SharePoint Online: Change Group Permissions using PowerShell

Requirement: SharePoint Online Edit Group Permissions.

How to Update Permissions for a SharePoint Group?

In this blog post, we will look at how to change permissions for groups in SharePoint Online step-by-step, We’ll also show you how to use PowerShell to change group permissions which can be very useful if you need to quickly grant or revoke permissions for a group of users.

To edit group permissions in SharePoint Online, follow these steps:

  • Login to your SharePoint Online site as an administrator >> On the site collection Home page, click on Settings icon >> Click Site settings.
  • On the Site Settings page, under Users and Permissions, click on Site permissions.
  • Select the check box of the group to which you want to change permissions (either to grant additional rights or to revoke existing permissions).
  • In the Modify section of the ribbon, click on “Edit User Permissions” button.
    sharepoint online edit group permissions
  • On the Edit Permissions page, select/deselect the group permission check boxes according to your requirement. You can simply tick a checkbox next to permission levels such as “Contribute” to grant permission or uncheck to remove permission from the group.
    SharePoint Online Change Group Permissions using powershell
  • Click OK to save permission changes to the group.

Now, let’s edit group permissions using PowerShell.

SharePoint Online: Change Group Permission Level using PowerShell

The Set-SPOSiteGroup cmdlet lets you modify the properties of an existing SharePoint Online security group in a site collection. E.g. You may wish to edit group permissions of a specific group, you’ll need to use this cmdlet to do it.

You can Add-Remove permission(s) on a group inside a site collection:

#Variables for Admin Center & Site Collection URL
$AdminCenterURL = "https://crescenttech-admin.sharepoint.com/"
$SiteURL = "https://crescenttech.sharepoint.com/sites/marketing"

#Connect to SharePoint Online
Connect-SPOService -url $AdminCenterURL -Credential (Get-Credential)

#sharepoint online change group permissions
Set-SPOSiteGroup -Site $SiteURL -Identity "Marketing Managers" -PermissionLevelsToRemove "Edit" -PermissionLevelsToAdd "Contribute"

This PowerShell script modifies the permissions level of a custom security group called “Marketing Managers” on your SharePoint Online site collection, by removing the current “Edit” permission that the group has and granting “Contribute” permission to it.

PowerShell CSOM Script to Change Group Permissions in SharePoint Online:

For the members group of the site, let’s remove “Edit” permissions and add “Contribute”

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Variables for Processing
$SiteURL = "https://crescent.sharepoint.com/Sites/marketing"
$GroupName="Marketing Team Site Members"
$PermissionToRemove="Edit"
$PermissionToAdd="Contribute"

#Setup Credentials to connect
$Cred = Get-Credential
$Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = $Cred

    #Get all groups of the site
    $Groups = $Ctx.Web.SiteGroups
    $Ctx.load($Groups)
    $Ctx.ExecuteQuery()
    
    #Get Group Names
    $GroupNames =  $Groups | Select -ExpandProperty Title
    
    #Check if the given group exists
    If($GroupNames -contains $GroupName)
    {
        #Get the Group
        $Group = $ctx.Web.SiteGroups.GetByName($GroupName)

        #Get Permission Levels to add and remove
        $RoleDefToAdd = $Ctx.web.RoleDefinitions.GetByName($PermissionToAdd)
        $RoleDefToRemove = $Ctx.web.RoleDefinitions.GetByName($PermissionToRemove)
        
        #Get the Group's role assignment on the web
        $RoleAssignment = $Ctx.web.RoleAssignments.GetByPrincipal($Group)
        
        #Add/remove permission levels to the role assignment
        $RoleAssignment.RoleDefinitionBindings.Add($RoleDefToAdd)
        $RoleAssignment.RoleDefinitionBindings.Remove($RoleDefToRemove)
        $RoleAssignment.Update()
        $Ctx.ExecuteQuery()

        write-host  -f Green "User Group permissions updated Successfully!"
    }
    else
    {
        Write-host -f Yellow "Group Doesn't exist!"
    }
}
Catch {
    write-host -f Red "Error Changing Group Permissions!" $_.Exception.Message
}

PnP PowerShell to Change Group Permissions in SharePoint Online

Let’s add “Contribute” permissions and remove “Edit” permissions from a group:

#Config Variables
$SiteURL = "https://crescenttech.sharepoint.com/Sales"
$GroupName="Sales Portal Members"
 
