Remove sharing permissions on all files in users’ OneDrive for Business

A while back I posted a “proof of concept” article/script about enumerating all shared files across your Office 365/OneDrive for Business environment. The script used the Graph API endpoints to get a list of users within your tenant, then for each user checked the presence of a OneDrive “drive”, enumerated the items therein and spilled details for any “shared” file. Sort of like the “sharing” report that you can generate within Office 365, but for all users.

You can apply much of the same code to a different scenario – removing access for any shared files. This is a common task for “leavers” scenarios, where the organization wants to make sure that content of user’s drive will not be accessible anymore by anyone else other than some designated person, be it the user’s manager or someone within the same team or even the legal department. A quick way to achieve this is to play with the sharing permissions on the individual Site collection corresponding to the user’s drive, but where’s the fun in that. Instead, I’ve compiled another “proof of concept” script that will remove sharing permissions from any and all files within given user’s OneDrive for business drive. Kind of like the “stop sharing” button we have for individual items, but applied at the user level.

As before, we will be using the Graph API endpoints, and to start with, we need a valid token. The script uses the application permissions model, so you will need to provide your tenantID, the appID of an Azure AD application you’ve created and the client secret associated with it. The application will need to have the Sites.ReadWrite.All permission in order to be able to enumerate drives, files within them and their permissions, as well as remove the permission entries. Users.Read.All permissions are also necessary, as to perform a check whether the provided user identifier corresponds to an actual user within the tenant.

If a valid drive is found for the user, the script will proceed to enumerate all items within it, depending on the specified parameter values. Unlike the “report” script, this time we will expand folders by default (controlled via the –ExpandFolders switch), up to a depth of two levels (controlled via the –Depth parameter), as to make sure we cover the bulk of the items available within the drive. The last parameter you need to specify is the user against which we will be running the script, via the –User parameter, and provide the value in the form of an UserPrincipalName or GUID. You can also specify the –Verbose switch to spill out additional details during the processing of the drive in question.

Without further ado, you can find the script over at GitHub. Once you have downloaded it, use the following syntax to run it against a given user:

.\Graph_ODFB_remove_all_shared.ps1 -Verbose -User

Note that not all permissions can be removed, for example secondary admin for the ODFB site will always keep their access. Here’s also a sample screenshot of the output generated (some improvements are needed there, but I got bored):

ODFB remove sharing

If needed, the script can be modified to perform this action for a set or all users within the tenant, but that’s an exercise I’ll leave to the reader. Other improvements that can be made include a more robust error handling, better handling of the output (generating a report?), adding a check whether a file is externally shared and a script parameter to remove just such permissions, etc. Token renewal is something else you might want to take care of, even though it shouldn’t be necessary as we’re handling one user at a time.

8 thoughts on “Remove sharing permissions on all files in users’ OneDrive for Business

  1. 247iutsupport says:

    I would like such a script for removing all shared links on a sharepoint site..

  2. Jason Pollock says:

    Vasil, We have had this running for a long while (thanks to your previous help), but recently the DELETE command is no longer working to remove permissions, and no errors either. We thought this was related to using the Graph API Beta end point, changed to the v1.0 endpoint but still not working. Any ideas? Thanks again and great work on this script.

    1. Vasil Michev says:

      Seems to run fine here. Keep in mind that you cannot remove some types of permissions (i.e. inherited ones, Owner permissions, etc), it will mostly remove sharing links.

  3. Tony Liu says:

    Hi Vasil, Thank you for the sharing your works. my situation is, I would like to give my staff the ability to remove one person from all his shared files/folder, i.e. one staff run a script and specify a user ID, the script scans all his own OneDrive folders and files to remove the specific user from sharing permission list. upon my studying your script, not a good idea to let general staff know tenantID, appID, or client_secret in plain text. all suggestions are appreciated.

    1. Vasil Michev says:

      It’s a “proof of concept” script mate, you can replace the authentication part of it with a proper function that handles things in secure manner, say via certificate or Azure Key vault secret…

  4. Jason Pollock says:

    I have been looking for a script like this for a while. I know this was a lot of work to put together. I have the script logging in but it is not returning any data for any accounts. When I target an account I know has shared folders and files the script returns No shared items. Any ideas? Perms are all correct

    1. Vasil Michev says:

      It’s almost always permissions 🙂 Best run the script with the verbose switch to see what’s happening.

      1. Jason Pollock says:

        Thanks. The issue was permissions related, sort of. The app was given SharePoint Sites.ReadWrite.All not graph api Sites.ReadWrite.All access. Once we added graph api Sites.ReadWrite.All all is working. Again Thanks and great work on this script!


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.