SharePoint Online: Get All Permission Levels using PowerShell

Requirement: Get permission levels in the SharePoint Online site using PowerShell.

How to Get All Permission Levels in SharePoint Online Site?

In SharePoint Online, you can assign different permission levels to users and groups to control what they can and cannot do on the site. For example, you may want your marketing team to have full access to all content on the site while giving other users read access. This blog post will show you how to get all permission levels for a site in SharePoint Online.

To view all permission levels in a SharePoint Online site, do the following:

  1. Navigate to your SharePoint Online site >> Click on Settings gear >> choose Site Settings. (Site Permissions >> Advanced Permissions Settings in Modern sites).
  2. Click on the Site Permissions link on the Site Settings page >> Click on Permission Levels from the ribbon.
  3. The Permission Levels page lists all permission levels available in the site.

This is useful if you want to see what permissions are currently assigned to users or groups in your environment.

SharePoint Online: PowerShell to Get Permission Levels

Permission levels are sets of base permissions grouped together to provide specific rights on the site. This script returns all permission level names, including out-of-the-box permission levels such as “Full Control” and any custom permission levels created in the given SharePoint Online site collection.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
Function Get-SPOPermissionLevels()
{
  param
    (
        [Parameter(Mandatory=$true)] [string] $SiteURL        
    )
    Try { 
        #Get Credentials to connect
        $Cred= Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
 
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials

        #Get all permission levels
        $RoleDefColl=$Ctx.web.RoleDefinitions
        $Ctx.Load($RoleDefColl)
        $Ctx.ExecuteQuery()
    
        #Loop through all role definitions
        ForEach($RoleDef in $RoleDefColl)
        {
            Write-Host -ForegroundColor Green $RoleDef.Name
        }
     }
    Catch {
        write-host -f Red "Error getting permission Levels!" $_.Exception.Message
    }
}
 
#Set parameter values
$SiteURL="https://crescent.sharepoint.com/sites/Ops/"

#Call the function 
Get-SPOPermissionLevels -SiteURL $SiteURL 

This script gets you all the Permission Levels configured in the given SharePoint Online site collection.

SharePoint Online PowerShell to Get Permission Level

If you want to get a specific permission level in your PowerShell script, you can use:

#Get the permission level (uses the $Ctx client context created in the script above)
$PermissionLevelName ="Read"
$PermissionLevel = $Ctx.Web.RoleDefinitions.GetByName($PermissionLevelName)
$Ctx.Load($PermissionLevel)
$Ctx.ExecuteQuery()

PnP PowerShell to Get Permission Levels in SharePoint Online

To get the permission levels of a SharePoint Online site, use the Get-PnPRoleDefinition cmdlet:

#Set Variables
$SiteURL = "https://crescent.sharepoint.com/sites/Marketing"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)

#Get Permission levels
Get-PnPRoleDefinition

Similarly, to get a specific permission level, use:

#Get a Permission level
Get-PnPRoleDefinition -Identity "Read"

To get the ID of all permission levels, use:

#sharepoint online get permission level id
Get-PnPRoleDefinition | Select Name, ID, Hidden, Description
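
Since a permission level is a set of base permissions, a review usually needs to see which rights each level actually contains, not only its name. The following is an added example, not part of the original post: the helper name Get-PermissionLevelRights and the list of flagged rights are assumptions made for illustration, and it expects an existing Connect-PnPOnline session.

```powershell
# Added example, not from the original post. Run it after Connect-PnPOnline
# (as in the scripts above) so the session and the CSOM types are available.

# Assumption: a reviewer-chosen list of rights worth flagging; adjust to your policy.
$SensitiveRights = @(
    [Microsoft.SharePoint.Client.PermissionKind]::ManagePermissions,
    [Microsoft.SharePoint.Client.PermissionKind]::ManageWeb,
    [Microsoft.SharePoint.Client.PermissionKind]::ManageSubwebs,
    [Microsoft.SharePoint.Client.PermissionKind]::ManageLists,
    [Microsoft.SharePoint.Client.PermissionKind]::AddAndCustomizePages
)

# Hypothetical helper: expand a permission level into the base permissions it contains
Function Get-PermissionLevelRights
{
    param
    (
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)] $RoleDefinition
    )
    Begin {
        #Every individual right, without the two aggregate masks
        $Masks = [Microsoft.SharePoint.Client.PermissionKind]::EmptyMask, [Microsoft.SharePoint.Client.PermissionKind]::FullMask
        $AllRights = [Enum]::GetValues([Microsoft.SharePoint.Client.PermissionKind]) | Where-Object { $_ -notin $Masks }
    }
    Process {
        #Rights included in this permission level
        $Granted = @($AllRights | Where-Object { $RoleDefinition.BasePermissions.Has($_) })
        $Flagged = @($Granted | Where-Object { $_ -in $SensitiveRights })

        [PSCustomObject][ordered]@{
            Name            = $RoleDefinition.Name
            ID              = $RoleDefinition.Id
            Hidden          = $RoleDefinition.Hidden
            RightsCount     = $Granted.Count
            SensitiveRights = $Flagged -join ", "
            AllRights       = $Granted -join ", "
        }
    }
}

#Permission levels on the connected site that include any flagged right
Get-PnPRoleDefinition | Get-PermissionLevelRights | Where-Object { $_.SensitiveRights } |
    Format-Table Name, Hidden, RightsCount, SensitiveRights -AutoSize -Wrap
```

Custom permission levels that appear in this output with ManagePermissions or ManageWeb deserve a closer look, because anyone assigned such a level can change access or site settings.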

Export Permission Levels from All Sites in the Tenant using PnP PowerShell

How about auditing permission levels created on all sites of your SharePoint Online tenant? The below PowerShell script iterates through each site collection and exports the permission levels to a CSV report. Make sure your account has Admin rights on all sites. Otherwise, you’ll get a “(403) Forbidden” error.

#Config Variables
$TenantAdminURL = "https://crescent-admin.sharepoint.com"
$CSVOutputPath = "C:\Temp\PermissionLevels.csv"

#Get Credentials to connect
$Cred = Get-Credential

#Connect to Admin Center using PnP Online
Connect-PnPOnline -Url $TenantAdminURL -Credentials $Cred

#Get All Site collections - Exclude: Search Center, Redirect site, Mysite Host, App Catalog, Content Type Hub, eDiscovery and Bot Sites
$SiteCollections = Get-PnPTenantSite | Where {$_.Template -NotIn ("SRCHCEN#0", "REDIRECTSITE#0", "SPSMSITEHOST#0", "APPCATALOG#0", "POINTPUBLISHINGHUB#0", "EDISC#0", "STS#-1")}

$PermissionLevels= @()
#Loop through each site collection
ForEach($Site in $SiteCollections)
{
    Try {
        Write-host "Processing Site:"$Site.URL -f Yellow
        #Connect to the site
        Connect-PnPOnline -Url $Site.URL -Credentials $Cred

        #Get Permission levels
        $RoleDefs = Get-PnPRoleDefinition | Where {$_.Hidden -eq $false} | Select -ExpandProperty Name
        $PermLevels = $RoleDefs -join ", "

        #Collect data
        $PermissionLevels += [PSCustomObject][ordered]@{
            SiteName         = $Site.Title
            URL              = $Site.URL
            PermissionLevels = $PermLevels
        }
    }
    Catch {
        write-host "Error: $($_.Exception.Message)" -foregroundcolor Red
    }
}
#Export the data to CSV Report
$PermissionLevels | Export-Csv -Path $CSVOutputPath -NoTypeInformation

This PowerShell script iterates through all sites in the tenant and generates a permission levels report.

Salaudeen Rajack


4 thoughts on “SharePoint Online: Get All Permission Levels using PowerShell”

  • Hello,
    I keep getting the below error, could you help?
    Get-PnPTenantSite : The current connection holds no SharePoint context. Please use one of the Connect-PnPOnline commands which uses the -Url argument to connect.

  • I would be interested in the reply to this question – I also would like a PowerShell script to report all permission levels for all sites.

  • Hi Salaudeen,

    Could you please help me to get all permission levels for all sites (Entire Tenant)?

    Thanks,
    SV
