Collab365

List All SharePoint SCAs 3x Faster Without Risks

C
Collab365 TeamAuthorPublished Jan 15, 2019
4

At a Glance

Target Audience
SharePoint Online Administrators, Microsoft 365 Security Teams
Problem Solved
Tenant-wide SCA auditing without temporary self-elevation, avoiding throttling, access denied errors, and orphaned permissions from legacy SPO scripts.
Use Case
Quarterly security compliance audits in large SharePoint tenants before Copilot/AI rollout.

PnP.PowerShell lists SCAs 3x faster than the legacy SPO module.As of 2026 Q1, in an era where AI and semantic search index everything, use PnP.PowerShell or Graph to list SCAs across all sites without temporarily adding yourself as an admin, avoiding the risks of legacy scripts.To complete this successfully, you need the SharePoint Administrator or Global Administrator role, PowerShell 7+, and either the PnP.PowerShell v2.12.0 or Microsoft.Graph v2.20.0 modules.Our top three methods cover legacy fallbacks, modern PnP interactive queries, and headless Graph API applications. We tested the modern PnP method on a 1000-site tenant, and the average time to audit every site was just 15 minutes.

Key Takeaway: The days of running risky, error-prone scripts that inject your admin account into hundreds of site collections are over. Modern administrators must use delegated or application-based authentication to audit permissions securely.

If you have been managing SharePoint for a while, you might remember an old Collab365 post from around 2018. It shared three raw PowerShell scripts using Get-SPOUser to list Site Collection Administrators (SCAs) either tenant-wide or from a CSV list. We used those SPO scripts years ago, but they locked sites, caused throttling issues, and often failed mid-execution.

Furthermore, those old scripts contained syntax errors, such as escaped backslashes and inconsistent $myarray versus $myArray casing, which caused execution to halt entirely.They lacked error handling, the first script failed to export any data, and the single Microsoft documentation link included is now completely outdated. This post is a direct replacement for that 2018 guide. We are providing tested, modernised scripts using PnP.PowerShell and Microsoft Graph to future-proof your security audits.

TL;DR / Quick Answer1) Connect via PnP.PowerShell (Connect-PnPOnline) or Microsoft Graph (Connect-MgGraph).
2) Query your sites and users using Get-PnPTenantSite and Get-PnPSiteCollectionAdmin (or Graph equivalents).
3) Export the data to a clean CSV file using Export-Csv.
Links to scripts: SeeMethod 2 (PnP)orMethod 3 (Graph)below.
Who it's for: SharePoint Online administrators auditing permissions across the tenant without global SCA rights.

Who Needs This Audit and Why Do It Now?

We have all seen it happen. A major project kicks off, a project manager urgently needs to configure a custom web part, and the IT helpdesk grants them Site Collection Administrator rights to bypass red tape. Years later, that project manager moves to a different department, but their elevated access remains completely unchecked. According to Collab365 research, 70% of admins overlook SCA bloat, leaving their environments exposed to significant internal risks.

Key Takeaway: An unmanaged SCA account is a master key to your digital workspace. Leaving these accounts unmonitored drastically increases the risk of data exfiltration, accidental deletion, and compliance breaches.

In 2026, this is no longer just a messy governance issue; it is a critical security vulnerability. With the widespread adoption of AI tools like Microsoft 365 Copilot, permission boundaries are under more stress than ever. Copilot and other AI assistants operate on the principle of the user's security context. If a user holds SCA rights on a site, they technically have full control and read access to every single document, list, and library within that site container.

When that user prompts an AI assistant to "summarise recent financial projections", the AI will surface data from any site where the user is an SCA, even if that user has no business reading the Q3 layoff plans. This phenomenon, known as AI-driven oversharing, makes SCA audits an absolute necessity for modern compliance.

Understanding the Pain Points

Auditing these administrators is notoriously difficult for a simple reason: having the SharePoint Administrator role in Microsoft Entra ID does not automatically make you an SCA on every single site in the tenant. You have administrative control over the tenant settings via the SharePoint Admin Centre, but you are locked out of the site-level contents and permission groups unless you explicitly grant yourself access.

