Created
July 18, 2023 15:23
-
-
Save FriedrichWeinmann/65765519cf25b311656eb5539970388b to your computer and use it in GitHub Desktop.
Removes all sharing permissions set to a user's OneDrive via graph API
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Requires -Modules MiniGraph | |
| <# | |
| .SYNOPSIS | |
| Clear all sharing permissions on a user's OneDrive | |
| .DESCRIPTION | |
| Before running this script, use any of the suitable Connect-* Commands in the MiniGraph module to connect. | |
| Scopes needed for this script: | |
| - User.Read.All : To retrieve the user data from graph | |
| - Sites.ReadWrite.All : To modify permissions on Sharepoint | |
| As this would usually be used for administrative purposes, Application authentication is recommended. | |
| This in turn means the permissions are highly sensitive and wide in scope. | |
| .PARAMETER Depth | |
| How deeply nested we should recurse through a user's OneDrive. | |
| Set it to a negative value to remove any depth limits. | |
| Defaults to: 2 | |
| .PARAMETER User | |
| The user to search. | |
| Will try to do them all if not specified. | |
| .PARAMETER All | |
| Confirm you really want to process ALL users in your tenant. | |
| #> | |
| [CmdletBinding()] | |
| Param( | |
| [int] | |
| $Depth = 2, | |
| [string[]] | |
| $User, | |
| [switch] | |
| $All | |
| ) | |
| $ErrorActionPreference = 'Stop' | |
| trap { | |
| Write-Warning "Script failed: $_" | |
| throw $_ | |
| } | |
| Set-GraphEndpoint -Type beta | |
| #region Functions | |
| function Resolve-GraphUser { | |
| [CmdletBinding()] | |
| param ( | |
| [AllowEmptyCollection()] | |
| [AllowNull()] | |
| [string[]] | |
| $User | |
| ) | |
| if (-not $User) { | |
| Invoke-GraphRequest -Query 'users?$select=id' | |
| return | |
| } | |
| foreach ($userName in $User) { | |
| Invoke-GraphRequest -Query "users/$($userName)?`$select=id" | |
| } | |
| } | |
| function Get-OneDriveRoot { | |
| [CmdletBinding()] | |
| param ( | |
| [parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] | |
| [Alias('id')] | |
| [string[]] | |
| $UserID, | |
| [switch] | |
| $AsPath | |
| ) | |
| process { | |
| foreach ($user in $UserID) { | |
| if ($AsPath) { | |
| "users/$($user)/drive/root" | |
| continue | |
| } | |
| try { Invoke-GraphRequest -Query "users/$($user)/drive/root" -ErrorAction Stop } | |
| catch { Write-Warning "No drive root found for $user. User has possibly not been OneDrive provisioned | $_" } | |
| } | |
| } | |
| } | |
| function Get-OneDriveItem { | |
| [CmdletBinding()] | |
| param ( | |
| [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] | |
| [string[]] | |
| $Path, | |
| [switch] | |
| $Recurse, | |
| [int] | |
| $Depth, | |
| [switch] | |
| $SharedOnly | |
| ) | |
| process { | |
| foreach ($oneDrivePath in $Path) { | |
| try { $children = Invoke-GraphRequest -Query "$oneDrivePath/children" } | |
| catch { | |
| Write-Warning "Path not found: $oneDrivePath | $_" | |
| } | |
| if ($SharedOnly) { $children | Where-Object Shared } | |
| else { $children } | |
| if (-not $Recurse) { continue } | |
| if (0 -eq $Depth) { continue } | |
| $queryRoot = $oneDrivePath -replace '^(.+?)/(.+?)/.+', '$1/$2/drive' | |
| foreach ($child in $children) { | |
| if (-not $child.Folder) { continue } | |
| Get-OneDriveItem -Path "$queryRoot/items/$($child.id)" -Recurse -Depth ($Depth - 1) | |
| } | |
| } | |
| } | |
| } | |
| function Remove-OneDriveSharingPermissions { | |
| [CmdletBinding()] | |
| Param( | |
| [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)] | |
| [ValidateNotNullOrEmpty()] | |
| [string] | |
| $UserId, | |
| [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)] | |
| [ValidateNotNullOrEmpty()] | |
| [Alias('id')] | |
| [string] | |
| $ItemId | |
| ) | |
| process { | |
| $basePath = "users/$($UserId)/drive/items/$($ItemId)/permissions" | |
| $permissions = Invoke-GraphRequest -Query $basePath | |
| foreach ($permission in $permissions) { | |
| if ($permission.inheritedFrom) { continue } | |
| if (-not $permission.Link) { continue } | |
| Write-Verbose "Clearing permission $($permission.Id) from $($ItemId) for user $($UserId)" | |
| $null = Invoke-GraphRequest -Method Delete -Query "$basePath/$($permission.id)" | |
| } | |
| } | |
| } | |
| #endregion Functions | |
| if (-not $User -and -not $All) { | |
| throw "Use the -All parameter to really, truly clear all shared documents from all users in the tenant!" | |
| } | |
| Resolve-GraphUser -User $User -OutVariable graphUser | | |
| Get-OneDriveRoot -AsPath | | |
| Get-OneDriveItem -Recurse -Depth $Depth -SharedOnly | | |
| Remove-OneDriveSharingPermissions -UserId { $graphUser.id } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment