SharePoint Online: Find All Subsites with Unique Permissions using PowerShell

Requirement: Find All SharePoint Online Sites with Unique Permissions using PowerShell.

How to check if a site (web) is using Unique permissions or inheriting permissions from the parent?

Are you looking for a way to quickly check if a SharePoint Online Subsite has unique permissions? PowerShell makes finding all sites with unique permissions a breeze! This blog post will show you how to use PowerShell to find all subsites with unique permissions.

To check if a site has broken permissions, follow these steps:

  1. Navigate to the Site and then go to Site Settings >> Site Permissions >>Advanced permissions settings.
  2. The “Advanced permissions” page gives you information on whether the site has unique permissions or not. If the site has unique permissions,
    you’ll get the text “This site has unique permissions”, otherwise “This site inherits permissions from its parent.”
    sharepoint online powershell to find sites with unique permissions

SharePoint Online: PowerShell to Get All Webs (subsites) with unique permissions

This PowerShell gets you all subsites of a site collection, which are using unique permissions:

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Define Parameter values
$SiteURL="https://crescent.sharepoint.com"

#Setup Credentials to connect
$Cred= Get-Credential
$Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

Try {
    #Function to check if site has unique permissions
    Function Check-SPOWebUniquePermissions($SiteURL)
    {
        #Set up the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $credentials
 
        $Web = $Ctx.Web
        $Ctx.Load($Web)
        $Ctx.Load($Web.Webs)
        $Ctx.ExecuteQuery()

        #Check if the site has unique permissions
        $Web.Retrieve("HasUniqueRoleAssignments")
        $Ctx.ExecuteQuery()

        if ($Web.HasUniqueRoleAssignments -eq $true)
        {        
            Write-Host -f Green "Site '$($Web.URL)' has Unique Permissions"
        }
        else
        {
            Write-Host -f Yellow "Site '$($Web.URL)' is inhering Permissions from the Parent"
        }
 
        #Process Each subsite in current site
        ForEach($Web in $Web.Webs)
        {
            #call the function recursively
            Check-SPOWebUniquePermissions $Web.Url
        }
    } 
    #call the function 
    Check-SPOWebUniquePermissions $SiteURL
}
Catch {
    write-host -f Red "Error Checking Unique Permissions!" $_.Exception.Message
}

PnP PowerShell to Get Subsites with Unique Permissions

Let’s audit all subsite’s unique permission status with the help of PnP PowerShell:

#Parameters
$SiteURL = "https://crescent.sharepoint.com/sites/marketing"

Try {
    #Connect to PnP Online
    Connect-PnPOnline -Url $SiteURL -Interactive

    #Get All subsites from the SharePoint Online site collection
    $WebsCollection = Get-PnPSubWeb -Recurse -Includes HasUniqueRoleAssignments
    
    #Get Unique Permission status of each subsite
    $WebsCollection | Select Title, URL, HasUniqueRoleAssignments
}
catch {
    write-host "Error: $($_.Exception.Message)" -foregroundcolor Red
}

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with Two-decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions including SharePoint Architect, Administrator, Developer and consultant, has helped many organizations to implement and optimize SharePoint solutions. Known for his deep technical expertise, He's passionate about sharing the knowledge and insights to help others, through the real-world articles!

Leave a Reply

Your email address will not be published. Required fields are marked *