SharePoint Online: PowerShell to Get Folder Permissions
Requirement: Get Folder Permissions in SharePoint Online using PowerShell.
How to Get Folder Permissions in SharePoint Online?
Folder-level permissions in SharePoint Online provide fine-grained access control and are an important part of SharePoint Online security. As an administrator, you may need to manage the permissions on folders to ensure that users have the appropriate level of access. How do you find out who has access to a folder in SharePoint Online? There are two ways to get folder permissions in SharePoint Online: through the web browser or with PowerShell. The first is by navigating to the folder and viewing its permissions in the browser. To view folder-level permissions in SharePoint Online, follow these steps:
- Go to the library that contains the folder whose permissions you want to check. Select the folder and, from the Information panel, click on the “Manage Access” link.
- This gets you the permissions assigned to that folder in SharePoint Online.
- You can scroll down and click on the “Advanced” button to get to the page where you can view folder permissions on a single page. This will list all users and groups with permissions for that folder, including their permission level.
This can be useful if you need to determine who has access to a specific folder, or if you need to troubleshoot why you cannot access a folder that you think you should have access to.
SharePoint Online: PowerShell to Get Folder Permissions
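The SharePoint Online PowerShell Module is a powerful tool that offers administrators the ability to automate their work and easily manage permissions for different SharePoint objects. Let’s see how you can automate the manual task of retrieving folder permissions in SharePoint Online. Here is the PowerShell script to get folder permissions in SharePoint Online. It uses CSOM with a user name and password, so it works only with accounts that are not MFA-enabled; for MFA-enabled accounts, use the PnP PowerShell scripts later in this article: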
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Function to Get Folder Permissions
Function Get-SPOFolderPermission([String]$SiteURL, [String]$FolderRelativeURL)
{
    Try{
        #Setup the context
        $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
        $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

        #Get the Folder
        $Folder = $Ctx.Web.GetFolderByServerRelativeUrl($FolderRelativeURL)
        $Ctx.Load($Folder)
        $Ctx.ExecuteQuery()

        #Get permissions assigned to the Folder
        $RoleAssignments = $Folder.ListItemAllFields.RoleAssignments
        $Ctx.Load($RoleAssignments)
        $Ctx.ExecuteQuery()

        #Loop through each permission assigned and extract details
        $PermissionCollection = @()
        Foreach($RoleAssignment in $RoleAssignments)
        {
            $Ctx.Load($RoleAssignment.Member)
            $Ctx.executeQuery()

            #Get the User Type
            $PermissionType = $RoleAssignment.Member.PrincipalType

            #Get the Permission Levels assigned
            $Ctx.Load($RoleAssignment.RoleDefinitionBindings)
            $Ctx.ExecuteQuery()
            $PermissionLevels = ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name) -join ","

            #Get the User/Group Name
            $Name = $RoleAssignment.Member.Title # $RoleAssignment.Member.LoginName

            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Name($Name)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $Permissions | Add-Member NoteProperty PermissionLevels($PermissionLevels)
            $PermissionCollection += $Permissions
        }
        Return $PermissionCollection
    }
    Catch {
        write-host -f Red "Error Getting Folder Permissions!" $_.Exception.Message
    }
}

#Set Config Parameters
$SiteURL="https://Crescent.sharepoint.com/sites/Marketing"
$FolderRelativeURL="/sites/Marketing/Shared Documents/2018"

#Get Credentials to connect
$Cred= Get-Credential

#Call the function to Get Folder Permissions
Get-SPOFolderPermission $SiteURL $FolderRelativeURL
This script generates a folder permissions report. If you need to export these permission settings to a CSV file, you can simply use the following:
#Call the function to Get Folder Permissions and export to CSV file
Get-SPOFolderPermission $SiteURL $FolderRelativeURL | Export-CSV "C:\Temp\FolderPermissions.csv" -NoTypeInformation
Here is another post on Set Folder permissions in SharePoint Online: SharePoint Online: Change Folder Permissions using PowerShell
SharePoint Online Folder Permissions Report using PnP PowerShell
How about expanding each group and generating a report that lists all group users? Well, this time, let’s do that with PnP PowerShell! This PowerShell script exports folder permissions to a CSV file.
#Function to Get Permissions Applied on a particular Object such as: Web, List, Library, Folder or List Item
Function Get-PnPPermissions([Microsoft.SharePoint.Client.SecurableObject]$Object)
{
    Try {
        #Get permissions assigned to the Folder
        Get-PnPProperty -ClientObject $Object -Property HasUniqueRoleAssignments, RoleAssignments

        #Check if Object has unique permissions
        $HasUniquePermissions = $Object.HasUniqueRoleAssignments

        #Loop through each permission assigned and extract details
        $PermissionCollection = @()
        Foreach($RoleAssignment in $Object.RoleAssignments)
        {
            #Get the Permission Levels assigned and Member
            Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

            #Get the Principal Type: User, SP Group, AD Group
            $PermissionType = $RoleAssignment.Member.PrincipalType
            $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name

            #Remove Limited Access
            $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","
            If($PermissionLevels.Length -eq 0) {Continue}

            #Get SharePoint group members
            If($PermissionType -eq "SharePointGroup")
            {
                #Get Group Members
                $GroupMembers = Get-PnPGroupMember -Identity $RoleAssignment.Member.LoginName

                #Leave Empty Groups
                If($GroupMembers.count -eq 0){Continue}

                ForEach($User in $GroupMembers)
                {
                    #Add the Data to Object
                    $Permissions = New-Object PSObject
                    $Permissions | Add-Member NoteProperty User($User.Title)
                    $Permissions | Add-Member NoteProperty Type($PermissionType)
                    $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
                    $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
                    $PermissionCollection += $Permissions
                }
            }
            Else
            {
                #Add the Data to Object
                $Permissions = New-Object PSObject
                $Permissions | Add-Member NoteProperty User($RoleAssignment.Member.Title)
                $Permissions | Add-Member NoteProperty Type($PermissionType)
                $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
                $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
                $PermissionCollection += $Permissions
            }
        }
        #Export Permissions to CSV File
        $PermissionCollection | Export-CSV $ReportFile -NoTypeInformation
        Write-host -f Green "`n*** Folder Permission Report Generated Successfully!***"
    }
    Catch {
        write-host -f Red "Error Generating Folder Permission Report!" $_.Exception.Message
    }
}

#region ***Parameters***
$SiteURL="https://crescent.sharepoint.com/sites/marketing"
$ReportFile="C:\Temp\FolderPermissionRpt.csv"
$FolderRelativeURL = "/sites/marketing/Shared Documents/2019"
#endregion

#Connect to the Site collection
Connect-PnPOnline -URL $SiteURL -Interactive

#Get the Folder from URL
$Folder = Get-PnPFolder -Url $FolderRelativeURL

#Call the function to generate permission report
Get-PnPPermissions $Folder.ListItemAllFields
#The same function also accepts a file: get the file as a list item ($filePath holds the file's URL) and pass it in
$File = Get-PnPFile -Url $filePath -AsListItem
Get-PnPPermissions $File
SharePoint Online: Folder Permission Report using PowerShell
How about generating a permission report for a given folder and all its subfolders in SharePoint Online?
#Function to Get Permissions Applied on a particular Folder
Function Get-PnPFolderPermission([Microsoft.SharePoint.Client.Folder]$Folder)
{
    Try {
        #Get permissions assigned to the Folder
        Get-PnPProperty -ClientObject $Folder.ListItemAllFields -Property HasUniqueRoleAssignments, RoleAssignments

        #Check if Folder has unique permissions
        $HasUniquePermissions = $Folder.ListItemAllFields.HasUniqueRoleAssignments

        #Loop through each permission assigned and extract details
        $PermissionCollection = @()
        Foreach($RoleAssignment in $Folder.ListItemAllFields.RoleAssignments)
        {
            #Get the Permission Levels assigned and Member
            Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member

            #Leave the Hidden Permissions
            If($RoleAssignment.Member.IsHiddenInUI -eq $False)
            {
                #Get the Principal Type: User, SP Group, AD Group
                $PermissionType = $RoleAssignment.Member.PrincipalType
                $PermissionLevels = $RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name

                #Remove Limited Access
                $PermissionLevels = ($PermissionLevels | Where { $_ -ne "Limited Access"}) -join ","
                If($PermissionLevels.Length -eq 0) {Continue}

                #Get SharePoint group members
                If($PermissionType -eq "SharePointGroup")
                {
                    #Get Group Members
                    $GroupName = $RoleAssignment.Member.LoginName
                    $GroupMembers = Get-PnPGroupMember -Identity $GroupName

                    #Leave Empty Groups
                    If($GroupMembers.count -eq 0){Continue}
                    If($GroupName -notlike "*System Account*" -and $GroupName -notlike "*SharingLinks*" -and $GroupName -notlike "*tenant*" -and $GroupName -notlike `
                        "Excel Services Viewers" -and $GroupName -notlike "Restricted Readers" -and $GroupName -notlike "Records Center Web Service Submitters for records")
                    {
                        ForEach($User in $GroupMembers)
                        {
                            #Add the Data to Folder
                            $Permissions = New-Object PSObject
                            $Permissions | Add-Member NoteProperty FolderName($Folder.Name)
                            $Permissions | Add-Member NoteProperty FolderURL($Folder.ServerRelativeUrl)
                            $Permissions | Add-Member NoteProperty User($User.Title)
                            $Permissions | Add-Member NoteProperty Type($PermissionType)
                            $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
                            $Permissions | Add-Member NoteProperty GrantedThrough("SharePoint Group: $($RoleAssignment.Member.LoginName)")
                            $PermissionCollection += $Permissions
                        }
                    }
                }
                Else
                {
                    #Add the Data to Folder
                    $Permissions = New-Object PSObject
                    $Permissions | Add-Member NoteProperty FolderName($Folder.Name)
                    $Permissions | Add-Member NoteProperty FolderURL($Folder.ServerRelativeUrl)
                    $Permissions | Add-Member NoteProperty User($RoleAssignment.Member.Title)
                    $Permissions | Add-Member NoteProperty Type($PermissionType)
                    $Permissions | Add-Member NoteProperty Permissions($PermissionLevels)
                    $Permissions | Add-Member NoteProperty GrantedThrough("Direct Permissions")
                    $PermissionCollection += $Permissions
                }
            }
        }
        #Export Permissions to CSV File
        $PermissionCollection | Export-CSV $ReportFile -NoTypeInformation -Append
        Write-host -f Green "`n*** Permissions of Folder '$($Folder.Name)' at '$($Folder.ServerRelativeUrl)' Exported Successfully!***"
    }
    Catch {
        write-host -f Red "Error Generating Folder Permission Report!" $_.Exception.Message
    }
}

# Parameters
$SiteURL="https://crescent.sharepoint.com/sites/Marketing"
$ReportFile="C:\Temp\FolderPermissionRpt.csv"
$FolderSiteRelativeURL = "/Branding/2020"

#Connect to the Site collection
Connect-PnPOnline -URL $SiteURL -Interactive

#Delete the file, If already exist!
If (Test-Path $ReportFile) { Remove-Item $ReportFile }

#Get the Folder and all Subfolders from URL
$Folder = Get-PnPFolder -Url $FolderSiteRelativeURL
$SubFolders = Get-PnPFolderItem -FolderSiteRelativeUrl $FolderSiteRelativeURL -ItemType Folder -Recursive

#Call the function to generate folder permission report
Get-PnPFolderPermission $Folder
$SubFolders | ForEach-Object { Get-PnPFolderPermission $_ }
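To review the CSV this script produces, the following added example (not part of the original article) flags the rows that usually deserve a second look: tenant-wide principals, Full Control, and direct grants to individual users. The function name Find-FolderGrantFinding, its default lists and the sample rows are assumptions constructed for illustration; the column names are the ones the report script writes.

```powershell
# Added example: triage rows of the folder permission report (not the article's code).
# Hypothetical function; column names match the CSV written by Get-PnPFolderPermission.
Function Find-FolderGrantFinding
{
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory, ValueFromPipeline)] [PSObject]$Row,
        # Assumption: levels treated as high privilege; adjust to your own policy
        [String[]]$HighPrivilegeLevels = @("Full Control"),
        # Display names of the built-in tenant-wide principals
        [String[]]$BroadPrincipals = @("Everyone", "Everyone except external users")
    )
    Process
    {
        $Reasons = @()
        # The report joins permission levels with a comma, so split them again
        $Levels = @($Row.Permissions -split "," | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $High = @($Levels | Where-Object { $HighPrivilegeLevels -contains $_ })

        If ($BroadPrincipals -contains $Row.User) { $Reasons += "Tenant-wide principal" }
        If ($High.Count -gt 0) { $Reasons += "High privilege: $($High -join '/')" }
        If ($Row.Type -eq "User" -and $Row.GrantedThrough -eq "Direct Permissions")
        {
            $Reasons += "Direct grant to an individual user"
        }
        # Emit only the rows that matched at least one check
        If ($Reasons.Count -gt 0)
        {
            [PSCustomObject]@{
                FolderURL      = $Row.FolderURL
                User           = $Row.User
                Permissions    = $Row.Permissions
                GrantedThrough = $Row.GrantedThrough
                Findings       = $Reasons -join "; "
            }
        }
    }
}

# Constructed sample rows in the report's format; for a real run use: Import-Csv $ReportFile
$SampleReport = @'
"FolderName","FolderURL","User","Type","Permissions","GrantedThrough"
"2020","/sites/Marketing/Branding/2020","Constructed User A","SharePointGroup","Full Control","SharePoint Group: Marketing Owners"
"2020","/sites/Marketing/Branding/2020","Everyone except external users","SecurityGroup","Read","Direct Permissions"
"Drafts","/sites/Marketing/Branding/2020/Drafts","Constructed User B","User","Edit,Contribute","Direct Permissions"
"Drafts","/sites/Marketing/Branding/2020/Drafts","Constructed User C","SharePointGroup","Read","SharePoint Group: Marketing Visitors"
'@ | ConvertFrom-Csv

# List the flagged rows with the reason(s) for each
$SampleReport | Find-FolderGrantFinding | Format-List
```

The report script skips hidden principals, "Limited Access" entries and groups whose names match *SharingLinks*, so a report with no flagged rows says nothing about access granted through sharing links.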
In summary, getting folder permissions in SharePoint Online is a simple and necessary task that can help you manage the access and security of your organization’s content. By following the steps and PowerShell script in this article, you can easily generate folder permission reports and ensure that your organization’s resources are properly managed.
Hi thanks for your effort in providing us these very useful scripts. I have the below error with all the scripts, please can you kindly help.
Get-PnPFolder : File Not Found.
At line:90 char:11
+ $Folder = Get-PnPFolder -Url $FolderSiteRelativeURL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-PnPFolder], PSInvalidOperationException
+ FullyQualifiedErrorId : InvalidOperation,PnP.PowerShell.Commands.Files.GetFolder
Error Generating Folder Permission Report! Cannot bind argument to parameter ‘ClientObject’ because it is null.
The $FolderSiteRelativeURL should be provided as input to the second script. E.g., If your Folder URL is: https://YourDomain.SharePoint.com/sites/YourSite/YourLibrary/YourFolder, then the $FolderSiteRelativeURL is: /YourLibrary/YourFolder
Thanks very much for your prompt response. I still get the same error after modifying the FolderSiteRelativeURL
#region ***Parameters***
$SiteURL="https://xxx.sharepoint.com/sites/sample"
$ReportFile="C:\Temp\FolderPermissionRpt.csv"
$FolderRelativeURL ="/Documents/General"
#endregion
#Connect to the Site collection
Connect-PnPOnline -URL $SiteURL -Interactive
#Get the Folder from URL
$Folder = Get-PnPFolder -Url $FolderRelativeURL
#Call the function to generate permission report
Get-PnPPermissions $Folder.ListItemAllFields
Hello, thank you for all the SPO scripts, you have helped me loads.
I’m currently trying to adapt your script ‘SharePoint Online: Folder Permission Report using PowerShell’ to output to CSV all folder and file permissions under a specific SPO-site and document library, but only the first three folder levels. I have this working for folders, I get a CSV with all permissions from the first three folder levels. But I’m now attempting to also add unique permissions found on files in those same three folder levels.
I tried removing -ItemType ‘Folder’ from [Get-PnPFolderItem -FolderSiteRelativeUrl $FolderSiteRelativeURL -ItemType Folder] and do get files listed, but once I pass those to the function it won’t understand the object type because the function listens for folder objecttypes only.
I also looked at your script ‘SharePoint Online PowerShell to Get List Permissions’, but that script will iterate all files and folders and I couldn’t adapt that one to only scan the first three folder levels.
So I finally ended up trying to take that function and combine the two scripts, but that function doesn’t understand the object type ‘Microsoft.SharePoint.Client.File’. I’m trying to use the switch in the function to also check for objects with this file object type. But I can’t get it to work.
Are you able to give me a few pointers on how to have your script ‘SharePoint Online: Folder Permission Report using PowerShell’ also export unique permissions on files?
Kind regards
Hello All,
How can we use this script when I have multiple folders under “Shared Documents”? I want to run the script at once. Appreciate your help, thanks.
Use this script to generate a permission report for a document library: Generate Document Library Permissions report in SharePoint Online using PowerShell
I followed the script and it is running. But when the report is generated, in the users column all the users who have permission on a particular folder are mentioned. I need one user for one folder or sub folder, not all the users who have access to it. Do I need to do any modifications?
Many thanks for your hard work on these scripts! Is it possible to use the script which gets the subfolder permissions on a Document Library instead of a folder? Thanks!
Just set the “$FolderRelativeURL” variable to point your sub-folder and run the script.
Many thanks for your reply, sorry but my original post wasn’t clear – I meant that I’d like to be able to use the script with the “$FolderRelativeURL” variable to point to the Document Library rather than to a sub-folder in the Document Library, so that I can get the permissions just on the folders on the root of the Document Library, (but not getting the permissions recursively of all the subfolders that exist in the entire Document Library).
Thank you very much for your scripts – we’re using the folder permissions report which works really well to report the first level subfolders! I’m wondering if it’s possible to change this report to do exactly the same, but for a document library instead of a folder?
If I change the $SiteURL to the one level above the actual sitename, and the $FolderSiteRelativeURL to the path of the document library relative to the $SiteURL, a report is generated although I do get some errors.
I get these errors when the script starts
Get-PnPFolder : The remote server returned an error: (404) Not Found.
At #redacted# Permissions Report.ps1:90 char:11
+ $Folder = Get-PnPFolder -Url $FolderSiteRelativeURL
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-PnPFolder], PSInvalidOperationException
+ FullyQualifiedErrorId : InvalidOperation,PnP.PowerShell.Commands.Files.GetFolder
Get-PnPFolderItem : The remote server returned an error: (404) Not Found.
At #redacted# Permissions Report.ps1:91 char:15
+ … ubFolders = Get-PnPFolderItem -FolderSiteRelativeUrl $FolderSiteRelat …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-PnPFolderItem], PSInvalidOperationException
+ FullyQualifiedErrorId : InvalidOperation,PnP.PowerShell.Commands.Files.GetFolderItem
And then just before 2 of the green write-host entries, I get the below errors, but
Error Generating Folder Permission Report! The collection has not been initialized. It has not been requested or the request has not been executed. It may need to be explicitly requested
To reiterate, even with the above errors the report is created correctly.
Thank you for sharing this, although I’m getting the error below, it’s probably because basic auth is disabled by MS? Do we have an alternate solution to cache the creds to run this script? Thanks so much
Error Getting Folder Permissions! Exception calling “ExecuteQuery” with “0” argument(s): “The sign-in name or password does not match one in the Microsoft account system.”
Use the PnP PowerShell to authenticate with MFA enabled account. CSOM script works with Non-MFA enabled accounts.
hi, I need pnp scripts to get item level permission in sharepoint
please help, I tried and did some changes in as you posted folder permission, but I am getting an error
can you please help me to come out of this?
Same error for me, anyone found a way around this?
Looks like your account is MFA enabled! Can you try the PnP PowerShell methods?
I get the same message :/
Error Getting Folder Permissions! Exception calling “ExecuteQuery” with “0” argument(s): “The sign-in name or password does not match one in the Microsoft account system.”
Try the PnP PowerShell methods as it can handle MFA accounts. Other solutions are here: Fix “The sign-in name or password does not match one in the Microsoft account system” Error in SharePoint Online
When I run this I get the following error.
Error Generating Folder Permission Report! The collection has not been initialized. It has not been requested or the request has not been executed. It may need to be explicitly requested.
Any idea what I’m doing wrong?
When I run this command, I was asked to “InputObject:” Does anyone know what I should input?
Your site is very useful – thank you. I have used your script to break inheritance.
I often have to create many folders in a site and permission them to individual users.
I use Excel to concatenate build hundreds of lines of PS1 to create, remove users, add users etc…
I wondered if there is a way to take a CSV file and create folders for one column, user and permissions in other columns.
Yes, You can use PowerShell and CSV to create folders and set permissions.
Sorry, I don’t get it how to get permissions from a folder and sub-folders in a SharePoint Online Library…
I tried the mentioned scripts and even combined them, but there is no correct output.
Hopefully you can guide me to get a correct report from permissions on a folder and sub-folders.
Thanks, is it possible to generate folder permission for subfolders?
Yes, just get the subfolder (see “How to Get a Folder/Sub-Folder in SharePoint Online?”) and call the function:
Get-PnPPermissions $Folder.ListItemAllFields
Please give sample code
“To get permissions for all items and folders under the target sub-folder”
This script gets you the permission report for all items, folders and sub-folders in a list or library SharePoint Online: Document Library Permissions Report using PowerShell