Remove sharing permissions on all files in users’ OneDrive for Business

A while back I posted a “proof of concept” article/script about enumerating all shared files across your Office 365/OneDrive for Business environment. The script used the Graph API endpoints to get a list of users within your tenant, then for each user checked the presence of a OneDrive “drive”, enumerated the items therein and spilled details for any “shared” file. Sort of like the “sharing” report that you can generate within Office 365, but for all users.

You can apply much of the same code to a different scenario – removing access for any shared files. This is a common task for “leavers” scenarios, where the organization wants to make sure that content of user’s drive will not be accessible anymore by anyone else other than some designated person, be it the user’s manager or someone within the same team or even the legal department. A quick way to achieve this is to play with the sharing permissions on the individual Site collection corresponding to the user’s drive, but where’s the fun in that. Instead, I’ve compiled another “proof of concept” script that will remove sharing permissions from any and all files within given user’s OneDrive for business drive. Kind of like the “stop sharing” button we have for individual items, but applied at the user level.

As before, we will be using the Graph API endpoints, and to start with, we need a valid token. The script uses the application permissions model, so you will need to provide your tenantID, the appID of an Azure AD application you’ve created and the client secret associated with it. The application will need to have the Sites.ReadWrite.All permission in order to be able to enumerate drives, files within them and their permissions, as well as remove the permission entries. Users.Read.All permissions are also necessary, as to perform a check whether the provided user identifier corresponds to an actual user within the tenant.

If a valid drive is found for the user, the script will proceed to enumerate all items within it, depending on the specified parameter values. Unlike the “report” script, this time we will expand folders by default (controlled via the –ExpandFolders switch), up to a depth of two levels (controlled via the –Depth parameter), as to make sure we cover the bulk of the items available within the drive. The last parameter you need to specify is the user against which we will be running the script, via the –User parameter, and provide the value in the form of an UserPrincipalName or GUID. You can also specify the –Verbose switch to spill out additional details during the processing of the drive in question.

Without further ado, you can find the script over at GitHub. Once you have downloaded it, use the following syntax to run it against a given user:

Note that not all permissions can be removed, for example secondary admin for the ODFB site will always keep their access. Here’s also a sample screenshot of the output generated (some improvements are needed there, but I got bored):

If needed, the script can be modified to perform this action for a set or all users within the tenant, but that’s an exercise I’ll leave to the reader. Other improvements that can be made include a more robust error handling, better handling of the output (generating a report?), adding a check whether a file is externally shared and a script parameter to remove just such permissions, etc. Token renewal is something else you might want to take care of, even though it shouldn’t be necessary as we’re handling one user at a time.