SharePoint Online: Grant Permission to List or Library using PowerShell
Grant access to lists, libraries, and individual items in SharePoint Online:
There are times you may want to grant permissions at the list or library level to users and groups in SharePoint Online. Say, for example, You may want to provide read access at the site level and edit rights on the individual list level. So, to grant permissions to lists and libraries, as a first step, we have to stop inheriting permissions from its parent and then apply unique security permissions to any level underneath site collection, such as: Subsite, List, Library, or list items.
How to grant access to a list or library in SharePoint Online?
Here is how to give permission to a document library in SharePoint Online:
- Go to the target list or library settings (From the library page, Click on Library tab on the ribbon >> Select list settings. If modern UI is enabled, head on to Site connects and click settings from the list context menu)
- On the List Settings page, in the permissions and management group, click on the “Permissions for this list” link.
- On the permissions page, if the list is inheriting permissions from the parent, we have to break the permission inheritance. Click on the “Stop inheriting Permissions” button.
- Now, from the ribbon, click the “Grant Permissions” button from the Grant group.
- In the Share dialog box, in the designated text box, enter names or email addresses.
- Click the Show Options button and then specify the email invitation option, appropriate permission level such as edit.
- Click Share
This provides permission to a given user on the selected list or library.
SharePoint Online – PowerShell to Grant permissions to List or Library to a User or Group
List permissions can be manipulated with PowerShell. Here is the typical SharePoint Online set permissions PowerShell script: This script grants permission to an existing SharePoint group to the given list.
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
#Configuration Parameters
$SiteURL= "https://crescent.sharepoint.com/sites/Projects/"
$ListName="Project Documents"
$GroupName="Project Members"
$PermissionLevel="Read"
#Setup Credentials to connect
$Cred = Get-Credential
$Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)
Try {
#Setup the context
$Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Ctx.Credentials = $Cred
#Get the web and List
$Web=$Ctx.Web
$List=$web.Lists.GetByTitle($ListName)
#Break Permission inheritence - keep existing list permissions & Item level permissions
$List.BreakRoleInheritance($True,$True)
$Ctx.ExecuteQuery()
Write-host -f Yellow "Permission inheritance broken..."
#Get the group or user
$Group =$Web.SiteGroups.GetByName($GroupName) #For User: $Web.EnsureUser('[email protected]')
$Ctx.load($Group)
$Ctx.ExecuteQuery()
#Grant permission to Group
#Get the role required
$Role = $web.RoleDefinitions.GetByName($PermissionLevel)
$RoleDB = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
$RoleDB.Add($Role)
#Assign list permissions to the group
$Permissions = $List.RoleAssignments.Add($Group,$RoleDB)
$List.Update()
$Ctx.ExecuteQuery()
Write-Host "Added $PermissionLevel permission to $GroupName group in $ListName list. " -foregroundcolor Green
}
Catch {
write-host -f Red "Error Granting Permissions!" $_.Exception.Message
}
We can also set document library permissions in SharePoint Online using PnP PowerShell. If you want to grant permission to a new AD Group/Office 365 group, use:
#Config Variables
$GroupName ="[email protected]" #Or Group ID
#Resolve the Group
$Group = $Web.EnsureUser($GroupName)
$Ctx.load($Group)
$Ctx.ExecuteQuery()
SharePoint Online: Add Permission to List using PnP PowerShell
Let us use PnP PowerShell to add permissions to the SharePoint Online list.
#Config Variables
$SiteURL = "https://Crescent.sharepoint.com/sites/Marketing"
$ListName ="Projects"
$UserID="[email protected]"
$GroupName = "Marketing Members"
#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
#Break Permission Inheritance of the List
Set-PnPList -Identity $ListName -BreakRoleInheritance -CopyRoleAssignments
#Grant permission on List to User
Set-PnPListPermission -Identity $ListName -AddRole "Edit" -User $UserID
#Grant permission on list to Group
Set-PnPListPermission -Identity $ListName -AddRole "Read" -Group $GroupName
Similarly, you can use this PowerShell to assign permissions to a group on the list:
Set-PnPGroupPermissions -Identity $GroupName -List ListName -AddRole Contribute
To remove user or group from list permissions: SharePoint Online: Remove User or Group from List Permissions using PowerShell
$UserID=”[email protected]”
#Grant permission on List to User
Set-PnPListPermission -Identity $ListName -AddRole “Edit” -User $UserID
How do I add multiple/bulk users to the list/library?
You can wrap them inside an Array and call the cmdlet as:
$UserIDs= @(“[email protected]”, “[email protected]”, “[email protected]”)
#Grant permission on List
$UserIDs | ForEach-Object { Set-PnPListPermission -Identity $ListName -AddRole “Edit” -User $_ }
CSV methods also works.
Hello! Thank you for the article!
I tried to add a office 365 group to the SP document library but I keep getting group cannot be found. I used the non PNP script you provided and added a for each loop as I have 82 sites and 3 office 365 groups that I need to add with visitor (read) permission. could you please help?
The CSOM script just grants permission to an existing group! If you want to add a new group from AD, Use:
#Resolve the Group
$Group = $Web.EnsureUser($GroupName) #[email protected]
$Ctx.load($Group)
$Ctx.ExecuteQuery()
Hi.
Does groups need to be mail enabled? i keeps getting error that the group dont exist, but if i use the gui i can ad it?
No! But Group must be created already in SharePoint.