SharePoint Online: Export Permissions of a Site, List, or Item using PowerShell

Requirement: Export permissions applied to a SharePoint Site, List, or List Item to a CSV report.

PowerShell to Export Permissions of a Site, List, List Item in SharePoint Online

Managing permissions is an important aspect of SharePoint Online site and list administration. Sometimes, you may need to export the permissions of a site, list, or item in SharePoint Online for backup or auditing purposes. PowerShell provides a powerful and efficient way to automate this process. In this article, we will discuss how to export permissions of a SharePoint Online site, list, or item using PowerShell.

This PowerShell script extracts and exports the permissions applied directly to the given object (not those on any underlying objects). For example, passing a list returns the permissions of that list only.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Get Permissions Applied on a particular Object, such as: Web, List or ListItem
Function Export-SPOPermissions([Microsoft.SharePoint.Client.SecurableObject]$Object, $ReportFile)
{
    #Write CSV (TAB Separated File) Header
    "Account `t Permissions `t Type" | out-file $ReportFile

    #Get permissions assigned to the object
    $Ctx.Load($Object.RoleAssignments)
    $Ctx.ExecuteQuery()

    Foreach($RoleAssignment in $Object.RoleAssignments)
    { 
            $Ctx.Load($RoleAssignment.Member)
            $Ctx.executeQuery()

            #Get the Permissions on the given object
            $Permissions=@()
            $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
            $Ctx.ExecuteQuery()
            Foreach ($RoleDefinition in $RoleAssignment.RoleDefinitionBindings)
            {
                $Permissions += $RoleDefinition.Name +";"
            }
            #Check the permission type
            if($RoleAssignment.Member.PrincipalType -eq "User")
            {
                #Send the Data to Report file
                "$($RoleAssignment.Member.Title)($($RoleAssignment.Member.LoginName)) `t $($Permissions) `t User Account" | Out-File $ReportFile -Append
            }
                
            ElseIf($RoleAssignment.Member.PrincipalType -eq "SharePointGroup")
            {
                #Send the Data to Report file
                "$($RoleAssignment.Member.LoginName)`t $($Permissions) `t SharePoint Group" | Out-File $ReportFile -Append
            }
            ElseIf($RoleAssignment.Member.PrincipalType -eq "SecurityGroup")
            {
                #Send the Data to Report file
                "$($RoleAssignment.Member.Title)`t $($Permissions) `t Security Group" | Out-File $ReportFile -Append
            }
    }
    Write-host -f Green "Permissions Exported to File $ReportFile!"
}

Try {
        #Set parameter values
        $SiteURL="https://crescent.sharepoint.com/sites/Ops"
        $ListName="Projects"
        $ListItemID="2"

        #Get Credentials to connect
        $Cred= Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
 
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials

        #Get the Web
        $Web = $Ctx.Web
        $Ctx.Load($Web)
        $Ctx.ExecuteQuery()

        #Call the function to Get web's permissions
        Write-host -f Yellow "Extracting Permissions of the Web $($Web.Url)..."
        Export-SPOPermissions -Object $Web -ReportFile "C:\Temp\WebPermissions.csv"

        #Get the List
        $List = $Ctx.web.Lists.GetByTitle($ListName)
        $Ctx.Load($List)
        $Ctx.ExecuteQuery()

        #Call the function to Get List's permissions
        Write-host -f Yellow "Extracting Permissions of the List $($List.Title)..."
        Export-SPOPermissions -Object $List -ReportFile "C:\Temp\ListPermissions.csv"

        #Get List Item by ID
        $ListItem = $List.GetItemById($ListItemID)  
        $Ctx.Load($ListItem)
        $Ctx.ExecuteQuery()

        #Call the function to Get List Item's permissions
        Write-host -f Yellow "Extracting Permissions of the List Item ID: $ListItemID..."
        Export-SPOPermissions -Object $ListItem -ReportFile "C:\Temp\ListItemPermissions.csv"
}
Catch {
        Write-host -f Red "Error Generating Permissions Report!" $_.Exception.Message
}

This exports SharePoint Online permissions using PowerShell. Here is a sample report generated:

[Screenshot: SharePoint Online permissions exported to Excel using PowerShell]

Expand SharePoint Groups and Export List Permissions using PowerShell

How about expanding each SharePoint Online group and exporting its members instead of just displaying the group name, so that you get exactly who has access to what? Here is the PowerShell to get SharePoint Online document library or list permissions.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
   
#Function to Export List Permissions to CSV
Function Export-SPOListPermission([String]$SiteURL, [String]$ListName, [String]$CSVPath)
{
    Try{
        #Get Credentials to connect
        $Cred= Get-Credential

        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
       
        #Get the List
        $List = $Ctx.Web.Lists.GetByTitle($ListName)
        $Ctx.Load($List)
        $Ctx.ExecuteQuery()
  
        #Get permissions assigned to the List
        $RoleAssignments = $List.RoleAssignments
        $Ctx.Load($RoleAssignments)
        $Ctx.ExecuteQuery()
  
        #Loop through each permission assigned and extract details
        $PermissionCollection = @()
        Foreach($RoleAssignment in $RoleAssignments)
        { 
            $Ctx.Load($RoleAssignment.Member)
            $Ctx.executeQuery()
  
            #Get the Principal Type: User, SP Group, AD Group
            $PermissionType = $RoleAssignment.Member.PrincipalType
  
            #Get the Permission Levels assigned
            $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
            $Ctx.ExecuteQuery()
            $PermissionLevels = ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name) -join ","
              
            #Get SharePoint group members
            If($PermissionType -eq "SharePointGroup")
            {
                #Get Group Members
                $Group = $Ctx.web.SiteGroups.GetByName($RoleAssignment.Member.LoginName)
                $Ctx.Load($Group)
                $GroupMembers= $Group.Users
                $Ctx.Load($GroupMembers)
                $Ctx.ExecuteQuery()
                Foreach ($Member in $GroupMembers)
                {
                    #Add the Data to Object
                    $Permissions = New-Object PSObject
                    $Permissions | Add-Member NoteProperty Name($Member.Title)
                    $Permissions | Add-Member NoteProperty Type($PermissionType)
                    $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)
                    $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
                    $PermissionCollection += $Permissions
                }
            }
            Else
            {
                #Add the Data to Object
                $Permissions = New-Object PSObject
                $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
                $Permissions | Add-Member NoteProperty Type($PermissionType)
                $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)
                $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
                $PermissionCollection += $Permissions
            }

        }
        $PermissionCollection
        
        #Export List Permissions to CSV File
        $PermissionCollection | Export-CSV $CSVPath -NoTypeInformation
        write-host -f Green "List Permissions Exported Successfully!"
    }
    Catch {
        Write-host -f Red "Error Exporting List Permissions!" $_.Exception.Message
    }
}

#Call the function to Export List Permissions
Export-SPOListPermission -SiteURL "https://Crescent.sharepoint.com/sites/Marketing" `
                         -ListName "Documents" -CSVPath "C:\Temp\ListPermissions.csv"
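
One way to review the CSV that Export-SPOListPermission writes, as an added example (not the author's code): it flags broad principals, direct grants to individual users and Full Control, then rolls the rows up per person. The function names Get-SPOPermissionFinding and Get-SPOEffectiveAccess, the sample rows, and the list of broad principals are assumptions made for illustration.

```powershell
# Added example: offline review of a report produced by Export-SPOListPermission.
# The rows below are constructed sample data in the same four-column layout.
$SampleCsv = @'
"Name","Type","PermissionLevels","GrantedThrough"
"Alice Adams","SharePointGroup","Full Control","SharePoint Group: Marketing Owners"
"Bob Brown","SharePointGroup","Edit","SharePoint Group: Marketing Members"
"Bob Brown","User","Read","Direct Permissions"
"Everyone except external users","SecurityGroup","Edit","Direct Permissions"
"Carol Clark","User","Full Control,Limited Access","Direct Permissions"
'@

# Hypothetical helper: returns one finding object per row that needs a second look
Function Get-SPOPermissionFinding {
    Param(
        [Parameter(Mandatory)] [object[]]$Rows,
        # Assumption: principals treated as "broad"; adjust to your tenant
        [string[]]$BroadPrincipals = @("Everyone", "Everyone except external users")
    )
    Foreach ($Row in $Rows) {
        $Levels  = $Row.PermissionLevels -split "," | ForEach-Object { $_.Trim() }
        $Reasons = @()
        If ($BroadPrincipals -contains $Row.Name) { $Reasons += "Broad principal" }
        If ($Row.GrantedThrough -eq "Direct Permissions" -and $Row.Type -eq "User") {
            $Reasons += "Direct grant to a user (not through a group)"
        }
        If ($Levels -contains "Full Control") { $Reasons += "Full Control" }
        If ($Reasons.Count -gt 0) {
            [PSCustomObject]@{
                Name             = $Row.Name
                PermissionLevels = $Row.PermissionLevels
                GrantedThrough   = $Row.GrantedThrough
                Findings         = $Reasons -join "; "
            }
        }
    }
}

# Hypothetical helper: one row per person, with every level and every access path
Function Get-SPOEffectiveAccess {
    Param([Parameter(Mandatory)] [object[]]$Rows)
    $Rows | Group-Object Name | ForEach-Object {
        [PSCustomObject]@{
            Name   = $_.Name
            Levels = ($_.Group.PermissionLevels -split "," | ForEach-Object { $_.Trim() } | Sort-Object -Unique) -join ","
            Paths  = ($_.Group.GrantedThrough | Sort-Object -Unique) -join " | "
        }
    }
}

$Rows = $SampleCsv | ConvertFrom-Csv   # for a real report: Import-Csv "C:\Temp\ListPermissions.csv"
Get-SPOPermissionFinding -Rows $Rows | Format-Table -AutoSize
Get-SPOEffectiveAccess -Rows $Rows | Format-Table -AutoSize
```

Note that the export script writes the role assignment's type into the Type column, so users listed through a group appear with Type "SharePointGroup"; the direct-grant check relies on GrantedThrough for that reason.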

Conclusion:

In this article, we have discussed how to export permissions of a SharePoint Online site, list, or item using PowerShell. Following the steps outlined in this guide, you can quickly and easily export a list of all permissions of a site, list, or item in SharePoint Online to a CSV file. With PowerShell, you can automate this process and make managing and maintaining your SharePoint Online environment easier.

Salaudeen Rajack

Salaudeen Rajack - SharePoint Expert with Two decades of SharePoint Experience. Love to Share my knowledge and experience with the SharePoint community, through real-time articles!

4 thoughts on “SharePoint Online: Export Permissions of a Site, List, or Item using PowerShell”

  • Question: If I run this, will it prompt me for the list where I want to get permissions?

  • You should also mention that SharePoint Server Client Components SDK needs to be installed. In my case I had SharePoint Server 2013 Client Components and needed to change the first two lines to:
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ISAPI\Microsoft.SharePoint.Client.dll"
    Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

    Other than that, great article!
    Thanks!

  • hi mate, is there a way to only get folder permissions and not all items?

