SharePoint Online: Get All Permission Levels using PowerShell
Requirement: Get permission levels in the SharePoint Online site using PowerShell.
How to Get All Permission Levels in SharePoint Online Site?
In SharePoint Online, you can assign different permission levels to users and groups to control what they can and cannot do on the site. For example, you may want your marketing team to have full access to all content on the site while giving other users read access. This blog post will show you how to get all permission levels for a site in SharePoint Online.
To view all permission levels in a SharePoint Online site, do the following:
- Navigate to your SharePoint Online site >> Click on Settings gear >> choose Site Settings. (Site Permissions >> Advanced Permissions Settings in Modern sites).
- Click on the Site Permissions link on the Site Settings page >> Click on Permission Levels from the ribbon.
- The Permission Levels page lists all permission levels available in the site.
This is useful if you want to see what permissions are currently assigned to users or groups in your environment.
SharePoint Online: PowerShell to Get Permission Levels
Permission levels are sets of base permissions grouped to provide specific rights on the site. This script returns all permission level names, including out-of-the-box permission levels such as “Full Control” and any custom permission levels created in the given SharePoint Online site collection.
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
Function Get-SPOPermissionLevels()
{
    param
    (
        [Parameter(Mandatory=$true)] [string] $SiteURL
    )
    Try {
        #Get Credentials to connect
        $Cred = Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials
        #Get all permission levels
        $RoleDefColl = $Ctx.Web.RoleDefinitions
        $Ctx.Load($RoleDefColl)
        $Ctx.ExecuteQuery()
        #Loop through all role definitions
        ForEach($RoleDef in $RoleDefColl)
        {
            Write-Host -ForegroundColor Green $RoleDef.Name
        }
    }
    Catch {
        Write-Host -f Red "Error getting permission Levels!" $_.Exception.Message
    }
}
#Set parameter values
$SiteURL = "https://crescent.sharepoint.com/sites/Ops/"
#Call the function
Get-SPOPermissionLevels -SiteURL $SiteURL
This script gets all the Permission Levels that are configured in a SharePoint Online site collection.
SharePoint Online PowerShell to Get Permission Level
If you want to get a specific permission level in your PowerShell script, you can use the following:
#Get the permission level ($Ctx is the client context created in the script above)
$PermissionLevelName = "Read"
$PermissionLevel = $Ctx.Web.RoleDefinitions.GetByName($PermissionLevelName)
$Ctx.Load($PermissionLevel)
$Ctx.ExecuteQuery()
PnP PowerShell to Get Permission Levels in SharePoint Online
To get the permission levels of a SharePoint Online site, use the Get-PnPRoleDefinition cmdlet:
#Set Variables
$SiteURL = "https://crescent.sharepoint.com/sites/Marketing"
#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)
#Get Permission levels
Get-PnPRoleDefinition
Similarly, to get a specific permission level, use the following:
#Get a Permission level
Get-PnPRoleDefinition -Identity "Read"
To get the ID of all permission levels, use this:
#Get the ID of each permission level
Get-PnPRoleDefinition | Select Name, ID, Hidden, Description
Export Permission Levels from All Sites in the Tenant using PnP PowerShell
How about auditing permission levels created on all sites of your SharePoint Online tenant? The below PowerShell script iterates through each site collection and exports the permission levels to a CSV report. Make sure your account has Admin rights on all sites. Otherwise, you’ll get a “(403) Forbidden” error.
#Config Variables
$TenantAdminURL = "https://crescent-admin.sharepoint.com"
$CSVOutputPath = "C:\Temp\PermissionLevels.csv"
#Get Credentials to connect
$Cred = Get-Credential
#Connect to Admin Center using PnP Online
Connect-PnPOnline -Url $TenantAdminURL -Credentials $Cred
#Get All Site collections - Exclude: Search Center, Redirect site, Mysite Host, App Catalog, Content Type Hub, eDiscovery and Bot Sites
$SiteCollections = Get-PnPTenantSite | Where {$_.Template -NotIn ("SRCHCEN#0", "REDIRECTSITE#0", "SPSMSITEHOST#0", "APPCATALOG#0", "POINTPUBLISHINGHUB#0", "EDISC#0", "STS#-1")}
$PermissionLevels = @()
#Loop through each site collection
ForEach($Site in $SiteCollections)
{
    Try {
        Write-Host "Processing Site:"$Site.URL -f Yellow
        #Connect to the site
        Connect-PnPOnline -Url $Site.URL -Credentials $Cred
        #Get Permission levels (hidden levels are excluded)
        $RoleDefs = Get-PnPRoleDefinition | Where {$_.Hidden -eq $false} | Select -ExpandProperty Name
        $PermLevels = $RoleDefs -join ", "
        #Collect data
        $PermissionLevels += [PSCustomObject][ordered]@{
            SiteName = $Site.Title
            URL = $Site.URL
            PermissionLevels = $PermLevels
        }
    }
    Catch {
        Write-Host "Error: $($_.Exception.Message)" -ForegroundColor Red
    }
}
#Export the data to CSV Report
$PermissionLevels | Export-Csv -Path $CSVOutputPath -NoTypeInformation
This PowerShell script iterates through all sites in the tenant, extracts the permission levels of each site, and generates a permission levels report.
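For an audit, the CSV report can be compared against a baseline to find sites whose permission levels have drifted from the expected set. The following is an added example, not part of the original article: the function name Find-PermissionLevelDrift, the baseline list and the sample rows are assumptions constructed for illustration.

```powershell
# Added example: baseline-drift check over the report written by the script above.
# Assumption: $Baseline holds the visible permission levels you expect on a
# standard site in your tenant; adjust it to match your own provisioning.
$Baseline = @("Full Control", "Design", "Edit", "Contribute", "Read")

Function Find-PermissionLevelDrift {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Report,
        [Parameter(Mandatory=$true)] [string[]] $Baseline
    )
    ForEach ($Row in $Report) {
        # The report joins names with ", ", so split on commas and trim.
        # A level whose name itself contains a comma would be split in two
        # and reported as Extra, which still sends it to manual review.
        $Levels  = @($Row.PermissionLevels -split "," | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $Extra   = @($Levels   | Where-Object { $_ -notin $Baseline })
        $Missing = @($Baseline | Where-Object { $_ -notin $Levels })
        # Emit a row only for sites that differ from the baseline
        If ($Extra.Count -gt 0 -or $Missing.Count -gt 0) {
            [PSCustomObject]@{
                SiteName = $Row.SiteName
                URL      = $Row.URL
                Extra    = $Extra -join "; "
                Missing  = $Missing -join "; "
            }
        }
    }
}

# Constructed sample rows in the same shape as the CSV (not real tenant data).
# For a real run use: $Report = Import-Csv -Path "C:\Temp\PermissionLevels.csv"
$SampleCsv = @"
"SiteName","URL","PermissionLevels"
"Ops","https://crescent.sharepoint.com/sites/Ops","Full Control, Design, Edit, Contribute, Read"
"Marketing","https://crescent.sharepoint.com/sites/Marketing","Full Control, Design, Edit, Contribute, Read, Contribute without Delete"
"Legacy","https://crescent.sharepoint.com/sites/Legacy","Full Control, Contribute, Read"
"@
$Report = $SampleCsv | ConvertFrom-Csv

Find-PermissionLevelDrift -Report $Report -Baseline $Baseline | Format-Table -AutoSize
```

With the sample rows, the Ops site matches the baseline and is not listed, Marketing is reported with an extra custom level, and Legacy is reported with two baseline levels missing.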
Hello,
I keep getting the below error, could you help?
Get-PnPTenantSite : The current connection holds no SharePoint context. Please use one of the Connect-PnPOnline commands which uses the -Url argument to connect.
I would be interested in the reply to this question – I also would like a PowerShell script to report all permission levels for all sites.
The article has been updated to fetch permission levels from all sites!
Hi Salaudeen,
Could you please help me to get all permission levels for all sites (Entire Tenant).
Thanks,
SV