Managing OneDrive Access Requests using PnP PowerShell


OneDrive is a crucial part of Microsoft 365, allowing users to store and share files securely. Managing access requests is an essential aspect of OneDrive administration to ensure security and proper governance. PnP PowerShell (Patterns & Practices PowerShell) provides an efficient way to manage OneDrive access requests programmatically.

This guide will walk you through managing OneDrive access requests step by step using PnP PowerShell, covering installation, authentication, retrieval of access requests, approval, and rejection.


Step 1: Install PnP PowerShell

Before using PnP PowerShell, ensure it is installed on your system. If you haven’t installed it yet, open PowerShell as an administrator and run the following command:

Install-Module -Name PnP.PowerShell -Force -AllowClobber

If you have already installed PnP PowerShell, update it to the latest version:

Update-Module -Name PnP.PowerShell

Once installed, you can verify the installation by running:

Get-Module -Name PnP.PowerShell -ListAvailable

Step 2: Connect to OneDrive Using PnP PowerShell

To manage OneDrive access requests, you need to authenticate with the appropriate permissions. Use the following command to connect to OneDrive:

Connect-PnPOnline -Scopes "Sites.FullControl.All" -Interactive

This command will prompt you to log in using your Microsoft 365 credentials. Ensure you have admin privileges to manage access requests.

Alternatively, if you want to connect using a client ID and secret (app-based authentication), use:

$clientId = "your-client-id"
$tenantId = "your-tenant-id"
$clientSecret = "your-client-secret"

Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -ClientSecret $clientSecret -Tenant $tenantId

Step 3: Retrieve OneDrive Access Requests

Once connected, retrieve all pending access requests for OneDrive by enumerating the enabled users and querying each user's personal site:

$users = Get-PnPAzureADUser -Filter "accountEnabled eq true"   # enabled users whose OneDrives to check
$requests = foreach ($u in $users) { Get-PnPRequestAccess -SiteUrl ("https://yourtenant-my.sharepoint.com/personal/" + ($u.UserPrincipalName -replace "[@.]", "_")) }
$requests

Alternatively, to get access requests for a specific user’s OneDrive, use:

$userEmail = "user@yourdomain.com"
# OneDrive personal-site URLs replace both '@' and '.' in the email with '_' (user@yourdomain.com -> user_yourdomain_com)
$oneDriveUrl = "https://yourtenant-my.sharepoint.com/personal/" + ($userEmail -replace "[@.]", "_") + "/"

$requests = Get-PnPRequestAccess -SiteUrl $oneDriveUrl
$requests

This command retrieves all pending requests, including details such as the requester’s email, requested files/folders, and the status of the request.


Step 4: Approve Access Requests

To approve an access request, use the Approve-PnPRequestAccess command:

$requestId = "request-id"
$siteUrl = "https://yourtenant-my.sharepoint.com/personal/user_domain_com"

Approve-PnPRequestAccess -SiteUrl $siteUrl -RequestId $requestId

If you want to grant a user edit or read access, use:

Grant-PnPAzureADUser -SiteUrl $siteUrl -User $userEmail -Role "Edit"

or

Grant-PnPAzureADUser -SiteUrl $siteUrl -User $userEmail -Role "Read"

Step 5: Reject Access Requests

To deny a request, use the following command:

$requestId = "request-id"
$siteUrl = "https://yourtenant-my.sharepoint.com/personal/user_domain_com"

Deny-PnPRequestAccess -SiteUrl $siteUrl -RequestId $requestId

Alternatively, you can automate the process to deny all pending requests using a loop:

foreach ($request in $requests) {
    Deny-PnPRequestAccess -SiteUrl $siteUrl -RequestId $request.Id
    Write-Host "Denied request from $($request.RequestedByEmail)"
}

Step 6: Automate Access Request Management with a Scheduled Task

If you want to automate OneDrive access request approvals or rejections, you can create a scheduled PowerShell script.

  1. Create a PowerShell script (Manage-OneDriveRequests.ps1)

    # Connect to OneDrive
    Connect-PnPOnline -Scopes "Sites.FullControl.All" -Interactive

    # Define the OneDrive site URL
    $siteUrl = "https://yourtenant-my.sharepoint.com/personal/user_domain_com"

    # Get pending requests
    $requests = Get-PnPRequestAccess -SiteUrl $siteUrl

    # Process requests: -eq is an exact (case-insensitive) comparison; -match would be a
    # regex substring test and would also accept addresses that merely contain the trusted one
    foreach ($request in $requests) {
        if ($request.RequestedByEmail -eq "trusteduser@yourdomain.com") {
            Approve-PnPRequestAccess -SiteUrl $siteUrl -RequestId $request.Id
            Write-Host "Approved request from $($request.RequestedByEmail)"
        } else {
            Deny-PnPRequestAccess -SiteUrl $siteUrl -RequestId $request.Id
            Write-Host "Denied request from $($request.RequestedByEmail)"
        }
    }
  2. Create a Scheduled Task to Run the Script
    • Open Task Scheduler on Windows.
    • Click Create Basic Task.
    • Name it “Manage OneDrive Requests” and click Next.
    • Select Daily and specify a time.
    • Choose Start a Program and browse to powershell.exe.
    • In the Arguments field, enter: -File "C:\Scripts\Manage-OneDriveRequests.ps1"
    • Click Finish.

Now the script runs automatically at the scheduled time and handles OneDrive access requests according to the rule in the script. Note that the script as written calls Connect-PnPOnline with -Interactive, which waits for a sign-in prompt that an unattended scheduled task cannot complete; for a scheduled run, switch to the app-based authentication from Step 2.


Step 7: Monitor Access Request Logs

To keep track of access requests and approvals/rejections, you can log them into a CSV file.

$logFile = "C:\Logs\OneDriveRequests.csv"

# -Append keeps the rows from earlier runs, so the file accumulates a history instead of being overwritten
$requests | Select-Object RequestedByEmail, RequestedDate | Export-Csv -Path $logFile -NoTypeInformation -Append

Write-Host "Access requests logged in $logFile"

This helps in auditing and reviewing past access requests.
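Building on Steps 3, 6 and 7, here is an added example (not part of the original post) that combines the OneDrive URL derivation, an exact allowlist decision, a dry-run switch and an appended audit log in one script. It assumes an existing Connect-PnPOnline session and the cmdlet and property names this post uses (Get-PnPRequestAccess, Approve-PnPRequestAccess, Deny-PnPRequestAccess, Id, RequestedByEmail), plus the placeholder tenant and paths from the post.

```powershell
# Added example (not from the original post): a dry-run capable version of the
# Step 6 script that decides each request against an exact allowlist and writes
# an audit row per decision. Assumes Connect-PnPOnline has already run and the
# cmdlets and property names the post uses (Get-PnPRequestAccess, Approve-/Deny-
# PnPRequestAccess, .Id, .RequestedByEmail); adjust to what your PnP version exposes.
param(
    [string]$UserEmail = "user@yourdomain.com",                      # OneDrive owner
    [string[]]$TrustedRequesters = @("trusteduser@yourdomain.com"),  # exact allowlist
    [string]$LogFile = "C:\Logs\OneDriveRequests.csv",
    [switch]$DryRun                                                   # log only, change nothing
)

# OneDrive personal-site URL: every '@' and '.' in the UPN becomes '_'.
function Get-OneDriveUrl([string]$Upn) {
    "https://yourtenant-my.sharepoint.com/personal/" + ($Upn -replace "[@.]", "_")
}

# Exact, case-insensitive allowlist check. Do not use -match here: it is a regex
# substring test, so "trusteduser@yourdomain.com" would also accept
# "nottrusteduser@yourdomain.com" or "trusteduser@yourdomain.com.example".
function Get-RequestDecision([string]$Requester, [string[]]$Allowed) {
    if ($Allowed -contains $Requester.Trim()) { "Approved" } else { "Denied" }
}

$siteUrl  = Get-OneDriveUrl $UserEmail
$requests = Get-PnPRequestAccess -SiteUrl $siteUrl   # cmdlet as used in the post

$audit = foreach ($request in $requests) {
    $decision = Get-RequestDecision $request.RequestedByEmail $TrustedRequesters
    if (-not $DryRun) {
        if ($decision -eq "Approved") {
            Approve-PnPRequestAccess -SiteUrl $siteUrl -RequestId $request.Id
        } else {
            Deny-PnPRequestAccess -SiteUrl $siteUrl -RequestId $request.Id
        }
    }
    # One audit row per request: outcome, who ran it, and whether it was a dry run.
    [pscustomobject]@{
        Timestamp = (Get-Date).ToString("o")
        SiteUrl   = $siteUrl
        RequestId = $request.Id
        Requester = $request.RequestedByEmail
        Decision  = $decision
        DryRun    = [bool]$DryRun
        RunBy     = $env:USERNAME
    }
}

# Append so earlier runs are preserved for review.
$audit | Export-Csv -Path $LogFile -NoTypeInformation -Append
```

Run it once with -DryRun to review the Decision column in the CSV before letting it approve or deny anything.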