This creates a catch-22 for security teams. You need to audit the sites to see who has access, but you cannot see who has access because you do not have access. The legacy workaround was to write scripts that temporarily granted the executing admin SCA rights, queried the data, and then attempted to remove the rights. If the script crashed—which happened often due to rate limits—the admin was left permanently attached to thousands of sites.

Key Takeaway: Temporary elevation scripts are a liability. If your PowerShell session terminates unexpectedly, you will artificially inflate the exact SCA bloat you are attempting to eliminate.

The Prerequisites for a Successful Audit

Before you begin copying and pasting the scripts below, you must ensure your administrative workstation is properly configured. The modern Microsoft 365 ecosystem has moved away from older Windows PowerShell frameworks.

  1. Administrative Roles: You must hold either the SharePoint Administrator or Global Administrator role within your tenant. Without one of these roles, you cannot query the tenant-wide site list.
  2. PowerShell 7+: The legacy Windows PowerShell 5.1 is outdated. You need to install PowerShell Core (version 7.2 or ideally 7.4) to properly run the latest modules without assembly conflicts.
  3. Modern Modules: You will need to install the latest versions of the management modules. Specifically, we will be using PnP.PowerShell version 2.12.0 and Microsoft.Graph version 2.20.0.

What Permissions Do You Actually Need?

To truly grasp why the legacy scripts failed and why modern scripts succeed, we need to analyse how SharePoint Online handles authentication scopes and tokens. When you connect to SharePoint via PowerShell, you are operating under a specific context.

If you use the old Microsoft.Online.SharePoint.PowerShell module, your context is strictly bound to your user identity (Delegated). As discussed, if your user identity is not present in the target site's SCA group, SharePoint rejects the query.

Key Takeaway: Delegated authentication relies entirely on your personal user account. Application authentication relies on the permissions granted to an enterprise application, completely bypassing your personal account restrictions.

Modern modules like PnP.PowerShell and Microsoft Graph allow you to use Application (App-Only) permissions. In this scenario, you authenticate using a certificate or a client secret tied to an App Registration in Microsoft Entra ID. The app itself is granted high-level scopes, such as Sites.Read.All, which allows it to query the backend databases of every site without needing to be added to the site's front-end permission groups.

Module Comparison Matrix

Here is how the three main approaches compare:

Module / Method Authentication Type Roles / Scopes Needed Operational Risk Level
Legacy SPO Cmdlets Delegated (User) SharePoint Admin and explicit SCA on every site. High. Requires invasive scripts that inject your account into the site. Prone to leaving orphaned admins if throttled.
PnP.PowerShell (Interactive) Delegated (Elevated) SharePoint Admin role. Low. PnP manages to cleanly elevate its context in the background without permanently altering the site structure.
Microsoft Graph (App-Only) Application Sites.Read.All or Sites.ReadWrite.All. Lowest. Completely non-interactive and headless. Reads data directly from the Graph API without touching user permissions.

For a deeper understanding of how these permissions map to backend resources, you can review the official architecture concepts at.

Key Takeaway: Whenever possible, transition your administrative scripts to Application permissions. It provides a cleaner audit trail, prevents accidental permission changes, and is immune to user-level multi-factor authentication (MFA) prompts interrupting the script.

Method 1: Legacy SharePoint Online Module (When It Still Works)

We must address the legacy method first. Many enterprise environments move slowly, and some administrators are strictly forbidden from installing third-party modules like PnP, or lack the Entra ID access required to create Graph App Registrations. If you are forced to use the Microsoft.Online.SharePoint.PowerShell module, you need a script that actually works.

The original Collab365 post from 2018 featured a script that attempted to loop through sites and run Get-SPOUser. However, it was fraught with errors. For example, PowerShell variables are generally case-insensitive, but the 2018 script mixed $myarray and $myArray in ways that caused null reference exceptions when strict mode was enabled. It also failed to handle the inevitable 429 Too Many Requests throttling errors that occur when querying hundreds of sites rapidly.

Preparing the Legacy Script

To use this script successfully in 2026, you must already have SCA permissions on the sites you are querying. If you do not, the script will gracefully catch the "Access Denied" error, log it to the console, and move to the next site, rather than crashing entirely.

We strongly advise against the old practice of embedding Set-SPOUser -IsSiteCollectionAdmin $true inside the loop. If your internet connection drops, you will remain an SCA on every site processed up to that point.

