SharePoint Online: Remove User or Group from Folder Permissions using PowerShell

Requirement: Remove the user from folder permissions in SharePoint Online.

How to Remove a user from folder permissions in SharePoint Online?

Want to restrict access to a folder in SharePoint Online? This blog post will show you how to remove a user or group from folder permissions in SharePoint Online. We’ll also see the PowerShell to quickly revoke access for a specific user from a folder.

To remove a user or group from SharePoint Online Folder’s permissions, follow these steps:

  1. Navigate to your SharePoint Online list or library where the target folder is located. 
  2. Click on “Details” from the specific Folder’s context menu >> In the Details pane, click on “Manage Access” and then “Advanced” links. This takes you to the “Advanced Permissions” page.
  3. From the ribbon, click on the “Stop Inheriting Permissions” button and confirm the prompt.
  4. Now, you’ll get the list of users and groups who have permissions on the folder. When you break the inheritance, SharePoint copies the permissions from the parent (the list or library, in our case).
  5. Select the users and groups whose permissions you want to remove from the folder and confirm the prompt.
  6. That’s all. We’ve removed the users from folder permissions.

Remove User from folder permissions using PowerShell

Here is my PowerShell to remove user permission from a folder in SharePoint Online:

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

Function Remove-SPOUserPermissionsFromList()
{
  param
    (
        [Parameter(Mandatory=$true)] [string] $SiteURL,
        [Parameter(Mandatory=$true)] [string] $FolderURL,
        [Parameter(Mandatory=$true)] [string] $UserAccount
    )
 
    Try {
        #Get credentials to connect
        $Cred= Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
 
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials
        $Web = $Ctx.web
 
        #Get the Folder
        $Folder = $Web.GetFolderByServerRelativeUrl($FolderURL)
        $Ctx.Load($Folder)
        $Ctx.ExecuteQuery()
     
        #Break permission inheritance - copy the parent's existing permissions to the folder; child items that already have unique permissions keep them
        $Folder.ListItemAllFields.BreakRoleInheritance($True,$False)
        $Ctx.ExecuteQuery()
        Write-host -f Yellow "Folder's Permission inheritance broken..."
      
        #Get the SharePoint User object from the site
        $User = $Web.EnsureUser($UserAccount)
        $Ctx.load($User)

        #Get permissions assigned to the folder
        $Ctx.Load($Folder.ListItemAllFields.RoleAssignments)
        $Ctx.ExecuteQuery()

        #Check if the user has permission on the folder
        [Bool]$UserFound = $False
        ForEach($RoleAssignment in $Folder.ListItemAllFields.RoleAssignments)
        {
            $ctx.Load($RoleAssignment.Member)
            $Ctx.ExecuteQuery()

            #remove user permission from folder
            If($RoleAssignment.Member.LoginName -eq $User.LoginName)
            {
                $Folder.ListItemAllFields.RoleAssignments.GetByPrincipal($User).DeleteObject()
                $Ctx.ExecuteQuery()
                $UserFound = $True
                Write-host "User Permissions Removed from the Folder Successfully!" -ForegroundColor Green
            }
        }
        #If user doesn't exist in folder permissions
        If($UserFound -eq $False) { Write-host "User Not found in Folder Permissions!" -ForegroundColor Red}
    }
    Catch {
       write-host -f Red "Error Removing permissions from the Folder!" $_.Exception.Message
    }
}

#Config Variables
$SiteURL="https://crescent.sharepoint.com"
$FolderURL="/Project Docs/Active"
$UserAccount="Salaudeen@Crescent.com"

#Call the function to remove user permissions from a folder
Remove-SPOUserPermissionsFromList -SiteURL $SiteURL -FolderURL $FolderURL -UserAccount $UserAccount

This PowerShell function removes the given user from the permissions of the given folder.

Remove Group from Folder Permissions using PowerShell

Similarly, use this PowerShell script to remove a SharePoint group from the folder’s permissions.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

Function Remove-SPOGroupPermissionsFromList()
{
  param
    (
        [Parameter(Mandatory=$true)] [string] $SiteURL,
        [Parameter(Mandatory=$true)] [string] $FolderURL,
        [Parameter(Mandatory=$true)] [string] $GroupName
    )
 
    Try {
        #Get credentials to connect
        $Cred= Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
 
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials
        $Web = $Ctx.web
 
        #Get the Folder
        $Folder = $Web.GetFolderByServerRelativeUrl($FolderURL)
        $Ctx.Load($Folder)
        $Ctx.ExecuteQuery()
     
        #Break permission inheritance - copy the parent's existing permissions to the folder; child items that already have unique permissions keep them
        $Folder.ListItemAllFields.BreakRoleInheritance($True,$False)
        $Ctx.ExecuteQuery()
        Write-host -f Yellow "Folder's Permission inheritance broken..."
      
        #Get the SharePoint Site Group object
        $Group =$Web.SiteGroups.GetByName($GroupName)
        $Ctx.load($Group)

        #Get permissions assigned to the folder
        $Ctx.Load($Folder.ListItemAllFields.RoleAssignments)
        $Ctx.ExecuteQuery()

        #Check if the Group has permission on the folder
        [Bool]$GroupFound = $False
        ForEach($RoleAssignment in $Folder.ListItemAllFields.RoleAssignments)
        {
            $ctx.Load($RoleAssignment.Member)
            $Ctx.ExecuteQuery()

            #remove Group permission from folder
            If($RoleAssignment.Member.LoginName -eq $Group.LoginName)
            {
                $Folder.ListItemAllFields.RoleAssignments.GetByPrincipal($Group).DeleteObject()
                $Ctx.ExecuteQuery()
                $GroupFound = $True
                Write-host "Group Permissions Removed from the Folder Successfully!" -ForegroundColor Green
            }
        }
        #If Group doesn't exist in folder permissions
        If($GroupFound -eq $False) { Write-host "Group Not found in Folder Permissions!" -ForegroundColor Red}
    }
    Catch {
       write-host -f Red "Error Removing Group permissions from the Folder!" $_.Exception.Message
    }
}

#Config Variables
$SiteURL="https://crescent.sharepoint.com"
$FolderURL="/Project Docs/Active"
$GroupName="Team Site Visitors"

#Call the function to remove Group permissions from a folder
Remove-SPOGroupPermissionsFromList -SiteURL $SiteURL -FolderURL $FolderURL -GroupName $GroupName

This removes the SharePoint Online group from the folder’s permissions using PowerShell. Here is another post on granting permissions to a SharePoint Online folder using PowerShell: Set Folder Permissions in SharePoint Online using PowerShell

PnP PowerShell to Remove User from Folder Permissions from a CSV file

We have a CSV file with the list of URLs and want to remove a particular user from all those folders. The CSV file has just one column with the header “URL” and about 100+ rows.

#Config Variables
$SiteURL = "https://crescent.sharepoint.com/sites/legal"
$ListName="Work"
$CSVFile = "C:\Temp\Folders.csv"
$UserAccount = "i:0#.f|membership|steve@crescent.com"

Try {
    #Connect to PnP Online
    Connect-PnPOnline -Url $SiteURL -Interactive

    #Get content from CSV file
    Import-Csv $CSVFile | ForEach-Object {
        Write-host "Processing Folder:"$_.URL
        #Get the Folder from URL
        $Folder = Get-PnPFolder -Url $_.URL

        #Get Folder Item
        $FolderItem = Get-PnPProperty -ClientObject $Folder -Property ListItemAllFields
        $HasUniquePerm =  Get-PnPProperty -ClientObject $FolderItem -Property HasUniqueRoleAssignments

        #Break Permission Inheritance - copy the parent's permissions and reset unique permissions on child items
        If(!$HasUniquePerm)
        {
            $FolderItem.BreakRoleInheritance($True, $True)
            Write-host "`tFolder's Permission Inheritance Broken!"
        }
        #Get the User
        $User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop

        #Get Permissions from the Folder
        $RoleAssignments = Get-PnPProperty -ClientObject $FolderItem -Property RoleAssignments

        #Remove user from folder permissions
        [Bool]$UserFound = $false
        ForEach($RoleAssignment in $RoleAssignments)
        {
           $Member =  Get-PnPProperty -ClientObject $RoleAssignment -Property Member
           If($Member.LoginName -eq $User.LoginName)
           {
                $UserFound = $True
                $FolderItem.RoleAssignments.GetByPrincipal($User).DeleteObject()
                Invoke-PnPQuery
           }
        }
        
        If($UserFound) { Write-host "`tRemoved user from Folder Permission!" }  
    }
}
Catch {
    write-host -f Red "Error Removing user from Folder:" $_.Exception.Message
}
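
A read-only check to run after the bulk removal above, added here as an example and not part of the original script: for each folder in the same CSV it reports whether the user still holds a direct role assignment and whether SharePoint still computes view access for them by another route, such as membership in a group that has permissions on the folder. It assumes the PnP.PowerShell module and the single-column "URL" CSV described above; the report path is a hypothetical value.

```powershell
# Added example: verification only, makes no permission changes.
$SiteURL     = "https://crescent.sharepoint.com/sites/legal"
$CSVFile     = "C:\Temp\Folders.csv"
$UserAccount = "i:0#.f|membership|steve@crescent.com"
$ReportFile  = "C:\Temp\FolderAccessCheck.csv"   # hypothetical output path

Connect-PnPOnline -Url $SiteURL -Interactive
$User = Get-PnPUser -Identity $UserAccount -ErrorAction Stop
$View = [Microsoft.SharePoint.Client.PermissionKind]::ViewListItems

$Report = Import-Csv $CSVFile | ForEach-Object {
    $Url = $_.URL
    Try {
        $Folder      = Get-PnPFolder -Url $Url -ErrorAction Stop
        $FolderItem  = Get-PnPProperty -ClientObject $Folder -Property ListItemAllFields
        $Unique      = Get-PnPProperty -ClientObject $FolderItem -Property HasUniqueRoleAssignments
        $Assignments = Get-PnPProperty -ClientObject $FolderItem -Property RoleAssignments

        # Direct grant: a role assignment whose member is the user itself
        $Direct = $false
        ForEach ($RoleAssignment in $Assignments) {
            $Member = Get-PnPProperty -ClientObject $RoleAssignment -Property Member
            If ($Member.LoginName -eq $User.LoginName) { $Direct = $true }
        }

        # Effective access: what SharePoint computes for the user on this folder item
        $Effective = $FolderItem.GetUserEffectivePermissions($User.LoginName)
        Invoke-PnPQuery
        $CanView = $Effective.Value.Has($View)

        [PSCustomObject]@{
            URL = $Url; UniquePermissions = $Unique; DirectAssignment = $Direct
            StillHasViewAccess = $CanView; Error = $null
        }
    }
    Catch {
        # Record the failure so an unchecked folder is never mistaken for a clean one
        [PSCustomObject]@{
            URL = $Url; UniquePermissions = $null; DirectAssignment = $null
            StillHasViewAccess = $null; Error = $_.Exception.Message
        }
    }
}

$Report | Export-Csv -Path $ReportFile -NoTypeInformation
$Report | Where-Object { $_.StillHasViewAccess -or $_.Error } | Format-Table -AutoSize
```

Rows where DirectAssignment is False but StillHasViewAccess is True point to folders where the user's access comes from something other than the assignment the removal script deletes.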

Salaudeen Rajack


5 thoughts on “SharePoint Online: Remove User or Group from Folder Permissions using PowerShell”

  • How to remove folder level groups

  • Hi Salaudeen,

    Is there an equivalent for this in REST API?

  • Hello, your script is awesome and looks great. The script removes SharePoint groups as well. But removing an Azure Active Directory security group is not possible. Is there a solution that will be able to remove AAD security groups from a folder?
    Thank you so much

    • Use the same script you use for removing user accounts. In the UserAccount (LoginID) parameter, supply the ID of your Active Directory group. E.g. $AdGroupID = "c:0t.c|tenant|798cb3d4-7ca8-4567-adb5-916bc496d7cd"

  • Very very helpful! Much thanks to you!
