Download OneDrive Files with PowerShell and Microsoft Graph

Check every item below before running anything. Missing one is the most common reason the script fails on the first attempt.

• A Microsoft 365 tenant with active OneDrive for Business licences assigned to the target users.
• A Windows machine with PowerShell 5.1 or PowerShell 7+ available.
• An admin account with Directory.Read.All, Sites.Read.All, and Files.Read.All Graph permissions granted in Entra.
• Site Collection Administrator access on each target user's OneDrive - without it, Graph returns an authentication error. The step-by-step walkthrough on alitajran.com covers how to add yourself as admin.
• Target users must have signed in to OneDrive at least once, or you must pre-provision their drives through the Microsoft 365 admin center.
• The C:\Temp and C:\Scripts folders created locally (substitute your own paths if preferred).

Note: starting in 2025, Microsoft made MFA mandatory for all Microsoft 365 administrator accounts - your admin account will need MFA configured before the interactive Graph sign-in step works.

For related admin automation, see Manage Windows Fast Startup via Intune: PowerShell Guide and Microsoft Entra Connect Migration: Move to a New Server.

Step 1: Install the Microsoft Graph PowerShell Module

Open PowerShell as administrator. Install the Microsoft Graph module if it is missing, then update it to the latest release. An outdated module is a frequent cause of unexpected errors - in our lab we saw Get-MgDriveItemContent fail silently on a module that was two minor versions behind.

Install-Module Microsoft.Graph -Force
Update-Module Microsoft.Graph

Always update before running any Graph-based script. The -Force flag overwrites an older installed version. After installation, verify the module loads cleanly:

Get-Module Microsoft.Graph -ListAvailable | Select-Object Name, Version

Step 2: Prepare the User CSV File

Create a plain-text CSV file at C:\Temp\OneDriveUsers.csv. The file needs one column with the header UserPrincipalName. Add one user principal name per row. This approach lets you handle bulk exports by editing only the CSV - the script stays untouched.

UserPrincipalName
jane.doe@contoso.com
john.smith@contoso.com
alex.jones@contoso.com

Save the file and verify the encoding is UTF-8 without BOM. Any other encoding causes Import-Csv to misread the header and the script skips every row silently.

Step 3: Create the Microsoft Graph PowerShell Download Script

Create a new file named Get-OneDriveFiles.ps1 inside C:\Scripts. Paste the full script below and save. The script accepts two mandatory parameters - the path to your CSV file and an output folder - then connects to Graph, iterates every user, and recursively downloads all files and folders.

# Parameters for CSV file input and export directory
param (
    [Parameter(Mandatory = $true)]
    [string]$CsvPath,
    [Parameter(Mandatory = $true)]
    [string]$ExportPath
)

# Connect to Microsoft Graph with necessary permissions
Connect-MgGraph -Scopes "Directory.Read.All", "Sites.Read.All", "Files.Read.All" -NoWelcome

# Import users from CSV file
$users = Import-Csv -Path $CsvPath

# Local folder path for OneDrive files export
$Folder = $ExportPath

function Get-DriveItems {
    param (
        [string]$DriveId,
        [string]$DriveItemId,
        [string]$LocalPath
    )

    # Ensure the local path exists
    New-Item -ItemType Directory -Path $LocalPath -Force | Out-Null

    # Fetch children of the current drive item
    $driveItemChildren = Get-MgDriveItemChild -DriveId $DriveId -DriveItemId $DriveItemId

    foreach ($item in $driveItemChildren) {
        if ($item.File.MimeType) {
            # It's a file
            $fileName = $item.Name
            $filePath = Join-Path -Path $LocalPath -ChildPath $fileName
            Get-MgDriveItemContent -DriveId $DriveId -DriveItemId $item.id -OutFile $filePath
            Write-Host "Downloaded file: $filePath" -ForegroundColor Green
        } elseif ($item.Folder) {
            # It's a folder - recurse
            $newLocalPath = Join-Path -Path $LocalPath -ChildPath $item.Name
            Write-Host "Entering folder: $newLocalPath" -ForegroundColor Cyan
            Get-DriveItems -DriveId $DriveId -DriveItemId $item.id -LocalPath $newLocalPath
        }
    }
}

foreach ($user in $users) {
    $userPrincipalName = $user.UserPrincipalName

    $userObject = Get-MgUser -Filter "userPrincipalName eq '$userPrincipalName'"
    if (-not $userObject) {
        Write-Host "User not found: $($userPrincipalName)" -ForegroundColor Yellow
        continue
    }

    $userOneDrive = Get-MgUserDefaultDrive -UserId $userObject.id -ErrorAction SilentlyContinue
    if ($userOneDrive) {
        $driveId = $userOneDrive.id
        $userDirectory = "$Folder\$userPrincipalName"
        New-Item -ItemType Directory -Path $userDirectory -Force | Out-Null
        Get-DriveItems -DriveId $driveId -DriveItemId "root" -LocalPath $userDirectory
    } else {
        Write-Host "Error accessing OneDrive for user: $($userPrincipalName). Skipping." -ForegroundColor Red
    }
}

Write-Host "All operations completed successfully. Files exported to $ExportPath." -ForegroundColor Cyan

If you downloaded the file from another machine, unblock it before executing:

Unblock-File -Path "C:\Scripts\Get-OneDriveFiles.ps1"

Step 4: Run the Script and Export OneDrive Files to Local Storage

From an elevated PowerShell session, call the script with both mandatory parameters. The example below reads the user list from C:\Temp\OneDriveUsers.csv and writes each user's files to a sub-folder inside C:\Temp\OneDriveData.

C:\Scripts\.\Get-OneDriveFiles.ps1 `
    -CsvPath "C:\Temp\OneDriveUsers.csv" `
    -ExportPath "C:\Temp\OneDriveData"

A browser window opens for Microsoft Graph authentication. Sign in with your admin account and accept the requested permissions.

The script then starts downloading. It prints green lines for each file saved and cyan lines when it steps into a sub-folder. A yellow warning appears if a UPN is not found in the tenant. A red message appears if the OneDrive drive is inaccessible for that user.

Did the Export Work Correctly?

After the script finishes, check the output folder. Each user should have their own sub-folder named after their UPN, with the full folder tree mirrored inside.

Get-ChildItem -Path "C:\Temp\OneDriveData" -Recurse | Measure-Object -Property Length -Sum

This command returns the total file count and combined size of everything downloaded. Spot-check a known file or folder against what the browser shows in that user's OneDrive to verify the download is complete.

If the script produced red errors for any user, check two things. First, verify the user has signed in to OneDrive at least once so the drive exists. Second, confirm your admin account appears as a Site Collection Administrator on that user's OneDrive site - that grants the Graph scopes the access they need to retrieve file content.

Security note: the Microsoft Graph permissions reference on Microsoft Learn confirms that Files.Read.All is an application-level scope that grants broad read access across all drives in a tenant. Treat the credentials used here with the same care you give global admin accounts. For context on what overprivileged Graph permissions can expose in real attacks, see Microsoft Entra Connect Migration: Move to a New Server and our coverage of Windows 10 ESU Extended Free to October 2027 for the broader Microsoft 365 admin context.