SharePoint Online: Get All Permission Levels using PowerShell

Requirement: Get permission levels in the SharePoint Online site using PowerShell.

How to Get All Permission Levels in SharePoint Online Site?

SharePoint permission levels are predefined sets of permissions that determine the actions users can perform within a SharePoint site or its contents. Each permission level consists of a combination of individual permissions, such as the ability to view, edit, delete, or manage items. In SharePoint Online, you can assign different permission levels to users and groups to control what they can and cannot do on the site.

For example, you may want your marketing team to have full access to all content on the site while giving other users read access. This blog post will show you how to get all permission levels for a SharePoint Online site.

To view all permission levels in a SharePoint Online site, do the following:

  1. Navigate to your SharePoint Online site >> Click on Settings gear >> Choose Site Settings. (Site Permissions >> Advanced Permissions Settings in Modern Sites).
  2. Click on the Site Permissions link on the Site Settings page >> Click on Permission Levels from the ribbon.
  3. The Permission Levels page lists all permission levels available on the site.

This is useful if you want to see what permissions are currently assigned to users or groups in your environment. You can click on a specific permission level to view its details, including the individual permissions it grants.

SharePoint comes with a set of default permission levels that cover common scenarios. These include:

  1. Full Control: Grants complete control over the site, including the ability to manage permissions and site settings.
  2. Design: Allows users to create and manage lists, libraries, and pages.
  3. Edit: Enables users to add, edit, and delete items in lists and libraries.
  4. Contribute: Similar to Edit, but without the ability to delete items.
  5. Read: Grants read-only access to the site and its contents.
  6. Limited Access: Provides access to specific items without granting access to the entire site.

While these default permission levels are sufficient for many situations, you may need to create custom permission levels to meet specific requirements. For example, imagine granting a group of users the Contribute permission level to a specific SharePoint library.

SharePoint Online: PowerShell to Get Permission Levels

Permission levels are sets of base permissions grouped to provide specific rights on the site. This script returns all permission level names, including out-of-the-box permission levels such as “Full Control” and any custom permission levels created in the given SharePoint Online site collection.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
Function Get-SPOPermissionLevels()
{
  param
    (
        [Parameter(Mandatory=$true)] [string] $SiteURL        
    )
    Try { 
        #Get Credentials to connect
        $Cred= Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
 
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials

        #Get all permission levels
        $RoleDefColl=$Ctx.web.RoleDefinitions
        $Ctx.Load($RoleDefColl)
        $Ctx.ExecuteQuery()
    
        #Loop through all role definitions
        ForEach($RoleDef in $RoleDefColl)
        {
            Write-Host -ForegroundColor Green $RoleDef.Name
        }
     }
    Catch {
        write-host -f Red "Error getting permission Levels!" $_.Exception.Message
    }
}
 
#Set parameter values
$SiteURL="https://crescent.sharepoint.com/sites/Ops/"

#Call the function 
Get-SPOPermissionLevels -SiteURL $SiteURL 

This script gets all the role definitions that are configured in a SharePoint Online site collection.

SharePoint Online PowerShell to Get Permission Level

If you want to get a specific permission level in your PowerShell script, you can use the following:

#Get the permission level (assumes $Ctx is the authenticated ClientContext created as in the script above)
$PermissionLevelName ="Read"
$PermissionLevel = $Ctx.Web.RoleDefinitions.GetByName($PermissionLevelName)
$Ctx.Load($PermissionLevel)
$Ctx.ExecuteQuery()

PnP PowerShell to Get Permission Levels in SharePoint Online

To get the permission levels of a SharePoint Online site, use the Get-PnPRoleDefinition cmdlet:

#Set Variables
$SiteURL = "https://crescent.sharepoint.com/sites/Marketing"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)

#Get Permission levels
Get-PnPRoleDefinition

Similarly, to get a specific permission level, use the following:

#Get a Permission level
Get-PnPRoleDefinition -Identity "Read"

To get the ID of all permission levels, use this:

#sharepoint online get permission level id
Get-PnPRoleDefinition | Select Name, ID, Hidden, Description
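Names and IDs alone do not show which levels are custom or what they grant. The following is an added example, not part of the original script set: it assumes you are already connected to the site with Connect-PnPOnline, and the function name Get-PermissionLevelAudit, the LikelyCustom heuristic, and the list of base permissions treated as sensitive are this example's own choices.

```powershell
#Added example: base permissions this audit treats as sensitive (an assumption, adjust to your policy)
$SensitivePermissions = @(
    [Microsoft.SharePoint.Client.PermissionKind]::ManagePermissions,
    [Microsoft.SharePoint.Client.PermissionKind]::ManageWeb,
    [Microsoft.SharePoint.Client.PermissionKind]::ManageSubwebs,
    [Microsoft.SharePoint.Client.PermissionKind]::CreateGroups,
    [Microsoft.SharePoint.Client.PermissionKind]::AddAndCustomizePages,
    [Microsoft.SharePoint.Client.PermissionKind]::EnumeratePermissions
)

Function Get-PermissionLevelAudit   #Hypothetical helper name
{
    param
    (
        [Parameter(Mandatory=$true)] [string] $SiteURL
    )

    #Uses the current PnP connection; connect to $SiteURL before calling
    ForEach ($RoleDef in (Get-PnPRoleDefinition))
    {
        #Collect the sensitive base permissions included in this permission level
        $Granted = $SensitivePermissions | Where-Object { $RoleDef.BasePermissions.Has($_) }

        [PSCustomObject]@{
            URL          = $SiteURL
            Name         = $RoleDef.Name
            ID           = $RoleDef.Id
            Hidden       = $RoleDef.Hidden
            #Heuristic: RoleTypeKind is None for levels that do not map to a built-in role type.
            #Some out-of-the-box levels also report None, so treat a hit as "review this".
            LikelyCustom = ($RoleDef.RoleTypeKind -eq [Microsoft.SharePoint.Client.RoleType]::None)
            Sensitive    = ($Granted -join ", ")
        }
    }
}

#Show levels that are likely custom and include at least one sensitive base permission
$SiteURL = "https://crescent.sharepoint.com/sites/Marketing"
Get-PermissionLevelAudit -SiteURL $SiteURL |
    Where-Object { $_.LikelyCustom -and $_.Sensitive } |
    Format-Table Name, ID, Sensitive -AutoSize
```

The function returns one object per permission level, so its output can also be piped to Export-Csv in place of the name-only report.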

Export Permission Levels from All Sites in the Tenant using PnP PowerShell

How about auditing permission levels created on all sites of your SharePoint Online tenant? The below PowerShell script iterates through each site collection and exports the permission levels to a CSV report. Make sure your account has Admin rights on all sites. Otherwise, you’ll get a “(403) Forbidden” error.

#Config Variables
$TenantAdminURL = "https://crescent-admin.sharepoint.com"
$CSVOutputPath = "C:\Temp\PermissionLevels.csv"

#Get Credentials to connect
$Cred = Get-Credential

#Connect to Admin Center using PnP Online
Connect-PnPOnline -Url $TenantAdminURL -Credential $Cred

#Get All Site collections - Exclude: Search Center, Redirect site, Mysite Host, App Catalog, Content Type Hub, eDiscovery and Bot Sites
$SiteCollections = Get-PnPTenantSite | Where {$_.Template -NotIn ("SRCHCEN#0", "REDIRECTSITE#0", "SPSMSITEHOST#0", "APPCATALOG#0", "POINTPUBLISHINGHUB#0", "EDISC#0", "STS#-1")}

$PermissionLevels= @()
#Loop through each site collection
ForEach($Site in $SiteCollections)
{
    Try {
        Write-host "Processing Site:"$Site.URL -f Yellow
        #Connect to the site
        Connect-PnPOnline -Url $Site.URL -Credential $Cred

        #Get Permission levels
        $RoleDefs = Get-PnPRoleDefinition | Where {$_.Hidden -eq $false} | Select -ExpandProperty Name
        $PermLevels = $RoleDefs -join ", "

        #Collect data
        $PermissionLevels += [PSCustomObject][ordered]@{
            SiteName         = $Site.Title
            URL              = $Site.URL
            PermissionLevels = $PermLevels
        }
    }
    Catch {
        write-host "Error: $($_.Exception.Message)" -foregroundcolor Red
    }
}
#Export the data to CSV Report
$PermissionLevels | Export-Csv -Path $CSVOutputPath -NoTypeInformation

This PowerShell script iterates through all sites in the tenant, extracts the permission levels of each site, and generates a permission levels report.

Conclusion

In this blog post, we explored how to retrieve permission levels in SharePoint using PowerShell. We discussed the importance of understanding permission levels and their role in managing access to SharePoint resources. We also discussed the default permission levels and how to retrieve them using various methods, including the web user interface and PowerShell. By leveraging the Get-PnPRoleDefinition cmdlet, we demonstrated how to retrieve all permission levels or a specific permission level by its name.


Salaudeen Rajack


6 thoughts on “SharePoint Online: Get All Permission Levels using PowerShell”

  • How could this code be modified for MFA?
    Export Permission Levels from All Sites in the Tenant using PnP PowerShell

    Thank you!

    Reply
    • Use: Connect-PnPOnline -Url $Site.URL -Interactive
      Instead of: Connect-PnPOnline -Url $Site.URL -Credential $Cred

      Reply
  • Hello,
    I keep getting below error, could you help?
    Get-PnPTenantSite : The current connection holds no SharePoint context. Please use one of the Connect-PnPOnline commands which uses the -Url argument to connect.

    Reply
  • I would be interested in the reply to this question – I also would like a PowerShell script to report all permission levels for all sites.

    Reply
  • Hi Salaudeen,

    Could you please help me to get all permission levels for all sites (Entire Tenant).

    Thanks,
    SV

    Reply