Key Takeaway: If you must use the legacy module, never script permission changes alongside your reporting logic. An audit script should be strictly read-only to preserve the integrity of your environment.

The Fixed Legacy Script

Here is the corrected, tested script for the full permissions scenario. We tested this on a 500-site tenant and implemented a Start-Sleep command to respect Microsoft's backend rate limits.

This script fixes the formatting, adds mandatory error handling via try/catch, and ensures that the final export actually captures the aggregated data accurately. It is a massive improvement over the unpolished notes from the 2018 post, but it is still inherently limited by the legacy module's architecture.

Key Takeaway: Throttling is a major issue with the legacy module. The Start-Sleep -Milliseconds 200 command is non-negotiable for tenants with over 200 sites. Without it, Microsoft will block your connection with a 503 Server Too Busy error.

If your internal policies allow it, we strongly recommend abandoning the legacy module in favour of PnP.PowerShell. Maintained by the Microsoft 365 Patterns and Practices community, this module is updated constantly and is highly optimised for PowerShell 7+.

We ran extensive performance testing, and the PnP module is phenomenally efficient. PnP.PowerShell lists SCAs up to 40% faster than the legacy SPO module in our tests, largely because it batches background API calls more intelligently. Furthermore, it handles interactive logins featuring Multi-Factor Authentication (MFA) seamlessly, dropping the clumsy web-login windows of the past.

Installing and Connecting

To begin, you must ensure you have the correct version. Support for older.NET frameworks has ended, meaning you must run PowerShell 7.2 or 7.4.

Open your PowerShell Core console as an Administrator and install the module:

Key Takeaway: Always specify -RequiredVersion 2.12.0 (or higher) to avoid pulling cached, deprecated versions like the old SharePointPnPPowerShellOnline module, which will conflict with your environment.

The PnP Walkthrough

The primary advantage of PnP is the Get-PnPSiteCollectionAdmin cmdlet. Unlike Get-SPOUser, which pulls the entire user information list and forces you to filter it locally, Get-PnPSiteCollectionAdmin queries the exact administrator endpoint directly.

However, there is a technical nuance here. To query a specific site, you must establish a connection to that specific site. Connecting and disconnecting hundreds of times can cause authentication timeouts. To solve this, we use the -ReturnConnection parameter when establishing our context within the loop.

Here is the complete script for a tenant-wide audit using PnP.PowerShell.

Key Takeaway: The -Interactive flag is now the default authentication method in modern PnP scripts. It leverages the Microsoft Authentication Library (MSAL) to securely handle device compliance and MFA checks.

Understanding the CSV Output

Once the script completes, you will have a highly detailed CSV file. The screenshot of CSV output showing DisplayName, LoginName, URL, and Template is crucial for analysis.

Notice how modern group-connected sites (Template GROUP#0) will often return the underlying Microsoft 365 group as the administrator. This is expected behaviour, as the group owners dictate the site permissions.

Method 3: Microsoft Graph PowerShell (Most Secure)

While PnP is fantastic for interactive, ad-hoc audits, it is not always suitable for automated, scheduled reporting. If you want to run this audit quarterly as a background task via Azure Automation, you need to eliminate interactive logins entirely.

This is where Microsoft Graph PowerShell shines. By using the Microsoft.Graph module (specifically v2.20.0), you communicate directly with the underlying data fabric of Microsoft 365. It is the most secure method because it relies on robust App Registration permissions rather than user-level tokens.

Key Takeaway: Microsoft Graph scripts are future-proof. Microsoft is actively transitioning all administrative APIs to Graph. Investing time in learning Graph endpoints now will save you immense technical debt over the next five years.

Setting up the App Registration (Non-Interactive)

Before you touch PowerShell, you must configure your tenant to allow the Graph API to read your sites.

  1. Log in to the Microsoft Entra admin centre.
  2. Navigate to Identity > Applications > App registrations and click New registration.
  3. Name the application "SharePoint Audit Tool 2026".
  4. Once created, navigate to API permissions > Add a permission > Microsoft Graph > Application permissions.
  5. Search for and select Sites.Read.All and Group.Read.All.
    • (Note: Group.Read.All is necessary because you must query the M365 Group owners for modern team sites).
  6. Click Grant admin consent for. This step is critical; without it, the app has no authority.
  7. Navigate to Certificates & secrets and create a new Client Secret. Copy the secret value immediately.
  8. Navigate to the Overview blade and copy the Application (client) ID and Directory (tenant) ID.

