SharePoint Online: Get All List Items with Unique Permissions using PowerShell

Requirement: Get All SharePoint Online List Items with Unique Permissions using PowerShell

How to check if a list item has unique permissions or is inheriting permissions from the parent?

To check whether a SharePoint Online list item or a file in a document library has unique permissions, follow these steps:

  • Navigate to the list/library and then select the list item.
  • From the details pane, click on the “Manage Access” link (in Classic experience, click on “Advanced” >> “Shared With”) and then click on the “Advanced” link.
  • This takes you to the Advanced permissions page of the list item, which tells you whether the list item has unique permissions or is inheriting permissions from the parent. E.g., you’ll get the text “This list item has unique permissions”.

SharePoint Online: PowerShell to Get All List Items with Unique Permissions:

Let’s get all list items with unique permissions using PowerShell.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Function to call a non-generic method Load
Function Invoke-LoadMethod() {
   param([Microsoft.SharePoint.Client.ClientObject]$Object = $(throw "Please provide a Client Object"),[string]$PropertyName) 
   $ctx = $Object.Context
   $load = [Microsoft.SharePoint.Client.ClientContext].GetMethod("Load") 
   $type = $Object.GetType()
   $clientLoad = $load.MakeGenericMethod($type)  
   $Parameter = [System.Linq.Expressions.Expression]::Parameter(($type), $type.Name)
   $Expression = [System.Linq.Expressions.Expression]::Lambda([System.Linq.Expressions.Expression]::Convert([System.Linq.Expressions.Expression]::PropertyOrField($Parameter,$PropertyName),[System.Object] ), $($Parameter))
   $ExpressionArray = [System.Array]::CreateInstance($Expression.GetType(), 1)
   $ExpressionArray.SetValue($Expression, 0)
   $clientLoad.Invoke($ctx,@($Object,$ExpressionArray))
}
 
#Define Parameter values
$SiteURL="https://crescent.sharepoint.com/sites/PMO"
$ListName="Projects"
 
Try {
    #Setup Credentials to connect
    $Cred= Get-Credential
    $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
 
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = $Credentials
         
    #Get the list by its title
    $List = $Ctx.Web.Lists.GetByTitle($ListName)
    $Ctx.Load($List)
    $Ctx.ExecuteQuery()
    Write-host "Total List Items Found:"$List.ItemCount

    #Query to Get 2000 items from the list
    $Query = New-Object Microsoft.SharePoint.Client.CamlQuery
    $Query.ViewXml = "<View Scope='RecursiveAll'><RowLimit>2000</RowLimit></View>"
 
    #Batch process list items - to mitigate list threshold issue on larger lists
    Do {  
        $ListItems = $List.GetItems($Query)
        $Ctx.Load($ListItems)
        $Ctx.ExecuteQuery()

        $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition
  
        #Loop through each List item
        ForEach($ListItem in $ListItems)
        {
            Invoke-LoadMethod -Object $ListItem -PropertyName "HasUniqueRoleAssignments"
            $Ctx.ExecuteQuery()
            if ($ListItem.HasUniqueRoleAssignments -eq $true)
            {        
                Write-Host -f Green "List Item '$($ListItem["Title"])' with ID '$($ListItem.ID)' has Unique Permissions"
            }
            else
            {
                Write-Host -f Yellow "List Item '$($ListItem["Title"])' with ID '$($ListItem.ID)' is inheriting Permissions from the Parent"
            }
        }
    } While ($Query.ListItemCollectionPosition -ne $null)
 
}
Catch {
    write-host -f Red "Error Checking Unique Permissions!" $_.Exception.Message
}

Find Unique Permissions in SharePoint Online List using PnP PowerShell

We can search for unique permissions in the SharePoint Online list or library with PnP PowerShell as well.

#Set Variables
$SiteURL = "https://crescent.sharepoint.com/sites/PMO"
$ListName = "Projects"
  
#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Interactive

#Get all list items in batches
$ListItems = Get-PnPListItem -List $ListName -PageSize 2000
 
#Iterate through each list item
ForEach($ListItem in $ListItems)
{
    #Check if the Item has unique permissions
    $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
    If($HasUniquePermissions)
    {
        Write-Host -f Green "List Item '$($ListItem["Title"])' with ID '$($ListItem.ID)' has Unique Permissions"
    }
    Else
    {
        Write-Host -f Yellow "List Item '$($ListItem["Title"])' with ID '$($ListItem.ID)' is inheriting Permissions from its Parent"
    }    
}
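
Knowing that an item has broken inheritance is only half of a permission review. The following added example (not part of the original post) extends the PnP script above to record which users or groups hold access on each uniquely permissioned item, and at what level, and exports the result to a CSV. The `$ReportFile` path is an assumed placeholder.

```powershell
# Added example: report who holds access on each item with unique permissions.
$SiteURL    = "https://crescent.sharepoint.com/sites/PMO"
$ListName   = "Projects"
$ReportFile = "C:\Temp\UniquePermissions.csv"   # assumed output path

Connect-PnPOnline -Url $SiteURL -Interactive

$Report = New-Object System.Collections.Generic.List[object]

# Page through the list 2000 items at a time
$ListItems = Get-PnPListItem -List $ListName -PageSize 2000

ForEach ($ListItem in $ListItems)
{
    # Skip items that still inherit permissions from the parent
    $HasUnique = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
    If (-not $HasUnique) { Continue }

    # Load the role assignments defined directly on this item
    Get-PnPProperty -ClientObject $ListItem -Property "RoleAssignments" | Out-Null

    ForEach ($RoleAssignment in $ListItem.RoleAssignments)
    {
        # Load the principal and the permission levels bound to it
        Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member | Out-Null

        # "Limited Access" is a system-assigned level, not a grant on the item itself
        $Levels = @($RoleAssignment.RoleDefinitionBindings |
            Where-Object { $_.Name -ne "Limited Access" } |
            ForEach-Object { $_.Name })
        If ($Levels.Count -eq 0) { Continue }

        $Report.Add([PSCustomObject]@{
            ItemID        = $ListItem.Id
            Path          = $ListItem["FileRef"]
            ObjectType    = $ListItem.FileSystemObjectType
            Principal     = $RoleAssignment.Member.Title
            LoginName     = $RoleAssignment.Member.LoginName
            PrincipalType = $RoleAssignment.Member.PrincipalType
            Permissions   = $Levels -join "; "
        })
    }
}

# One row per principal per item
$Report | Export-Csv -Path $ReportFile -NoTypeInformation -Encoding UTF8
Write-Host -f Green "Exported $($Report.Count) role assignments to $ReportFile"
```

Each row names one principal on one item, so a SharePoint group appears as a single row; its members are not expanded.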

To remove unique permissions from all list items in SharePoint Online, use: SharePoint Online: Delete Unique Permissions for All Items in a List using PowerShell

Salaudeen Rajack


5 thoughts on “SharePoint Online: Get All List Items with Unique Permissions using PowerShell”

  • Thanks for your insight and efforts Salaudeen.
    I’m still managing a SharePoint 2010 farm, as well as SPO, and I need to be able to add people (or a group) to every document that has unique permissions in a library.
    It’s a Business Intelligence Centre site template used to provide SSRS reports and the reports within are categorised and secured based on those categorisations. Site Owners and the AD Group that relates to each category have got Read access and, as part of a new project, I need to grant another team access to those reports.
    Because they’re not inheriting the library permissions I can’t add these people to a group without them becoming Site Owners, which I don’t want, and having to get them added to each and every AD group is also very unattractive.
    Do you have any info on a script that I could use to add each of these accounts to the unique permissions on each object in the library?

  • Your scripts are great, but I have been trying to narrow down the ability to export SharePoint list items with not just the group permissions, but the member of each group.

    I need to find out what user has permissions to a list item. Ideally, I’m trying to export a csv that would list an item, what group or user has access to it, and at what level.

    Can you help?

  • Hi there. Thank you for posting so many awesome PowerShell scripts. They are so very helpful.
    I have been using this one named “SharePoint Online: PowerShell to Get All List Items with Unique Permissions” and I get the dreaded error: “The attempted operation is prohibited because it exceeds the list view threshold enforced by the administrator.”

    My List has over 500,000 items in it with over 10,000 folders having unique permissions on each. I don’t understand why it is not batching the results in bundles of 2000. The error happens on the executions of the caml query (regardless of the limit I specify 2000 or less).

    Any ideas?

    • Hi There,
      CSOM Script has been updated to handle large lists. Please try now! You can also use the PnP PowerShell method.
