SharePoint Online: Remove User from Subsite Permission using PowerShell
Requirement: Remove a user from a SharePoint Online subsite.
How to remove a User from SharePoint Online Subsite?
By default, SharePoint Online subsites inherit permissions from their parent sites. As part of managing access to SharePoint Online sites, at times, it may be necessary to remove users from a subsite to restrict access or control the number of users who have access to sensitive information.
To remove a user from the SharePoint Online subsite, do the following:
Step 1: Remove the user from direct permissions of the site (if any):
- Go to the SharePoint Online subsite from which you want to remove the user.
- Click on the “Settings” gear icon, and select “Site Permissions” >> Click on the “Advanced Permission Settings” link.
- In the “Site Settings” page, under the “Users and Permissions” section, click on “Site Permissions”.
- In the “Site Permissions” page, click on the name of the user you want to remove.
- On the user’s page, click on the “Remove User permissions” button. You will be prompted to confirm the removal of the user. Click “OK” to remove the user from the subsite.
Step 2: Remove the user from all groups on the site
Similarly, you have to drill down into each group of the site and remove the user from it.
But the problem is: we have to check each group and the direct permissions to remove a user from the site. So, let’s remove user permissions in SharePoint Online using PowerShell!
SharePoint Online: Remove User from Subsite Permission using PowerShell
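Here is how to remove user permissions in SharePoint Online using PowerShell. Note that SharePoint groups are scoped to the site collection, so removing the user from a group also removes the access that group gives them on any other site in the collection.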
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"

#Set parameter values
$SiteURL="https://crescent.sharepoint.com/sites/marketing/2018"
$UserID="[email protected]"

Try {
    #Get Credentials to connect
    $Cred = Get-Credential

    #Setup the context
    $Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
    $Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)

    #Get the web
    $Web = $Ctx.Web
    $Ctx.Load($Web)
    $Ctx.ExecuteQuery()

    #Build the claims login name
    $LoginName = "i:0#.f|membership|"+$UserID

    #Get the User to Delete
    $User = $Web.SiteUsers.GetByLoginName($LoginName)
    $Ctx.ExecuteQuery()

    #Remove User from All Groups of the site
    $Ctx.Load($User.Groups)
    $Ctx.ExecuteQuery()
    ForEach($Group in $User.Groups)
    {
        $Group.Users.RemoveByLoginName($LoginName)
        Write-host -f Yellow "`tRemoved User from the Group:" $Group.Title
    }
    $Ctx.ExecuteQuery()

    #Remove the user from direct permissions, if any
    $Ctx.Load($Web.RoleAssignments)
    $Ctx.ExecuteQuery()
    ForEach($RoleAssignment in $Web.RoleAssignments)
    {
        $Ctx.Load($RoleAssignment.Member)
        $Ctx.ExecuteQuery()

        #Check direct permissions
        if($RoleAssignment.Member.PrincipalType -eq "User")
        {
            #Is the current member the user we are looking for?
            if($RoleAssignment.Member.LoginName -eq $LoginName)
            {
                #Remove User from web Permissions
                $Web.RoleAssignments.GetByPrincipal($User).DeleteObject()
                $Ctx.ExecuteQuery()
                Write-host -f Yellow "`tRemoved User from Direct Permissions of the Web!"
                #A principal has at most one role assignment on a web, so stop searching
                Break
            }
        }
    }
    Write-Host "User: '$UserID' has been Removed from the site Successfully!" -ForegroundColor Green
}
Catch {
    write-host -f Red "Error:" $_.Exception.Message
}
PnP PowerShell to Remove User from All Groups of the Site
Here is the PnP PowerShell to remove a user from a SharePoint online subsite:
#Set Variables
$SiteURL = "https://crescent.sharepoint.com/sites/retail/archived"
$UserLoginID = "i:0#.f|membership|[email protected]"

#Connect to PnP Online
Connect-PnPOnline -Url $SiteURL -Interactive

#Get All Groups of the User
$UserGroups = Get-PnPUser -Identity $UserLoginID | Select -ExpandProperty Groups | Where {$_.Title -notmatch "Limited Access*"}

#Remove User from all Groups
$UserGroups | ForEach-Object {
    Remove-PnPGroupMember -LoginName $UserLoginID -Identity $_.Title
    Write-host "Removed user from Group:"$_.Title -f Green
}
To remove a user from the site collection, use: SharePoint Online: Remove User from Site Collection using PowerShell
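To confirm that the removal took effect, the following added example (not part of the original post) lists every path through which the user still holds permissions on the subsite: a direct role assignment, or membership of a SharePoint group that is granted access there. It assumes the PnP.PowerShell module and an existing Connect-PnPOnline session to the subsite; the function name Get-UserSubsiteAccess and the sample login name are hypothetical.

```powershell
# Added example: needs PnP.PowerShell and an active Connect-PnPOnline session
# to the subsite. Get-UserSubsiteAccess is a hypothetical helper name.
function Get-UserSubsiteAccess {
    param(
        [Parameter(Mandatory)] [string] $LoginName   # e.g. "i:0#.f|membership|<user UPN>"
    )

    $Web = Get-PnPWeb -Includes HasUniqueRoleAssignments, RoleAssignments

    # Groups the user belongs to anywhere in the site collection (empty if user is unknown)
    $User = Get-PnPUser -Identity $LoginName
    $UserGroupIds = @()
    if ($User) { $UserGroupIds = @($User.Groups | ForEach-Object { $_.Id }) }

    foreach ($RoleAssignment in $Web.RoleAssignments) {
        # Load who holds the assignment and which permission levels it grants
        Get-PnPProperty -ClientObject $RoleAssignment -Property Member, RoleDefinitionBindings | Out-Null
        $Member = $RoleAssignment.Member
        $Levels = @($RoleAssignment.RoleDefinitionBindings | ForEach-Object { $_.Name } |
                    Where-Object { $_ -ne "Limited Access" })
        if ($Levels.Count -eq 0) { continue }   # "Limited Access" only: no grant on the web itself

        $Path = $null
        switch ($Member.PrincipalType.ToString()) {
            "User"            { if ($Member.LoginName -eq $LoginName) { $Path = "Direct permission" } }
            "SharePointGroup" { if ($UserGroupIds -contains $Member.Id) { $Path = "Group: $($Member.Title)" } }
            # Membership of directory (Entra ID / Microsoft 365) groups cannot be read from SharePoint
            "SecurityGroup"   { $Path = "Unverified (directory group): $($Member.Title)" }
        }
        if ($Path) {
            [PSCustomObject]@{
                AccessPath       = $Path
                PermissionLevels = $Levels -join ", "
                # False means the subsite inherits, so the grant lives on the parent site
                UniqueToSubsite  = $Web.HasUniqueRoleAssignments
            }
        }
    }
}

# Constructed login name; no "Direct permission" or "Group:" rows means the removal is complete
Get-UserSubsiteAccess -LoginName "i:0#.f|membership|user@example.com" | Format-Table -AutoSize
```

Rows marked "Unverified" are directory groups with access to the subsite; check their membership in the directory itself, since the scripts above do not touch it.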
Conclusion:
In conclusion, removing a user from a SharePoint Online subsite is a straightforward process that can be done through the user interface or using a PowerShell script. The steps outlined above provide a clear and easy-to-follow guide for removing users from a SharePoint Online subsite, whether working with the user interface or using a script. With the ability to easily manage access to your SharePoint Online sites, you can ensure that your information is secure and accessible only to the users who need it.
Hi
How to use this solution with SharePoint 2013?
Best Regards
This was a great script and time saver for me. The only problem I ran into is that MFA was in use. After a bit of research, I found out how to use MFA for $Ctx and context, so I thought I would share in case anyone else runs into this same problem.
Replace Lines 10 – 15 with the below
#Get Credentials to connect
Connect-PnPOnline -Url $SiteURL -Interactive
#Setup the context
$Ctx = Get-PnPContext
Thanks for sharing! I’ve learned a good bit by reviewing your samples!
Hi Chris,
You can refer to this post for MFA: Connect to SharePoint Online using PowerShell with Multi-factor Authentication (MFA)