Get All SharePoint Online Users and Groups with “Full Control” (Owner) Permissions using PowerShell

Requirement: Find all Users and groups with “Full Control” permissions in SharePoint Online sites.

How to Get Users and Groups with Full Control in SharePoint Online?

In SharePoint Online, permissions can be assigned to users and groups to control access to site content. One of the highest levels of permission is Full Control, which gives the user full access to all site content and the ability to manage permissions for others. There may be times when you need to get a list of users who have full control permissions in SharePoint Online sites. The process is relatively simple and can be helpful if you are looking to audit user permissions.

  1. Log in to your SharePoint Online site >> Click on the Settings gear >> Click on the “Site Permissions” link.
  2. In the “Permissions” panel, click on the “Advanced permissions settings” link. This takes you to the site permissions page, where you’ll get all users and groups granted permissions to the site.

Get All Groups with “Full Control” from a Site Collection using PowerShell

Let’s get all groups with full control permissions and then members from those groups from a given site collection.

#Set Parameters
$AdminCenterURL="https://crescent-admin.sharepoint.com"
$SiteUrl = "https://crescent.sharepoint.com/sites/oncology"

#Connect to SharePoint Online
Connect-SPOService -Url $AdminCenterURL -credential (Get-Credential)

#Get all Groups from the site
$SiteGroups = Get-SPOSiteGroup -Site $SiteUrl

#Get Group info that have "Full Control" Permissions
ForEach ($Group in $SiteGroups)
{
    #-contains returns False instead of throwing when a group has no Roles
    If($Group.Roles -contains "Full Control")
    {
        Write-Host -f Yellow $Group.Title
        #Get each member of the group
        ForEach($User in $Group.Users | Where{$_.contains("@")}) #Exclude system Users
        {
            write-host -f Green $User
        }
    }
} 

PowerShell to Get All Users from groups with “Full Control” Access Rights from All Sites:

How about retrieving all SharePoint Online groups with full control permissions from all site collections?

#Variables
$AdminCenterURL = "https://crescent-admin.sharepoint.com/"
 
#Connect to SharePoint Online
Connect-SPOService -url $AdminCenterURL -Credential (Get-Credential)
 
#Get all Site collections
$Sites = Get-SPOSite -Limit All

#Loop through site collections
ForEach($Site in $Sites)
{
    Write-host -f Cyan "Searching site: $($Site.URL)"
    #Get all Groups from the site permissions
    $SiteGroups = Get-SPOSiteGroup -Site $Site | Where { $_.Roles -ne $NULL -and $_.Users -ne $NULL}

    #Get Group info and members that have site owners permissions
    ForEach ($Group in $SiteGroups)
    {
        If($Group.Roles.Contains("Full Control"))
        {
            Write-Host -f Yellow $Group.Title
            #Get each member of the group
            ForEach($User in $Group.Users | Where{$_.contains("@")}) #Exclude system Users
            {
                write-host -f Green $User
            }
        }
    }
}

This PowerShell script gets a list of users from groups with Full Control permission in a SharePoint Online site.

SharePoint Online: PowerShell to get users with full control

The above script just gets all users from groups with full control. What if there are users with full control permissions assigned through direct permissions?

#Parameters
$SiteURL = "https://crescent.sharepoint.com"
$ReportOutput = "C:\Temp\FullControlPermissionRpt.csv"

#Connect to Site
Connect-PnPonline -Url $SiteURL -Interactive
 
#Get the Root web
$Web = Get-PnPWeb -Includes RoleAssignments

#Loop through each permission assigned to the site and extract details
$PermissionData = @()
ForEach ($RoleAssignment in $Web.RoleAssignments)
{
    #Get the Permission Levels assigned and Member
    Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member
     
    #Check if "Full Control" Permission Level is assigned to the Assignment
    If( ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name).Contains("Full Control"))
    {
        $PermissionType = $RoleAssignment.Member.PrincipalType
        #Get SharePoint group members
        If($PermissionType -eq "SharePointGroup")
        {
            #Get Group Members
            $GroupMembers = Get-PnPGroupMember -Identity $RoleAssignment.Member.LoginName

            $GroupUsers = ($GroupMembers | Where {$_.LoginName -ne "SHAREPOINT\system"} | Select -ExpandProperty Email) -join "; "
            #Leave Empty Groups - Without users
            If([String]::IsNullOrEmpty($GroupUsers)){ Continue }
   
            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
            $Permissions | Add-Member NoteProperty Accounts($GroupUsers)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $PermissionData += $Permissions
        }
        Else
        {
            #Get the User
            $User = Get-PnPUser -Identity $RoleAssignment.Member.LoginName
            #Add the Data to Object
            $Permissions = New-Object PSObject
            $Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
            $Permissions | Add-Member NoteProperty Accounts($User.Email)
            $Permissions | Add-Member NoteProperty Type($PermissionType)
            $PermissionData += $Permissions
        }
    }
}
#Export Permissions data to CSV file
$PermissionData | Export-csv -path $ReportOutput -NoTypeInformation

In summary, the PowerShell scripts above provide a quick and efficient way to get a list of users who have Full Control permission in a SharePoint Online site. This information is useful for managing site permissions, auditing access, and troubleshooting, as well as for ensuring that only the necessary individuals have full access and making changes to permissions as needed.
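To turn the exported report into an access review, the rows can be checked against a list of approved owners. The function below is an added example, not part of the original article: `Find-UnexpectedFullControl`, `$ApprovedOwners` and `$TenantDomain` are hypothetical names, and the sample rows are constructed in the Name/Accounts/Type shape that the report script writes.

```powershell
# Added example (not from the original article): triage the Name/Accounts/Type rows
# that the report script exports. $ApprovedOwners and $TenantDomain are assumed inputs.
function Find-UnexpectedFullControl {
    param(
        [Parameter(Mandatory)] [object[]] $PermissionData,  # rows with Name, Accounts, Type
        [Parameter(Mandatory)] [string[]] $ApprovedOwners,  # e-mail addresses allowed to hold Full Control
        [Parameter(Mandatory)] [string]   $TenantDomain     # e-mail domain of internal accounts
    )
    ForEach ($Row in $PermissionData) {
        # Full Control granted outside a SharePoint group is reported in its own right
        If ($Row.Type -ne "SharePointGroup") {
            [PSCustomObject]@{ Principal = $Row.Name; Account = $Row.Accounts; Finding = "DirectGrant:$($Row.Type)" }
        }
        # The report joins group members with "; ", so split them back into single accounts
        $Accounts = @("$($Row.Accounts)" -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        If ($Accounts.Count -eq 0) {
            # No e-mail in the report (e.g. a security group): membership has to be checked in the directory
            [PSCustomObject]@{ Principal = $Row.Name; Account = ""; Finding = "NoEmail:ReviewManually" }
        }
        ForEach ($Account in $Accounts) {
            If ($Account -notlike "*@$TenantDomain") {
                [PSCustomObject]@{ Principal = $Row.Name; Account = $Account; Finding = "ExternalDomain" }
            }
            ElseIf ($ApprovedOwners -notcontains $Account) {
                [PSCustomObject]@{ Principal = $Row.Name; Account = $Account; Finding = "NotApproved" }
            }
        }
    }
}

# Constructed sample rows (not real data), same columns as FullControlPermissionRpt.csv
$Sample = @(
    [PSCustomObject]@{ Name = "Site Owners";      Accounts = "alice@example.com; bob@example.com"; Type = "SharePointGroup" }
    [PSCustomObject]@{ Name = "Project Partners"; Accounts = "vendor@example.org";                 Type = "SharePointGroup" }
    [PSCustomObject]@{ Name = "Carol Example";    Accounts = "carol@example.com";                  Type = "User" }
    [PSCustomObject]@{ Name = "Finance Admins";   Accounts = "";                                   Type = "SecurityGroup" }
)
$Findings = @(Find-UnexpectedFullControl -PermissionData $Sample -ApprovedOwners "alice@example.com" -TenantDomain "example.com")
$Findings | Format-Table -AutoSize
```

To review a real site, pass `Import-Csv $ReportOutput` as `-PermissionData` instead of `$Sample`.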

Salaudeen Rajack


2 thoughts on “Get All SharePoint Online Users and Groups with “Full Control” (Owner) Permissions using PowerShell”

  • Nice article. The script doesn’t work if I have DG (domain security group) in the full control group. Can you please update the script?

    • After Line#38, Add:

      ElseIf($PermissionType -eq "SecurityGroup")
      {
      #AD Security Group
      }
