kwizcom banner advertisement

SharePoint Online: Delete Unique Permissions for All Items in a List using PowerShell

Requirement: Reset all customized permissions in all documents of a SharePoint online document library.

By default, Permissions are inherited from their parent in all levels of SharePoint. E.g. Sites inherits permissions from its parent site collection (or parent site), lists and libraries inherits permissions from the site, items in the list inherits permissions from the list. So, If you make any change in permissions at the parent level, any child underneath, automatically inherits the permission changes you made in the parent, unless the child is using its own unique permissions.

At times, you may have to setup unique permissions at granular level and of course, you may have to reset the broken permissions.

How to Delete Unique Permissions in SharePoint?
To reset custom permissions on SharePoint list items or documents,
  • Navigate to the SharePoint library where your documents are stored
  • Select the document >> Click on "Shared With" under Manage group in the ribbon 
  • Click on Advanced >> and click on "Delete Unique Permissions" button from the ribbon. Confirm the prompt once!
delete unique permissions in sharepoint online using powershell

Alright, now the permissions are set to Inherited from the parent library of the document. 
But wait, Picking each and every individual document and repeating these steps to remove unique permissions is tedious, wouldn't you agree? So, I wrote this PowerShell script to Reset Broken Inheritance on all items in a SharePoint List.

PowerShell Script to Delete Unique Permissions for All List Items in SharePoint Online:
#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
  
##Variables for Processing
$SiteUrl = "https://crescent.sharepoint.com/sites/Sales/"
$ListName= "Documents"
$UserName= "Salaudeen@crescent.com"
$Password ="Password goes here"
 
#Setup Credentials to connect
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($UserName,(ConvertTo-SecureString $Password -AsPlainText -Force))
 
#Set up the context
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl) 
$Context.Credentials = $credentials
  
#Get the List
$List = $Context.web.Lists.GetByTitle($ListName)
 
#Get All List Items
$Query = New-Object Microsoft.SharePoint.Client.CamlQuery
$ListItems = $List.GetItems($Query)
$Context.Load($ListItems)
$Context.ExecuteQuery()

Write-host "Total Items Found:"$ListItems.Count
#Iterate through each list item
 $ListItems |  foreach {
    #Delete Unique Permission
    $_.ResetRoleInheritance()
 }
$Context.ExecuteQuery()

Write-host "Broken Permissions are Deleted on All Items!" -ForegroundColor Green
There are two improvements can be made in the above script:
  1. The above script doesn't handle large lists with > 5000 items. 
  2. The above script simply resets inheritance without checking if the list item has unique permissions.
So, lets fix the above issues and here is the updated script:
#Load SharePoint Online Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#To call a non-generic method Load
Function Invoke-LoadMethod() {
    param(
            [Microsoft.SharePoint.Client.ClientObject]$Object = $(throw "Please provide a Client Object"),
            [string]$PropertyName
        ) 
   $ctx = $Object.Context
   $load = [Microsoft.SharePoint.Client.ClientContext].GetMethod("Load") 
   $type = $Object.GetType()
   $clientLoad = $load.MakeGenericMethod($type)
  
   $Parameter = [System.Linq.Expressions.Expression]::Parameter(($type), $type.Name)
   $Expression = [System.Linq.Expressions.Expression]::Lambda([System.Linq.Expressions.Expression]::Convert([System.Linq.Expressions.Expression]::PropertyOrField($Parameter,$PropertyName),[System.Object] ), $($Parameter))
   $ExpressionArray = [System.Array]::CreateInstance($Expression.GetType(), 1)
   $ExpressionArray.SetValue($Expression, 0)
   $clientLoad.Invoke($ctx,@($Object,$ExpressionArray))
}
   
##Variables for Processing
$SiteUrl = "https://crescent.sharepoint.com"
$ListName= "Documents"
  
#Get Credentials to connect
$Cred= Get-Credential
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
  
#Set up the context
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl) 
$Context.Credentials = $Credentials
   
#Get the List
$List = $Context.web.Lists.GetByTitle($ListName)

#Batch process list items - to mitigate list threashold issue on larger lists
Do {  
    #Get all items from the list
    $Query = New-Object Microsoft.SharePoint.Client.CamlQuery
    $Query.ViewXml = "<View Scope='RecursiveAll'><RowLimit>2000</RowLimit></View>"
    $ListItems = $List.GetItems($Query)
    $Context.Load($ListItems)
    $Context.ExecuteQuery()
          
    $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition
 
    #Loop through each List item
    ForEach($ListItem in $ListItems)
    {
        Invoke-LoadMethod -Object $ListItem -PropertyName "HasUniqueRoleAssignments"
        $Context.ExecuteQuery()
        if ($ListItem.HasUniqueRoleAssignments -eq $true)
        {
            #Reset Permission Inheritance
            $ListItem.ResetRoleInheritance()
            Write-host  -ForegroundColor Yellow "Inheritence Restored on Item:" $ListItem.ID
        }
    }
    $Context.ExecuteQuery()
} While ($Query.ListItemCollectionPosition -ne $null)
 
Write-host "Broken Permissions are Deleted on All Items!" -ForegroundColor Green

Last but not least: You need SharePoint online Client SDK installed on your client machine to use this code: https://www.microsoft.com/en-us/download/details.aspx?id=42038
SharePoint Online: Delete Unique Permissions for All Items in a List using PowerShell SharePoint Online: Delete Unique Permissions for All Items in a List using PowerShell Reviewed by Salaudeen Rajack on February 20, 2016 Rating: 5

2 comments:

  1. This was very usable. I noticed when running the code on a library with more than 1000 items that I got an error message complaining about not enough resources in SPO to complete the request. I changed the foreach to the following:
    # Start with 100 items
    $Counter = 100

    #Iterate through each list item
    $ListItems | foreach {
    if ($Counter > 0) {
    #Delete Unique Permission
    $_.ResetRoleInheritance()
    $Counter = $Counter - 1
    }
    else {
    $_.ResetRoleInheritance()
    $Context.ExecuteQuery()
    $Counter = 100
    }
    }
    $Context.ExecuteQuery()

    This way the changes are made on every 100 items and then for the last items at the end. I've used it on three different libraries without errors.

    ReplyDelete

Please Login and comment to get your questions answered!

Powered by Blogger.