secure Application Model. If you want an easy web interface for this instead, check out our open source project named CIPP.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27


$ApplicationId = 'AppID'
$ApplicationSecret = 'AppSecret'
$RefreshToken = 'RefreshTokens'
$ExchangeRefreshToken = 'YourExchangeRefreshToken'
#### User info
$OneDriveCurrentOwner = "CurrentOwner@mail.com"
$OneDriveAddOwner = "AddedOwner@mail.com"
$Tenant = "MyClient.onmicrosoft.com"
###

$credential = New-Object System.Management.Automation.PSCredential($ApplicationId, ($ApplicationSecret | Convertto-SecureString -AsPlainText -Force))
$graphToken = New-PartnerAccessToken -ApplicationId $ApplicationId -Credential $credential -RefreshToken $refreshToken -Scopes 'https://graph.microsoft.com/.default' -ServicePrincipal -Tenant $TenantID
$GraphHeader = @{ "Authorization" = "Bearer $($graphToken.accesstoken)" }

$UserSharepoint = (Invoke-RestMethod -uri "https://graph.microsoft.com/beta/users/$($OneDriveCurrentOwner)/drive" -Headers $GraphHeader).weburl -replace "/Documents"
$GainAccessJson = '{"SecondaryContact":"' + $OneDriveAddOwner + '","IsCurrentUserPersonalSiteAdmin":false,"IsDelegatedAdmin":true,"UserPersonalSiteUrl":"' + $UserSharepoint + '"}'
$uri = "https://login.microsoftonline.com/$($Tenant)/oauth2/token"
$body = "resource=https://admin.microsoft.com&grant_type=refresh_token&refresh_token=$($ENV:ExchangeRefreshToken)"
$token = Invoke-RestMethod $uri -Body $body -ContentType "application/x-www-form-urlencoded" -ErrorAction SilentlyContinue -Method post
$OwnershipOnedrive = Invoke-RestMethod -ContentType "application/json;charset=UTF-8" -Uri 'https://admin.microsoft.com/admin/api/users/setSecondaryOwner' -Body $GainAccessJson -Method POST -Headers @{
    Authorization            = "Bearer $($token.access_token)";
"x-ms-client-request-id" = [guid]::NewGuid().ToString();
"x-ms-client-session-id" = [guid]::NewGuid().ToString()
'x-ms-correlation-id' = [guid]::NewGuid()
'X-Requested-With' = 'XMLHttpRequest'
}
$OwnershipOnedrive

And that’s it. This’ll help you offboard those users just a little bit easier, as always, Happy PowerShelling! 🙂