Security
The Core SDK Admin library provides SharePoint admin security-related APIs, such as listing the SharePoint tenant admins.
Creating Context
In this article, you'll see a lot of context use: in this case this is a PnPContext which was obtained via the PnPContextFactory as explained in the overview article and shown below:
using (var context = await pnpContextFactory.CreateAsync("SiteToWorkWith"))
{
    // See next chapter on how to use the PnPContext for doing SharePoint admin operations
}
PnP.Core.Admin dependency
The functionality shown in this article depends on the PnP.Core.Admin NuGet package. Once the PnP.Core.Admin NuGet package has been installed you can get to the SharePoint admin features via the GetSharePointAdmin, GetSiteCollectionAppManager, GetTenantAppManager and GetSiteCollectionManager extension methods:
using (var context = await pnpContextFactory.CreateAsync("SiteToWorkWith"))
{
    // Use the GetSharePointAdmin extension method on any PnPContext
    // to tap into the SharePoint admin features
    var url = context.GetSharePointAdmin().GetTenantAdminCenterUri();
}
Is the current user a SharePoint tenant administrator?
If the code you want to run requires SharePoint tenant administrator privileges then you can use the IsCurrentUserSharePointAdmin methods to verify.
// Checks if the current user is a SharePoint tenant admin
if (await context.GetSharePointAdmin().IsCurrentUserTenantAdminAsync())
{
    // Do the admin operations
}
else
{
    // Handle non admin scenario
}
Getting the SharePoint tenant administrators
Important
You need to be either a SharePoint Administrator or Global Administrator to use these methods.
If you need to list all the SharePoint admins use the GetTenantAdmins methods, which will return an ISharePointUser instance for each admin user.
// Get the tenant admins
var admins = await context.GetSharePointAdmin().GetTenantAdminsAsync();
foreach (var admin in admins)
{
    // Do something with the admin user
}
Getting the administrators of a site collection
Important
You need to be either a SharePoint Administrator or Global Administrator to use these methods.
To get the administrators of a given site collection use the GetSiteCollectionAdmins methods. You do not have to have access to the site collection to enumerate its administrators as these methods depend on tenant APIs that only work for SharePoint administrators. When getting the administrators you'll see a difference between Microsoft 365 group connected site collections and the other site collections:
- For Microsoft 365 group connected site collections the Microsoft 365 group owners are included; they have the IsMicrosoft365GroupOwner property set to true. These users don't have the LoginName property set, instead the Id property is set.
- For the other site collections the returned users all have the LoginName property set; the Id property is not set. Also, one of the admins is marked as IsSecondaryAdmin == false: that one administrator is the primary site collection administrator.
// Get the site collection admins
var admins = await context.GetSiteCollectionManager().GetSiteCollectionAdminsAsync(new Uri("https://contoso.sharepoint.com/sites/somesite"));
foreach (var admin in admins)
{
    // Do something with the site collection admin user
}
Setting the administrators of a site collection
Important
You need to be either a SharePoint Administrator or Global Administrator to use these methods.
To set the administrators of a given site collection use the SetSiteCollectionAdmins methods. You do not have to have access to the site collection to set its administrators as these methods depend on tenant APIs that only work for SharePoint administrators. When setting the administrators you'll see a difference between Microsoft 365 group connected site collections and the other site collections:
- For the other site collections you provide a list of login names (e.g. i:0#.f|membership|anna@contoso.onmicrosoft.com or c:0-.f|rolemanager|spo-grid-all-users/6492ece7-7f5d-4499-8130-50e761e25bd9). The first one of the list will be set as the primary site collection administrator, the others will be set as secondary site collection administrators.
- For Microsoft 365 group connected site collections you have the same option as for the other site collections, with the difference that the primary site collection administrator of group connected sites is never updated. Next to that you can also specify the Azure AD user IDs of users you want to grant site collection admin permissions by adding them to the Microsoft 365 group's owners. To stay in sync with what SharePoint Tenant admin center does, when adding a Microsoft 365 group owner the user is also added as a Microsoft 365 group member.
Note
The SetSiteCollectionAdmins methods will not remove existing site collection admins, only add new site collection admins.
// Set the site collection admins for a regular site
List<string> newAdmins = new List<string>();
newAdmins.Add("i:0#.f|membership|anna@contoso.onmicrosoft.com");
newAdmins.Add("c:0-.f|rolemanager|spo-grid-all-users/6492ece7-7f5d-4499-8130-50e761e25bd9");
context.GetSiteCollectionManager().SetSiteCollectionAdmins(new Uri("https://contoso.sharepoint.com/sites/somesite"), newAdmins);
// Set the site collection admins for a Microsoft 365 group connected site
List<Guid> newGroupOwners = new List<Guid>();
newGroupOwners.Add(Guid.Parse("3d25e9c4-b20f-443b-ab4d-8ab0668f72ee"));
context.GetSiteCollectionManager().SetSiteCollectionAdmins(new Uri("https://contoso.sharepoint.com/sites/somesite"), newGroupOwners);
By default SetSiteCollectionAdmins adds newAdmins to the list of existing site collection admins. By setting the optional CollectionUpdateOptions parameter to SetExact the newAdmins list will be set exactly and all other admins will be removed.
// Set the site collection admins for a regular site
List<string> newAdmins = new List<string>();
newAdmins.Add("i:0#.f|membership|anna@contoso.onmicrosoft.com");
newAdmins.Add("c:0-.f|rolemanager|spo-grid-all-users/6492ece7-7f5d-4499-8130-50e761e25bd9");
context.GetSiteCollectionManager().SetSiteCollectionAdmins(
    new Uri("https://contoso.sharepoint.com/sites/somesite"),
    newAdmins,
    null,
    CollectionUpdateOptions.SetExact
);
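Because SetExact removes every admin that is not in the supplied list, it is worth reporting the difference before applying it. The following is an added example, not code from the PnP Core SDK documentation: it compares the current admins with an approved list, prints what would change, and only calls SetSiteCollectionAdmins with SetExact on sites without Microsoft 365 group owners. The names SiteAdminReconciler, Diff, ReconcileAsync, approved and apply are hypothetical, and the PnP namespaces in the using directives are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using PnP.Core.Admin.Model.SharePoint; // assumed namespace of the admin extension methods and types
using PnP.Core.Services;               // assumed namespace of PnPContext

public static class SiteAdminReconciler // hypothetical helper, not part of the SDK
{
    // Pure comparison: current login names that are not approved, and approved ones that are absent.
    public static (List<string> Unexpected, List<string> Missing) Diff(
        IEnumerable<string> current, IEnumerable<string> approved)
    {
        var cmp = StringComparer.OrdinalIgnoreCase; // compare login names case-insensitively
        var cur = new HashSet<string>(current.Where(n => !string.IsNullOrEmpty(n)), cmp);
        var ok = new HashSet<string>(approved, cmp);
        return (cur.Where(n => !ok.Contains(n)).ToList(), ok.Where(n => !cur.Contains(n)).ToList());
    }

    // approved[0] becomes the primary admin of a regular site, so the order of the list matters.
    public static async Task ReconcileAsync(PnPContext context, Uri site, List<string> approved, bool apply)
    {
        if (approved == null || approved.Count == 0)
            throw new ArgumentException("Refusing SetExact with an empty approved list.", nameof(approved));

        var admins = await context.GetSiteCollectionManager().GetSiteCollectionAdminsAsync(site);

        // Microsoft 365 group owners have no LoginName, so they are counted, not compared.
        var groupOwners = admins.Count(a => a.IsMicrosoft365GroupOwner);
        var loginNames = admins.Where(a => !a.IsMicrosoft365GroupOwner).Select(a => a.LoginName);

        var (unexpected, missing) = Diff(loginNames, approved);
        foreach (var n in unexpected) Console.WriteLine($"{site}: would remove {n}");
        foreach (var n in missing) Console.WriteLine($"{site}: would add {n}");

        if (groupOwners > 0)
        {
            Console.WriteLine($"{site}: {groupOwners} group owner(s) present, report only");
            return; // group-connected site: leave changes to a reviewed, manual step
        }
        if (!apply || (unexpected.Count == 0 && missing.Count == 0)) return;

        context.GetSiteCollectionManager().SetSiteCollectionAdmins(
            site, approved, null, CollectionUpdateOptions.SetExact);
    }
}
```

Run it with apply set to false first and review the printed removals; the Diff method can be exercised on constructed login-name lists without a tenant connection.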
A certain ISiteCollectionAdmin can be set as primary site collection administrator using SetAsPrimarySiteCollectionAdministrator:
// Get admins
List<ISiteCollectionAdmin> admins = context
    .GetSiteCollectionManager()
    .GetSiteCollectionAdmins(new Uri("https://contoso.sharepoint.com/sites/somesite"));
// Set the first as primary site collection administrator
// (await the async call so failures surface and the change completes before continuing)
await admins.First()
    .SetAsPrimarySiteCollectionAdministratorAsync(new Uri("https://contoso.sharepoint.com/sites/somesite"));