The Problem:
In SharePoint Online (at least as of early 2015), site collection administrators have to be granted on a site-by-site basis.
When you create a new site collection using https://yoururl-admin.sharepoint.com, you are only allowed to pick ONE administrator for the site collection (on-premises, you used to pick two).
Now, a little trick you can use: after the site collection is created, you can check the site collection, then click the “owners” tab, and from that screen you can add as many site collection administrators as you’d like.
But there is a downside: you can’t “select all” on all your site collections and add a user to all site collections at once.
Now, I hear you saying “Jack: What if I have 500 site collections and we add a new member to our team?” There’s got to be a better way, right? And it turns out, there is.
The Solution: PowerShell…
A quick note before we get to the script: you’ll need the SharePoint Online Management Shell installed on your PC before this will work.
Here’s a quick overview of how to use the script:
Update all the relevant variables:
- Admin site URL ($adminurl), and the $username that has permissions to log into the admin site url to make the change.
- Put in your $TenantURL
- Update the list of $SiteCollectionAdmins with the list of users you want to make site collection admins
Run the script.
When you run the script, it will try to log on to your SPO account and prompt you for your SPO password. You should then see some slow and steady progress as it runs through each site collection. Finally, at the end, you can review the log file to see if there were any issues.
The Script:
```powershell
# Jack Fruh - sharepointjack.com
# add a user or users to the site collection admin role on every site collection in Office 365 sites (SharePoint Online)

#setup a log path
$path = "$($(get-location).path)\LogFile.txt"
#note we're using start-transcript, this does not work from inside the powershell ISE, only the command prompt
start-transcript -path $Path
write-host "This will connect to SharePoint Online"

#Admin Variables:
$Adminurl = "https://yoururl-admin.sharepoint.com"
$username = "your@email.com"

#Tenant Variables:
$TenantURL = "https://yoururl.sharepoint.com"
$SiteCollectionAdmins = @("firstuser@yourdomain.com", "seconduser@yourdomain.com", "etc@yourdomain.com")

#Connect to SPO
$SecurePWD = read-host -assecurestring "Enter Password for $username"
$credential = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $SecurePWD
Connect-SPOService -url $Adminurl -credential $credential
write-host "Connected" -foregroundcolor green

$sites = get-sposite
Foreach ($site in $sites)
{
    Write-host "Adding users to $($site.URL)" -foregroundcolor yellow

    #get the owner group name
    $ownerGroup = get-spoSitegroup -site $site.url | where {$_.title -like "*Owners"}
    $ownertitle = $ownerGroup.title
    Write-host "Owner Group is named > $ownertitle > " -foregroundcolor cyan

    #add the Site Collection Admin to the site in the owners group
    foreach ($user in $SiteCollectionAdmins)
    {
        Write-host "Adding $user to $($site.URL) as a user..."
        add-SPOuser -site $site.url -LoginName $user -group $ownerTitle
        write-host "Done"

        #Set the site collection admin flag for the Site collection admin
        write-host "Setting up $user as a site collection admin on $($site.url)..."
        set-spouser -site $site.url -loginname $user -IsSiteCollectionAdmin $true
        write-host "Done" -foregroundcolor green
    }
}
Write-host "Done with everything" -foregroundcolor green
stop-transcript
```
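An added example, not part of the original post or its script: after a bulk grant like the one above, it is worth checking which accounts actually hold the site collection admin flag on each site, both to catch sites the script failed on and to spot admins nobody intended. The function name `Get-SiteAdminDrift` and the sample records are constructed for illustration; the commented live-tenant lines assume `Connect-SPOService` has already been run.

```powershell
# Added example: compare actual site collection admins with the intended list.
# Get-SiteAdminDrift is a hypothetical helper name, not an SPO cmdlet.
function Get-SiteAdminDrift {
    param(
        # Objects with Url, LoginName and IsSiteAdmin properties
        [Parameter(Mandatory)] [object[]] $Users,
        # Logins that should be site collection admins everywhere
        [Parameter(Mandatory)] [string[]] $ExpectedAdmins
    )
    foreach ($siteGroup in ($Users | Group-Object -Property Url)) {
        # -contains / -notcontains compare strings case-insensitively
        $actual = @($siteGroup.Group | Where-Object { $_.IsSiteAdmin } |
                    ForEach-Object { $_.LoginName })
        foreach ($login in $ExpectedAdmins) {
            if ($actual -notcontains $login) {
                [pscustomobject]@{ Url = $siteGroup.Name; LoginName = $login; Finding = 'Missing' }
            }
        }
        foreach ($login in $actual) {
            if ($ExpectedAdmins -notcontains $login) {
                # Not necessarily wrong (e.g. the original owner), but worth a review
                [pscustomobject]@{ Url = $siteGroup.Name; LoginName = $login; Finding = 'Unexpected' }
            }
        }
    }
}

# Constructed sample records, shaped like Get-SPOUser output plus the site URL.
$siteA = 'https://yoururl.sharepoint.com/sites/a'
$siteB = 'https://yoururl.sharepoint.com/sites/b'
$sample = @(
    [pscustomobject]@{ Url = $siteA; LoginName = 'firstuser@yourdomain.com';  IsSiteAdmin = $true }
    [pscustomobject]@{ Url = $siteA; LoginName = 'seconduser@yourdomain.com'; IsSiteAdmin = $true }
    [pscustomobject]@{ Url = $siteB; LoginName = 'firstuser@yourdomain.com';  IsSiteAdmin = $true }
    [pscustomobject]@{ Url = $siteB; LoginName = 'seconduser@yourdomain.com'; IsSiteAdmin = $false }
    [pscustomobject]@{ Url = $siteB; LoginName = 'olduser@yourdomain.com';    IsSiteAdmin = $true }
)
$expected = @('firstuser@yourdomain.com', 'seconduser@yourdomain.com')

# Reports seconduser as Missing and olduser as Unexpected, both on site b.
Get-SiteAdminDrift -Users $sample -ExpectedAdmins $expected | Format-Table -AutoSize

# Against a live tenant, build the input from the real cmdlets instead:
# $live = foreach ($site in Get-SPOSite -Limit All) {
#     Get-SPOUser -Site $site.Url -Limit All |
#         Select-Object @{n='Url';e={$site.Url}}, LoginName, IsSiteAdmin
# }
# Get-SiteAdminDrift -Users $live -ExpectedAdmins $expected
```

Sites where `Get-SPOUser` fails (for example, because the account has no access) produce no records and therefore no findings, so compare the number of sites audited with the number returned by `Get-SPOSite`.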
This was exactly what I was looking for. Thanks.
Excellent… This is really useful.
Nice script. Is it possible to add an AD security group into the site collection owners, not just a person(s)?
Thanks for the script, but have some questions in regards to it.
Is it possible to apply this to a security group instead of individuals?
Giving the ability to add / remove users when needed (We use AD sync with onprem AD)
If not, is there a way to also remove users when needed?
I tried changing the script by changing the line:
remove-SPOuser -site $site.url -LoginName $user -group $ownerTitle
But seemed not to work.
Cheers
How can you add a SharePoint group instead of an individual user to every site collection?
You’re adding the users to all Owners groups in a Site Collection. This is not the same as setting them as Site Collection Admins.
Sorry, should have pointed out you’re doing both, adding to the (potentially many) Owners groups and setting as site collection admin.
Oh, and I’ve just discovered this script won’t work for sites created by O365 Groups, Planner and Teams.
Looks like we’ll need to use search to bring them back – assuming we have permission to see them in the first place…
Seems like a catch-22 for those of us wanting to use service accounts for accessing SPO
I was trying with tenant.SetSiteadmin but this doesn’t seem to work with SharePoint Online PowerShell CSOM. https://github.com/SharePoint/PnP-PowerShell/issues/232
Thanks a lot….your approach is working fine, This was exactly what I was looking for. 🙂
Thanks a lot… This worked like a charm