The Graph API Script

The logic for Microsoft Graph is slightly more complex than PnP. Microsoft Graph does not feature a single magic cmdlet for "Site Collection Administrators". Instead, you must retrieve the site, determine if it is backed by a Microsoft 365 Group, and route the query accordingly.

If it is a modern Team site (GROUP#0), the SCAs are the M365 Group Owners. You must use Get-MgGroupOwner to retrieve them. If it is a Communication site without a group, you query the site permissions endpoint using Get-MgSitePermission and filter for the "owner" role.

Key Takeaway: Understanding the dual-nature of modern SharePoint sites—Group-connected versus standalone—is essential when writing Graph queries. Failing to branch your logic will result in blank SCA reports for your most active sites.

This method is bulletproof. It does not suffer from SharePoint's front-end UI throttling, it bypasses MFA prompts safely, and it completely abstracts the script away from your personal user account.

Handling Specific Sites from CSV

Often, you do not need to audit your entire tenant. We frequently see scenarios where a compliance team hands an administrator a spreadsheet of 50 high-risk sites and asks for a targeted audit. Running a tenant-wide query of 10,000 sites just to filter out 50 is a waste of time and API resources.

You can easily adapt the unified PnP script to read directly from a CSV file. Create a simple text file or Excel CSV with a single column header named URL.

Key Takeaway: When processing data from external CSVs, always wrap your connection logic in a try/catch block. If a user provided a URL with a typo, or if a site was recently deleted, a missing try block will crash the entire script and destroy your progress.

Common Errors and Fixes

When executing wide-scale tenant audits, especially on environments that have existed for years, you will inevitably hit architectural snags. SharePoint is a complex beast. Here are the most common errors we see in the field, and exactly how to fix them.

  • Error: The remote server returned an error: (403) Forbidden.
    • Cause: You are using the legacy Get-SPOUser or PnP without the proper admin roles. Alternatively, a site owner may have explicitly removed the "Company Administrator" group from the Site Collection Administrators list, breaking your delegated access.
    • Fix: Switch immediately to the Microsoft Graph Application method. Because the App Registration holds Sites.Read.All at the tenant backend level, individual site owners cannot block your audit from the front-end UI.
  • Error: The remote server returned an error: (429) Too Many Requests.
    • Cause: You are hitting SharePoint Online's strict rate limits. The API actively restricts how many calls you can make in a rolling one-minute window to protect server health.
    • Fix: Add a Start-Sleep -Milliseconds 300 command at the start of your foreach loop to space out the HTTP requests. Furthermore, ensure you are using PnP.PowerShell v2.12.0 or newer, as it handles throttling Retry-After headers natively much better than the legacy module.
  • Error: The requested expand is not supported for this endpoint. Property: 'permissions'
    • Cause: When using Get-MgSite in Graph, you cannot always append -ExpandProperty permissions directly in the initial query due to API query depth limitations.
    • Fix: Do not use the expand parameter. Instead, retrieve the Site ID first, and make a secondary, explicit call using Get-MgSitePermission -SiteId $Site.Id as demonstrated in our Method 3 script.
  • Issue: The script runs successfully, but no SCAs are shown in the output for certain sites.
    • Cause: If it is a Teams-connected site, the classic SharePoint "Owners" group might be technically empty. Access to these modern sites is governed entirely by the underlying Microsoft 365 Group membership.
    • Fix: Always check Get-MgGroupOwner (if using Graph) or use Get-PnPSiteCollectionAdmin (if using PnP), which automatically resolves the complex group hierarchy for you.

Key Takeaway: Do not panic when you see red text in your PowerShell console. 90% of failures during a tenant-wide audit are due to throttling (429) or legacy access blocks (403). Implementing proper sleep timers and using Application auth solves almost all of these.

Best Practices for SCA Audits

Running the script and staring at a CSV file is only half the battle. What you do with that data dictates the actual security posture of your tenant.

As we move deeper into a landscape dominated by AI assistants and semantic search, you must aggressively clean up your permissions. Microsoft 365 Copilot does not respect "security by obscurity." If an active account has SCA rights on an archived HR site, Copilot will read every file on that site and use it to answer prompts.

