SharePoint Online: Change Group Permissions using PowerShell

Requirement: SharePoint Online Change Group Permissions

How to Update permissions for a SharePoint group?
To edit group permissions in SharePoint Online, following these steps:
  • Login to your SharePoint Online site as a administrator >> On the site collection Home page, click on Settings icon >> Click Site settings.
  • On the Site Settings page, under Users and Permissions, click on Site permissions.
  • Select the check box of the group to which you want to change permissions (either to grant additional rights or to revoke existing permissions).
  • In the Modify section of the ribbon, click on "Edit User Permissions" button.
    sharepoint online edit group permissions
  • On the Edit Permissions page, select/deselect the group permission check boxes according to your requirement. You can simply tick a checkbox next to permission levels such as "Contribute" to grant permission or uncheck to remove permission from the group.
    SharePoint Online Change Group Permissions using powershell
  • Click OK to save permission changes to the group.

Now, Lets edit group permissions using PowerShell.

SharePoint Online: Change Group Permission Level using PowerShell
The Set-SPOSiteGroup cmdlet lets you modify properties of a existing SharePoint Online security groups in a site collection. E.g. You may wish to edit group permissions of a specific group, you'll need to use this cmdlet to do it.

You can Add-Remove permission(s) on a group inside a site collection:
#Variables for Admin Center & Site Collection URL
$AdminCenterURL = "https://crescenttech-admin.sharepoint.com/"
$SiteURL = "https://crescenttech.sharepoint.com/sites/marketing"

#Connect to SharePoint Online
Connect-SPOService -url $AdminCenterURL -Credential (Get-Credential)

#sharepoint online change group permissions
Set-SPOSiteGroup -Site $SiteURL -Identity "Marketing Managers" -PermissionLevelsToRemove "Edit" -PermissionLevelsToAdd "Contribute"
This PowerShell script modifies the permissions level of a custom security group called "Marketing Managers" on your SharePoint Online site collection, by removing the current "Edit" permission that the group has and grants "Contribute" permission to it.

PowerShell CSOM Script to Change Group Permissions in SharePoint Online:
For the members group of the site, lets remove "Edit" permissions and add "Contribute"
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Variables for Processing
$SiteURL = "https://crescent.sharepoint.com/Sites/marketing"
$GroupName="Marketing Team Site Members"
$PermissionToRemove="Edit"
$PermissionToAdd="Contribute"

#Setup Credentials to connect
$Cred = Get-Credential
$Cred = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.UserName,$Cred.Password)

Try {
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = $Cred

    #Get all groups of the site
    $Groups = $Ctx.Web.SiteGroups
    $Ctx.load($Groups)
    $Ctx.ExecuteQuery()
    
    #Get Group Names
    $GroupNames =  $Groups | Select -ExpandProperty Title
    
    #Check if the given group exists
    If($GroupNames -contains $GroupName)
    {
        #Get the Group
        $Group = $ctx.Web.SiteGroups.GetByName($GroupName)

        #Get Permission Levels to add and remove
        $RoleDefToAdd = $Ctx.web.RoleDefinitions.GetByName($PermissionToAdd)
        $RoleDefToRemove = $Ctx.web.RoleDefinitions.GetByName($PermissionToRemove)
        
        #Get the Group's role assignment on the web
        $RoleAssignment = $Ctx.web.RoleAssignments.GetByPrincipal($Group)
        
        #Add/remove permission levels to the role assignment
        $RoleAssignment.RoleDefinitionBindings.Add($RoleDefToAdd)
        $RoleAssignment.RoleDefinitionBindings.Remove($RoleDefToRemove)
        $RoleAssignment.Update()
        $Ctx.ExecuteQuery()

        write-host  -f Green "User Group permissions updated Successfully!"
    }
    else
    {
        Write-host -f Yellow "Group Doesn't exist!"
    }
}
Catch {
    write-host -f Red "Error Changing Group Permissions!" $_.Exception.Message
}
Similarly, to add or remove permission to a SharePoint user, you can refer: SharePoint Online: Change User Permissions using PowerShell

