OneDrive for Business Shared With Me Folder Permissions Management

Recently I had a client that wanted the Everyone permissions revoked from the Shared with Everyone folder in their employees’ OneDrive for Business.  They didn’t want anyone sharing items with everyone.  Part of that is to use the Set-SPOTenant PowerShell cmdlet with -ShowEveryoneClaim and -ShowEveryoneExceptExternalUsersClaim both set to false.  If we can grab the folder, then what we really need to do is just reset its permissions to the default.  In fact, there is a method that we can call.  It’s called ResetRoleInheritance and it will make the item take its parent’s permissions.  If we execute that on the Shared with Everyone folder, it will become just like every other folder in the OD4B.

A OneDrive for Business with a Shared with Everyone Folder

Microsoft isn’t creating the Shared with Everyone folder on new OD4B instances, but what about all of the existing ones?  To accomplish this we will have to use the Client Side Object Model (CSOM), because the object returned by Get-SPOSite does not expose the folders in a site.  A first pass using CSOM would grab the site from the context, then grab the Folders and find the one we are looking for.

Great, we got the folder and now we can set the permissions.  Oh wait…we can’t.  The CSOM Folder object doesn’t expose the ResetRoleInheritance method.  After some checking, it is only exposed on the Items object, so we need to grab the folder as an Item and then we can reset its permissions.  OK, attempt number 2.  To grab the Items collection we will use the GetItems method on the Document Library, after we grab it as a List as opposed to a Folder collection.

Great, now that we have the Library as a List, we need to get the Item in the list.  To do that we use the GetItems method, which means we have to build a CAML query.  Yeah, I know, we all thought that CAML was going to finally die a lonely and much appreciated death, but here we are using it again.

So, we have the Items in the Folder.  I would note that you could, at this point, just use the CAML query to get the item that you want and that would be faster, but I chose to get them all and then walk them looking for the item I wanted.  Yeah, I know, not efficient, but by this time I had been beating my head against the wall for days trying to figure this out.

With that we have gotten the folder, and technically everything in that folder, and reset its permissions to the parent’s.
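The sequence described above (library as a List, a CAML query through GetItems, the folder found as an Item, then ResetRoleInheritance), as an added example that is not the post's own script. The assembly paths, the library title `Documents`, and the function name are assumptions, and the query narrows to root-level folders where the post walks every item.

```powershell
# Added example, not the original post's script.
# Assumptions: CSOM assembly paths, the library title 'Documents', and an account
# with site collection admin rights on the target OD4B.
$isapi = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI'
Add-Type -Path "$isapi\Microsoft.SharePoint.Client.dll"
Add-Type -Path "$isapi\Microsoft.SharePoint.Client.Runtime.dll"

function Reset-SharedWithEveryoneFolder {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $SiteUrl,
        [Parameter(Mandatory = $true)] [pscredential] $Credential,
        [string] $LibraryTitle = 'Documents',
        [string] $FolderName   = 'Shared with Everyone'
    )
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
    $ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials(
        $Credential.UserName, $Credential.Password)
    $result = [pscustomobject]@{ Site = $SiteUrl; Found = $false; Reset = $false }
    try {
        # Grab the document library as a List so that its entries come back as ListItems.
        $list  = $ctx.Web.Lists.GetByTitle($LibraryTitle)
        # CAML: root-level folders only (FSObjType = 1) instead of every item.
        $query = New-Object Microsoft.SharePoint.Client.CamlQuery
        $query.ViewXml = "<View><Query><Where><Eq><FieldRef Name='FSObjType'/>" +
                         "<Value Type='Integer'>1</Value></Eq></Where></Query></View>"
        $items = $list.GetItems($query)
        $ctx.Load($items)
        $ctx.ExecuteQuery()

        foreach ($item in $items) {
            # FileLeafRef holds the folder name on the list item.
            if ($item['FileLeafRef'] -ne $FolderName) { continue }
            $result.Found = $true
            if ($PSCmdlet.ShouldProcess("$SiteUrl : $FolderName", 'ResetRoleInheritance')) {
                # Drops the unique (Everyone) grants; the folder inherits from its parent again.
                $item.ResetRoleInheritance()
                $ctx.ExecuteQuery()
                $result.Reset = $true
            }
            break
        }
    }
    finally { $ctx.Dispose() }
    return $result
}
```

Run it with `-WhatIf` first to see which sites still carry the folder without changing anything; `Found = $false` means there was nothing to reset on that site.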

PowerShell results of our Script

And the end result…

Folder is set to the parent’s permissions; in this case, only the owner can see it.

Kudos to Ryan Jenkins for helping with the Items and figuring out how to get to the Folder name on the item.
