Blog written by: SharePoint & .Net Consultant
In this article I present a PowerShell script that produces a 'User with Direct Access Permissions Report' from SharePoint Online in CSV format.
This script will:
- Check a specific user's or group's DIRECT access to SharePoint
- Check the SharePoint lists and list items that have uniquely defined (broken-inheritance) permissions, then check whether the user has been granted access to them directly
This script will NOT:
- Look inside SharePoint groups or domain groups
- Check Site or Site Collection Administrator access, or Farm/Web Application level access
The script iterates through the lists and list items, checks whether the user has permission on each one, and records what kind of permission the account has. Below is a screenshot of the permission report generated in CSV format.
You can download the entire PowerShell script from here.
Load the SharePoint client assemblies
Unlike the SharePoint Management Shell, which loads the SharePoint cmdlets for you, here the client-side object model (CSOM) assemblies must be loaded manually before their types can be used.
The Add-Type cmdlet lets you define a Microsoft .NET Framework class in your Windows PowerShell session.
```powershell
Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
```
Make sure Microsoft.SharePoint.Client.dll and Microsoft.SharePoint.Client.Runtime.dll (the SharePoint Online Client Components) are installed in the GAC. Download the installer from the URL below and install it.
The SharePoint Online Client Components SDK enables development against SharePoint Online.
Connecting to SharePoint Online:
First, we need to connect to the SharePoint Online site.
To connect to SharePoint Online we need to create a 'client context'. Below is the code that connects to SharePoint Online, together with the variables we need to fill in.
Update the $siteUrl, $username and $password variables with your SharePoint site URL, SharePoint Online username and SharePoint Online password.
TIP: Be sure to put quotes around the site URL, username and password.
```powershell
$siteUrl = "https://company.sharepoint.com/sites/accounting"
$username = "firstname.lastname@example.org"
$password = "mySecretPassword123"
```
You do not need to change any other variables in the script.
```powershell
# Initialize client context
$siteUrl = 'Site url'
$username = 'admin username'
$password = 'admin password'
# Account whose direct permissions are being reported on (placeholder; fill in the UPN)
$SearchUser = 'user@example.org'
# SharePoint Online stores user logins in claims-encoded form, so prefix the UPN accordingly
$checkpermusername = "i:0#.f|membership|" + $SearchUser
# The password must be a SecureString for SharePointOnlineCredentials;
# Read-Host -AsSecureString or Get-Credential avoids keeping it in clear text in the script
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $securePassword)
$clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$clientContext.Credentials = $credentials
$Web = $clientContext.Web
```
Check whether the list's permission inheritance has been broken
We check whether permission inheritance has been broken on the list by reading the list's HasUniqueRoleAssignments property.
Checking Item Level Permission
The code below checks whether the SharePoint list has 'broken' permission inheritance. If the list does not inherit its permissions (hence 'broken' permissions), the script checks whether the given user has been granted permission on the list directly. The same check is then applied to each list item that has unique permissions. This utility does not look inside domain groups for user access; however, you can run a separate report with a group the user is a member of as the account being checked.
This PowerShell script generates a report for the site and shows what the user has direct access to.
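The following is an added, self-contained example of the connection and the list/item checks described in the two sections above; it is not the author's downloadable script. It assumes the same CSOM DLL paths shown earlier, prompts for the account that runs the report with Get-Credential instead of storing a password in the file, and uses placeholder values for $siteUrl, $searchUser and $reportPath. It also assumes that ClientObject.Retrieve('HasUniqueRoleAssignments') is available in your CSOM build (HasUniqueRoleAssignments is not in the default property set, so it has to be requested explicitly). Like the article's script it reports DIRECT role assignments only and does not expand group membership; it additionally pages through items 500 at a time so large lists stay under the list view threshold.

```powershell
# Added example: report a user's DIRECT role assignments on lists and list items
# with broken inheritance. Not the article's script; paths and placeholders below are assumptions.
Add-Type -Path 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll'
Add-Type -Path 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll'

$siteUrl    = 'https://company.sharepoint.com/sites/accounting'   # placeholder
$searchUser = 'firstname.lastname@example.org'                     # placeholder UPN
$reportPath = 'C:\Temp\DirectPermissions.csv'                      # placeholder

# Prompt for the reporting account rather than hard-coding its password
$cred        = Get-Credential -Message 'SharePoint Online account used to run the report'
$credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)
$ctx             = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = $credentials

# Claims-encoded login name that SharePoint Online uses for the searched user
$loginName = 'i:0#.f|membership|' + $searchUser
$report    = New-Object System.Collections.Generic.List[object]

# Records each role assignment on a securable object (list or item) whose member
# is exactly the searched user. Assignments granted through groups are ignored on purpose.
function Add-DirectAssignments {
    param($Securable, [string]$Scope, [string]$Location)
    $ctx.Load($Securable.RoleAssignments)
    $ctx.ExecuteQuery()
    foreach ($ra in $Securable.RoleAssignments) {
        $ctx.Load($ra.Member)
        $ctx.Load($ra.RoleDefinitionBindings)
        $ctx.ExecuteQuery()
        if ($ra.Member.PrincipalType -eq [Microsoft.SharePoint.Client.Utilities.PrincipalType]::User -and
            $ra.Member.LoginName -eq $loginName) {
            $report.Add([pscustomobject]@{
                User        = $searchUser
                Scope       = $Scope
                Location    = $Location
                Permissions = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join '; '
            })
        }
    }
}

$lists = $ctx.Web.Lists
$ctx.Load($lists)
$ctx.ExecuteQuery()

foreach ($list in $lists) {
    if ($list.Hidden) { continue }                      # skip system lists (galleries, catalogs)
    $list.Retrieve('HasUniqueRoleAssignments')          # not loaded by default; request explicitly
    $ctx.ExecuteQuery()
    if (-not $list.HasUniqueRoleAssignments) { continue }   # inherits from the web: nothing direct here
    Add-DirectAssignments -Securable $list -Scope 'List' -Location $list.Title

    # Page through all items and folders 500 at a time
    $query = New-Object Microsoft.SharePoint.Client.CamlQuery
    $query.ViewXml = "<View Scope='RecursiveAll'><RowLimit>500</RowLimit></View>"
    do {
        $items = $list.GetItems($query)
        $ctx.Load($items)
        $ctx.ExecuteQuery()
        # One round trip per page: queue the property request for every item, then execute once
        foreach ($item in $items) { $item.Retrieve('HasUniqueRoleAssignments') }
        $ctx.ExecuteQuery()
        foreach ($item in $items) {
            if ($item.HasUniqueRoleAssignments) {
                Add-DirectAssignments -Securable $item -Scope 'Item' -Location "$($list.Title)/$($item['FileRef'])"
            }
        }
        $query.ListItemCollectionPosition = $items.ListItemCollectionPosition
    } while ($null -ne $query.ListItemCollectionPosition)
}

$report | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "Wrote $($report.Count) direct assignment(s) for $searchUser to $reportPath"
```

Each row of the CSV names the scope (List or Item), the location, and the role definitions (for example 'Contribute; Read') bound to the user there, which is what the report in the screenshot above conveys. Because only role assignments whose member is the user itself are recorded, an empty report does not mean the user has no access: access inherited from the web, from SharePoint groups, or from site collection administration is outside this script's scope, as the article states.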
You can download the entire PowerShell script from here.
Please let me know of any issues or comments in the comment box below.
Posted by Dhaval Shah - MCD, MCSD on March 8, 2018.