SharePoint Online User Permission Reports

Blog written by: Dhaval Shah, SharePoint & .Net Consultant

Intro

In this article, I have developed a PowerShell script to get a ‘User with Direct Access Permissions Report’ from SharePoint Online in CSV format.

This script will:

  • Check a specific User or Group’s DIRECT access to SharePoint
  • Check the SharePoint Lists and Items for uniquely defined (broken inheritance) permissions, then check whether the user is granted access directly to them

This script will NOT:

  • Check inside of SharePoint or Domain Groups
  • Check Site or Site Collection Administrator level or Farm/Web Application level access

The script will iterate through the list and list items to check if the user has the permission and also determine what kind of permission the account has. Below is the screenshot of the permission report generated in CSV format.

You can download the entire PowerShell script from here.

SharePoint Permissions Reporting tool

For a complete SharePoint Reporting tool, see the SharePoint Essentials Toolkit Enterprise Suite ‘Permissions Manager’.

Load SharePoint Windows PowerShell Snap-in

Unlike in the SharePoint Management Shell, in a regular PowerShell session you need to load this snap-in manually before you can use the cmdlets for SharePoint.

[void][System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.PowerShell")

Add-Type

The Add-Type cmdlet lets you define a Microsoft .NET Framework class in your Windows PowerShell session.

Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

Make sure Microsoft.SharePoint.Client.dll and Microsoft.SharePoint.Client.Runtime.dll (the SharePoint Online Client Components) are installed in the GAC. Download the DLL files from the URL below and install them.

https://www.microsoft.com/en-us/download/details.aspx?id=42038

The SharePoint Online Client Components SDK can be used to enable development with SharePoint Online.

Connecting to SharePoint Online:

First, we need to connect to the SharePoint Online site.

To connect to SharePoint Online we need to create the ‘client context’. Below is the code to connect to SharePoint Online and some variables we need to enter.

Update the $siteUrl, $username and $password parameters with your SharePoint site URL, SharePoint Online username and SharePoint Online password.

TIP: Be sure to put quotes around the site URL, username and password

Example:

$siteUrl = "https://company.sharepoint.com/sites/accounting"
$username = "myemail@company.com"
$password = "mySecretPassword123"

You do not need to change any other variables in the script.

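# Initialize client context
$siteUrl = 'Site url'
$username = 'admin username'
$password = 'admin password'

# Claims-encoded login name of the account to check; $SearchUser must hold that account's login
$checkpermusername = "i:0#.f|membership|" + $SearchUser

# SharePointOnlineCredentials expects the password as a SecureString
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($username, $securePassword)
$clientContext = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$clientContext.Credentials = $credentials

# Load the web at $siteUrl; ExecuteQuery sends the request and fails here if the connection or login is wrong
$Web = $clientContext.Web
$clientContext.Load($Web)
$clientContext.ExecuteQuery()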

Check If the list permission has been broken

We check whether permission inheritance has been broken on the list by using the list's HasUniqueRoleAssignments property.

Checking Item Level Permission

The code below will check if the SharePoint List has ‘broken’ permission inheritance or not. If the SharePoint List does not have inherited permissions set (hence ‘broken’ permissions), then it will check if the given user has direct permission to the list or not. This utility does not check within Domain Groups for user access, however, you can enter groups that the user is a member of in a separate report.

This PowerShell script will generate a report for the site and display what the user has access to.
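The list-level part of the check described above, as an added example (not the author's downloadable script). It covers lists only, not items, and assumes the two Add-Type lines earlier have loaded the CSOM assemblies. It prompts for the admin credential with Get-Credential instead of keeping the password in the script, and uses the client object's Retrieve method to request HasUniqueRoleAssignments, which is not returned by default. $searchUser's sample value and $reportPath are placeholders chosen for this example.

```powershell
# Added example: direct list-level access report for one user (sample values, adjust before use)
$siteUrl    = 'https://company.sharepoint.com/sites/accounting'   # sample URL from the article
$searchUser = 'myemail@company.com'                               # account to report on (sample)
$reportPath = '.\DirectAccessReport.csv'                          # hypothetical output path

# Prompt for the admin credential; the password stays a SecureString and is never written to the script
$cred = Get-Credential -Message 'SharePoint Online admin account'
$ctx = New-Object Microsoft.SharePoint.Client.ClientContext($siteUrl)
$ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)

$claim = 'i:0#.f|membership|' + $searchUser   # claims-encoded login, as in the article
$lists = $ctx.Web.Lists
$ctx.Load($lists)
$ctx.ExecuteQuery()

$report = foreach ($list in $lists) {
    # HasUniqueRoleAssignments is not part of the default property set; request it explicitly
    $list.Retrieve('HasUniqueRoleAssignments')
    $ctx.ExecuteQuery()
    if (-not $list.HasUniqueRoleAssignments) { continue }   # list inherits from the site: skip

    $assignments = $list.RoleAssignments
    $ctx.Load($assignments)
    $ctx.ExecuteQuery()
    foreach ($ra in $assignments) {
        $ctx.Load($ra.Member)
        $ctx.Load($ra.RoleDefinitionBindings)
        $ctx.ExecuteQuery()
        # Direct grants only: a SharePoint or domain group the user belongs to will not match
        if ($ra.Member.LoginName -ne $claim) { continue }
        [pscustomobject]@{
            Object      = $list.Title
            Type        = 'List'
            User        = $searchUser
            Permissions = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join '; '
        }
    }
}

if ($report) {
    $report | Export-Csv -Path $reportPath -NoTypeInformation
} else {
    Write-Output "No direct list-level permissions found for $searchUser"
}
```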

You can download the entire PowerShell script from here.

Please let me know any issues or comments in the comment box below.


Dhaval Shah - MCD, MCSD

SharePoint and Dot Net Consultant at QiPoint
Dhaval Shah (Houston, TX USA) has more than 9 Years of professional experience working as a SharePoint and Dot Net Consultant. He has worked on 30+ projects dealing with more than 15+ clients. He has a special focus on developing and implementing enterprise-level business solutions, built on SharePoint, Dot net and the Microsoft technology stack involving MVC apps, Web API and REST services.

View his professional profile on LinkedIn
https://www.linkedin.com/in/dhavalshah27/