Add commands for SharePoint Administrator management #5874

Open
3 tasks
MathijsVerbeeck opened this issue Feb 27, 2024 · 8 comments
@MathijsVerbeeck
Contributor

MathijsVerbeeck commented Feb 27, 2024

Aim

The aim of this issue is to make it easier to add, list or remove SharePoint administrators.

Commands I would add

@milanholemans
Contributor

milanholemans commented Mar 2, 2024

Good suggestion, it's something I've thought about in the past, but never had time to spec it out.
Few things to consider here:

  • We handle the principle of 1 issue = 1 PR = 1 commit, so let's not combine 2 commands in a single issue.
  • It would be useful to be able to add multiple values instead of just one.
  • We should cover everything: users and Entra groups (M365 and security).
  • It's a bummer that assigning permissions is located under the spo web group while this is under spo site group. But moving this also under web would be incorrect. Maybe we should add a remark to spo web roleassignment add where we guide the user to this new command to add a site collection admin.
  • Let's also spec a command to list all site collection admins.
  • Instead of --url, we should use --siteUrl.
  • For the command name, instead of administrator, let's use admin.
  • Let's add an --asAdmin flag to add/remove a site collection admin using SharePoint admin permissions in case you do not have access to the site.
  • Add the ability to specify the primary admin?

Any other thoughts @pnp/cli-for-microsoft-365-maintainers ?

@waldekmastykarz
Member

Isn't configuring a site collection admin different from configuring web role assignment, which would justify it being in a different place?

> Let's add an --asAdmin flag to add/remove a site collection admin using SharePoint admin permissions in case you do not have access to the site.

Do we need two different entry points for the API (tenant admin vs. site) or could we solve it with just one?

> Add the ability to specify the primary admin?

If I recall correctly, only one principal can be designated as a primary admin. This will get complicated if we allow specifying multiple principals.

@milanholemans
Contributor

> Isn't configuring a site collection admin different from configuring web role assignment, which would justify it being in a different place?

Yes, the place is justified indeed. But it can't do harm to put a remark in the docs guiding our users to the site collection admin command, in my opinion.

> Do we need two different entry points for the API (tenant admin vs. site) or could we solve it with just one?

Haven't checked it, but I'm afraid if you don't have permission to the site, you'll get a 404 response.

> If I recall correctly, only one principal can be designated as a primary admin. This will get complicated if we allow specifying multiple principals.

Yes, only 1 person can be the primary admin indeed. What do you suggest?

@waldekmastykarz
Member

> Yes, only 1 person can be the primary admin indeed. What do you suggest?

We can go about it in a few ways:

  1. Allow specifying just one principal. If you want to configure multiple, you run the command multiple times. To specify that you want to configure the primary admin
  2. Allow specifying multiple principals. Introduce an additional option for primary admin, e.g. --primary [primary] where the value is the principal to configure as primary admin and allows just one principal. Principals specified in --principals become secondary admins
  3. Allow specifying multiple principals using --principals but when you use --primary flag, you can only specify one and we throw an error when you specify multiple

Rationale:

  1. Is clear, albeit limiting
  2. --principal doesn't convey the secondary admin, which we could consider renaming to --secondary. Feels a bit odd though
  3. Not obvious upfront and will likely lead to errors

1 seems like the best choice. Thoughts?

@milanholemans
Contributor

Looks fine to me 👍

@MathijsVerbeeck
Contributor Author

I'll start speccing out the issues tomorrow. Do we keep this as a 'major' issue containing links to the separate issues or is this a bit overkill?

@Adam-it
Contributor

Adam-it commented Mar 5, 2024

> I'll start speccing out the issues tomorrow. Do we keep this as 'major' issue containing links to the separate issues or is this a bit overkill?

I think it's a good idea 👍 Let's make this issue an epic with links to smaller separate issues for each command: add, remove, list.
That way we will keep 1 issue <-> 1 PR and we will have this issue to keep track of the progress of it all 👍

MathijsVerbeeck changed the title from "New command: spo site administrator add and spo site administrator remove" to "Add commands for SharePoint Administrator management" on Mar 5, 2024
@mkm17
Contributor

mkm17 commented Mar 12, 2024

Hi, to the list of commands, we can add a command m365 spo site membership list to get membership of a site using a similar endpoint _api/SPO.Tenant/sites/GetSiteUserGroups?siteId='siteid'&userGroupIds=[0,1,2] as described by @martinlingstuyl in #5882. What do you think? I can take care of the proposed command as I am currently working to use it in my private script.
