SharePoint Online: PowerShell to Get Folder Permissions

Requirement: Get Folder Permissions in SharePoint Online using PowerShell.

How to Get Folder Permissions in SharePoint Online?

Folder-level permissions in SharePoint Online give you fine-grained control over access, and they are an important part of SharePoint Online security. As an administrator, you may need to manage folder permissions to ensure that users have the appropriate level of access. How do you find out who has access to a folder in SharePoint Online? There are two ways to get folder permissions in SharePoint Online. The first is to navigate to the folder and view its permissions in the web browser. To view folder-level permissions in SharePoint Online, follow these steps:

  1. Go to the library that contains the folder whose permissions you want to check. Select the folder and, from the Information panel, click on the “Manage Access” link.
  2. This gets you the permissions assigned to that folder in SharePoint Online.
  3. You can scroll down and click on the “Advanced” button to get to the page where you can view folder permissions on a single page. This will list all users and groups with permissions for that folder, including their permission level.

This can be useful if you need to determine who has access to a specific folder, or if you need to troubleshoot why you cannot access a folder that you think you should have access to.

SharePoint Online: PowerShell to Get Folder Permissions

The SharePoint Online PowerShell Module is a powerful tool that offers administrators the ability to automate their work and easily manage permissions for different SharePoint objects. Let’s see how you can automate the manual task of retrieving folder permissions in SharePoint Online. Here is the PowerShell to get folder permissions in SharePoint Online:

#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
 
#Function to Get Folder Permissions
Function Get-SPOFolderPermission([String]$SiteURL, [String]$FolderRelativeURL)
{
    Try{
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
     
        #Get the Folder
        $Folder = $Ctx.Web.GetFolderByServerRelativeUrl($FolderRelativeURL)
        $Ctx.Load($Folder)
        $Ctx.ExecuteQuery()

        #Get permissions assigned to the Folder
        $RoleAssignments = $Folder.ListItemAllFields.RoleAssignments
        $Ctx.Load($RoleAssignments)
        $Ctx.ExecuteQuery()

        #Loop through each permission assigned and extract details
        $PermissionCollection = @()
        Foreach($RoleAssignment in $RoleAssignments)
        { 
            $Ctx.Load($RoleAssignment.Member)
            $Ctx.executeQuery()

            #Get the User Type
            $PermissionType = $RoleAssignment.Member.PrincipalType

            #Get the Permission Levels assigned
            $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
            $Ctx.ExecuteQuery()
            $PermissionLevels = ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name) -join ","
            
            #Get the User/Group Name
            $Name = $RoleAssignment.Member.Title # $RoleAssignment.Member.LoginName

            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Name($Name)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)
            $PermissionCollection += $Permissions
        }
        Return $PermissionCollection
    }
    Catch {
    write-host -f Red "Error Getting Folder Permissions!" $_.Exception.Message
    }
}
 
#Set Config Parameters
$SiteURL="https://Crescent.sharepoint.com/sites/Marketing"
$FolderRelativeURL="/sites/Marketing/Shared Documents/2018"
 
#Get Credentials to connect
$Cred= Get-Credential
 
#Call the function to Get Folder Permissions
Get-SPOFolderPermission $SiteURL $FolderRelativeURL

This script generates a folder permissions report. If you need to export these permission settings to a CSV file, you can simply use the following:

#Call the function to Get Folder Permissions and export to CSV file
Get-SPOFolderPermission $SiteURL $FolderRelativeURL | Export-CSV "C:\Temp\FolderPermissions.csv" -NoTypeInformation

Here is another post on setting folder permissions in SharePoint Online: SharePoint Online: Change Folder Permissions using PowerShell

SharePoint Online Folder Permissions Report using PnP PowerShell

How about expanding each group and generating a report that lists all group users? Well, this time, let’s do that with PnP PowerShell! This PowerShell script exports folder permissions to a CSV file.

#Function to Get Permissions Applied on a particular Object such as: Web, List, Library, Folder or List Item
Function Get-PnPPermissions([Microsoft.SharePoint.Client.SecurableObject]$Object)
{
    Try {
        #Get permissions assigned to the Folder
        Get-PnPProperty -ClientObject $Object -Property HasUniqueRoleAssignments, RoleAssignments

        #Check if Object has unique permissions
        $HasUniquePermissions = $Object.HasUniqueRoleAssignments
   
        #Loop through each permission assigned and extract details
        $PermissionCollection = @()
        Foreach($RoleAssignment in $Object.RoleAssignments)
        { 
            #Get the Permission Levels assigned and Member
            Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member
   
            #Get the Principal Type: User, SP Group, AD Group
            $PermissionType = $RoleAssignment.Member.PrincipalType
            $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name

            #Remove Limited Access
            $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","
            If($PermissionLevels.Length -eq 0) {Continue}

            #Get SharePoint group members
            If($PermissionType -eq "SharePointGroup")
            {
                #Get Group Members
                $GroupMembers = Get-PnPGroupMember -Identity $RoleAssignment.Member.LoginName
                
                #Leave Empty Groups
                If($GroupMembers.count -eq 0){Continue}

                ForEach($User in $GroupMembers)
                {
                    #Add the Data to Object
                    $Permissions = New-Object PSObject
                    $Permissions | Add-Member NoteProperty User($User.Title)
                    $Permissions | Add-Member NoteProperty Type($PermissionType)
                    $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
                    $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
                    $PermissionCollection += $Permissions
                }
            }
            Else
            {
                #Add the Data to Object
                $Permissions = New-Object PSObject
                $Permissions | Add-Member NoteProperty User($RoleAssignment.Member.Title)
                $Permissions | Add-Member NoteProperty Type($PermissionType)
                $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
                $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
                $PermissionCollection += $Permissions
            }
        }
        #Export Permissions to CSV File
        $PermissionCollection | Export-CSV $ReportFile -NoTypeInformation
        Write-host -f Green "`n*** Folder Permission Report Generated Successfully!***"
    }
    Catch {
    write-host -f Red "Error Generating Folder Permission Report!" $_.Exception.Message
    }
}
  
#region ***Parameters***
$SiteURL="https://crescent.sharepoint.com/sites/marketing"
$ReportFile="C:\Temp\FolderPermissionRpt.csv"
$FolderRelativeURL = "/sites/marketing/Shared Documents/2019" 
#endregion

#Connect to the Site collection
Connect-PnPOnline -URL $SiteURL -Interactive

#Get the Folder from URL
$Folder = Get-PnPFolder -Url $FolderRelativeURL

#Call the function to generate permission report
Get-PnPPermissions $Folder.ListItemAllFields

And the resulting report:

[Image: SharePoint Online folder permissions report]

Tips: Can I use this script to get permissions of a File? Sure! Just get the file and call the function.
$File = Get-PnPFile -Url $filePath -AsListItem
Get-PnPPermissions $File

SharePoint Online: Folder Permission Report using PowerShell

How about generating a permission report for a given folder and all its subfolders in SharePoint Online?

#Function to Get Permissions Applied on a particular Folder
Function Get-PnPFolderPermission([Microsoft.SharePoint.Client.Folder]$Folder)
{
    Try {
        #Get permissions assigned to the Folder
        Get-PnPProperty -ClientObject $Folder.ListItemAllFields -Property HasUniqueRoleAssignments, RoleAssignments
 
        #Check if Folder has unique permissions
        $HasUniquePermissions = $Folder.ListItemAllFields.HasUniqueRoleAssignments
    
        #Loop through each permission assigned and extract details
        $PermissionCollection = @()
        Foreach($RoleAssignment in $Folder.ListItemAllFields.RoleAssignments)
        {
            #Get the Permission Levels assigned and Member
            Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

            #Leave the Hidden Permissions
            If($RoleAssignment.Member.IsHiddenInUI -eq $False)
            {    
                #Get the Principal Type: User, SP Group, AD Group
                $PermissionType = $RoleAssignment.Member.PrincipalType
                $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name
 
                #Remove Limited Access
                $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","
                If($PermissionLevels.Length -eq 0) {Continue}
 
                #Get SharePoint group members
                If($PermissionType -eq "SharePointGroup")
                {
                    #Get Group Members
                    $GroupName = $RoleAssignment.Member.LoginName
                    $GroupMembers = Get-PnPGroupMember -Identity $GroupName
                 
                    #Leave Empty Groups
                    If($GroupMembers.count -eq 0){Continue}
                    If($GroupName -notlike "*System Account*" -and $GroupName -notlike "*SharingLinks*" -and $GroupName -notlike "*tenant*" -and $GroupName -notlike `
                        "Excel Services Viewers" -and $GroupName -notlike "Restricted Readers" -and  $GroupName -notlike "Records Center Web Service Submitters for records")
                    { 
                        ForEach($User in $GroupMembers)
                        {
                            #Add the Data to Folder
                            $Permissions = New-Object PSObject
                            $Permissions | Add-Member NoteProperty FolderName($Folder.Name)
                            $Permissions | Add-Member NoteProperty FolderURL($Folder.ServerRelativeUrl)
                            $Permissions | Add-Member NoteProperty User($User.Title)
                            $Permissions | Add-Member NoteProperty Type($PermissionType)
                            $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
                            $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
                            $PermissionCollection += $Permissions
                        }
                    }
                }
                Else
                {
                    #Add the Data to Folder
                    $Permissions = New-Object PSObject
                    $Permissions | Add-Member NoteProperty FolderName($Folder.Name)
                    $Permissions | Add-Member NoteProperty FolderURL($Folder.ServerRelativeUrl)
                    $Permissions | Add-Member NoteProperty User($RoleAssignment.Member.Title)
                    $Permissions | Add-Member NoteProperty Type($PermissionType)
                    $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
                    $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
                    $PermissionCollection += $Permissions
                }
            }
        }
        #Export Permissions to CSV File
        $PermissionCollection | Export-CSV $ReportFile -NoTypeInformation -Append
        Write-host -f Green "`n*** Permissions of Folder '$($Folder.Name)' at '$($Folder.ServerRelativeUrl)' Exported Successfully!***"
    }
    Catch {
    write-host -f Red "Error Generating Folder Permission Report!" $_.Exception.Message
    }
}
   
# Parameters
$SiteURL="https://crescent.sharepoint.com/sites/Marketing"
$ReportFile="C:\Temp\FolderPermissionRpt.csv"
$FolderSiteRelativeURL = "/Branding/2020"
 
#Connect to the Site collection
Connect-PnPOnline -URL $SiteURL -Interactive

#Delete the file, If already exist!
If (Test-Path $ReportFile) { Remove-Item $ReportFile }

#Get the Folder and all Subfolders from URL
$Folder = Get-PnPFolder -Url $FolderSiteRelativeURL
$SubFolders = Get-PnPFolderItem -FolderSiteRelativeUrl $FolderSiteRelativeURL -ItemType Folder -Recursive

#Call the function to generate folder permission report
Get-PnPFolderPermission $Folder
$SubFolders | ForEach-Object { Get-PnPFolderPermission $_ }
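
Once the CSV exists, it can be triaged offline. The following is an added example, not part of the original article: it reads rows in the column layout exported by Get-PnPFolderPermission, flags grants that usually deserve review, and rolls up access per user. The function names, the sample rows, and the lists of broad principals and high-privilege levels are assumptions to adapt to your tenant.

```powershell
# Constructed sample rows in the column layout that Get-PnPFolderPermission exports.
# For a real run: $Report = Import-Csv "C:\Temp\FolderPermissionRpt.csv"
$Report = @'
"FolderName","FolderURL","User","Type","Permissions","GrantedThrough"
"2020","/sites/Marketing/Branding/2020","Sample User A","SharePointGroup","Full Control","SharePoint Group: Marketing Owners"
"2020","/sites/Marketing/Branding/2020","Everyone except external users","SecurityGroup","Read","Direct Permissions"
"Logos","/sites/Marketing/Branding/2020/Logos","Sample User B","User","Edit,Contribute","Direct Permissions"
"Logos","/sites/Marketing/Branding/2020/Logos","Sample User A","SharePointGroup","Read","SharePoint Group: Marketing Visitors"
'@ | ConvertFrom-Csv

# Hypothetical helper: returns one object per report row that matches a review rule
Function Get-FolderPermissionFinding {
    Param(
        [Parameter(Mandatory)] [Object[]] $Report,
        # Assumed display names of tenant-wide principals; adjust as needed
        [String[]] $BroadPrincipals = @("Everyone", "Everyone except external users"),
        # Assumed set of permission levels treated as high privilege
        [String[]] $HighPrivilege = @("Full Control")
    )
    ForEach ($Row in $Report) {
        # The report joins multiple permission levels with commas
        $Levels  = @($Row.Permissions -split "," | ForEach-Object { $_.Trim() })
        $Reasons = @()

        If ($BroadPrincipals -contains $Row.User) {
            $Reasons += "Tenant-wide principal"
        }
        If ($Row.Type -eq "User" -and $Row.GrantedThrough -eq "Direct Permissions") {
            $Reasons += "Direct grant to an individual user"
        }
        If ($Levels | Where-Object { $HighPrivilege -contains $_ }) {
            $Reasons += "High-privilege level"
        }

        If ($Reasons.Count -gt 0) {
            [PSCustomObject]@{
                FolderURL      = $Row.FolderURL
                User           = $Row.User
                Permissions    = $Row.Permissions
                GrantedThrough = $Row.GrantedThrough
                Findings       = $Reasons -join "; "
            }
        }
    }
}

# Hypothetical helper: union of folders and permission levels per user,
# across direct grants and every group the user is reported through
Function Get-FolderAccessByUser {
    Param([Parameter(Mandatory)] [Object[]] $Report)
    $Report | Group-Object User | ForEach-Object {
        $AllLevels = $_.Group.Permissions -split "," | ForEach-Object { $_.Trim() }
        [PSCustomObject]@{
            User        = $_.Name
            FolderCount = @($_.Group.FolderURL | Sort-Object -Unique).Count
            Levels      = ($AllLevels | Sort-Object -Unique) -join ","
        }
    }
}

# Rows to review, then the per-user rollup
Get-FolderPermissionFinding -Report $Report | Format-Table -AutoSize -Wrap
Get-FolderAccessByUser -Report $Report | Format-Table -AutoSize
```

Because Get-PnPFolderPermission above skips hidden principals, "Limited Access" entries, and groups whose names match *SharingLinks*, access granted through those paths never reaches the CSV and is not covered by these checks.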

In summary, getting folder permissions in SharePoint Online is a simple and necessary task that can help you manage the access and security of your organization’s content. By following the steps and PowerShell scripts in this article, you can easily generate folder permission reports and ensure that your organization’s resources are properly managed.

Salaudeen Rajack

Salaudeen Rajack - Information Technology Expert with two decades of hands-on experience, specializing in SharePoint, PowerShell, Microsoft 365, and related products. He has held various positions, including SharePoint Architect, Administrator, Developer, and Consultant, and has helped many organizations implement and optimize SharePoint solutions. Known for his deep technical expertise, he is passionate about sharing knowledge and insights to help others through real-world articles!

33 thoughts on “SharePoint Online: PowerShell to Get Folder Permissions”

  • Hello.

    I want to get permissions for all folders of a library. I get the following error with a hidden folder named “Forms”:
    “InvalidOperation: An error occurred while enumerating through a collection: The collection has not been initialized. It has not been requested or the request has not been executed. It may need to be explicitly requested…”
    How can I avoid this?

  • Your script is very useful but I get error this time
    The error is : Error Getting Folder Permissions! Type [Microsoft.SharePoint.Client.ClientContext] not found. Make sure that the assembly containing this type is loaded.
    I tried the script in two tenants and it works, but for another tenant it shows the error,
    but not all the time; it sometimes shows the error and sometimes runs smoothly.
    I don't know what the reason is for getting the above error.
    I tried to install SharePoint Management Shell also but still get the error.

  • Hi,

    When I run the script, I get the error

    Error Getting Folder Permissions! Exception calling “ExecuteQuery” with “0” argument(s): “The sign-in name or password does not match one in the Microsoft account system.”
    I am using the 365 admin account we used to create the Sharepoint Site?

  • Hi,
    I have a problem with the script because it also returns users that actually don’t have any permissions on a specific folder. In the report they are in the “Limited Access” group, but in the GUI they do not appear and of course they don’t have permissions to access that specific folder.

    Can you please help me?

    thanks in advance
    Matteo

  • Hi thanks for your effort in providing us these very useful scripts. I have the below error with all the scripts, please can you kindly help.

    Get-PnPFolder : File Not Found.
    At line:90 char:11
    + $Folder = Get-PnPFolder -Url $FolderSiteRelativeURL
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Get-PnPFolder], PSInvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,PnP.PowerShell.Commands.Files.GetFolder

    Error Generating Folder Permission Report! Cannot bind argument to parameter ‘ClientObject’ because it is null.

    • The $FolderSiteRelativeURL should be provided as input to the second script. E.g., If your Folder URL is: https://YourDomain.SharePoint.com/sites/YourSite/YourLibrary/YourFolder, then the $FolderSiteRelativeURL is: /YourLibrary/YourFolder

      • Thanks very much for your prompt response. I still get the same error after modifying the FolderSiteRelativeURL.

        #region ***Parameters***
        $SiteURL=”https://xxx.sharepoint.com/sites/sample”
        $ReportFile=”C:\Temp\FolderPermissionRpt.csv”
        $FolderRelativeURL =”/Documents/General”
        #endregion

        #Connect to the Site collection
        Connect-PnPOnline -URL $SiteURL -Interactive

        #Get the Folder from URL
        $Folder = Get-PnPFolder -Url $FolderRelativeURL

        #Call the function to generate permission report
        Get-PnPPermissions $Folder.ListItemAllFields

        • Any response to that? I am really interested in only listing permissions for a folder and its subfolders. I have 300k folders/subfolders in my list. It’s impossible for me to run the script on the entire list.

  • Hello, thank you for all the SPO scripts, you have helped me loads.

    I’m currently trying to adapt your script ‘SharePoint Online: Folder Permission Report using PowerShell’ to output to CSV all folder and file permissions under a specific SPO-site and document library, but only the first three folder levels. I have this working for folders, I get a CSV with all permissions from the first three folder levels. But I’m now attempting to also add unique permissions found on files in those same three folder levels.

    I tried removing -ItemType ‘Folder’ from [Get-PnPFolderItem -FolderSiteRelativeUrl $FolderSiteRelativeURL -ItemType Folder] and do get files listed, but once I pass those to the function it won’t understand the object type because the function listens for folder objecttypes only.

    I also looked at your script ‘SharePoint Online PowerShell to Get List Permissions’, but that script will iterate all files and folders and I couldn’t adapt that one to only scan the first three folder levels.

    So I finally ended up trying to take that function and combine the two scripts, but that function doesn’t understand the object type ‘Microsoft.SharePoint.Client.File’. I’m trying to use the switch in the function to also check for objects with this file object type. But I can’t get it to work.

    Are you able to give me a few pointers on how to have your script ‘SharePoint Online: Folder Permission Report using PowerShell’ also export unique permissions on files?

    Kind regards

  • Hello All,

    How can we use this script when I have multiple folders under “Shared Documents”? I want to run the script at once. I appreciate your help, thanks.

  • Many thanks for your hard work on these scripts! Is it possible to use the script which gets the subfolder permissions on a Document Library instead of a folder? Thanks!

    • Just set the “$FolderRelativeURL” variable to point your sub-folder and run the script.

      • Many thanks for your reply, sorry but my original post wasn’t clear – I meant that I’d like to be able to use the script with the “$FolderRelativeURL” variable to point to the Document Library rather than to a sub-folder in the Document Library, so that I can get the permissions just on the folders on the root of the Document Library, (but not getting the permissions recursively of all the subfolders that exist in the entire Document Library).

  • Thank you very much for your scripts – we’re using the folder permissions report which works really well to report the first level subfolders! I’m wondering if it’s possible to change this report to do exactly the same, but for a document library instead of a folder?

    If I change the $SiteURL to the one level above the actual sitename, and the $FolderSiteRelativeURL to the path of the document library relative to the $SiteURL, a report is generated although I do get some errors.

    I get these errors when the script starts
    Get-PnPFolder : The remote server returned an error: (404) Not Found.
    At #redacted# Permissions Report.ps1:90 char:11
    + $Folder = Get-PnPFolder -Url $FolderSiteRelativeURL
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Get-PnPFolder], PSInvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,PnP.PowerShell.Commands.Files.GetFolder

    Get-PnPFolderItem : The remote server returned an error: (404) Not Found.
    At #redacted# Permissions Report.ps1:91 char:15
    + … ubFolders = Get-PnPFolderItem -FolderSiteRelativeUrl $FolderSiteRelat …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Get-PnPFolderItem], PSInvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,PnP.PowerShell.Commands.Files.GetFolderItem

    And then just before 2 of the green write-host entries, I get the below errors, but
    Error Generating Folder Permission Report! The collection has not been initialized. It has not been requested or the request has not been executed. It may need to be explicitly requested

    To reiterate, even with the above errors the report is created correctly.

  • Thank you for sharing this, although I'm getting the error below. It's probably because basic auth is disabled by MS? Do we have an alternate solution to cache the creds to run this script? Thanks so much

    Error Getting Folder Permissions! Exception calling “ExecuteQuery” with “0” argument(s): “The sign-in name or password does not match one in the Microsoft account system.”

    • Use the PnP PowerShell to authenticate with MFA enabled account. CSOM script works with Non-MFA enabled accounts.

  • Hi, I need PnP scripts to get item-level permissions in SharePoint.
    Please help. I tried and made some changes to the folder permission script you posted, but I am getting an error.
    Can you please help me get out of this?

  • Same error for me, anyone found a way around this?

  • I get the same message :/

  • Error Getting Folder Permissions! Exception calling “ExecuteQuery” with “0” argument(s): “The sign-in name or password does not match one in the Microsoft account system.”

  • When I run this I get the following error.
    Error Generating Folder Permission Report! The collection has not been initialized. It has not been requested or the request has not been executed. It may need to be explicitly requested.
    Any idea what I’m doing wrong?

  • When I run this command, I was asked to “InputObject:” Does anyone know what I should input?

  • Your site is very useful – thank you. I have used your script to break inheritance.
    I often have to create many folders in a site and permission them to individual users.
    I use Excel to concatenate and build hundreds of lines of PS1 to create, remove users, add users etc…
    I wondered if there is a way to take a CSV file and create folders for one column, user and permissions in other columns.

  • Sorry, I don’t get it how to get permissions from a folder and sub-folders in a SharePoint Online Library…
    I tried the mentioned scripts and even combined them, but there is no correct output.

    Hopefully you can guide me to get a correct report from permissions on a folder and sub-folders.

  • Thanks, is it possible to generate folder permission for subfolders?