#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)

#Set Group Permissions: Remove "Edit" and Add "Contribute"
Set-PnPGroup -Identity $GroupName -AddRole "Contribute" -RemoveRole "Edit" 

You can also use the Set-PnPGroupPermissions to set permissions of a SharePoint Online Group:

#Connect to the Site
Connect-PnPOnline -Url "https://crescentintranet.sharepoint.com/sites/Purchase"

#Get the Associated - Default Members Group
$MembersGroup = Get-PnPGroup -AssociatedMemberGroup

#Change Group Permissions  - Replace Edit with Contribute
Set-PnPGroupPermissions -Identity $MembersGroup -RemoveRole "Edit" -AddRole "Contribute"

Similarly, to add or remove permission to a SharePoint user, you can refer to: SharePoint Online: Change User Permissions using PowerShell

Salaudeen Rajack

Salaudeen Rajack is a SharePoint Architect with Two decades of SharePoint Experience. He loves sharing his knowledge and experiences with the SharePoint community, through his real-world articles!

7 thoughts on “SharePoint Online: Change Group Permissions using PowerShell

  • Hi Team, This is an excellent article. Thank you.
    Let me ask you, is there a way to get what List permissions, site permissions, manage permissions are in a permission level(permissions included in the permission level.

    Reply
  • Hi,

    I have an O365 group and would like to be added to Members SP group of site collection stored in a csv? any ideas?

    Reply
  • Hi Salaudeen, this blog is amazing and finding solutions to lot of things that I’m trying to achieve. Thank you so much for helping noobs like me to achieve the goal.

    I’m trying to change multiple subfolder permission for the default group. is this possible?
    for example; we have a private teams channel called Marketing. the document library of the marketing site that comes along with the channel has subfolders called A, B, C etc and these folder has multiple subfolders called m, n, o, p etc.
    /shared%20documents/marketing/A/m
    /shared%20documents/marketing/A/n
    /shared%20documents/marketing/A/o
    /shared%20documents/marketing/B/m
    /shared%20documents/marketing/B/n
    /shared%20documents/marketing/B/o
    before creating all these folder using script (there are 204 folder), I made the default group ‘Marketing members’ as Readonly for the root folder ‘marketing’ so the subfolders A, B etc can also be read only. Now, the sub-subfolder m,n,o etc are also read only but i want to change them to read-write so users can create content only in m,n,o etc and not under A,B,C etc.

    can it be done via script? if so, could you please help me?

    Reply
    • Well, You can use this PnP PowerShell script for your requirement:

      #Parameters
      $SiteURL = "https://crescent.sharepoint.com/sites/marketing"
      $ListName = "Shared Documents"
      $ParentFolderURL = "/shared documents/marketing"
         
      #Connect to PnP Online
      Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
      $Ctx = Get-PnPContext
      
      #Get 1st Level Folders from given parent Folder
      $Folders = Get-PnPFolderItem -ItemType Folder -FolderSiteRelativeUrl $ParentFolderURL 
      
      #Iterate through each 1st level folders
      ForEach($Folder in $Folders)
      {
          #Get Sub-folders of the 1st level folder
          $SubFolders =  $Folder.Folders
          $Ctx.load($SubFolders)
          $Ctx.ExecuteQuery()
      
          #Grant folder permissions to SharePoint Group on each sub-folder
          ForEach($SubFolder in $SubFolders)
          {
              Set-PnPFolderPermission -List $ListName -identity $SubFolder.ServerRelativeURL -AddRole "Edit" -Group "Marketing Members"
              Write-host "Granted Permission to "$SubFolder.ServerRelativeURL
          }
      }
      
      Reply
    • Thank you so much. I should’ve refreshed the page for your response but didn’t think I would receive response within an hour. anyways, I ran a script to delete all the folders and recreated all 12 folder and 204 sub folders using the script in the link which made me do a lot of work on excel. but your script would make it easier as its changing the permission. i’ll use it for future activities

      https://gallery.technet.microsoft.com/office/SharePoint-online-57f24eca#content

      Reply
  • Thanks Salaudeen, this is very helpful. I am not a developer so I couldn’t improvise on your script. But I am in need of a PS script to loop through all SPO site collections in the tenant and wherever a Group Name contains the word “Member” it removes the Edit permission level and adds the contribute permission level – do you think it is easily achievable, if so could you please help?

    Reply

Leave a Reply