Get All SharePoint Online Users and Groups with “Full Control” (Owner) Permissions using PowerShell
Requirement: Find all Users and groups with “Full Control” permissions in SharePoint Online sites.
How to Get Users and Groups with Full Control in SharePoint Online?
In SharePoint Online, permissions can be assigned to users and groups to control access to site content. One of the highest levels of permission is Full Control, which gives the user full access to all site content and the ability to manage permissions for others. There may be times when you need to get a list of users who have full control permissions in SharePoint Online sites. The process is relatively simple and can be helpful if you are looking to audit user permissions.
- Login to your SharePoint Online sites >> Click on the Settings gear >> Click on the “Site Permissions” link.
- In the “Permissions” panel, click on the “Advanced permissions settings.” link. This takes you to the site permissions page, where you’ll get all users and groups granted permissions to the site.
Get All Groups with “Full Control” from a Site Collection using PowerShell
Let’s get all groups with full control permissions and then members from those groups from a given site collection.
#Set Parameters
$AdminCenterURL="https://crescent-admin.sharepoint.com"
$SiteUrl = "https://crescent.sharepoint.com/sites/oncology"
#Connect to SharePoint Online
Connect-SPOService -Url $AdminCenterURL -credential (Get-Credential)
#Get all Groups from the site
$SiteGroups = Get-SPOSiteGroup -Site $siteURL
#Get Group info that have "Full Control" Permissions
ForEach ($Group in $SiteGroups)
{
If($Group.Roles.Contains("Full Control"))
{
Write-Host -f Yellow $Group.Title
#Get each member of the group
ForEach($User in $Group.Users | Where{$_.contains("@")}) #Exclude system Users
{
write-host -f Green $User
}
}
}
PowerShell to Get All Users from groups with “Full Control” Access Rights from All Sites:
How about retrieving all SharePoint Online groups with full control permissions from all site collections?
#Variables
$AdminCenterURL = "https://crescent-admin.sharepoint.com/"
#Connect to SharePoint Online
Connect-SPOService -url $AdminCenterURL -Credential (Get-Credential)
#Get all Site collections
$Sites = Get-SPOSite -Limit All
#Loop through site collections
ForEach($Site in $Sites)
{
Write-host -f Cyan "Searching site: $($Site.URL)"
#Get all Groups from the site permissions
$SiteGroups = Get-SPOSiteGroup -Site $Site | Where { $_.Roles -ne $NULL -and $_.Users -ne $NULL}
#Get Group info and members that have site owners permissions
ForEach ($Group in $SiteGroups)
{
If($Group.Roles.Contains("Full Control"))
{
Write-Host -f Yellow $Group.Title
#Get each member of the group
ForEach($User in $Group.Users | Where{$_.contains("@")}) #Exclude system Users
{
write-host -f Green $User
}
}
}
}
This PowerShell script gets a list of users from groups with Full Control permission in a SharePoint Online site.
SharePoint Online: PowerShell to get users with full control
The above script just gets all users from groups with full control. What if there are users with full control permissions assigned through direct permissions?
#Parameters
$SiteURL = "https://crescent.sharepoint.com"
$ReportOutput = "C:\Temp\FullControlPermissionRpt.csv"
#Connect to Site
Connect-PnPonline -Url $SiteURL -Interactive
#Get the Root web
$Web = Get-PnPWeb -Includes RoleAssignments
#Loop through each permission assigned to the site and extract details
$PermissionData = @()
ForEach ($RoleAssignment in $Web.RoleAssignments)
{
#Get the Permission Levels assigned and Member
Get-PnPProperty -ClientObject $RoleAssignment -Property RoleDefinitionBindings, Member
#Check if "Full Control" Permission Level is assigned to the Assignment
If( ($RoleAssignment.RoleDefinitionBindings | Select -ExpandProperty Name).Contains("Full Control"))
{
$PermissionType = $RoleAssignment.Member.PrincipalType
#Get SharePoint group members
If($PermissionType -eq "SharePointGroup")
{
#Get Group Members
$GroupMembers = Get-PnPGroupMember -Identity $RoleAssignment.Member.LoginName
$GroupUsers = ($GroupMembers | Where {$_.LoginName -ne "SHAREPOINT\system"} | Select -ExpandProperty Email) -join "; "
#Leave Empty Groups - Without users
If([String]::IsNullOrEmpty($GroupUsers)){ Continue }
#Add the Data to Object
$Permissions = New-Object PSObject
$Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
$Permissions | Add-Member NoteProperty Accounts($GroupUsers)
$Permissions | Add-Member NoteProperty Type($PermissionType)
$PermissionData += $Permissions
}
Else
{
#Get the User
$User = Get-PnPUser -Identity $RoleAssignment.Member.LoginName
#Add the Data to Object
$Permissions = New-Object PSObject
$Permissions | Add-Member NoteProperty Name($RoleAssignment.Member.Title)
$Permissions | Add-Member NoteProperty Accounts($User.Email)
$Permissions | Add-Member NoteProperty Type($PermissionType)
$PermissionData += $Permissions
}
}
}
#Export Permissions data to CSV file
$PermissionData | Export-csv -path $ReportOutput -NoTypeInformation
In summary, the PowerShell script provides a quick and efficient way to get a list of users who have Full Control permission in a SharePoint Online site. By using the PowerShell script outlined above, you can easily retrieve a list of all users who have Full Control permissions on your SharePoint Online site. This information can be useful for managing site permissions, auditing access, or for troubleshooting purposes. Also, for ensuring that only the necessary individuals have full access, and making changes to permissions as needed.
Nice article. The script doesn’t work if I have DG (domain security group) in the full control group. Can you please update the script?
After Line#38, Add:
ElseIf($PermissionType -eq “SecurityGroup”)
{
#AD Security Group
}