PnP PowerShell to Change Group Permissions in SharePoint Online
Let's add "Contribute" permissions and remove "Edit" permissions from a group:
#Config Variables
$SiteURL = "https://crescenttech.sharepoint.com/Sales"
$GroupName="Sales Portal Members"
 
#Connect to PNP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)

#Set Group Permissions: Remove "Edit" and Add "Contribute"
Set-PnPGroup -Identity $GroupName -AddRole "Contribute" -RemoveRole "Edit" 

5 comments:

  1. Thanks Salaudeen, this is very helpful. I am not a developer so I couldn't improvise on your script. But I am in need of a PS script to loop through all SPO site collections in the tenant and wherever a Group Name contains the word "Member" it removes the Edit permission level and adds the contribute permission level - do you think it is easily achievable, if so could you please help?

    ReplyDelete
    Replies
    1. So you want to replace the default member permissions from Edit to Contribute, isn't it? My another post written for SharePoint On-Prem could help you! Replace Edit Permissions with Contribute in SharePoint

      Delete
  2. Hi Salaudeen, this blog is amazing and finding solutions to lot of things that I'm trying to achieve. Thank you so much for helping noobs like me to achieve the goal.

    I'm trying to change multiple subfolder permission for the default group. is this possible?
    for example; we have a private teams channel called Marketing. the document library of the marketing site that comes along with the channel has subfolders called A, B, C etc and these folder has multiple subfolders called m, n, o, p etc.
    /shared%20documents/marketing/A/m
    /shared%20documents/marketing/A/n
    /shared%20documents/marketing/A/o
    /shared%20documents/marketing/B/m
    /shared%20documents/marketing/B/n
    /shared%20documents/marketing/B/o
    before creating all these folder using script (there are 204 folder), I made the default group 'Marketing members' as Readonly for the root folder 'marketing' so the subfolders A, B etc can also be read only. Now, the sub-subfolder m,n,o etc are also read only but i want to change them to read-write so users can create content only in m,n,o etc and not under A,B,C etc.

    can it be done via script? if so, could you please help me?

    ReplyDelete
    Replies
    1. Well, You can use this PnP PowerShell script for your requirement:

      #Parameters
      $SiteURL = "https://crescent.sharepoint.com/sites/marketing"
      $ListName = "Shared Documents"
      $ParentFolderURL = "/shared documents/marketing"

      #Connect to PnP Online
      Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
      $Ctx = Get-PnPContext

      #Get 1st Level Folders from given parent Folder
      $Folders = Get-PnPFolderItem -ItemType Folder -FolderSiteRelativeUrl $ParentFolderURL

      #Iterate through each 1st level folders
      ForEach($Folder in $Folders)
      {
      #Get Sub-folders of the 1st level folder
      $SubFolders = $Folder.Folders
      $Ctx.load($SubFolders)
      $Ctx.ExecuteQuery()

      #Grant folder permissions to SharePoint Group on each sub-folder
      ForEach($SubFolder in $SubFolders)
      {
      Set-PnPFolderPermission -List $ListName -identity $SubFolder.ServerRelativeURL -AddRole "Edit" -Group "Marketing Members"
      Write-host "Granted Permission to "$SubFolder.ServerRelativeURL
      }
      }

      Delete
    2. Thank you so much. I should've refreshed the page for your response but didn't think I would receive response within an hour. anyways, I ran a script to delete all the folders and recreated all 12 folder and 204 sub folders using the script in the link which made me do a lot of work on excel. but your script would make it easier as its changing the permission. i'll use it for future activities

      https://gallery.technet.microsoft.com/office/SharePoint-online-57f24eca#content

      Delete

Please Login and comment to get your questions answered!

Powered by Blogger.