SharePoint Online: Create Permission Level using PowerShell

Requirement: Create a new permission level in a SharePoint Online site collection for contribute without delete permissions.

SharePoint Online Permission Levels:
SharePoint permission levels are sets of actions a user can perform in SharePoint, packaged as a group to make permission management easier. So, instead of granting individual permissions to users and groups, you pick a permission level and assign it to the user (or add the user to a group that has a specific permission level associated). There are default permission levels included in SharePoint, such as:
  • Full Control - For Site collection owners. This permission level includes all available permissions and grants assigned users admin-level access to the site and all its resources.
  • Design - The Design permission level provides the ability to manage lists, libraries, and pages within a SharePoint site, as well as approve content and manage the site's look and feel.
  • Manage Hierarchy - Lets you create and manage subsites in addition to edit rights.
  • Edit - Assigned to members of the site. Enables associated users to create and manage lists and libraries and their content.
  • Approve - The Approve permission level grants the ability to edit and approve pages, list items, and documents when content is configured to require approval.
  • Contribute - This permission level provides the ability to view, add, update, and delete list items and documents. 
  • Read - The Read permission level provides read-only access to site resources. 
  • Limited Access - This permission can't be manually set. It is assigned by SharePoint automatically when access is granted to a lower-level object without giving access to its parent.
  • View Only - View Only permission is similar to Read. It lets users view files, but users cannot download them.
Never edit or delete any OOTB permission levels in SharePoint! If needed, you can copy any existing permission level and make amendments to the copy!

How to create a permission level in SharePoint Online?
A "Contribute without delete" permission level is often required in real-world scenarios. Let's say you want your users to be able to add files to the library but not delete files from the library. To achieve this, we can simply copy the "Contribute" permission level and take off the "Delete Items" permission from it! To create a new permission level in SharePoint Online, follow these steps:
  • Go to the Site Settings >> Click on Site Permissions
  • Click on Permission Levels button from the ribbon
This takes you to the page that lists all default permission levels available in SharePoint with their corresponding descriptions. Now you can either Add a Permission Level, or click on any existing permission level, Copy it, and then edit the new permission level to fit your requirements.

Do not change any default permission levels such as "Full Control" or "Contribute".

SharePoint Online PowerShell to Create Permission Level 
Here is how to create a custom permission level in SharePoint Online using PowerShell.
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

##Variables for Processing
$SiteUrl = ""
$SourcePermissionLevelName ="Contribute"
$TargetPermissionLevelName ="Contribute Without Delete"

Try {
    #Get Credentials to connect
    $Cred = Get-Credential
    $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteUrl)
    $Ctx.Credentials = $Credentials
    $Web = $Ctx.Web

    #Get the source permission level (nothing is retrieved until ExecuteQuery runs)
    $RoleDefinitions = $Web.RoleDefinitions
    $Ctx.Load($RoleDefinitions)
    $SourceRoleDefinition = $RoleDefinitions.GetByName($SourcePermissionLevelName)
    $Ctx.Load($SourceRoleDefinition)
    $Ctx.ExecuteQuery()

    #Get base permissions from the source and remove "Delete"
    #(the same two rights the PnP variant further down excludes)
    $TargetBasePermissions = $SourceRoleDefinition.BasePermissions
    $TargetBasePermissions.Clear([Microsoft.SharePoint.Client.PermissionKind]::DeleteListItems)
    $TargetBasePermissions.Clear([Microsoft.SharePoint.Client.PermissionKind]::DeleteVersions)

    #Check if the given permission level exists already!
    $TargetPermissionLevel = $RoleDefinitions | Where-Object { $_.Name -eq $TargetPermissionLevelName }
    If($null -eq $TargetPermissionLevel)
    {
        #Create new permission level from source permission level
        $PermissionCreationInfo = New-Object Microsoft.SharePoint.Client.RoleDefinitionCreationInformation
        $PermissionCreationInfo.Name = $TargetPermissionLevelName
        $PermissionCreationInfo.Description = $TargetPermissionLevelName
        $PermissionCreationInfo.BasePermissions = $TargetBasePermissions

        #Add the role definition to the site
        $TargetPermissionLevel = $Web.RoleDefinitions.Add($PermissionCreationInfo)
        $Ctx.ExecuteQuery()
        Write-host "New Permission Level Created Successfully!" -ForegroundColor Green
    }
    Else
    {
        Write-host "Permission Level Already Exists!" -ForegroundColor Red
    }
}
Catch {
    write-host -f Red "Error Creating Permission Level!" $_.Exception.Message
}
This script copies an existing permission level to create the new one. Instead of copying an existing permission level and manipulating it, you can also create a new permission level from scratch.
#Create base Permission set
$Permissions = New-Object Microsoft.SharePoint.Client.BasePermissions
#Add permissions to it

SharePoint Online: PnP PowerShell to Create Permission Level
Let's create a new permission level "Contribute without Delete" by copying the Contribute permission level and removing the delete capabilities from it.
#Set Variables
$SiteURL = ""

#Connect to PNP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)

#Get Permission level to copy
$ContributeRole = Get-PnPRoleDefinition -Identity "Contribute"

#Create a custom Permission level and exclude delete from contribute 
Add-PnPRoleDefinition -RoleName "Contribute without Delete" -Clone $ContributeRole -Exclude DeleteListItems, DeleteVersions -Description "Contribute without delete permission"
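
To confirm the new level grants only what was intended, the following added example (not part of the original article) compares "Contribute without Delete" with "Contribute" and fails if a delete right is still present or if the copy grants anything the source does not. It assumes the PnP PowerShell module and the same connection method used above; the function name Get-RolePermissionKinds and the variable names are hypothetical.

```powershell
#Added example, not from the original article
$SiteURL      = ""    #Left blank as in the article; set to the site to check
$SourceName   = "Contribute"
$CustomName   = "Contribute without Delete"
$MustBeAbsent = @("DeleteListItems", "DeleteVersions")

Function Get-RolePermissionKinds($Role) {
    #Resolve the PermissionKind enum from the assembly the role object came from
    $KindType = $Role.GetType().Assembly.GetType("Microsoft.SharePoint.Client.PermissionKind")
    #Expand the BasePermissions bit mask into the individual right names it contains
    [Enum]::GetValues($KindType) |
        Where-Object { $_.ToString() -notin @("EmptyMask", "FullMask") -and $Role.BasePermissions.Has($_) } |
        ForEach-Object { $_.ToString() }
}

Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
$Source = Get-PnPRoleDefinition -Identity $SourceName
$Custom = Get-PnPRoleDefinition -Identity $CustomName -ErrorAction SilentlyContinue

If ($null -eq $Custom) {
    Write-Host "Permission level '$CustomName' not found on $SiteURL" -ForegroundColor Yellow
}
Else {
    $SourceKinds = @(Get-RolePermissionKinds $Source)
    $CustomKinds = @(Get-RolePermissionKinds $Custom)

    #Rights that must not be present in the custom level
    $Leftover = @($CustomKinds | Where-Object { $_ -in $MustBeAbsent })
    #Rights the custom level has that the source does not (unexpected widening)
    $Extra    = @($CustomKinds | Where-Object { $_ -notin $SourceKinds })
    #Rights removed relative to the source (expected to match $MustBeAbsent)
    $Removed  = @($SourceKinds | Where-Object { $_ -notin $CustomKinds })

    Write-Host "Removed relative to '$SourceName': $($Removed -join ', ')"
    If ($Leftover.Count -gt 0 -or $Extra.Count -gt 0) {
        Write-Host "FAIL: leftover=[$($Leftover -join ', ')] extra=[$($Extra -join ', ')]" -ForegroundColor Red
    }
    Else {
        Write-Host "OK: '$CustomName' has no delete rights and nothing beyond '$SourceName'" -ForegroundColor Green
    }
}
```

Permission levels are additive: a user who also holds Contribute or Edit on the same object through another group or a direct grant can still delete, so review group membership as well as the level itself.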

Create Custom Permission Level for All Site Collections in the Tenant 
How about creating a custom permission level on all sites in the tenant?
$Domain = "CrescentIntranet" #Domain name in SharePoint Online
$NewPermissionLevelName = "Contribute without Delete"
$BasePermissionLevelName = "Contribute"

#Frame Tenant URL and Tenant Admin URL (standard SharePoint Online URL format)
$TenantURL = "https://${Domain}.sharepoint.com"
$TenantAdminURL = "https://${Domain}-Admin.sharepoint.com"

#Get Credentials to connect
$Cred = Get-Credential

#Connect to Admin Center
Connect-PnPOnline -Url $TenantAdminURL -Credentials $Cred

#Get All Site collections - Filter BOT and MySite Host
$Sites = Get-PnPTenantSite -Filter "Url -like '$TenantURL'"

#Iterate through all site collections
$Sites | ForEach-Object {
    #Connect to each site collection
    $SiteConn = Connect-PnPOnline -Url $_.URL -Credentials $Cred -ReturnConnection

    #Check if the given permission level exists already!
    #Pass -Connection so the cmdlets run against this site, not the Admin Center connection
    $NewPermissionLevel = Get-PnPRoleDefinition -Connection $SiteConn | Where-Object { $_.Name -eq $NewPermissionLevelName }
    If($null -eq $NewPermissionLevel)
    {
        #Get Permission level to copy
        $BaseRoleDefinition = Get-PnPRoleDefinition -Identity $BasePermissionLevelName -Connection $SiteConn

        #Create a custom Permission level and exclude delete from contribute
        Add-PnPRoleDefinition -RoleName $NewPermissionLevelName -Clone $BaseRoleDefinition -Exclude DeleteListItems, DeleteVersions -Description "Contribute without delete permission" -Connection $SiteConn | Out-Null
        Write-host "Created Permission Level at $($_.URL)" -f Green
    }
    Else
    {
        Write-host "Permission Level Already Exists at $($_.URL)" -ForegroundColor Yellow
    }
    Disconnect-PnPOnline -Connection $SiteConn
}


  1. Hi!

    Is it possible to create a SharePoint permission level that can contribute but only view own files in a document library?


  2. Hi

    You've shown how to create a permission level thru the administrator UI but also how to do it with a powershell script. Are these just two alternative ways of doing the same thing?

    1. Yes, it's just two ways to do the same! When you need to automate-repeat use PowerShell.

