Find All Site Collection Administrators Across OneDrive for Business Sites

Ever wondered who has full control over your users’ OneDrive accounts? As an admin, it’s important to keep track of who holds site collection administrator rights in OneDrive. These users have elevated access, which means they can view, manage, and even delete content in the OneDrive site they’ve been granted access to. Knowing who they are is not just good practice but is also crucial for security and compliance.

You may need this information during audits or access reviews to ensure the right people have the appropriate level of control. In large environments, manually checking each OneDrive site is not practical. That is why getting a list of all OneDrive site collection admins becomes essential.

In this blog, we’ll walk you through how to efficiently list all OneDrive site collection admins in your tenant.

A site collection administrator in OneDrive for Business is someone who has full control over a user’s OneDrive site. This role allows them to access all files and settings without needing the site owner’s permission. In addition to full control, site collection admins also receive administrative email alerts related to the site collection.

There are two types of site collection administrators in OneDrive for Business:

Primary Site Collection Administrator

The primary site collection admin is the owner who has full control over their own OneDrive account. This role is automatically assigned, and there can only be one primary admin per OneDrive. However, the primary admin can be replaced by admins when necessary, such as when an employee leaves the organization or transitions to a different role.

Secondary Site Collection Administrator

Secondary site collection admins have the same full access as the primary admin (OneDrive owner). They can be individual users, multiple users, or even groups, depending on the organization’s needs. These admins are usually assigned by SharePoint admins, Global admins, OneDrive owners, or even by existing site collection admins in case of emergency.

Since both primary and secondary site collection admins have full access, it’s crucial to keep track of who holds these roles in each user’s OneDrive. You can use any of the methods below to find all site collection administrators in OneDrive.

• Review OneDrive site collection administrators using SharePoint admin center
• List site collection administrators in OneDrive for Business using PowerShell

The SharePoint admin center is the simplest way to view and manage site collection admins for individual OneDrive sites. To view the OneDrive site collection administrators of a specific OneDrive site, follow the steps below:

1. Sign in to the SharePoint admin center.
2. Navigate to More features and select Open under the User profiles section.
3. Under the People category, choose Manage User Profiles.
4. In the Find profiles field, search for the user whose OneDrive admins you want to view, and then hit Find.
5. Now, the name of the user will appear in the search results. Click on the correct user by verifying the user’s UPN and select the Manage site collection owners option.
6. This opens a pane where you can view the primary and secondary site collection administrators for that user’s OneDrive site.
   

While this method gives a quick view of a single user’s OneDrive admin access, it’s not scalable when you need to audit all OneDrive site collection admin access across users or generate reports.

PowerShell offers the most efficient way to bulk list site collection administrators across all OneDrive sites in your organization. You can use one of the following PowerShell authentication methods based on your needs.

1. Using SharePoint Online Management Shell – This method requires you to be a site collection administrator on each OneDrive site to view admin access. It uses your admin credentials and is ideal for straightforward reporting when you have the necessary permissions on each site.
2. Using PnP PowerShell – PnP PowerShell supports app credential authentication through Entra ID app registration, allowing tenant-wide access without needing to be individually added as a site collection administrator. This makes PnP ideal for large-scale management.
   

1. To list all site collection administrators across OneDrive for Business sites, first, connect to SharePoint Online Management Shell as administrator.

Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
 

Note: SharePoint admins or Global admins cannot view all site collection administrators on a OneDrive site by default. They must be explicitly added as site collection admins on the specific OneDrive site to gain access.

