Graph API / PowerShell Script to Remove OneDrive Share Permissions

In a recent migration project, due to legacy permissions in the source environment, I had a requirement to clear permissions for a specific user from other users OneDrive files and folders. As with a lot of the scripting I do for Office 365, the Graph API was the perfect tool for the job. I built a PowerShell script (Based on this one for permission reporting) to traverse the folder structure of a users OneDrive and remove permissions where they were granted to a specific delegate.

I originally looked at using the “SharedWithMe” endpoint of the delegates OneDrive but found this to be inconsistent, particularly with a large number of permissions so I decided to sacrifice the efficiency of targeting the files listed in the Shared With Me endpoint and just enumerate all of the files and folders.

Configure App Reg

To manage authentication and authorization for the script, an application registration in Azure AD is required. I’ve detailed the setup of an app reg multiple times in previous posts (see tip #1 here) so you can check those out for the basic setup. Once it’s in place you’ll need to add the following application permissions:

  • Directory.Read.All
  • Files.ReadWrite.All
  • Sites.ReadWrite.All

With the permissions in place and granted, take note of the usual Client ID, Tenant ID and Client Secret (tip #3). You’ll also need to know the UPN of the OneDrive user and the Delegate to remove. You can store them in variables if you like to make it easier:

$clientID = "97ca0822-c1d7-4d9d-813d-xxxxxxxxxxxx"
$tenantID = "a2f63c5b-8a0d-4bec-b01f-xxxxxxxxxxxx"
$clientSecret = "WVB7Q~nlCxYFL3atM_9ciJ6aaau2uxxxxxxxx"
$user = "IsaiahL@M365x497981.OnMicrosoft.com"
$delegate = "MeganB@M365x497981.OnMicrosoft.com"

In this post, I will be using a demo tenant. In the tenant we can see Isaiah has shared multiple files with Megan. These are visible in Megans “Shared with me” page (Figure 1).

Figure 1: Isaiah has shared multiple files with Megan

Running the script

With the above details, simply download the script from the link at the bottom of this post and run similar to the following example:

.\graph-OneDrive-Permission-Removal.ps1 -User $user -Delegate $delegate -clientID $clientID -clientSecret $clientSecret -tenantID $tenantID

The script will report out to the console as it runs (Figure 2), I didn’t include full logging in this script but you can enable a transcript using Start-Transcript to capture this detail to a file.

Figure 2: The script will output to the console as it runs

When the script runs, all permissions should be removed for the delegate user on the source users OneDrive files and folders. The “Shared with me” page may take a while to update and remove the listed files but permissions will be removed immediately and the delegate will get an access denied message as shown in Figure 3 when opening any of the files.

Figure 3: The delegate will get access denied to all files within the source OneDrive

Download the Script

The script can be downloaded from GitHub at the following link:

https://github.com/smcavinue/AdminSeanMc/blob/master/Graph%20Scripts/graph-OneDrive-Permission-Removal.ps1

There are obviously improvements and customizations that can be made to the script to meet your requirements; for instance, I didn’t really manage expiry of the Graph access token for very large OneDrives that take more than an hour but that’s the joy of sharing code, someone can always add to it and improve.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s