SharePoint Online: Grant Permission to List Item using PowerShell

Permissions are hierarchical in SharePoint from the Top Site collection to the List Item level. When items are created in a list or library, they inherit the permissions of that list or library. However, This inheritance can be broken and permissions can be applied directly to the items. To set unique permissions on list items, you must configure permissions on the item level. Here is how:

How to Grant Access to Individual List Items in SharePoint Online?

We got a business requirement to grant permissions at the List item level. To set explicit permissions on SharePoint Online list items, we must first break the permission inheritance (stop inheriting permissions) and then add a user or group to the List Item.

  1. Go to your SharePoint Online list or library >> Select the item you want to provide unique permissions. 
  2. Click on the “Manage access” link from the information panel. On the Manage access page, click on “Advanced” link. set item level permission in sharepoint online
  3. On the Permissions tab, in the Inheritance group, click the Stop Inheriting Permissions button. Confirm the prompt.
    sharepoint online list item permissions powershell
  4. Now, click the “Grant Permissions.” button on the ribbon. In the Share dialog box, enter names, and email addresses. Click the Show Options button. In the Select A Permission Level list box, select the appropriate permission level, such as Edit.
    powershell to grant permission to list item in sharepoint online
  5. Click Share.

Having too many Item level permissions often leads to performance issues! so, be careful.

SharePoint Online: Set List Item Permissions using PowerShell:

How to give item-level permission for SharePoint Online? Here is my PowerShell to grant permissions in SharePoint Online.

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

Function Set-ListItemPermission
{
    param
    (   
        [Parameter(Mandatory=$true)] [string]$SiteURL,
        [Parameter(Mandatory=$true)] [string]$ListName,
        [Parameter(Mandatory=$true)] [string]$ItemID,
        [Parameter(Mandatory=$true)] [string]$PermissionLevel,
        [Parameter(Mandatory=$true)] [string]$UserID
    )
    Try {
        #Setup Credentials to connect
        $Cred= Get-Credential
        $Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = $Credentials
        
        #Get the List and Item
        $List = $Ctx.Web.Lists.GetByTitle($ListName)
        $ListItem=$List.GetItemByID($ItemID)
        $Ctx.Load($List)
        $Ctx.Load($ListItem)
        $Ctx.ExecuteQuery()

        #Check if Item has unique permission already
        $list.Retrieve("HasUniqueRoleAssignments")
        $Ctx.ExecuteQuery()

        #Break Item's permission Inheritance, if its inheriting permissions from the parent
        if (-not $ListItem.HasUniqueRoleAssignments)
        {
            $ListItem.BreakRoleInheritance($false, $false) #keep the existing permissions: No -  Clear listitems permissions: No
            $ctx.ExecuteQuery()
        }

        #Get the User
        $User = $Ctx.Web.EnsureUser($UserID)
        $Ctx.load($User)
        $Ctx.ExecuteQuery()

        #Get the role 
        $Role = $Ctx.web.RoleDefinitions.GetByName($PermissionLevel)
        $RoleDB = New-Object Microsoft.SharePoint.Client.RoleDefinitionBindingCollection($Ctx)
        $RoleDB.Add($Role)
         
        #Assign permissions
        $UserPermissions = $ListItem.RoleAssignments.Add($User,$RoleDB)
        $ListItem.Update()
        $Ctx.ExecuteQuery()
    
        Write-host -f Green "Permission granted to List Item successfully!"
    }
    Catch {
        Write-host -f Red "Error granting permission to List Item!" $_.Exception.Message
    }
}

#Set parameter values
$SiteURL="https://crescent.sharepoint.com"
$ListName="Projects"
$ItemID="1"
$UserID="salaudeen@crescent.com"
$PermissionLevel="Edit"

#Call the function
Set-ListItemPermission -SiteURL $SiteURL -ListName $ListName -ItemID $ItemID -UserID $UserID -PermissionLevel $PermissionLevel 

This script grants permission on the Item level for a given user. If you want to provide permission to SharePoint Group, Instead of line

$User = $Web.EnsureUser($UserAccount)
#use:
$Group =$Web.SiteGroups.GetByName($GroupName)
#and then
$GroupPermissions = $Item.RoleAssignments.Add($Group,$RoleDB)

PnP PowerShell to Set Item Level Permission

To change the permission for list items in SharePoint Online using PowerShell, use: Set-PnPListItemPermission cmdlet.

#Config Variables
$SiteURL = "https://Crescent.sharepoint.com/sites/Marketing"
$ListName ="Projects"
$ListItemID ="1"
$GroupName="Marketing Members"
$UserID="Peter@TheCrescentTech.com"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Credentials (Get-Credential)

#Get the Group
$Group = Get-PnPGroup | where-Object {$_.Title -eq $GroupName}

#Grant permission to Group - Remove all existing permissions
Set-PnPListItemPermission -Identity $ListItemID -List $ListName -AddRole "Read" -Group $Group -ClearExisting

#Grant permission to User
Set-PnPListItemPermission -Identity $ListItemID -List $ListName -AddRole "Edit" -User $UserID

You can get all available permissions to add or remove using the Get-PnPRoleDefinition cmdlet.  We can grant permission to all list items as in SharePoint Online: Grant Permission to All Items in a List using PowerShell

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with Two-decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions including SharePoint Architect, Administrator, Developer and consultant, has helped many organizations to implement and optimize SharePoint solutions. Known for his deep technical expertise, He's passionate about sharing the knowledge and insights to help others, through the real-world articles!

7 thoughts on “SharePoint Online: Grant Permission to List Item using PowerShell

  • How do I set item-level permissions for an item that I don’t have permissions for?

    Reply
  • Hello,
    I’m a Sharepoint Administrator and I created a list of broken permissions at the item level. My ADM user does not have access permission to several of these items, as they were wrongly removed by some users.
    Is there any way to grant this permission again to the Administrator?

    Reply
  • Hello my friend. PnP’s documentation says that -List parameter of Set-PnPListItemPermission can be “The ID, Title or Url of the list”. But I’ve tried -List “someURL” and nothing works for me. Can you give me some example of Set-PnPListItemPermission -List with a ListURL, please?
    Thanks in advance for all of your posts.

    Reply
  • How to get the ID of a file?

    Reply
  • Hi, I am having trouble getting this to work. Have recent changes in SharePoint Online stopped this method working? Even a simple count of lists returns null.
    Thanks Mark

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *