Tag Archives: PowerShell

Adding an O365 Security group to the Site Collection Administrators group

Here is the scenario… you wish provision every site collection in your SharePoint Online environment so that a key group of staff, say for example your support staff, have Site Collection Admin access.  To provide centralised control of this group you want to define it and its membership outside the boundaries of your SharePoint Online environment. In this case you have two options, a Security Group or an Office 365 Group. In the case of a Security group there is no associated email address so people can’t mail to it and it doesn’t appear in the address book. This is ideal for the type of group we are creating as communications with the support staff should be via a central help desk.

Here is where your problem arises because Microsoft publicly state that you cannot use a Security Group provide Site Collection Administrator  access. The reality is that it cane be done both manually and in code.


To add the security group as the primary SCA you will need to have O365 tenant admin permission. Go to the SharePoint Admin Center, locate the site collection in question , select the check box next to it and then click on Owners in the ribbon. In the Manage Administrators window you can add the security group just like you would any other user, both as a Primary or Secondary SCA.

If you don’t have tenant admin permission you will need to have SCA rights on the site collection in question. In this case you will be able to add the security group as a Secondary SCA by going to Site Settings and then selecting Site collection administrators under Users and Permissions. you can then add the security group as a Secondary SCA just like you would any other user .


You may have a requirement to retrospectively apply a change like this across your tenant using PowerShell or to set this up when you are provisioning the site collection as part of a provisioning app similar to the PnP provisioning samples.

The usual way to add someone as a SCA to a Site Collection using PowerShell is to use the Set-SPOUser cmdlet for example like this…

Set-SPOUser -Site $siteUrl-LoginName $userEmail -IsSiteCollectionAdmin $true 

You will notice that they way to identify the user being added as an SCA is via the -LoginName parameter which requires a valid email address in the tenant. The issue is that the  Security group doesn’t have an email address so it can’t be used it here. I’ve tried a number of approaches to including using the Object ID returned from Get-MSOLGroup cmdlet to no avail. I was able to resolve it and the simplest way to avcheive uses the claims encoded identity for the security group.

First you need to determine the claims encoded identity for the security group. One simple manual way of doing this is to go to a site and use the Check Permissions feature Under Site Permissions in Site Settings. Check the permissions for the security group in question and part of the report provides you with the claim encoded identity. It should look something like ‘c:0-.f|rolemanager|s-1-1-11-111111111-1111111111-1111111111-11111111’. In my case this manual approach is fine but it is probably possible to retrieve this using PowerShell as well.

Once you know this information you can substitute it where you would normally use the users email address in the SetSPOUser call and it will recognise the security group and set it in the Secondary Site Collection Admins group e.g.

Set-SPOUser -Site $siteUrl -LoginName "c:0-.f|rolemanager|s-1-1-11-111111111-1111111111-1111111111-11111111" -IsSiteCollectionAdmin $true

To achieve the same in code as part of a remote hosted app you will need to use CSOM. Something like the following C# ,NET code should allow you to do this. Obviously you will need to determine the claims ID for each of the security groups you want to add and will have already created you context object ctx

Dictionary<string, string> groupsForAdminAccess = new Dictionary<string, string>()
    {"Global Support Staff", "c:0-.f|rolemanager|s-1-1-11-111111111-1111111111-1111111111-11111111"},
    {"Legal eDiscovery","c:0-.f|rolemanager|s-1-1-11-111111111-1111111111-1111111111-11111111"}
 foreach (KeyValuePair<string, string> groupToAdd in groupsForAdminAccess)
    User claimsGroupUser = ctx.Web.EnsureUser(groupToAdd.Value.ToString());
    claimsGroupUser.IsSiteAdmin = true;


1 Comment

Filed under General SharePoint Development, Office 365, SharePoint, SharePoint Online