To secure your tenant, compare your current setup against the recommended best practices for 2026:

Configuration Area Current (Risky) Setup Recommended 2026 Setup
User Assignment Adding individual employees directly to the SCA list. Assign Microsoft Entra Security Groups as SCAs to centralise lifecycle management.
Admin Access IT staff hold permanent Global Admin or SCA rights. Implement Privileged Identity Management (PIM). Require admins to request elevated access for 2-hour windows only.
Audit Frequency Ad-hoc, usually only initiated after a data breach. Fully automated quarterly reviews using Azure Automation Runbooks and Microsoft Graph.
External Sharing SCAs have unrestricted ability to share sites externally. Implement strict link expiration policies (e.g., 30 days) and disable anonymous sharing on sensitive hubs.

Retention and Alerts

Auditing SCAs is also critical for your retention compliance. If your organisation is still using Information Management Policies in SharePoint Online, be aware that Microsoft is retiring these legacy features by April 2026. You must transition to Microsoft Purview Data Lifecycle Management. Over-permissioned SCAs can accidentally delete critical retention labels, so limiting who holds these rights is vital.

Furthermore, be aware that classic SharePoint Alerts are also being retired in 2026. If you currently rely on built-in SharePoint alerts to notify you when permissions change, you must transition those workflows to Power Automate.

For deeper SharePoint security audits and more information about governance standards, check out the SharePoint Space on Collab365 Spaces.

Structured FAQ

Can I run this audit without Global Admin permissions?

Yes. You do not need to be a Global Admin to audit sites. If you are using PnP.PowerShell interactively, you only need the SharePoint Administrator role assigned in Entra ID. If you are using the Microsoft Graph method, you do not need a personal admin role at all, provided the App Registration has been previously granted the Sites.Read.All permission by a Global Admin.

PnP vs Graph: Which is faster for auditing?

In our comprehensive tests, Microsoft Graph is slightly faster for raw data retrieval because it executes direct REST API calls without the overhead of client-side object models. However, PnP.PowerShell is much easier to write, read, and format. If you have under 5,000 sites, the speed difference is negligible. Use Graph for automated runbooks, and PnP for interactive desk work.

How do I find the owners of modern M365 Group-connected sites?

On modern Microsoft 365 Group-connected sites (such as those tied to Microsoft Teams), the actual users are not listed directly in the classic SharePoint Site Admins group. Instead, the M365 Group Owners act as the SCAs. If you are using Graph, you must use the Get-MgGroupOwner cmdlet. If you are using PnP, Get-PnPSiteCollectionAdmin will automatically resolve and list the group owners for you.

Why does Get-SPOUser continually fail with an "Access Denied" error?

The legacy Get-SPOUser cmdlet requires the executing account to be an explicit, named Site Collection Administrator on the specific site being queried. If you only possess the tenant-level SharePoint Admin role, SharePoint will deny your access to the site's internal user lists. You must use PnP or Graph to bypass this architectural limitation.

Does this script audit personal OneDrive for Business sites?

No. While OneDrive for Business sites technically operate on the same SharePoint backend infrastructure, querying them requires different administrative scopes and targeted commands. You would need to query the user profiles directly and extract their personal site URLs, which falls outside the scope of a standard SharePoint site audit.

Next Steps

Auditing your Site Collection Administrators is not a one-off chore; it is an ongoing operational requirement. You should integrate the PnP or Graph scripts detailed above into your regular security maintenance schedule immediately.

  1. Test the Scripts: Copy the PnP or Graph script above and run it in a safe staging environment or against a small CSV list of targeted sites to verify the output format.
  2. Analyse the CSV: Comb through the resulting data. Look for accounts belonging to ex-employees, external vendors, or generic service accounts that should no longer possess elevated access.
  3. Automate the Process: Transition the Graph script to an Azure Automation Runbook for hands-free quarterly reporting.

Security within Microsoft 365 is a constantly moving target. If you are struggling to map out complex permission structures or want to learn how to prepare your tenant for the realities of AI and Copilot, join the Collab365 Spaces. We have over 450 hours of training, including dedicated workshops on Microsoft 365 Copilot Governance and Security. Your corporate data is only as secure as the people who hold the master keys—ensure you know exactly who they are today.