Table of Contents
Managing OneDrive Storage Quotas Through Groups
A reader asked if it is possible to control the assignment of OneDrive for Business storage quotas using groups using a mechanism like group-based license management. The simple answer is that Microsoft 365 doesn’t support such a feature, but like many administrative operations, it’s relatively easy to automate with PowerShell.
Another article covers the basics of reporting and assigning OneDrive storage. OneDrive for Business accounts are personal SharePoint Online sites. Assigning a new storage quota to a user’s OneDrive account is done using the Set-SPOSite cmdlet from the SharePoint Online administration module. This is one of the Microsoft 365 modules that receives frequent updates, so make sure that you use the most recent version. It’s a good idea to check for updates monthly, either manually or using a PowerShell script to process the Microsoft 365 modules typically used by tenant administrators.
Creating a Script to Update OneDrive Storage Quotas
The steps required in the script to update OneDrive storage quotas based on group membership are:
- Connect to SharePoint Online and the Microsoft Graph PowerShell SDK.
- Read information about the target OneDrive storage allocations from some source. I used a CSV file.
- Figure out the service domain for the tenant to calculate the root of OneDrive account URLs. This will be something like: https://office365itpros-my.sharepoint.com/personal/. Later, we combine a modified version of user principal names (replacing dot and @ characters with underscores) to form the URL for each account. An example is https://office365itpros-my.sharepoint.com/personal/James_Ryan_office365itpros_com.
- For each group, get the group members. For each member, figure out the user’s OneDrive account URL and run the Get-SPOSite cmdlet to check its current storage quota. You can use any of the group types supported by Azure AD, including dynamic Microsoft 365 groups. With some adjustments to the code, it would also be possible to use an Exchange Online dynamic distribution list.
- If the assigned quota is less than the desired quota, run the Set-SPOSite cmdlet to increase the quota.
- Create a report about what happened (Figure 1).
The script includes nothing complicated in terms of code. You can download the script I wrote from GitHub. Remember that the script is not bulletproof in terms of error handling. Its intention is to prove the principle of what is possible. The script should run without a problem if you sign in with a tenant administrator account. I have not tested the code in an Azure Automation runbook (to run the script on a schedule), but I think that adapting the code for Azure Automation would not be difficult.
Use Azure AD Administrative Units Instead of Groups
Azure AD administrative units are the current flavor of the month in Microsoft Purview with many solutions, including Data loss prevention (DLP) and Data lifecycle management (retention) supporting the use of administrative units to scope policies. If you have the necessary Azure AD Premium licenses, you could use administrative units as the basis for storage assignment.
This article explains how to use PowerShell to retrieve information from administrative units. Instead of fetching a set of user principal names for group members, you’d fetch the same information for the members of an administrative unit, like this:
[array]$GroupMemberUPN = (Get-MgAdministrativeUnitMember -AdministrativeUnitId 150dccad-f8b8-4e54-9246-89834b8b5a25).AdditionalProperties.userPrincipalName
The Microsoft Graph PowerShell SDK cmdlets for administrative units use the beta endpoint, so remember to select that endpoint before attempting to use the cmdlets:
Select-MgProfile beta
PowerShell Automation Scores Again
It would be nice if Microsoft included group-based OneDrive storage management in SharePoint Online. However, this functionality is probably not high on their priority list for new development. This is yet another example of how PowerShell fills in the cracks and gaps left in Microsoft 365 management and underscores why tenant administrators should have the ability to perform at least simple tasks with PowerShell.
Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.
There are now non-beta cmdlets for managing Administrative Units in PowerShell, but the name’s changed 😀
Get-MgDirectoryAdministrativeUnit
Get-MgDirectoryAdministrativeUnitMember
etc etc
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/get-mgdirectoryadministrativeunit?view=graph-powershell-1.0
Not sure if previous comment made it through – but there are non-beta cmdlets for managing Administrative Units via PowerShell now – they just have new names:
Get-MgDirectoryAdministrativeUnit
Get-MgDirectoryAdministrativeUnitMember
New-MgDirectoryAdministrativeUnit
etc etc
A OneDrive personal site isn’t created for a user if they haven’t logged in yet, and thus there is no Quota to check or set for them. I have found that it’s more efficient to just get all OneDrive personal sites instead and work from that using the Owner field. An added benefit is it’s less calls (in my instance over 10k less).
Get-SPOSite -IncludePersonalSite $true -Limit ALL -Filter “Url -like ‘-my.sharepoint.com/personal/'”
That’s certainly a valid approach and you must do whatever works best for you.
The articles posted here are all about illustrating principles. Once people understand what’s possible, they can implement whatever solution makes sense for their circumstances.
With the education tenant A1 change that Microsoft pushed out this month, they also appear to have provided the Group-Based quota management mentioned here – it might be worth linking to it if you see it in your tenant under the Reports -> Storage -> Storage Limits as an option for OneDrive.