PowerShell: Managing OneDrive for Business using CSOM

OneDrive for Business comes as part of Office 365, and while it sounds like it's a separate product, it's really just SharePoint Online as the backend.  As an administrator, there may be some settings you would like to control when rolling out ODfB to your end users.  Some of these features can be applied from the GUI and as a global setting, but others need to be administered on a site-by-site basis.  I think you know what's coming next... PowerShell to the rescue.

As I said, ODfB is a SharePoint site, specifically a MySite.  The site has a Document library called documents.  The site admin is the owner of the ODfB, so they have access to all the site settings.  This means that any changes you make at the site level can be reversed by the site admin, and Microsoft does not support removing site admin privileges from the owner.  So the good news is that you can change settings programmatically on the back-end.  The bad news is that users can alter your desired settings if they want to, even though most users wouldn't even know where to go to do it.

With that disclaimer out of the way, there are some settings that end users can't change.  Data Loss Prevention settings can be applied to a group of ODfB sites or all ODfB sites.  That can be set from the Compliance Center in Office 365 and applies to current and newly created sites.  Preservation policies can be applied from the portal as well, but only to existing sites.  There is no way to set a default preservation policy for all ODfB sites.  Neither DLP nor preservation policies can be changed by the end user, so once they're set up you can rest easy.

Versioning and Information Rights Management (IRM) settings are applied at the site library level, and as such can be changed by the end user.  There is also no way of applying a default group of settings to all existing sites from the portal, unless you count going to each site individually and manually editing the sites.

I wrote the script below with the help of examples from TechNet, especially the portions that used the Client Side Object Model (CSOM), which I had never even heard of before.

The script has a number of different functions that can be used together or independently.  Before using it, you will need to fill out the Declarations section with your desired settings.  The script leverages encrypted credentials using an AES key.  The creation of the key and the encryption of the credentials are covered in the notes.  The script requires that you install the SharePoint Online SDK and Management Shell.

As I said, the preservation policies only need to be set once.  The versioning and IRM settings should be checked periodically and reset to the desired state.  Hopefully, Microsoft will provide administrators the power to set defaults and restrict owners from editing certain settings.

Let me know what you think, and if you find any bugs!  In future versions, I plan to move the settings to a configuration file and add some logic for creating the stored credential on the fly.  I would also like to expand the settings for application.
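
The periodic check described above can look like the following added example, which is not the author's script: it decrypts an admin password protected with an AES key and reports, or with `-Fix` resets, versioning and IRM on one ODfB Documents library through CSOM. The SDK path, account name, file locations and site URL are placeholders, and it assumes the account has admin access to the site and that IRM is already activated for the tenant.

```powershell
# Added example; paths, account, URL and desired values are placeholders/assumptions.
$Sdk = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI'
Add-Type -Path "$Sdk\Microsoft.SharePoint.Client.dll"
Add-Type -Path "$Sdk\Microsoft.SharePoint.Client.Runtime.dll"

$AdminUser = 'admin@example.onmicrosoft.com'
$KeyFile   = 'C:\Secure\odfb-aes.key'   # 32 random bytes; anyone who can read it can decrypt the password
$PassFile  = 'C:\Secure\odfb-admin.txt' # written once with ConvertFrom-SecureString -Key

function Get-StoredCredential {
    # Decrypt the stored password with the AES key and wrap it for CSOM.
    $key    = [IO.File]::ReadAllBytes($KeyFile)
    $secure = Get-Content $PassFile | ConvertTo-SecureString -Key $key
    New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($AdminUser, $secure)
}

function Test-LibraryBaseline {
    param(
        [Parameter(Mandatory)][string]$SiteUrl,
        [bool]$WantVersioning = $true,
        [bool]$WantIrm = $true,      # IRM must already be activated for the tenant
        [switch]$Fix                 # without -Fix the function only reports drift
    )
    $ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
    $ctx.Credentials = Get-StoredCredential
    try {
        $list = $ctx.Web.Lists.GetByTitle('Documents')
        $ctx.Load($list)
        $ctx.ExecuteQuery()

        # Compare the library's current state with the desired state.
        $drift = @()
        if ($list.EnableVersioning -ne $WantVersioning) { $drift += 'EnableVersioning' }
        if ($list.IrmEnabled -ne $WantIrm)              { $drift += 'IrmEnabled' }

        if ($drift -and $Fix) {
            $list.EnableVersioning = $WantVersioning
            $list.IrmEnabled       = $WantIrm
            $list.Update()
            $ctx.ExecuteQuery()
        }
        [pscustomobject]@{ Site = $SiteUrl; Drift = $drift -join ','; Fixed = [bool]($drift -and $Fix) }
    }
    finally { $ctx.Dispose() }
}

# Report-only pass over a constructed list of ODfB site URLs.
'https://example-my.sharepoint.com/personal/user1_example_com' |
    ForEach-Object { Test-LibraryBaseline -SiteUrl $_ }
```

Because the AES key is all that protects the stored password, restrict the key file's ACL to the account that runs the check and keep it apart from the encrypted password file where possible.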
