SharePoint Online: Get All List Items with Unique Permissions using PowerShell

Requirement: Get All SharePoint Online List Items with Unique Permissions using PowerShell

How to check if a list item is using unique permissions or inheriting permissions from the parent?
To check whether a SharePoint Online list item or a file in a document library has unique permissions, follow these steps:
  • Navigate to the list/library and then select the list item.
  • From the details pane, click on the "Manage Access" link (in the Classic experience, click on "Advanced" >> "Shared With") and then click on the "Advanced" link.
  • This takes you to the Advanced permissions page of the list item, which tells you whether the list item has unique permissions or is inheriting permissions from the parent. E.g., you'll get the text "This list item has unique permissions".

SharePoint Online: PowerShell to Get All List Items with Unique Permissions:
Let's get all list items with unique permissions using PowerShell.
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Function to call a non-generic method Load
Function Invoke-LoadMethod() {
   param([Microsoft.SharePoint.Client.ClientObject]$Object = $(throw "Please provide a Client Object"),[string]$PropertyName) 
   $ctx = $Object.Context
   $load = [Microsoft.SharePoint.Client.ClientContext].GetMethod("Load") 
   $type = $Object.GetType()
   $clientLoad = $load.MakeGenericMethod($type)  
   $Parameter = [System.Linq.Expressions.Expression]::Parameter(($type), $type.Name)
   $Expression = [System.Linq.Expressions.Expression]::Lambda([System.Linq.Expressions.Expression]::Convert([System.Linq.Expressions.Expression]::PropertyOrField($Parameter,$PropertyName),[System.Object] ), $($Parameter))
   $ExpressionArray = [System.Array]::CreateInstance($Expression.GetType(), 1)
   $ExpressionArray.SetValue($Expression, 0)
   $clientLoad.Invoke($ctx,@($Object,$ExpressionArray))
}
 
#Define Parameter values
$SiteURL="https://crescent.sharepoint.com/sites/PMO"
$ListName="Projects"
 
Try {
    #Setup Credentials to connect
    $Cred= Get-Credential
    $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
 
    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = $Credentials
         
    #Get the list by its title
    $List = $Ctx.Web.Lists.GetByTitle($ListName)
    $Ctx.Load($List)
    $Ctx.ExecuteQuery()
    Write-host "Total List Items Found:"$List.ItemCount

    #Query to Get 2000 items from the list
    $Query = New-Object Microsoft.SharePoint.Client.CamlQuery
    $Query.ViewXml = "<View Scope='RecursiveAll'><RowLimit>2000</RowLimit></View>"
 
    #Batch process list items - to mitigate list threshold issue on larger lists
    Do {  
        $ListItems = $List.GetItems($Query)
        $Ctx.Load($ListItems)
        $Ctx.ExecuteQuery()

        $Query.ListItemCollectionPosition = $ListItems.ListItemCollectionPosition
  
        #Loop through each List item
        ForEach($ListItem in $ListItems)
        {
            Invoke-LoadMethod -Object $ListItem -PropertyName "HasUniqueRoleAssignments"
            $Ctx.ExecuteQuery()
            if ($ListItem.HasUniqueRoleAssignments -eq $true)
            {        
                Write-Host -f Green "List Item '$($ListItem["Title"])' with ID '$($ListItem.ID)' has Unique Permissions"
            }
            else
            {
                Write-Host -f Yellow "List Item '$($ListItem["Title"])' with ID '$($ListItem.ID)' is inheriting Permissions from the Parent"
            }
        }
    } While ($Query.ListItemCollectionPosition -ne $null)
 
}
Catch {
    write-host -f Red "Error Checking Unique Permissions!" $_.Exception.Message
}

Find Unique Permissions in SharePoint Online List using PnP PowerShell
We can search for unique permissions in a SharePoint Online list or library with PnP PowerShell as well.
#Set Variables
$SiteURL = "https://crescent.sharepoint.com/sites/PMO"
$ListName = "Projects"
  
#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -UseWebLogin

#Get all list items in batches
$ListItems = Get-PnPListItem -List $ListName -PageSize 2000
 
#Iterate through each list item
ForEach($ListItem in $ListItems)
{
    #Check if the Item has unique permissions
    $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
    If($HasUniquePermissions)
    {
        Write-Host -f Green "List Item '$($ListItem["Title"])' with ID '$($ListItem.ID)' has Unique Permissions"
    }
    Else
    {
        Write-Host -f Yellow "List Item '$($ListItem["Title"])' with ID '$($ListItem.ID)' is inheriting Permissions from its Parent"
    }    
}
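
For a permissions review, it usually matters who holds access on each uniquely permissioned item, not only which items break inheritance. The following is an added example, not part of the original post: it extends the PnP PowerShell script above to write one CSV row per item and principal. It assumes the PnP.PowerShell module is installed, that $ReportPath (a hypothetical output path) is writable, and that the site is in English, so the system-granted level is named "Limited Access".

```powershell
#Set Variables (same placeholder site and list as above; $ReportPath is a hypothetical output path)
$SiteURL    = "https://crescent.sharepoint.com/sites/PMO"
$ListName   = "Projects"
$ReportPath = ".\UniquePermissionsReport.csv"

#Connect to PnP Online (same connection method as the script above)
Connect-PnPOnline -Url $SiteURL -UseWebLogin

#Collect one row per (item, principal) for items that break inheritance
$Report = @(ForEach ($ListItem in (Get-PnPListItem -List $ListName -PageSize 2000))
{
    #Skip items that inherit permissions from their parent
    $HasUniquePermissions = Get-PnPProperty -ClientObject $ListItem -Property "HasUniqueRoleAssignments"
    If (-not $HasUniquePermissions) { Continue }

    #Load the role assignments set directly on this item
    $RoleAssignments = Get-PnPProperty -ClientObject $ListItem -Property "RoleAssignments"
    ForEach ($RoleAssignment in $RoleAssignments)
    {
        #Load the principal and the permission levels bound to it
        Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member | Out-Null

        #Drop "Limited Access" (assumption: English site), which SharePoint grants implicitly
        $Levels = ($RoleAssignment.RoleDefinitionBindings |
                    Where-Object { $_.Name -ne "Limited Access" } |
                    ForEach-Object { $_.Name }) -join "; "
        If (-not $Levels) { Continue }

        [PSCustomObject]@{
            ItemID        = $ListItem.Id
            Path          = $ListItem["FileRef"]
            ObjectType    = $ListItem.FileSystemObjectType
            Principal     = $RoleAssignment.Member.Title
            PrincipalType = $RoleAssignment.Member.PrincipalType
            LoginName     = $RoleAssignment.Member.LoginName
            Permissions   = $Levels
        }
    }
})

#Write the report and summarize
$Report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
$ItemCount = @($Report | Select-Object -ExpandProperty ItemID -Unique).Count
Write-Host -f Green "Exported $($Report.Count) role assignments on $ItemCount items to $ReportPath"
```

Sorting the CSV by PrincipalType and Principal makes direct user grants and sharing-link groups stand out from regular SharePoint groups.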

To remove unique permissions from all list items in SharePoint Online, use: SharePoint Online: Delete Unique Permissions for All Items in a List using PowerShell

2 comments:

  1. Hi there. Thank you for posting so many awesome PowerShell scripts. They are so very helpful.
    I have been using this one named "SharePoint Online: PowerShell to Get All List Items with Unique Permissions" and I get the dreaded error: "The attempted operation is prohibited because it exceeds the list view threshold enforced by the administrator."

    My List has over 500,000 items in it with over 10,000 folders having unique permissions on each. I don't understand why it is not batching the results in bundles of 2000. The error happens on the executions of the caml query (regardless of the limit I specify 2000 or less).

    Any ideas?

    1. Hi There,
      CSOM Script has been updated to handle large lists. Please try now! You can also use the PnP PowerShell method.