2. Then, run the following PowerShell snippet to export the list of site collection admins of all OneDrive user sites.

Get-SPOSite -IncludePersonalSite $true -Limit All -Template "SPSPERS" | ForEach-Object {
  $primary = $_.Owner
  $secondary = ""
  $errorMessage = ""
  try {  
    $admins = Get-SPOUser -Site $_.Url 2>$null  
    $secondary = ($admins | Where-Object { $_.IsSiteAdmin -eq $true -and $_.LoginName -ne $primary } | Select-Object -ExpandProperty LoginName) -join ";"  
  } catch {  
    $errorMessage = $_.Exception.Message  
  }
  [PSCustomObject]@{  
    "OneDrive URL"                   = $_.Url   
    "Primary Site Collection Admin"  = $primary   
    "Secondary Site Collection Admins" = if ($secondary) { $secondary } else { "Error in retrieval" } 
    "Error Message"                  = $errorMessage   
  }  
} | Export-Csv -Path "<OutputCSVFilePath>" -NoTypeInformation -Encoding UTF8

Sample Output

The above script extracts a tenant-wide list of all primary and secondary site collection admins for all user OneDrive sites and exports it to a CSV file.

Points to Note:

• Make sure to replace <OutputCSVFilePath> with the path where the CSV file should be saved.

• If you see the error ‘Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))’, it means you are not assigned as the site collection administrator for that site, and you cannot view the secondary site collection admins for that site.

• If you see a GUID instead of a UPN for the secondary site collection admin, it may represent a Microsoft 365 group. In such cases, you can use the Microsoft Graph cmdlet ‘Get-MgGroupMember’ to retrieve the list of members in the group.

While the above script requires you to be a site collection admin for each OneDrive site, PnP PowerShell offers a more flexible approach. The following PnP PowerShell script connects to SharePoint Online using certificate-based authentication through an Entra ID application.

Note: If you don’t already have an application for this purpose, register an Entra ID application to use with PnP PowerShell. Make sure the app is assigned the ‘Sites.Read.All’ application permission.

Make sure to replace:

• <TenantName> with your tenant name (contoso),
• <ClientId> with your application’s client ID,
• <Thumbprint> with your certificate’s thumbprint,
• <OutputCSVFilePath>with the path where the CSV file should be saved.

$TenantName = "<TenantName>"
$ClientId   = "<ClientId>"
$Thumbprint = "<ThumbPrint>"
$CsvPath    = "<OutputCSVFilePath>"
$AdminUrl   = "https://$TenantName-admin.sharepoint.com"
$TenantId   = "$TenantName.onmicrosoft.com"
Connect-PnPOnline -Tenant $TenantId -Url $AdminUrl -ClientId $ClientId -Thumbprint $Thumbprint
$oneDriveSites = Get-PnPTenantSite -IncludeOneDriveSites -Detailed | Where-Object {
    ($_.Template -like "SPSPERS*")
}
$adminOverview = @()
foreach ($site in $oneDriveSites) {
    try {
        Connect-PnPOnline -Url $site.Url -ClientId $ClientId -Thumbprint $Thumbprint -Tenant $TenantId
        $admins = Get-PnPSiteCollectionAdmin
        $ownerLogin = $site.Owner
        $ownerEmail = ($admins | Where-Object { $_.LoginName -eq $ownerLogin }).Email
        if (-not $ownerEmail) { $ownerEmail = $ownerLogin }
        $secondaryAdmins = $admins | Where-Object { $_.LoginName -ne $ownerLogin } | Select-Object -ExpandProperty Email
        $secondaryList = ($secondaryAdmins | Where-Object { $_ }) -join ";"
        $adminOverview += [PSCustomObject]@{
            "Name"        = $site.Title
            "OneDriveURL"              = $site.Url
            "PrimaryAdmin"   = $ownerEmail
            "SecondaryAdmins" = $secondaryList
        }
    }
    catch {
        Write-Host "Failed to process $($site.Url): $($_.Exception.Message)" -ForegroundColor Red
    }
}
$adminOverview | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
Write-Host "OneDrive for Business site collection admins exported to $CsvPath" -ForegroundColor Green

Sample Output

If you’re looking for a quicker, no-code way to list site collection administrators across all OneDrive user sites, AdminDroid is the ideal choice. It provides intuitive graphical insights and customizable features, enabling you to tailor reports to your specific needs in a user-friendly manner.

We hope this blog helps you gain better visibility into OneDrive site collection administrators. If you have any questions or feedback, feel free to drop them in the comments below. We’re here to help!