Tag Archives: SharePoint Online

Adding an O365 Security group to the Site Collection Administrators group

Here is the scenario… you wish to provision every site collection in your SharePoint Online environment so that a key group of staff, say for example your support staff, have Site Collection Admin access. To provide centralised control of this group you want to define it and its membership outside the boundaries of your SharePoint Online environment. In this case you have two options, a Security Group or an Office 365 Group. In the case of a Security Group there is no associated email address, so people can't mail to it and it doesn't appear in the address book. This is ideal for the type of group we are creating, as communications with the support staff should be via a central help desk.

Here is where your problem arises, because Microsoft publicly state that you cannot use a Security Group to provide Site Collection Administrator access. The reality is that it can be done both manually and in code.


To add the security group as the primary SCA you will need to have O365 tenant admin permission. Go to the SharePoint Admin Center, locate the site collection in question, select the check box next to it and then click on Owners in the ribbon. In the Manage Administrators window you can add the security group just like you would any other user, both as a Primary or Secondary SCA.

If you don't have tenant admin permission you will need to have SCA rights on the site collection in question. In this case you will be able to add the security group as a Secondary SCA by going to Site Settings and then selecting Site collection administrators under Users and Permissions. You can then add the security group as a Secondary SCA just like you would any other user.


You may have a requirement to retrospectively apply a change like this across your tenant using PowerShell or to set this up when you are provisioning the site collection as part of a provisioning app similar to the PnP provisioning samples.

The usual way to add someone as a SCA to a Site Collection using PowerShell is to use the Set-SPOUser cmdlet, for example like this…

Set-SPOUser -Site $siteUrl -LoginName $userEmail -IsSiteCollectionAdmin $true

You will notice that the way to identify the user being added as an SCA is via the -LoginName parameter, which requires a valid email address in the tenant. The issue is that the Security group doesn't have an email address so it can't be used here. I've tried a number of approaches, including using the Object ID returned from the Get-MSOLGroup cmdlet, to no avail. I was able to resolve it, and the simplest way to achieve this uses the claims encoded identity for the security group.

First you need to determine the claims encoded identity for the security group. One simple manual way of doing this is to go to a site and use the Check Permissions feature under Site Permissions in Site Settings. Check the permissions for the security group in question and part of the report provides you with the claims encoded identity. It should look something like 'c:0-.f|rolemanager|s-1-1-11-111111111-1111111111-1111111111-11111111'. In my case this manual approach is fine but it is probably possible to retrieve this using PowerShell as well.

Once you know this information you can substitute it where you would normally use the user's email address in the Set-SPOUser call and it will recognise the security group and set it in the Secondary Site Collection Admins group, e.g.

Set-SPOUser -Site $siteUrl -LoginName "c:0-.f|rolemanager|s-1-1-11-111111111-1111111111-1111111111-11111111" -IsSiteCollectionAdmin $true
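To apply this retrospectively across the tenant, as mentioned above, the same call can be wrapped in a loop with a dry-run mode. This is an added example, not code from the original post; it assumes the SharePoint Online Management Shell module and an existing Connect-SPOService session, and the function name and CSV path are hypothetical.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell module and an existing Connect-SPOService session.
function Add-GroupAsSiteCollectionAdmin {
    param(
        # Claims-encoded identity copied from the Check Permissions report
        [Parameter(Mandatory)] [string] $GroupClaim,
        # Without -Apply the function only reports what it would change
        [switch] $Apply
    )
    foreach ($site in Get-SPOSite -Limit All) {
        $row = [ordered]@{ Site = $site.Url; Action = ''; CurrentAdmins = '' }
        try {
            # Everyone currently flagged as site collection admin on this site
            $admins = @(Get-SPOUser -Site $site.Url -Limit All -ErrorAction Stop |
                        Where-Object { $_.IsSiteAdmin })
            $row.CurrentAdmins = ($admins.LoginName -join '; ')

            if ($admins.LoginName -contains $GroupClaim) {
                $row.Action = 'AlreadyAdmin'
            }
            elseif ($Apply) {
                Set-SPOUser -Site $site.Url -LoginName $GroupClaim `
                            -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
                $row.Action = 'Added'
            }
            else {
                $row.Action = 'WouldAdd'
            }
        }
        catch {
            # The call failed for this site; record it instead of aborting the run
            $row.Action = "Failed: $($_.Exception.Message)"
        }
        [pscustomobject]$row
    }
}

# Dry run first, review the CSV, then re-run with -Apply.
# $claim is the placeholder value used in the post, not a real group.
$claim = 'c:0-.f|rolemanager|s-1-1-11-111111111-1111111111-1111111111-11111111'
Add-GroupAsSiteCollectionAdmin -GroupClaim $claim |
    Export-Csv -Path .\sca-dryrun.csv -NoTypeInformation
```

The CurrentAdmins column doubles as an inventory of who already holds Site Collection Admin on each site, which is worth reviewing before widening access with a group.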

To achieve the same in code as part of a remote hosted app you will need to use CSOM. Something like the following C# .NET code should allow you to do this. Obviously you will need to determine the claims ID for each of the security groups you want to add, and you will have already created your context object ctx.

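// Requires: using System.Collections.Generic; using Microsoft.SharePoint.Client;
Dictionary<string, string> groupsForAdminAccess = new Dictionary<string, string>() {
    {"Global Support Staff", "c:0-.f|rolemanager|s-1-1-11-111111111-1111111111-1111111111-11111111"},
    {"Legal eDiscovery", "c:0-.f|rolemanager|s-1-1-11-111111111-1111111111-1111111111-11111111"}
};
foreach (KeyValuePair<string, string> groupToAdd in groupsForAdminAccess) {
    // Resolve the claims encoded identity to a site user, then flag it as a site collection admin
    User claimsGroupUser = ctx.Web.EnsureUser(groupToAdd.Value);
    claimsGroupUser.IsSiteAdmin = true;
    claimsGroupUser.Update();
    ctx.ExecuteQuery(); // send the queued changes to SharePoint Online
}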



What is my Site Collection Quota in SharePoint Online?

What is a Site Quota?

Site Quotas allow you to define a limit on the storage capacity of a top-level site (in SharePoint terms a site collection). The storage limit applies to the site collection as a whole. In other words, the storage limit applies to the total size of the content for the top-level site and for all sub-sites within the site collection. SharePoint Apps, the content in the Recycle Bin and, if versioning is enabled, the versions in a site also count toward storage limits.

How do I request a site storage quota increase?

When a new site collection is created, often a site quota is applied to the site to meet the organisation's requirements to limit the unrestricted growth of their environment. In situations where the quota limit is exceeded or about to be exceeded you should contact your SharePoint farm administrator or support desk to request an increase. You may also find that your organisation has policies and procedures in place to deal with quota increase requests that define what constitutes a valid business reason for an increase and how to go about the request process.

How do I know when I am approaching my quota limit?

Over time and with regular use your storage use will likely increase, so how will you know if you are at risk of hitting the limit?

Firstly, SharePoint will proactively alert you to the fact that you have almost reached the current quota limit by flagging this at the top of the web page when you are on your site as shown below.

Second, SharePoint will send those identified as the Site Collection Administrators an email notifying them that the quota limit has almost been reached.

How Can I find out how much storage I am currently using?

Determining how much of your quota has currently been used is quite easy if you are the site owner i.e. you have Site Collection Administrator access to the site.

To view your current quota limit, how much storage your site is using and what within the site is using the storage simply go to the Site Settings for your site and click on Storage Metrics under the Site Collection Administration options e.g.

The page displayed looks something like this (obviously your metrics will be different)…

[Image: Storage Metrics]

What happens if the storage limit is reached?

You will continue to be able to upload and create content until the quota is exceeded. This means that if for example you have 1Mb left of your quota you will still be able to upload a 200Mb file. Once the file is uploaded though, the quota will have been exceeded and no more updates or uploads will be possible until the storage used is brought back below the quota limit.

When the quota limit is exceeded an email is sent to the site collection administrator notifying them. The email sent includes a reference to the site with a URL, has links to the recycle bin and storage metrics for the site, and displays the site statistics (current usage). In addition to this email, a message is shown at the top of every page in the site. Unlike warnings, this message is seen by all users and is shown on every page of the site.

[Image: Quota Exceeded Banner]

You cannot add content to a site that has exceeded its quota. This applies to list items as well as document/file based content. If you try to create, upload or drag and drop content you will receive an error message informing you of this e.g.

This message will also be displayed if you attempt to add a new App to your site after exceeding the limit.

How do I free up space on my site?

You might think that the answer to this question is simple… “just delete content I don't need from my document library”. This is fine if you are still within your quota limits. Unfortunately, once you have exceeded your quota, simply deleting content won't work as it is put in the recycle bin and that also counts against usage. In this scenario you will need to remove items from the recycle bin first to free up enough space. If there isn't enough space freed up by the recycle bin, you'll need to delete something from the site first and then remove it from the recycle bin. Note that unless you are a site collection administrator you can only see your personal recycle bin.
Even if you are a site collection administrator, the “empty the recycle bin” link provided in the red or yellow banner only takes you to the personal recycle bin for that user. If you are a site collection administrator and you want to see the recycle bin for all users go to Site Settings > Recycle Bin. This will take you to the administrative recycle bin page where you can see end user recycle bin items for all users as well as items deleted from the end user recycle bin (the second stage recycle bin).
Note: you do not need to delete items from the second stage recycle bin in order to clear up space as content stored here apparently does not count against your quota.
